domenica 29 gennaio 2012

Best of the week - 29 gennaio 2012

Here you can find my list of the best security resources of the week.

Hope you enjoy it.

First of all, the cloud section...
@cuoretoro US spy agencies look to cloud computing

@georgevhulme The transition to cloud - an opportunity to get application security right: #infosec

@slashdot New Privacy Laws Could Boost EU Cloud Industry

Secondly, the general security section...
@DarkReading Zappos, Amazon sued over data breach:

@dsancho66 Cyberpower index: <- Spain is not even in the list

@KimZetter Mapping Tool Shows 10,000 Reasons to Worry about Critical Infrastructure -

and to finish, the laughs section...
@mikko Only four more years to go until EU Copyright expires for 'Happy Birthday to You' and then we can all sing it for free!…

domenica 22 gennaio 2012

Best of the week - 22 gennaio 2012

A new week is just around the corner and a lot of security news is ready to be published, but which are the best security news items of this week? Here you can find the answer!

Hope you enjoy it.

@RealSecurity Anonymous Changes DDoS Tactics in Megaupload Retaliation via @threatpost #security

@assolini Brazilian cybercriminals’ daily earnings – more than you’ll ever earn in a year! | Securelist (by @dimitribest)

@InfosecNewsBot 74% believe mobile devices increase security incidents: The number of personal mobile devices connectin... #infosec

@metalabasia Brian White, managing director of the Chertoff Group, Discusses Cyber Attack Against Amazon's Zappos…

@mikko Sophos blogs about phishing sites hosted on Google Docs:… Our take on this, from last May:…

@SecureEB #security Mourad: Google services for Handling and Cleaning Infected Websites #infosec

domenica 15 gennaio 2012

Best of the week - 15 gennaio 2012

This week I found a lot of interesting reading, and here is my list of the best security resources.

Hope you enjoy it.

@eEye RT @hugsec: Trends in Security #InfoSec #security #vulnerability

@CND_Ltd Microsoft Readying Real Time Hosted Threat Intelligence Feed via @threatpost

@dsancho66 Why Internet crime goes unpunished:

@RonGula Very cool youtube video from Stratfor CEO about their recent attacks and compromises :

@DrInfoSec A Practical Guide to Implementing SEC Guidance on Disclosure of Cybersecurity Risks… [PDF is worth the quick read]

@suffert 4TB+ of rainbowtables to download <= Distributed Rainbow Tables Project.. - (4TB??? It's a huge amount of data!!!!)

@e_kaspersky There is no winning party in #cyberwarfare. It's a boomerang as much as nuclear weapons. Great reading:

mercoledì 11 gennaio 2012

Cloud Incident Response: Detection and Declaration

Image modified from the original Wired image.

Here's another part of the series devoted to cloud incident response.
This time we will talk about incident detection and incident declaration. These topics are closely linked and well developed in classical environments, but they are still immature in cloud services, so let's begin to explore them.

Phase 1 - Incident Detection

This phase is common to every security incident and, in non-cloud environments, can be performed either by an end user who notices something strange in his/her service or by an operational team that becomes aware of the problem. In the first case, the user warns the security team, which performs some checks together with the operational teams in order to clarify the exact nature of the reported event. In the second case, the activation of the security team is internal and, usually, the investigation starts almost immediately.

This approach is a little different in cloud services, because the roles of the end user and of the operational team are shaped differently and, in some cases, the Cloud Service Provider (CSP) may hold only a portion of the essential data. So, taking a closer look at the possibilities, we immediately become aware that the delivery models of cloud services change the operational scenario. In fact, even in the simplest situation, in which the service is delivered directly by a single CSP, the situation changes radically depending on whether the service is Software as a Service (SaaS), Platform as a Service (PaaS) or Infrastructure as a Service (IaaS).

In the SaaS case, the user only has access to some personal activity logs, without any access to system information. In this scenario, the CSP has to conduct all the incident detection activities and the Cloud Service Consumer (CSC) is totally dependent on the pieces of information shared by the CSP.

IaaS represents the complementary situation: in this delivery model the CSP directly manages only the network security layer, whereas all the information regarding the inner layers, from the OS up to the application, is a CSC matter.

PaaS sits between the previous two cases, with the involvement of the CSC varying according to the implementation.

The above reasons imply that, in order to have the right instruments to respond to incidents in cloud environments, the information sharing between CSP and CSC is essential.

Since contractual clauses regulate every aspect of cloud services, these matters also have to be clearly defined in the contract.
These clauses have to set at least the following features:
- the expected pieces of information that have to be exchanged
- the triggers for the information sharing
- the temporal SLA for the exchange of information
- the confidentiality level of any information shared.
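As an added illustration (not code from the original post), the following Python module encodes the detection responsibilities per delivery model described above and checks a CSP incident notification against the four contractual features just listed. The PaaS layer split, the clause values and the sample notification are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Who has to detect incidents at each layer, per delivery model (from the post):
# SaaS: the CSP covers every layer; IaaS: the CSP covers only the network layer.
# PaaS varies by implementation; the split below is an assumption for this example.
LAYERS = ["network", "os", "platform", "application"]
CSP_DETECTS = {
    "SaaS": set(LAYERS),
    "PaaS": {"network", "os", "platform"},   # assumed split, not from the post
    "IaaS": {"network"},
}

def detection_owner(model, layer):
    """Return 'CSP' or 'CSC': the party that must detect incidents at this layer."""
    if model not in CSP_DETECTS or layer not in LAYERS:
        raise ValueError(f"unknown model/layer: {model}/{layer}")
    return "CSP" if layer in CSP_DETECTS[model] else "CSC"

@dataclass
class SharingClause:
    required_fields: set      # pieces of information that have to be exchanged
    triggers: set             # event types that oblige the CSP to notify the CSC
    max_delay: timedelta      # temporal SLA between detection and notification
    confidentiality: str      # label every shared item must carry

def check_notification(clause, note):
    """Check a CSP notification (dict) against the clause; [] means compliant."""
    problems = []
    missing = clause.required_fields - set(note)
    if missing:
        problems.append(f"missing fields: {sorted(missing)}")
    if note.get("event_type") not in clause.triggers:
        problems.append(f"event type {note.get('event_type')!r} is not a contractual trigger")
    try:
        delay = (datetime.fromisoformat(note["notified_at"])
                 - datetime.fromisoformat(note["detected_at"]))
        if delay > clause.max_delay:
            problems.append(f"notified {delay} after detection, SLA is {clause.max_delay}")
    except (KeyError, ValueError):
        problems.append("detection/notification timestamps missing or malformed")
    if note.get("confidentiality") != clause.confidentiality:
        problems.append("confidentiality label does not match the clause")
    return problems

# Constructed sample clause and a late, incomplete notification (not real data).
CLAUSE = SharingClause(
    required_fields={"event_type", "detected_at", "notified_at",
                     "affected_tenants", "confidentiality"},
    triggers={"data_breach", "service_compromise"},
    max_delay=timedelta(hours=4),
    confidentiality="restricted",
)
LATE_NOTE = {"event_type": "data_breach", "detected_at": "2012-01-11T08:00:00",
             "notified_at": "2012-01-11T14:30:00", "confidentiality": "restricted"}
```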

Phase 2 - Declaration

In this phase, after the detection, someone has to declare the incident. This moment is crucial for the effective response to an incident: a bad move in this phase might affect all the following activities, compromising the final outcome. But who is in charge of this activity? Which is the best way to approach this critical phase? And finally, which cases have to go public?

These questions pertain to every CSP, and it's nearly impossible to give general indications or best practices...

except this one: "Every CSP has to be well prepared!"

A plan has to be prearranged, officially issued and shared between the operational teams.

Moreover, after every incident a review has to be performed to verify the effectiveness of the plan.

In conclusion, every CSC, when approaching a CSP, should verify the presence and the effectiveness of such a plan, checking the compliance of this document with laws, regulations and its own requirements.

Well, that's enough for this post; in the following parts I'll share with you other thoughts on Cloud Incident Response, so... stay tuned!

domenica 8 gennaio 2012

Best of the Week - 8 gennaio 2012

Regular publication of the "Best of the Week" series has started again, and here you can find my new selection of the best security resources of the week.

Hope you enjoy it.

@RIPE_NCC Vint Cerf: Internet Access is Not a Human Right

@CERT_Polska_en Results of our long term analysis of the #ZeuS P2P+DGA trojan published, including the mapping out of its network:…

@mthorbruegge RT @ProjectHoneynet: There's a great series of malware analysis tutorials starting here:… #malware

@VJirasek RT @PeterWoodx: Cracking 14 Character Complex Passwords in 5 Seconds <- @miketmclaughlin 

@CiscoGGSG 2012 Cybersecurity Trends to Watch in Government

@suffert Allocating Security Resources to Protect Critical Infrastructure

@kakroo Cloud SWAT teams - Cloud computing poses unique security challenges. Here's how cloud-specific 'security incident-re...

giovedì 5 gennaio 2012

Thorwed: a conversation with the hacker

Some days ago, I found that a governmental Italian site ( was hacked by a hacker named Thorwed. Thorwed owned the DB and then published all the usernames and passwords of the site (more than 9000 entries) on Pastebin. Since I work for a governmental CERT, I warned the people in charge of the security of this site and then, with the essential help of some friends, we sent an email to all the involved users asking them to change their passwords.

A few days later, two other "events" occurred: the Joint Research Centre and the Rainews24 sites were hacked and, again, all the data (usernames, passwords and emails) were published by Thorwed on Pastebin.

Same situation, same response. 

The day after, everything was over, but I was very intrigued by the actions of this hacker, so I decided to leave a message on Pastebin asking Thorwed to contact me.

This evening I found on my blog and on Pastebin this message left by Thorwed:

"# Thorwed
# I apologize in advance

Hi Matteo, I am Thorwed.
Let me explain about: ( 
The first laid the basis of (, which contained (login; pass; mail) a day later it was modified,
where I wrote the reasons for their actions:
"... I am very sad to look at the large site with such childish errors that are fixed for a few minutes. 
This is especially true of government websites. In December, an error that could be eliminated within a few minutes was the diversion of 9000 + data. 
I think you ask why I showed the entire database? but if I showed only a mistake nobody would have noticed.
When I put a base on it turns out there was already an analogy only it contained the names of the tables.
( on October 10, ridiculous is not it? Nobody paid any attention to even and did not close the error." 
I think the reasons for these large and important sites such as Rainews24 and others are not worth explaining.
I just want to add, in a world very vulnerable state sites.
Oh yeah I forgot to say that I stopped and I was left with a list of vulnerable sites of domain zones (.,. and others), but they will not leak.
Goodbye. Yours faithfully. Thorwed ..."

First of all, I want to thank Thorwed for having accepted my invitation.

Secondly, I want to write a public answer to Thorwed's message:
"Thorwed, I remember that you had a Twitter account in which you wrote "Con la esperanza de hacerlo mejor...". 

Well, you do have the possibility to make it better... and this possibility is called "Responsible disclosure". 

I don't want to bother you with a definition of what responsible disclosure is or by highlighting the importance of such an approach.

I just want to say that, if your goal is the improvement of website security, particularly for governmental sites, just send me your findings privately: I can forward them to the right people and then publish your discovery on my blog.

This way, you can achieve your goals and obtain the deserved visibility without harming anyone.

Think about it. 

This makes the difference between an offence and a meritorious action.

Write me, this is my email address

Update to the post (January 13, 2012)

Some days ago Thorwed contacted me privately to submit some information regarding a couple of vulnerabilities found on many Italian sites. Most of these sites are registered by private citizens and companies, but some of them are school websites within the "" domain.

Together with a friend, I performed some checks to verify the quality of these warnings, then I sent a report to some of the owners of the vulnerable sites.

I want to publicly thank Thorwed for accepting my invitation to disclose this kind of information more responsibly.

In the next few days I will verify whether at least the domain has been fixed.

mercoledì 4 gennaio 2012

Between Hacktivism and Cyberterrorism

The new year has brought Israelis a bitter surprise!

0xOmar of "group-xp", the largest group of Wahhabi hackers in Saudi Arabia, also linked to the Anonymous movement, published on Pastebin and Pastebay a statement announcing that he had made available the data of 400,000 credit cards belonging to Israeli citizens.

This act is explained by a purpose halfway between protest and "terrorism": the statement clearly says that this is the first step of an operation whose final goal is the compromise of 1 million cards together with the related identity data. In a country like Israel, which holds between 6 and 7 million cards in total, such a compromise would represent a decidedly significant share. If it were to come true, it would certainly cause great problems in the country. Problems that the Arab hackers anticipate in the statement itself:
"What's fun for us?
- Watching 400,000 people gathered in front of Israeli credit card companies and banks, complaining about cards and that they are stolen
- Watching Israeli banks shredding 400,000 credit cards and re-generate new cards (so costly, huh?)
- Watching people purchasing stuff for theirself using the cards and making Israeli credit cards untrustable in the world, like Nigerian credit cards
- and much more..."

Beyond the numbers, which a statement by Isracard scales down considerably, what I find most relevant in this operation is the change of strategy underlying it. A change aimed at creating chaos through the use of information and procedures that are normally the preserve of cybercriminals and that are now, instead, used for purposes of cyberprotest bordering on cyberterrorism.

I believe this kind of evolution is only a preview of what may happen during the year that has just begun.

It is in fact far too easy to carry out this type of operation and create havoc without having to face the great risks that a group of terrorists operating in the traditional way is forced to run.

domenica 1 gennaio 2012

Best of the week - New Year Edition

Well, a new year has come and, starting from today, we will be able to verify all the security predictions made these days.

Meanwhile, here you can find the best security resources of the last week of the year.

Hope you enjoy it.

Happy new year to all of you!!

@QatarCERT: Q-CERT Weekly Newsletter,01 January,2012 -

@Security_FAQs Why Is Sand Boxing A Most Wanted Security Feature?

@dimitribest Know the story about Stuxnet? For sure you didn't. This is the new story with the new malware platform “Tilded”

@suffert Ideas about China’s Cyber Command - Council on Foreign Relations - (cc: @taosecurity @jeffreycarr)

@hdmoore RT @effffn: are you also missing 28c3? watch the talks online