Опубликовано 27 декабря, 200718 г еще информация - если баян (датирована июлем 2007 года), прошу простить Коротко -ФБР-овцы, выслеживая e-mail-"террориста", установили подозреваемому своего специального трояна CIPAV. На основании собранных им доказательств, человек получил срок... :smile2: Программа собирала разные данные - IP, посещаемые URL ит.д. Так как человек пользовался в качестве прокси взломанным сервером в Италии, его не могли вычислить другими способами. Собранные трояном данные посылались через Интернет на сервер ФБР (вторая ссылка) С помощью социальной инженерии его заставили открыть сообщение с программой якобы от знакомого в социальной сети Myspace :smile14: В будущем году в ФБР на такие программы выделено 220000 USD... _ttp://blog.wired.com/defense/2007/07/fbi-spyware-rev.html FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News. The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals. The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment. In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a "computer and internet protocol address verifier," or CIPAV. Sanders wrote that the spyware program gathers a wide range of information, including the computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the current logged-in user name and the last-visited URL. The CIPAV then settles into a silent "pen register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days. Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such surveillance -- which does not capture the content of the communications -- can be conducted without a wiretap warrant, because internet users have no "reasonable expectation of privacy" in the data when using the internet. _ttp://www.wired.com/politics/law/news/2007/07/fbi_spyware The Washington case unfolded May 30, when a handwritten bomb threat prompted the evacuation of Timberline High School in Lacey, Washington. No bomb was found. On June 4, a second bomb threat was e-mailed to the school from a Gmail account that had been newly created under the name of an innocent student. "I will be blowing up your school Monday, June 4, 2007," the message read. "There are 4 bombs planted throughout Timberline high school. One in the math hall, library hall, main office and one portable. The bombs will go off in 5 minute intervals at 9:15 AM." In addition, the message promised, "The e-mail server of your district will be offline starting at 8:45 am." The author made good on the latter threat, and a denial-of-service attack smacked the North Thurston Public Schools computer network, generating a relatively modest 1 million packets an hour. Responding to the bomb threat, school administrators ordered an evacuation of the high school, but, once again, no explosives were found. That began a bizarre cat-and-mouse game between law enforcement and school officials and the ersatz cyberterrorist, who e-mailed a new hoax bomb threat every day for several days, each triggering a new evacuation. Each threat used the same pseudonym, but was sent from a different, newly created Gmail account to complicate tracing efforts. On June 7, the hoaxer started issuing threats through other online mediums. In his most brazen move, he set up a MySpace profile called Timberlinebombinfo and sent friend requests to 33 classmates. The whole time he was daring law enforcement officials to trace him. "The e-mail was sent over a newly made Gmail account, from overseas in a foreign country," he wrote in one message. "Seeing as you're too stupid to trace the e-mail back lets (sic) get serious," he taunted in another. "Maybe you should hire Bill Gates to tell you that it is coming from Italy. HAHAHA. Oh wait. I already told you that it's coming from Italy." As promised, attempts to trace the hoaxer dead-ended at a hacked server in Grumello del Monte, Italy. The FBI's Seattle Division contacted the FBI legal attaché in Rome, who provided an official request to the Italian national police for assistance. But on June 12, perhaps fed up with the mocking, the FBI applied for and obtained a search warrant authorizing the bureau to send the CIPAV to the Timberlinebombinfo MySpace profile. Court documents reveal the search warrant was "executed" June 13 at 5:49 p.m. Though the CIPAV provided a wealth of information, Glazebrook's IP address would have been enough to guide the FBI to the teen's front door. John Sinclair, Glazebrook's attorney, says his client never intended to blow anything up -- "it was a prank from the get-go" -- but admits he hacked into computers in Italy to launder his activities, and that he launched the denial-of-service attack against the school district's network. Glazebrook was sentenced Monday to 90 days in custody, and given credit for 32 days he's spent behind bars since his arrest. When he's released he'll be on two years' probation with internet and computer restrictions, and he's been expelled from high school. The teen is being held at the Thurston County Juvenile Detention Center, where he will serve out his sentence, says Sinclair. Изменено 27 декабря, 200718 г пользователем Vinni
Опубликовано 27 декабря, 200718 г более свежая информация о вреде социальных сетей для анонимности :smile3: _ttp://www.securitylab.ru/news/310425.php _ttp://fuzzing.ru/blog/2007/12/25/xss-uyazvimosti-v-livejournalcom/ iveJournal или Живой Журнал - один из самых популярных интернет-ресурсов в мире, оказался уязвимым к межсатовому выполнению сценариев. На сайте fuzzing.ru сообщается о наличии нескольких уязвимостей в ЖЖ, которые позволяют злоумышленнику выполнить произвольный HTML код и код сценария в браузере жертвы в контексте безопасности сайта LiveJournal.com. * На LiveJournal.com используется уязвимая версия Web сервера Apache. Злоумышленник может с помощью специально сформированного HTTP запроса произвести XSS нападение. * Также сообщается об ошибке проверки входных данных в параметре usejournal в сценарии update.bml. Злоумышленник может, с помощью специально сформированной ссылки, выполнить произвольный код сценария в браузере жертвы в контексте безопасности уязвимого сайта. Примеры использования: http://www.livejournal.com:80/update.bml?u...urnal=>”> <script%20%0a%0d>alert(document.cookie)%3B</script> http://www.livejournal.com:80/update.bml?u...urnal=>’> <script%20%0a%0d>alert(document.cookie)%3B</script> http://www.livejournal.com/update.bml?usejournal=–> <script%20%0a%0d>alert(document.cookie)%3B</script> SecurityLab рекомендует всем пользователям Живого Журнала с осторожностью посещать ссылки, ведущие на сайт LiveJournal.com.
Опубликовано 14 января, 200818 г еще пример из жизни - двое колумбийцев устанавливали в течение трех лет кейлоггеры на компьютеры в отелях и крали пароли и номера кредитных карт... --Man Pleads Guilty to Data Theft from Hotel Computers (January 9, 2008) Colombian engineer Mario Alberto Simbaqueba Bonilla has pleaded guilty to charges of conspiracy, fraud, and identity theft for placing keystroke logging software on hotel business center computers and stealing personally identifiable information. Simbaqueba Bonilla stole more than US $400,000 in a three-year period by installing the software on computers at hotels in the US and in other countries. Simbaqueba Bonilla is believed to have an accomplice, Nelya Alexandra Valero, who is still at large. He could face between seven and 10 years in prison when he is sentenced in March. http://www.miamiherald.com/news/breaking_n...ory/372940.html [Editor's Note (Pescatore): Three problems here: (1) the computers put in business centers for public use *should* be completely locked down so no software can be used but (2) business should *not* assume that is being done, because it obviously isn't, so (3) if you are *still* allowing reusable passwords to be used for remote access, your business *is* going to be hit by password stealing, whether from business center computers, employee home PCs or employee's checking email from their personal iPhones and the like. (Skoudis): We really need to educate our employees about the risks of public kiosks and computers. They are completely unsafe. Tell employees to assume that anything they type into a public computer is accessible to everyone. Passwords for access to an enterprise or its applications should _never_ be entered into such systems. (Northcutt): Keep in mind the another way they collect information on you in hotels is the hotel Internet Service Provider: http://www.sans.edu/resources/securitylab/...ick_privacy.php ]
Опубликовано 14 января, 200818 г а вот еще "веселая" статистика (из того же SANS NewsBytes) - оказывается многие компании передают своим разработчикам живые данные своих клиентов для тестирования их программ. :smile13: Интересно, а как с этим обстоят дела в России? :smile10: --Companies Use Customer Data in Development and Testing (January 10, 2008) A study commissioned by Compuware and conducted by the Ponemon Institute found that more than 75 percent of German companies use customer data in software development or application testing. In the US, 69 percent of companies use customer data in testing, followed by the UK (58 percent) and France (43 percent). Companies presume that because the data are not being used in a live scenario, there is no risk of exposure. Customer data used in the testing process can include names, credit card numbers, Social Security numbers (SSNs) and other sensitive information. Sixty percent of companies that outsource application testing share sensitive data with those contractors. A large number of companies do not have clearly established policies about who is responsible for test data security. The statistics are based on responses from 2.368 IT professionals in Germany, the US, the UK, and France. http://www.heise.de/english/newsticker/news/101593 [Editor's Note (Pescatore): There are plenty of data obfuscation products out there to create safe test databases out of live customer databases. The data safety side of secure development life cycles definitely needs to be emphasized. This is one area where the federal government and FISMA have pushed requirements out to government contractors to protect such data. (Skoudis): I'm surprised the number is so low. When we perform assessments, the vast majority of the companies we work with tell us that they use customer data in test environments, even greater than the 75% of this survey. (Schultz): Using customer data in development and testing shows blatant disregard for the welfare of customers. The fact that security considerations appear to be largely overlooked only compounds the problem. (Honan): The high percentage of European companies using information in this way is disconcerting as these companies could be in breach of the European Data Protection legislation as personal data belonging to customers can only be used for the purposes the customer agreed to when submitting their details. (Shpantzer): This problem also extends to researchers who use live medical and social welfare data. Here's one recent example we reported on in Newsbites, there are many, many more. http://www.marinecorpstimes.com/news/2007/...exposed_070726/]
Опубликовано 15 января, 200818 г а вот эссе от Брюса Шнейера (_ttp://www.schneier.com/crypto-gram-0801.html) о том, как легко установить личность человека по частичным данным о нем. Например, по ZIP-коду, полу и дате рождения можно установить 216 миллионов американцев, а половина американцев может быть установлена по полу, дате рождения и городу, в котором живет человек. :smile3: Using public anonymous data from the 1990 census, Latanya Sweeney found that 87 percent of the population in the United States, 216 million of 248 million, could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth. About half of the U.S. population is likely identifiable by gender, date of birth and the city, town or municipality in which the person resides. Expanding the geographic scope to an entire county reduces that to a still-significant 18 percent. "In general," the researchers wrote, "few characteristics are needed to uniquely identify a person." Stanford University researchers reported similar results using 2000 census data. It turns out that date of birth, which (unlike birthday month and day alone) sorts people into thousands of different buckets, is incredibly valuable in disambiguating people. This has profound implications for releasing anonymous data. On one hand, anonymous data is an enormous boon for researchers -- AOL did a good thing when it released its anonymous dataset for research purposes, and it's sad that the CTO resigned and an entire research team was fired after the public outcry. Large anonymous databases of medical data are enormously valuable to society: for large-scale pharmacology studies, long-term follow-up studies and so on. Even anonymous telephone data makes for fascinating research. On the other hand, in the age of wholesale surveillance, where everyone collects data on us all the time, anonymization is very fragile and riskier than it initially seems. Like everything else in security, anonymity systems shouldn't be fielded before being subjected to adversarial attacks. We all know that it's folly to implement a cryptographic system before it's rigorously attacked; why should we expect anonymity systems to be any different? And, like everything else in security, anonymity is a trade-off. There are benefits, and there are corresponding risks.
Для публикации сообщений создайте учётную запись или авторизуйтесь