Wednesday, October 26, 2016

As Artificial Intelligence Evolves, So Does Its Criminal Potential

By JOHN MARKOFF
OCT. 23, 2016
Imagine receiving a phone call from your aging mother seeking your help because she has forgotten her banking password.
Except it’s not your mother. The voice on the other end of the phone call just sounds deceptively like her.
It is actually a computer-synthesized voice, a tour-de-force of artificial intelligence technology that has been crafted to make it possible for someone to masquerade via the telephone.
Such a situation is still science fiction — but just barely. It is also the future of crime.
The software components necessary to make such masking technology widely accessible are advancing rapidly. Recently, for example, DeepMind, the Alphabet subsidiary known for a program that has bested some of the top human players in the board game Go, announced that it had designed a program that “mimics any human voice and which sounds more natural than the best existing text-to-speech systems, reducing the gap with human performance by over 50 percent.”
The irony, of course, is that this year the computer security industry, with $75 billion in annual revenue, has started to talk about how machine learning and pattern recognition techniques will improve the woeful state of computer security.
But there is a downside.
“The thing people don’t get is that cybercrime is becoming automated and it is scaling exponentially,” said Marc Goodman, a law enforcement agency adviser and the author of “Future Crimes.” He added, “This is not about Matthew Broderick hacking from his basement,” a reference to the 1983 movie “War Games.”
The alarm about the malevolent use of advanced artificial intelligence technologies was sounded earlier this year by James R. Clapper, the director of National Intelligence. In his annual review of security, Mr. Clapper underscored the point that while A.I. systems would make some things easier, they would also expand the vulnerabilities of the online world.
The growing sophistication of computer criminals can be seen in the evolution of attack tools like the widely used malicious program known as Blackshades, according to Mr. Goodman. The author of the program, a Swedish national, was convicted last year in the United States.
The system, which was sold widely in the computer underground, functioned as a “criminal franchise in a box,” Mr. Goodman said. It allowed users without technical skills to deploy computer ransomware or perform video or audio eavesdropping with a mouse click.
The next generation of these tools will add machine learning capabilities that have been pioneered by artificial intelligence researchers to improve the quality of machine vision, speech understanding, speech synthesis and natural language understanding. Some computer security researchers believe that digital criminals have been experimenting with the use of A.I. technologies for more than half a decade.
That can be seen in efforts to subvert the internet’s omnipresent Captcha — Completely Automated Public Turing test to tell Computers and Humans Apart — the challenge-and-response puzzle invented in 2003 by Carnegie Mellon University researchers to block automated programs from stealing online accounts.
Both “white hat” artificial intelligence researchers and “black hat” criminals have been deploying machine vision software to subvert Captchas for more than half a decade, said Stefan Savage, a computer security researcher at the University of California, San Diego.
“If you don’t change your Captcha for two years, you will be owned by some machine vision algorithm,” he said.
Surprisingly, one thing that has slowed the development of malicious A.I. has been the ready availability of either low-cost or free human labor. For example, some cybercriminals have farmed out Captcha-breaking schemes to electronic sweatshops where humans are used to decoding the puzzles for a tiny fee.
Even more inventive computer crooks have used online pornography as a reward for human web surfers who break the Captcha, Mr. Goodman said. Free labor is a commodity that A.I. software won’t be able to compete with anytime soon.
So what’s next?
Criminals, for starters, can piggyback on new tech developments. Voice-recognition technology like Apple’s Siri and Microsoft’s Cortana are now used extensively to interact with computers. And Amazon’s Echo voice-controlled speaker and Facebook’s Messenger chatbot platform are rapidly becoming conduits for online commerce and customer support. As is often the case, whenever a communication advancement like voice recognition starts to go mainstream, criminals looking to take advantage of it aren’t far behind.
“I would argue that companies that offer customer support via chatbots are unwittingly making themselves liable to social engineering,” said Brian Krebs, an investigative reporter who publishes at krebsonsecurity.com.
Social engineering, which refers to the practice of manipulating people into performing actions or divulging information, is widely seen as the weakest link in the computer security chain. Cybercriminals already exploit the best qualities in humans — trust and willingness to help others — to steal and spy. The ability to create artificial intelligence avatars that can fool people online will only make the problem worse.
This can already be seen in efforts by state governments and political campaigns that are using chatbot technology widely for political propaganda.
Researchers have coined the term “computational propaganda” to describe the explosion of deceptive social media campaigns on services like Facebook and Twitter.
In a recent research paper, Philip N. Howard, a sociologist at the Oxford Internet Institute, and Bence Kollanyi, a researcher at the Corvinus University of Budapest, described how political chatbots had a “small but strategic role” in shaping the online conversation during the run-up to the “Brexit” referendum.
It is only a matter of time before such software is put to criminal use.
“There’s a lot of cleverness in designing social engineering attacks, but as far as I know, nobody has yet started using machine learning to find the highest quality suckers,” said Mark Seiden, an independent computer security specialist. He paused and added, “I should have replied: ‘I’m sorry, Dave, I can’t answer that question right now.’”
A version of this article appears in print on October 24, 2016, on page B3 of the New York edition with the headline: As Artificial Intelligence Evolves, So Does Its Criminal Potential.
Artificially intelligent ‘judge’ developed which can predict court verdicts with 79 percent accuracy
A statue representing the scales of justice at the Old Bailey, Central Criminal Court in London 
Sarah Knapton, Science Editor
24 October 2016 • 12:05am
A computer ‘judge’ has been developed which can correctly predict verdicts of the European Court of Human Rights with 79 percent accuracy.
Computer scientists at University College London and the University of Sheffield developed an algorithm which can not only weigh up legal evidence, but also moral considerations.
As early as the 1960s experts predicted that computers would one day be able to predict the outcomes of judicial decisions.
 

But the new method is the first to predict the outcomes of court cases by automatically analyzing case text using a machine learning algorithm.
“We don’t see AI replacing judges or lawyers, but we think they’d find it useful for rapidly identifying patterns in cases that lead to certain outcomes,” said Dr. Nikolaos Aletras, who led the study at UCL Computer Science.
“It could also be a valuable tool for highlighting which cases are most likely to be violations of the European Convention on Human Rights.”
To develop the algorithm, the team allowed an artificially intelligent computer to scan the published judgments from 584 cases relating to torture and degrading treatment, fair trials, and privacy.
The computer learned that certain phrases, facts, or circumstances occurred more frequently when there was a violation of the human rights act. After analyzing hundreds of cases the computer was able to predict a verdict with 79 percent accuracy.
“Previous studies have predicted outcomes based on the nature of the crime, or the policy position of each judge, so this is the first time judgments have been predicted using analysis of text prepared by the court,” said co-author, Dr. Vasileios Lampos, UCL Computer Science.
“We expect this sort of tool would improve efficiencies of high level, in demand courts, but to become a reality, we need to test it against more articles and the case data submitted to the court.
“Ideally, we’d test and refine our algorithm using the applications made to the court rather than the published judgments, but without access to that data we rely on the court-published summaries of these submissions.”
The team found that judgments by the European Court of Human Rights are often based on non-legal facts rather than directly legal arguments, suggesting that judges are often swayed by moral considerations rather than simply sticking strictly to the legal framework.
Co-author Dr Dimitrios Tsarapatsanis, a law lecturer at the University of Sheffield, said: "The study, which is the first of its kind, corroborates the findings of other empirical work on the determinants of reasoning performed by high-level courts.
"It should be further pursued and refined, through the systematic examination of more data."
The research was published in the journal Computer Science.


Sunday, October 23, 2016

Don’t Let Leaky Apps Bring You Down


TAKE A SECURITY-FIRST MINDSET TO MINIMIZE EXPLOITABLE VULNERABILITIES


DATA THEFT and data leaks are so common today that many people just expect one to happen to them at some point in their lives. There are so many different pieces of technology that connect to the internet in a variety of ways that it’s relatively easy for cybercriminals to find a vulnerability somewhere in the chain and exploit it. “Leaky applications” are one area where cybercrime is booming. When an app is leaky, it means that the app can either be used as a gateway to attack other systems or as a target for an attack in its own right. For example, an attacker might use a vulnerability in an app to steal credentials that can be used to log in to a more valuable system, or they may just use that vulnerability to get into the app itself and essentially hijack it.

When trying to determine whether leaky apps are a problem, all you have to do is look at how much mobile device usage has grown over the past few years and how many apps ship with vulnerabilities from the start. For its 2016 Mobile Security Report, NowSecure analyzed more than 400,000 applications that were available on the Google Play store and gathered some interesting and concerning statistics. As far as usage is concerned, mobile device users spend more than 87% of their time on the device accessing applications, and when it comes to the devices themselves, 74% of organizations either already have policies in place or will put policies in place in the near future to allow BYOD and personally owned devices in the workplace. Those statistics on their own don’t illustrate a problem and in fact just reflect how businesses are going mobile and being more flexible when it comes to how devices are used. The problem is that NowSecure’s study also found that 24.7% of mobile apps had at least one high-risk security flaw; 50% of popular applications sent data, including phone numbers, location information, and more, to advertising networks; and 10.8% of all applications analyzed actually leaked sensitive information over a connected network. Add to this the fact that business applications are three times more likely than other types of applications to leak log-in credentials, and you have too many attack vectors for businesses to realistically keep track of.

Fortunately, enterprises have new methodologies they can put in place to prevent vulnerabilities from ending up in released applications. If vulnerabilities are discovered once the app is actually in production, there are even ways to patch them on the fly or quarantine certain vulnerabilities for a brief period to give the business time to react. However, the first place you need to start when thinking about leaky apps is to understand that the types of attacks on those apps are always evolving and difficult to track.
Be Aware Of New Attack Types

In the early days of leaky applications, when they were first discovered a few years ago, the concept primarily centered on games. In fact, today, according to NowSecure, games are still 1.5 times more likely to have a high-risk vulnerability than other applications. This is especially concerning for companies that allow personally owned devices in the workplace, because there’s a good chance they will have games installed. If a cybercriminal were able to get to the phone through that gaming application, then she could grab hold of any data stored on the device or any data the device has access to.

This idea of hijacking a mobile device, a computer, or an account falls right into the area of ransomware, which is where a cybercriminal locks a user out of an important system and forces that party to pay a fee to regain access. The problem with ransomware is that attackers in that space don’t discriminate based on size. “Ransomware is transactional cybercrime, and what I mean by that is that it’s a business that’s characterized by a large number of small to medium-sized transactions,” says Doug Cahill, senior analyst at Enterprise Strategy Group. “The ransoms aren’t typically huge. Sometimes they do get into seven figures, but very often they’re a couple thousand dollars or $10,000. It depends on the target, but what that means is that organizations of all sizes are at risk. Even if you’re an SMB, you’re still subject to ransomware.”

When it first started, ransomware typically made its way onto a system via web or email, but Cahill says that attackers are more often using applications, and especially cloud apps, to inject malware. The reason for this is that organizations and their employees have gotten better at spotting potential spear-phishing schemes and socially engineered emails, which means attackers are having to find new ways to get in. One way to do this is using file-sharing services, which often have mobile app counterparts that can cause multiple problems if credentials are stolen.

“Let’s say you and I talk once every month and you get an email from me that says ‘Hey, I talked to you a couple weeks ago about leaky applications and I put together a presentation on it that you can get from here,’” says Cahill. “You’re conditioned to get content from Dropbox and get emails from not only colleagues that work in the same organization, but also third parties. That’s now being used as a way to introduce ransomware into the environment.”

What makes this worse is that many enterprise file-sync-and-share services use what Cahill calls a “one-to-many sync dynamic,” which means that many people have their tablets, smartphones, and laptops all set up to automatically sync to a cloud folder. If that system is being used by the entire enterprise, then multiple users may have information in that same folder. “If I can successfully insert a piece of ransomware or another type of malware into that cloud storage folder, I get a one-to-many effect because all of you have configured auto-sync,” says Cahill. “When I spear-phish, I get it into one place, but if I do it via file sync and share, I can potentially infect multiple devices at once.”
Learn How To Identify Leaky Apps

To spot vulnerabilities in applications that may lead to data leaks, start by keeping all of your technology updated. Cahill points out that applications aren’t the only leaky systems. Other possibilities include browsers, browser plug-ins, and even entire operating systems. “If you think about how much time we all spend in a web browser, that’s probably the first thing is to make sure you’re patching regularly and make sure you’re patching the plug-ins that are used within a browser,” says Cahill. “We’re constantly getting messages to update Flash. Ideally, you’re running client software that automatically updates itself. That would be sort of step one is to configure auto-update.”

Another important step in identifying leaky apps is to have some form of vulnerability management solution in place that “correlates software running in a production environment with a list of known vulnerabilities.” MITRE, for example, has its CVE (Common Vulnerabilities and Exposures) database that is free and open to the public and can be used to find potential vulnerabilities in software. Rapid7 and Tenable also offer solutions in this space that are meant to continuously scan environments and applications for vulnerabilities, and some even scan operating systems to make sure there are no vulnerabilities at that level.
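The correlation step described above, as an added example that is not the article’s code nor that of any vendor it names: a constructed software inventory is matched against constructed vulnerability records (placeholder identifiers, not real CVE entries) using introduced/fixed version ranges, and inventory spellings such as “2.4” and “2.4.0” are treated as the same version.

```python
"""Correlate software running on hosts with a list of known vulnerabilities,
the step the article describes for a vulnerability management solution.
Added example, not code from the article or from any vendor it names.
The inventory and the vulnerability records are constructed placeholders;
the identifiers are not real CVE entries."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """'2.4.10' -> (2, 4, 10). Trailing zeros are dropped so that
    '2.4' and '2.4.0' compare equal (a common inventory inconsistency)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class Vulnerability:
    ident: str          # placeholder id, constructed for this example
    product: str
    introduced: str     # first affected version (inclusive)
    fixed: str | None   # first fixed version (exclusive); None = no fix yet
    severity: str


def is_affected(version: str, vuln: Vulnerability) -> bool:
    """True when introduced <= version < fixed (or when no fix exists)."""
    v = parse_version(version)
    if v < parse_version(vuln.introduced):
        return False
    return vuln.fixed is None or v < parse_version(vuln.fixed)


def correlate(inventory, vulns):
    """Return sorted (host, product, version, vuln id, severity) findings.
    Product names are matched case-insensitively."""
    by_product: dict[str, list[Vulnerability]] = {}
    for vu in vulns:
        by_product.setdefault(vu.product.lower(), []).append(vu)
    findings = []
    for host, product, version in inventory:
        for vu in by_product.get(product.lower(), []):
            if is_affected(version, vu):
                findings.append((host, product, version, vu.ident, vu.severity))
    return sorted(findings)


def summarize(findings) -> dict[str, int]:
    """Count findings per severity, for prioritising patch work."""
    return dict(Counter(f[4] for f in findings))


# Constructed production inventory: (host, product, version).
INVENTORY = [
    ("web-01", "exampled", "2.4.7"),
    ("web-02", "exampled", "2.4.12"),
    ("app-01", "libwidget", "1.0"),
    ("app-02", "LibWidget", "1.0.0"),
    ("db-01", "storemax", "9.3"),
]

# Constructed vulnerability feed (placeholder ids, not real CVEs).
VULNS = [
    Vulnerability("VULN-EXAMPLE-0001", "exampled", "2.4.0", "2.4.10", "high"),
    Vulnerability("VULN-EXAMPLE-0002", "libwidget", "1.0", None, "critical"),
    Vulnerability("VULN-EXAMPLE-0003", "storemax", "9.4", "9.5", "medium"),
]

if __name__ == "__main__":
    for finding in correlate(INVENTORY, VULNS):
        print("%-6s %-9s %-7s %s (%s)" % finding)
    print(summarize(correlate(INVENTORY, VULNS)))
```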

Employ A DevSecOps Philosophy

Although individual solutions are great, especially when it comes to vulnerability scanning, companies will need to adopt entirely new security philosophies and methodologies to keep up with threats and prevent the release of leaky apps. Cahill says that most organizations are moving toward this concept of Agile software development, which includes facets of DevOps, as a way to more quickly develop, test, and deliver applications. This may sound dangerous, as if it might actually introduce more vulnerabilities, but Cahill chooses to have a more optimistic outlook where companies can add security into their DevOps strategies and start to embrace a DevSecOps mindset with “continuous everything,” including continuous testing, integrating, monitoring, and security.

“Application security (AppSec) is one of those security best practices and controls that should be part of DevSecOps,” Cahill says. That involves checking for coding practices, or scanning for vulnerabilities getting introduced at the time of software development, so bad code doesn’t get delivered. “We want to be checking for bad code before it goes into production, so we should be applying application security things like code scanning, which is doing static analysis of code before it gets delivered to production. It’s amazing that more people don’t do this, because software vulnerability is one of the most common attack methods. Once it goes into production and is out in the wild, then it’s vulnerable.”

Even with this idea of scanning for vulnerabilities throughout the process of developing an application, Cahill says you won’t be able to catch every vulnerability before the app goes into production, but you will be able to catch some of them. That’s why he stresses that companies should consider putting a solution in place that not only integrates with your development tools and your development environments but also one that can automatically perform the scanning to truly fit into the DevOps methodology. Solutions from vendors such as Veracode, Threat Stack, and Trend Micro can handle this type of scanning both internally and in the cloud. Of course, even with these solutions, you aren’t going to catch all vulnerabilities, which is why you may want to consider taking advantage of other technologies that make it easier to patch applications or at least prevent vulnerability exploits while you work on a patch.

“There’s an approach called virtual patching,” says Cahill. “Let’s say I have a vulnerability in production, but I don’t want to patch it yet because I don’t want to bring it down, but I want to protect against any exploits that take advantage of that vulnerability. What you’re doing is running software that is doing behavior analysis and looking for exploits. I know an exploit will behave this way, so I’m going to look for software that behaves this way, and if I see it, I’m going to prevent it. That allows me to buy some time before I have to actually patch the vulnerability.”

In the end, no single solution is going to prevent all apps from leaking data, so you’ll need to take a multilayered approach that includes vulnerability scanning and automatic patching, but also foundational security concepts such as encryption, firewalls, and good old-fashioned policy. DevSecOps is a great model for including security throughout the entire application development process, but you also need to expand that concept to the organization as a whole. If you can put security first in all things, then you should be able to deal with leaky applications and vulnerabilities as they come along.
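To make the virtual-patching idea above concrete, here is an added example (not from the article or any vendor it names) built on a constructed in-memory file store: a download handler with a path-traversal defect, a request filter that blocks the exploit shape in front of it, and the real fix. It also shows why the filter only buys time: a request the rule was not written for still reaches the defect.

```python
"""Virtual patching: a request filter that rejects exploit-shaped input in
front of a handler with a known defect, buying time until the real fix
ships.  Added example, not code from the article or from any vendor it
names; the file store, paths and rule below are constructed."""
from __future__ import annotations

import posixpath
import re
from typing import Callable
from urllib.parse import unquote

# Constructed in-memory "filesystem": only /srv/public is meant to be served.
FILES = {
    "/srv/public/index.html": "<h1>welcome</h1>",
    "/srv/public/docs/guide.txt": "how to use the app",
    "/srv/secret/config.txt": "db_password=constructed-example",
}
PUBLIC_ROOT = "/srv/public"

Response = tuple[int, str]
Handler = Callable[[str], Response]


def vulnerable_download(requested: str) -> Response:
    """Defective production handler: joins user input to the root and never
    checks that the result stays under PUBLIC_ROOT (path traversal)."""
    path = posixpath.normpath(posixpath.join(PUBLIC_ROOT, requested))
    return (200, FILES[path]) if path in FILES else (404, "not found")


def fixed_download(requested: str) -> Response:
    """The real fix: canonicalise, then refuse anything outside the root,
    whatever shape the request took."""
    path = posixpath.normpath(posixpath.join(PUBLIC_ROOT, requested))
    if path != PUBLIC_ROOT and not path.startswith(PUBLIC_ROOT + "/"):
        return 403, "forbidden"
    return (200, FILES[path]) if path in FILES else (404, "not found")


# Behavioural signature of the known exploit: a parent-directory step in the
# URL-decoded request, written as a rule the way a WAF would express it.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def virtual_patch(handler: Handler, blocked: list[str]) -> Handler:
    """Wrap a handler so requests matching the exploit signature are rejected
    before they reach the vulnerable code.  Decodes once so '%2e%2e/' is
    caught along with the literal form; blocked requests are appended to
    `blocked` for the incident log."""
    def guarded(requested: str) -> Response:
        if TRAVERSAL.search(unquote(requested)):
            blocked.append(requested)
            return 403, "blocked by virtual patch"
        return handler(requested)
    return guarded


def run_scenarios() -> tuple[dict[str, Response], list[str]]:
    """Exercise the three handlers; returns (results, blocked requests)."""
    log: list[str] = []
    guarded = virtual_patch(vulnerable_download, log)
    results = {
        "vulnerable/traversal": vulnerable_download("../secret/config.txt"),
        "patched/traversal": guarded("../secret/config.txt"),
        "patched/encoded": guarded("%2e%2e/secret/config.txt"),
        "patched/legit": guarded("docs/guide.txt"),
        # Absolute paths are a second exploit shape the rule does not cover:
        # the virtual patch passes it through and the defect still leaks.
        "patched/absolute": guarded("/srv/secret/config.txt"),
        "fixed/traversal": fixed_download("../secret/config.txt"),
        "fixed/absolute": fixed_download("/srv/secret/config.txt"),
        "fixed/legit": fixed_download("docs/guide.txt"),
    }
    return results, log


if __name__ == "__main__":
    outcome, blocked = run_scenarios()
    for name, (status, body) in outcome.items():
        print(f"{name:22s} {status} {body}")
    print("blocked by virtual patch:", blocked)
```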


“As part of that hand-off between Agile software development and DevOps, you can incorporate doing application security tests, looking for vulnerabilities, and doing code scanning before it goes into production, and you can automate it, which is what DevOps is all about. It’s moving fast vis-à-vis automation. So we’re talking about leaky apps. What if you try to plug some of the leaks before you even get into production? That’s really the essence of adding application security as part of your DevOps methodology.”

DOUG CAHILL
Senior Analyst
Enterprise Strategy Group

Difference between reverse shell and bind shell

Reverse shells are useful for issuing commands to a remote client when the client is behind something, such as a NAT. You might say: "But can't a normal shell or a simple SSH tunnel do the same thing?" No, it can't.

Reverse Shell
A reverse shell connects to a remote computer by sending its shell to a specific user, instead of binding to a port, which would be unreachable in many circumstances. This allows root commands on the remote server.

Bind Shell
This is when a user uses BASH and binds to a local port where anyone can issue commands to the local network. They are commonly used for nefarious purposes: for example, after a hacker gains root access to a server, they will probably set up a reverse shell so that they have easy access to the computer for future use.
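As an added defender-side example, not part of the original post: the distinction above can be applied to host telemetry by looking at which shell processes own sockets. A shell holding a listening socket is the bind-shell shape; a shell holding an outbound established connection (the direction that crosses a NAT, as the post notes) is the reverse-shell shape. The key=value record format and every sample line are constructed.

```python
"""Triage shell processes that own network sockets into bind-shell and
reverse-shell candidates from host telemetry.  Added defender-side example,
not part of the original post; the 'key=value' record format and every line
in SAMPLE are constructed (203.0.113.0/24 and 198.51.100.0/24 are
documentation address ranges)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address

# Interpreters that should rarely own a socket themselves: an interactive
# shell under sshd, for instance, inherits no socket (sshd holds it).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "cmd.exe", "powershell.exe"}


@dataclass(frozen=True)
class SocketRecord:
    pid: int
    comm: str      # process name
    state: str     # LISTEN, ESTABLISHED or '-' for no socket
    local: str     # 'ip:port' or '-'
    remote: str    # 'ip:port' or '-'


def parse_record(line: str) -> SocketRecord:
    """Parse one constructed telemetry line of space-separated key=value pairs."""
    fields = dict(part.split("=", 1) for part in line.split())
    return SocketRecord(int(fields["pid"]), fields["comm"], fields["state"],
                        fields["local"], fields["remote"])


def endpoint_host(endpoint: str) -> str | None:
    """'203.0.113.9:8443' -> '203.0.113.9'; '[::1]:22' -> '::1'; '-' -> None."""
    if ":" not in endpoint:
        return None
    host, _, _ = endpoint.rpartition(":")
    return host.strip("[]")


def classify(rec: SocketRecord) -> str | None:
    """Bind shell: a shell listening for inbound commands.  Reverse shell: a
    shell that itself connected out to a remote peer (the direction that
    crosses NAT).  Loopback peers and non-shell processes are ignored."""
    if rec.comm.lower() not in SHELLS:
        return None
    if rec.state == "LISTEN":
        return "bind-shell-candidate"
    if rec.state == "ESTABLISHED":
        host = endpoint_host(rec.remote)
        if host is not None and not ip_address(host).is_loopback:
            return "reverse-shell-candidate"
    return None


def triage(lines):
    """Return (pid, comm, verdict, endpoint) for every flagged record."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        verdict = classify(rec)
        if verdict is None:
            continue
        endpoint = rec.local if verdict.startswith("bind") else rec.remote
        findings.append((rec.pid, rec.comm, verdict, endpoint))
    return findings


# Constructed sample: one bind-shell shape, one reverse-shell shape, and
# four benign records that the rules must leave alone.
SAMPLE = [
    "pid=402 comm=sshd state=LISTEN local=0.0.0.0:22 remote=-",
    "pid=1187 comm=bash state=LISTEN local=0.0.0.0:31002 remote=-",
    "pid=1342 comm=sh state=ESTABLISHED local=10.0.0.15:49822 remote=203.0.113.9:8443",
    "pid=1510 comm=bash state=ESTABLISHED local=127.0.0.1:41000 remote=127.0.0.1:5432",
    "pid=1611 comm=python3 state=ESTABLISHED local=10.0.0.15:50100 remote=198.51.100.4:443",
    "pid=1700 comm=bash state=- local=- remote=-",
]

if __name__ == "__main__":
    for pid, comm, verdict, endpoint in triage(SAMPLE):
        print(f"pid {pid} ({comm}): {verdict} via {endpoint}")
```

A verdict here is a triage lead, not proof: an administrator's own listener or a legitimate outbound tool wrapped in a shell will also match, so the flagged PIDs need a look at the process tree and command line before any action.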

Sophos Cloud


Saturday, October 22, 2016

Economics of Cybersecurity - Michael Van Eeten


IS VIRTUAL REALITY THE FUTURE OF TELEVISION?

Despite long being a sceptic, Olly Mann has changed his view on virtual reality—a little bit
The Future Of An Illusion

That’s probably not a question that keeps you awake at night. But, as technology columnist for this auspicious publication, I get asked it a lot. Last month, I would have answered with an assured and arrogant “No!” To underline my point, I might have added a dismissive wave of my palm. I would tell you that this much-hyped technology will alter the world of gaming, for sure, and perhaps also change the way viewers experience, erm, “adult” entertainment. But if you’re asking me to imagine a world ten years hence, in which families slob around with individual plastic helmets on, each watching VR versions of Mob Wives…fuhgeddaboudit.

But then, lured by free croissants, I attended the Edinburgh International Television Festival, the shindig for Britain’s TV industry, and was taken aback by how much multinational moolah is being splurged on this new dawn. As the great and the good (and the not-so-good, who make Jeremy Kyle) entered the conference hall, they were met with three VR displays. One was set up by YouTube: perhaps to be expected, as they’re a tech company. The second was a showcase for Sky: again, not surprising, as they have a track record of investing early in developing technology. But the third display—the biggest, in fact—was hosted by the BBC.

That’s right. Good old Auntie Beeb. On their stand, delegates could don an aforementioned ludicrous plastic headset (first removing their industry-standard square-rimmed spectacles) and enjoy such public-service delights as the Trooping of the Colour, a tour of the underground quarry at the Pantheon, or David Attenborough poking around a giant dinosaur’s skeleton, all in glorious 360-degree vision.

This, I admit, gave me pause. If the BBC are chucking licence-fee money at capturing big-ticket events in surround vision, they are obviously anticipating that much of the general public, eventually, will watch it. So I tried it out: CNN let me have a play with their demo headset, which featured immersive footage filmed at the International Space Station, at a bullfight in Spain and amid a protest outside a courtroom.

Suddenly I didn’t feel like I was merely watching a news broadcast, but rather that I was actually present at an event, liberated to look where I wished. I could turn side-to-side, up and down, and explore exotic locales as if I was really there. It was impressive. It made me wonder, though, about the taste and decency issues this raises. Is it appropriate to film, say, the Syrian civil war, in a way that makes viewers feel like they’re “part of it”? At what point might that approach tip over into voyeurism, rather than news coverage; a luxury entertainment for those of us lucky enough to not actually live in a war zone? Viewers might feel guiltier still if they understood that to capture such images the filmmakers must rig up dozens of cameras—all rather more intrusive than a typical photojournalist’s kit.

Even if viewers are untroubled by such ethical discomfort, physical discomfort might cause other concerns. After just a few minutes with a VR headset on, my nose became squished, my eyes were straining and I felt nauseous. Hardly a premium viewing experience.

VR headsets also fail my Doofus Test, which goes like this: if you feel like a doofus when you wear a product, it will never go mainstream. For previous examples, see 3D TV (I don’t want to put sunglasses on in my lounge, I feel like a doofus) and smartwatches (I don’t want text notifications flashing on my wrist, I feel like a doofus). While donning a VR headset in a museum, art gallery or cinema feels fun, doing it at home, in front of your children, makes you feel like a doofus. It fails the Doofus Test.

But they have a favourite saying in the TV industry: “Content Is King”. (It’s not as popular as “Can we edit this faster?”, “Pass me the drugs”, or “Can we get Holly Willoughby?”, but it’s right up there.) What it means is: viewers don’t care what technology is used to deliver the good stuff they want to watch; they just want good stuff to watch. And the content being captured for VR is, as I discovered, really good stuff—an extra layer of detail that otherwise you’d never be able to experience.

So is VR the future of TV? I have a new answer to that question! It’s this: as more of us realise we can access VR footage on Facebook and YouTube by using our smartphones, moving them around in our hands, without the need for silly headsets that make us feel like a doofus, it will become increasingly popular to explore VR on a “second screen” at the same time as watching traditional TV, or shortly afterwards—rather like re-watching DVDs with the director’s commentary turned on, or seeking out a Wikipedia entry about your favorite TV show while you watch.
Bet you’re glad you asked.


THINGS THAT GO BUMP IN THE NIGHT
Most movie taglines do a good job of selling and promoting the film.
Some horror flicks, however, don’t even try:
Scared Stiff (1953)
“They’re making a spook-tacle of themselves!”
Werewolf (1996)
“Rest in...beast”
Killer Klowns from Outer Space (1988)
“In space, no one can eat ice cream...”
Happy Birthday to Me (1981)
“John will never eat shish kebab again”
The Day of the Dolphin (1973)
“Unwittingly, he trained a dolphin to kill the President of the United States”
Miner’s Massacre (2002)
“They axed for it!”
The Pit (1981)
“Down in the pit there’s something alive. Half-human. Half-monster.
Half-crazed. Pray to God it only kills you”
Black Christmas (2006)

“This holiday season, the slay ride begins”

Pattern finder

PATTERN FINDER
Each cube’s number is the sum
of the two numbers on the cubes
below it to the left and the right.
The missing numbers, from top
to bottom and left to right, are 41,
25, 5, 14, 2 and 6.

Friday, October 21, 2016

Cyber Insecurity - Time Magazine

http://time.com/4525957/2016-election-internet-security/

Cyber Insecurity


Bruce Schneier
Oct. 13, 2016


Translated by Afonso Henrique Rodrigues Alves


On today’s Internet, a lot of power is concentrated in the hands of a few. In the early days of the Internet, individuals were empowered. Now governments and corporations hold the balance of power. If we want to leave a better Internet for the next generations, governments need to rebalance the power of the Internet back toward the individual. This means several things.

First, less surveillance. Surveillance has become the business model of the Internet, and one that is attractive to governments around the world. Although computers can easily collect data and aggregate it into networks of knowledge, governments must do more to ensure that any surveillance is exceptional, transparent, regulated and targeted. It is a difficult task; governments such as that of the US need to overcome their own desire for mass surveillance and, at the same time, implement regulations to curb the ability of corporations to do the same.

Second, less censorship. The early days of the Internet were free of censorship, but no longer. Many countries censor the Internet for a variety of political and moral reasons, and many social media platforms do the same thing for commercial reasons. Turkey censors anti-government political speech; many countries censor pornography. Facebook censors both nudity and videos of police brutality. Governments should commit to the free flow of information, and thus make it harder for others to censor.

Third, less propaganda.
One of the side effects of free speech is wrong speech. This naturally corrects itself when everyone can speak, but an Internet with centralized power is one that invites propaganda. For example, China and Russia actively use propagandists to influence public opinion on social media.
The more governments fight propaganda in all its forms, the better off we become.

And fourth, less control. Governments need to ensure that our Internet systems are open and not closed, that neither totalitarian governments nor big companies can limit what we do with them. This includes limits on what the applications you run or buy for your smartphone do with the files they collect.

Control inhibits innovation: technical, commercial and social.

Solutions require corporate regulation and international cooperation. They require Internet governance to remain in the hands of global communities of engineers, companies, civil society groups and Internet users. They require governments to be more agile in the face of a constantly evolving Internet. And they will result in more power and control for the individual and less for powerful institutions. This is how we build an Internet that enshrines the best of our societies, and this is how we will keep it that way for future generations.

Schneier is a security expert and the author of Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.

President Obama talks about the danger of Artificial Intelligence, cyber security and more.

Translated by Afonso Henrique Rodrigues Alves



Interesting interview:

Obama’s remarks:
Traditionally, when we think about security and protecting ourselves, we think in terms of armor or walls. Increasingly, I find myself looking at medicine and thinking about viruses, antibodies. Part of the reason cyber security continues to be so hard is that the threat is not a handful of tanks rolling at you, but a whole set of systems that may be vulnerable to a “worm.” That means we have to think differently about our security, make different investments that may not be as pleasant but may actually end up being as important as anything else.
I spend a lot of time worrying about things like pandemics. You can’t build walls in order to stop the next lethal airborne flu from spreading on our shores. Instead, what we have to be able to do is set up systems to build public health systems in all parts of the world, activate triggers that tell us when we see something emerging, and put rapid protocols in place, making sure we have a system that allows us to make vaccines much more effective. So if you take a public health model, and you think about how we can deal with, you know, the problems of cyber security, we then end up being pointed toward thinking about the threats of Artificial Intelligence.


Tags: cybersecurity, epidemiology, national security policy

Wednesday, October 19, 2016

Kevin Beaumont - Security Architect - IT Security - good reference

https://twitter.com/GossiTheDog

Kevin Beaumont

@GossiTheDog


I tweet the weird stuff. Security Architect. Views do not represent my workplace - in fact, they represent the views of the Khajiit.

IT Security, from the trenches of reality. Liverpool, UK based. Email kevin.beaumont@gmail.com | Twitter: @gossithedog on Twitter.


Wednesday, October 12, 2016

Podcast from CERT

http://www.cert.org/podcasts/

Practicing strong information and cybersecurity is a nonnegotiable requirement for organizations doing business today. However, building security into an existing corporate culture is a complex undertaking. This series of podcasts provides both general principles and specific starting points for business leaders who want to launch an enterprise-wide security effort or make sure their existing security program is as good as it can be.


Podcast about cyber security, in English.

https://securityintelligence.com/media/

Podcast from IBM - very good!

Rich Tennant - blowholes...


Cyber warfare: from attribution to deterrence

Posted in General Security on October 3, 2016

Pierluigi Paganini – author
Translated by Afonso Henrique Rodrigues Alves

Introduction

The number of cyber attacks continues to increase, as do the offensives carried out by state-sponsored hackers against governments around the world.
Security experts often use the term "information warfare" to refer to virtual disputes between states. A cyber attack can cause physical damage like a military attack; that is, nation-state actors act according to specific strategies against the critical infrastructure of their enemies.

Cyber disputes are covert and asymmetric: in most cases nation-state actors launch non-lethal attacks against adversaries' information systems, for both sabotage and cyber espionage, and this marks the rise of information warfare.

Cyber warfare is becoming more dominant and progressive in the period after the Second World War.

Which global actors benefit the most from this capability?

The development of offensive cyber warfare capabilities by smaller states against the so-called "superpower states", which have greater warfare capabilities, gives them a strategic advantage and is rapidly shifting the balance of power in their favor.

Information warfare is attractive to almost any government because of its low cost of development and deployment, its minimal visibility during the development and mobilization of a weapon, the difficulties of attribution, the possibility of attacking also in "peacetime", and the heavy dependence of the so-called superpowers on their critical infrastructure.

What is the definition of information warfare?

There are many definitions for a term that is still not clear to the media. Dan Kuehl of the National Defense University defines information warfare as the "conflict or struggle between two or more groups in the information environment."

This means the term could be used to refer to any action to deny, exploit, corrupt or destroy the enemy's information environment and its operations.

The basic concept behind information warfare is the so-called "cyber capability": the ability of a cyber army to protect its systems from cyber attacks or, conversely, to be able to launch cyber attacks against a target and achieve the desired results.

Almost every government in the world is investing billions in developing this kind of capability. The United States, the United Kingdom, Israel, China and Russia are considered the most advanced countries, but recently governments such as Iran and North Korea have been entering the cyber arena forcefully.

Going deeper into the analysis of the term Information Warfare, we can observe that the cyber capabilities mentioned by military experts are a combination of hacking techniques, electronic warfare, cyber warfare and psychological operations (PSYOPs).

Is our infrastructure resilient to cyber attacks? Which countries are most resilient against cyber attacks?

We are all vulnerable to cyber attacks; the growth of our attack surface exposes our systems to a wide range of cyber threats, and nation-state actors know it.

The World Economic Forum shared interesting data on governments and their resilience to cyber attacks. It is the Global Cybersecurity Index (GCI), a multi-stakeholder initiative to measure countries' commitment to cybersecurity. Each country's level of development is analyzed across five categories: legal measures, technical measures, organizational measures, capacity building and cooperation.

"The project is the result of an intensive and first-of-its-kind research effort by both the ITU and ABI Research. National-level surveys, complemented by in-depth qualitative research, were sent to all ITU Member States. Information was collected on laws, regulations, CERTs and CIRTs, policies, national strategies, standards, certifications, professional training, awareness and cooperative partnerships. The aim of the GCI is to provide a quick overview of where countries stand in their national-level engagement on cybersecurity," reads the report titled "Global Cybersecurity Index and Cyberwellness Profiles."



Figure: main causes of data breaches reported to the California Attorney General in 2014.


DXXD ransomware displays a legal notice and encrypts files on unmapped network shares


October 12, 2016 by Pierluigi Paganini

Translated by Afonso Henrique Rodrigues Alves

http://securityaffairs.co/wordpress/52194/malware/dxxd-ransomware.html

The DXXD ransomware specifically targets servers and is able to encrypt files on network shares even when they are not mapped.
Malware keeps evolving; the latest threat in order of time to implement a singular feature is the DXXD ransomware. The peculiarities of this threat are that it also encrypts files on network shares even when they are not mapped (a feature already implemented by the Locky ransomware) and that it displays a legal notice.
The DXXD ransomware appends the .dxxd extension to encrypted files and then drops a ransom note on the infected machine. The DXXD ransom note instructs victims to contact rep_stosd@protonmail.com or rep_stosd@tuta.io to recover the encrypted files.
Another interesting feature of the malware is its ability to set a Windows Registry value in order to display a sort of "legal notice" when people log on to the computer. The VXers use this feature so that any user who tries to access the server will see the ransom note.
The DXXD ransomware changes the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption registry value and the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText value to display the following note.
"At startup of Windows, Windows Defender works to help protect your PC by scanning for malicious or unwanted software."

The infection vector is still unclear; Abrams speculates that the threat is spread by abusing Remote Desktop Services.
"Based on information discovered, I believe the ransomware developer hacks into servers using Remote Desktop Services and brute-force attacks. If you have been affected by the DXXD ransomware, you should reset all passwords for the affected machine," wrote Lawrence Abrams.
According to Abrams, the author of the DXXD ransomware decided to taunt victims and the experts who help them by creating an account on BleepingComputer and claiming that a newer version of the threat is harder to decrypt. The developer also claimed to have exploited a zero-day vulnerability to compromise servers and deliver the malware.

As usual, let me discourage everyone from paying the ransom, because there is no guarantee that you will get your files back. Don't forget to back up your data frequently and to use anti-malware solutions. In this specific case, it could be better to disable Remote Desktop Protocol (RDP) and to block files from executing from the AppData/LOCALAPPDATA folders.
Pierluigi Paganini
(Security Affairs - DXXD ransomware, malware)
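A defender-side check for the indicators the article describes (the Winlogon legal-notice values, the .dxxd extension on unmapped shares, and RDP exposure), written as an added example that is not part of Paganini's article or the linked post; the share path is a constructed placeholder and the script assumes local administrator rights on the server being checked. A non-empty legal-notice value is only suspicious where your organization does not set its own logon banner, so compare it with the text you expect.

```powershell
# Added example, not code from the article. Run on the Windows server under
# investigation as an administrator. Returns one row per finding.
function Test-DxxdIndicators {
    param(
        # Constructed placeholder; replace with the UNC paths your server reaches.
        [string[]]$SharePaths = @('\\fileserver\data')
    )
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $findings = @()

    # 1. DXXD sets both Winlogon legal-notice values so the note is shown at logon.
    #    A value your organization did not configure is the indicator.
    $props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
        $value = $props.$name
        if (-not [string]::IsNullOrWhiteSpace($value)) {
            $findings += [pscustomobject]@{
                Indicator = "Winlogon\$name"
                Detail    = $value
            }
        }
    }

    # 2. Files renamed with the .dxxd extension. UNC paths are checked directly,
    #    because the article's point is that unmapped shares are encrypted too.
    foreach ($path in $SharePaths) {
        if (Test-Path -LiteralPath $path) {
            Get-ChildItem -LiteralPath $path -Recurse -File -Filter '*.dxxd' -ErrorAction SilentlyContinue |
                Select-Object -First 20 |
                ForEach-Object {
                    $findings += [pscustomobject]@{ Indicator = 'dxxd-file'; Detail = $_.FullName }
                }
        }
    }

    # 3. RDP state, since Abrams suspects brute-forced Remote Desktop as the entry
    #    point. fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        $findings += [pscustomobject]@{ Indicator = 'rdp-enabled'; Detail = 'fDenyTSConnections=0' }
    }

    return $findings
}

Test-DxxdIndicators | Format-Table -AutoSize
```

An empty result only means these three indicators are absent; the password reset and backup advice in the article still applies to any server that was reachable over RDP.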

Playing Through the Pain – The Impact of Secrets and Dark Knowledge on Security and Intelligence Professionals



Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact on life, work, and relationships of building a different map of reality than "normal people" use. One has to calibrate narratives to what another believes. One has to live defensively, warily. This causes at the least cognitive dissonance which some manage by denial. But refusing to feel the pain does not make it go away. It just intensifies the consequences when they erupt.
Philip K. Dick said, reality is that which, when you no longer believe in it, does not go away. When cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one's peril. But the very constraints of one's work often make it impossible to speak aloud about those symptoms, because that might threaten one's clearances, work, and career. And whistle blower protection is often non-existent.
The real cost of security work and professional intelligence goes beyond dollars. It is measured in family life, relationships, and mental and physical well-being. The divorce rate is as high among intelligence professionals as it is among medical professionals, for good reason – how can relationships be based on openness and trust when one's primary commitments make truth-telling and disclosure impossible?
One CIA veteran wrote: "I was for a while an observer to the Personnel Management working group in the DO. I noted they/we were obscenely proud of having the highest rates of alcoholism, adultery, divorce, and suicide in the US Government. I personally have 23 professional suicides in my mental logbook, the first was an instructor that blew his brains out with a shotgun when I was in training. The latest have tended to be senior figures who could not live with what they knew."
Richard Thieme has for years listened to people in pain because of the compelling necessities of their work, the consequences of their actions, the misfiring of imperfect plans, and the burdens of soul-wrenching experiences. Thieme touched on some of this impact in his story, "Northward into the Night," published in the Ranfurly Review, Big City Lit, Wanderings and Bewildering Stories before collection in "Mind Games." The story illuminates the emotional toll of managing multiple personas and ultimately forgetting who you are in the first place.
The bottom line is, trauma and secondary trauma have identifiable symptoms and they are everywhere in the "industry." The "hyper-real" space which the national security state creates by its very nature extends to everyone too, now, but it's more intense for professionals. Living as "social engineers," always trying to understand the other's POV so one can manipulate and exploit it, erodes the core self. The existential challenge constitutes an assault on authenticity and integrity. Sometimes sanity is at stake, too, and sometimes, life itself.

We might as well begin our discussion with reality. Choosing unreality instead means we have to spend energy and time on a trek from unreality to reality simply to begin. This talk is about reality – the real facts of the matter and strategies needed for effective life-serving responses, a way to manage the paradoxical imperatives and identity-threatening pressures of our lives and work.



Richard Thieme


Cartoons about Cyber Security - IBM Information Security

https://securityintelligence.com/online-safety-tips-ncsam-lessons-week-one/?linkId=29775011

Illustrations by Nathan Salla
Translation - Afonso Henrique Rodrigues Alves





Remote Hybrid and Office work