The good news from Yahoo

Yahoo has just acknowledged the theft of information relating to more than 1 billion customer accounts … in 2013. Yes, 3 years ago.

Faced with this situation, different interpretations can be found: either, because of the analysis of the incident they suffered in 2014 (which they reported in September), they extended the forensic analysis of what happened backwards and discovered that in 2013 they had suffered the largest information theft ever suffered by a single company, or they already knew it and decided to report it now, before the news leaked out through another source. I can even think of a third possibility (and maybe one of you could think of a fourth): that it was a malicious leak now that Verizon is formalizing a bid for Yahoo.
[Read more…]

The Russian ICC (IV): A bit of history: FAPSI

When talking about Russia in the area of cybersecurity or, more specifically, information warfare, we must necessarily mention the FAPSI (Federal Agency of Government Communication and Information), operative between 1991 and 2003 and considered the Russian equivalent of the US NSA (Roland Heickerö, Emerging Cyber Threats and Russian Views on Information Warfare and Information Operations. FOI, Swedish Defence Research Agency, March 2010), which inherited the attributions and capabilities of the 8th (Encryption) and 16th (Decryption and Interception) General Directorates of the KGB. Among its functions were ciphering (cryptology and cryptanalysis), the interception of communications and even incident response capabilities as a CERT. In 2003 this powerful agency was dissolved by the Russian government, possibly because of corruption, although this also shows that an agency with more than 50,000 people was becoming a great uncontrollable monster, as the KGB had in its day. After being transformed into the Special Information and Communications Service, an agency heir to the FAPSI that lasted only five months, its attributions were distributed among the four large Russian services: the GRU and the KGB derivatives SVR, FSB and FSO. Each of these services has different attributions, although they obviously share capabilities, information, tactics or interests … or compete among themselves. In fact, in his Putin’s Hydra: Inside Russia’s Intelligence Services (European Council on Foreign Relations, May 2016), Mark Galeotti presents a curious graphic summary of the roles of the Russian intelligence community, from which we select only the main services, at least in our cyber sphere:
[Read more…]

The Russian ICC (III): the Community

Undoubtedly, many people mentally associate Russian intelligence or secret services – to be exact, Soviet ones – with the KGB (Komitet gosudárstvennoy bezopásnosti, Committee for State Security). Unfortunately for the followers of Bond, the KGB, the Soviet-Russian secret service par excellence, was dismantled at the beginning of the 1990s by Mikhail Gorbachev, probably because it had become a powerful monster in terms of attributions, skills and knowledge, but especially for its alleged involvement in the failed coup d’état of August 1991. Its power was distributed mainly among three different agencies: FSB (Federal Security Service), SVR (Foreign Intelligence Service) and FSO (Federal Protection Service), which joined the historical rival of the KGB, the GRU (Main Intelligence Directorate), the Russian military intelligence service that survived the fall of the USSR (perhaps because of its support for the Soviet president during the coup, unlike the KGB). SIGINT attributions were concentrated in an agency called FAPSI, equivalent to the US NSA, dismantled in 2003 and whose power, as with the KGB, was distributed among the different Russian services.

After the dismantling of the FAPSI, the four services listed above make up the bulk of the Russian intelligence community from the cyber point of view, at least the official one, as we will see in this series of posts. An excellent description of this intelligence community, as far as information security, SIGINT or CNO is concerned, can be found in chapter fifteen of the second edition of Jeffrey Carr’s Inside Cyber Warfare: Mapping the Cyber Underworld (O’Reilly, 2011).

To get an idea of the potential of the Russian services it is necessary to talk about their budget. According to open sources (such as Julian Cooper’s The Funding of the Power Agencies of the Russian State, The Journal of Power Institutions in Post-Soviet Societies, Issue 6, 2007, or The Funding of the Power Agencies of the Russian State: An Update, 2005 to 2014 and Beyond, The Journal of Power Institutions in Post-Soviet Societies, Issue 16, 2014), in 2013 the budget for what the Russians call “Security Services” – a concept that includes the FSO, FSB (except the Border Service) and SVR – exceeded 4 billion euros. The distribution by service is classified, and obviously the budget of the GRU is included in that of the Russian Ministry of Defense, so it is completely unknown. To this money we must add the more than 300,000 people who work – again, classified data – in the different intelligence services.

To be able to compare these data with other services, here is a curiosity: the budget of the CNI (the Spanish National Intelligence Center) is estimated at about 240 million euros, seventeen times less than the Russian one, and its number of employees at about 2,500 people. Of course, comparisons are odious…

The Russian ICC (II). Context: Russia

Before talking about the Russian ICC, we must know that Russia is the largest country in the world and the one with the most kilometers of border (more than 20,000); it has the largest reserves of energy and mineral resources in the world still to be exploited, making it the largest energy superpower, as well as the world’s largest reserve of forest resources, and it also holds a quarter of the world’s unfrozen water.

From a cyber perspective, Russia is alleged to be the only country to have carried out combined (physical and logical) military action against another country (Georgia, August 2008) or to have degraded the critical infrastructure of a third party by cyber means (Estonia, 2007). Its military and intelligence potential in this area is undoubted, as are its “physical” or traditional capabilities. The intelligence services are heavily involved in politics – it is public knowledge that Vladimir Putin was a KGB agent and director of the FSB – and in the public and private sectors, and they also maintain close relations – always alleged – with organized crime.
[Read more…]

The Russian ICC (I). Introduction: the Russians are coming!

We often talk about Russian APTs, Russian malware, Russian groups … But who are the “Russians”? In a series of posts we will analyze who “the Russians” really are, what Russia is (from the point of view of intelligence and security), what its services are – and their APTs –, what relations they have with the rest of the ecosystem of the Russian information war, what objectives they have, what information they are looking for, etc. In short, we will try to get to know the Russian Cyber Intelligence Community a little better, together with these supposedly Russian threats that we find all the time in different organizations.

Of course, all the information collected here was obtained from public sources and represents no more than private opinions, interpretations, analyses, issues … surely all of them wrong, because … what exactly is attribution?

Let’s begin: as it could not be any other way (otherwise we would not be dedicating a series to it), one of the main actors in the field of (cyber) intelligence is Russia; perhaps this is currently the country most sophisticated in its attacks: targeted, stealthy and technically brilliant, with very high rates of persistence due to the difficulty of detection (of course, with the permission of the United States …). Russian APTs have usually identified precisely the information they need, where it is and who handles it, and so they focus on the exact theft of that data, as we said, in the most secretive way possible.
[Read more…]

Linux.Mirai: Attacking video surveillance systems

During the Olympic Games in Rio de Janeiro, one of our sensors in Brazil detected a particularly interesting intrusion into a honeypot TELNET service.

This interaction used unusual credentials: the ones most frequently received were, contrary to what was expected, vyzxv and xc3511.

After an initial search, no reference to attacks related to these credentials was found, but it was concluded that the credentials were recurring in DVRs (Digital Video Recorders) of the Chinese brand Dahua (e.g. DH-3004). Dahua is a leading global provider of surveillance solutions: according to the IMS 2015 report, they enjoy the largest market share.
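A defender-side way to triage what such a honeypot sees, as an added example that is not part of the original post: parse the login attempts, count which credential pairs recur and flag the sources that tried a password known to be a DVR default. The log format and the sample lines are constructed; the watch-list contains only the two values the post reports (vyzxv, xc3511), treated here as password values, which is an assumption.

```python
"""Summarise TELNET honeypot login attempts and flag known DVR default passwords.

Added example, not code from the original post. The log line format and the
sample lines below are constructed; the only real data are the two values the
post reports (vyzxv, xc3511), assumed here to be password values."""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Password values the post reports as recurring on Dahua DVRs (assumed to be passwords).
DEFAULT_DVR_PASSWORDS = {"vyzxv", "xc3511"}

# Constructed log format: one line per login attempt, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)

# Constructed sample log (documentation-range addresses, not real observations).
SAMPLE_LOG = """\
2016-08-10T03:12:01Z src=198.51.100.7 user=root pass=xc3511 result=ok
2016-08-10T03:12:03Z src=198.51.100.7 user=root pass=vyzxv result=ok
2016-08-10T03:12:09Z src=203.0.113.44 user=admin pass=admin result=fail
2016-08-10T03:12:15Z src=203.0.113.44 user=root pass=xc3511 result=ok
2016-08-10T03:13:02Z src=192.0.2.19 user=root pass=123456 result=fail
2016-08-10T03:13:40Z src=198.51.100.7 user=root pass=xc3511 result=ok
this line is malformed and must be skipped, not crash the report
"""


def parse_attempts(lines: Iterable[str]) -> List[dict]:
    """Parse well-formed lines into dicts; malformed lines are skipped."""
    attempts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(m.groupdict())
    return attempts


def credential_counts(attempts: List[dict]) -> Counter:
    """How often each (user, password) pair was tried."""
    return Counter((a["user"], a["pw"]) for a in attempts)


def dvr_default_hits(attempts: List[dict]) -> Dict[str, int]:
    """Source addresses that tried a known DVR default password, with counts."""
    return dict(Counter(a["src"] for a in attempts if a["pw"] in DEFAULT_DVR_PASSWORDS))


def report(log_text: str) -> dict:
    """Build a small summary a sensor operator could act on."""
    attempts = parse_attempts(log_text.splitlines())
    if not attempts:
        return {"parsed": 0, "top_credential": None, "dvr_default_sources": {}, "share_dvr_default": 0.0}
    counts = credential_counts(attempts)
    dvr_attempts = sum(1 for a in attempts if a["pw"] in DEFAULT_DVR_PASSWORDS)
    return {
        "parsed": len(attempts),
        "top_credential": counts.most_common(1)[0][0],
        "dvr_default_sources": dvr_default_hits(attempts),
        "share_dvr_default": round(dvr_attempts / len(attempts), 2),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The share of attempts using a DVR default password, and the list of sources responsible for them, is the signal worth raising: a sudden rise in that share is exactly the kind of shift the post describes, and the same watch-list approach extends to any other vendor default an operator wants to track.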

[Read more…]

The end of passwords … or not

It has been said and proven many times that passwords are the key that gives access to our information, and hence we give them so much importance. Today we use passwords to access our email, the bank, social networks, online shopping sites … in short, we use passwords to access any site; and of course, as passwords must be robust, and on top of that we cannot use the same one for everything, we end up going crazy. That is why some of us use password managers, mnemonics, etc., because otherwise it is impossible.

[Read more…]

Blockchain and Cybersecurity I

Blockchain. Maybe some of you have heard of it. Others maybe not. In some circles, Blockchain is a concept that is resonating strongly, even though a fair number of people do not comprehend exactly what it is or why it is important. Any of us could ask: what is a blockchain?

Let’s read the definition from a random corner of the Internet: “A blockchain is a chain of blocks that contains batches of valid transactions. Each block includes the hash of the previous block of the blockchain, linking the two. The linked blocks form a chain, allowing only that block (the successor) to be linked to the other block (the predecessor), giving its name to this database”.

Therefore, we could say that a blockchain is a chain of data blocks that contain transactions. Well, it doesn’t seem a promising thing, does it?

Let me highlight a small detail: a blockchain is a ledger of transactions that cannot be manipulated or forged. Can you imagine what we could do with this?
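The definition above is easier to see in code. The following is an added example, not code from the original post: a minimal hash-chained ledger in which each block carries the SHA-256 of its predecessor, plus a verifier that reports where the chain breaks when a past transaction is altered. It assumes a single writer and uses no proof-of-work or consensus network; the transactions are constructed sample data.

```python
"""Minimal hash-chained ledger illustrating the blockchain definition above.

Added example, not code from the original post. Assumptions: plain SHA-256
linkage, a single writer, no proof-of-work and no network of validators."""
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_PREV_HASH = "0" * 64  # the first block has no predecessor


def block_hash(index: int, prev_hash: str, transactions: list) -> str:
    """Hash the block contents with a canonical JSON serialisation."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "transactions": transactions},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: list
    hash: str = ""

    def seal(self) -> "Block":
        """Compute and store this block's own hash."""
        self.hash = block_hash(self.index, self.prev_hash, self.transactions)
        return self


def build_chain(batches: List[list]) -> List[Block]:
    """Turn batches of transactions into blocks, each linked to the previous hash."""
    chain: List[Block] = []
    prev = GENESIS_PREV_HASH
    for i, txs in enumerate(batches):
        block = Block(i, prev, list(txs)).seal()
        chain.append(block)
        prev = block.hash
    return chain


def verify_chain(chain: List[Block]) -> Tuple[bool, Optional[int], str]:
    """Return (ok, index of first bad block, reason). Walks every link."""
    prev = GENESIS_PREV_HASH
    for i, b in enumerate(chain):
        if b.index != i:
            return False, i, "index out of sequence"
        if b.prev_hash != prev:
            return False, i, "prev_hash does not match predecessor"
        if b.hash != block_hash(b.index, b.prev_hash, b.transactions):
            return False, i, "stored hash does not match contents"
        prev = b.hash
    return True, None, "ok"


# Constructed sample transactions (not real data).
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}, {"from": "alice", "to": "dave", "amount": 1}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]


def tamper_without_resealing(chain: List[Block]):
    """Edit a past transaction in place: that block's stored hash no longer matches."""
    c = copy.deepcopy(chain)
    c[1].transactions[0]["amount"] = 200
    return verify_chain(c)


def tamper_and_reseal(chain: List[Block]):
    """Edit and recompute that block's hash: the *next* block's prev_hash now fails."""
    c = copy.deepcopy(chain)
    c[1].transactions[0]["amount"] = 200
    c[1].seal()
    return verify_chain(c)


if __name__ == "__main__":
    ledger = build_chain(SAMPLE_BATCHES)
    print("intact:       ", verify_chain(ledger))
    print("edited:       ", tamper_without_resealing(ledger))
    print("edited+sealed:", tamper_and_reseal(ledger))
```

The two tampering functions show why the linkage matters: changing one transaction invalidates that block, and recomputing its hash only pushes the mismatch one block forward. The caveat a practitioner should keep in mind is that this single-writer chain is only tamper-evident, not tamper-proof: whoever can rewrite every subsequent block can reseal the whole chain, which is why real deployments distribute copies and add a consensus or proof-of-work mechanism.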
[Read more…]

Registration for the RHME2 embedded CTF is open

The RHME2 is an embedded CTF running on the Arduino Nano board. The participants have to prove their skills in both software and hardware exploitation. Buffer overflows, ROP, C++ exploitation, cryptanalysis, side channel analysis, fault injection… and all of this on an AVR architecture!

Pre-registration for the 2nd edition of the RHME challenge is open now. Pre-register now and get your Arduino Nano with the challenges. The boards will be sent for free at the end of October and the CTF will officially start on November 1st. There is a limit of 500 boards: first come, first shipped!
More information at

Stay protected against Ransomware

Ransomware is here to stay. This is becoming clearer by the minute. It is a very lucrative business, judging by its infection effectiveness rate and, to a lesser extent, by the ransom payment rates of the affected parties.

To the already infamous Cryptolocker, CryptoWall, TorrentLocker, TeslaCrypt and others, we have to add the recent HydraCrypt and UmbreCrypt. All of them carry slight variations over the previous ones in an attempt to evade the scarce barriers that antivirus vendors are introducing, together with some more or less imaginative, and somewhat effective, initiatives to identify the activity of this kind of threat.

Recently, the CNI (Spanish National Intelligence Center), through the CCN-CERT, published a ransomware guide compiling a number of ransomware variants together with the file decryption tools that different antivirus companies have provided, either after dismantling several criminal networks or after in-depth analysis of malware samples.

[Read more…]