Tuesday, July 21, 2009

Vordel SOAPBox is Now Free!

http://www.vordel.com/products/soapbox/

Vordel SOAPbox allows developers to test the performance, scalability, and security of Web Services. Using SOAPbox, a developer can test how Web Services perform under load, how they deal with unexpected input, and what their traffic ceiling is.

Vordel SOAPbox highlights security tokens, XML Signatures, and encrypted content in XML documents. SOAPbox supports established security technologies such as SSL and HTTP-Auth, as well as next-generation security technologies such as WS-Security and SAML.

-------------------------

My team has been using this tool for quite some time...and it was worth the money.

But now it is free. Just input your e-mail...and download.

Vordel has made an attempt to block the use of free e-mail accounts (i.e. Mailinator) but they forgot to include the alternative mailinator domains, like sogetthis.com ;)

GAO: Many Federal Agencies Still Don't Meet Security Standards

Via DarkReading -

Virtually all of the U.S. federal government's key civilian agencies are still falling short of the security marks they have been asked to meet, according to the Government Accountability Office (GAO).

In a report (PDF) issued earlier today, the GAO says of the 24 agencies reviewed, almost all had deficiencies in security controls and management, "leaving them vulnerable to attack or compromise." The GAO says it has made "hundreds" of recommendations to the agencies, yet many have not been addressed.

During the past three years, the number of incidents reported by federal agencies to U.S.-CERT has increased by almost 200 percent -- from 5,503 in 2006 to 16,843 in 2008, according to the report. More than one-third of the incidents are still under investigation, and the sources of the compromises are not yet known.

Of the incidents in which the sources are known, approximately 22 percent were caused by improper use of computers by authorized users, the report states. Eighteen percent of the compromises were caused by unauthorized access, and 14 percent were caused by malicious code. About 12 percent of the breaches were caused by scans, probes, or attempted access by external attackers, the report says.

Of the 24 agencies reviewed, 13 reported "significant deficiencies" in information security, the GAO says. Seven agencies reported "material weaknesses" that still have not been repaired. Only four agencies reported "no significant weakness," the report states.

Indonesian TV Identifies Another Jakarta Hotel Bomber

Via xinhuanet.com -

An Indonesian television station on Tuesday evening unveiled the identity of another suicide bomber at the Ritz Carlton Hotel as Ibrahim, a florist at the hotel, who conducted his action on Friday along with fellow bomber Nurhasbi at the JW Marriott Hotel in Jakarta.

Based on the CCTV recording seconds before the blast at 07:47 at the Erlangga restaurant at the Ritz Carlton Hotel, a man suspected to be Ibrahim, 36, walked unsteadily carrying a black bag which seemed very heavy, Metro television said.

The whereabouts of Ibrahim have been unknown since the bombings at the two luxury hotels, which are located opposite each other, on July 17 that killed nine people and wounded 55 others, half of them foreigners. The police conducted a DNA test to confirm the body was Ibrahim's.

Based on the hotel attendance list, Ibrahim was working on Friday morning, the day of the bombings.

He called his family before the blasts.

After the bombings, his family had looked for him at some hospitals where the victims of the explosions were being treated.

Police are identifying body parts found at the scene, but it is still unknown whether one of them belongs to Ibrahim.

The perpetrators of the bombings assembled the bombs in room 1808 of the JW Marriott Hotel. They booked the room on July 10 and occupied it at 15:01 Jakarta time (0901 GMT) on July 15, two days before conducting their deadly acts. Police found an active bomb in a black laptop computer bag after the blasts.

The police have found similarities in the equipment and method of the bombs with those detonated in Bali in 2002 and 2005, and with those found in a recent raid in Cilacap, Central Java, for which the regional militant network Jemaah Islamiyah was responsible.

Police are widening the investigation into the group.

The blasts at the JW Marriott Hotel and Ritz Carlton Hotel in Jakarta's main business district occurred after a four-year absence of major terrorist acts in the country.

Indonesia had suffered a series of terrorist attacks from 2000 to 2005, including the Bali bombings, the JW Marriott explosion and the Australian embassy bombing in Jakarta, which killed more than 250 people.

The police and analysts said that the bombings at the two hotels were led by a breakaway faction of Jemaah Islamiyah led by Malaysian fugitive Noordin Moh Top, who had organized the major bombings in Indonesia targeting foreigners and facilities. He has been the main target of the police.

Monday, July 20, 2009

U.S. Steps Up Pressure on 'The Company' - Leaders of Los Zetas

Via Yahoo! News (AP) -

The Department of State offered up to $50 million Monday for information leading to the arrests of 10 top Mexican drug suspects accused of key roles in a violent organization estimated to have sold more than $1 billion worth of drugs in the United States.

U.S. Attorney Benton J. Campbell said the reward money and new federal charges were among U.S. efforts to dismantle a powerful drug trafficking organization known as The Company, whose members came from an elite security force called Los Zetas.

The only name on an indictment unsealed in federal court in Brooklyn was Miguel Trevino-Morales, a fugitive charged with operating a continuing criminal enterprise, international cocaine distribution and firearms violations. The indictment also sought the forfeiture of $1 billion in drug proceeds.

Campbell said in a release that Trevino-Morales, who could face life in prison if convicted, was the principal leader of Los Zetas, a group that includes former members of the Air Mobile Special Forces Group of the Mexican military who went into the drug-smuggling business.

In Washington, the Department of State announced it was offering a total of $50 million for tips leading to the capture of the defendants, including four leaders who were designated as narcotics kingpins by the U.S. Department of the Treasury's Office of Foreign Assets Control.

The government said it was offering up to $5 million apiece for information leading to the arrests of 10 people, one of whom has been captured.

Nineteen defendants have been charged in an indictment in federal court in Washington with drug trafficking-related crimes, and others are charged in indictments in federal court in Houston.

"The joint efforts announced today are significant steps in the department's strategy to stop the flow of illegal drugs into our communities and the shipment of drug proceeds back to Mexico," Campbell said.

Assistant Attorney General Lanny A. Breuer said the actions taken Monday will at least make it more difficult for the drug dealers to move cash around.

"We have learned that the most effective way to disrupt and dismantle criminal organizations is to prosecute their leaders and seize their funding," she said in a release. "We stand shoulder-to-shoulder with our brave Mexican colleagues in the fight against these destructive cartels."

The Foreign Narcotics Kingpin Designation Act, which became law in 1999, prohibits all trade and transactions between U.S. companies and individuals and significant foreign narcotics traffickers, their organizations and associates who act on their behalf.

Fewer than 100 people have been designated narcotics kingpins since the first major targets were announced in June 2000.

The indictment unsealed in Brooklyn said the drug organization, formerly known as the Gulf Cartel, had become the dominant force in the drug trade along the Gulf of Mexico, transporting multi-ton quantities of cocaine each month from Mexico to Texas after obtaining it in Guatemala, Colombia, Venezuela and elsewhere.

XMLHttpRequest “Ping” Sweeping in Firefox 3.5+

Via ha.ckers.org (Rsnake) -

Jeremiah brought my attention to the new Firefox 3.5+ CORS (Cross-Origin Resource Sharing), which is a way to do a cross domain XMLHttpRequest. Does that sound scary? Well, it is, but there’s been a ton of work into hardening it. It has all sorts of cross domain opt-in verification built into it to limit the abuse. Honestly, if you look at the people who were acknowledged in its construction, it’s a who’s who of people who understand cross domain browser security issues. So it wasn’t surprising that it was fairly free of obvious flaws.

Anyway, I was poking around with it and I noticed that it had one fairly strange issue. Although an attacker is not allowed to know if the page was there or not (only if it was allowed to see the content or not), the attacker is still allowed to make an initial request. In doing so, that initial request can be used as a pseudo “ping” sweep. You can tell if the site is there or not because it will either return immediately (latency and threading apply) or it will wait around much longer (between 20-75 seconds on the several networks I’ve run this on) before the browser gives up. That timing difference is pretty substantial - and as a result you can enumerate a substantial amount of internal address space behind the victim’s firewall, and relatively quickly. I created a demo here (works only in Firefox 3.5+, and you must enable JavaScript globally for this to work). It won’t work if you just whitelist ha.ckers.org; you have to globally allow JavaScript if you use NoScript for the demo to work - and you must disable ABE in NoScript as well.

You can read the page for the details, like the fact that basic and digest authentication popups are suppressed, which makes this technique ideal for intranets where those are common and would normally alert a user to the fact that something was wrong in the browser. It also doesn’t matter whether you do or don’t have port 80 open for this to work. I should note that there is an IE8.0 version of Firefox’s XMLHttpRequest called XDomainRequest, but I didn’t have much time this weekend to try to get it working in both browsers, so I have no idea if it has the same issue or not.

Incidentally, Jeremiah and I both gave the thumbs up to the idea of a cross domain XHR several years ago when the Mozilla team first asked us about the concept. Because there are so many other things wrong with the browser Jeremiah and I told them that it wouldn’t change much - the browser is already so broken from a security perspective that it really didn’t matter - a sad commentary thinking back. Of course, it really is all about the implementation.

How to Dismantle a Nuclear Bomb

Via BBC (h/t Tim of ubiwar.com) -

How do you dismantle a nuclear bomb? And how do you verify another country is genuinely disarming without compromising sensitive national security material?

BBC security correspondent Gordon Corera was given exclusive access to a unique exercise run by the UK and Norway to find out.

The nuclear weapon is carefully lifted out of a large container and moved onto the floor.

Two engineers use an electric screwdriver to open up a side compartment and remove the "physics package" containing the sensitive parts of the bomb.

A scientist with a radiation detector beckons me forward as he points his machine towards the box.

It begins to emit an accelerating beeping noise. "The measurement is approximately a hundred times normal background radiation," he tells me.

"But it is not dangerous, I promise," he adds with a smile.

The lack of danger is because the bomb is not real. To inject an element of realism into this experiment, a weak radioactive material - Cobalt 60 - is used.

The dismantlement experiment is a joint exercise between the UK and Norway - the first of its kind - and was held a few miles from Oslo.

The five-day exercise has been keenly anticipated internationally as a way of building trust between nuclear weapons states and non-nuclear weapons states.

It is designed to see if one country can verify the disarmament of another country's nuclear weapon, but without any sensitive information about national security and weapon design being compromised.

In a role reversal, the Norwegians play a nuclear weapons state (called Torland) and the UK team play inspectors from Luvania, a non-nuclear weapons state.

[...]

"The aim is to develop methodologies we could use in inspections of a real nuclear facility but in an environment in which we can do trial and error," explains Andreas Persbo of Vertic, which helped organise the event.

It is not an exercise in which the nuclear state is trying to clandestinely divert nuclear material or the inspecting side search for a covert facility.

[...]

In practice no nuclear weapons state has ever allowed a non-nuclear weapons state to verify disarmament. But if there was to be multilateral disarmament in the future, it may well be important to provide such states with confidence over its actions.

Officials on both sides hope that this and any future events will lead to better understanding between nuclear weapons states and non-nuclear weapons states and more collaborations, allowing trust and confidence to be increased.

DC17 Badge Pre-Release Information

https://forum.defcon.org/showthread.php?t=10655

Here are a few useful pieces of information to help you get set up and/or prepare for the DC17 Badge Hacking Contest. Unlike last year, all of the badge design documentation, including development environment, should be on the CD this year, unless there was a last minute change that I'm unaware of. Even still, I'd HIGHLY recommend getting your tools set up in advance so you come to DEFCON ready to rock. Remember, the Badge Hacking Contest is now a BLACK BADGE contest, so the stakes are raised...

* The processor this year is a Freescale MC56F8006 Digital Signal Controller. It's a brand new part, but the DSC family has been around for a while and there is plenty of code samples/examples and application notes on Freescale's site.

Main product page:
http://tinyurl.com/lyorks

Direct link to data sheet:
http://www.freescale.com/files/dsp/d...06.pdf?pspll=1

* The development environment is Freescale CodeWarrior for DSCs. It's a similar IDE to previous badges (sorry, still Windows only AFAIK, but works fine in a VM). I used Processor Expert to help with the device configuration, so you'll probably want to familiarize yourself with that feature.

Link to the tool (free, no license required):

Special Edition: CodeWarrior for 56800/E Digital Signal Controllers
http://www.freescale.com/lgfiles/upd...SSET=Downloads
or
http://tinyurl.com/kuwloq

* There will be a serial bootloader on-board to enable you to easily load your own firmware onto the badge (simply requiring a terminal program, like HyperTerminal, and the hex file). However, this year will require a bit more soldering skill to get it up and running, and you will need a level shifter to convert the 3V TTL-level serial of the badge to RS232 or USB level. We'll have a few level shifter kits in the Hardware Hacking Village, but I'm sure those will go quickly, so if you're reading this, BRING YOUR OWN LEVEL SHIFTER: buy something like this: http://www.ftdichip.com/Products/Eva...L-232R-3V3.htm or bring components to put one together (an FTDI FT232R).

* In the case of completely bricking your badge during a firmware update via the bootloader, you can completely reprogram it via the MC56F8006 JTAG interface and the USB TAP hardware (I'll have one with me for emergencies).

Information on the USB TAP:
http://www.freescale.com/webapp/sps/...sp?code=USBTAP

* AFAIK, Freescale is sending at least one engineer to come and experience DEFCON, hang out, and offer technical support for hacking/developing with the badge. The Hardware Hacking Village will serve as the Badge Hacking HQ and he'll be located there. I'll try to spend as much time as I can up there, too, but the more help I give, the less likely you'll win the contest :P

Teenager Creates Fake Airline with Some Serious Social Engineering Skills

Via Times Online UK -

A teenage boy from Yorkshire succeeded in persuading British aviation executives that he was a tycoon about to launch his own airline. Using the pseudonym Adam Tait, the smooth-talking 17-year-old told airport and airline executives that he had a fleet of jets.

Tait, who said he was in his twenties, even flew to Jersey to attend a 1½-hour long meeting with the director of its airport. Their talks were considered promising enough for a further meeting to be arranged, which was due to be held next week.

Other air industry bosses found themselves dealing by telephone or e-mail with Tait’s fellow executives, David Rich and Anita Dash, who proposed to launch a cut-price Channel Islands-based airline servicing most of Europe.

What no one realised was that Tait, Rich and Dash were all the same person: an aircraft buff with the gift of the gab and an overactive imagination.

[...]

The Yorkshire teenager’s six-month-long ruse, which included placing articles in industry magazines, foundered only after one publication, Airliner World, became suspicious. It started to unravel the complex network that Tait had set up of fake websites, “virtual offices” complete with a real telephone receptionist and bogus names.

Last Monday he was questioned by Essex police while trying to gain access to a 93-seater jet at Southend airport, having convinced the plane’s marketing agent that his “company” wanted to lease it.

The police, who had intervened after being tipped off by Airliner World, discovered the boy’s true identity. Although no further action was taken, his fantasy was finally grounded.

The Sunday Times has agreed not to use Tait’s real name at the request of his father, who did not know of his son’s exploits until he was contacted last week.

He said that his son suffered from a form of autism and was “a phenomenal individual who is enterprising and creative” with an ability to recall the exact detail of every airline’s flight schedules. But the autism also made his behaviour highly challenging.

“He has been passionate about aeroplanes for about two years and his whole bedroom is plastered with them,” he said.

“Before that he came within two days of bringing the US cast of High School Musical to a 300-seat theatre in Shropshire by cutting and pasting mastheads from one company to another, masquerading as this or that.

“It would have happened, except when booking the hotel some queries were thrown up. I don’t know why he did it. He is not nasty or vindictive or malicious.”

Sunday, July 19, 2009

Mozilla Says Stack Overflow Crash Not Exploitable (CVE-2009-2479)

Via Mozilla Blog -

In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability.

On Windows, Firefox 3.0.x is terminated due to an uncaught exception during an attempt to allocate a very large string buffer; this termination is safe and immediate, and does not permit the execution of attacker code. In Firefox 3.5.x on Windows, the allocations are more robustly checked and no crash will result.

On the Macintosh in Firefox 3.0.x and 3.5.x, a crash occurs inside the ATSUI system library (part of OS X), due to what appears to be a failure to check allocation results. This issue is likely to affect any application using the recommended text-handling libraries on OS X. We have reported this issue to Apple, but in the event that they do not provide a fix we will look to implement mitigations in Mozilla code. We recommend that other developers who use these libraries consider a similar practice, and we have added mitigations in the past for similar bugs in these libraries.

As a result of our analysis, we do not believe that this represents an exploitable vulnerability in Firefox. Further, we believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly.

Mike Shaver
VP Engineering, Mozilla Corporation
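Mozilla's distinction above is between an allocation that fails loudly and safely and one whose result is never checked. The following C example is added here to show what "robustly checked" allocation of a very long string buffer looks like in practice; it is not Mozilla code, not Apple's ATSUI, and the `MAX_CODE_UNITS` cap, the status enum and the sample string are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Status codes instead of a bare pointer, so a caller cannot silently
 * ignore a failed allocation (constructed for this example). */
enum alloc_status { ALLOC_OK = 0, ALLOC_TOO_LARGE, ALLOC_NO_MEMORY };

/* Policy cap on string length, an assumed value for this example:
 * 2^26 UTF-16 code units (128 MiB). Anything larger is rejected before
 * the allocator is even asked, so a hostile length cannot drive a crash. */
#define MAX_CODE_UNITS ((size_t)1 << 26)

/* Allocate room for n_units UTF-16 code units plus a terminating zero. */
enum alloc_status alloc_utf16(size_t n_units, uint16_t **out)
{
    *out = NULL;
    if (n_units > MAX_CODE_UNITS)
        return ALLOC_TOO_LARGE;              /* refuse the request, do not crash */
    /* n_units + 1 cannot wrap after the cap; calloc checks the byte count itself. */
    uint16_t *buf = calloc(n_units + 1, sizeof *buf);
    if (buf == NULL)
        return ALLOC_NO_MEMORY;              /* the result check the post says was missing */
    *out = buf;
    return ALLOC_OK;
}

/* Widen a Latin-1 byte string of length len into a fresh UTF-16 buffer. */
enum alloc_status widen_latin1(const unsigned char *s, size_t len, uint16_t **out)
{
    enum alloc_status st = alloc_utf16(len, out);
    if (st != ALLOC_OK)
        return st;                           /* propagate; never write through NULL */
    for (size_t i = 0; i < len; i++)
        (*out)[i] = s[i];
    (*out)[len] = 0;
    return ALLOC_OK;
}

/* Demonstration helpers: the status produced for a requested length, and a
 * round trip through widen_latin1 on a constructed sample string. */
int status_for_length(size_t n_units)
{
    uint16_t *buf;
    enum alloc_status st = alloc_utf16(n_units, &buf);
    free(buf);                               /* free(NULL) is a no-op */
    return (int)st;
}

int widen_roundtrip_ok(void)
{
    static const unsigned char sample[] = "Unicode data, constructed sample";
    size_t len = sizeof sample - 1;
    uint16_t *wide;
    if (widen_latin1(sample, len, &wide) != ALLOC_OK)
        return 0;
    int ok = wide[len] == 0;
    for (size_t i = 0; i < len && ok; i++)
        ok = wide[i] == sample[i];
    free(wide);
    return ok;
}

int main(void)
{
    printf("SIZE_MAX units -> status %d (too large)\n", status_for_length(SIZE_MAX));
    printf("16 units       -> status %d (ok)\n", status_for_length(16));
    printf("round trip ok: %d\n", widen_roundtrip_ok());
    return 0;
}
```

The two checks are independent: the cap turns an attacker-controlled length into a clean refusal before any allocation, and the NULL test on the allocator's return is what keeps a genuine out-of-memory condition from becoming a write through a null pointer, which is the failure mode the post attributes to the OS X text library.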

Captured U.S. Soldier in Taliban Video Identified

Via ABC News -

Department of Defense officials confirmed the identity of a captured American soldier in a video posted online Saturday by the Taliban.

Pfc. Bowe Bergdahl, 23, of Hailey, Idaho, went missing from his base in eastern Afghanistan on June 30. On July 3, officials declared him "missing-captured."

Early in the video, a captor holds up the soldier's dog tag to the camera. Later Bergdahl states his name and hometown.

Bergdahl is a member of 1st Battalion, 501st Parachute Infantry Regiment, 4th Brigade Combat Team, 25th Infantry Division, out of Fort Richardson, Alaska.

Taliban Releases Video of Captured U.S. Soldier

Via thestar.com -

The American soldier who went missing June 30 from his base in eastern Afghanistan and was later confirmed captured, appeared on a video posted Saturday to a website by the Taliban, two U.S. defence officials confirmed.

The soldier is shown in the 28-minute video with his head shaved and the start of a beard. He is sitting and dressed in a nondescript, grey outfit. Early in the video one of his captors holds the soldier's dog tag up to the camera. His name and ID number are clearly visible. He is shown eating at one point and sitting on a bed.

The soldier, whose identity has not yet been released by the Pentagon pending notification of members of Congress and the soldier's family, says his name, age and hometown on the video, which was released Saturday on a website pointed out by the Taliban. Two U.S. defence officials confirmed to The Associated Press that the man in the video is the captured soldier.

The soldier said the date is July 14. He says he was captured when he lagged behind on a patrol.

He is interviewed in English by his captors, and he is asked his views on the war, which he calls extremely hard, his desire to learn more about Islam and the morale of American soldiers, which he said was low.

Asked how he was doing, the soldier said on the video:

"Well I'm scared, scared I won't be able to go home. It is very unnerving to be a prisoner."

He begins to answer questions in a matter-of-fact and sober voice, occasionally facing the camera, looking down and sometimes looking to the questioner on his left.

He later chokes up when discussing his family and his hope to marry his girlfriend.

"I have my girlfriend, who is hoping to marry," he said. "I have a very very good family that I love back home in America. And I miss them every day when I'm gone. I miss them and I'm afraid that I might not ever see them again and that I'll never be able to tell them that I love them again and I'll never be able to hug them."

Saturday, July 18, 2009

EPFL Playstation 3 Cluster Cracks 112-bit Elliptical Curve Encryption

Via H-Online.com -

Researchers at the École Polytechnique Fédérale (EPFL) in Lausanne, Switzerland, have succeeded in cracking 112-bit encryption based on elliptical curves (ECCp-112). They calculated the secret key associated with a public key by solving the Discrete Logarithm Problem (DLP) for elliptical curves, which displays a complexity of 2^60 for the numbers involved. The cracked ECC system is a set of parameters defined by the secp112r1 standard. That puts it at the lower end of the specifications for ECC encryption systems.

The computation required around half a year on the EPFL cluster, consisting of some 200 PlayStation 3s that had already served to calculate the MD5 collision for creating a fake SSL issuer certificate from RapidSSL. The ECC code designed for the cell processor of the PlayStation 3 was optimised several times during the computation period, and the researchers say that, if the optimised code had been running from the start, the computation would only have taken three and a half months. The previous record was set in 2002, when a distributed cluster consisting of around 10,000 PCs cracked an ECC key within 549 days. At that time, researchers at Notre Dame University cracked an ECCp-109 key, three bits shorter than the new record.

Dr. Arjen Lenstra, who took part in the EPFL project, told heise Security that this result isn't actually a threat to the EC encryption systems used in practice. He said the weakest encryption encountered is based on 160-bit ECC and future developments in encryption standards would in any case have to be based on at least 224-bit ECC. According to the NIST transition proposal, ECCp-160, whose encryption strength is comparable with RSA-1024, must be replaced with a stronger variant after 2010 in order to obtain FIPS certification.
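To make the "square-root" cost behind these figures concrete, here is an added C example (not EPFL's code, and nothing like the Cell-optimised implementation the article describes) that solves the elliptic-curve discrete logarithm on a constructed toy curve, y^2 = x^3 + 7x + 1 over F_10007. It recovers a secret k from Q = kP twice, once by exhaustive search and once by baby-step giant-step, and counts the group additions each needs. The curve parameters, the generator search, the `run_demo` helper and the secret value are all assumptions of the example; the scaling it shows is general: generic attacks cost roughly the square root of the group order, which is why a 112-bit group is within reach of a cluster while the 160-bit and 224-bit sizes Lenstra mentions are not.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy curve y^2 = x^3 + A*x + B over F_P, constructed for this example.
 * secp112r1 uses a 112-bit prime; P here is 14 bits so int64 arithmetic suffices. */
#define P 10007LL
#define A 7LL
#define B 1LL

typedef struct { int64_t x, y; int inf; } point;        /* inf = point at infinity */
static const point INF = { 0, 0, 1 };

static int64_t md(int64_t v) { v %= P; return v < 0 ? v + P : v; }

/* Inverse via Fermat: a^(P-2) mod P, valid because P is prime. */
static int64_t inv(int64_t a) {
    int64_t r = 1, e = P - 2;
    for (a = md(a); e; e >>= 1, a = a * a % P) if (e & 1) r = r * a % P;
    return r;
}

static int eq(point p, point q) {
    return (p.inf && q.inf) || (!p.inf && !q.inf && p.x == q.x && p.y == q.y);
}
static point neg(point p) { p.y = md(-p.y); return p; }

/* Affine chord-and-tangent group law. */
static point add(point p, point q) {
    int64_t lam;
    if (p.inf) return q;
    if (q.inf) return p;
    if (p.x == q.x) {
        if (md(p.y + q.y) == 0) return INF;              /* q == -p */
        lam = md((3 * p.x * p.x + A) * inv(2 * p.y));     /* tangent: doubling */
    } else {
        lam = md((q.y - p.y) * inv(q.x - p.x));           /* chord */
    }
    point r = { md(lam * lam - p.x - q.x), 0, 0 };
    r.y = md(lam * (p.x - r.x) - p.y);
    return r;
}

static point mul(int64_t k, point p) {                     /* double-and-add */
    point r = INF;
    for (; k > 0; k >>= 1, p = add(p, p)) if (k & 1) r = add(r, p);
    return r;
}

static int64_t order_of(point p) {
    int64_t n = 1;
    for (point q = p; !q.inf; q = add(q, p)) n++;
    return n;
}

/* First point found by scanning x whose order is at least 1000, so the toy
 * group is not trivially small. Brute-force square roots are fine at this size. */
static point find_generator(void) {
    for (int64_t x = 1; x < P; x++) {
        int64_t rhs = md(x * x * x + A * x + B);
        for (int64_t y = 1; y < P; y++) {
            if (y * y % P != rhs) continue;
            point g = { x, y, 0 };
            if (order_of(g) >= 1000) return g;
            break;
        }
    }
    return INF;                                            /* not reached for this curve */
}

/* Exhaustive search: walk P, 2P, 3P, ... until Q. Cost grows with k, up to n. */
static int64_t dlog_brute(point p, point q, long *ops) {
    point cur = INF; int64_t j = 0;
    for (*ops = 0; !eq(cur, q); j++, (*ops)++) cur = add(cur, p);
    return j;
}

/* Baby-step giant-step: about 2*sqrt(n) additions and sqrt(n) stored points.
 * Pollard rho, used for large records, has the same square-root cost without the table. */
static int64_t dlog_bsgs(point p, point q, int64_t n, long *ops) {
    int64_t m = 1, k = 0; int found = 0;
    while (m * m < n) m++;                                 /* m = ceil(sqrt(n)) */
    int64_t *jtab = calloc(P, sizeof *jtab);               /* x -> j (0 = empty) */
    int64_t *ytab = calloc(P, sizeof *ytab);               /* x -> y of jP */
    if (!jtab || !ytab) { free(jtab); free(ytab); return -1; }
    point cur = p; *ops = 0;
    for (int64_t j = 1; j <= m; j++, (*ops)++) {           /* baby steps jP, j = 1..m */
        if (!cur.inf) { jtab[cur.x] = j; ytab[cur.x] = cur.y; }
        cur = add(cur, p);
    }
    point giant = neg(mul(m, p)), gamma = q;
    for (int64_t i = 0; i <= m && !found; i++, (*ops)++) { /* gamma = Q - i*m*P */
        if (gamma.inf) { k = i * m; found = 1; }
        else if (jtab[gamma.x]) {                          /* gamma == +-jP */
            k = ytab[gamma.x] == gamma.y ? i * m + jtab[gamma.x] : i * m - jtab[gamma.x];
            found = 1;
        }
        gamma = add(gamma, giant);
    }
    free(jtab); free(ytab);
    return found ? ((k % n) + n) % n : -1;
}

struct demo_result { int ok; int64_t order, k; long brute_ops, bsgs_ops; };

/* Publishes Q = kP for k = 1 + secret mod (n-1) (secret >= 0), then recovers k both ways. */
struct demo_result run_demo(int64_t secret) {
    struct demo_result r = { 0, 0, 0, 0, 0 };
    point g = find_generator();
    r.order = order_of(g);
    r.k = 1 + secret % (r.order - 1);
    point q = mul(r.k, g);
    int64_t k1 = dlog_brute(g, q, &r.brute_ops);
    int64_t k2 = dlog_bsgs(g, q, r.order, &r.bsgs_ops);
    r.ok = (k1 == r.k && k2 == r.k);
    return r;
}

int main(void) {
    struct demo_result r = run_demo(4242);
    printf("order(P) = %lld, secret k = %lld, recovered: %s\n",
           (long long)r.order, (long long)r.k, r.ok ? "yes" : "no");
    printf("exhaustive search: %ld additions; baby-step giant-step: %ld additions\n",
           r.brute_ops, r.bsgs_ops);
    return r.ok ? 0 : 1;
}
```

Running it shows the exhaustive walk costing on the order of k additions while baby-step giant-step stays near 2*sqrt(n) regardless of k; scaling the group order to 2^112 is what turns that square root into the months of PlayStation time reported above, and doubling the bit length to 224 squares the work again.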


Orwell in 2009: Dystopian Rights Management

Via EFF -

In George Orwell's Nineteen Eighty-Four, the protagonist Winston Smith labors in obscurity to make information appear and disappear at the whims of the Ministry of Truth:

This process of continuous alteration was applied not only to newspapers, but to books, periodicals, pamphlets, posters, leaflets, films, sound-tracks, cartoons, photographs — to every kind of literature or documentation which might conceivably hold any political or ideological significance. Day by day and almost minute by minute the past was brought up to date.

The Ministry of Truth would have truly appreciated DRM and tethered devices. As many owners of Kindle e-books discovered this morning, electronic books that come rigged with DRM "copy protection," stored on e-book readers subject to Amazon remote control, can be made to disappear at the whims of their publishers, as if they never existed in the first place.

David Pogue reports today in the New York Times that books published by MobileReference, including Orwell's Nineteen Eighty-Four and Animal Farm, were remotely deleted from customers' Kindles over night. (Customers had their accounts credited for the value lost.)

This morning, hundreds of Amazon Kindle owners awoke to discover that books by a certain famous author had mysteriously disappeared from their e-book readers. These were books that they had bought and paid for—thought they owned.

But no, apparently the publisher changed its mind about offering an electronic edition, and apparently Amazon, whose business lives and dies by publisher happiness, caved. It electronically deleted all books by this author from people’s Kindles and credited their accounts for the price.

Orwell would have appreciated the irony. But he also would have been the first to predict that this problem would arise when one company sells both the books themselves and the device required to read them, when that company insists on locking up the books with "protection" that prevents them being shifted to any other device, and has the power of "remote deletion" at its fingertips. Big Brother, indeed!

This is Amazon choosing its "content partners" over its customers. There is nothing about copyright law that required these deletions -- if Amazon didn't have the rights to sell the e-books in the first place, the infringement happened when the books were sold. Remote deletion doesn't change that, and it's not an infringement for the Kindle owner simply to read the book. Can you imagine a brick-and-mortar bookstore chasing you home, entering your house, and pulling a book from your shelf after you paid good money for it? (Nor, for that matter, does Amazon reserve any "remote deletion" right in the Kindle "terms of service".)

If people want books that won't evaporate on the orders of faceless bureaucrats, if they want their libraries to last, or the right to read privately, or if they want the same ability to share or loan books that they enjoy with printed books, they should avoid buying any book that can't be copied or any e-book reader with "remote deletion" features. Project Gutenberg has e-books that won't disappear at midnight, like a pumpkin coach. Cory Doctorow sells e-books that will live as long as your hard drive and your backups keep them around. They're in unrestricted formats — like plain text, HTML, or PDF — and you can read them on devices without an Amazon Big Brother on board.

Mozilla Firefox 3.5.1 Unicode Data Remote Stack Buffer Overflow Vulnerability

I'm sorry to say, but this vulnerability isn't new. It was released two days before the release of 3.5.1.

Various analysts and sites have recently confirmed the vulnerability in Firefox 3.5.1. When exploited, the vulnerability can lead to system compromise or induce a DoS.

http://www.milw0rm.com/exploits/9158
http://www.securityfocus.com/bid/35707
http://isc.sans.org/diary.html?storyid=6829

Friday, July 17, 2009

US, Afghan Forces Overrun Haqqani Network 'Encampment' in Paktia

Via The Long War Journal -

The US and Afghan military have continued attacks against the Haqqani Network in eastern Afghanistan despite a threat from the group that a captured US soldier would be executed if the raids did not cease.

Last night, US and Afghan forces conducted two major raids in Paktia and Logar provinces. The raids were aimed at taking down the leadership of the Haqqani Network and gathering intelligence on the location of the captured US soldier.

The biggest raid took place against an "enemy encampment" situated "in the remote reaches of Paktia province," the US military said in a press release. The operation took place about 20 miles southeast of Gardez City, and was designed to stem the flow of foreign fighters and weapons moving from Pakistan's Taliban-controlled tribal agencies of North and South Waziristan through the Khost-Gardez Pass to the capital of Kabul.

The combined force killed "several" Haqqani Network fighters in firefights and with air support after repeatedly taking fire while moving to assault the Haqqani base. Several massive weapons caches were destroyed after US and Afghan forces overran the base.

Afghan and Coalition forces also conducted a targeted raid against a Haqqani Network safe house near the village of Ebad in Logar province. The compound is known to be used by a Haqqani commander to make roadside bombs. Three suspected Haqqani Network fighters were detained during the raid.

The US military conducted the raids the same day that Mullah Sangeen Zadran, a senior commander in the Haqqani Network, threatened to kill a US soldier unless Coalition forces end operations in two districts in Paktika and Ghazni provinces in eastern Afghanistan. The soldier was captured on June 30 after walking away from his combat outpost in Paktika province.

The US military has issued flyers in Paktia and Ghazni provinces, urging Afghans to provide intelligence on the location of the missing soldier. But the soldier may have already been moved into North Waziristan, a US intelligence official familiar with the search told The Long War Journal.

[...]

Just as the US has finally admitted that Taliban leader Mullah Omar and his senior commanders are running their Afghan operations from Quetta in Pakistan, the Haqqanis have been labeled as operating from Pakistan's tribal areas.

"The Haqqani network remains one of the most lethal Taliban organizations operating out of Pakistan's Federally Administered Tribal Areas," the US military admitted in a recent press release.

New Linux Flaw Enables Null Pointer Exploits

Via ThreatPost.com -

A researcher has published exploit code for a new vulnerability he discovered in the Linux kernel. The vulnerability is an especially interesting one in that the researcher who discovered it, Brad Spengler, has demonstrated that he can use the weakness to defeat many of the add-on security protections offered by SELinux and AppArmor.

The vulnerability is in the 2.6.30 release of the Linux kernel, and in a message to the Daily Dave mailing list Spengler said that he was able to exploit the flaw, which at first glance seemed unexploitable. He said that he was able to defeat the protection against exploiting NULL pointer dereferences on systems running SELinux and those running typical Linux implementations. SELinux is a set of security enhancements to the Linux OS developed by the National Security Agency.

Spengler also said he is able to turn off the auditing processes in SELinux, AppArmor and the Linux Security Module. He posted a video demonstration of the exploit in action on YouTube.

[...]

This code looks perfectly ok, right? Well, it is, until the compiler takes this into its hands. While optimizing the code, the compiler will see that the variable has already been assigned and will actually remove the if block (the check if tun is NULL) completely from the resulting compiled code. In other words, the compiler will introduce the vulnerability to the binary code, which didn't exist in the source code. This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland – and this finally pwns the box.

Until recently, exploiting NULL pointer dereferences was thought to be virtually impossible. But work done by Mark Dowd of IBM ISS last year put the lie to that. Dowd designed his technique to exploit a problem in Adobe Flash, but was able to extend it to exploit similar conditions in other applications.
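The pattern the quoted paragraph describes, as an added example that is not from the ThreatPost article, the original advisory or the kernel tree: a user-space model of the ordering bug Spengler exploited in the tun driver's poll handler (drivers/net/tun.c in 2.6.30). The struct and function names below are hypothetical stand-ins for the kernel's, and the return codes are my own constants rather than the real POLL* bits. The vulnerable function dereferences the pointer and only then tests it for NULL; because a NULL dereference is undefined behaviour, GCC at -O2 is allowed to treat the test as dead code and delete it (the -fdelete-null-pointer-checks optimisation, which the kernel build later turned off with -fno-delete-null-pointer-checks). The fixed function simply moves the check ahead of the first dereference, which is the shape of the upstream fix.

```c
/* Added example: NULL check after dereference (vulnerable) vs. before it
 * (fixed).  Names are hypothetical stand-ins for the kernel's tun code. */
#include <stddef.h>
#include <stdio.h>

#define POLLIN_READY 1     /* stand-in for "data available" */
#define POLLERR_BAD  (-1)  /* stand-in for the error mask */

struct sock {
    int queue_len;         /* stand-in for the receive-queue length */
};

struct tun_struct {
    struct sock *sk;       /* the socket the tun device is attached to */
};

/* Vulnerable ordering.  tun is dereferenced on the first line, so in C
 * semantics it cannot be NULL by the time "if (!tun)" runs; an optimising
 * compiler may therefore drop the check entirely.  Called with NULL, the
 * compiled code reads address 0 with no guard at all.  In the kernel that
 * read lands in whatever an attacker managed to map at page zero, which
 * is exactly what vm.mmap_min_addr is meant to prevent. */
int poll_vulnerable(struct tun_struct *tun)
{
    struct sock *sk = tun->sk;   /* dereference first ...            */
    if (!tun)                    /* ... then check: dead code at -O2  */
        return POLLERR_BAD;
    return sk->queue_len > 0 ? POLLIN_READY : 0;
}

/* Fixed ordering.  Every dereference is dominated by the NULL test, so
 * the compiler has no licence to remove it. */
int poll_fixed(struct tun_struct *tun)
{
    struct sock *sk;
    if (!tun)
        return POLLERR_BAD;
    sk = tun->sk;
    return sk->queue_len > 0 ? POLLIN_READY : 0;
}

/* Helper: build a valid device whose socket has `queued` bytes pending
 * and poll it with the fixed version. */
int poll_device_with(int queued)
{
    struct sock s = { .queue_len = queued };
    struct tun_struct t = { .sk = &s };
    return poll_fixed(&t);
}

/* Helper: on a valid device both versions must agree; the difference
 * between them only exists for the NULL case. */
int versions_agree_on(int queued)
{
    struct sock s = { .queue_len = queued };
    struct tun_struct t = { .sk = &s };
    return poll_vulnerable(&t) == poll_fixed(&t);
}

int main(void)
{
    printf("valid device, 3 queued: fixed=%d agree=%d\n",
           poll_device_with(3), versions_agree_on(3));
    printf("NULL device: fixed=%d\n", poll_fixed(NULL));
    /* poll_vulnerable(NULL) is deliberately not called: in user space it
     * faults, and in a kernel with page zero mapped it silently consumes
     * attacker-controlled data instead of returning POLLERR_BAD. */
    return 0;
}
```

Compile it twice, with `gcc -O2` and with `gcc -O2 -fno-delete-null-pointer-checks`, and compare the disassembly of poll_vulnerable: in the first build the comparison against zero is gone, in the second it survives. That is the whole point of the quoted paragraph, and it is why a source-level review that sees the `if (!tun)` line can still miss the bug.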

-----------------------

Perfect example of how you can't find all vulnerabilities by just reviewing source code alone.

While code review is critical to reducing the number of vulnerabilities, it is only part of the overall security puzzle.

Of course, the security puzzle changes so fast...there isn't a real solution...but that is another blog altogether ;)

Firefox 3.5.1 Released

http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes/

Firefox 3.5.1 fixes the following issues:

  • Several security issues.
  • Several stability issues.
  • An issue that was making Firefox take a long time to load on some Windows systems.

Please see the complete list of changes in this version. You may also be interested in the Firefox 3.5 release notes for a list of changes in the previous version.

Deadly Blasts Hit Two Luxury Hotels in Jakarta, Indonesia

Via CNN -

The death toll from bombings at two luxury hotels Friday morning in south Jakarta, Indonesia, has risen to eight, a presidential spokesman said. The number of wounded people was in the 40s, the spokesman said.

Antara News, a state-run agency, quoted a witness as saying he saw four foreigners among the wounded.

The Ritz-Carlton Hotel was to have accommodated soccer players from Manchester United of Britain, who are expected to arrive in Jakarta on Saturday.

The victims were taken to nearby MMC Hospital and Jakarta Hospital, the agency reported.

Police sealed off the area around both blasts, one of which occurred in the Ritz-Carlton Hotel and the other at the J.W. Marriott Hotel, about 50 meters away, about 7:50 a.m. (8:50 p.m. Thursday ET).

"There was a boom and the building shook, and then subsequently two more," said hotel guest Don Hammer, who was leaving his room in the Marriott when the blast occurred.

"The shocking part was entering the lobby, where the glass at the front of the hotel was all blown out and blood was spattered across the floor, but most people were leaving calmly."

[...]

Greg Woolstencroft had just walked past the hotels and had gone to his nearby apartment when he heard an explosion.

"I looked out my window and I saw a huge cloud of brownish smoke go up," he told CNN in a telephone interview. "I grabbed my iPhone to go downstairs ... and then the second bomb went off at the Ritz-Carlton, so I then ran around to the Ritz-Carlton and I was able to find that there had been a massive bomb that went off in this ... restaurant area and the explosion had blown out both sides of the hotel.

"I found inside the body of what appears to be a suicide bomber, it looked like someone who had been a suicide bomber or someone who had been very, very close to the explosion.
"I also noticed that there were a number of injured people being taken off to hospital, but I only noticed one dead person at this point in time, that's all I saw. There has been extensive damage to both buildings, and at this point in time of course all the authorities are blocking up all the area and starting an investigation."

He added, "It's obviously targeted establishments where there are Westerners and expats ... I can only assume it's something to try and send a message."

---------------------------------

According to Stratfor....

Militant group Jemaah Islamiyah (JI) is a feasible perpetrator for the attacks.