Thursday, July 31, 2008

Executive Order 12333 Revised - Boosting DNI Oversight Powers

Via -

To put a winner/loser take on things — one that Bush administration officials would surely object to — the shake-up of the intelligence community that the White House announced this morning leaves the director of national intelligence, J. Michael McConnell, with at least an upper hand vis-a-vis the CIA.

The DNI ends up with more formal oversight of the CIA and the 15 other agencies that make up the U.S. intelligence community, many of them run by the Pentagon.

The administration presented the long-awaited reorganization in a White House executive order, press release, fact sheet and not-for-attribution telephone news conference with reporters.

The Times' Josh Meyer, preparing a lengthy report for and Friday's print edition, says that congressional leaders, who were not consulted in the redesign, were sharply critical of the plan.

The two senior officials who spoke with reporters about the document said it reinforced civil liberties protections and continued an existing ban on assassination and limitations on human experimentation.

But a congressional official briefed on the changes said that it would take a while until the full ramifications were worked out. In other words, in the vague and hazy world of spycraft, there will be some give-and-take before policy becomes reality. And just because it looks as though McConnell came out on top ...

Phoenix Lander Confirms Ice in Martian Soil - Srsly

Via AP -

The Phoenix spacecraft has tasted Martian water for the first time, scientists reported Thursday.

By melting icy soil in one of its lab instruments, the robot confirmed the presence of frozen water lurking below the Martian permafrost. Until now, evidence of ice in Mars' north pole region has been largely circumstantial.

In 2002, the orbiting Odyssey spacecraft spied what looked like a reservoir of buried ice. After Phoenix arrived, it found what looked like ice in a hard patch underneath its landing site and changes in a trench indicated some ice had turned to gas when exposed to the sun.

Scientists popped open champagne when they received confirmation Wednesday that the soil contained ice.

"We've now finally touched it and tasted it," William Boynton of the University of Arizona said during a news conference in Tucson on Thursday. "From my standpoint, it tastes very fine."

Phoenix landed on Mars on May 25 on a three-month hunt to determine if it could support life. It is conducting experiments to learn whether the ice ever melted in the red planet's history that could have led to a more hospitable environment. It is also searching for the elusive organic-based compounds essential for simple life forms to emerge.

The ice confirmation earlier this week was accidental. After two failed attempts to deliver ice-rich soil to one of Phoenix's eight lab ovens, researchers decided to collect pure soil instead. Surprisingly, the sample was mixed with a little bit of ice, said Boynton, who heads the oven instrument.

Researchers were able to prove the soil had ice in it because it melted in the oven at 32 degrees — the melting point of ice — and released water molecules. Plans called for baking the soil at even higher temperatures next week to sniff for carbon-based compounds.

China Blocks Journalists Access to Some Websites

Via AP -


This blocking is nothing new...but it will get worse and get more media play...

Regardless of whether you agree with the IOC view or not, at least we can hope that this influx of outsiders into China might put more pressure on the current government.

Pressure to be more open to press and information freedom.

Huge Rise in Fraud Against UK Banks

Via -

Serious fraud against UK banks in the first half of 2008 was greater than in the whole of any previous year, according to KPMG.

And the credit crunch is likely to make matters worse, the report's authors say.

The Forensic Fraud Barometer (PDF), now in its 20th year, reports fraud cases of £100,000 or more which come to court in the UK.

More than £630m worth of alleged fraud in 128 cases was reported in the UK, some £350m of which was perpetrated against the financial services sector. The previous "high watermark" of fraud against banks was £200m in 1998.

A large proportion of the sum was from one case, still being tried, in which hackers attempted to steal £220m from the Sumitomo Matsui Banking Corporation. The next largest was a £70m fraud attempted against HSBC's Securities Division.

Organised criminal gangs are behind the heists, according to the report.

"Banks are working extremely hard to protect themselves and their customers from fraudulent activity, but the signs are that organised criminals and syndicates have been relentless in their efforts," said Hitesh Patel, a partner at KPMG Forensic.

The majority of the cases in the latest report predate the credit crunch, and Patel expects more cases to come to light as firms go over their figures more carefully.

"The signs are that we could end up seeing some substantial losses being suffered," he said.


Damn, when I was reading this story on vnunet, I clicked on the Eset NOD32 ad and didn't realize my speakers were cranked. Scared the crap out of

Wednesday, July 30, 2008

FDA: Salmonella Strain Found on a Mexican Farm

Via -

U.S. Food and Drug Administration inspectors have found samples of Salmonella bacteria at a farm in Mexico that produces serrano peppers, officials said on Wednesday.

They matched the strain that has sickened more than 1,300 people across the United States and parts of Canada, David Acheson, FDA associate commissioner for food protection, told a congressional hearing.

"FDA found Salmonella saintpaul in a sample of serrano peppers and a sample of water from a farm in Mexico," FDA spokeswoman Stephanie Kwisnek confirmed.

Mexican officials have repeatedly denied that the outbreak, originally blamed on tomatoes but later traced to peppers, could be traced to Mexican farms.

U.S. congressional investigators have accused the FDA of mishandling the case.

Acheson told a hearing of the House Horticulture and Organic Agriculture Subcommittee that the FDA found the unusual strain at the Mexican farm.

On Monday, Colorado health officials said they had found a Salmonella-tainted jalapeno in the home of someone sickened in the outbreak, and a tainted pepper was found in a shipment of jalapenos from Mexico last week.

$10,000,000,000 Now $1 in Zimbabwe

Via NYTimes -

Zimbabwe will knock 10 zeros off the country's hyper-inflated currency next month, making 10 billion dollars one dollar, the nation's central bank governor said Wednesday.

President Robert Mugabe immediately warned in a televised address that he will impose a state of emergency if profiteers take advantage of the change on Aug. 1.

''Don't drive us further. If you drive us even more we will impose emergency measures. We don't want to place our country under emergency rule,'' Mugabe said.

Zimbabwe suffers the highest inflation rate in the world. Inflation is constraining operations of the country's computer systems, central bank Gov. Gideon Gono said.

Computers, electronic calculators and automated teller machines at banks have not been able to handle basic transactions in billions and trillions of dollars.

Just last week Gono introduced a new 100 billion-dollar note that is not enough to buy a loaf of bread.

Gono said on Aug. 1 the bank will issue a 500-dollar bill equivalent to 5 trillion dollars at the current rate.



DNS Attacks in the Wild - Austin

Via Metasploit Blog -

In a recent conversation with Robert McMillan (IDG), I described an in-the-wild attack against one of AT&T's DNS cache servers, specifically one that was configured as an upstream forwarder for an internal DNS machine at BreakingPoint Systems. The attackers had replaced the cache entry for with a web page that loaded advertisements hidden inside an iframe. This attack affected anyone in the Austin, Texas region using that AT&T Internet Services (previously SBC) DNS server. The attack itself was not malicious, did not load malware, and from an operational standpoint, had zero impact. I contacted the ISP, worked with our IT folks to switch forwarding services, and wrote a cache auditing tool. I found the "wild" attack interesting, so in a conversation with Robert McMillan, I brought up the incident and forwarded the associated logs and notes. Shortly after our conversation, Mr. McMillan published an article with a sensationalist title that, while containing most of the facts, attributed a quote to me that I simply did not say. Specifically: "It's funny," he said. "I got owned."

Most of the facts of the article are correct. I have no problem detailing the attack, how it worked, and how we detected and resolved it. I am careful about the wording, because I want to be clear that while this type of attack can be serious, in this case it was a five minute annoyance that was designed as a revenue generator for the folks who launched it (click-through advertisement revenue). No systems were compromised, no data was stolen, and most importantly, the target of the attack was the ISP, not the company that I work for. Stating that my company was "compromised" leads the reader to believe that there was some sort of security breach, which is reinforced by the fabricated quote. Mr. McMillan has since published a correction, but by the time this trickles down to all of the IDG publications, the damage will have been done. At this time (09:00 CST), the correction is posted, but the articles themselves have not been updated.

To add some content to my whining, I have included further details on the actual attack. The DNS server in question was ( This system accepted recursive requests from anywhere (not just subscribers) and is the default DNS server for anyone who purchased SBC Internet Services (in our case, a T1 line that was our primary until our fiber was run). Internally, we use two DNS servers, one going out the fiber, the other going out the T1 as backup. Early Tuesday morning, some of the friends and family members of BreakingPoint employees noticed that the iGoogle web page was returning a 404 from their home internet connections. Once our folks got to the office, they noticed that every once in a while, they could also reproduce it from within our network. Digging into it, we discovered that one of our internal DNS servers was still using SBC/AT&T as an upstream forwarder and that this server was returning the wrong results for


We changed the upstream forwarder for our internal DNS to point to a patched server (the ubiquitous BBN 4.2.2.x systems; OpenDNS has issues[1]), contacted the ISP, and wrote a cache validator that does not require host access to the DNS server (see the previous post for more information on that). The lesson -- even if your own DNS servers are patched, make sure none of those systems use an upstream DNS that has not been. Since we contacted the ISP, this particular DNS server has been taken offline. I found a list of regional SBC DNS servers and prodded them with the service. The end result was that of the 19 servers still online, 12 of them are still using static source ports, and each of these can be reached by anyone on the Internet. I wonder if they are waiting on ISC to fix BIND's performance problems.


Moral of the Story - Everyone in Austin using this SBC/ATT DNS server was the victim of a click-thru ad'er trying to make some money. It easily could have been malicious, but it wasn't....this time.

Breaking Point wasn't hacked. The issue was caused by ATT/SBC's slow patching response. This might have happened in Austin, but with the huge number of DNS servers still not patched, it is bound to happen again somewhere else. And it will continue to happen for a long, long time.
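The lesson in the post above is that a patched resolver is only as safe as its upstream forwarder, and the tell-tale sign the author prodded for was a static source port. The following script is an added example (not code from the Metasploit post or from BreakingPoint) of how a defender can check their own forwarders offline: it assumes you run a test name server for a zone you control, resolve a few names through each upstream forwarder you use, and log the UDP source port and DNS transaction ID of each query as it arrives. The log below is constructed, and the 203.0.113.x addresses are RFC 5737 documentation addresses, not real resolvers.

```python
"""Offline check of upstream DNS forwarders for static source ports.

Added example, not code from the original post. Assumed setup: a test name
server you control logs (forwarder address, UDP source port, DNS TXID) for
each query it receives via a given forwarder. A forwarder that sends every
query from one source port leaves an attacker only the 16-bit TXID to guess,
which is what the 2008 cache-poisoning patches fix by randomising the port.
"""
from collections import Counter, defaultdict
from math import log2

# Constructed sample log: (forwarder address, UDP source port, DNS TXID).
OBSERVED = [
    # Forwarder A: unpatched behaviour, fixed source port, varying TXID.
    ("203.0.113.10", 32768, 0x1A2B), ("203.0.113.10", 32768, 0x7C01),
    ("203.0.113.10", 32768, 0x03F4), ("203.0.113.10", 32768, 0xE9D2),
    ("203.0.113.10", 32768, 0x55A0), ("203.0.113.10", 32768, 0xB17C),
    ("203.0.113.10", 32768, 0x2E8E), ("203.0.113.10", 32768, 0x9F03),
    ("203.0.113.10", 32768, 0x6C6C), ("203.0.113.10", 32768, 0xD240),
    # Forwarder B: patched behaviour, random source port and TXID.
    ("203.0.113.20", 41057, 0x3E11), ("203.0.113.20", 52310, 0x8A42),
    ("203.0.113.20", 60022, 0x17B9), ("203.0.113.20", 33981, 0xC055),
    ("203.0.113.20", 49152, 0x6F28), ("203.0.113.20", 58741, 0x2DD3),
    ("203.0.113.20", 36672, 0xA4E6), ("203.0.113.20", 45903, 0x591F),
    ("203.0.113.20", 61250, 0xF30A), ("203.0.113.20", 39318, 0x0B87),
    # Forwarder C: only three queries seen, too few to judge.
    ("203.0.113.30", 1053, 0x1111), ("203.0.113.30", 1053, 0x2222),
    ("203.0.113.30", 1053, 0x3333),
]


def shannon_entropy(values):
    """Entropy in bits of the observed value distribution (0.0 if constant)."""
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * log2(c / total) for c in counts.values())


def assess_forwarders(records, min_samples=8):
    """Group logged queries by forwarder and flag static source ports.

    A forwarder with fewer than min_samples queries is reported as
    inconclusive rather than passed: a few queries from one port could be
    coincidence, and a few from different ports prove little either.
    """
    by_forwarder = defaultdict(list)
    for addr, port, txid in records:
        by_forwarder[addr].append((port, txid))
    report = {}
    for addr, pairs in by_forwarder.items():
        ports = [p for p, _ in pairs]
        txids = [t for _, t in pairs]
        conclusive = len(pairs) >= min_samples
        report[addr] = {
            "samples": len(pairs),
            "distinct_ports": len(set(ports)),
            "port_entropy_bits": round(shannon_entropy(ports), 2),
            "txid_entropy_bits": round(shannon_entropy(txids), 2),
            "conclusive": conclusive,
            "static_source_port": conclusive and len(set(ports)) == 1,
        }
    return report


def forwarders_to_replace(report):
    """Forwarders that should be dropped from resolver configs, sorted."""
    return sorted(a for a, r in report.items() if r["static_source_port"])


if __name__ == "__main__":
    result = assess_forwarders(OBSERVED)
    for addr, row in sorted(result.items()):
        print(addr, row)
    print("replace:", forwarders_to_replace(result))
```

With ten queries each, forwarder A scores zero bits of port entropy and is flagged, forwarder B scores about 3.3 bits (the most ten distinct values can show) and passes, and forwarder C is left inconclusive until more queries are logged. The entropy figure is only a sanity check on the sample; the decisive field is a single source port across a conclusive number of queries.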

Tuesday, July 29, 2008

Hackers Shut Down Neosploit Attack Kit Business

Via ComputerWorld -

A noted hacker attack kit has been retired from service by its criminal creators, most likely because it was priced too high compared to the competition, researchers said today.

Last week, security analysts at RSA's FraudAction Research Labs said they had evidence that the makers of Neosploit, a well-known infection kit used by online criminals to apply multiple exploits against PCs, were abandoning the business.

RSA, which regularly monitored the forums and chat rooms where Neosploit's developers marketed their product, was confident that the group was giving up on the kit, though not on hacking. "Even we assume that this isn't necessarily the end of this group," said Sean Brady, a product marketing manager in RSA's ID and access assurance group, which includes the FraudAction lab.

In its blog post, RSA quoted a going-out-of-business message in Russian said to have originated with Neosploit's authors. "Unfortunately, supporting our product is no longer possible," RSA's translation read. "We apologize for any inconvenience, but business is business, since the amount of time spent on this project does not justify itself. Now we will not be with you, but nevertheless we wish that your businesses will prosper for a long time!"

According to RSA, updates to Neosploit, which had a reputation for frequent updates, slowed this summer, with just one new version since early June. In April and May, Neosploit's makers released two updates.

RSA speculated that Neosploit's demise was driven by the same problems that face legitimate capitalism. "Our gut feeling is that their cost structure was out of whack given its functionality and the price of the competition," Brady said. "It was entirely about price point. Many kits do succeed. They've been the genesis of the growth of phishing [attacks] and Trojan horses."

Brady wouldn't hazard a guess about recent prices Neosploit's developers charged for the kit, saying only that "it apparently did have a high cost." Others have previously pegged the price at $1,000 to $3,000.

Roger Thompson, chief research officer of Czech Republic-based security vendor AVG Technologies, said via instant message that the news of Neosploit's end was "plausible."

"They were very vigorous at updating Neosploit, sometimes two or three times a month, and I haven't seen anything new from them for a couple of months now. That would explain it," Thompson said.

Taliban Seizes 30 Pakistani Police, Kills Three Intel Officers

Via Al Jazeera -

Pro-Taliban fighters in Pakistan's North West Frontier Province have abducted 30 security forces personnel after surrounding a police station.

A Taliban spokesman said that the capture of the men from the post in Swat on Tuesday was a response to the earlier arrest of six fighters.

"Taliban attacked a police station in Kabal area of Swat and kidnapped 11 police and 19 Frontier Corps troops on Tuesday morning," a security official told the AFP news agency on condition of anonymity.

Pakistani security forces have launched an operation to find the men and the road leading into Mingora, the main city in the region, has reportedly been closed.

The seizure of the 30 security personnel followed the killing of three Pakistani army intelligence officers as they returned to Mingora on Monday.

Armed men opened fire on their vehicle leaving them dead at the scene.

Government officials confirmed the death of the three men, but refused to say which security agency they belonged to.


Pakistan Tribune is reporting that the fighters burnt a girl’s school in Chamtlay and a polio center in Mingora as well.

Today's Theme Song - Virus by Deltron 3030

Deltron 3030 is a supergroup of hip hop artists, composed of producer Dan the Automator, rapper Del tha Funkee Homosapien and DJ Kid Koala. Their work features many other artists as well, all taking on various futuristic pseudonyms.

The group's debut album Deltron 3030, released on May 23, 2000, is a concept album set in the year 3030 that tells of the fight against huge corporations that rule the universe by Del's alter ego, Deltron Zero. The lyrics were written in less than two weeks and are characterized by extravagant allusions to futuristic outer-space themes in the tradition of Afrofuturist works by Sun Ra and George Clinton.

Following the release of the album, all three members worked on the Gorillaz' self-titled debut album.

Before Guests Arrive, Beijing Hides Some Messes

Via NYTimes -

BEIJING — Tourists leaving the west gate of the Temple of Heaven next month will probably not notice Song Wei’s home across the street. Nor are spectators along the Olympic marathon route likely to stop by Sun Ruonan’s restaurant nearby.

Mr. Song and Ms. Sun live along Beijing’s central axis in neighborhoods that have been gutted to make the city look clean and orderly for the Olympics. Both have held on despite pressure to move. They will spend the Olympics behind walls or screens erected to keep their property out of public view.

A veil of green plastic netting now covers Ms. Sun’s restaurant. Mr. Song’s house and several shops that he rents to migrant families were surrounded by a 10-foot-tall brick wall last week, part of a last-minute beautification campaign. The authorities deemed his little block of commerce an eyesore.

“We all support the Olympics,” said Mr. Song, 42, a Beijing native who lives along the cycling and marathon routes. “But why are you building a wall around us?”

A mysterious notice appeared beside the shops on July 17, typed on white paper and signed by no one. It read, “In keeping with the government’s request to rectify the Olympic environment, a wall will need to be built around No. 93 South Tianqiao Road.” The next morning, several bricklayers showed up with a police escort.

Now a wall conceals a little cove of entrepreneurship where several migrant families sell socks, book bags, pants, noodles and shish kebabs cooked in a spicy soup. One family behind the wall sells ice cream, popsicles and cold drinks from a refrigerator on wheels.

Zhao Fengxia, a neighbor who owns three shops, said she believed that officials and developers were using Olympic beautification as a pretext to strangle their business and put pressure on them to leave. Feng Pan, 18, who helps her parents run a noodle shop, accepted the official view less critically. “We influence the city’s appearance,” she said.

A planning official, Zhi Wenguang, said, “We extended an existing wall to improve the overall environment for Olympic events.”

Many cities have sought to remake their image when hosting global events like the Olympics. Beijing is polishing off one of the world’s most expensive makeovers with a whitewash. Along the historic central axis of the city that runs from the Yongdingmen Gate due north to the Drum Tower, the authorities are doing their best to give the old city a new face. Beijing has spent $130 million to restore buildings, many of them temples along the five-mile axis, according to the city’s cultural relics bureau.

The Olympic Stadium was built on a northern extension of the traditional axis — a nod to the event’s historic importance. On the wide boulevards leading up to the stadium, roadblocks have been set up and flowers, grass and trees planted.

The southern part of the axis has proved more difficult to beautify. It cuts through densely populated neighborhoods south of Tiananmen Square that are home to many of the city’s migrants and working poor. To hide neighborhoods leveled for redevelopment in recent years or anything else the government considers unsightly, officials have put up walls.

Mr. Song and his wife and 8-year-old daughter now live behind one. They have lived here since 1994, Mr. Song said, renting out his shops to families from the provinces.

They live in close quarters. The Songs’ room is barely big enough for a double bed on which the couple and daughter sleep. Two pet birds live in metal cages by the door. The birds, brown starlings with dark feathers and orange beaks, can parrot human speech. Mr. Song taught the birds one of the most famous poems of the Tang Dynasty. Every few minutes, it squawks lines from the poem: “The white sun falls over the mountains” or “The Yellow River flows into the sea.”

Behind the room is a moonscape of weeds and rubble that used to be a slum. Mr. Song’s place survived while the city razed the poor Tianqiao neighborhood and transformed it with shopping malls, wider streets and subdivisions. Mr. Song’s predicament is familiar in the churn of this changing city. The developers want him to go, but he is holding out for more money.

Tree Shrew Lives on Nature-Brewed Beer

Via -

Even the most ardent beer fans would have trouble subsisting on their favorite brew day in and out, but scientists have just discovered that the pentailed treeshrew lives off a frothy, fermented nectar that smells like beer and has its same alcohol content.

Humans previously were thought to be the only animals that regularly imbibed alcohol, but the soft-furred, slender treeshrews drink far more than most humans ever could for their body weight, and have been doing so for up to 55 million years.

But are the treeshrews forever tipsy?

"They show no obvious signs of drunkenness when observed from only 9.8 feet away," lead author Frank Wiens told Discovery News. "However we do not rule out psychopharmacological effects induced by alcohol."

"On the contrary, I believe that some psychological effects induced by alcohol, such as effects on the brain, mood and learning, are crucial in this system," added Wiens, a researcher in the Department of Animal Physiology at the University of Bayreuth in Germany.

Wiens and his team made the discovery, outlined in the latest Proceedings of the National Academy of Sciences, after first detecting a "strong alcoholic smell reminiscent of a brewery" from flowers of the bertam palm in the West Malaysian rainforest Segari Melintang Forest Reserve in the State of Perak. Nectar from this plant frequently frothed up and out of the palm's long, tubular flowers.

The researchers conducted video surveillance of visitors to the plant and determined that many species bellied up to the bar-like scene, particularly at night, when the number of visits more than doubled. Nocturnal imbibers included the gray tree rat, the Malayan wood rat, the chestnut rat, the slow loris and the pentailed treeshrew.

The latter two animals spent far more time than the others did moving up and down the palm flowers and licking off the available nectar and pollen. The shrews stayed an average of 138 minutes per night, while the lorises fed for an average of 86 minutes each night.

The natural brew contains up to 3.8 percent alcohol, which is very close to the alcohol content of most human-manufactured beers. Given variations in alcohol content and amounts consumed, Wiens and his team say the clawed, big-eyed treeshrews would have a 36 percent chance of being drunk, by human standards, on any given night.

Wiens said there are even "reports of Malaysian indigenous people harvesting the nectar in former times," with these people getting "a buzz from the nectar."



Rand Research: US Needs Strategy Shift to Defeat Al-Qaida

Via AP News -

WASHINGTON (AP) -- The United States can defeat al-Qaida if it relies less on force and more on policing and intelligence to root out the terror group's leaders, a new study contends.

"Keep in mind that terrorist groups are not eradicated overnight," said the study by the federally funded Rand research center, an organization that counsels the Pentagon.

Its report said that the use of military force by the United States or other countries should be reserved for quelling large, well-armed and well-organized insurgencies, and that American officials should stop using the term "war on terror" and replace it with "counterterrorism."

"Terrorists should be perceived and described as criminals, not holy warriors, and our analysis suggests there is no battlefield solution to terrorism," said Seth Jones, the lead author of the study and a Rand political scientist.

"The United States has the necessary instruments to defeat al-Qaida, it just needs to shift its strategy," Jones said.

Nearly every ally, including Britain and Australia, has stopped using "war on terror" to describe strategy against the group headed by Osama bin Laden and considered responsible for the Sept. 11, 2001 suicide attacks at the World Trade Center in New York and the Pentagon.

Based on an analysis of 648 terrorist groups that existed between 1968 and 2006, the report concluded that a transition to the political process is the most common way such groups end. But the process, found in 43 percent of the cases examined, is unlikely with al-Qaida, which has a broad, sweeping agenda, the report said.

The second most common way that terrorist groups end, seen in about 40 percent of the cases, is through police and intelligence services apprehending or killing key leaders, Jones said. Police are particularly effective because their permanent presence in cities helps them gather information, he said.

By contrast, the report said, military force was effective in only 7 percent of the cases.

Jones, in an interview, said, "Even where we found some success against al-Qaida, in Pakistan and Iraq, the military played a background or surrogate role. The bulk of the action was taken by intelligence, police and, in some cases, local forces."

"We are not saying the military should not play a role," he said. "But unless you are talking about large insurgencies, military force should not be the tip of the spear."


I believe most would agree that, in general, police and local intelligence / law enforcement forces are better suited for counterterrorism than a full-blown army - which can be like using a sledgehammer to kill a fly.

United States Department of Defense policy, based on the Posse Comitatus Act, forbids domestic counter-terrorism operations by the US military.

Thus, it is very important to ensure that these types of institutions are built and supported locally.

On a side note, I agree with the report...the term "War on Terror" has grown to be very misleading to the general public....and is basically just a flashy (TV friendly) replacement for counterterrorism (CT).

For this reason, I try very hard to avoid it.

Monday, July 28, 2008

ISR-Evilgrade Toolkit + DNS Flaw = Trouble

ISR-evilgrade is a modular framework that allows us to take advantage of poor upgrade implementations by injecting fake updates. It works with modules; each module implements the structure needed to emulate a false update of specific applications/systems. Evilgrade needs the manipulation of the victim's DNS traffic.

Attack vectors - Internal scenario:
Internal DNS access
ARP spoofing
DNS Cache Poisoning
DHCP spoofing

Attack vectors - External scenario:
Internal DNS access
DNS Cache Poisoning

Implemented modules:
Java plugin
Linkedin Toolbar
DAP [Download Accelerator]

Demo Slides (PDF)
Demo Video


Basically, an attacker can exploit a program's auto or manual update function to fully pwn a client. Combine that with the current widespread DNS flaw..and you have a very dangerous mix for massive client pwnage.

Given all the great work already put into this framework by Francisco Amato, it should be pretty easy to make it a MSF module. Which is in progress as you read this...

Korean Loan Sharks Feed on Hacked Personal Data

Via The Register UK -

Korean police are hunting a loan broker thought to have fled to China after allegedly fencing nine million credit records.

Police are working on the theory that Korean financial data files obtained by a Chinese hacker were resold by a 42-year-old go-between, named only by his surname Chun. The suspected crook, charged with raking in South Korean Won 2.7bn ($2.67m), is reckoned to have high-tailed it to China before police could slap on the cuffs. Another suspect, 29-year-old Im, has also bolted.

Korean police arrested six of Chun's alleged accomplices including a 42-year-old suspect named as Shin, who ran a "loan mediating company". The gang allegedly bought personal data files obtained after a Chinese hacker broke into the systems of Korean banks, loan firms and internet shopping malls for Won 15m ($14,900) in May 2006. The information included names, addresses and residency card numbers. The majority (4.8 million) of the records were obtained from banks.

Instead of using this information to obtain credit cards or lines of credit under assumed names as in regular ID fraud, the gang used it as a marketing database. Members of the gang phoned up likely targets on behalf of local loan sharks. Chun's gang allegedly charged five to 15 per cent commission per deal, earning them Won 2.5 billion through an estimated 1,100 agreements. Chun is also accused of selling on the data he bought to another shady loan operation for a further Won 220m.

The English language version of Korean website Chosun Ilbo has more details here.

E-Gold Pleads Guilty to Money Laundering

Via SecurityFocus -

On Monday, the Nevis, West Indies, company, its founder and two senior directors all agreed to plead guilty to various charges related to money laundering and the operation of an unlicensed money transfer business. The agreement ends a nearly four-year investigation into the company and its digital currency service, which -- because of the anonymity it provided account holders -- became a popular method for cybercriminals to turn ill-gotten proceeds into clean cash.

"The operations of E-Gold Ltd. and the other defendants undermined the laws designed to maintain the integrity of our financial system and created opportunities for criminal activity," Jeffrey A. Taylor, U.S. Attorney for the District of Columbia, said in a statement announcing the agreement. "Because of the successful prosecution of these defendants, digital currency providers everywhere are now on notice that they must comply with federal banking laws or they will be subject to prosecution."

Under the terms of the agreement, E-Gold's founder, Dr. Douglas Jackson of Melbourne, Florida, and two principal directors will plead guilty to charges of operating an unlicensed money transfer business, according to the statement released by the U.S. Department of Justice. Jackson will also plead guilty to conspiracy to launder money. Both E-Gold and its corporate affiliate Gold & Silver Reserve, a Delaware corporation, have also agreed to plead guilty to conspiracy to launder money.

According to the Justice Department, Jackson faces a sentence of up to 25 years in prison and a fine of up to $750,000, while the two directors -- Barry Downey, 48, of Baltimore, and Reid Jackson, 45, of Melbourne -- could serve up to 5 years in prison and fines up to $25,000 each. In addition, the companies have agreed to forfeit $1.75 million in profits and could be fined up to a maximum of $3.7 million. In addition, the companies will begin to comply with all applicable federal and state laws governing money transfer businesses, hire a consultant to aid in the process of adding additional security to its systems, and contract with an auditor to verify the companies' claims that transactions are backed by gold, the U.S. Department of Justice said in its statement.

Despite the guilty pleas, the founder has vowed that the service will continue to operate. In a statement titled A New Beginning and posted on the company's blog, Dr. Jackson promised that the company will redesign its service to be less hospitable to criminals.

"The resolution of the criminal case ... provides for a second chance, an opportunity to address the flaws embedded in the e-gold system and to transform the 'e-gold Operation' into the institutions (sic) I, the other directors, and our long-suffering employees and contractors have always envisioned, one that serves to advance the material welfare of mankind," Dr Jackson wrote.

In April 2007, the United States indicted E-Gold and its founders, charging the company with offenses related to money laundering. Digital cash services, such as E-Gold, have increasingly been used by cybercriminals as a way to launder money and to accept payment for delivering cybercrime services and malicious code.

A number of U.S. agencies cooperated to investigate E-Gold, including the U.S. Secret Service, the Internal Revenue Service's Criminal Investigation unit and the FBI.


Wow. When I first heard about this story, I figured they were going to fight it out in court. I knew they would lose, but I figured they would fight...

I guess they knew they would lose as well.

Sunday, July 27, 2008

'Hijacked' SF Passwords Made Public By DA

Via CNet -

Only days after the city of San Francisco regained control of its computer network after an alleged hijacking, a new vulnerability has come to light--this time brought on by the city itself.

The San Francisco district attorney's office has apparently made public nearly 150 usernames and passwords used by city officials to gain access to the city's network. The list was submitted to the court as Exhibit A in a case against Terry Childs, a 43-year-old network administrator for the city who was arrested July 13 on four felony charges of tampering with the city's computer network.

Co-workers accused Childs of setting a "time bomb" that would sabotage the network the next time it went down, either for maintenance or due to a power outage.

Childs had effectively taken the city's network hostage by locking administrators out and refusing to give up the passwords needed to regain access. The San Francisco Chronicle reported that Childs handed the passwords over directly to Mayor Gavin Newsom in a secret meeting earlier this week.

Later in the week, the DA's office reportedly filed a court document to argue against a reduction of the $5 million bail set for Childs, who is being held in the county jail. Exhibit A of the document contained the usernames and passwords used by nearly 150 employees to get into the city's virtual private network. And despite saying the passwords pose an "imminent threat" to the city's computer network, they are now of public record.

A source tells InfoWorld that a second password is needed to gain access to the VPN. Still, giving up these so-called phase one passwords is hardly recommended security policy.

And here I thought we San Franciscans were supposed to be good with this computer stuff.




Pakistan Gov Flip-Flops on Control of Intelligence Agencies

Via Gulf News -

The Pakistan government's notification on Sunday, reversing an announcement made a day before to place the two top intelligence agencies under the interior ministry, has led to further confusion with a former top spy saying a conspiracy was foiled.

The government on Saturday issued a notification saying the prime minister has approved giving the interior ministry control of the Inter-Services Intelligence (ISI) Agency and the Intelligence Bureau (IB).

The notification, issued on a day Prime Minister Yousuf Raza Gilani left for a crucial meeting with President George W. Bush, was seen mostly as a positive step and a move towards complete civilian rule.

It said: "In terms of Rule 3(3) of the Rules of Business of 1973, the prime minister has approved the placement of the Intelligence Bureau and the Inter-Services Intelligence under the administrative, financial and operational control of the Interior Division with immediate effect."

However, early yesterday the government issued another notification saying that the earlier order was misunderstood and the ISI would remain under the prime minister.

Twitter - Tweet, Tweet

So I finally made a Twitter account...I figured it will be helpful during Blackhat/Defcon.

Saturday, July 26, 2008

IDA on iPhone

Via Hex Blog -

Good news for real iPhone fans: we ported IDA to iPhone! It can handle any application and provides the same analysis as on other platforms.


Only the biggest iPhone fans will consider using it for real, though. The input is awkward because everything runs within a terminal emulator window. For any action, the onscreen keyboard must be invoked and then hidden away to reclaim the screen estate. Improving TVision to run natively on iPhone GUI is the next step but we leave it for the most zealous iPhone supporters ;)


It was fun; I would not be surprised if IDA runs on more devices in the future ;)

British Cityware Project: Tracking People with Bluetooth

Via -

A Big Brother network of hidden scanners is monitoring hundreds of thousands of Britons without their knowledge, it emerged yesterday.

Scientists track people walking around cities, using the Bluetooth signals from their mobiles, laptops and handheld computers.

Scanners in bars, offices and universities register nearby Bluetooth devices and send the information to a central database.

The Cityware project, which is funded by £1.2million of taxpayer's money, started in Bath three years ago and is designed to chart how pedestrians use city centres.

It will be used to improve their design, learn how people use public transport and shops and work out how epidemics can spread.

There are thousands of scanners globally, of which 1,000 are actively tracking passers-by at any one time. Three-thousand people in Bath were monitored in one weekend alone.

The scientists behind Cityware deny they are intruding on privacy, despite growing concerns over Britain's surveillance society.

They say the signals they get from phones and laptops do not reveal personal information. But critics say the signals can contain the owner's details.

Bluetooth devices use radio signals to communicate with each other.

If Bluetooth is switched on, a gadget will broadcast its name and ID number to anyone within 100 yards.

The name can be changed by the owner and often includes their own name, email address or phone number.

The scanners convert the data into maps showing the movement of people over time.

Bath MP Don Foster said: 'This is another infringement of our civil liberties and another step closer to the Big Brother state.

'We need a guarantee that all data is made anonymous before it is analysed.'

Simon Davies, of human rights watchdog Privacy International, said: 'This could become the CCTV of the mobile industry.

'It would not take much to make this a surveillance infrastructure over which we have no control.'

Bath University academic Eamon O'Neill, director of Cityware, said: 'We are recording only radio signals that are publicly available.

'We don't know who is carrying the phone.'


Yet another reason why I don't use bluetooth...

Cityware Project website
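The MP's demand above is that the data be "made anonymous before it is analysed". The following is an added example (Python, standard library only), not code from the Cityware project, showing why that takes more than dropping the advertised name: an unkeyed hash of the 48-bit Bluetooth address is still a label that anyone who knows an address can recompute, while a keyed hash under a secret that is rotated per period lets analysts follow pedestrian flows within a day without being able to follow one device across days. All sightings, addresses and the key are constructed values.

```python
"""Pseudonymising Bluetooth scanner sightings before analysis.

Added example; not Cityware code. Models the fields a scanner in the
story collects (device address, advertised name, scanner, day) and
compares a naive unkeyed hash with a per-day keyed hash.
"""
import hashlib
import hmac
from datetime import date

# Constructed sightings: (bluetooth_address, advertised_name, scanner, day)
SIGHTINGS = [
    ("00:11:22:AA:BB:01", "Alice Smith's phone", "bar-A", date(2008, 7, 25)),
    ("00:11:22:AA:BB:01", "Alice Smith's phone", "uni-lib", date(2008, 7, 25)),
    ("00:11:22:AA:BB:02", "alice@example.org", "bar-A", date(2008, 7, 25)),
    ("00:11:22:AA:BB:01", "Alice Smith's phone", "bar-A", date(2008, 7, 26)),
]

def unkeyed_pseudonym(address):
    """What a naive 'anonymisation' does: SHA-256 of the address.
    Anyone holding an address can recompute this and pick the device
    out of the data set, so it is a pseudonym, not anonymity."""
    return hashlib.sha256(address.lower().encode()).hexdigest()[:16]

def period_key(master_key, day):
    """Derive a per-day key; the master key stays with the data custodian."""
    return hmac.new(master_key, day.isoformat().encode(), hashlib.sha256).digest()

def keyed_pseudonym(master_key, address, day):
    """HMAC under the day's key. Without master_key the value cannot be
    recomputed from an address, and the same device gets unrelated
    pseudonyms on different days."""
    return hmac.new(period_key(master_key, day), address.lower().encode(),
                    hashlib.sha256).hexdigest()[:16]

def pseudonymise(master_key, sightings):
    """Records handed to analysts: the advertised name is discarded
    outright (the story notes it often carries a name, e-mail address
    or phone number) and the address is replaced by its daily pseudonym."""
    return [(keyed_pseudonym(master_key, addr, day), scanner, day)
            for addr, _name, scanner, day in sightings]

def linkable_across_days(records):
    """True if any pseudonym appears on more than one day, i.e. the
    data set still supports long-term tracking of a single device."""
    days_by_id = {}
    for pseud, _scanner, day in records:
        days_by_id.setdefault(pseud, set()).add(day)
    return any(len(days) > 1 for days in days_by_id.values())

def recognisable(address, records):
    """Linkage check to run before releasing data: can a party who
    knows `address` find it in `records` without any secret?"""
    target = unkeyed_pseudonym(address)
    return any(pseud == target for pseud, _s, _d in records)

MASTER_KEY = b"constructed-demo-key-do-not-reuse"   # constructed; keep real keys in an HSM or vault

if __name__ == "__main__":
    naive = [(unkeyed_pseudonym(a), s, d) for a, _n, s, d in SIGHTINGS]
    keyed = pseudonymise(MASTER_KEY, SIGHTINGS)
    print("naive: linkable across days:", linkable_across_days(naive))
    print("naive: known address recognisable:", recognisable("00:11:22:AA:BB:01", naive))
    print("keyed: linkable across days:", linkable_across_days(keyed))
    print("keyed: known address recognisable:", recognisable("00:11:22:AA:BB:01", keyed))
```

Within one day the keyed scheme still maps a device seen at two scanners to the same pseudonym, which is all the "how pedestrians use city centres" analysis needs; the 16-hex-digit truncation keeps 64 bits, so accidental collisions are negligible.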

Another Day of Terror: Seventeen Blasts Rock Ahmadabad, India

Via CT Blog -

Even as the investigations of the July 25 Bangalore serial blasts continue for the second day, with another live bomb defused this morning near a city mall, terrorists have struck Ahmadabad, capital city of the Western Indian State of Gujarat, with more than 17 low to medium intensity bomb blasts. On the evening of July 26, within a span of one hour, explosions occurred at Maninagar, Isanpur, Narol, Bapunagar, Hatkeshwar, Sarkej and Odhav. Unconfirmed reports said there were 20 blasts. There were even blasts in front of the Civil Hospital's trauma center, perhaps from a suicide bomb. TV footage showed mangled remains of cycles, motorbikes and a blood-splattered passenger bus, and signs of gelatin rods and wires. As per the latest reports, 29 people have been killed so far and over 150 others sustained severe to minor injuries.

Meanwhile, the Indian Mujahedeen has claimed responsibility for the latest Ahmadabad serial blasts. The synchronised blasts were preceded by an email threat underscoring: "The INDIAN MUJAHIDEEN. strike again! - Do whatever you can, within 5 minutes from now, feel the terror of Death!"

Some of the bombs were believed to have been placed in bicycles and Tiffin boxes, quite similar to the Jaipur and Uttar Pradesh blasts. This is the third in the series of terror attacks claimed by IM, following serial blasts in Jaipur on May 13 this year and in three towns of Uttar Pradesh in November last year. There is little doubt that IM is trying to mislead the investigating agencies and trying to portray that India is experiencing homegrown terrorism, not sponsored by any external agencies or outfit. It’s obvious that IM is a deadly cocktail of Harkat- Lashkar-SIMI foot soldiers.

Metasploit Tweaks DNS BailiWicked Attacks

The DNS BailiWicked Domain Attack can now be run on FreeBSD and Mac OS X.

Raw socket support for FreeBSD, NetBSD, BSDi, and Mac OS X

Fix the resolver on darwin

Raw socket support for BSD systems

Of course, Apple is one of those vendors that hasn't released patches for this vulnerability....big shocker there.

Friday, July 25, 2008

New Iteration of Coreflood Botnet

Via -

The seven-year-old Coreflood botnet is quietly stealing thousands of passwords from corporate users and other large organizations, thanks to recent enhancements that allow it to spread like a worm, researchers say.

The enhancements were revealed June 30 by botnet expert Joe Stewart, director of malware research at SecureWorks. Stewart traced the botnet to a single command and control server that held more than 400,000 user IDs, passwords, and other information. (See SecureWorks Finds Massive Cache of Stolen Data.)

Since then, other researchers have had an opportunity to evaluate Stewart's findings, and they don't like what they see. In a nutshell, Coreflood has combined its old ability to deliver a password-stealing Trojan with a new ability to infect whole Windows domains in a matter of hours.

"This is potentially way more malicious than Storm, because it is collecting passwords -- rather than just sending out spam or denying service -- and because the user doesn't have to click on a link or do anything at all in order to be infected," says David Jevans, CEO of security vendor IronKey and chairman of the Anti-Phishing Working Group.

Coreflood, which started out as a simple Trojan in late 2001, has been reiterated more than 100 times during its long lifespan. But with the enhancements, the Trojan now has the ability to infect Windows administrators' machines and then use their privileges to infect all of the other machines in the administrator's domain.


Jevans is concerned that Coreflood will quickly become an attractive attack vector for cybercriminals, who want identity data from a highly qualified base of victims. "This is targeting corporate environments, which means there aren't any kids logging on to play Webkinz," he notes. "But a lot of adults access their bank accounts from the office."

The Coreflood vulnerability takes advantage of lax security practices in the Windows environment, where systems administrators often have broad rights to distribute software and other code, but whose authentication methods are simple, and even shared, Jevans observes. "And often, the domain administrator uses the same computer for surfing the Web that he does for sending out software," he notes. "It's relatively easy to find that one administrator who can infect a whole domain."

To defend themselves against Coreflood, enterprises should take a closer look at the way their Windows administrators operate, and which machines they use. Companies should also consider using anti-malware tools that are behavior-based, rather than signature-based, Jevans says.

Adeona: A Free, Open Source System for Helping Track and Recover Lost and Stolen Laptops

Adeona is the first Open Source system for tracking the location of your lost or stolen laptop that does not rely on a proprietary, central service. This means that you can install Adeona on your laptop and go — there's no need to rely on a single third party. What's more, Adeona addresses a critical privacy goal different from existing commercial offerings. It is privacy-preserving. This means that no one besides the owner (or an agent of the owner's choosing) can use Adeona to track a laptop. Unlike other systems, users of Adeona can rest assured that no one can abuse the system in order to track where they use their laptop.

Adeona is designed to use the Open Source OpenDHT distributed storage service to store location updates sent by a small software client installed on an owner's laptop. The client continually monitors the current location of the laptop, gathering information (such as IP addresses and local network topology) that can be used to identify its current location. The client then uses strong cryptographic mechanisms to not only encrypt the location data, but also ensure that the ciphertexts stored within OpenDHT are anonymous and unlinkable. At the same time, it is easy for an owner to retrieve location information.
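To make the two properties claimed above concrete (the owner can retrieve location updates, yet the stored ciphertexts are anonymous and unlinkable), here is an added example in Python using only the standard library. It is not Adeona's own code and not its exact construction: the laptop client ratchets a secret on every update, stores each encrypted location under a pseudorandom index derived from that secret, and discards the old secret, so an observer of the storage sees only random-looking keys and blobs, someone who seizes the laptop's current state cannot locate earlier updates, and the owner, who kept the initial seed offline, can recompute every index. The DHT is simulated with a dict; the cipher is an HMAC-SHA256 keystream with an HMAC tag because the standard library has no AES. Seeds, labels and locations are constructed values.

```python
"""Forward-secure, unlinkable location updates (added example, not Adeona code)."""
import hashlib
import hmac
import json
import os

def prf(key, label):
    """Pseudorandom function used for every derivation below."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key, nonce, data):
    """Counter-mode keystream built from HMAC-SHA256, XORed over data."""
    out = bytearray()
    for counter in range(0, len(data), 32):
        out += prf(key, nonce + counter.to_bytes(4, "big"))
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(prf(key, b"enc"), nonce, plaintext)
    tag = hmac.new(prf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    """Verify the tag in constant time, then decrypt; raises on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(prf(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tag mismatch: wrong key or tampered blob")
    return _keystream_xor(prf(key, b"enc"), nonce, ct)

class LaptopClient:
    """Runs on the laptop and holds only the *current* ratchet state."""
    def __init__(self, seed, dht):
        self.state = seed
        self.dht = dht

    def report(self, location):
        index = prf(self.state, b"index")      # pseudorandom DHT key for this update
        key = prf(self.state, b"key")          # one-time encryption key
        self.dht[index] = seal(key, json.dumps(location).encode())
        self.state = prf(self.state, b"next")  # ratchet forward; old state is gone
        return index

def owner_retrieve(seed, dht, max_updates):
    """Owner side: replay the ratchet from the offline seed and collect
    every update present in the DHT, in the order it was stored."""
    state, found = seed, []
    for _ in range(max_updates):
        index = prf(state, b"index")
        if index in dht:
            found.append(json.loads(unseal(prf(state, b"key"), dht[index])))
        state = prf(state, b"next")
    return found

if __name__ == "__main__":
    seed = os.urandom(32)   # the owner keeps this off the laptop
    dht = {}
    client = LaptopClient(seed, dht)
    for loc in ({"ip": "192.0.2.10", "gateway": "192.0.2.1"},       # constructed
                {"ip": "198.51.100.7", "gateway": "198.51.100.1"}):
        client.report(loc)
    print(owner_retrieve(seed, dht, max_updates=10))
```

Unlinkability comes from the indices and keys being PRF outputs of a secret nobody else holds; forward security comes from `report` overwriting `self.state`, so the chain can only be walked forwards. The owner's retrieval cost is linear in the number of updates, which is the trade-off such a design accepts for not needing a trusted central server.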

Six Arrested in DC Metro Farecard Scheme

Via Washington Post -

Metro Transit Police have arrested six people in an elaborate fare card scam that has so far netted the agency $16,000 worth of stolen Farecards, officials said yesterday. The investigation is ongoing, and officials do not know how much the counterfeit operation has cost the agency.

"This was a sophisticated operation to defraud a public agency," Metro General Manager John B. Catoe Jr. said at a news conference. "We think there is a Mr. Big, and that's who we would like to find."

The thieves traded in counterfeit paper Farecards in Metro Farecard machines to receive legitimate ones, or used the counterfeit ones to add value to electronic SmarTrip cards, officials said.

The thieves also sold some of the legitimate cards on the street at half-price, officials said. Metro is investigating whether the cards were also sold online. Because many transit agencies have similar fare collection systems -- a magnetic strip that is electronically read by a Farecard machine -- Metro has also alerted the American Public Transportation Association, a major industry group, so other agencies can be on the alert.


The fraud was discovered this week but began early this year, officials said. Officials said the individuals created counterfeit paper Farecards that were detectable to a person but not to Farecard machines. The officials declined to provide details about how the operation worked or how the scam was detected. Officials have praised Transit Police, technology and financial transactions departments personnel for moving quickly to halt the theft.


Those little paper tickets almost seemed pretty insecure...but it was just a feeling.

Apple Looking to Hire iPhone Hacker

Via ZDNet -

Apple is in the market for someone capable of hacking into the iPhone.

According to this job listing, the company is looking for an iPhone Security Engineer capable of, among other things, developing “proof of concept” attacks on the device’s current security mechanisms.

The successful candidate will be tasked primarily with validating the security architecture for the iPhone.


This move comes amidst news that the latest versions of the iPhone are affected by vulnerabilities that could aid phishing and spamming attacks.

Apple has also been criticized in the past for inordinate delays in shipping iPhone patches, a problem caused mostly because Apple’s agreement with carriers requires that every minor release be reviewed and approved, a mind-numbingly slow/exhaustive process.

India's IT City Bangalore Rocked by Seven Consecutive Terror Blasts

Via CT Blog -

This afternoon (July 25) at least seven low intensity bomb blasts took place in Bangalore (also Bengaluru), the Information Technology hub of India. These blasts happened within a span of one hour and left two people dead and nearly 20 others injured. However, police have so far confirmed only a single death.

Today’s event reminded us about the Jaipur serial blasts in May 2008 where nearly eight bicycle strapped bombs ripped through crowded places, killing scores of people.

It seems that crude improvised explosive devices (use of readily available gelatin rods and neogel chemicals can’t be ruled out) were used to trigger these blasts in the city. The first bomb reportedly went off near the Madiwala Bus stop at 1:20 PM which was followed by six blasts at Kormangla, Adugudi, Nayandahalli, Mysore Road and Hosur Road (outskirts). Till now, no terror outfits have claimed responsibility, even as the needle of suspicion pointed at the Lashkar e Toiba- SIMI- Harkat-ul-Jehadi Islami combined.

Even though the blasts looked amateurish vis-à-vis Hyderabad and Jaipur serial blasts in the past, this time terrorists have only succeeded in spreading panic throughout the city and other metros. And they very well knew any strike in Bangalore could have rippling effect in the US and other western countries, as many business processing outsourcing units (e.g. Infosys and Wipro) and other MNCs (e.g. IBM) are located in the City.

As usual the investigating agencies will be probing the attacks, only to reach nowhere. The war of words will follow with claims and counter claims. It’s high time for Indian agencies to look inward and put the sloppy investigations filled with rhetoric at bay.

Thursday, July 24, 2008

Iran Ends Cooperation with UN Nuclear Arms Probe

Via Yahoo News! -

VIENNA, Austria - Iran signaled Thursday that it will no longer cooperate with U.N. experts probing for signs of clandestine nuclear weapons work, confirming the investigation is at a dead end a year after it began.

The announcement from Iranian Vice President Gholam Reza Aghazadeh compounded skepticism about denting Tehran's nuclear defiance, just five days after Tehran stonewalled demands from six world powers that it halt activities capable of producing the fissile core of warheads.

Besides demanding a suspension of uranium enrichment — a process that can create both fuel for nuclear reactors and payloads for atomic bombs — the six powers have been pressing Tehran to cooperate with the International Atomic Energy Agency's probe.

Iran, which is obligated as a signer of the Nuclear Nonproliferation Treaty not to develop nuclear arms, raised suspicions about its intentions when it admitted in 2002 that it had run a secret nuclear program for nearly two decades in violation of its commitment.

The Tehran regime insists it halted such work and is now only trying to produce fuel for nuclear reactors to generate electricity. It agreed on a "work plan" with the Vienna-based IAEA a year ago for U.N. inspectors to look into allegations Iran is still doing weapons work.

At the time, IAEA chief Mohamed ElBaradei hailed it as "a significant step forward" that would fill in the missing pieces of Tehran's nuclear jigsaw puzzle — if honored by Iran. He brushed aside suggestions Iran was using the deal as a smoke screen to deflect attention from its continued defiance of a U.N. Security Council demand for a halt to uranium enrichment.

The investigation ran into trouble just months after being launched. Deadline after deadline was extended because of Iranian foot-dragging. The probe, originally meant to be completed late last year, spilled into the first months of 2008, and beyond.


On Thursday, Aghazadeh appeared to signal that his country was no longer prepared even to discuss the issue with the IAEA.

Investigating such allegations "is outside the domain of the agency," he said after meeting with ElBaradei. Any further queries on the issue "will be dealt with in another way," he said, without going into detail.

Britain, one of those suspicious of Iran's nuclear activities, was critical.

"We are concerned by reports that Iran is refusing to cooperate with the IAEA on allegations over nuclear weapons," the British Foreign Office said in a statement. "The IAEA has raised serious concerns over Iran's activities with a possible military dimension. If Iran is serious about restoring international confidence in its intentions, it must address these issues."

The IAEA asked in vain for explanations from Iran, and its last report in May said Iran might be withholding information on whether it tried to make nuclear arms. Reflecting ElBaradei's frustration, the report used language described by one senior U.N. official as unique in its direct criticism of Tehran.

Aghazadeh's comments Thursday appeared to jibe with those of diplomats familiar with the probe who told The Associated Press that the IAEA had run into a dead end.

A senior diplomat on Thursday attributed Tehran's intransigence in part to anger over a multimedia presentation by IAEA Deputy Director-General Olli Heinonen to the agency's 35 board members based on intelligence about the alleged weapons work. The diplomat, like others, agreed to discuss the matter only if not quoted by name because his information was confidential.


On Saturday, a U.S. diplomat had participated in talks with Iran held in Geneva, raising expectations that a compromise might be reached under which Iran would agree to temporarily stop expansion of enrichment activities. In exchange, the six world powers — the U.S., Germany, Britain, France, Russia and China — would hold off on adopting new U.N. sanctions against Iran.

But participants at Geneva said Iranian negotiators skirted the freeze issue despite the presence of U.S. Undersecretary of State William Burns.

Secretary of State Condoleezza Rice on Monday accused Iran of not being serious at the Geneva talks. She warned that all six nations were serious about a two-week deadline for Iran to agree to freeze suspect activities and start negotiations or else be hit with a fourth set of U.N. penalties.

Aghazadeh, who is also head of Iran's atomic agency, played down the international complaints, but he also evaded a direct answer on whether Tehran would give any ground on an enrichment freeze.

"Both sides are carefully studying the concerns and expectations of both sides," he told reporters.


Wishful thinking does not stop nuclear arms development....

Hackers Start to Target Apple Macs

Via Times Online UK -

When Apple beat Wall Street expectations convincingly on Monday after its best quarter ever, its share price fell. Financial analysts were worried about Apple's once stellar profit margins, the health of its irreplaceable chief executive, Steve Jobs, and fears that a slowing global economy will mean weaker sales of iPods, iPhones and MacBooks.

Amid this uncertainty, a different type of analyst told me of another troubling development for Apple, one that is probably not yet written into any financial models: Apple is beginning to attract the attention of hackers and malware writers.

A big factor in Apple's success in selling 2.5 million computers last quarter is growing user disaffection with Windows. Everything from recurring Vista headaches to security fears are driving Windows users into the Mac camp. Ironically, the resulting Mac sales are coinciding with – and causing – a new upsurge in malware written specifically for Apple users.

"It's still a drop in the ocean compared to Windows vulnerabilities, but [Mac vulnerabilities] have become more sophisticated and more criminally minded, rather than just proof of concept", Graham Cluley, senior technology consultant at the security company Sophos, says.

The company reports today that two new Mac-ware Trojans that emerged in February and June ought to shake Mac users of their misconceptions that their computers (and, eventually, iPods and iPhones) are impenetrable. To put this in perspective, the first really pernicious piece of Mac malware emerged only in October, 2007, Mr Cluley adds, suggesting that a worrisome trend is about to get worse.

The piece of Mac malware identified in June, named "OSX/Hovdy-A Trojan", is the nastier of the two. It is capable of infiltrating a Mac, stealing passwords and opening the user's firewall to enable future exploits. If the modus operandi sounds familiar, that 's because a lot of the same virus gangs who perfected their exploits on Windows machines are now tweaking them for Macs, Mr Cluley adds.

Scarier still, the same tech-novice PC owners who failed to fortify their computers properly, allowing them to become spam relays and zombie DDOS attackers, are now making the switch to Macs. "I think the Mac user base will end up becoming polluted by some of the same people who have been infected time and time again in the Windows environment,” Mr Cluley says. “It's mainly the same people who buy a computer primarily to download porn and visit file-sharing sites."

For this reason, he says, "I think Apple will start to become a victim of its own success. I think hackers will see this community as a soft target."


I would say that Apple owners will become victims of their own complacency....

I suggest they take the red pill and come to the world where Apple computers are targets and where users have to take proactive security steps - otherwise known as the real world.

Part 2 of Metasploit DNS Exploit - NS Injection

Via ZDNet Blog -

Earlier today, noted researchers |)ruid and HD Moore released exploit code for the Metasploit tool for attacking the DNS flaw that was originally reported by Dan Kaminsky. The release was only part of the bigger picture of the exploit; however, and the second piece of exploit code has been released on the Computer Academic Underground blog and on Full-Disclosure. There is a subtle but important difference in the two pieces of exploit code, which is only readily apparent from reading the comments in the source code.


So let’s analyze this a bit, see if we can figure out what’s different. Good friend and noted researcher, Billy Rios, assisted me with some code review, and we tried to find as much as we could about this new twist on events. We found several things of note. The most obvious, the exploit just got worse. Now the code will use spoofed replies to hijack the name server entries for a target domain, allowing control over an entire domain, whereas the original hijacked an individual host. For example, before, we could hijack, now we can hijack all of

Further, within the credits portion of the code, |)ruid adds credit to a new researcher for “helping with the NS injection” confirming the idea that this is now about attacking nameserver entries, and not just address records.


Next, Rios clued me into a very interesting observation… as he said, “it went from rev 5585 5591 that’s 6 different changes in a few hours… it’s still being tuned.” Which means it’s going to get faster. Dan originally stated he could pull this off in a matter of seconds. With able programmers refining the existing code, it’s only a matter of time before this exploit becomes lightning quick.

Work to make the exploit quicker may be confirmed by noting that there have been changes to the rand code for the xidbase.

So things are getting worse. If you have not patched by now… well, you’re on your way to being pwned, so I’d get to it ASAP.

Researcher Warns of Unpatched iPhone Bugs

Via ComputerWorld -

Security vulnerabilities in the iPhone's e-mail application and Safari Web browser can be used by phishers to dupe users into visiting malicious sites or by spammers to flood the phone's in-box with junk mail, a researcher warned today.

Browser vulnerability researcher Aviv Raff said he reported three separate bugs to Apple Inc. about two weeks ago: two in the iPhone Mail program and one in its Safari browser.

Apple has acknowledged that the two vulnerabilities in Mail are security issues, Raff said, but the company is currently undecided on whether the Safari flaw meets its security bug criteria. At times, Apple has balked at labeling problems as security vulnerabilities, notably in May, when it initially said the so-called "carpet bomb" bug was not security-related. A month later, Apple did patch Safari to stymie the kind of attacks that Raff and other researchers had outlined.

"By creating a specially crafted URL and sending it via an e-mail [message], an attacker can convince the user that the spoofed URL, showed in the Mail application, is from a trusted domain such as a bank, PayPal or social networks," Raff said in a post to his blog Wednesday afternoon. "When clicking on the URL, the Safari browser will be opened, [and] the spoofed URL, showed in the address bar, will still be viewed by the victim as if it is of a trusted domain."

In lieu of any patches, Raff urged users to refrain from following links embedded in messages. If they want to avoid spam, he recommended that they stop using the iPhone's e-mail application completely.

Raff was hesitant to talk about the technical details of any of the three bugs in a follow-up interview conducted using instant messaging, saying that he would not disclose any specifics until Apple patches the problems. But when asked whether the spoofing flaws in Mail and Safari might be somehow related to protocol-handler issues -- a common source of bugs in browsers for more than a year now -- Raff at first said, "No, nothing to do with protocol handling." However, moments later, he added: "Hmmm. Let me rephrase it. Almost nothing to do with protocol handling."

Wednesday, July 23, 2008

CAU Releases Metasploit Kaminsky DNS Cache Poisoning Exploit

Exploit ID: CAU-EX-2008-0002
Release Date: 2008.07.23
Title: baliwicked_host.rb
Description: Kaminsky DNS Cache Poisoning
Tested: BIND 9.4.1-9.4.2
Attributes: Remote, Poison, Resolver, Metasploit
Exploit URL:
Author/Email: I)ruid, H D Moore


This exploit targets a fairly ubiquitous flaw in DNS implementations which allows the insertion of malicious DNS records into the cache of the target nameserver. This exploit caches a single malicious host entry into the target nameserver. By causing the target nameserver to query for random hostnames at the target domain, the attacker can spoof a response to the target server including an answer for the query, an authority server record, and an additional record for that server, causing the target nameserver to insert the additional record into the cache.


Now the interweb can collapse...srsly.

Kudos to HDM and I)ruid for the quick turnaround.
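From the defender's side, what the advisory above and the NS-injection follow-up describe has a recognisable shape on the wire: the resolver is made to ask for a random name in the victim zone, and is then flooded with replies whose 16-bit transaction id (TXID) is guessed, so that, with a fixed source port, each guess has a 1 in 65,536 chance of being accepted. The added example below (Python, standard library only; not code from CAU, Metasploit or this blog, and not an implementation of the exploit) runs that observation over a constructed list of resolver events, such as a capture parser might emit, and also reports whether the resolver still uses a single fixed source port, which is what the vendor patches change. The event tuples, names, ports and the flood threshold are all assumptions.

```python
"""Spotting a Kaminsky-style reply flood, and checking source-port randomisation,
in recursive-resolver traffic (added example; not exploit code)."""
from collections import defaultdict

def build_sample_events():
    """Constructed traffic as (kind, qname, resolver_port, txid) tuples:
    40 ordinary answered queries from a resolver that randomises its
    source port, then one query for a random label under example.com
    that draws 60 unsolicited replies before the genuine answer."""
    events = []
    for i in range(40):
        qname, port, txid = f"host{i}.example.net.", 20000 + 37 * i, (1000 * i) % 65536
        events.append(("query", qname, port, txid))
        events.append(("reply", qname, port, txid))      # legitimate answer
    victim = "zz4f1c9.example.com."
    events.append(("query", victim, 31337, 4242))
    for guess in range(60):                              # guessed TXIDs, none correct
        events.append(("reply", victim, 31337, 50000 + guess))
    events.append(("reply", victim, 31337, 4242))        # the real answer arrives late
    return events

def analyse(events, flood_threshold=20):
    """Match replies to outstanding queries by (qname, port, txid).

    A reply that matches nothing is either stray or spoofed; many of
    them for one name is the signature of a poisoning attempt. The set
    of source ports seen on queries shows whether the resolver is
    randomising ports (2^32 search space) or using one fixed port
    (2^16, the pre-patch behaviour the advisory relies on)."""
    outstanding = set()            # (qname, port, txid) awaiting an answer
    unmatched = defaultdict(int)   # qname -> replies that matched no query
    ports = set()                  # resolver source ports used on queries
    query_count = 0
    for kind, qname, port, txid in events:
        key = (qname, port, txid)
        if kind == "query":
            outstanding.add(key)
            ports.add(port)
            query_count += 1
        elif key in outstanding:
            outstanding.discard(key)
        else:
            unmatched[qname] += 1
    return {
        "suspect_names": {q: n for q, n in unmatched.items() if n >= flood_threshold},
        "distinct_source_ports": len(ports),
        "fixed_source_port": query_count > 1 and len(ports) == 1,
    }

if __name__ == "__main__":
    report = analyse(build_sample_events())
    print("names receiving a reply flood:", report["suspect_names"])
    print("distinct source ports:", report["distinct_source_ports"])
    print("resolver uses one fixed source port:", report["fixed_source_port"])
```

In live use the events would come from a capture on the resolver's upstream interface; a resolver that has been patched should show a wide port spread, and a name that accumulates tens of unmatched replies within a second is worth an alert regardless of whether the poisoning succeeded.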

SF Admin Coughs Up Passcodes in Secret Jailhouse Meeting With Mayor

Via -

The city of San Francisco has regained control of its network after a "rogue" city employee hijacked the system and then coughed up the passwords nine days later to Mayor Gavin Newsom in a secret jailhouse interview, a city official told Threat Level late Tuesday.

"We were able to regain complete control of the network Tuesday," said Ron Vinson, the deputy director of the city's Department of Technology Information Services.

Admin Terry Childs, 43, is accused of locking out the city from its FiberWAN network containing city e-mails, payroll, police records, information on jail inmates and other data. He was arrested last week and jailed on $5 million bail after refusing to hand over passwords to the Wide Area Network system he built and is accused of taking control of illegally.

Childs' bail was set five times higher than most murder defendants' because the authorities feared that, if released, he might permanently lock the system and erase records. His attorney, Erin Crane, is expected to ask a local judge for his release or a reduced bail as early as Wednesday.

"The mayor showed up unexpectedly at the data center and provided the engineers and forensic experts on the case on site with the passcodes that Mr. Childs had provided the mayor," Vinson said.

San Francisco District Attorney Kamala Harris did not know Monday's jailhouse meeting was taking place between Harris and Childs. It was arranged by Childs' attorney, Erin Crane.

Vinson said the passcodes the mayor handed over did not work initially, but after clearing some confusion with the defendant's attorney, they did.

"Either the mayor got it wrong, or there was something else he had to mention that he was unaware of," Vinson said. "We're now looking into the remediation stage and we're going into the necessary vulnerability analysis and doing a complete look at our network architecture."


Childs has worked as a computer technician with the city for five years. He earned $126,000 in base pay last year, in addition to another $22,500 for being on-call to assist with network malfunctions. The city's data system has been functioning without error since it was discovered last week that the city had lost control of the bulk of its network.

"Mr. Childs obviously had a misinterpretation of actually who owns the network. It is the taxpayers of the city and county of San Francisco, not him," Vinson said.


He still sounds pretty "rogue" to me.

Sure, it isn't unlikely that a single person ends up being the only one who knows some passwords. It isn't good practice, but it happens. Perhaps better internal security controls could have offset that issue.

I just know that if it were me, and my bail was set five times higher partly because I hadn't given up my passwords, then I would be screaming them at the top of my lungs...

Salmonella Outbreak Exposes Food-Safety Flaws

Via -

After weeks of trying to get to the bottom of the outbreak, it occurred to investigators in late June that they had to look beyond fresh tomatoes. In at least two large clusters of illnesses, tomatoes weren't a factor, and cases kept piling up after the government had warned consumers to avoid eating fresh tomatoes.

Hurdles to the probe ranged from poor record-keeping for tracking fresh produce to some overwhelmed state health departments to the fact that jalapeños had never before been implicated in a salmonella outbreak.

"It's a mess -- that's part of the problem with the food-safety system we have today," said Michael Doyle, director of the University of Georgia's Center for Food Safety. "When folks get together at the table, no one is officially in charge. Sometimes one person talks over another."


In early stages of the investigation, jalapeño peppers weren't in the picture. The peppers, never before linked to a salmonella outbreak, weren't on the questionnaire health officials used to interview early patients. Officials in New Mexico and at the CDC decided raw tomatoes were the source of the outbreak because 86% of patients ate them before becoming ill. History also played a part: Tomatoes had caused at least a dozen prior salmonella outbreaks.

But the Food and Drug Administration's hunt for contaminated tomatoes was hampered by poor record-keeping and the common practice of mixing and processing tomatoes from many different farms together. Also, many tomato fields were no longer in production, and all 1,700 samples tested negative for salmonella.

What the federal government and the food industry learn from the investigation could help improve the system. Already, a system to enhance the FDA's ability to trace the source of contaminated food has gained support among some prominent lawmakers and the FDA.

Agricultural producers have been leery of such systems because they could bring liability to their doorstep, but Kathy Means, a vice president at the Produce Marketing Association, said that is changing since recent outbreaks of food-borne illnesses have been so costly for farmers and food companies.

The trade group last year began crafting a plan to set up a global, electronic tracking system. "We need to be able to trace produce in minutes or hours, not days or weeks," Ms. Means said.


Imagine that, a world where companies are liable for their products and any possible public health issues created by said

Using Tobacco Plants to Grow Lymphoma Vaccines

Via -

Plants may be a powerhouse for researchers making personalized vaccines for patients with follicular lymphoma, a type of non-Hodgkin's lymphoma.

The basic idea is to use plants as a factory to quickly and inexpensively grow vaccines tailored to each patient's follicular lymphoma.

That approach worked and was safe in a small, preliminary test noted in Proceedings of the National Academy of Science.

They tested their strategy on 16 follicular lymphoma patients, growing their personalized vaccines in tobacco leaves for three to four months.

Starting about six months after their last round of chemotherapy, the patients got their vaccine in a monthly shot, delivered to their thigh, every month for six months. Some also got shots of a chemical that boosted their immune response.

The point of the study was to see if the plant plan was practical and safe. It was; no side effects were reported and the plants grew the vaccines without messing them up.

More than 70% of the patients had an immune response to their vaccine and 47% had the specific immune response that was sought. But the study wasn't designed to test the effectiveness of the plant plan; further research is needed to see how well those vaccines work.

The researchers included A. A. McCormick of Large Scale Biology Corporation in Vacaville, Calif., which made the vaccines.

With DNS Flaw Now Public, Attack Code Imminent

Via PC World -

One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon.

Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. "It's not that hard," he said. "You're not looking at a DNA-cracking effort."

The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday. In a telephone interview, HD Moore, author of the Metasploit penetration testing software, agreed with Aitel that the attack code was not going to be difficult to write.


And that's bad news, according to Paul Vixie, president of the company that is the dominant maker of DNS software, the Internet Systems Consortium. Vixie, like others who were briefed on Kaminsky's bug, did not confirm that it had been disclosed by Matasano. But if it had, "it's a big deal," he said in an e-mail message.

The attack can be used to redirect victims to malicious servers on the Internet by targeting the DNS servers that serve as signposts for all of the Internet's traffic. By tricking an Internet service provider's (ISP's) servers into accepting bad information, attackers could redirect that company's customers to malicious Web sites without their knowledge.

Although a software fix is now available for most users of DNS software, it can take time for these updates to work their way through the testing process and actually get installed on the network.

"Most people have not patched yet," Vixie said. "That's a gigantic problem for the world."

Just how big of a problem is a matter of some debate.

Neal Krawetz, owner of computer security consultancy Hacker Factor Solutions, took a look at DNS servers run by major ISPs earlier this week and found that more than half of them were still vulnerable to the attack.

"I find it dumbfounding that the largest ISPs ... are still identified as vulnerable," he wrote in a blog posting. "When the [hackers] learn of the exploit, they will go playing. They are certain to start with the lowest hanging fruit -- large companies that are vulnerable and support a huge number of users."

He expects that users will see attacks within weeks, starting first with test attacks, and possibly even a widespread domain hijacking. "Finally will be the phishers, malware writers and organized attackers," he wrote in a Tuesday e-mail interview. "I really expect these to be very focused attacks."

Most ISPs will have probably applied the patch by the time any attacks start to surface, and that will protect the vast majority of home users, said Russ Cooper, a senior information security analyst with Verizon Business. And business users who use secure DNS-proxying software will also be "pretty much protected" from the attack at their firewall, Cooper said.

"If anyone actually tries to exploit this, the actual number of victims will end up being extremely small," he predicted.

HD Moore said he didn't exactly see things that way. Because the flaw affects nearly all of the DNS software being used on the Internet, he said that there could be lots of problems ahead.

"This is a bug we'll be worrying about a year from now," he said.


I know my ISP's DNS servers are still vulnerable... the countdown has begun.
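Krawetz's check of the big ISPs' resolvers can be approximated offline from the resolvers' own outbound queries, since the 2008 patches work by randomizing the UDP source port alongside the 16-bit transaction ID. This is an added example, not code from the article, Immunity or Hacker Factor; the capture line format is an assumption and both sample sets are constructed.

```python
import math
import random
from collections import Counter

def parse_capture(lines):
    """Parse constructed capture lines like 'sport=41337 txid=0x3a9f'
    into (source_port, txid) tuples. The format is assumed, not a real tool's."""
    out = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        out.append((int(fields["sport"]), int(fields["txid"], 16)))
    return out

def entropy_bits(values):
    """Shannon entropy (bits) of the observed distribution; at most log2(n)."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_sequential(values):
    """True when every value is exactly the previous one plus one."""
    return len(values) > 2 and all(b - a == 1 for a, b in zip(values, values[1:]))

def assess_resolver(samples, min_bits=3.0):
    """samples: (source_port, txid) pairs from one resolver's outbound queries.
    Flags the two weaknesses the 2008 patches addressed: a fixed or
    low-entropy source port, and predictable transaction IDs."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port")
    elif entropy_bits(ports) < min_bits:
        findings.append("low source-port entropy")
    if is_sequential(txids):
        findings.append("sequential transaction IDs")
    elif entropy_bits(txids) < min_bits:
        findings.append("low transaction-ID entropy")
    return {"port_bits": round(entropy_bits(ports), 2),
            "txid_bits": round(entropy_bits(txids), 2),
            "findings": findings, "vulnerable": bool(findings)}

# Constructed samples: an unpatched resolver sending every query from port 53
# with a sequential ID, and a patched one drawing both from a seeded RNG.
UNPATCHED = parse_capture(f"sport=53 txid={0x1000 + i:#x}" for i in range(32))
_rng = random.Random(7)
PATCHED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(32)]

if __name__ == "__main__":
    for name, s in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(name, assess_resolver(s))
```

Thirty-odd samples only bound the entropy at about five bits, so this catches a fixed port or a counter, not a subtly weak generator.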

Tuesday, July 22, 2008

President of Georgia's Site Under Attack

Via DarkReading -

Website of President Mikhail Saakashvili of Georgia was rendered unavailable for more than a day this weekend, thanks to a multi-pronged, distributed denial of service (DDOS) attack.

According to a report by researchers at Shadowserver, at least one botnet is attacking the Georgian government site with a variety of simultaneous attacks, including TCP, ICMP, and HTTP floods.

The server that houses the Website has been largely offline since the attack started, Shadowserver says. The server also houses several other Websites, including the Social Assistance and Employment State Agency Website ( All of the sites on the host have been rendered inaccessible.

Shadowserver says it hasn't been able to definitively establish the DOS attack as the work of the Russian cyber attack force which took out many Estonian government sites in 2007 and several Lithuanian sites last month. (See Russians Organizing 'Political Hack Force'.)

"We do not have any solid proof that the people behind this [command and control] server are Russian. However, the HTTP-based botnet C&C server is a MachBot controller, which is a tool that is frequently used by Russian bot herders," Shadowserver says. "On top of that, the domain involved with this C&C server has seemingly bogus registration information, but does tie back to Russia.

"Who else have these guys been attacking with this MachBot C&C server? The answer is no one," Shadowserver says. "This server recently came online in the past few weeks, and has not issued any other attacks that we have observed until recently. All attacks we have observed have been directed right at"

The researchers recommend blocking or monitoring traffic to the IP address, which is located in the United States and is suspected of being a key server in the attack. Beaconing traffic from your network to this host may indicate that you have infected machines on your network and that your machines may be participating in this DDOS attack, Shadowserver says.
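Shadowserver's advice amounts to a beaconing check: look for internal hosts that contact the suspect server on a regular schedule. Here is an added example of that check over constructed flow records; it is not Shadowserver's or the article's code, the C&C address is not reproduced on this page so 198.51.100.7 is a documentation placeholder, and the flow line format is an assumption.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_CC = "198.51.100.7"  # placeholder, not the address from the advisory

def parse_flows(lines):
    """Parse constructed flow lines: '<ISO timestamp> <src_ip> -> <dst_ip>:<dport>'."""
    flows = []
    for line in lines:
        ts, src, _, dst = line.split()
        dst_ip, dport = dst.rsplit(":", 1)
        flows.append((datetime.fromisoformat(ts), src, dst_ip, int(dport)))
    return flows

def find_beacons(flows, dst_ip, min_events=5, max_jitter=0.25):
    """Group flows to dst_ip by source and flag sources whose inter-arrival
    gaps are regular (coefficient of variation at or below max_jitter).
    Returns {src_ip: {"period_s": ..., "events": ...}} for flagged sources."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in flows:
        if dst == dst_ip:
            by_src[src].append(ts)
    beacons = {}
    for src, times in by_src.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            beacons[src] = {"period_s": round(mean), "events": len(times)}
    return beacons

# Constructed flow log: 10.0.0.5 checks in every 60 s (bot-like), 10.0.0.9
# hits the same host at irregular times, 10.0.0.7 never contacts it.
_BASE = datetime(2008, 7, 20, 12, 0, 0)
def _line(seconds, src, dst):
    return f"{(_BASE + timedelta(seconds=seconds)).isoformat()} {src} -> {dst}"
SAMPLE_FLOWS = (
    [_line(60 * i, "10.0.0.5", f"{SUSPECT_CC}:80") for i in range(8)]
    + [_line(s, "10.0.0.9", f"{SUSPECT_CC}:80") for s in (0, 7, 300, 301, 900, 1500)]
    + [_line(s, "10.0.0.7", "192.0.2.10:443") for s in (5, 65, 125)]
)

if __name__ == "__main__":
    print(find_beacons(parse_flows(SAMPLE_FLOWS), SUSPECT_CC))
```

Real bots add jitter and real users reload pages, so tune max_jitter and min_events against your own baseline before alerting on this.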

Cat's Out of the Bag: Kaminsky's DNS Attack Disclosed, Then Pulled

Via Matasano Chargen (Google cached) -

The cat is out of the bag. Yes, Halvar Flake figured out the flaw Dan Kaminsky will announce at Black Hat.


Then there’s that other set of DNS vulnerabilities. These require you to pay attention in class. They haven’t really been talked about since 1997. And they’re hard to find, because you have to understand how DNS works. In other words, you have to be completely crazy. Lazlo Hollyfeld crazy. I’m speaking of course of RRset poisoning.


Check the Google cached version for all the details...

Everyone patch and let's move on. The internet is still ... at least for now.

Word around the campfire is that exploits are being ... as we speak. Look for them soon...

Moral of the Story - Get 'em patched.

Last HOPE to Become Next HOPE

Via -

In case you were worried, HOPE is not dead.

Just as hackers experiment with technology, push boundaries, and subvert the concepts of what it means to be safe and secure, the organizers of the HOPE (Hackers on Planet Earth) conference have had some fun of their own.

Despite calling the event this weekend "Last HOPE," it won't be the final one; just the most recent one, organizer Emmanuel Goldstein told attendees at the closing ceremonies Sunday night.

There will be another one in two years. It will be called "Next HOPE," he said.

That was good news for the approximately 3,000 attendees of this year's confab, which was the seventh since 1994.

Word of plans to tear down the 90-year-old venue, Hotel Pennsylvania, and Goldstein's naming of the conference this year and use of a funereal theme, had many in the community wondering if this was the event's swan song.

Goldstein has a predilection for wordplay--previous names were Beyond HOPE, H2K in 2000, and H2K2 in 2002.

As for the hotel, "plans to demolish have been shelved for the indefinite future," said Goldstein, aka Eric Corley, who also publishes the 2600 hacker magazine.


Good news indeed.

In the words of Crystal Method - "Keep HOPE Alive!"