Sunday, August 31, 2008

Dirty South Graffiti and Street Art

I personally like the first Austin labeled true.

Stay in LA, please. Stop coming here already.

But if you still come here, at least bring me some chicken and waffles...

Saturday, August 30, 2008

Surveillance Society Sparks Psychosis

Via Wired Blog (Threat Level) -

If you think someone is watching you, you're probably right. But this doesn't mean you're not also crazy, according to psychiatrists who say that our surveillance and reality TV society is spawning a new kind of psychosis. They're calling it the Truman Show delusion.

Psychiatrists in the U.S. and Britain say they're seeing a growing number of psychotic patients who are paranoid that cameras are watching their every move.

Not sure why they might think this.

Others fear the World Wide Web is monitoring their lives or being used to transmit photographs or personal information.

The psychiatrists say such patients are often mirroring -- albeit, to an extreme -- what is occurring in the environment around them.

One way of looking at the delusions and hallucinations of the mentally ill is that they represent extreme cases of what the general population, or the merely neurotic, are worried about. Schizophrenics and other paranoid patients can take common fears - like identity theft because of information transmitted on the Internet, or the loss of privacy because of the prevalence of security cameras to fight crime - and magnify them, psychiatrists say.

Which would seem to suggest that these patients might not be so delusional after all.

The Diagnostic and Statistical Manual of Mental Disorders defines a delusion, considered still to be little understood in psychiatry, as, essentially, a false belief that is not grounded in reality and that is held with absolute conviction despite proof to the contrary. The manual lists a caveat that a belief is not delusional if it is something widely accepted by other members of a person's culture or subculture...

Mastermind Body Snatcher Pleads Guilty

Via -

The mastermind behind nearly $4 million in illegal body parts sales has pleaded guilty and is expected to testify against his Philadelphia mortician partners.

Michael Mastromarino, 44, pleaded guilty to 1,353 counts, including charges of engaging in a corrupt organization, taking body parts from 244 dead people without the survivors' permission, deceptive business practices, forgery, tampering with public records and abuse of corpses. He could face up to 8,672 years in prison and fines totaling $18.6 million, The Philadelphia Inquirer reported Saturday.

Mastromarino developed a scheme for obtaining body parts for use in implant surgery that grew into a big business when he allegedly partnered with undertaker-brothers Louis and Gerald Garzone. He paid them and another partner $1,000 for each corpse to be harvested before cremation.

The crime ring allegedly also put about 13,000 transplant patients at risk from body parts taken from people infected with cancer, HIV or hepatitis.

Mastromarino will get credit for accepting responsibility for his crimes, but defense attorney A. Charles Peruto Jr. said he expected a "tough sentence" for his client. Mastromarino's guilty plea included a promise to testify at Tuesday's opening of the trial of the Garzone brothers.

High School Students Hacking Electronic Tests

Via -

[Alex Papadimoulis] wrote about ingenuity and hacking in high school. Immediately after the teachers installed new electronic note-taking and test-giving software, the students began hacking. They managed to find several ways to ace their tests, none of which involved studying hard the night before. Ultimately, the teachers went back to the old system to prevent such shenanigans.

Some Things Never Change...

First off, I would like to say "Happy Labor Day" weekend to all of those in the States.

On the topic of change, I would like to highlight some minor changes that I have made to the blog.
  • RSS Feed has been moved to FeedBurner. This should give me a better view of who is using my feed and how I can adjust the content to better suit your needs.
  • The "Security Links" and "Security Blogs" link groups have been merged into one new link group - "Information Security"
  • One new link group has been added - "Terrorism & Geopolitical Intelligence"
  • One link group has been removed - "Conferences"
  • The link group "Personal Links" has been renamed to "Miscellaneous Links"
  • I have strongly resisted the desire to add ads to my blog. I don't do this for the shiny coin, I do it because I love information. Plus, there are enough ads in the rest of the world.

Internet Traffic Begins to Bypass the U.S.

Via NY Times -

The era of the American Internet is ending.

Invented by American computer scientists during the 1970s, the Internet has been embraced around the globe. During the network’s first three decades, most Internet traffic flowed through the United States. In many cases, data sent between two locations within a given country also passed through the United States.

Engineers who help run the Internet said that it would have been impossible for the United States to maintain its hegemony over the long run because of the very nature of the Internet; it has no central point of control.

And now, the balance of power is shifting. Data is increasingly flowing around the United States, which may have intelligence — and conceivably military — consequences.

American intelligence officials have warned about this shift. “Because of the nature of global telecommunications, we are playing with a tremendous home-field advantage, and we need to exploit that edge,” Michael V. Hayden, the director of the Central Intelligence Agency, testified before the Senate Judiciary Committee in 2006. “We also need to protect that edge, and we need to protect those who provide it to us.”

Indeed, Internet industry executives and government officials have acknowledged that Internet traffic passing through the switching equipment of companies based in the United States has proved a distinct advantage for American intelligence agencies. In December 2005, The New York Times reported that the National Security Agency had established a program with the cooperation of American telecommunications firms that included the interception of foreign Internet communications.

Some Internet technologists and privacy advocates say those actions and other government policies may be hastening the shift in Canadian and European traffic away from the United States.

“Since passage of the Patriot Act, many companies based outside of the United States have been reluctant to store client information in the U.S.,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. “There is an ongoing concern that U.S. intelligence agencies will gather this information without legal process. There is particular sensitivity about access to financial information as well as communications and Internet traffic that goes through U.S. switches.”

But economics also plays a role. Almost all nations see data networks as essential to economic development. “It’s no different than any other infrastructure that a country needs,” said K C Claffy, a research scientist at the Cooperative Association for Internet Data Analysis in San Diego. “You wouldn’t want someone owning your roads either.”

Indeed, more countries are becoming aware of how their dependence on other countries for their Internet traffic makes them vulnerable. Because of tariffs, pricing anomalies and even corporate cultures, Internet providers will often not exchange data with their local competitors. They prefer instead to send and receive traffic with larger international Internet service providers.

This leads to odd routing arrangements, referred to as tromboning, in which traffic between two cites in one country will flow through other nations. In January, when a cable was cut in the Mediterranean, Egyptian Internet traffic was nearly paralyzed because it was not being shared by local I.S.P.’s but instead was routed through European operators.

The issue was driven home this month when hackers attacked and immobilized several Georgian government Web sites during the country’s fighting with Russia. Most of Georgia’s access to the global network flowed through Russia and Turkey. A third route through an undersea cable linking Georgia to Bulgaria is scheduled for completion in September.

Ms. Claffy said that the shift away from the United States was not limited to developing countries. The Japanese “are on a rampage to build out across India and China so they have alternative routes and so they don’t have to route through the U.S.”

Andrew M. Odlyzko, a professor at the University of Minnesota who tracks the growth of the global Internet, added, “We discovered the Internet, but we couldn’t keep it a secret.” While the United States carried 70 percent of the world’s Internet traffic a decade ago, he estimates that portion has fallen to about 25 percent.


I think people (including the intel community) have been expecting this shift for quite some time. It was only a matter of time before other nations started to push against our controlled advantage.

Not long ago, it was cheaper / easier for a nation in South America to bounce their traffic through Florida, and then back to the neighboring South American nation, than to just talk to it directly.

As more and more nations begin to take control of their own "cyber" assessments, we should expect to see this advantage reduce and those nations take it upon themselves to peer together, thus removing the US from the equation.

I see it sorta like energy dispersal according to the second law of thermodynamics...but instead of heat, it's control.

There is a great Oct 2007 Wired article on this subject...

Hat-tip to my friend Fergie for the link....

Friday, August 29, 2008

Microsoft Windows GDI (CreateDIBPatternBrushPt) Heap Overflow DoS

CreateDIBPatternBrushPt Heap Overflow DOS
By Ac!dDrop

This was tested on
Windows XP SP2
GDI32.dll 5.1.2600.3099
Internet Explorer 6.0.2900.2180

Causes Explorer.exe to crash and causes Internet Explorer to close silently.

This is work in progress, I am still trying to make it run arbitrary code.

American RBN: Atrivo/Intercage

Via Gadi Evron's Blog -

This Washington Post story came out today:

In it, Brian Krebs discusses the SF Bay Area based Atrivo/Intercage, which has been long named as a bad actor, accused of shuffling abuse reports to different IP addresses and hosting criminals en masse, compared often to RBN in maliciousness. "The American RBN", if you like.

1. I realize this is a problematic issue, but when it is clear a network is so evil (as the story suggests they are), why are we still peering with them? Who currently provides them with transit? Are they aware of this news story?

If Lycos' make spam not war, and Blue Security's blue frog were run out of hosting continually, this has been done before to some extent. This network is not in Russia or China, but in Silicon Valley.

2. On a different note, why is anyone still accepting their route announcements? I know some among us re-route RBN traffic to protect users. Do you see this as a valid solution for your networks?

What ASNs belong to Atrivo, anyway?

Does anyone have more details as to the apparent evilness of Atrivo/Intercage, who can verify these reports? As researched as they are, and my personal experience aside, I'd like some more data before coming to conclusions.

Hostexploit released a document [PDF] on this very network, just now, which is helpful:

Bank's Lost Backup Tapes Contained IDs of 12 Million

Via DarkReading -

The Bank of New York Mellon said yesterday that the backup tapes that were lost by its courier earlier this year may have included personal information on 8 million more people than the initial 4.2 million it originally announced.

The unencrypted storage tapes from BNY Mellon Shareowner Services were lost by a courier earlier this year while transporting the tapes to an offsite storage location. A forensics investigation of the breach determined that there was significantly more sensitive data on the tapes than first thought.

“When we announced [the lost tapes] back in May, we said we were going to do a top to bottom review across the company and go back and review it again,” a Bank of New York Mellon spokesperson said. “When we discovered [there was] this additional data that may have non-public personal data on it, we brought in a third party” to help investigate it, the spokesperson said.

The individuals whose names, addresses, and Social Security numbers were on the tapes are clients of BNY Mellon Shareholder Services, which provides administrative support to employee stock purchase programs, as well as other financial services. The bank is currently notifying these additional individuals, and has set up a Website for victims for information and updates.

The Bank of New York Mellon maintains that there’s been no evidence of abuse of the exposed personal data thus far. It is offering to the affected individuals two years of free credit monitoring; $25,000 in identity theft insurance with no deductible; and reimbursement for some credit freeze costs.

Meanwhile, the bank has been doing some in-house security rehabilitation, including an outside review of its policies, procedures, and controls, and moving to electronic, encrypted transmission of stored data where possible rather than the use of storage tapes. It’s also conducting employee education and awareness on data security.


OMG, I love this sentence..."A forensics investigation of the breach determined that there was significantly more sensitive data on the tapes than first thought."

You think? When have you ever seen it the other way around? Sensitive folders or tapes that don't actually have sensitive information in them? Never. lol

Yes, I know. Backup tapes aren't as go-and-grab thief friendly as unencrypted laptops and PDAs, but a serious attacker could get the information off. But let's forget the tapes for a second.

Where did the data come from? The information is coming from a system. A system which clearly contains a ton more sensitive data than the admins even know - perhaps stored on the system unencrypted.

Do you think that is the only server on the network that has unknown / unencrypted sensitive information on it? Highly doubtful.

So, losing the tapes isn't good...clearly. But that simple sentence points to the possibility of more serious issues in overall information management - way beyond the tapes.

Towards The Next DNS Fix

Via DK's Blog -

Ultimately, I can’t at all complain about armchair engineering. The whole point of Source Port Randomization as an interim fix was to get things to the level that we could all have the big messy discussion about what to do now, without being illuminated by the actively burning state of the DNS infrastructure.

Now. When it comes to fixing DNS, we have to operate under the same constraint as when we suggest fixes to web browsers. Just as you’re not allowed to break the web, you’re not allowed to break DNS. There are indeed many things we could do to make the web a safer place, “if only a bunch of people would re-code their web sites”. That is, unfortunately, a naive approach that doesn’t actually lead to things getting any safer. If nobody will deploy the fix, it’s just as if the fix didn’t happen.

We needed this DNS fix to happen.

As I’ve said a couple of times, Dan Bernstein was right. Source Port Randomization (SPR) is not perfect — I’m pretty embarrassed that we didn’t recognize how common interactions would be with firewalls — but it’s a remarkably flexible and thorough improvement to the status quo. When I said in my talk that there’s fifteen ways around the TTL, I wasn’t kidding. From magic query types that are uncached by a recursive server, to nonexistent query types that are ignored by an authoritative server, there may not be a TTL to override. Or perhaps the attacker actually provides records for,,, and so on. In other words, the attacker might not even try to overwrite the NS for a domain — he may just want to get a domain in. How would this be useful? Consider the web security model, and Mike Perry’s research on cookies. will collect the cookie for Google just fine.

Or perhaps, as in the case of Google Analytics and Facebook and most large, CDN hosted sites, the actual TTL to override needs to be small, for reliability and scaling purposes.

In all of these situations, Source Port Randomization — a solution forged in 1999, long before we recognized all these problematic variant attacks — poses a significant barrier to attack. It’s not a panacea, but it was never said to be one. The hope, and it’s not unreasonable, is that it’s a lot easier for secondary defenses to detect and correct for a flood of billions of packets, than a couple of thousand. SPR’s purpose was to provide a safer environment for an active discussion that would hopefully yield better fixes. And that’s what it’s doing!

So, let's finally start talking about the better fixes that are emerging. Specifically, the problem is — how do we stop the blind attacker who's willing to send us four billion packets in order to pollute a name? Four major strategies are, at least from what I've seen, making real strides towards a better fix.
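The "four billion packets" figure above is the size of the guess space once the 16-bit source port is randomized alongside the 16-bit transaction ID, and the post's hope is that secondary defenses can spot a flood of that size. The following is an added example, not code from the post or from Dan Kaminsky: it computes that guess space and runs a small detector over constructed resolver log lines (the log format, names, source addresses and thresholds are all assumptions) that flags names receiving a burst of responses whose TXID/port matched no outstanding query.

```python
"""Added example: the guess-space arithmetic behind Source Port Randomization
and a toy detector for the response flood a blind poisoning attempt produces.
The log format below is constructed for illustration, not any real resolver's."""
import re
from collections import defaultdict, deque


def guess_space(txid_bits=16, port_bits=0):
    """Number of (TXID, source port) combinations a blind attacker must cover.
    Pre-SPR only the 16-bit TXID is unpredictable; with SPR a resolver drawing
    from roughly 2^16 ports adds ~16 bits, giving about 4.29 billion."""
    return 2 ** (txid_bits + port_bits)


def expected_forged_packets(txid_bits=16, port_bits=0):
    """Expected forged responses before one hits an outstanding query under
    uniform guessing: on average half the space has to be covered."""
    return guess_space(txid_bits, port_bits) // 2


# Constructed log line format (hypothetical): one line per inbound response,
# "status" says whether it matched an outstanding query's TXID and port.
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) resp src=(?P<src>[\d.]+) qname=(?P<qname>\S+) "
    r"txid=(?P<txid>[0-9a-f]{4}) port=(?P<port>\d+) (?P<status>matched|mismatch)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = float(event["ts"])
    event["port"] = int(event["port"])
    return event


def mismatch_bursts(lines, window_s=1.0, threshold=50):
    """Peak number of mismatched responses per qname inside a sliding window.
    Returns {qname: peak} only for names whose peak reaches the threshold;
    a single stray mismatch (retransmits, late answers) is normal and ignored."""
    events = sorted(
        (e for e in map(parse_line, lines) if e and e["status"] == "mismatch"),
        key=lambda e: e["ts"],
    )
    windows = defaultdict(deque)
    peaks = defaultdict(int)
    for e in events:
        q = windows[e["qname"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window_s:
            q.popleft()
        peaks[e["qname"]] = max(peaks[e["qname"]], len(q))
    return {name: n for name, n in peaks.items() if n >= threshold}


# Constructed sample: 80 forged answers for one name within 0.1 s, plus
# ordinary traffic in which a lone mismatch is expected noise.
SAMPLE_LOG = [
    f"100.{i:03d} resp src=198.51.100.7 qname=www.example.com. "
    f"txid={i:04x} port={1024 + i} mismatch"
    for i in range(80)
] + [
    "100.050 resp src=192.0.2.10 qname=mail.example.org. txid=3a5f port=40112 matched",
    "100.300 resp src=192.0.2.10 qname=mail.example.org. txid=3a60 port=40113 mismatch",
    "101.900 resp src=192.0.2.11 qname=ns.example.net. txid=0c12 port=51000 matched",
]

if __name__ == "__main__":
    print("TXID only:", guess_space(16, 0), "expected:", expected_forged_packets(16, 0))
    print("TXID + SPR:", guess_space(16, 16), "expected:", expected_forged_packets(16, 16))
    print("burst alerts:", mismatch_bursts(SAMPLE_LOG))
```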

Intel Patches the Q35 Bug

Via blog -

Yesterday Intel published an official advisory that addresses the Q35 bug and attack that we used during Black Hat as one of the ways to subvert Xen 3.3 on a VT-d enabled system (the alternative way was to use the Xen-specific FLASK exploit, which worked even from an unprivileged domain).

One small clarification, though: in the advisory they stated that "Software running administrative (ring 0) privilege can under certain circumstances change code running in System Management Mode." But in fact an attacker might also use this bug to directly modify the hypervisor memory, without jumping into SMM first, just as we did with our exploit. Also, in the case of e.g. Linux systems, Ring0 access is not strictly required to perform the attack, as it's enough for the attacker to get access to the PCI config space of device 0:0:0, which e.g. on Linux can be granted to usermode applications via the iopl() system call.

You can download a new firmware for your motherboard from here.

Intel did a good job on handling this bug - not only did they recognize the importance of the attack, but they also released the patch promptly. Quite positively surprising for such a big company.

So, now we're free to publish all the missing slides about how we exploit this vulnerability that we had to remove from our Black Hat presentation, as well as the exploit code. However, as I'm going to give 2 presentations at the upcoming ISF conference in Sweden early next week, I thought it would be logical to hold off on disclosing this material and present it at this conference, during my technical speech (I will also deliver the keynote for this conference). Of course, as soon as I get back home (Thursday next week), we will publish the full slides, exploit codes and all the demos, as promised earlier.

Speaking of speaking: also next month, Rafal will fly to Oregon, to Intel campus, for the Intel Virtualization Security Summit, where he will deliver a "compressed" version of our Xen 0wning Trilogy to the technical crowd of Intel employees. Rafal will provide some more details about the HyperGuard project that we do in cooperation with Phoenix Technologies. Also, in October, Alex will visit Kuala Lumpur and present an updated Bluepilling the Xen Hypervisor talk at the Hack In The Box conference.

NEFA Foundation Interviews with Top Pakistani Taliban Spokesman Maulvi Omar

Via CT Blog -

The NEFA Foundation has obtained two exclusive interviews with Maulvi Omar, the main spokesman for and a Shura Council member of the Pakistani Taliban movement, Tehrik-e-Taliban Pakistan (TTP). During the first interview, recorded in May 2008, Maulvi Omar emphasized the connection between both the Pakistani and Afghan Taliban movements and Al-Qaida, saying there is no difference between them, and that they are merely different words for the same ideology, working towards precisely the same goals. Similarly, he accuses former Pakistani President General Pervaiz Musharraf together with the U.S. and its international allies of having "crusader" and "infidel" designs against the entire Muslim world and, as such, are to be considered irreconcilable enemies of Islam.

During the second interview, obtained by NEFA in August 2008, Maulvi Omar declared the TTP to be in total control of Pakistan's tribal areas. Maulvi Omar further claimed that all other local mujahideen militias--including foreign Uzbek militants and tribal fighters—have all been either incorporated into the TTP, or expelled from the tribal areas. He denies reports that al-Zawahiri was wounded, or even ever at the location, of the recent U.S. airstrikes in Damadola. Omar even suggests a link between the TTP and several terrorist attacks in Western countries—including the July 7, 2005 suicide bombings in London, which he claimed were planned from Bajaur.

Both interviews are available on the NEFA Foundation website.

Karadzic Refuses to Enter War Crimes Pleas

Via Guardian UK -

Radovan Karadzic today accused the UN war crimes tribunal in The Hague of being a "Nato court" that intended to "liquidate" him and refused to enter pleas on the 11 charges against him.

The Bosnian Serb genocide suspect - who was arrested last month in the Serbian capital after 13 years as Europe's most wanted war crimes fugitive - challenged the legitimacy of the court, and, as expected, refused to enter pleas on any of the 11 counts of genocide, crimes against humanity, and war crimes he is charged with.

He insisted again at today's pre-trial hearing that he would defend himself in the case.

Judge Iain Bonomy of Scotland, who previously presided over the trial of the late Serbian leader Slobodan Milosevic, entered pleas of not guilty on Karadzic's behalf.

Karadzic was ordered to stand to enter a plea by Judge Bonomy who said: "Count one, you are charged with genocide."

"I will not plead in line with my standpoint on this court," said the accused.

When the judge ordered a plea of not guilty to be entered, Karadzic interrupted him. "May I hold you to your word?" he asked.

"What word?"

"That I'm not guilty."

"We'll see in due course," said the judge, who was again interrupted by the former warlord when he sought to adjourn the hearing after 22 minutes.

Karadzic's attitude indicated he will try to turn the tribunal into a stage for performing the role of an innocent victim of western assassination plots, broken promises and treachery.

Since first appearing at the tribunal at the beginning of the month, he has already delivered 10 submissions complaining about his treatment, the translation of documents, his alleged fears for his life and how former US officials from the Clinton years allegedly want him dead.

The 63-year-old was the political leader of the Bosnian Serbs during the 1992-95 Bosnia war. He headed the main Serbian party in Bosnia and was president of the self-proclaimed Serbian republic in half of Bosnia.

He was indicted for genocide and crimes against humanity in 1995 because of his command role in the Serbian slaughter of almost 8,000 Muslims at Srebrenica in July 1995, the long siege of Sarajevo, and the genocide in north-western Bosnia in the autumn of 1992, when tens of thousands were killed and hundreds of thousands of non-Serbs uprooted and driven from their homes.

Karadzic retired from politics a year after the war ended and vanished until he was arrested on a bus in Belgrade in Serbia last month, disguised as a long-haired alternative medicine aficionado under the alias Dragan Dabic.

U.S. Weighs Halt to Talks With Russia On Nuclear Arms Curbs

Via -

The Bush administration, escalating its response to Russia's actions in Georgia, has placed under review talks with Moscow focused on missile defense and nuclear-weapons disarmament, according to U.S. officials.

A delay would cast uncertainty over the Strategic Arms Reduction Treaty, or Start, a successor to Cold War era arms-reduction agreements that expires at the end of 2009. The treaty restricts the number of long-range nuclear weapons each side is allowed to have.

The rethink comes amid a rising war of words between Russia and the West over Moscow's incursion into Georgia and its decision to recognize two breakaway Georgian regions. In an interview Thursday with CNN, Russian Prime Minister Vladimir Putin said the Bush administration might have pushed Georgia into battle to deflect attention from the U.S. economy and help a presidential candidate, presumably Republican Sen. John McCain.

"The suspicion arises that someone in the United States created this conflict deliberately to create tension and help one of the candidates in the U.S. presidential campaign," Mr. Putin said. The former Russian president said the resulting "hurrah-patriotism" would "unify the nation around certain political forces," adding: "I'm surprised that what I'm telling you surprises you. It's all on the surface, actually."

White House spokeswoman Dana Perino called Mr. Putin's claims "patently false" and said he must be getting "really bad advice" from his defense officials.


I guess the US staged columns of Russian tanks on the border before the invasion as well...please. The US and the West are not totally free of responsibility for this violent outbreak, clearly....but pointing the finger at the American political process is just silly. No one is going to fall for that.

I have to respectfully disagree with Miss Perino. I think Putin's defense officials had a plan and are sticking to it...so far the chips are falling just like Putin wants.

Either way, I personally think we should continue talks on the reduction of nuclear arm stockpiles.

Global reduction talks should not be derailed by one single event...they are just too important.

The Dan Kaminskybox

Via -

So I had a little fun with my new soundboard I created, starring the famous Dan Kaminsky. Yes, the DNS dude, for those who don't know him. A soundboard is used for making prank phone calls, which in turn can be hilarious if you get the right victim to fall for it. Otherwise, it's just good old fun. I thought Dan was the right person for my new soundboard. Because, well, it's always fun to hear him talk. I have many of his talks on mp3 so it was easy to compile a wide range of sound clips. Just enough for a good, but quirky prank call. So, enjoy. And if you intend to use it, use it with care eh? :)

It is very easy to use. Just click on a text to let Dan rant!


Click the link above for the full soundboard.

Headless Bodies Found Near Mexico Graveyard


MERIDA, Mexico - Eleven beheaded bodies were dumped close to a graveyard outside a sleepy southern city on Thursday in the latest shocking crime in Mexico's vicious drug war.

Police said a farmer found the 11 bodies, showing signs of torture, five miles from this southern colonial city in the Yucatan peninsula, where tourists often stop off on their way to visit the world-famous Mayan pyramids at Chichen Itza.

All the bodies had star signs and the letter Z tattooed on them, police sources said. A 12th beheaded body was found 50 miles away in a small town to the east of Merida, also showing signs of torture.

It was the latest mass beheading in Mexico since drug traffickers rolled several heads onto the floor of a nightclub in Michoacan state in 2006 in a blatant message to rivals and the government.

More than 2,300 people have been killed in drug violence this year, as Mexico's most-wanted man, Joaquin "Shorty" Guzman, vies with rivals for control of the country's lucrative drug trade.

President Felipe Calderon has made crushing drug gangs a top priority, sending troops across the country in an attempt to restore law and order.

But drug violence has only spiraled as rival gangs fight each other and the army. Endemic police corruption has further complicated efforts to rid Mexico of cartels.

The United States has approved $465 million to help Mexico and Central America battle drug cartels.

Thursday, August 28, 2008

Ohio Police & Fire Pension Fund Database Breach

Via -

A database that contains the names, addresses and Social Security numbers of 13,000 retired Ohio police officers was improperly transmitted by a retired Ohio Police & Fire Pension Fund employee, officials said Wednesday.

While state officials do not believe anyone's personal information has been misused, they have sent a letter warning each pension fund member of the security breach.

The pension fund employee retired Aug. 15. Within 30 hours, the state discovered he had emailed the database to himself at home. Warning letters were mailed Monday.

State officials do not believe the unidentified employee would have used it for "malicious intent," so they do not plan to prosecute him at this point, according to pension fund spokesman David Graham. Last year, 1.33 million people were affected by the theft of a sensitive computer backup tape stolen out of a state intern's car. Gov. Ted Strickland ordered stricter security measures.

Hacking Toll Road Systems

Via Technology Review -

Drivers using the automated FasTrak toll system on roads and bridges in California's Bay Area could be vulnerable to fraud, according to a computer security firm in Oakland, CA.

Despite previous reassurances about the security of the system, Nate Lawson of Root Labs claims that the unique identity numbers used to identify the FasTrak wireless transponders carried in cars can be copied or overwritten with relative ease.

This means that fraudsters could clone transponders, says Lawson, by copying the ID of another driver onto their device. As a result, they could travel for free while others unwittingly foot the bill. "It's trivial to clone a device," Lawson says. "In fact, I have several clones with my own ID already."

Lawson says that this also raises the possibility of using the FasTrak system to create false alibis, by overwriting one's own ID onto another driver's device before committing a crime. The toll system's logs would appear to show the perpetrator driving at another location when the crime was being committed, he says.

So far, the security flaws have only been verified in the FasTrak system, but other toll systems, like E-Z Pass and I-Pass, need to be looked at too, argues Lawson. "Every modern system requires a public security review to be sure there aren't different but related problems," he says.
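Because a cloned transponder carries someone else's ID, the toll system's own read logs are the natural place to notice it: the same ID cannot be read at two plazas closer together in time than the road distance allows. The following is an added example, not code from the article or from Root Labs, showing that check over a constructed read log; the plaza names, coordinates, log format and the 90 mph ceiling are all assumptions.

```python
"""Added example: flag a transponder ID whose consecutive toll reads imply
physically impossible travel, the footprint both cloning for free rides and
the "false alibi" scenario would leave in plaza logs. Everything here is
constructed for illustration; no real plaza locations or log format are used."""
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed: (latitude, longitude) of hypothetical toll plazas.
PLAZAS = {
    "north_bridge": (37.95, -122.35),
    "east_bridge": (37.82, -122.32),
    "south_bridge": (37.58, -122.25),
}
MAX_MPH = 90.0  # assumed ceiling; faster implied travel is treated as impossible


def miles_between(a, b):
    """Great-circle distance in miles (haversine) between two (lat, lon) pairs."""
    earth_radius_mi = 3958.8
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * earth_radius_mi * math.asin(math.sqrt(h))


def parse_read(line):
    """Constructed line format: '2008-08-28T08:00:00Z,plaza,transponder_id'."""
    ts, plaza, tid = line.strip().split(",")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, plaza, tid


def impossible_travel(lines, max_mph=MAX_MPH):
    """Return [(tid, plaza_from, plaza_to, implied_mph)] for consecutive reads of
    one ID at different plazas that would require exceeding max_mph. Reads at
    the same plaza are skipped (re-crossing a bridge is legitimate); two reads
    at different plazas at the same instant are reported as infinite speed."""
    by_id = defaultdict(list)
    for line in lines:
        if line.strip():
            when, plaza, tid = parse_read(line)
            by_id[tid].append((when, plaza))
    alerts = []
    for tid, reads in by_id.items():
        reads.sort()
        for (t1, p1), (t2, p2) in zip(reads, reads[1:]):
            if p1 == p2:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            dist = miles_between(PLAZAS[p1], PLAZAS[p2])
            mph = dist / hours if hours > 0 else math.inf
            if mph > max_mph:
                alerts.append((tid, p1, p2, round(mph, 1)))
    return alerts


# Constructed sample log: ID-0001 is read ~26 road-miles apart two minutes
# later (a clone in use), ID-0002 is a plausible commute, ID-0003 re-crosses
# the same bridge and must not be flagged.
SAMPLE_READS = [
    "2008-08-28T08:00:00Z,north_bridge,ID-0001",
    "2008-08-28T08:02:00Z,south_bridge,ID-0001",
    "2008-08-28T08:00:00Z,north_bridge,ID-0002",
    "2008-08-28T09:30:00Z,south_bridge,ID-0002",
    "2008-08-28T08:10:00Z,east_bridge,ID-0003",
    "2008-08-28T17:40:00Z,east_bridge,ID-0003",
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_READS):
        print("possible clone:", alert)
```

A production version would take road distance rather than straight-line distance and tolerate clock skew between plazas, but the shape of the check is the same.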

US Gov to Deploy DNSSEC in Two Years

Via SecurityFocus -

The U.S. government issued a memo last week mandating that all major agencies adopt a proposed technology to enable trusted lookups of domain information by December 2009.

The technology, known as DNSSEC, promises to secure the domain name system (DNS) against attempts to subvert the infrastructure, such as the cache poisoning attack found by researcher Dan Kaminsky earlier this year. However, the system requires public-key cryptography to secure communications with name servers as well as validate the identity of authoritative servers. Because of the technical hurdles -- and the political problems in designating companies or governments to hold the keys to the domain-name system -- both governments and private sector companies have held off deploying DNSSEC for more than a decade.

In a memo (pdf) to agency chief information officers, Karen Evans, Administrator for the Office of E-Government and Information Technology at the White House's Office of Management and Budget, said it's time to lock down the infrastructure.

"The Government's reliance on the Internet to disseminate and provide access to information has increased significantly over the years, as have the risks associated with potential unauthorized use, compromise, and loss of the .gov domain space," Evans wrote.

Three Charged in Britain in Relation to Online Threat Against PMs

Via SITE Intel Group -

Three men arrested in Britain in connection with threats made on the al-Ekhlaas jihadist forum were charged today, August 28, 2008, with terror offenses. Under the banner of “al-Qaeda Organization in Britain”, postings were made by the online identity, “umar rabie”, threatening suicide bombings on British political targets. The three individuals, Ishaq Kanmi, Abbas Iqbal, and Ilyas Iqbal, all from Blackburn in Lancashire, England were arrested on August 14 as suspects related to these threats. While Abbas Iqbal and Ilyas Iqbal were charged with possession and dissemination of terrorist publications, Kanmi was also charged with soliciting murder and for claiming to belong to al-Qaeda.


al-Ekhlaas is not a place for normal people to frequent....or just browse.

I would strongly advise against attempting to "check it out". You are just asking for trouble.

For more information on the online threats...check out this NEFA report (PDF).

Scientists Reprogram Adult Cells' Function

Via Washington Post -

Scientists have transformed one type of fully developed adult cell directly into another inside a living animal, a startling advance that could lead to cures for a variety of illnesses and sidestep the political and ethical quagmires associated with embryonic stem cell research.

Through a series of painstaking experiments involving mice, the Harvard biologists pinpointed three crucial molecular switches that, when flipped, completely convert a common cell in the pancreas into the more precious insulin-producing ones that diabetics need to survive.

The experiments, detailed online yesterday in the journal Nature, raise the prospect that patients suffering from not only diabetes but also heart disease, strokes and many other ailments could eventually have some of their cells reprogrammed to cure their afflictions without the need for drugs, transplants or other therapies.

"It's kind of an extreme makeover of a cell," said Douglas A. Melton, co-director of the Harvard Stem Cell Institute, who led the research. "The goal is to create cells that are missing or defective in people. It's very exciting."

North Korean Woman Arrested on Spying Charges

Via Yahoo News! -

SEOUL, South Korea - A North Korean woman accused of using "sex as a tool for her spy activity" and plotting to assassinate South Korean intelligence agents with poisoned needles has been arrested, prosecutors said Wednesday.

The suspect, identified as Won Jeong-hwa, 34, confessed after her July 15 arrest that she was a spy trained and commissioned by North Korea's intelligence agency, prosecutors said in a statement.

She is the first alleged North Korean spy arrested in South Korea since 2006, and the second in a decade, the statement said.

No trial date has been set for Won, who was arrested on charges of spying and is in custody. If convicted, she faces anywhere from seven years in prison to execution.

Won entered the South in 2001 after marrying a South Korean businessman in China, falsely reporting to authorities that she was a defector from the communist North, prosecutors said. She and her husband immediately divorced.

While in the South she gathered and passed classified information on to the North, including the locations of key military installations, lists of North Korean defectors and personal information on South Korean military officers, the statement said.

She dated a South Korean army captain and the officer cooperated with her, providing a list of North Korean defectors and destroying her faxed reports to the North's spy agency. The captain, identified only by his surname Hwang, also was arrested, the statement said.

The statement said Won often traveled to China to visit the Chinese office of the North's spy agency, where she received instructions and money for her mission. Prosecutors said she received a total of $60,000 worth of cash and goods from the office.

Man Uses Telephone Password to Poke Fun at Bank

Via BBC -

A man who chose "Lloyds is pants" as his telephone banking password said he found it had been changed by a member of staff to "no it's not".

Steve Jetley, from Shrewsbury, said he chose the password after falling out with Lloyds TSB over insurance that came free with an account.

He said he was then banned from changing it back or to another password of "Barclays is better".

The bank apologised and said the staff member no longer worked there.

Mr Jetley said he first realised his security password had been changed when a call centre staff member told him his code word did not match with the one on the computer.

"I thought it was actually quite a funny response," he said.

"But what really incensed me was when I was told I could not change it back to 'Lloyds is pants' because they said it was not appropriate.

"I asked if it was 'pants' they didn't like, and would 'Lloyds is rubbish' do? But they didn't think so.

"So I tried 'Barclays is better' and that didn't go down too well either.

"The rules seemed to change, and they told me it had to be one word, so I tried 'censorship', but they didn't like that, and then said it had to be no more than six letters long."

Mr Jetley said he was still trying to find a suitable password which met the conditions.

He said his dispute with the bank started over some travel insurance, but that issue had been dealt with by managers independently.

A statement released by the bank said: "We would like to apologise to Mr Jetley.

"It is very disappointing that he felt the need to express his upset with our service in this way. Customers can have any password they choose and it is not our policy to allow staff to change the password without the customer's permission.

"The member of staff involved no longer works for Lloyds TSB."

iPhone Passcode Lock Rendered Useless

Via ZDNet -

Do not trust that passcode lock on Apple’s iPhone.

The feature, which lets users set a four-digit pincode to limit access to the device, can be easily bypassed with a few finger taps on the iPhone to give an intruder access to sensitive information.

Here are a few steps to reproduce this vulnerability (requires physical access to a passcode-protected device) to access the phone, e-mail and SMS messages, Google Maps and the full Safari browser:

  • Set up a passcode lock (Settings > General > Passcode Lock) and enter a 4-digit passcode. The iPhone then requires you to enter the passcode to unlock it.
  • Set up contacts in address book with e-mail address, phone numbers and Web sites.
  • Turn off/on iPhone and move slider to get to “Enter Passcode” screen.
  • Tap “Emergency Call” button (bottom left).
  • Double tap home button.
  • This pulls up all contacts in the Favorites list.
  • Tap on the blue arrow next to contact’s name to get full access to e-mail, SMS, Safari, etc.

Here’s the most troubling thing about this vulnerability: It was fixed by Apple (see advisory) for iPhone v1.1.3 and iPod touch v1.1.3 back in January this year.

  • Passcode Lock
    CVE-ID: CVE-2008-0034
    Available for: iPhone v1.0 through v1.1.2
    Impact: An unauthorized user may bypass the Passcode Lock and launch iPhone applications
    Description: The Passcode Lock feature is designed to prevent applications from being launched unless the correct passcode is entered. An implementation issue in the handling of emergency calls allows users with physical access to an iPhone to launch an application without the passcode. This update addresses the issue through an improved check on the state of the Passcode Lock.

I have confirmed this issue affects iPhone and iPod Touch 2.0, which means the January fix never made it into the newer versions of the software.

The obvious workaround: Remove all Favorites until Apple ships a proper fix.

UPDATE: In the TalkBack section, reader zrds comes up with a better workaround:

  • I’d like to point out that a good workaround is setting your home button (“Settings->General->Home Button”) to “Home”, which will effectively negate the issue.

This does work much better as a mitigation.


How does that unencrypted corporate data look on the iPhone now?

Yet another nail in the "iPhone is not ready for secure business" coffin.

CERT Warns of Active Attacks Against Linux - Phalanx2 Rootkit

Via ZDNet -

The U.S. Computer Emergency Readiness Team (CERT) has issued a warning for what it calls “active attacks” against Linux-based computing infrastructures using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2” is installed, US-CERT said in a note on its current activity site.

From the advisory:

  • Phalanx2 appears to be a derivative of an older rootkit named “phalanx”. Phalanx2 and the support scripts within the rootkit are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site.

Phalanx, which dates back to 2005, is a self-injecting kernel rootkit designed for the Linux 2.6 branch. It allows an attacker to hide files, processes and sockets and includes a tty sniffer, a tty connectback-backdoor, and auto injection on boot.

Details on the attacks — and targets — remain scarce but it’s a safe bet this is linked to the Debian random number generator flaw that surfaced earlier this year. A working exploit for that vulnerability is publicly available.


If people haven't updated their broken / weak SSH keys by now, they never will....that is, until they get pwned.

THEN they will fix their SSH keys issues.

Sad world.
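Since the advisory above describes attackers harvesting SSH keys and the comment concerns keys that never got rotated after the Debian RNG flaw, here is an added example (not US-CERT's, Debian's or this blog's code) of the kind of audit an administrator can run over an authorized_keys file: it parses each key blob, flags undersized RSA moduli and DSA keys, computes OpenSSH-style SHA256 fingerprints, and matches them against a revocation list. The key blobs are constructed for the demo with toy moduli, not real keys; the 2048-bit threshold is an assumed policy value.

```python
# Added example, not from US-CERT, Debian or the blog: audit an authorized_keys
# file for keys that should be rotated (undersized RSA, DSA, known-bad
# fingerprints). The key blobs below are constructed for the demo and are not
# real keys; only their wire format matters to the audit.
import base64
import hashlib
import struct

MIN_RSA_BITS = 2048            # policy threshold, an assumption for this example
WEAK_TYPES = {"ssh-dss"}       # DSA keys are fixed at 1024 bits


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, so a leading 0x00 when the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_blob(bits: int, e: int = 65537) -> str:
    """Base64 ssh-rsa blob with a constructed (non-prime, toy) modulus of exactly `bits` bits."""
    n = (1 << (bits - 1)) | 1
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode()


def build_dss_blob(bits: int = 1024) -> str:
    """Base64 ssh-dss blob (p, q, g, y) with constructed toy parameters."""
    p, q, g, y = (1 << (bits - 1)) | 1, (1 << 159) | 1, 2, (1 << (bits - 2)) | 1
    body = _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(x) for x in (p, q, g, y))
    return base64.b64encode(body).decode()


def parse_pubkey(blob_b64: str) -> list:
    """Split a base64 key blob into its length-prefixed fields."""
    data = base64.b64decode(blob_b64)
    fields, off = [], 0
    while off < len(data):
        (length,) = struct.unpack(">I", data[off:off + 4])
        off += 4
        fields.append(data[off:off + length])
        off += length
    return fields


def rsa_bits(fields: list) -> int:
    """Modulus size; int.from_bytes ignores the mpint's leading 0x00 padding."""
    return int.from_bytes(fields[2], "big").bit_length()


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the raw blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit_authorized_keys(text: str, known_bad_fingerprints=frozenset()) -> list:
    """Return (line number, key type, fingerprint, comment, reasons) for each key to rotate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()   # note: does not handle option values containing spaces
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue           # not a key line we understand
        ktype, blob, comment = parts[idx], parts[idx + 1], " ".join(parts[idx + 2:])
        fp, reasons = fingerprint(blob), []
        if ktype in WEAK_TYPES:
            reasons.append("DSA key")
        if ktype == "ssh-rsa":
            bits = rsa_bits(parse_pubkey(blob))
            if bits < MIN_RSA_BITS:
                reasons.append(f"RSA modulus {bits} bits < {MIN_RSA_BITS}")
        if fp in known_bad_fingerprints:
            reasons.append("fingerprint on revocation list")
        if reasons:
            findings.append((lineno, ktype, fp, comment, reasons))
    return findings


# Constructed sample authorized_keys content (line numbers matter for the report).
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    "ssh-rsa " + build_rsa_blob(1024) + " old-laptop",
    'from="10.0.0.0/8" ssh-rsa ' + build_rsa_blob(2048) + " deploy@build",
    "ssh-rsa " + build_rsa_blob(4096) + " admin@jump",
    "ssh-dss " + build_dss_blob() + " legacy-backup",
])

if __name__ == "__main__":
    revoked = {fingerprint(build_rsa_blob(4096))}   # pretend this key was reported stolen
    for lineno, ktype, fp, comment, reasons in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, revoked):
        print(f"line {lineno}: {ktype} {fp} ({comment}) -> {'; '.join(reasons)}")
```

Run against a real file by reading it into `audit_authorized_keys`; the fingerprint set is where a list of keys known to be compromised (or generated on an affected Debian host) would go.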

Wednesday, August 27, 2008

Cookin’ Soul’s OJAYZIS: Jay-Z vs OASIS (Mixtape)

Download -

Computer Virus Taken to International Space Station

Via BBC -

A computer virus is alive and well on the International Space Station (ISS).

Nasa has confirmed that laptops carried to the ISS in July were infected with a virus known as Gammima.AG.

The worm was first detected on Earth in August 2007 and lurks on infected machines waiting to steal login names for popular online games.

Nasa said it was not the first time computer viruses had travelled into space and it was investigating how the machines were infected.

Space news website SpaceRef broke the story about the virus on the laptops that astronauts took to the ISS.

Nasa told SpaceRef that no command or control systems of the ISS were at risk from the malicious program.

The laptops infected with the virus were used to run nutritional programs and let the astronauts periodically send e-mail back to Earth.

The laptops carried by astronauts reportedly do not have any anti-virus software on them to prevent infection.

Once it has scooped up passwords and login names the Gammima.AG worm virus tries to send them back to a central server. It targets a total of 10 games most of which are popular in the Far East such as Maple Story, HuangYi Online and Talesweaver.

Nasa is working with partners on the ISS to find out how the virus got on to the laptop in the first place.

The ISS has no direct net connection and all data traffic travelling from the ground to the spacecraft is scanned before being transmitted.

It is thought that the virus might have travelled via a flash or USB drive owned by an astronaut and taken into space.

The space agency also plans to put in place security systems to stop such incidents happening in the future.

Nasa told Wired News that viruses had infected laptops taken to the ISS on several occasions but the outbreaks had always only been a "nuisance".


Why not just use anti-virus on computers?

Wow, that might make too much sense.

Tuesday, August 26, 2008

Russia Threatens Military Response to US Missiles

Via Yahoo News! (AP) -

MOSCOW - Russian President Dmitry Medvedev is warning his country may respond to a U.S. missile shield in Europe through military means.

Medvedev says that the deployment of an anti-missile system close to Russian borders "will of course create additional tensions."

"We will have to react somehow, to react, of course, in a military way," Medvedev was quoted as saying Tuesday by the RIA-Novosti news agency.

Russian officials have already warned of a military response to the U.S. plans, but the statement by the Russian leader was likely to further aggravate already tense relations with the West. The comments come after Medvedev recognized two Georgian regions as independent nations, prompting criticism from the U.S. and Europe.


Russian President Dmitry Medvedev stated the following in ITAR-TASS recently:

Russia does not feel scared at the thought of another ‘cold war’, Russian President Dmitry Medvedev told the Russia Today television channel in an interview.

“There is nothing we find scaring, this is true of the risk of a cold war, too. We do not want it, though, but in a situation like this all depends on our partners,” Medvedev said. “If the West wishes to preserve a good relationship with Russia, then they will have to understand the reasons for our decision.”

North Korea Suspends Nuclear Reactor Disablement

Via AP -

SEOUL, South Korea (AP) — North Korea said Tuesday it has suspended work to disable its nuclear reactor in anger over Washington's failure to remove it from the U.S. list of terror sponsors. The North said it will soon consider a step to restore the plutonium-producing facility.

The announcement poses the biggest hurdle yet to the communist nation's denuclearization process under a landmark deal last year.

"The U.S. postponed the process of delisting the (North) as a 'state sponsor of terrorism,'" the Foreign Ministry said in a statement carried by the official Korean Central News Agency. "Now that the U.S. breached the agreed points, the (North) is compelled to take" countermeasures, it said.

The Foreign Ministry also said the government will "consider soon a step to restore" the nuclear facility at Yongbyon, but it did not elaborate. The disablement was suspended as of Aug. 14, it added.

The U.S. offered to remove North Korea from the list of state sponsors of terrorism as one of the key concessions in exchange for the North shutting down and disabling the nuclear reactor under a landmark deal reached last year in six-party negotiations that include China, Japan, the two Koreas, the U.S. and Russia.

In June, the U.S. said it would remove North Korea from the list after it turned in a long-delayed account of its nuclear programs and blew up the reactor's cooling tower in a symbolic move to demonstrate its commitment to disarm.

North Korea began disabling the plutonium-producing facilities in November but the North slowed the work in a dispute with Washington over how to verify a declaration of its nuclear programs.

The two sides have been negotiating on that issue with Washington insisting it would remove the North from the terror list only after it agrees to a verification plan.

That has angered North Korea.


South Korean and U.S. officials have said eight of the 11 disablement measures have been finished and that when the entire disablement is completed, it would take at least a year for the North to restart the facilities.

Whang Joo-ho, a nuclear expert at South Korea's Kyung Hee University, said it would take about three to six months for North Korea to restore its nuclear facilities at Yongbyon. He said it would take only one month to rebuild the kind of cooling tower the North destroyed in June.

British Counterterrorism Police Make Arrest

Via Yahoo News! (AP) -

LONDON - British counterterrorism police say they have arrested a 25-year-old man in Blackburn, northern England.

The arrest came just before 7 a.m. on Tuesday morning. Lancashire Police say he was arrested on suspicion of committing offenses under Britain's terror laws. Officers are searching the man's house.

He is the fourth person to be arrested on terror charges in the area in the past two weeks. Police are still questioning three men they arrested Aug. 14.

Police would not comment further on Tuesday's arrest.

Monday, August 25, 2008

Tools of the Trade - Johari Window Edition

A Johari window is a cognitive psychological tool created by Joseph Luft and Harry Ingham in 1955 in the United States, used to help people better understand their interpersonal communication and relationships. It is used primarily in self-help groups and corporate settings as a heuristic exercise.


The Blind Spot quadrant has always interested me....

On to the tools...

On August 25th, CCleaner 2.11.636 was released. CCleaner is a freeware system optimization and privacy tool. It removes unused and temporary files from your system - allowing Windows to run faster, more efficiently and giving you more hard disk space. Check the version history for all the change details.

On August 25th, Carnegie-Mellon's School of Computer Science and College of Engineering released Perspectives, a Mozilla Firefox 3 Extension. Perspectives is a new approach to help clients securely identify Internet servers in order to avoid "man-in-the-middle" attacks. Perspectives is simple and cheap compared to existing approaches because it automatically builds a robust database of network identities using lightweight network probing by "network notaries" located in multiple vantage points across the Internet.

On August 23rd, CDBurnerXP was released. CDBurnerXP is a free application to burn CDs and DVDs, including Blu-Ray and HD-DVDs. This release is primarily bug fixes.

On August 22nd, Microsoft and Mark Russinovich released AutoRuns v9.33. Autoruns shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. A "show non-Microsoft only" option helps you to zoom in on third-party auto-starting images that have been added to your system.

On August 22nd, Tor 0.2.30 was released. Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.

On August 20th, OWASP DirBuster 0.11.1 was released. DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. DirBuster comes with a total of 9 different wordlists, which makes it extremely effective at finding those hidden files and directories.

On August 20th, David Byrne released Grendel v1.0. Grendel-Scan is an open-source web application security testing tool. It has an automated testing module for detecting common web application vulnerabilities, and features geared at aiding manual penetration tests. This tool was originally released at Defcon 16 - see the accompanying presentation materials. Check the release notes for all the change details.

On August 19th, Pidgin 2.5.0 was released. Pidgin is a multi-protocol Instant Messaging client that allows you to use all of your IM accounts at once. Pidgin is licensed under the GNU General Public License (GPL) version 2. Check out the news section for the change details.

On August 14th, KeePass 1.12 was released. KeePass is a free/open-source password manager or safe which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key-disk. Check out the release notes for all the change details.

On August 12th, Sandro Gauci released Surf Jack 1.0 during Defcon 16. Surf Jack is a tool which allows one to hijack HTTP connections to steal cookies - even ones on HTTPS sites. It works on both Wi-Fi (monitor mode) and Ethernet. The proof of concept tool allows testers to steal session cookies on HTTP and HTTPS sites that do not set the cookie Secure flag.

On August 12th, FileZilla 3.1.11 was released. FileZilla is a powerful FTP-client for Windows NT4, 2000 and XP. It has been designed for ease of use and with support for as many features as possible, while still being fast and reliable.

On August 10th, 757 Labs released PDFResurrect v0.04. PDFResurrect is a tool aimed at analyzing PDF documents. This tool attempts to extract all previous versions while also producing a summary of changes between versions. This tool can also "scrub" or write data over the original instances of PDF objects that have been modified or deleted, in an effort to disguise information from previous versions that might not be intended for anyone else to read. Check out the following whitepaper - Faith in the Format: Unintentional Data Hiding in PDFs.

On July 18th, Solar Designer released a new version of John the Ripper. John the Ripper is a fast password cracker, currently available for many flavors of Unix, DOS, Win32, and BeOS. Its primary purpose is to detect weak Unix passwords, but a number of other hash types are supported as well. This version corrected the x86 assembly files for building on Mac OS X and merged in some generic changes from JtR Pro.

On July 17th, Irfan Skiljan released IrfanView 4.20. IrfanView is a very fast, small, compact and innovative FREEWARE (for non-commercial use) graphic viewer for Windows 9x/ME/NT/2000/XP/2003/Vista. This is the first updated version he has released in 2008 (v4.10 was released on 10/2007). Check out the changelog for all the details.

On July 13th, WinSCP 4.1.5 was released. WinSCP is an open source free SFTP client and FTP client for Windows. Legacy SCP protocol is also supported. Its main function is safe copying of files between a local and a remote computer. WinSCP has been nominated for 2008 Community Choice Awards in category Best Tool or Utility for SysAdmins. Check the history file for all the details.

On July 10th, Gmail Drive 1.0.13 was released. GMail Drive is a Shell Namespace Extension that creates a virtual filesystem around your Google Gmail account, allowing you to use Gmail as a storage medium. This new version was released since some users complained that they had problems with login.
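The Surf Jack entry above turns on one detail: a session cookie issued over HTTPS but without the Secure attribute is also sent when the browser is steered to a plain http:// URL on the same host, where it can be read off the wire. As an added example (not Surf Jack's code or this blog's), the following Python parses Set-Cookie headers, reports which cookies a browser would attach to an http request, and audits them for the Secure and HttpOnly attributes. The header values are constructed samples.

```python
# Added example, not part of Surf Jack or this blog: inspect Set-Cookie headers
# for the attributes that keep a session cookie off plain-HTTP requests.
# The headers below are constructed samples.


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def cookies_sent_over(scheme: str, set_cookie_headers) -> list:
    """Cookie names a browser would attach to a same-host request over `scheme`.
    A cookie lacking the Secure attribute travels over http as well as https,
    which is exactly what a plaintext interception tool relies on."""
    names = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if scheme == "https" or "secure" not in cookie["attrs"]:
            names.append(cookie["name"])
    return names


def audit_set_cookie_headers(set_cookie_headers) -> list:
    """Return (cookie name, list of problems) for cookies missing Secure or HttpOnly."""
    findings = []
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        problems = []
        if "secure" not in cookie["attrs"]:
            problems.append("missing Secure: also sent over plain http")
        if "httponly" not in cookie["attrs"]:
            problems.append("missing HttpOnly: readable by page scripts")
        if problems:
            findings.append((cookie["name"], problems))
    return findings


# Constructed sample: what an HTTPS login response might set.
SAMPLE_SET_COOKIE = [
    "SESSIONID=9f3c...constructed; Path=/; HttpOnly",            # leaks over http
    "CSRFTOKEN=7a1e...constructed; Path=/; Secure; HttpOnly",    # correct
    "prefs=theme=dark; Path=/; Max-Age=31536000",               # no flags at all
]

if __name__ == "__main__":
    print("sent over http :", cookies_sent_over("http", SAMPLE_SET_COOKIE))
    print("sent over https:", cookies_sent_over("https", SAMPLE_SET_COOKIE))
    for name, problems in audit_set_cookie_headers(SAMPLE_SET_COOKIE):
        print(f"{name}: {'; '.join(problems)}")
```

The fix on the server side is the one-word attribute the audit looks for: a session cookie issued over HTTPS should carry `Secure` (and normally `HttpOnly`), so the browser never offers it to an http:// request in the first place.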

Despite Airlines' Promises, Customers Find a Way to Make VOIP Calls on Flights

Via -

We knew it would happen eventually, but we figured it would take longer than a week.

Just days after American Airlines made the big-deal announcement that it had rolled out in-flight internet on certain routes, hackers have found a way to use the service for voice-over-internet protocol calls, despite promises from the airline that its air-to-ground system, developed by Aircell, would block voice calls.

A tip before we go any further: Voice calls on airplanes will result in chatty passengers who yap their way through an entire six-hour flight, which is likely to increase the chance of an air-rage incident. Fly at your own risk.

The workaround, called Phweet, allows users to call friends who are linked via Twitter. Andy Abramson from VoIP Watch says that he recently used Phweet to chat with a friend on an American Airlines flight, and that the conversation was so clear he could hear the flight attendant ordering people to get back to their seats in preparation for landing.


Is American Airlines the only party that didn't see this coming? WTF?

Facebook Markup Language - Execution of Arbitrary JavaScript

Via The Register UK -

Facebook's hip new application platform contains a gaping hole that allows attackers to run malicious javascript on unsuspecting users' machines, a developer has demonstrated.

Proof of concept code examined by El Reg shows how the platform can be used to steal Facebook users' session identification cookies, deliver pop-up messages or change the layout of Facebook pages. With a little extra work, an attacker could probably do much more, including send and read messages from a user's account, change privacy settings and add or delete Facebook friends.

"This is quite a big security hole," said Artur Wachelka, a Munich-based developer of online games who stumbled upon the bug while writing a chess game for Facebook. He said he decided to take the vulnerability public after reporting it to Facebook privately and receiving a single sentence reply that the security issue didn't exist.

Evidently the Facebook drone didn't bother to run Wachelka's proof-of-concept code. It clearly shows that javascript can be executed in a browser to display session cookies, display a pop-up window that says "Oooops" and even change the color of the Facebook banner.

A Facebook spokeswoman said members of the company's security team were investigating the report. As of Monday afternoon, the bug had yet to be squashed.

The bug exists in a component of what's known as FBML, short for Facebook markup language, which developers can use to write games and other applications that run on Facebook. For reasons that aren't clear, a tag that translates text from one language to another fails to parse input for javascript before sending it to users' browsers. The bug appears to work only on Facebook's recently updated pages, and only after users have logged in to their accounts.

Wachelka said he filed a bug report with Facebook on Friday and promptly received a message saying the matter had been closed. "Our FBML tags are written not to run Javascript," Facebook asserted.

The failure to sanitize the content of third-party applications is one of several privacy and security gaffes that have threatened Facebook users over the past few years. In May they were poked by a cross-site scripting (XSS) flaw, and a separate security hole exposed the private pictures of Paris Hilton and who knows how many other users. Recently, security researchers have reported a worm that attacks users of Facebook and other social networking sites.

Tom Parker, manager of security consulting at Mu Dynamics, a security vendor, examined the proof of concept and validated Wachelka's claim that the vulnerability allowed the execution of arbitrary javascript.

Says Parker: "It's certainly a flaw that needs to be fixed."


Of course, malware has been spreading via Facebook for a while now.
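The bug described above is an output-encoding failure: a template tag copied app-supplied text into the page without HTML-encoding it, so the browser treated that text as markup. As an added example (not Facebook's code or the author's), the following Python models such a tag twice, once the vulnerable way and once with the emitted value HTML-escaped. The tag name `<fb:translate>`, the template syntax and the translation table are assumptions for the demo, not the real FBML tag; the sample page and its script payload are constructed.

```python
# Added example, not Facebook's code or the blog's: a toy template tag in the
# spirit of an FBML translation tag. The tag name <fb:translate>, the template
# syntax and the translation table are assumptions for this demo.
import html
import re

TRANSLATIONS = {"de": {"Hello": "Hallo", "Welcome": "Willkommen"}}

# Hypothetical tag: <fb:translate text="..." /> substitutes a translation of `text`.
TAG_RE = re.compile(r'<fb:translate\s+text="([^"]*)"\s*/>')


def _lookup(text: str, lang: str) -> str:
    """Return the translation, or the original text when none is known."""
    return TRANSLATIONS.get(lang, {}).get(text, text)


def render_unsafe(template: str, lang: str) -> str:
    """Vulnerable: the looked-up text is copied into the HTML verbatim, so markup in
    the app-supplied attribute reaches the browser as markup."""
    return TAG_RE.sub(lambda m: _lookup(m.group(1), lang), template)


def render_safe(template: str, lang: str) -> str:
    """Hardened: every value the tag emits is HTML-encoded, so it is text, not markup."""
    return TAG_RE.sub(lambda m: html.escape(_lookup(m.group(1), lang), quote=True), template)


# Constructed app page: one honest tag and one carrying markup instead of a phrase.
APP_PAGE = (
    '<h1><fb:translate text="Hello" /></h1>'
    "<p><fb:translate text=\"<script>alert('Oooops')</script>\" /></p>"
)

if __name__ == "__main__":
    print("unsafe:", render_unsafe(APP_PAGE, "de"))
    print("safe:  ", render_safe(APP_PAGE, "de"))
```

Both renderers produce `<h1>Hallo</h1>` for the honest tag; only the hardened one turns the second tag into inert text (`&lt;script&gt;...`). The check a reviewer wants on any tag of this kind is that its output path runs through the encoder regardless of where the text came from, including the "no translation found, echo the input" branch.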

Sharif Quits Pakistan Coalition, Setting Up President Contest

Via Bloomberg -

Nawaz Sharif, head of Pakistan's second-largest party, quit the six-month-old ruling alliance, setting up a fight with Pakistan Peoples Party leader Asif Ali Zardari over who will replace Pervez Musharraf as president.

"We have been forced to take this decision, which we take with great regret," Sharif told a news conference in the capital, Islamabad, today after meeting senior party leaders. "Zardari pledged in writing to reinstate the judges within one day of Musharraf leaving."

Zardari reneged on several pledges to reinstate judges fired by Musharraf and to nominate a presidential candidate from outside the main parties, Sharif said. His party nominated former chief justice Saeed-uz-Zaman Siddiqui to run for head of state in the Sept. 6 presidential election.

Zardari, widower of former prime minister Benazir Bhutto, will need support from smaller parties including the Mutahidda Qaumi Movement to ensure the majority needed to win the parliamentary vote for president. Sharif's departure removes an opponent to military action against extremists as the government today banned the Pakistani Taliban after a string of suicide attacks.

Sharif's withdrawal "won't cause the government to fall but the PPP will fight for stability because it will be dependent on smaller groups," said Khalid Mahmud, a research analyst at Institute of Regional Studies in Islamabad. "Even without the support of the Muslim League, the PPP can elect its president."

The PML-N "won't try to bring down the government," PPP spokesman Farhatullah Babar told GEO TV in a telephone interview. "The coalition was in the interest of the nation."

The benchmark Karachi Stock Exchange 100 index, which has declined 30 percent this year, has lost 10.5 percent in the last four sessions. The rupee, which has shed 24 percent this year, declined to a record low of 76.68 to the dollar today.

Pakistan Muslim League-Quaid-e-Azam, which backed Musharraf, will announce its presidential candidate today, parliamentary opposition leader Chaudhry Parvez Elahi told reporters in Islamabad.

Sharif's Pakistan Muslim League exited the alliance a week after forcing Musharraf out. Differences between Zardari, 52, and Sharif, 59, have stalled the work of Pakistan's government as it tries to tackle a slowing economy, faster inflation and increased terrorist violence.

"These repeated defaults and violations have forced us to withdraw our support from the ruling coalition and sit on the opposition benches," Sharif said. "However, we will play a constructive role."

Saturday, August 23, 2008

Double-Stegging - Jamming Steganography

Via -

Earlier this year, someone at the United States Department of Justice smuggled sensitive financial data out of the agency by embedding the data in several image files. Defeating this exfiltration method, called steganography, has proved particularly tricky, but one engineering student has come up with a way to make espionage work against itself.

Keith Bertolino, founder of digital forensics start-up E.R. Forensics, based in West Nyack, N.Y., developed a new way of disrupting steganography last year while finishing his electrical engineering degree at Northeastern University, in Boston.


Bertolino’s method turns this technology on itself. The key to jamming steganography, he says, is using steganography—what he calls “double-stegging.” Double-stegging adds some noise, scrambling some of the image’s least-significant bits. “As long as you’re damaging at least some part of the file,” Bertolino explains, the hidden file becomes garbled and cannot be deciphered. If the cat in the picture is just a cat, the file comes to no harm. But a hidden file, once processed by the double-stegging algorithm, will yield only gibberish. “Our results are simple,” Bertolino says. “An extremely high percentage of the hidden files were destroyed.” Though the jamming techniques were tested only on image file carriers, Bertolino is confident that his method can be extended to other file formats, like audio and video files, which can also carry hidden messages. Digital steganography relies on the same basic principles to hide data for any digital carrier. In January, Bertolino will present his research at the Defense Department’s annual digital forensics conference, the Cyber Crime Conference. 

According to Bertolino, the steganography-jamming application would be made available to organizations as part of a software package and would work at the e-mail server level to scour all outgoing communication of nefarious content. Filtering e-mail automatically through an algorithm could give an organization peace of mind without chewing up a lot of billable hours. (Steganography can be detected by trained examiners if the images are passed through a variety of filters to reveal visual indicators, but that requires hours of manpower.) 

One major disadvantage, Bertolino concedes, is that his method does nothing to alert authorities to the presence of the mole. However, despite well-funded research, the bottom line remains that it is easier to jam steganography than it is to detect its presence. “Is it better to know who is doing the attacking or to stop the attack from happening?” Bertolino asks. “Sometimes catching an intruder is less important than preventing the potential damage caused by releasing that information.”

WetStone CEO Chet Hosmer says Bertolino’s research is founded on legitimate principles. In fact, what Bertolino calls double-stegging is similar to a server-level technology called stego stomping that WetStone sells to companies to filter outgoing e-mail. 

The main advantage of such an approach, says Northeastern University computer science professor Ravi Sundaram, under whose guidance Bertolino pursued his research, is that it mitigates a major problem of the espionage “arms race.” As soon as security personnel figure out how to circumvent one algorithm, 10 more are invented to take its place. Double-stegging could provide a stopgap. No matter how sophisticated steganography methods become, those technology advances could be used against the malefactors. By attacking the applications using the applications themselves, the algorithms become their own worst enemy. 

Bertolino thinks his method would be most useful when used alongside detection methods like those being developed at WetStone and Backbone Security, another cybercrime-detection firm, headquartered in Fairmont, W.Va. These firms specialize in detection. Letting Bertolino’s double-stegging application run quietly on an e-mail server means that an examiner could take his time sussing out the intruder while remaining confident that no outgoing e-mails are exporting hidden files.

Thwarting steganography that makes use of static carriers like JPEG or MP3 files is important, says Hosmer. However, steganography is a moving target. Now exfiltrators are beginning to make use of streaming data technologies like voice over Internet Protocol (VoIP). Disrupting or even detecting hidden transmissions inside real-time phone calls is the next hurdle for digital forensics companies, and Hosmer says it poses a significantly more challenging problem.


Very interesting work.
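To make the "double-stegging" idea concrete, here is an added Python sketch (my own illustration, not Bertolino's code or WetStone's product) that treats an image as a buffer of raw pixel bytes: a test payload is hidden in the least-significant bits, then every LSB is overwritten with random noise, and the payload is read back to show it no longer survives while the pixels themselves move by at most one level.

```python
import os


def embed_lsb(pixels: bytes, payload: bytes) -> bytearray:
    """Test fixture only: write payload bits into the LSB of each pixel byte."""
    out = bytearray(pixels)
    bits = [(b >> (7 - i)) & 1 for b in payload for i in range(8)]
    if len(bits) > len(out):
        raise ValueError("carrier too small for payload")
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def extract_lsb(pixels: bytes, n: int) -> bytes:
    """Read n bytes back out of the LSB plane (what the receiver of a hidden file would do)."""
    if len(pixels) < n * 8:
        raise ValueError("carrier too small to hold n bytes")
    bits = [p & 1 for p in pixels[: n * 8]]
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, n * 8, 8))


def scrub_lsb(pixels: bytes) -> bytearray:
    """Double-stegging as the article describes it: overwrite every LSB with fresh noise.
    An innocent image changes by at most 1 per channel; an LSB-hidden file becomes gibberish."""
    noise = os.urandom(len(pixels))
    out = bytearray(pixels)
    for i, p in enumerate(out):
        out[i] = (p & 0xFE) | (noise[i] & 1)
    return out


def max_pixel_change(a: bytes, b: bytes) -> int:
    """Largest per-byte difference between two equally sized pixel buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed 64x64 grayscale ramp standing in for a real picture.
    carrier = bytes((i * 7) % 256 for i in range(4096))
    secret = b"hidden file"
    stego = embed_lsb(carrier, secret)
    print(extract_lsb(stego, len(secret)))             # payload intact before scrubbing
    print(extract_lsb(scrub_lsb(stego), len(secret)))  # unreadable noise after scrubbing
```

This only covers LSB replacement in uncompressed pixel data; tools that hide data in JPEG DCT coefficients or MP3 frames must be scrubbed in that domain (re-encoding the file is the usual practical route), which is the generalisation to "other file formats" the article mentions.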

Huntsville School Computers Encounter USB Jumper Virus

Via Gar Warner's Blog -

Computer viruses are crippling the Huntsville City Schools. How can you be sure your student (or school) won't be a carrier?

In yesterday's Huntsville Times Steve Campbell reported that computer viruses had nearly shut down the Huntsville City schools. Teachers couldn't use their prepared computer lessons, student attendance could not be tracked, and lunch room accounts could not be accessed because of the virus.

Virus researchers at UAB Computer Forensics have been looking at these types of viruses, called "USB Jumpers", since January and have been amazed that there hasn't been a devastating outbreak earlier.

While many viruses spread via email or by visiting infected webpages, this family spreads by network connections and via "USB Thumb Drives".

When a USB drive is inserted into a computer, the computer scans the drive for an "AutoRun.inf" file. If the AutoRun.inf file is present, the computer does whatever it is told to do.

If a stranger (or a student, in this case) gives you a USB thumb drive and you stick it into the computer, the default setting on any Windows computer is to execute that AutoRun sequence.

The way this family of viruses, which we call "USB Jumpers", works is that they modify the AutoRun.inf file to execute a copy of the virus, which is often present on the thumbdrive as a "hidden file" called "Setup.exe".

Once a computer is infected, every thumb drive inserted into that computer will be updated to also be a USB Jumper. So, if a teacher has students turn in their homework on USB sticks, the first student may give the teacher an infected thumb drive. The teacher then also gathers homework from all of the other students. As each student's thumb drive is inserted into the teacher's computer, it also becomes infected, and can now be used to spread the virus to their home computer or other teachers' computers.

Once a trusted computer on a network is infected, the infection can spread quickly to every other computer on the network, especially if an Administrator logs in to the computer. When someone with "Domain Administrator" privileges logs in to the computer, the virus on that computer now has "Administrator privileges" on the entire network. When the virus realizes it is an Administrator, it attempts to open a "network share" with every other computer on the network. If the share is successful, it will copy itself to the setup routines on the remote computer, and then close the connection.

This is especially devastating! When a computer is first infected, the infection is limited to the local machine and to USB drives inserted into that computer -- but the person who is called from the IT Department to remove the virus will almost certainly log in with "Administrator" access to remove the virus. As soon as that happens, every machine on the network can be infected within a matter of seconds.
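As an added illustration (mine, not code from Gar Warner's post or the UAB research), a small Python check of what a drive's AutoRun.inf would launch on insertion, with a constructed directory listing standing in for the real file scan; it flags the pattern the post describes, an `open=` entry pointing at a hidden Setup.exe.

```python
import re
from typing import Dict, List

# [autorun] keys that cause a program to run when the drive is inserted.
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [autorun] section with lowercased keys."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_targets(entries: Dict[str, str]) -> List[str]:
    """Paths an autorun would execute: open=, shellexecute=, and shell\\X\\command= verbs."""
    targets = []
    for key, value in entries.items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            parts = value.split()
            if parts:
                targets.append(parts[0].strip('"').lower())  # drop arguments
    return targets


def assess_drive(autorun_text: str, listing: Dict[str, dict]) -> List[str]:
    """listing maps lowercase filename -> {"hidden": bool}; a stand-in for a directory scan."""
    findings = []
    for target in launched_targets(parse_autorun(autorun_text)):
        attrs = listing.get(target)
        if attrs is None:
            findings.append(f"{target}: referenced by autorun but not on the drive")
        elif attrs.get("hidden"):
            findings.append(f"{target}: autorun launches a hidden executable (USB Jumper pattern)")
        else:
            findings.append(f"{target}: autorun launches an executable")
    return findings
```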


I had the pleasure of working along with Gar Warner during my time as a CastleCop PIRT handler.

Good guy.

Friday, August 22, 2008

Hopes for a Softer Russia Dashed?

Via Reuters -

The Russian tanks which rolled into Georgia this month did not just crush a troublesome former Soviet neighbour. They also squashed hopes of a more liberal agenda back home in Moscow.

Kremlin leader Dmitry Medvedev, an Internet-savvy 42-year-old former corporate lawyer, took office in May pledging to fight corruption and lawlessness at home, promote democracy and set a softer tone overseas.

Medvedev's arrival aroused hopes among Western powers of a more liberal, investor-friendly Kremlin after what they saw as eight years of eroding democracy and hawkish foreign policy under his predecessor and mentor Vladimir Putin.

Those hopes lasted just three months.

Then Moscow unleashed its biggest show of military might since the 1991 collapse of the Soviet Union to crush an attack by neighboring Georgia on the pro-Russian separatist province of South Ossetia.

Now, the Kremlin chief's complex, lawyerly phrases have given way to the clipped expletives of a military leader.


Showing a tough streak that seemed unthinkable only a month earlier, Medvedev promised war veterans in televised comments that Russia would deliver a "crushing response" to any future aggressor.

One of his top generals threatened Poland with a possible future nuclear strike after it agreed to deploy a U.S. anti-missile system.

"There is no doubt the hardliners are totally in control," one senior Moscow diplomat said, speaking on condition of anonymity. "This intervention in Georgia has changed the game."

ID Theft Ringleader Gets Three Days in Jail

Via DarkReading -

Some Canadian critics are outraged today over the sentencing of Bradley Moisan, the man convicted of heading up the largest identity theft ring in the history of the country.

Moisan walked out of jail about three days after his sentence, according to Canadian news reports about the identity theft conviction. He had faced a maximum of 14 years in prison.

Moisan pleaded guilty to his crimes, and the judge gave him a year in jail. But because he had spent six months in custody awaiting trial -- time which is weighed twice because it's before trial -- he had effectively finished the sentence before it began.

Last February, police discovered that a nondescript building in Newton, Canada, was actually an identity theft factory, with hundreds of CDs packed with names, addresses, phone numbers, and mothers' maiden names. They recovered stacks of passports, driver's licenses, and credit cards -- both real and fake -- as well as reams of stolen mail. Moisan and an accomplice were charged and convicted of the thefts.

"It's absolutely outrageous," said Mike Farnworth, the provincial public safety critic. "There should be severe and swift consequences and the sentence that was handed down is frankly a slap on the wrist."


This is pretty silly....the judge made a fatal mistake in judgment on this one.

This guy didn't grab 20 bucks out of some lady's purse....this person is a very serious criminal.

Red Hat Compromise Sparks a Critical OpenSSH Security Update

Via Red Hat -

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only). As a precautionary measure, we are releasing an updated version of these packages and have published a list of the tampered packages and how to detect them.

To reiterate, our processes and efforts to date indicate that packages obtained by Red Hat Enterprise Linux subscribers via Red Hat Network are not at risk.


If you believe you may have installed these tampered packages, then follow the link above and get the updated OpenSSH blacklist script. This was created by Red Hat to assist in identifying the tainted packages.

Mozilla Unleashes TraceMonkey For Firefox

Via InformationWeek -

In a move to make Firefox more competitive with desktop applications and proprietary graphics technology like Microsoft (NSDQ: MSFT) Silverlight and Adobe (NSDQ: ADBE) Flash, Mozilla on Friday released TraceMonkey, a project that adds native code compilation to SpiderMonkey, Mozilla's JavaScript engine.

Mozilla has included TraceMonkey in an alpha version of Firefox 3.1, the next major release of the open-source Firefox Web browser. TraceMonkey is off by default, because it's not entirely bug-free. But when it's more stable and enabled, Firefox's JavaScript should get faster "by an order of magnitude or more," as Mozilla CTO Brendan Eich put it in a blog post.

"If you're doing something like image processing, we can demonstrate six to seven times speed-ups and we can probably double those," said Eich in a phone interview. "If you're doing a tight [programming] loop that's just manipulating bits, you can go 20 to 40 times faster."

TraceMonkey was built with the help of UC Irvine research scientist Andreas Gal, using a technique called "trace trees."

Mike Schroepfer, VP of engineering at Mozilla (soon to leave for Facebook), has posted a screencast demo that shows how TraceMonkey makes image editing done through Firefox competitive with dedicated image editing applications, at least in terms of the responsiveness of the user interface.

"What we're trying to do is extend the capability of the browser," said Eich, adding that graphics applications and games in particular stand to benefit from improved JavaScript performance. "Not everyone wants to get a plug in," he said.

Improving browser performance is necessary to provide an open-source alternative to proprietary rendering technologies. "If browsers are only doing JavaScript and doing it slowly, we worry that content will migrate to closed platforms like Silverlight," said Eich.

Mozilla's support for the canvas graphic rendering element in the HTML 5 specification and the Ogg video format also reflects this goal.