Sunday, November 30, 2008

iTunes 8.0.2.20 / Quicktime 7.5.5 Multiple Remote Off By One Overflow PoC

Quicktime / iTunes Multiple Remote Off By One Overflow
Applications: iTunes 8.0.2.20 / Quicktime 7.5.5 (249.26)
Web Site: www.apple.com
Platform: Windows *, OS X *
Bug: Off by one overflow
Tested against: iTunes 8.0.2.20 / Quicktime 7.5.5 on XP SP3 fully patched

http://www.milw0rm.com/exploits/7296

Aqazadeh: IAEA Declares Iran Green Salt Issue as Solved

Via IRNA (Islamic Republic News Agency) -

Head of Iran's Atomic Energy Organization (IAEO) Reza Aqazadeh said on Sunday that the International Atomic Energy Agency (IAEA) has declared the issue of Green Salt in Iran's peaceful nuclear program as resolved.

Aqazadeh made the remark on the sidelines of the First International Seminar on 'Nuclear Power Plants, Environment and Sustainable Development' in Tehran on Sunday.

"We have received an official letter from IAEA in which it has declared that the issue of Green Salt is now over," he said.

On the construction of the Bushehr nuclear power plant, he said Russia has accelerated the pace of construction work and increased the size of its workforce.

DOD Targeted by Widespread Malware

Via LATimes -

The 'malware' strike, thought to be from inside Russia, hit combat zone computers and the U.S. Central Command overseeing Iraq and Afghanistan. The attack underscores concerns about computer warfare.

Reporting from Washington -- Senior military leaders took the exceptional step of briefing President Bush this week on a severe and widespread electronic attack on Defense Department computers that may have originated in Russia -- an incursion that posed unusual concern among commanders and raised potential implications for national security.

Defense officials would not describe the extent of damage inflicted on military networks. But they said that the attack struck hard at networks within U.S. Central Command, the headquarters that oversees U.S. involvement in Iraq and Afghanistan, and affected computers in combat zones. The attack also penetrated at least one highly protected classified network.

Military computers are regularly beset by outside hackers, computer viruses and worms. But defense officials said the most recent attack involved an intrusive piece of malicious software, or "malware," apparently designed specifically to target military networks.

"This one was significant; this one got our attention," said one defense official, speaking on condition of anonymity when discussing internal assessments.

Although officials are withholding many details, the attack underscores the increasing danger and potential significance of computer warfare, which defense experts say could one day be used by combatants to undermine even a militarily superior adversary.

Bush was briefed on the threat by Navy Adm. Michael G. Mullen, chairman of the Joint Chiefs of Staff. Mullen also briefed Defense Secretary Robert M. Gates.

[...]

The first indication that the Pentagon was dealing with a computer problem came last week, when officials banned the use of external computer flash drives. At the time, officials did not indicate the extent of the attack or the fact that it may have targeted defense systems or posed national security concerns.

The invasive software, known as agent.btz, has circulated among nongovernmental U.S. computers for months. But only recently has it affected the Pentagon's networks. It is not clear whether the version responsible for the cyber-intrusion of classified networks is the same as the one affecting other computer systems.

The malware is able to spread to any flash drive plugged into an infected computer. The risk of spreading the malware to other networks prompted the military to ban the drives.

Defense officials acknowledged that the worldwide ban on external drives was a drastic move. Flash drives are used constantly in Iraq and Afghanistan, and many officers keep them loaded with crucial information on lanyards around their necks.

Banning their use made sharing information in the war theaters more difficult and reflected the severity of the intrusion and the threat from agent.btz, a second official said.

Officials would not describe the exact threat from agent.btz, or say whether it could shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.

In response to the attack, the U.S. Strategic Command, which oversees the military's cyberspace defenses, has raised the security level for its so-called information operations condition, or "INFOCON," initiating enhanced security measures on military networks.

[...]

On Tuesday, Gen. Norton A. Schwartz, Air Force chief of staff, received a specialized briefing about the malware attack. Officers from the Air Force Network Operations Center at Barksdale Air Force Base in Louisiana outlined their efforts to halt the spread of the malware and to protect military computers from further attack.

Schwartz, praising those efforts, said that the attack and the military's response were being closely monitored by senior military leaders.

The offending program has been cleansed from a number of military networks. But officials said they did not believe they had removed every bit of infection from all Defense Department computers.

"There are lots of people working hard to remove the threat and put in preventive measures to protect the grid," said the defense official. "We have taken a number of corrective measures, but I would be overstating it if I said we were through this."


----------------------------

Some media outlets are reporting malware connected to China being discovered on the DoD networks.

It is important to remember that most general Internet malware is commonly traced to either Russian or Chinese roots....so it is possible that the DoD is fighting common (non-targeted) infections....just like the rest of the corporate world.

Without more public information...it is hard to determine if this is a targeted attack or just a piece of common everyday malware that found a foothold and spread uncontrolled (due to bad security policy and practices)...the public may never know.

Saturday, November 29, 2008

Pakistan U-turns on Sending Spy Chief to India

Via Asharq Al-awast -

Pakistan on Saturday withdrew an offer to send its spy chief to India to help investigate the Mumbai terrorist attacks, damaging efforts to head off a crisis between the nuclear-armed rivals.

Indian officials have linked the attacks to "elements" in Pakistan, raising the prospect of a breakdown in painstaking peace talks between South Asian rivals that has alarmed the U.S. However, Washington also kept up the pressure on Pakistan with a suspected missile strike on an al-Qaeda and Taliban stronghold near the Afghan border that reportedly killed two people.

Pakistan's Prime Minister Yousuf Raza Gilani insisted on Friday that his country was not involved in the carnage that left more than 190 people dead in India's financial capital.


With Pakistan promising to help identify and apprehend those responsible, Gilani's office said the head of the Inter Services Intelligence agency would go to India at the request of India's prime minister, Manmohan Singh. However, Zahid Bashir, a spokesman for Gilani, told The Associated Press on Saturday that the decision had been changed and that a lower-ranking intelligence official would travel instead. He declined to explain the about-face, which followed sharp criticism from some Pakistani opposition politicians and a cool response from the army, which controls the spy agency.

NASA Curbs Removable Media Use

Via GCN -

NASA chief information officer Jonathan Pettus clarified the agency’s policy curbing the use of removable media in the wake of recent security concerns. The policy appeared in an internal memo.

New details about security concerns at NASA, independent of the memo, emerged in a report by BusinessWeek published last weekend. It details a series of significant and costly cyberattacks on NASA systems in the past decade.

The memo from Pettus instructs employees not to use personal USB drives or other removable media on government computer systems. It also directs employees not to use government-owned removable devices on personal machines or machines that do not belong to the agency, department or organization. And it warns employees not to put unknown devices into any systems and to ensure that systems are fully patched and have up-to-date antivirus software.

Pettus also said he is in the process of updating security policies and is “working with center CIOs on additional measures recommended by [the U.S. Computer Emergency Readiness Team] to mitigate removable media risks, including implementation of Federal Desktop Core Configuration settings.”

The directive is not as sweeping as one issued by the Defense Department, which temporarily forbids the use of USB drives and other removable media devices of all types as a step toward mitigating the spread of detected malware.

But it is indicative of new concerns about controlling the use of portable media.

“I'm surprised it has taken this long for some organizations to act on this attack vector,” said Ed Skoudis, co-founder and a senior security analyst at Washington-based information security group InGuardians, in a newsletter from the SANS Institute. “Windows ships with Autorun for CDs enabled, [and] USBs with U3 technology look just like a CD to a Windows box, making compromise trivial. Enterprises should address this threat with clear policy and instructions for employees, shored up with technical implementations that turn off Autorun via Group Policy.”

He added that Microsoft describes how to turn off the policy here.
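The Group Policy setting Skoudis refers to is backed by a single registry value, NoDriveTypeAutoRun, which is a bitmask with one bit per Win32 drive type. The following is an added example, not code from the article, SANS or Microsoft: it decodes that bitmask, shows which drive types a given value still leaves open (note that the value commonly seen on XP still allows CD-ROM Autorun, which is exactly what a U3 stick emulates), builds the fully disabled value, and on a Windows host writes it under HKLM. The starting value 0x95 is a constructed input; the bit assignments follow the Win32 DRIVE_* constants.

```python
"""Added example: reading and hardening the Windows NoDriveTypeAutoRun policy.

Not code from the article, SANS or Microsoft. Decodes the bitmask behind the
"Turn off Autoplay" Group Policy setting, reports which drive types a value
still lets autorun, and (on Windows, elevated) writes the fully disabled value.
"""
import sys
from typing import Dict, List

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"

# One bit per Win32 drive type (DRIVE_* constants); a set bit means
# "do not autorun this type".
DRIVE_TYPE_BITS: Dict[str, int] = {
    "unknown":     0x01,
    "no_root_dir": 0x02,
    "removable":   0x04,   # USB flash drives, the agent.btz vector
    "fixed":       0x08,
    "remote":      0x10,   # network shares
    "cdrom":       0x20,   # real CDs, and U3 sticks that present as one
    "ramdisk":     0x40,
    "reserved":    0x80,
}
DISABLE_ALL = 0xFF  # every bit set: no Autorun on any drive type


def autorun_still_allowed(mask: int) -> List[str]:
    """Drive types a given NoDriveTypeAutoRun value still lets autorun."""
    return [name for name, bit in DRIVE_TYPE_BITS.items() if not mask & bit]


def mask_for(*disabled_types: str) -> int:
    """Build a policy value that disables Autorun for the named types only."""
    mask = 0
    for name in disabled_types:
        mask |= DRIVE_TYPE_BITS[name]
    return mask


def apply_policy(mask: int = DISABLE_ALL) -> int:
    """Write the value under HKLM (Windows only, needs an elevated process).

    Returns the value read back so the caller can confirm it stuck.
    """
    if not sys.platform.startswith("win"):
        raise OSError("NoDriveTypeAutoRun lives in the Windows registry")
    import winreg  # only importable on Windows
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0,
                            winreg.KEY_SET_VALUE | winreg.KEY_QUERY_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, mask)
        value, _ = winreg.QueryValueEx(key, VALUE_NAME)
    return value


if __name__ == "__main__":
    # Constructed starting point: 0x95 is the value commonly seen on Windows XP.
    xp_default = 0x95
    print(f"0x{xp_default:02X} still autoruns:", autorun_still_allowed(xp_default))
    print(f"0x{DISABLE_ALL:02X} still autoruns:", autorun_still_allowed(DISABLE_ALL))
    if sys.platform.startswith("win"):
        print("applied, read back 0x%02X" % apply_policy())
```

Two caveats a practitioner would want. First, an Explorer restart or logoff is needed before the new value is honoured. Second, Windows of this era did not honour NoDriveTypeAutoRun consistently until Microsoft's February 2009 update (KB967715); US-CERT's TA09-020A documented the complementary workaround of mapping Autorun.inf to a nonexistent INI section (the default value of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf set to @SYS:DoesNotExist), which stops Autorun.inf from being parsed at all.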

Estonian ISP Shuts Srizbi Back Down, For Now

Via Slashdot.org -

In response to the recent resurrection of the Srizbi botnet, an Estonian ISP has shut down the hosting company that was housing its new control servers. Starline Web Services, based in Estonia's capital Tallinn, had become the new home for the Srizbi botnet control center after the McColo hosting company (which was taken down earlier this month) had briefly come back to life last week, allowing the botnet to hand off control to the Estonian network. After Estonia's biggest ISP Linxtelecom demanded that Starline Web Services be taken offline, the newly acquired Srizbi control servers went down with it. However, as the rootkit is armed with an algorithm that periodically generates new domain names where the malware then looks for new instructions, it is only a matter of time before a new set of control servers is created and used to manipulate one of the biggest spam botnets in the world.

Hardware Hacking Mashup

How-to: Read a FedEx Kinko’s smart card (SLE4442)

The FedEx Kinko’s prepaid card is actually a SLE4442 smart card. There’s nothing secret about the SLE4442, it’s completely documented in the datasheet (PDF), and you can buy blank cards on the web. The card is openly readable, we’ll be able to look at the contents without any sort of malicious intrusion. It’s protected from writes by a three byte password, with a ‘three strikes you’re out’ policy that renders the card useless after three failed password attempts.

Unlocking iPhone 3Gs--the Vietnamese way

The obstacle in question: the iPhone 3G. Since its launch, it has proven a much tougher nut to crack than the original iPhone. Without a viable software-based unlock solution, the only way to make the phone work with any GSM carrier has been the use of a proxy SIM. Put this piece of very thin circuitboard in the iPhone 3G atop the carrier's SIM, and you can make calls and text on a new network. Unfortunately, the recently released 2.2 software update, for now, has made the iPhone 3G impossible to unlock--unless you happen to be in Hanoi. Here, I met a man who takes the job quite seriously and gets it done the hard way, literally.

Elcomsoft Claims Acrobat 9 PDF Passwords are Easier to Crack than in Version 8

Via Heise Security -

Russian manufacturer of password recovery software Elcomsoft claims to have discovered a weakness in the password verification system used in Adobe Acrobat 9 that makes password recovery much easier. According to the product description for Version 5.0 of Advanced PDF Password Recovery (APDFPR), because of this weakness, administrators should be able to recover passwords for encrypted Acrobat 9 files on their networks 100 times faster than with the previous version.

Manufacturers have been using verification systems to prevent brute force and dictionary attacks for a long time. These systems don't just hash the password once with MD5, but several times – which requires a lot of computing time to crack. The method has been used successfully in applications such as MS Office 2007. Although Adobe has implemented it in all versions of Acrobat since Acrobat 5, Elcomsoft has informed heise Security that the password protection implemented in version 9 is different.

Adobe 9.0 uses the SHA-256 algorithm – considered more secure than 128-bit MD5 – but the mechanism for verifying the password is so weak that even passwords with eight characters are no longer secure. The larger bit-lengths are not enough to provide the level of security available with the previous version, Acrobat 8.0.
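The point of the preceding paragraphs is that what slows an attacker is the iteration count, not the choice of hash. The following is an added, simplified model (not Adobe's or Elcomsoft's code, and not the PDF specification's algorithms verbatim, which also mix in the file ID, permission bits and the owner-password entry): one scheme re-hashes with MD5 fifty extra times, which is the iteration count of the standard security handler's revision 3 and 4 algorithm used since Acrobat 5, and the other does a single SHA-256, the shape of the Acrobat 9 check the article criticises. A dictionary attack against each counts hash invocations rather than wall time, so the comparison is deterministic. The salt and wordlist are constructed.

```python
"""Added example: work factor of iterated MD5 vs. single-pass SHA-256 password checks.

Simplified models of the two verification shapes the article contrasts; not the
PDF spec's actual algorithms and not vendor code.
"""
import hashlib
from typing import Callable, Dict, Iterable, List, Optional, Tuple

LEGACY_ROUNDS = 50                # extra MD5 rounds in the revision 3/4 algorithm
CONSTRUCTED_SALT = b"\x00" * 8    # fixed, made-up salt so results are reproducible


class HashCounter:
    """Thin wrapper around hashlib that counts how many digests are computed."""

    def __init__(self) -> None:
        self.calls = 0

    def md5(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.md5(data).digest()

    def sha256(self, data: bytes) -> bytes:
        self.calls += 1
        return hashlib.sha256(data).digest()


Scheme = Callable[[bytes, bytes, HashCounter], bytes]


def legacy_style(password: bytes, salt: bytes, h: HashCounter) -> bytes:
    """MD5 over salt+password, then re-hashed LEGACY_ROUNDS more times (51 calls)."""
    digest = h.md5(salt + password)
    for _ in range(LEGACY_ROUNDS):
        digest = h.md5(digest)
    return digest


def single_sha256(password: bytes, salt: bytes, h: HashCounter) -> bytes:
    """One SHA-256 over salt+password: one call per guess, however strong the hash."""
    return h.sha256(salt + password)


def calls_per_guess(scheme: Scheme) -> int:
    """How many hash invocations a single password check costs the attacker."""
    h = HashCounter()
    scheme(b"probe", CONSTRUCTED_SALT, h)
    return h.calls


def dictionary_attack(scheme: Scheme, salt: bytes, target: bytes,
                      candidates: Iterable[bytes]) -> Tuple[Optional[bytes], int]:
    """Try candidates in order; return (matching password or None, hash calls spent)."""
    h = HashCounter()
    for cand in candidates:
        if scheme(cand, salt, h) == target:
            return cand, h.calls
    return None, h.calls


def compare(password: bytes, candidates: List[bytes]) -> Dict[str, int]:
    """Hash calls each scheme forces the attacker to spend to recover `password`."""
    spent: Dict[str, int] = {}
    for name, scheme in (("legacy_md5_x51", legacy_style),
                         ("acrobat9_sha256_x1", single_sha256)):
        target = scheme(password, CONSTRUCTED_SALT, HashCounter())
        found, calls = dictionary_attack(scheme, CONSTRUCTED_SALT, target, candidates)
        if found != password:
            raise RuntimeError(f"{name}: password not in wordlist")
        spent[name] = calls
    return spent


if __name__ == "__main__":
    # constructed wordlist; the real password is the third entry
    wordlist = [b"letmein", b"123456", b"password", b"hunter2"]
    for name, calls in compare(b"password", wordlist).items():
        print(f"{name:20s} {calls:5d} hash calls")
    print("per-guess cost ratio:",
          calls_per_guess(legacy_style) // calls_per_guess(single_sha256))
```

The counter gives a 51:1 ratio per guess; the wall-clock ratio differs because an MD5 call is cheaper than a SHA-256 call and because cracking tools are GPU-accelerated, which is why Elcomsoft's figure is a product claim rather than a property of the algorithms. The lesson is the same either way: a password check needs a deliberately slow key-derivation step, and swapping MD5 for SHA-256 while dropping the iterations makes things worse. Adobe later restored an iterated construction in the revision 6 handler (Acrobat X).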

Friday, November 28, 2008

FBI Sends Agents to Mumbai, Three US Citizens Killed

Via WSJ.com -

The Federal Bureau of Investigation is sending agents to Mumbai to investigate attacks that now include American victims, a counterterrorism official said.

The U.S. government's "working assumption" that the Pakistani militant groups Lashkar-e-Taiba and Jaish-e-Mohammed are suspects in the attacks "has held up" as Indian authorities have begun their investigation, the official said. The two Kashmiri militant groups have ties to al Qaeda.

At least three Americans were among the more than 150 people killed in the attacks. Alan Scherr, 58 years old, and his daughter Naomi, 13, were visiting Mumbai from Virginia, where they are part of a community that promotes a form of meditation. Rabbi Gavriel Noach Holtzberg of the group Chabad, who was killed at the group's Mumbai headquarters, holds dual U.S.-Israeli citizenship, according to the Associated Press.

Kathy Plunket Versluys, owner of a bed and breakfast near the community's property, has known the Scherr family since 1996.

"I am still reeling," she said. "We're in the beautiful area of the Blue Ridge mountains. It's peaceful and it's what our inn and their foundation are about. It's hard to fathom what has happened. We've never been struck by the horrors of the international world until now."

Chemical Tanker Hijacked by Somali Pirates

Via UPI.com -

MOGADISHU, Somalia, Nov. 28 (UPI) -- A chemical tanker and its crew of primarily Indian nationals were under the control of Somali pirates Friday after a maritime hijacking, officials say.

Anonymous diplomatic officials said while a patrolling warship was in the same area as the hijacked vessel, the military ship only arrived on the scene after the pirates had gained complete control of the tanker, The Daily Telegraph reported.

Three British security guards were able to be rescued by helicopter after they leaped from the tanker into the sea, the officials said.

But 25 Indian crew members, along with their two Bangladeshi co-workers, are still being held by the pirates.

Details regarding the hijacking were sparse and no information was available regarding the current condition of the 27 prisoners, the Telegraph said.

The newspaper said the hijacking of the Liberian-flagged ship marked the 40th ship to have been taken by pirates off the coast of Somalia so far this year. A total of 97 ships have been targeted for attacks during that same time period.

Apple Confuses Speech with a DMCA Violation

Via EFF -

Slashdot reports that Apple has sent a "cease and desist" email to bluwiki, a public wiki site, demanding the removal of postings there by those who are trying to figure out how to write software that can sync media to the latest versions of the iPhone and iPod Touch.

Short answer: Apple doesn't have a DMCA leg to stand on.

At the heart of this is the iTunesDB file, the index that the iPod operating system uses to keep track of what playable media is on the device. Unless an application can write new data to this file, it won't be able to "sync" music or other content to an iPod. The iTunesDB file has never been encrypted and is relatively well understood. In iPods released after September 2007, however, Apple introduced a checksum hash to make it difficult for applications other than iTunes to write new data to the iTunesDB file, thereby hindering an iPod owner's ability to use alternative software (like gtkpod, Winamp, or Songbird) to manage the files on her iPod.

The original checksum hash was reverse engineered in less than 36 hours. Apple, however, has recently updated the hashing mechanism in the latest versions of the iPhone and iPod Touch.

Those interested in using software other than iTunes to sync files to these new iPods will need to reverse engineer the hash again. Discussions about that process were posted to the public bluwiki site. Although it doesn't appear that the authors had yet figured out the new iTunesDB hashing mechanism, Apple's lawyers nevertheless sent a nastygram to the wiki administrator, who took down the pages in question.

Here are just a few of the fatal flaws in Apple's DMCA argument.

Where's the "technology, product, service, device or device"?

The DMCA provides that:
No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that ... is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner....


The information posted on the wiki appeared to be text, along with some illustrative code. Nothing that I saw on the pages I was able to review would appear to constitute a "technology, product, service, device, component, or part thereof." In fact, the authors had apparently not yet succeeded in their reverse engineering efforts and were simply discussing Apple's code obfuscation techniques. If Apple is suggesting that the DMCA reaches people merely talking about technical protection measures, then they've got a serious First Amendment problem.

Who owns the copyrighted work?

The iTunesDB file is not authored by Apple, nor does it appear that Apple has any copyright interest in it. Instead, the iTunesDB file on every iPod is the result of the individual choices each iPod owner makes in deciding what music and other media to put on her iPod. In other words, the iTunesDB file is to iTunes as this blog post is to Safari -- when I use Safari to produce a new work, I own the copyright in the resulting file, not Apple.

So if the iTunesDB file is the copyrighted work being protected here, then the iPod owner has every right to circumvent the protection measure, since they own the copyright to the iTunesDB file on their own iPod.

Where's the access control?

The contents of the iTunesDB file is not protected at all -- any application can read it. So, as a result, the obfuscation and hashing mechanisms used by Apple to prevent people from writing to the file cannot qualify as "access controls" protected by Section 1201(a) of the DMCA.

Apple might argue that the checksum hash prevents people from preparing derivative works, which means that it's a "technological measure that effectively protects the right of a copyright owner" (as noted above, however, it's the user, not Apple, who owns any copyright in the iTunesDB file). The DMCA, however, does not prohibit circumvention of technical measures that are not access controls, although it does restrict trafficking in tools that circumvent these measures. But, as mentioned above, there are no "tools" on the bluwiki pages.

What about the reverse engineering exemption?

Apple's lawyers also appear to have overlooked the DMCA's reverse engineering exception, 17 U.S.C. 1201(f), which permits individuals to circumvent technological measures and distribute circumvention tools "for the purpose of enabling interoperability of an independently created computer program with other programs, if such means are necessary to achieve such interoperability, to the extent that doing so does not constitute [copyright] infringement."

Enabling iPods to interoperate with "independently created computer programs" (like gtkpod, Winamp, and Songbird) is precisely what the reverse engineering exception was intended to protect.

Where's the nexus to infringement?

Finally, Apple's DMCA theory fails because any "circumvention" that might be involved here has no connection to any potential copyright infringement. Two decisions by federal courts of appeal (1, 2) have held that without a nexus to potential infringement, there is no violation of the DMCA. And here, it's hard to see how reverse engineering the iTunesDB checksum hash can lead to any infringement of the iTunesDB file -- after all, the reverse engineers presumably aren't interested in making piratical copies of the iTunesDB file. Instead, they just want to sync their iPhones and iPods using software other than iTunes. No infringement there.

Of course, without more than the bare "cease and desist" emails sent by Apple's lawyers to bluwiki, we can't know for certain what other DMCA arguments they may have had in mind. But I certainly can't see any DMCA violation here based on Apple's nastygrams thus far.

-------------------------------------

This is exactly the type of activity that makes me seriously dislike Apple in general.

They generally treat their own customers like morons....as if they don't know better...well we do.

Pakistani Intelligence Chief to Visit India

Via IHT (AP) -

The chief of Pakistan's powerful intelligence organization will make an extraordinary visit to India to assist in the investigation of the Mumbai attacks, Pakistani officials said Friday.

The decision to send Lieutenant General Ahmed Shuja Pasha, the director general of Inter-Services Intelligence, or ISI, will mark the first time an ISI chief will visit rival India. It was not immediately clear, however, when Pasha would leave for India.

The move is being seen as an attempt by Pakistan's civilian government to allay Indian concerns after accusations of Pakistani involvement in the attacks surfaced almost immediately.

In a televised speech Thursday, Prime Minister Manmohan Singh of India blamed forces "based outside this country" of involvement in the attacks. A day later, India's foreign minister, Pranab Mukherjee, was quoted by the Press Trust of India as saying that, according to preliminary reports, "some elements in Pakistan are responsible."

India and Pakistan, which have fought two wars, have repeatedly accused each other of fomenting unrest. While India has accused the ISI of abetting terrorism in the disputed Himalayan region of Kashmir, Pakistan has accused India of supporting an insurgency in southwestern Baluchistan Province.

Distrust and acrimony between the two nuclear powers has hampered efforts toward normalizing relations. The Mumbai attacks, which killed more than 140 people, fueled apprehension that relations between the two neighbors would plunge to a new low.

Pakistani officials said the decision to send General Pasha to India was reached during a conversation between the prime ministers of both countries Friday.

"Prime Minister Syed Yousaf Raza Gilani called the Indian Prime Minister Manmohan Singh Friday morning at 11 a.m. to condemn the attacks," Zahid Bashir, Gilani's spokesperson, said by telephone.

"The Indian prime minister stressed the need of intelligence sharing and evolving a joint strategy to counter terrorism. Dr. Singh requested the prime minister to send the D.G. ISI to India to help in the investigations," Bashir said.

"Once the modalities are worked out, the ISI chief will leave for India," Bashir said.

Officials here said President Asif Ali Zardari also called Singh to promise cooperation "in exposing and apprehending the culprits and the master minds behind the attack," according to a presidential spokesperson.

Zardari said both countries should avoid being manipulated by militants.

--------------------------------

Of course, the Times of India makes it clear that the visit was requested by India...

Pakistan Prime Minister Yousuf Raza Gilani has accepted a request from his Indian counterpart Manmohan Singh to send the Inter-Services Intelligence (ISI) chief to India for sharing of information related to the terrorist attack in Mumbai.

Surging Shoppers Kill New York Wal-Mart Worker

Via Reuters -

A man working for Wal-Mart was killed on Friday when a throng of shoppers surged into a Long Island, New York, store and physically broke down the doors, a police spokesman said.

The 34-year-old man was at the entrance of the Valley Stream Walmart store just after it opened at 5 a.m. local time and was knocked to the ground, the police report said.

The exact cause of death was still to be determined by a medical examiner.

Four shoppers, including a 28-year-old pregnant woman, were also taken to local hospitals for injuries sustained in the incident, police said.

Wal-Mart said it was saddened by the death of the man, who was working for a temporary employment agency serving the discount retailer, and by the injuries suffered by shoppers.

"The safety and security of our customers and associates is our top priority," the world's largest retailer said in a statement. It said the incident was still under investigation and referred any other inquiries to local police.

The Friday after America's Thanksgiving holiday is known as Black Friday and marks what is traditionally the busiest retail day of the year, kicking off the Christmas shopping season.

U.S. stores across the country opened in the early hours of Friday to offer discounts to consumers hit by a contracting economy. Hundreds of shoppers waited on line before dawn at some locations to secure deals on holiday gifts.

--------------------------------

This is the sad side of our world...

Thursday, November 27, 2008

FRHACK 01 - French Security Conference - by Hackers, for Hackers

http://www.frhack.org/

FRHACK 01 will be held on September 7-8, 2009, at the Great Kursaal Hall of Besançon.

FRHACK is not commercial - but - highly technical.

Call For Papers is open; please see the Call For Papers section for more information.

Spam Volumes Expected to Rise with Botnet Resurrection

Via Washington Post -

Spam volumes could rise considerably over the next few days now that one of the world's largest networks of compromised computers used for blasting out junk e-mail was brought back to life tonight.

The "Srizbi" botnet, a collection of more than half a million hacked PCs that were responsible for relaying approximately 40 percent of all spam sent worldwide, was knocked offline two weeks ago due to pressure from the computer security community.

On Nov. 11, the Internet servers used to control the Srizbi botnet were disconnected when a Web hosting firm identified by security experts as a major host of organizations engaged in spam activity was taken offline by its Internet providers.

Turns out, Srizbi's authors had planned ahead for such a situation by building into each bot a fail-safe mechanism in case its master control servers were unavailable: A mathematical algorithm that generates a random but unique Web site domain name to check for new instructions and software updates.

With such a system in place, the malware authors can regain control over the bots merely by registering the Web site names that the infected machines are trying to visit and placing the instructions there.
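The fail-safe described here (and in the Slashdot item above about the Estonian takedown) is what is now called a domain generation algorithm. The Post does not describe Srizbi's actual algorithm, so the following is an added, illustrative stand-in rather than Srizbi's code: a toy date-seeded generator with the properties the article relies on. Every bot derives the same short list of rendezvous names for a given day with no network contact, so whoever registers those names first, botmaster or defender, gets the bots. The seed, TLD list, label length and per-day count are made up for the example; the "registered" set stands in for DNS.

```python
"""Added example: a toy date-seeded domain generation algorithm (DGA).

Not Srizbi's algorithm (the article does not describe it); an illustrative
stand-in showing why registering or sinkholing the generated names works.
"""
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

SEED = b"toy-dga-v1"               # assumed: a constant baked into the bot
TLDS = ("com", "net", "org")       # assumed
DOMAINS_PER_DAY = 4                # assumed, kept small for readability
LABEL_LEN = 10


def generate_domains(day_iso: str) -> List[str]:
    """Rendezvous domains a bot tries on the given day (YYYY-MM-DD).

    Deterministic across hosts (same seed, same day, same list) but opaque
    to anyone who has not recovered SEED from a sample.
    """
    domains = []
    for i in range(DOMAINS_PER_DAY):
        digest = hashlib.sha256(SEED + day_iso.encode() + bytes([i])).digest()
        # map bytes to a-z; the slight modulo bias is irrelevant for a toy
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def bot_rendezvous(day_iso: str, registered: Set[str]) -> Optional[str]:
    """Bot side: walk today's list, stop at the first name that resolves.

    `registered` stands in for DNS: the names somebody has actually registered.
    """
    for name in generate_domains(day_iso):
        if name in registered:
            return name
    return None


def defender_preregistration(start_iso: str, days: int) -> List[str]:
    """Defender side: once the algorithm is recovered from a sample, enumerate
    every name the bots will try over the next `days` days so they can be
    registered or sinkholed ahead of the botmaster.
    """
    start = date.fromisoformat(start_iso)
    names: List[str] = []
    for offset in range(days):
        names.extend(generate_domains((start + timedelta(days=offset)).isoformat()))
    return names


if __name__ == "__main__":
    today = "2008-11-25"   # the Tuesday the Post says rescue domains were registered
    # constructed scenario: the botmaster registers only today's third name
    botmaster = {generate_domains(today)[2]}
    print("today the bots reach:", bot_rendezvous(today, botmaster))
    # a defender who recovered the algorithm sinkholes the following week
    sinkhole = set(defender_preregistration("2008-11-26", 7))
    print("tomorrow the bots reach:", bot_rendezvous("2008-11-26", sinkhole))
    print("names to claim for the week:", len(sinkhole))
```

The defender's advantage here is that the bots try the names in a fixed order: holding the first name of each day is enough, and the botmaster only regains control on days where the defender missed a name that sorts earlier. That is also why the Estonian takedown is only a reprieve, as the Slashdot summary notes: tomorrow's list is already fixed, and whoever registers it first wins.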

According to FireEye, a security company in Milpitas, Calif., that has closely tracked the botnet's activity, a number of those rescue domains were registered Tuesday evening, apparently directing at least 50,000 of the Srizbi-infected machines to receive new instructions and malicious software updates from servers in Estonia.

FireEye senior security researcher Alex Lanstein said he fully expects spam volumes to recover to their pre-Nov. 11 levels within a couple of days.

"Srizbi was the spam king," Lanstein said. "And now it's back."

Much more to come tomorrow with the very interesting back story about how all this happened. Stay tuned.

Terrorists Came From Karachi via Sea to Mumbai

Via ExpressIndian.com -

Mumbai: The terrorists who attacked Mumbai came via sea routes from Karachi in Pakistan, according to an intelligence report.

The reports had warned that there could be a possible entry of terrorists into Mumbai through the sea route, a top police official claimed.

"This intelligence was available six months ago and subsequently a barge was found by the locals on Shrivardhan coast in Raigad district four months back," the official, who did not wish to be identified, said.

Locals feared that the barge might have contained explosives but nothing was found when customs and naval personnel inspected it.

The terrorists, who created havoc in Mumbai overnight, came by boats, Chief Minister Vilasrao Deshmukh has said.

Militants armed with automatic weapons and grenades attacked Taj and Oberoi hotels, hospitals and a famous tourist cafe in Mumbai late on Wednesday, killing more than 100 people.

* WHO IS BEHIND THE ATTACKS?

Witnesses say the attackers were young South Asian men speaking Hindi or Urdu, suggesting that they are probably members of an Indian militant group rather than foreigners.

The attacks were claimed by a previously unknown group calling itself the Deccan Mujahideen in an e-mail to news organisations. Deccan is an area of southern India.

Analysts say that while it is not clear whether the claim is genuine, the attacks were most likely carried out by a group called the Indian Mujahideen. The name used in the claim of responsibility suggests the attackers could be members of a south Indian offshoot or cell of the Indian Mujahideen.

* WHO ARE THE INDIAN MUJAHIDEEN?

Indian police say the Indian Mujahideen is an offshoot of the banned Students' Islamic Movement of India (SIMI), but that local Muslims appear to have been given training and backing from militant groups in neighbouring Pakistan and Bangladesh.

SIMI has been blamed by police for almost every major bomb attack in India, including explosions on commuter trains in Mumbai two years ago that killed 187 people.

Police said the Indian Mujahideen may also include former members of the Bangladeshi militant group Harkat-ul-Jihad al Islami.

-------------------------------

The Times of India is reporting...

"At least six foreigners have been killed and the death figure has gone up to 101 now," Ramesh Tayde, a senior police officer, said from Mumbai's control room.

Wednesday, November 26, 2008

India's Financial Hub Mumbai Under Multiple Terror Attacks

Via CT Blog -

Co-Editor's Update, 6:00 pm ET: "India Times" reports over 80 dead, 900+ injured, with the head of Mumbai's anti-terrorism squad killed. "Express India" reports over 100 dead. Official reports put the death toll at 78 with 200 injured. The BBC website has a map of the affected area. The "India Times" reports 7 foreigners are among 15 hostages at the Taj Mahal Hotel and that the Army has entered the Taj and the Trident (formerly the Oberoi) Hotels, and a fire continues to burn inside the Taj. Multiple outlets report that an unknown outfit, Deccan Mujahideen, claims that it carried out the attacks. Streaming live coverage video is available at the CNN IBN Live site. CNN IBN also reports 9 terrorists taken into custody across Mumbai, but no official confirmation yet. India Times has a chronology of terror attacks in India, which have killed over 600 in the past 6 years.

----------------------

Suspected Islamic terrorists have attacked at least eight places in Mumbai, the financial hub of India, on the evening of November 26. They fired indiscriminately and lobbed grenades around while making their way to hotels, railway stations and the airport. At least 60 people, many of them foreigners, have reportedly died and nearly 150 have been injured in these terror attacks. A Times of India report, quoting hospital sources, indicated that at least 80 people were dead and 250 injured in the terror attacks. There are unconfirmed reports of a hostage situation also in the Taj Mahal and Oberoi Hotels (with most foreign guests). The first incident of firing was reported at Leopold Cafe, a well-known watering hole for tourists and foreigners in Colaba. The second incident was near the Taj Mahal hotel, the third was near the Oberoi hotel in Nariman Point and the fourth one was at Chhatrapati Shivaji Terminus railway station. Also, a major blast was reported in Vile Parle in suburban Mumbai. As per the latest reports, around 15 people, half of them foreigners, have been taken hostage on the roof of the Taj Mahal Hotel.

The needle of suspicion is on the Lashkar-e-Toiba and Student Islamic Movement of India combine (now they are credibly calling and proving them to be the Indian Mujahideen terror group).

The incidents took place one day after the reported arrest of Lashkar-e-Toiba linked Raheel Sheikh by the Interpol in London. Raheel is one of the alleged masterminds of the conspiracy and was involved in the funding of the July 11, 2006, Mumbai serial train blasts that killed nearly 200 commuters and wounded over 500 people on that fateful day.

---------------------------

Thanks to Chris I. for the text message alerting me to this breaking news several hours ago....

I was driving to my parents' house for the holidays...

http://en.wikipedia.org/wiki/Lashkar-e-Toiba

http://en.wikipedia.org/wiki/Indian_Mujahideen

Pakistan & Russia Looking to Use UAVs

http://www.janes.com/news/defence/air/jdw/jdw081125_1_n.shtml

The Pakistan Air Force (PAF) will formally induct unmanned aerial vehicles (UAVs) into service for the first time in 2009, the chief of the PAF has told Jane's.

This comes five years after the PAF launched a programme to acquire UAVs for intelligence-gathering and reconnaissance operations.

------------------------------------------------------------------------------

http://www.janes.com/news/defence/jdw/jdw081124_2_n.shtml
Israel is to seek the approval of the US government for a potential sale of unmanned aerial vehicles (UAVs) to Russia, say sources, in what could mark the first Russian acquisition of advanced defence systems from Israel.

The requirement for reconnaissance UAVs stems from lessons learned by the Russian Army after the five-day war with Georgia in August over South Ossetia, in which Georgian forces operated Israeli Elbit Systems Hermes 450 medium-altitude long-endurance (MALE) UAVs.
"The Russians realised during the fighting in Georgia that they are years behind in the area of UAVs," an Israeli defence source told Jane's on 20 November.

Brazilian and Russian Military Cooperation Deepens

Via Jamestown Foundation -

According to Russia's Economic Development Ministry, Russia is negotiating to supply helicopters to the Forca Aerea Brasileira (Brazilian Air Force, or FAB). The Ministry noted in a statement, "In order to promote Russian helicopters, the Mi-171A helicopter has completed, and the Ka-32A helicopter is currently going through, the certification procedure in Brazil" (Interfaks-Agentstvo Voyennykh Novostei, November 19). The FAB is the largest air force in Latin America, operating 729 aircraft, including 165 fighters and 90 helicopters (www.fab.mil.br/portal/capa/index.php). The FAB does not currently operate a single Russian-built aircraft, though last year it considered the Sukhoi Su-35 fighter for its Project FX-2 fighter upgrade replacement program. What is notable about the FAB's aerial fleet is that Brazil's growing aeronautical industry is responsible for an increasing share of its planes, as 479 FAB aircraft, nearly 66 percent of the total, were manufactured or assembled in Brazil; they included 107 combat aircraft (65 percent) and 35 helicopters (38 percent). Just over half of the FAB helicopter fleet is American-made and consists of 43 Bell UH-1 Iroquois and three Bell 206 JetRangers. FAB also operates 10 Eurocopter AS-332 Cougars.

India Navy Defends Piracy Sinking

Via BBC -

The Indian navy has defended its action in sinking a ship near Somalia that maritime officials have confirmed was a hijacked Thai fishing boat.

The International Maritime Bureau said the Ekawat Nava 5 had been captured by pirates earlier in the day on 18 November and the crew was tied up.

One crewman was found alive after six days adrift but 14 are still missing.

The Indian navy said the ship was a pirate vessel in "description and intent" and had opened fire first.

[...]

Indian navy spokesman, Commander Nirad Sinha, told AFP news agency: "The vessel was similar in description to what was mentioned in various piracy bulletins.

"The Indian navy ship asked them to stop for investigation. On repeated calls, the vessel responded by saying it would blow up the Indian ship," he said.

"Pirates were seen roaming on the deck with rocket-propelled grenade launchers."

Commander Sinha insisted that the INS Tabar only opened fire after being fired upon, and that "exploding ammunition was also seen" on the target.

Noel Choong, who heads the International Maritime Bureau's (IMB) piracy reporting centre in Kuala Lumpur, Malaysia, confirmed the vessel was the Ekawat Nava 5.

"The Indian navy assumed it was a pirate vessel because they may have seen armed pirates on board the boat which had been hijacked earlier," Mr Choong told Associated Press.

"We are saddened with what has happened. It's an unfortunate tragedy. We hope that this incident won't affect the anti-piracy operation by the multi-coalition navies there," he said.

The owner of Ekawat Nava 5, Wicharn Sirichaiekawat, said his company had informed the IMB the boat had been hijacked and had asked for assistance.

The British navy confirmed the boat had been boarded and that any action could harm the crew.

The IMB sent an alert to other multi-coalition patrol vessels but Mr Choong said it was unclear whether the Indian vessel had received it as it had no direct IMB links.

Mr Choong urged more cooperation in the future.

Mr Wicharn said the boat had been headed from Oman to Yemen to deliver fishing equipment when it was approached by the pirates in two speedboats.

The Indian navy mistook the vessel for a pirate "mother ship", he said.

Mr Wicharn said he had learnt the fate of his trawler from a Cambodian crew member who had survived the bombardment and had been rescued by a passing ship after six days adrift in the Indian Ocean.

The sailor was now recovering in a hospital in Yemen, he said.

The survivor said all the crew were tied up except the captain and translator.

Mr Wicharn said the Thai foreign ministry had summoned the Indian ambassador to issue a complaint.

Tuesday, November 25, 2008

Jail Time Dropped in Dubai Beach Sex Trial

Via Yahoo! News -

A British couple convicted of having sex on a Dubai beach had their prison sentences suspended by an appeals court on Tuesday in a case that exposed a cultural divide in this glitzy Gulf boomtown.

Michelle Palmer and Vince Acors were convicted and sentenced to three months in prison in October for having sex outside of marriage, public indecency and drunkenness.

The Dubai Court of Appeals upheld the guilty verdict but dropped their prison sentences - though it ruled the couple must still be deported from the United Arab Emirates and pay a fine of about $272 each.

"This is a good result," said Hassan Matter, the couple's Dubai-based lawyer. "This means the law in Dubai is just and shows the judge has a good mind and a good heart."

The two Britons, who are both in their 30s, met at an all-you-can-drink champagne brunch before they were arrested in July. Both previously admitted they were drunk but denied having sex.

The case revealed a fault line between Dubai's expatriate majority and the city's conservative Arab, Muslim minority.

Public displays of affection are illegal in Dubai - a city that has worked hard to cultivate an image as a party hot spot for Western tourists and businesses in the Middle East but has a conservative legal code based on Islamic laws and tribal rules.

The couple's trial prompted at least one Dubai five-star hotel chain to issue an advisory for Western tourists on appropriate behavior.

The Jumeirah Group cautioned guests at the Medinat Jumeirah hotel that "drunken behavior, especially outside licensed premises in the hotel, is punished severely." It also recommended tourists be discreet with displays of affection in public.

"Anything more than a peck on the cheek could offend those around you and even possibly lead to police involvement," the advisory said.

---------------------------------

I am glad to hear the Dubai Court of Appeals has removed the jail time.....

Venezuela's Chavez Welcomes Russian Warships

Via Yahoo! News -

Russian warships sailed into port in Venezuela on Tuesday in a show of strength as Moscow seeks to counter U.S. influence in Latin America. Russia's first such deployment in the Caribbean since the Cold War is timed to coincide with President Dmitry Medvedev's visit to Venezuela, the first ever by a Russian president.

Russian sailors dressed in black-and-white uniforms lined up along the bow of the destroyer Admiral Chabanenko as it docked in La Guaira, near Caracas, and Venezuelan troops greeted them with cannons in a 21-gun salute. Two support vessels also docked, and the nuclear-powered cruiser Peter the Great, Russia's largest navy ship, anchored offshore.

Chavez, basking in the support of a powerful ally and traditional U.S. rival, wants Russian help to build a nuclear reactor, invest in oil and natural gas projects and bolster his leftist opposition to U.S. influence in the region.

He also wants weapons — Venezuela has bought more than $4 billion in Russian arms, including Sukhoi fighter jets, helicopters and 100,000 Kalashnikov rifles, and more deals for Russian tanks or other weaponry may be discussed after Medvedev arrives Wednesday.

Russia's ambitions in Latin America, however, may be checked by global events. Both Venezuela and Russia are feeling the pinch of slumping oil prices, and their ability to be major benefactors for like-minded leaders is in doubt given the pressures of the world's financial crisis.

The deployment of the naval squadron is widely seen as a demonstration of Kremlin anger over the U.S. decision to send warships to deliver aid to Georgia after its battles with Russia, and over U.S. plans for a European missile-defense system.

But U.S. officials mocked the show of force.

"Are they accompanied by tugboats this time?" U.S. State Department spokesman Sean McCormack joked to reporters in Washington. He noted that Russia's navy is but a shadow of its Soviet-era fleet.

"I don't think there's any question about ... who the region looks to in terms of political, economic, diplomatic and as well as military power," McCormack said. "If the Venezuelans and the Russians want to have, you know, a military exercise, that's fine. But we'll obviously be watching it very closely."

When Russia sent two strategic bombers to Venezuela in September, some drew comparisons to the Soviet Union's deployments to Cuba during the Cold War.

But both countries have shown signs of trying to engage President-elect Barack Obama, and Chavez told reporters that it's ludicrous to invoke the Cold War to describe these naval exercises.

"It's not a provocation. It's an exchange between two free countries," Chavez said Monday night.

Thousands At Risk After Hacker Breaches Luxottica Retail Mainframe

Via wlwt.com (Cincinnati) -

Thousands of people could be affected after a massive security breach at a local company.

A routine check by the information technology department of Luxottica Retail, the former owner of the Things Remembered stores, discovered the breach in mid-September.

A hacker got inside a computer mainframe and downloaded the personal information of more than 59,000 former workers.

"Basically, we have potential victims in all 50 states," Warren County Cyber Crimes Task Force Lt. Jeff Braley said.

The breach includes names, addresses and Social Security numbers.

Investigators were allegedly able to trace the hacker’s IP address to Molly Burns, of Glendale, Ariz.

"You not only see the criminal history this suspect has, but you see the ties that they have and that is much more worrisome," Braley said.

News 5 obtained the 30-year-old’s five-page long arrest record that includes theft, forgery and drug charges.

Police confiscated a number of computers from her apartment during a heroin raid this summer.

Investigators are now waiting on the results of a forensics exam before officially filing charges.

Officers said that Burns is currently on the run.

Warren County authorities said that three different police departments in Arizona are also looking for her.

The case is expected to be handed over to the FBI soon.

The company sent letters to all the former employees letting them know what happened.

In a statement, the company said it deeply regretted the incident and has improved its computer security so this doesn't happen again.

Google Chrome MetaCharacter URI Obfuscation Vulnerability

http://www.securiteam.com/windowsntfocus/6L00O1FN5S.html

Google Chrome is vulnerable to a URI obfuscation vulnerability. An attacker can easily perform malicious redirection by manipulating the browser functionality. The link cannot be traversed properly in the status address bar. This could facilitate the impersonation of legitimate web sites in order to steal sensitive information from unsuspecting users. A URI specified with the @ character, with or without a NULL character, causes the vulnerability.

Credit: The information has been provided by Aditya K Sood.

The original article can be found at: http://www.secniche.org/gcuri/index.html

Proof of Concept:
Link1: ftp://anoymous:guest@microsoft.com
Link2: [Without NULL] http://www.google.com@yahoo.com [Google --> Yahoo [Obfuscation]]
Link3: http://www.secniche.org@www.milw0rm.com [With NULL] SecNiche --> Milw0rm [Obfuscation]

-----------------------------------------------------

http://www.milw0rm.com/exploits/7226

Specifically tested on 0.4.154.25 [Latest]
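The three proof-of-concept links above all lean on URL userinfo syntax: everything between `//` and the last `@` is a username (and optional password), and the real host is whatever follows. The added example below is not part of the advisory or of Chrome; it uses Python's standard URL parser to show where each link actually goes and flags links whose userinfo looks like a site name, the kind of check a mail gateway or link scanner can apply. The NULL-character variant the advisory mentions is not reproduced, since its exact encoding is not given.

```python
from urllib.parse import urlsplit
import re

# Constructed sample: the three proof-of-concept links quoted in the advisory above.
POC_LINKS = [
    "ftp://anoymous:guest@microsoft.com",
    "http://www.google.com@yahoo.com",
    "http://www.secniche.org@www.milw0rm.com",
]

# Loose hostname shape (dotted labels, no spaces). Used only to decide whether
# the userinfo part *looks like* a site name to a human reading the link.
_HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def real_destination(link):
    """Return (username, hostname) as a standards-compliant parser sees them.

    In an authority like 'user:pass@host' everything before the last '@' is
    treated as credentials, so 'www.google.com@yahoo.com' connects to
    yahoo.com with the username 'www.google.com'.
    """
    parts = urlsplit(link)
    return parts.username, parts.hostname


def looks_deceptive(link):
    """Flag links whose userinfo resembles a hostname (the '@' obfuscation).

    Returns a (flagged, reason) tuple. Links without userinfo, or whose
    username is an ordinary account name, are not flagged.
    """
    username, host = real_destination(link)
    if username is None or host is None:
        return False, "no userinfo present"
    if _HOSTLIKE.match(username):
        return True, f"userinfo '{username}' looks like a site name; real host is {host}"
    return False, f"userinfo is an ordinary account name; real host is {host}"


if __name__ == "__main__":
    for link in POC_LINKS:
        flagged, reason = looks_deceptive(link)
        print(f"{'FLAG' if flagged else 'ok  '} {link}: {reason}")
```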

Synthetic Viruses Could Explain Animal-to-Human Jumps

Via Wired -

In a technical tour de force with potentially profound implications for the study of emerging diseases, researchers have built the largest-ever self-replicating organism from scratch.

The organism is a virus based on genome sequences taken from a bat-borne version of SARS, a lethal respiratory disease that jumped from animals to humans in 2002. The synthetic virus could help explain how SARS evolved, and the same approach could be used to investigate other species-hopping killers.

"This gives us a system to more quickly answer the questions of where a virus came from, of how to develop vaccines and treatments for a brand-new virus that leaps to humans like SARS did," said Vanderbilt University microbiologist Mark Denison.

Just a decade ago, artificially constructed viruses seemed like science fiction. But the field of synthetic biology has progressed with extraordinary rapidity. Six years ago, polio became the first virus to be synthesized. Three years ago, biologists reconstructed an influenza strain from the 1918 epidemic, in the process discovering what made it so lethal. The synthetic SARS virus is even more complicated than either of those creations. And as such research has progressed, concerns have intensified over viruses jumping from animals to people, then spreading rapidly through a globalized world of international travel and migration.

In some cases, scientists might — as with SARS — suspect the identity of the original animal virus, but not understand the murky process by which it became infectious in humans. In other cases, they might want to know what is needed for an existing animal virus to enter people. But it's not always easy to study viruses: many are impossible to grow in a lab, or known from just a few wild samples. That's when synthetic viruses could be useful.

"It can be very hard to study where a virus originally came from," said Denison. "If you start from where you think the virus was, and let the virus tell you where it's going, then you learn a tremendous amount about viral evolution and movement."

In the case of SARS, which killed nearly 800 people before being contained, scientists think it came from bats, but have been unable to keep the bat version alive in laboratory cell cultures.

Denison's team used the genetic sequence of bat SARS to build the virus. Bat SARS doesn't normally infect people, but the researchers added a critical tweak: a gene present only in the human version of the virus. The new version flourished in human cell cultures, suggesting that a mutation in the gene, known as Bat-SRBD, was responsible for SARS' lethal spread.

The new virus did not kill mice, however. Other genetic differences between the synthetic and natural strains can now be studied to learn what makes SARS so virulent, said Denison, and the technique applied to other viruses similar to SARS. These include the Ebola, Hanta, Nipah and Chikunguya viruses, all of which originated in animals and are lethal to people.

"You could get to a point where, within a couple weeks of an epidemic being identified, you've already grown and generated viruses for the study of immune response," said Denison.

Whether the technique is useful elsewhere remains be seen, but "there's a good possibility" that it will, said Peter Palese, a Mount Sinai Medical Center microbiologist. Palese edited the paper, published today in the Proceedings of the National Academy of Sciences, but was not involved in the research itself.

Even if it's experimental, he said, researchers need to try.

"If we were successful with conventional approaches," said Palese, "then they would have worked already."

Synthetic recombinant bat SARS-like coronavirus is infectious in cultured cells and in mice [PNAS]

Somali Pirates Hijack Yemeni Cargo Ship

Via Swissinfo.ch -

NAIROBI (Reuters) - Somali pirates have hijacked a Yemeni ship loaded with steel, officials said on Tuesday, and one of Asia's biggest shippers said it was diverting vulnerable vessels away from the dangerous Gulf of Aden.

Scores of attacks this year have brought the pirates millions of dollars in ransoms, hiked up shipping insurance costs, sent foreign navies rushing to the area, and left about a dozen boats with more than 200 hostages still in pirate hands.

[...]

Yemen's official SABA news agency said the Yemeni ship MV Adina was travelling from Mukalla port to the southern island of Socotra and had been due to dock on November 20 with 507 tonnes of steel.

Yemeni security sources said the authorities were in touch with the pirates, who were demanding a $2 million ransom.

The sources said the vessel was owned by Yemeni shipping firm Abu Talal and was carrying seven crew -- three Somalis, two Yemenis and two Panamanians.

Taiwan shipping company TMT, meanwhile, said it is re-routing 20 oil tankers via the Cape of Good Hope. TMT's fleet is regularly employed to ferry crude oil supplies to consumers in Europe and the United States.

[...]

Following the hijack of an Iranian-chartered ship last week, a senior Iranian government official was quoted as saying Tehran could use force against the buccaneers if needed.

In neighbouring Kenya, the United States military's Africa Command said it was worried the pirates may forge ties with terrorist groups but that it had no evidence of links between the hijackers and al Qaeda.

Africom commander General William Ward told a news conference in Nairobi that the international community was looking "very seriously" at piracy.

Germany could send up to 1,400 soldiers to the Gulf of Aden as part of a European Union force due to start operation next month, government sources in Berlin said.

The piracy has been fuelled by civil strife onshore, where the western-backed government is fighting Islamist insurgents.
-------------------------------------------

There were 15 ships with nearly 300 crew still in the hands of Somali pirates, who dock the hijacked vessels near the eastern and southern coast as they negotiate for ransom. That does not include the Yemeni cargo vessel.

Ships currently in the hands of the pirates include the Ukrainian ship hijacked with 33 T-72 tanks on board (hijacked in Oct 2008) and the giant Sirius Star oil tanker (hijacked in Nov 2008).

Ten Arrested in Afghan Acid Attack

Via NYTimes -

KABUL, Afghanistan — The police in Kandahar have arrested 10 Taliban militants they said were involved in an attack earlier this month on a group of Afghan schoolgirls whose faces were doused with acid, officials in Kandahar said Tuesday.

The officials said that the militants, who were Afghan citizens, had confessed to their involvement in the attack on the schoolgirls and their teachers on Nov. 12 and that a high-ranking member of the Taliban had paid the militants 100,000 Pakistani rupees for each of the girls they managed to burn.

The girls were assaulted Nov. 12 by two men on a motorcycle who were apparently irate that the girls dared to attend high school. The men drove up beside them and splashed their faces with what appeared to be battery acid.

Zalmay Ayobi, the spokesman for the governor of Kandahar, said that the orders to carry out the attack had been given from a foreign country, although he did not name the country.

The militants were arrested by the police last week. Mr. Ayobi said a joint delegation from the Interior Ministry and the office of the attorney general in the capital, Kabul, had arrived in Kandahar on Monday to evaluate the cases of the suspects.

The “Kabul delegation led by the deputy interior minister along with the governor of Kandahar announced today that the suspects confessed for their involvements for the acid attack on school girls in Kandahar city which happened on Nov 12,” Mr. Ayobi said.

Mr. Ayobi said Afghanistan’s public courts would decide the attackers’ fate after the investigation was completed.

At least two of the girls were hospitalized by the attack, with their faces blackened and burned.

Pamela Systems Security Breach Gives PayPal Phish the Personal Touch

Via The Register UK -

Skype users who use a piece of software dubbed Pamela to manage their online phone accounts should be on the lookout for customized phishing attacks following revelations that one or more user databases containing names and email addresses have been breached.

The attack, which took place last week, has already led to one phishing campaign that calls recipients by their real names and then tries to trick them into turning over personal information. That added personal touch could throw some users off guard because most phishing emails address their marks by generic terms such as "Dear PayPal User."

The online thieves managed to penetrate the defenses of Pamela Systems by exploiting a security hole in an unnamed application the website uses, Dick H. Schiferli, Pamela's founder and CEO told The Register. He declined to say how many of the site's users had their information stolen, or how many users have registered with his site. Pamela boasts 4.5 million downloads, although the number of registered users is probably much smaller.

Schiferli said his team was still in the process of contacting customers whose information was stolen.

"This is our first experience with something like this," he said. "We're taking this very seriously. We contacted PayPal last week." So far, they've yet to get a response.

The breach could prove valuable because ostensibly everyone in the user database uses Skype. That provides fraudsters with important leads and information to tailor scams. Pamela users who have received phishing emails are encouraged to post in the comments section of this story, or contact the reporter at the above contact link.

-------------------------------

This has the classic MO of SQLi (SQL Injection) - which is an all too common security issue.

The comment by Mr. Schiferli is quite telling...
"This is our first experience with something like this," he said. "We're taking this very seriously. We contacted PayPal last week." So far, they've yet to get a response.
Apparently not serious enough to test your application for security vulnerabilities before allowing millions of people to download and use it.

Every piece of software has security issues....and no single test will ever find all security problems...but putting your software through the security paces before moving it into production might have solved this vulnerability before it even left the gate.

This should not be your first run-in with a security vulnerability...and from the sound of it, it won't be your last.
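The pattern the commentary describes, a site's lookup query assembled from user input, is reproduced below as an added example (constructed here, not Pamela's code) against an in-memory SQLite table of names and e-mail addresses: the concatenated version hands back the whole table for a crafted input, the parameterized version returns nothing, and a small self-check shows the kind of pre-production test the commentary calls for.

```python
import sqlite3

# Constructed sample user table, standing in for a site's registered-user database.
SAMPLE_USERS = [
    ("alice", "Alice Example", "alice@example.test"),
    ("bob", "Bob Example", "bob@example.test"),
    ("carol", "Carol Example", "carol@example.test"),
]


def make_db():
    """Create an in-memory database holding the constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, login):
    """Lookup built by string concatenation: the input becomes part of the SQL text."""
    sql = "SELECT name, email FROM users WHERE login = '" + login + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, login):
    """Same lookup with a bound parameter: the input is only ever a value."""
    sql = "SELECT name, email FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def tautology_check(lookup, conn):
    """Pre-release check: an input that matches no login must return no rows.

    Returns True when the lookup behaves safely and False when the input was
    able to alter the query and widen the result set.
    """
    probe = "nobody' OR '1'='1"
    return len(lookup(conn, probe)) == 0


if __name__ == "__main__":
    db = make_db()
    probe = "nobody' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, probe))   # every row in the table
    print("safe      :", find_user_safe(db, probe))         # []
    print("vulnerable passes check:", tautology_check(find_user_vulnerable, db))  # False
    print("safe passes check      :", tautology_check(find_user_safe, db))        # True
```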

US Rolls Out 'Vicinity RFID' to Check IDs in Moving Vehicles

Via The Register UK -

RFID technology that allows the remote identification of travellers in moving vehicles is being rolled out at US land border crossings this month. Crossing points with Canada at Blaine, and with Mexico at Nogales, came online last week, with Buffalo, Detroit and San Ysidro to follow, and a total of 39 planned.

The system uses the US PASSport (People, Access Security Service) card, which is intended to operate within the Western Hemisphere Travel Initiative (WHTI) for US citizens entering the US via land and sea ports. Using "Vicinity RFID" it can read the cards from a healthy skimming distance of 20-30 feet, but according to the Department of Homeland Security this isn't a problem. The RFID chip on the card doesn't contain any personal information, only a unique identification number, and skimmers wouldn't have access to the data the number matches up with.

The system is intended to work like this. As a vehicle approaches the border post, the numbers of the cards inside it are read, and pictures and data on the holders are called up from a database. Then, presumably, the immigration officers check the faces of the passengers to make sure they match, and bust any who happen to be flagged as terrorists or loose criminals.

In addition to the PASSport card, some US states are beginning to issue Enhanced Driver's Licence/ID cards (EDL/ID), which have the PASSport RFID functionality added to a standard driver's license. These can also be used for land or sea entry to the US, but neither variety of card is valid elsewhere, or for WHTI air travel into the US. Obviously, they'd only be of any use at anybody else's border post if there were compatible readers there, and if the US had kindly shared its ID database with the relevant country.

So it's an internal passport system, one that's entirely incompatible with the biometric ID system that the US has gone to such pains to get the world to adopt. Were they only kidding, then?

Operation Swift: Crime Syndicate Busted in South Africa

Via iol.za (South Africa) -

A hi-tech Internet crime syndicate responsible for the theft of hundreds of millions of rands - from government departments, parastatals and financial institutions to computer spy programmes - has been bust.

The syndicate, which has operatives within banks and government departments, is alleged to be behind the theft of more than R400-million from bank accounts of the departments of home affairs and public works and the licensing department, several parastatals, and financial institutions and staff working in the various organisations over the past two years.

The gang of 13, who all operate from Pretoria, was bust last week during an operation conducted by the SA Police Service's Covert Intelligence Collective Directorate and the Commercial Crime Unit.

The week-long operation, dubbed Operation Swift, saw police detectives and undercover agents raiding houses throughout suburbs north of Pretoria.

The arrests bring an end to what has been described by well-placed police sources as the biggest cyber-crime attack on government organisations in the country.

The theft allegedly took place through fraudulent electronic fund transfers (EFTs) from the various institutions and their staff members' accounts since 2006, and saw the syndicate, comprising small business owners and IT specialists employed in both the government and private sector, siphoning off money to fictitious bank accounts.

Police spokesperson Senior Superintendent Tummi Golding said the syndicate had stolen more than R400-million in the past two years.

Explaining how the gang worked, she said the syndicate, which had unscrupulous government employees on its payroll, operated by infiltrating targeted departments and institutions, and installing spyware on IT systems.

"The spyware is used to collect the user name and passwords of users of the government salary systems. Once this information is compromised, it is used to effect fraudulent EFTs into bank accounts opened by runners using fraudulent documents."

Commenting on the arrests, Golding said police had raided the suspected ringleader's home in Mabopane last week.

Videotape of 9-11 Hijacker Reveals Al-Qaida Propaganda Efforts

Via NBC Deep Background -

Ziad Jarrah will forever be known as the 9-11 hijacker who deliberately crashed United Flight 93 into a field in Pennsylvania, killing a plane full of people just as they were bravely storming the cockpit.

But now videotape obtained by NBC News appears to confirm that Jarrah was stage-managed--and at times even prodded along by al-Qaida--during the early stages of the terrorist’s training.

The 9-11 Commission found that Jarrah was an odd fit for al-Qaida. The Beirut-born student was Westernized, and almost backed out of the plot at the last minute. “Jarrah clearly differed from the other hijackers in that he maintained much closer contact with his family and continued his intimate relationship with” his German girlfriend, the 9-11 Commission wrote. “These ties may well have caused him to harbor some doubts about going through with the plot, even as late as the summer of 2001.”

The videotape was shot in Afghanistan in late 1999 or January 2000, when investigators know that Jarrah and other members of the Hamburg cell traveled to Osama Bin Laden’s camps in Afghanistan for training and plot instructions. The unedited tape is meant to be Jarrah’s “martyrdom” video, in which he explains why he’s committed a terrorist act and killed himself and others.

But Jarrah frequently stumbles through his own martyrdom tape, and often can't maintain a serious tone. His al-Qaida handlers coach him, off-screen, to be more dramatic.

"This speech requires passions and enthusiasm," one of them scolds Jarrah off camera. “Start again!" the man scolds a bit later.

"Why didn’t you try a different approach? I mean another style," a second man chimes in. “Something for the Muslim youths…”

25th Chaos Communication Congress (25C3)

The 25th Chaos Communication Congress (25C3) is the annual four-day conference organized by the Chaos Computer Club (CCC). It takes place at the bcc Berliner Congress Center in Berlin, Germany. The Congress offers lectures and workshops on a multitude of topics and attracts a diverse audience of thousands of hackers, scientists, artists, and utopians from all around the world. The 25C3's slogan is "Nothing to hide".

25C3: Nothing to hide
25th Chaos Communication Congress
December 27th to 30th, 2008
bcc Berliner Congress Center, Berlin, Germany

Pharmacy Extortionists Take on CIA, DoD, FBI, NSA

Via Washington Post -

Extortionists targeting clients of Express Scripts -- one of the nation's largest pharmacy benefits management firms -- may have inadvertently picked a fight for which they were ill-prepared. Security Fix has learned that among the company's biggest customers is the federal government, and specifically almost every federal law enforcement, military and intelligence agency in the country.

Last month, St. Louis-based Express Scripts said extortionists are threatening to disclose personal and medical information about millions of Americans if the company fails to meet payment demands.

Express Scripts is the third-largest U.S. pharmacy benefit management firm, which processes and pays prescription drug claims. Working with more than 1,600 companies, it handles roughly 500 million prescriptions a year for about 50 million Americans.

The company has refused to pay the demand, and since then the extortionists have moved on to targeting clients of its member companies directly. The Fairfax County Public Schools system is among those known to have been contacted by the extortionists, but other than that, Express Scripts has been fairly tight-lipped about naming their customers.

According to the 2009 Association Benefit Plan, a fee-for-service plan for civilian active and retired employees of the following organizations and one of several plans available through the Federal Employees Health Benefits Program, employees at a laundry list of three-letter agencies are Express Scripts customers. They include:

Office of the Director of National Intelligence (ODNI)
Central Intelligence Agency (CIA)
Defense Intelligence Agency (DIA)
Department of Defense (DOD)
Department of Energy, Office of Intelligence and Counterintelligence
Department of Homeland Security, Office of Intelligence and Analysis
Department of Treasury, Office of Intelligence and Analysis
Drug Enforcement Administration, Intelligence Division
Federal Bureau of Investigation (FBI)
National Geospatial Intelligence Agency (NGA)
National Reconnaissance Office (NRO)
Office of Naval Intelligence
State Department
U.S. Air Force, Office of Intelligence and Air Intelligence Agency
U.S. Army, Office of Intelligence and Security Command
U.S. Coast Guard, Office of Intelligence and Criminal Investigations
U.S. Marine Corps, Office of Intelligence and Marine Intelligence Activity

The Association Benefit Plan is administered by Coventry Health Care of Gastonia, N.C., which acquired the plan when it bought out Mutual of Omaha's health plan coverage in April 2007.

Little wonder that Express Scripts is now offering a $1 million reward for information leading to the arrest and conviction of anyone who may be responsible for these attacks: Employees of the agency investigating the attack may be the target of this ongoing threat.

I shudder to think how much damage a creative criminal could do armed with the Social Security numbers and other sensitive information belonging to the nation's top intelligence officials.

Avocado: NASA's Titan Rain

Via BusinessWeek -

America's military and scientific institutions—along with the defense industry that serves them—are being robbed of secret information on satellites, rocket engines, launch systems, and even the Space Shuttle. The thieves operate via the Internet from Asia and Europe, penetrating U.S. computer networks. Some of the intruders are suspected of having ties to the governments of China and Russia, interviews and documents show. Of all the arms of the U.S. government, few are more vulnerable than NASA, the civilian space agency, which also works closely with the Pentagon and American intelligence services.

In April 2005, cyber-burglars slipped into the digital network of NASA's supposedly super-secure Kennedy Space Center east of Orlando, according to internal NASA documents reviewed by BusinessWeek and never before disclosed. While hundreds of government workers were preparing for a launch of the Space Shuttle Discovery that July, a malignant software program surreptitiously gathered data from computers in the vast Vehicle Assembly Building, where the Shuttle is maintained. The violated network is managed by a joint venture owned by NASA contractors Boeing (BA) and Lockheed Martin (LMT).

Undetected by the space agency or the companies, the program, called stame.exe, sent a still-undetermined amount of information about the Shuttle to a computer system in Taiwan. That nation is often used by the Chinese government as a digital way station, according to U.S. security specialists.

By December 2005, the rupture had spread to a NASA satellite control complex in suburban Maryland and to the Johnson Space Center in Houston, home of Mission Control. At least 20 gigabytes of compressed data—the equivalent of 30 million pages—were routed from the Johnson center to the system in Taiwan, NASA documents show. Much of the data came from a computer server connected to a network that tracks malfunctions that could threaten the International Space Station.

Seven months after the initial April intrusion, NASA officials and employees at the Boeing-Lockheed venture finally discovered the flow of information to Taiwan. Investigators halted all work at the Vehicle Assembly Building for several days, combed hundreds of computer systems, and tallied the damage. NASA documents reviewed by BusinessWeek do not refer to any specific interference with operations of the Shuttle, which was aloft from July 26 to Aug. 9, or the Space Station, which orbits 250 miles above the earth.

The startling episode in 2005 added to a pattern of significant electronic intrusions dating at least to the late 1990s. These invasions went far beyond the vandalism of hackers who periodically deface government Web sites or sneak into computer systems just to show they can do it. One reason NASA is so vulnerable is that many of its thousands of computers and Web sites are built to be accessible to outside researchers and contractors. Another reason is that the agency at times seems more concerned about minimizing public embarrassment over data theft than preventing breaches in the first place.

In 1998 a U.S.-German satellite known as ROSAT, used for peering into deep space, was rendered useless after it turned suddenly toward the sun. NASA investigators later determined that the accident was linked to a cyber-intrusion at the Goddard Space Flight Center in the Maryland suburbs of Washington. The interloper sent information to computers in Moscow, NASA documents show. U.S. investigators fear the data ended up in the hands of a Russian spy agency.

[...]

The agency refers internally to its efforts to stop intrusions linked to China under the code name "Avocado," according to interviews. Despite this formal recognition of the problem, at least some senior NASA officials have seemed determined publicly to minimize the seriousness of the security threat.

--------------------------------

The breaches keep happening...and happening ...and happening. Check out the full article for all the details.

Monday, November 24, 2008

More Details on the US Military USB Virus Threat

For a little bit of background, check this blog entry from Nov 21st, 2008.

According to Wired (Nov 19th)....

The problem, according to a second Army e-mail, was prompted by a "virus called Agent.btz." That's a variation of the "SillyFDC" worm, which spreads by copying itself to thumb drives and the like.

According to Sophos, the version of Agent.BTZ detected in 2007 does not infect other filesystems (which would include USB drives)...so the version detected by the military might be a new or customized version.

While keeping track of virus names can be very difficult (as different companies use different names for the same piece of malware), Kaspersky Labs seems to think that Agent.BTZ might have originally come out of China.

In my mind, we are looking at one of two scenarios....

  1. An employee (or consultant/contractor) became infected outside the military network and the malware was accidentally passed into the military network...by laptop or removable drive. This would mean it wasn't a direct attack using customized malware against the military network. The question of why anti-virus did not catch the bug quickly...would remain open.
  2. A group created a customized piece of malware (making it undetectable) and targeted the military network. The purpose might be to steal files and pull data out of the network....just like the attacks that have been made public in recent years.

But I am only taking an educated guess.....we may never know....

A "Grey Hat" Guide for Security Researchers

http://www.eff.org/issues/coders/grey-hat-guide

In counseling computer security researchers, I have found the law to be a real obstacle to solving vulnerabilities. The muddy nature of the laws that regulate computers and code, coupled with a series of abusive lawsuits, gives researchers real reason to worry that they might be sued if they publish their research or go straight to the affected vendor. By reporting the security flaw, the researcher reveals that she may have committed unlawful activity, which might invite a lawsuit or criminal investigation. On the other hand, withholding information means a potentially serious security flaw may go unremedied. I discuss this problem, and offer some ideas about what researchers can do about it, in a new document called "A 'Grey Hat' Guide". Constructive feedback is welcome, as I can use it to improve the paper.

Hydrogen Fuel Tank of the Future

Via newscientist.com -

If the hydrogen economy is ever going to become reality, we will need a way to store the stuff without having to compress it to dangerously high pressures. The gas could then be fed to fuel cells to power the phones, laptops and automobiles of the future.

Just such a technique may now be coming together in a Dutch lab, in the shape of a material in which billions of carbon buckyballs are sandwiched between sheets of graphene - another form of carbon.

The US Department of Energy reckons that to be viable, hydrogen stores should hold at least 6 per cent by weight of the gas. Until now, materials designed to do the job have fallen well short of this target. Metal hydrides which bind loosely to hydrogen can hold only 2 per cent. So the race is on to develop a molecular matrix that can store more.

Last month, George Froudakis and his team at the University of Crete in Greece reported that computer simulations of a layer cake of graphene sheets connected by hollow carbon nanotubes (see right) indicate that it could store 6.1 per cent of its weight in hydrogen (Nano Letters, vol 8, p 3166).

Now Dimitrios Gournis of the University of Groningen in the Netherlands has started to make this exotic sandwich. So far he has created a 40-layer structure in which the sheets are separated by buckyballs, and is aiming to replace these with the nanotubes envisaged by Froudakis by the end of the year. The next step will be to fill the structures with hydrogen to see whether Froudakis's predictions hold true.

BT Bans Talking About Phorm, Erases Earlier Discussions

Via Techdirt.com -

You may recall that BT was one of the bigger supporters of Phorm, the controversial clickstream tracking system that would allow ISPs like BT to insert their own behaviorally targeted ads into your web surfing. The company held extensive trials with the system, without letting users know that their clickstream data was being sold to advertisers in order to do more targeted advertising. Now that UK officials have decided that Phorm is legal, if clearly explained to consumers, BT has chosen a funny way to make sure there's clarity around the system. Slashdot points out that BT has apparently banned discussion of Phorm on its forums and erased earlier forum discussions about the technology. How's that for openness?

Is it really so hard to allow open discussion on such a topic? If BT believes that it's reasonable to use the technology, then why not explain why clearly, responding to the critics? The only reason to erase these discussions is if BT knows that what it's doing is highly questionable, and BT would rather not have to explain itself.

Hezbollah - An Imminent Danger?

Via CT Blog -

I wrote an article for the Middle East Times on Hezbollah's capabilities around the world. You can find the full article here.

Here is an excerpt:

CIA Director Michael Hayden said last week that al-Qaida was still the largest threat to the United States. He added, "If there is a major strike on this country, it will bear the fingerprints of al-Qaida."

But some analysts say that the focus should not go entirely on al-Qaida, stressing that the capabilities of the Shiite organization Hezbollah should not be underestimated.

Pre Sept. 11, 2001, Hezbollah was the organization believed to be responsible for the deaths of the largest number of Americans killed in terrorist attacks. Former Deputy Secretary of State Richard Armitage called Hezbollah "the A-team of terrorists, while al-Qaida may actually be the B-team."

Today in a context of major tension with Iran regarding its nuclear program, Iraq and Lebanon, just to mention a few, intelligence analysts warn that the Hezbollah threat against the West should not be taken off the radar.

Hezbollah is believed to maintain a vast network of operatives across the world; from Europe to Africa to the Middle East, to Latin America and even North America.

In Africa, and in particular in the predominantly Sunni Maghreb, extremist Shiites are making inroads. The threat of potential Shiite terrorism is something Morocco knows something about, having dismantled earlier this year a large terrorist cell known as the Belliraj network. Members of this cell included a correspondent of the Hezbollah-run Al-Manar TV. According to intelligence sources they were planning terror attacks in Morocco.

-----------------------------------------

According to the JPost...

Defense Minister Ehud Barak on Monday cautioned that Hizbullah had greatly improved its capabilities since the Second Lebanon War and was in possession of rockets that could reach as far south as Dimona. The defense minister also warned Beirut that the Shi'ite militia's integration into the Lebanese government could lead to extensive attacks on Lebanese infrastructure in the event of a military conflagration.

"Hizbullah has three times the ability it had before the Second Lebanon War and now has 42,000 missiles in its possession, as opposed to the 14,000 it had before the war," Barak said in a Knesset speech, warning that Hizbullah's recent maneuvers south of the Litani River were a liability for Lebanon. "In practice, UN Resolution 1701 isn't working, and Hizbullah's integration within the Lebanese republic exposes Lebanon and its infrastructures to a more massive hit in the event of a future standoff."