Thursday, December 31, 2009

Uranium Is So Last Century — Enter Thorium, the New Green Nuke

Via Wired.com (Dec 21, 2009) -

The thick hardbound volume was sitting on a shelf in a colleague’s office when Kirk Sorensen spotted it. A rookie NASA engineer at the Marshall Space Flight Center, Sorensen was researching nuclear-powered propulsion, and the book’s title — Fluid Fuel Reactors — jumped out at him. He picked it up and thumbed through it. Hours later, he was still reading, enchanted by the ideas but struggling with the arcane writing. “I took it home that night, but I didn’t understand all the nuclear terminology,” Sorensen says. He pored over it in the coming months, ultimately deciding that he held in his hands the key to the world’s energy future.

Published in 1958 under the auspices of the Atomic Energy Commission as part of its Atoms for Peace program, Fluid Fuel Reactors is a book only an engineer could love: a dense, 978-page account of research conducted at Oak Ridge National Lab, most of it under former director Alvin Weinberg. What caught Sorensen’s eye was the description of Weinberg’s experiments producing nuclear power with an element called thorium.

At the time, in 2000, Sorensen was just 25, engaged to be married and thrilled to be employed at his first serious job as a real aerospace engineer. A devout Mormon with a linebacker’s build and a marine’s crew cut, Sorensen made an unlikely iconoclast. But the book inspired him to pursue an intense study of nuclear energy over the next few years, during which he became convinced that thorium could solve the nuclear power industry’s most intractable problems. After it has been used as fuel for power plants, the element leaves behind minuscule amounts of waste. And that waste needs to be stored for only a few hundred years, not a few hundred thousand like other nuclear byproducts. Because it’s so plentiful in nature, it’s virtually inexhaustible. It’s also one of only a few substances that acts as a thermal breeder, in theory creating enough new fuel as it breaks down to sustain a high-temperature chain reaction indefinitely. And it would be virtually impossible for the byproducts of a thorium reactor to be used by terrorists or anyone else to make nuclear weapons.

Mysterious Life of Soviet Spy Couple Unveiled

Via LATimes.com (h/t to IntelNews.org) -

For five years, as the world convulsed with war, the unassuming Soviet couple rubbed elbows with the likes of Walt Disney and Orson Welles. They took in a private screening of "The Great Dictator," at the invitation of Charlie Chaplin.

Their son's earliest memories are set in Los Angeles -- the yellow house nestled in flower beds with a view of the Griffith Observatory; the animal crackers bought with the proceeds of a sidewalk lemonade stand; the author Theodore Dreiser drinking so much vodka that he crawled under the table.

Their handlers called them Zefir and Elza, and from Los Angeles they went on to roam undercover through dozens of countries, from Israel to Czechoslovakia, Soviet spies all the way.

Lost for decades in the shadows of Cold War spookery, the tale of Mikhail and Yelizaveta Mukasey has been blasted over state-controlled media this year. Yelizaveta's death this fall, as a 97-year-old widow, gave Russian officials the chance to trumpet the derring-do of the two star agents.

[...]

When their superiors suggested that the Mukaseys' children might be trained to follow their parents into espionage, the parents were appalled.

"They categorically said no," Mukasey said. "They said, 'We don't want our children to be far away like we were and to suffer like we did.' "

The couple's taste for show business stretched to the end of their lives. Upon returning to Moscow, Yelizaveta found work as a theater secretary and the two longtime spies installed themselves as fixtures on the arts scene. Mikhail died last year.

Anatoly, who established a career as one of Russia's most prominent cinematographers, said that at the end of their parents' lives, he and his sister pressed them: Why were other spies profiled on television while nobody mentioned the two of them?

"My father said, 'In our profession, son, only those who blow their cover become famous. And we never blew our cover. We never made an error.' "

Pandemic (H1N1) 2009 - Update

http://www.who.int/csr/don/2009_12_30/en/index.html

30 December 2009 -- As of 27 December 2009, worldwide more than 208 countries and overseas territories or communities have reported laboratory confirmed cases of pandemic influenza H1N1 2009, including at least 12220 deaths.

The most active areas of pandemic influenza transmission currently are in central and eastern Europe.

In North America, influenza transmission remains widespread but has declined substantially in all countries. Rates of hospitalization among cases aged 5-17 years and 18-49 years far exceeded rates observed during recent influenza seasons, while rates of hospitalization among cases aged >65 years were far lower than those observed during recent influenza seasons.

-------------------------------------

http://www.cdc.gov/flu/weekly/

During week 51 (December 20-26, 2009), influenza activity decreased slightly in the U.S.

  • 154 (3.9%) specimens tested by U.S. World Health Organization (WHO) and National Respiratory and Enteric Virus Surveillance System (NREVSS) collaborating laboratories and reported to CDC/Influenza Division were positive for influenza.
  • All subtyped influenza A viruses reported to CDC were 2009 influenza A (H1N1) viruses.
  • The proportion of deaths attributed to pneumonia and influenza (P&I) was above the epidemic threshold.
  • Four influenza-associated pediatric deaths were reported. Two of these deaths were associated with 2009 influenza A (H1N1) virus infection and two were associated with an influenza A virus for which the subtype was undetermined.
-------------------------------------

Via Virology Blog -

Reinfection with 2009 influenza H1N1

In healthy individuals, the first encounter with a virus leads to a primary antibody response. When an infection occurs with the same or a similar virus, a rapid antibody response occurs that is called the secondary antibody response. Antibodies are critical for preventing many viral infections, including influenza. But reinfection may occur if we encounter the same virus before the primary response is complete.

Iran Faces Nuclear Deal Deadline

Via aljazeera.net -

The deadline for Iran to agree to international demands that it ship its nuclear material abroad for enrichment is set to expire.

Iran has until Thursday to agree to the International Atomic Energy Agency (IAEA) proposal, designed to calm the fears of the US and its allies that Iran might use its nuclear programme to make a nuclear weapon.

Under the terms of the deal, Tehran would transfer its low-grade nuclear material abroad where it will be further enriched and returned to fuel a medical research reactor.

[...]

Kristen Saloomey, Al Jazeera's correspondent in New York, said efforts were under way to establish a multi-lateral approach to sanctions should Iran miss the deadline.

"Diplomatic sources tell Al Jazeera that the United States is considering a menu of sanctions," she said.

"Those could be imposed on Iran by the United Nations if they can get the entire five permanent, veto-wielding members of the Security Council to agree to them, or could be imposed unilaterally by the United States and by its European allies.

"As for what sanctions might be considered, the United States is reportedly looking at targeting the oil sector with an eye towards destabilising Iran's economy.

"Of course, it must tread very carefully here - it doesn't want to be seen as hurting the Iranian people or interfering in any way in Iran's domestic affairs."

CIA Confirms Seven Killed by Afghan Suicide Bomb

Via BBC -

Seven CIA agents were killed in a bomb attack in Afghanistan, the US agency's director, Leon Panetta, has confirmed.

A bomber wearing an explosive vest entered Forward Operating Base Chapman in Khost Province, near Pakistan.

A Taliban spokesman said a member of the group working for the Afghan army had carried out the attack.

Earlier reports said eight CIA agents had been killed in the attack - the worst against US intelligence officials since 1983.

The attack has raised questions about the coalition's ability to protect itself against infiltrators, analysts say.

Paying tribute to the fallen, Mr Panetta said six other agents were injured in Wednesday's attack at the Forward Operating Base in Khost Province.

"Those who fell yesterday were far from home and close to the enemy, doing the hard work that must be done to protect our country from terrorism," he said.

"We owe them our deepest gratitude, and we pledge to them and their families that we will never cease fighting for the cause to which they dedicated their lives - a safer America."

Taliban spokesman Zabiullah Mujahid told the BBC the Khost bomber was wearing an army uniform when he managed to breach security at the base, detonating his explosives belt in the gym.

----------------------------

As I noted in June 2009, it is extremely rare for the names of those killed in action to be released. But this year, the CIA revealed the identity of a clandestine officer killed in Ethiopia in 2003. Even now, only 30 names are known out of the more than 90 stars on the CIA Memorial Wall.

Yemeni Forces Raid Al-Qaeda Hideout

Via Freep.com -

Yemeni forces raided an Al Qaeda hideout and set off a gun battle today as the government vowed to eliminate the group that claimed it was behind the Christmas bombing attempt on a U.S. airliner on approach to Detroit.

The fighting took place in an Al Qaeda stronghold in western Yemen, haven for a group that attacked the U.S. Embassy here in 2008, killing 10 Yemeni guards and four civilians. A government statement said at least one suspected militant was arrested during the clashes.

"The (Interior) Ministry will continue tracking down Al Qaeda terrorists and will continue its strikes against the group until it is totally eliminated," Deputy Interior Minister Brig. Gen. Saleh al-Zawari told senior military officials at a meeting in Mareb, another province believed to shelter Al Qaeda fighters.

Al Qaeda in the Arabian Peninsula, an offshoot of Osama bin Laden’s group, claimed it was behind the attempt to bomb a Detroit-bound airliner. Nigerian Umar Farouk Abdulmutallab, a 23-year-old passenger, was arrested Friday after he allegedly tried to bring down the Northwest Airlines flight, carrying 289 people.

U.S. investigators said Abdulmutallab told them he received training and instructions from Al Qaeda operatives in Yemen. Yemen’s government has said Abdulmutallab spent two periods in the country, from 2004-2005 and from August to December of this year, just before the attempted attack.

Abdulmutallab’s Yemen connection has drawn attention to Al Qaeda’s growing presence in the impoverished and lawless country, which is located on the tip of the Arabian Peninsula across the Gulf of Aden from Somalia.

Wednesday’s clashes took place in Hudaydah province, an Al Qaeda stronghold along the Red Sea coast. A security official said the target was a house owned by an Al Qaeda sympathizer. The official said the owner was arrested, a suspected Al Qaeda member was injured and several militants who fled were being pursued. He spoke on condition of anonymity because he was not authorized to speak to the press.

Wednesday, December 30, 2009

26C3: Protection Against Flash Security Holes

Via h-online.com -

Felix "FX" Lindner of Recurity Labs presented his open source "Blitzableiter" (lightning rod) project at the 26th Chaos Communication Congress (26C3). The tool analyses and cleans up Flash code before playback and is designed to prevent security holes in Adobe Flash from being exploited. Flash is one of the most commonly used points of entry for attackers who try to compromise PCs during visits to web pages.

To prevent the frequently recurring security issues in Adobe's software from being exploited, the Blitzableiter tool checks SWF files for their integrity. Embedded ActionScript code is detected, analysed and cleaned up. The wrapper can also verify whether embedded objects such as JPEG images comply with the specification.

However, Flash malware tends to use the multimedia format within its specification, for example to simulate clicks on ads or redirect users to pages that try to make them install alleged virus scanners which turn out to be scareware. To prevent this, the wrapper redirects certain security-related function calls, such as ActionGetURL2 for opening web pages, to its own code, which can then monitor its use with mechanisms such as a same origin policy. The tool can reportedly even prevent CSRF attacks that, for instance, allow small Flash movies to secretly reconfigure a router.

To ensure that Blitzableiter was doing its job well, the security expert checked it with 20 real, functionally different exploits. None of them slipped through the tool's net. One problem with the concept is, however, that legitimate Flash files may no longer function correctly; in a test involving a set of 95,000 SWF files, 92 per cent passed the format check, but only 82 per cent survived the entire debugging procedure. However, larger Flash portals such as YouTube or YouPorn remain functional without restrictions, said Lindner.
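The format check described above starts with the SWF container itself. The following is an added example, not Blitzableiter's code: it parses the SWF header and tag list, rejects files whose declared length or tag lengths do not match the bytes actually present, and reports whether the file carries ActionScript (DoAction or DoABC tags). The sample SWF at the bottom is constructed here for the demonstration.

```python
"""Structural integrity checks on an SWF file (added example, not Blitzableiter's code)."""
import struct
import zlib
from typing import Dict, List

# Tag codes from the SWF specification.
END, SHOW_FRAME, SET_BACKGROUND, DO_ACTION, DO_ABC = 0, 1, 9, 12, 82
SCRIPT_TAGS = {DO_ACTION, DO_ABC}


def _rect_size(data: bytes, offset: int) -> int:
    """Byte length of the bit-packed RECT at offset: 5 bits Nbits, then 4*Nbits bits."""
    nbits = data[offset] >> 3
    return (5 + 4 * nbits + 7) // 8


def inspect_swf(data: bytes) -> Dict[str, object]:
    """Walk the header and tag stream; raise ValueError on any structural inconsistency."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an SWF: bad signature")
    version = data[3]
    declared_len = struct.unpack_from("<I", data, 4)[0]
    body = data[8:]
    if data[:3] == b"CWS":
        body = zlib.decompress(body)  # declared length refers to the uncompressed file
    if declared_len != 8 + len(body):
        raise ValueError(f"length mismatch: header says {declared_len}, file has {8 + len(body)}")
    pos = _rect_size(body, 0)   # frame size RECT
    pos += 4                    # frame rate (UI16, 8.8 fixed) + frame count (UI16)
    tags: List[int] = []
    while True:
        if pos + 2 > len(body):
            raise ValueError("tag stream runs past end of file")
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:      # long form: a UI32 length follows the header
            if pos + 4 > len(body):
                raise ValueError("truncated long tag header")
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        if pos + length > len(body):
            raise ValueError(f"tag {code} claims {length} bytes beyond end of file")
        pos += length
        tags.append(code)
        if code == END:
            break
    return {
        "version": version,
        "tags": tags,
        "has_actionscript": any(t in SCRIPT_TAGS for t in tags),
    }


# --- constructed sample input ------------------------------------------------

def _rect(xmax: int, ymax: int, nbits: int = 15) -> bytes:
    """Pack a RECT (Xmin=0, Xmax, Ymin=0, Ymax) MSB-first as the SWF spec does."""
    bits = f"{nbits:05b}" + "".join(f"{v:0{nbits}b}" for v in (0, xmax, 0, ymax))
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def _tag(code: int, payload: bytes = b"") -> bytes:
    """Encode one short-form tag (payload shorter than 63 bytes)."""
    return struct.pack("<H", (code << 6) | len(payload)) + payload


def build_sample_body(with_script: bool) -> bytes:
    """Stage 550x400 px (twips), 12 fps, one frame, optional empty DoAction tag."""
    body = _rect(11000, 8000) + struct.pack("<HH", 12 << 8, 1)
    body += _tag(SET_BACKGROUND, b"\xff\xff\xff")
    if with_script:
        body += _tag(DO_ACTION, b"\x00")   # single ActionEndFlag
    return body + _tag(SHOW_FRAME) + _tag(END)


def assemble_swf(body: bytes, compress: bool = False, version: int = 8) -> bytes:
    """Prepend the 8-byte header; the length field always counts the uncompressed file."""
    payload = zlib.compress(body) if compress else body
    return (b"CWS" if compress else b"FWS") + bytes([version]) + struct.pack("<I", 8 + len(body)) + payload


if __name__ == "__main__":
    print(inspect_swf(assemble_swf(build_sample_body(True))))
```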

DECAF 2 Launched, Takes on More Than Just COFEE

Via thetechherald.com -

DECAF has returned, and COFEE is not the only forensic set that it will monitor. After the first version of DECAF was pulled on December 18, with a notice that it was all a “stunt”, anyone who downloaded the software discovered it wasn’t working. Now it’s back, with new features, and an explanation as to why it was really pulled. Legal fears.

[...]

The removal caused issues, the statement noted, including a DoS attack on the site. After that, another researcher and programmer (SoldierX) reactivated DECAF and enabled it for use. There was also talk about a phone home feature, which wasn’t at all malicious as originally speculated.

“We were going to use the phone home feature to notify private tracker admins of a seeder/node who had COFEE ran on his/her machine. This feature was not complete before release but we did have it semi-working, hence the COFEE usage reporting…We decided v2 will not report usage back. We also do not perform automated version checking,” the statement said.

The new version of DECAF will monitor for the usage of Microsoft COFEE. At the same time it will also watch for Helix, EnCase, Passware, ElcomSoft, FTK Imager Port, Forensic Toolkit, ISOBuster, and ophcrack. In addition, users can add their own custom signatures, as well as CD-Rom monitoring and the ability to execute files, to disable the device where the signatures were found, and start-up in monitor mode.

Tools like DECAF can be used by criminals, but so can tools like TrueCrypt. Does that mean TrueCrypt is something to be shunned? If not, then why shun DECAF? A tool is just a tool; the person using it determines its risk. The automation of evidence collection with tools is nice, but most experts will tell you that those tools are only one part of the process.

GSM A5/1 Cellphone Encryption Code Is Divulged

Via NYTimes.com -

A German computer engineer said Monday that he had deciphered and published the secret code used to encrypt most of the world’s digital mobile phone calls, saying it was his attempt to expose weaknesses in the security of global wireless systems.

The action by the encryption expert, Karsten Nohl, aimed to question the effectiveness of the 21-year-old G.S.M. algorithm, a code developed in 1988 and still used to protect the privacy of 80 percent of mobile calls worldwide. (The abbreviation stands for global system for mobile communication.)

“This shows that existing G.S.M. security is inadequate,” Mr. Nohl, 28, told about 600 people attending the Chaos Communication Congress, a four-day conference of computer hackers that runs through Wednesday in Berlin. “We are trying to push operators to adopt better security measures for mobile phone calls.”

The G.S.M. Association, the industry group based in London that devised the algorithm and represents wireless companies, called Mr. Nohl’s efforts illegal and said they overstated the security threat to wireless calls.

“This is theoretically possible but practically unlikely,” said Claire Cranton, an association spokeswoman. She said no one else had broken the code since its adoption. “What he is doing would be illegal in Britain and the United States. To do this while supposedly being concerned about privacy is beyond me.”

Some security experts disagreed. While the disclosure does not by itself threaten the security of voice data, one analyst said companies and governmental organizations should take the same steps to ensure the security of their wireless conversations as they do with antivirus software for computer files.

“Organizations must now take this threat seriously and assume that within six months their organizations will be at risk unless they have adequate measures in place to secure their mobile phone calls,” said Stan Schatt, a vice president for health care and security at the technology market researcher ABI Research in New York.

Tuesday, December 29, 2009

Microsoft Claims IIS Semicolon Issue is Inconsistency, Not Vulnerability

http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx

We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.

What we have seen is that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs. It’s this inconsistency that the claims have focused on, saying this enables an attacker to bypass content filtering software to upload and execute code on an IIS server.

The key in this is the last point: for the scenario to work, the IIS server must already be configured to allow both “write” and “execute” privileges on the same directory. This is not the default configuration for IIS and is contrary to all of our published best practices. Quite simply, an IIS server configured in this manner is inherently vulnerable to attack.

----------------------------------

Well, Microsoft should still fix the vulnerability...errr, I mean inconsistency.

New Spyplane Lands in Afghanistan, Ready to Snoop

Via Wired.com (Danger Room) -

For years, troops in Afghanistan have been short of some crucial assets: Helicopters, blast-resistant trucks and eyes in the sky. But with the influx of new boots on the ground, the Afghanistan theater has the arrival of more gear.

The newest addition: The MC-12W, the Air Force’s new piloted surveillance plane. According to an Air Force news release, the newest MC-12W – tail number 090623, for all you planespotters out there — arrived two days ago at Bagram Airfield, the main U.S. hub for central and eastern Afghanistan. The aircraft is part of a new unit, the 4th Expeditionary Reconnaissance Squadron, which will operate an undisclosed number of the aircraft over Afghanistan.

Like the Mine-Resistant Ambush Protected vehicle, the MC-12W is the result of a crash procurement effort. The surveillance planes are secondhand Hawker Beechcraft C-12s outfitted with full-motion video and signals intelligence sensors. According to Caitlin Harrington of Jane’s, “Project Liberty” is slated to cost just under $1 billion; it will involve the procurement of a total of 37 MC-12Ws, plus the stand-up of intelligence fusion centers on the ground to analyze the data collected by the aircraft.

Secretary of Defense Robert Gates, who famously complained in 2008 that getting intelligence, surveillance and reconnaissance assets to theater was like “pulling teeth,” praised Project Liberty as a model for a more rapid and responsive military acquisition.

And more aircraft are on the way. Lolita Baldor of the Associated Press, quoting Air Force Lt. Gen. David Deptula, reported recently that six of the turboprop aircraft are now in the skies over Iraq; the Air Force plans to have a total of 30 in Iraq and Afghanistan by the late summer of 2010.

Monday, December 28, 2009

First Case of Drug-Resistant TB Discovered in U.S.

Via NewsMax.com -

It started with a cough, an autumn hack that refused to go away.

Then came the fevers. They bathed and chilled the skinny frame of Oswaldo Juarez, a 19-year-old Peruvian visiting to study English. His lungs clattered, his chest tightened and he ached with every gasp. During a wheezing fit at 4 a.m., Juarez felt a warm knot rise from his throat. He ran to the bathroom sink and spewed a mouthful of blood.

I'm dying, he told himself, "because when you cough blood, it's something really bad."

It was really bad, and not just for him.

Doctors say Juarez's incessant hack was a sign of what they have both dreaded and expected for years — this country's first case of a contagious, aggressive, especially drug-resistant form of tuberculosis. The Associated Press learned of his case, which until now has not been made public, as part of a six-month look at the soaring global challenge of drug resistance.

Juarez's strain — so-called extremely drug-resistant (XXDR) TB — has never before been seen in the U.S., according to Dr. David Ashkin, one of the nation's leading experts on tuberculosis. XXDR tuberculosis is so rare that only a handful of other people in the world are thought to have had it.

"He is really the future," Ashkin said. "This is the new class that people are not really talking too much about. These are the ones we really fear because I'm not sure how we treat them."

Forty years ago, the world thought it had conquered TB and any number of other diseases through the new wonder drugs: Antibiotics. U.S. Surgeon General William H. Stewart announced it was "time to close the book on infectious diseases and declare the war against pestilence won."

Today, all the leading killer infectious diseases on the planet — TB, malaria and HIV among them — are mutating at an alarming rate, hitchhiking their way in and out of countries. The reason: Overuse and misuse of the very drugs that were supposed to save us.

26C3: GSM: SRSLY?

http://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html

The world's most popular radio system has over 3 billion handsets in 212 countries and not even strong encryption. Perhaps due to cold-war era laws, GSM's security hasn't received the scrutiny it deserves given its popularity. This bothered us enough to take a look; the results were surprising.

From the total lack of network to handset authentication, to the "Of course I'll give you my IMSI" message, to the iPhone that really wanted to talk to us. It all came as a surprise – stunning to see what $1500 of USRP can do. Add a weak cipher trivially breakable after a few months of distributed table generation and you get the most widely deployed privacy threat on the planet.

Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS'ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever.

---------------------------

Hat-tip to Dave @ Liquidmatrix Security Digest
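The "weak cipher" this talk and the NYTimes piece above refer to is A5/1. As an added example (not code from the talk, the article or any project named here), the generator below follows the long-public A5/1 description: three LFSRs of 19, 22 and 23 bits, majority clocking, a 64-bit key and a 22-bit frame number. The key and frame number used as sample input are the published test values of the 1999 reference implementation; the small key and state sizes are what make precomputed-table attacks on the keystream feasible.

```python
"""A5/1 keystream generator (added example, written from the public algorithm description)."""
from typing import Tuple

# Register widths, feedback taps, clocking bits and output bits (bit 0 is the LSB).
R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF   # 19, 22, 23 bits
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080   # bits 18,17,16,13 / 21,20 / 22,21,20,7
R1_MID, R2_MID, R3_MID = 1 << 8, 1 << 10, 1 << 10          # majority-clocking bits
R1_OUT, R2_OUT, R3_OUT = 1 << 18, 1 << 21, 1 << 22         # output (most significant) bits


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _clock_one(reg: int, mask: int, taps: int) -> int:
    """Shift one LFSR left by one bit, feeding back the parity of its tapped bits."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    def __init__(self, key: bytes, frame: int) -> None:
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 takes a 64-bit key and a 22-bit frame number")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):             # load the key, LSB of each byte first
            self._clock_all()
            bit = (key[i // 8] >> (i & 7)) & 1
            self.r1 ^= bit; self.r2 ^= bit; self.r3 ^= bit
        for i in range(22):             # then the frame number
            self._clock_all()
            bit = (frame >> i) & 1
            self.r1 ^= bit; self.r2 ^= bit; self.r3 ^= bit
        for _ in range(100):            # 100 majority-clocked steps with discarded output
            self._clock()

    def _clock_all(self) -> None:
        self.r1 = _clock_one(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _clock_one(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _clock_one(self.r3, R3_MASK, R3_TAPS)

    def _clock(self) -> None:
        """Majority rule: a register steps only if its clocking bit agrees with the majority."""
        b1, b2, b3 = bool(self.r1 & R1_MID), bool(self.r2 & R2_MID), bool(self.r3 & R3_MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = _clock_one(self.r1, R1_MASK, R1_TAPS)
        if b2 == maj:
            self.r2 = _clock_one(self.r2, R2_MASK, R2_TAPS)
        if b3 == maj:
            self.r3 = _clock_one(self.r3, R3_MASK, R3_TAPS)

    def _output_bit(self) -> int:
        return _parity(self.r1 & R1_OUT) ^ _parity(self.r2 & R2_OUT) ^ _parity(self.r3 & R3_OUT)

    def keystream(self, nbits: int = 114) -> bytes:
        """Produce nbits of keystream, packed MSB-first into bytes."""
        out = bytearray((nbits + 7) // 8)
        for i in range(nbits):
            self._clock()
            out[i // 8] |= self._output_bit() << (7 - (i & 7))
        return bytes(out)


def gsm_burst_keystreams(key: bytes, frame: int) -> Tuple[bytes, bytes]:
    """The two 114-bit keystream blocks of one frame: network-to-phone, then phone-to-network."""
    cipher = A51(key, frame)
    return cipher.keystream(114), cipher.keystream(114)


# Sample input: the reference implementation's published test key and frame number.
TEST_KEY = bytes([0x12, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF])
TEST_FRAME = 0x134

if __name__ == "__main__":
    a_to_b, b_to_a = gsm_burst_keystreams(TEST_KEY, TEST_FRAME)
    print("A->B:", a_to_b.hex(), " B->A:", b_to_a.hex())
```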

Eight Basic Rules to Implement Secure File Uploads

https://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/

The IIS semicolon file extension issue prompted me to jot down some of the rules to implement file uploads securely. This is in particular complex as there is usually no easy way to validate the content of the file.

The overall goal is to build a set of defensive layers that tightly control the process of uploading the file and later retrieval of the file. The user will always interact indirectly with the file and never directly access the file system without application control.

---------------------

Microsoft has released a note on their MSRC blog regarding the new vulnerability.

AQAP Claims Responsibility for Failed Christmas Day Attack

Via CNN -

Al Qaeda in the Arabian Peninsula claimed responsibility for the attempted Christmas Day terrorist attack on a plane about to land in the United States, saying it was in retaliation for alleged U.S. strikes on Yemeni soil.

In a message written in Arabic, dated Saturday and published Monday on radical Islamist Web sites, the group hailed the "brother" who carried out the "heroic attack."

The group said it tested a "new kind of explosives" in the attack, and hailed the fact that the explosives "passed through security."

"There was a technical problem that resulted in a non-complete explosion," the message said.

----------------------------

The NEFA Foundation has a translation of the official communique....
http://www.nefafoundation.org/miscellaneous/nefaAQIYChristmas1209.pdf

For more information on Umar Farouk Abdulmutallab, check out this BBC profile... http://news.bbc.co.uk/2/hi/americas/8431530.stm

Sunday, December 27, 2009

Microsoft IIS ASP Multiple Extensions Security Bypass

http://secunia.com/advisories/37831/

Soroush Dalili has discovered a vulnerability in Microsoft Internet Information Services (IIS), which can be exploited by malicious people to potentially bypass certain security restrictions and compromise a vulnerable system.

The vulnerability is caused due to the web server incorrectly executing e.g. ASP code included in a file having multiple extensions separated by ";", only one internal extension being equal to ".asp" (e.g. "file.asp;.jpg"). This can be exploited to potentially upload and execute arbitrary ASP code via a third-party application using file extensions to restrict uploaded file types.

---------------------------

Original Advisory PDF
http://soroush.secproject.com/downloadable/iis-semicolon-report.pdf
Works successfully on IIS 6 and prior versions – IIS7 has not been tested yet – does not work on IIS7.5
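The SANS rules above and this advisory describe the same defensive layer: the upload handler must validate the whole filename and the content, and never let the client decide what lands on disk. The following is an added example, not code from the SANS post or the advisory, written in Python with a constructed image-only whitelist; it shows the last-extension check the advisory defeats beside a hardened check that also rejects inner script extensions such as "file.asp.jpg", stores under a random server-side name, and checks the file's leading bytes against its claimed type.

```python
"""Upload validation that closes the multi-extension gap (added example)."""
import re
import secrets
from typing import Optional

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}    # assumed image-only upload endpoint
SCRIPT_EXTENSIONS = {"asp", "aspx", "asa", "cer"}      # IIS script handlers; extend for your server
MAGIC = {                                              # leading bytes of each allowed format
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}
# Letters, digits, '_' and '-' in every segment; no ';', ':', '/', '\\', spaces or NUL.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}(?:\.[A-Za-z0-9_-]{1,64})*\.[A-Za-z0-9]{1,8}")


def weak_extension_check(filename: str) -> bool:
    """The check the advisory defeats: only the text after the last dot is inspected,
    so "shell.asp;.jpg" passes as a JPEG even though IIS 6 executes it as ASP."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def hardened_extension_check(filename: str) -> bool:
    """Whitelist the entire name and every dot-separated segment, not just the tail."""
    if len(filename) > 120 or not SAFE_NAME.fullmatch(filename):
        return False
    segments = filename.lower().split(".")
    if any(seg in SCRIPT_EXTENSIONS for seg in segments):   # catches "shell.asp.jpg"
        return False
    return segments[-1] in ALLOWED_EXTENSIONS


def content_matches_extension(data: bytes, ext: str) -> bool:
    """Cheap content layer: the bytes must at least begin like the claimed format."""
    return data.startswith(MAGIC[ext])


def accept_upload(filename: str, data: bytes) -> Optional[str]:
    """Return the server-side name to store under, or None to reject.
    The stored name is random, so the client never chooses the path on disk."""
    if not hardened_extension_check(filename):
        return None
    ext = filename.lower().rsplit(".", 1)[-1]
    if not content_matches_extension(data, ext):
        return None
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ("holiday-2009.jpg", "shell.asp;.jpg", "shell.asp.jpg", "../holiday.jpg"):
        print(f"{name:20} weak={weak_extension_check(name)!s:5} hardened={hardened_extension_check(name)}")
```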

South Korea to Build First Nuclear Reactors in UAE

Via NYTimes -

The United Arab Emirates said Sunday that it had chosen a South Korean-led consortium for a $20 billion contract to create the first nuclear power reactors in the Middle East.

The Korean consortium beat out a General Electric-Hitachi team and a French consortium that included Électricité de France and Areva.

The deal, one of the largest in the energy sector this year, comes amid a resurgence of nuclear power projects and had involved high-profile lobbying from officials including the presidents Nicolas Sarkozy of France and Lee Myung-bak of South Korea.

The deal went forward after the U.A.E. signed an agreement with Washington on Dec. 17 to alleviate proliferation concerns. The Arab country, a federation of seven Gulf principalities, agreed in that protocol that it would not enrich uranium or reprocess spent fuel.

After a decade of strong growth, the U.A.E., a leading oil producer, is seeking to modernize its utilities sector and diversify its energy sources. It imports most of the natural gas that it burns to generate electricity and using its own oil would reduce amounts available for export.

Under the deal announced in Abu Dhabi on Sunday, Korea Electric Power will lead a group that includes Westinghouse, the American subsidiary of Toshiba, in designing, building and helping to operate four 1,400-megawatt nuclear power plants for the Emirates Nuclear Energy Corporation. The first of the third-generation units is supposed to be online in 2017, with the others providing electricity to the grid by 2020.

Saturday, December 26, 2009

High Explosive PETN Used In Failed Flight 253 Terror Plot

Via politico.com -

The U.S. charged a 23-year-old Nigerian man with attempting to destroy a Northwest Airlines aircraft on its final approach to Detroit Metropolitan Airport on Christmas Day, and with placing a destructive device on the aircraft, the Justice Department announced.

The announcement said the device contained PETN (pentaerythritol), which the Justice Department called “a high explosive.”

“FBI agents recovered what appear to be the remnants of the syringe from the vicinity of Abdulmutallab’s seat, believed to have been part of the device,” the release added.

U.S. Charges Suspect in Foiled Plane Attack, Eyeing Link to AQAP

Via NYTimes.com -

The 23-year-old Nigerian man who was charged on Saturday with trying to blow up a Detroit-bound airliner on Christmas told investigators he had obtained explosive chemicals from a bomb expert in Yemen associated with Al Qaeda in the Arabian Peninsula, a law enforcement official said.

Authorities have not independently corroborated the Yemen connection claimed by the suspect, Umar Farouk Abdulmutallab, who was burned in his failed attempt to bring down the airliner. But the law enforcement official said the suspect’s account was “plausible,” adding, “I see no reason to discount it.”

“The facts are still emerging, but there are strong suggestions of a Yemen-Al Qaeda connection and an intent to blow up the plane over U.S. airspace,” said Representative Jane Harman, a California Democrat who heads the House Homeland Security subcommittee on intelligence.

Mr. Abdulmutallab told F.B.I. agents he was connected to the Al Qaeda affiliate, which operates largely in Yemen and Saudi Arabia, by a radical Yemeni cleric whom he contacted via the Internet.

A senior Obama administration official said Mr. Abdulmutallab had come to the attention of American officials at least “several weeks ago,” but the initial information was not specific enough to raise alarms that he could potentially carry out a terrorist attack.

The investigative file was opened after Mr. Abdulmutallab’s father warned officials at the United States Embassy in Nigeria of his son’s increasingly extremist religious views, the official said.

“The information was passed into the system, but the expression of radical extremist views were very nonspecific,” said the senior administration official, who has been briefed on the inquiry but spoke on condition of anonymity because it is continuing. “We were evaluating him, but the information we had was not a lot to go on.”

The incident prompted a significant change to airline security. International passengers will not be allowed to move about aircraft during the last hour of a flight, and there will be extra screening of baggage at airports.

Mr. Abdulmutallab was charged with attempting to destroy an aircraft and placing a destructive device on an aircraft, the Justice Department announced on Saturday. He was arraigned later on Saturday in a conference room on the first floor of the University of Michigan Hospital burn unit, where he has been in intensive care with third-degree burns since Friday.

Prominent Chinese Human Rights Activist Sentenced to 11 Years in Jail

Via guardian.co.uk -

One of China's most prominent human rights activists was condemned today to 11 years in prison, prompting a furious backlash from domestic bloggers and international civil society groups.

Liu Xiaobo, the founder of the Charter 08 campaign for constitutional reform, was given the unusually harsh jail term on Christmas Day in an apparent attempt to minimise international attention.

The case has raised fears that other drafters of Charter 08 could also face retribution from the authorities.

Following a year in detention and a two-hour trial, it took the No 1 intermediate people's court in Beijing just 10 minutes to read out the 11-page sentence.

Liu was found guilty on Wednesday of subversion, the vaguely defined charge that Communist party leaders often use to imprison political opponents.

In a statement released by the state-controlled Xinhua news agency, the court said it had "strictly followed the legal procedures" and "fully protected Liu's litigation rights".

However, the author and academic had been detained without trial for a year. His wife, Liu Xia, was not allowed into an earlier hearing, nor were foreign diplomatic observers. Liu's lawyers have been warned not to discuss the case.

But the defence team said they were prepared to appeal against the verdict.

"We cannot accept this sentence because we have argued in court that Liu is innocent," said one of his lawyers, Mo Shaoping. His wife could not be reached as her mobile phone was suddenly out of order.

Amnesty International expressed outrage at the sentence, which it said was the harshest in 35 subversion cases since 2003.

"Liu Xiaobo's detention and trial shows the Chinese government will not tolerate Chinese citizens participating in discussions about their own form of government," said Sam Zarifi, director of the group's Asia pacific program.

Thursday, December 24, 2009

Al-Qaida Fighters Killed in Yemen Air Strikes

Via The Guardian UK -

Yemeni forces backed by US intelligence have struck a series of suspected al-Qaida hideouts, including a meeting of senior leaders, killing at least 30 militants, the government said.

The air strikes on Christmas Eve were Yemen's second such assault on al-Qaida in a week, at a time when the US has dramatically increased aid to eliminate the expanding presence of the terror group.

Washington fears al-Qaida could turn fragmented, unstable Yemen into a new Afghanistan-like safe haven in a highly strategic location on the border with oil-rich US-ally Saudi Arabia.

The Pentagon recently confirmed it has poured nearly $70m (£44m) in military aid to Yemen this year – compared to none in 2008.

The US military has also boosted its counterterrorism training for Yemeni forces, and is providing more intelligence, which may include surveillance by unmanned drones, according to US officials and analysts.

Yemen's deputy defence minister, Rashad al-Alaimy, told parliament the latest strikes were carried out "using intelligence aid from Saudi Arabia and the US".

The strikes killed three important leadership members, al-Alaimy said, but he did not identify them.

Yemeni officials refused to comment on the main target: a gathering of senior al-Qaida figures in Rafd, a remote mountain valley in eastern Shabwa province, a region where militants have been given refuge with tribes discontent with the Sana'a government.

Researchers Show Off Functional Single-Molecule Transistor

Via arstechnica.com -

As semiconductor manufacturers continue to push down the size of their products' wiring, a number of research labs have started looking into whether they can simply take the process to its logical conclusion: a transistor made from a single molecule. A number of these items have been demonstrated, and they do manage to control the current flow through the molecular transistor, but they do so through a variety of tricks that have nothing in common with the methods used for the semiconductors in our electronics. In today's issue of Nature, an international team reports producing the first voltage-gated molecular transistors.

The basic principle behind a transistor is simple. All it needs is two electrodes, a source and a sink, and a gate that controls the flow of current between them. In semiconductor transistors, the gate contains a semiconductor and another electrode: raising or lowering the voltage in this electrode controls whether current can flow across the semiconductor between the source and sink.

For molecular transistors, the semiconductor is replaced by a single molecule. Electrons can flow through a variety of molecules, but controlling that process is not the easiest thing. A few of the past efforts have switched currents on and off by changing the charge on the molecule or playing with the spin of the electrons that pass through it, but these are difficult challenges in their own right, and far more complex than simply applying a voltage to the gate.

The new work involved creating a nanoscale gap in a gold wire that was placed directly above an aluminum oxide electrode that controls the gate. The gold had been covered with one of two types of molecules in advance and, once the gap was created, there was a chance that one of those molecules dropped into the newly vacated space, bridging the gap and enabling the molecule to conduct currents between the two gold electrodes.

Insurgents Intercepting Predator Video? No Problem

Via Wired.com -

Sometimes mediocre encryption is better than strong encryption, and sometimes no encryption is better still.

The Wall Street Journal reported this week that Iraqi, and possibly also Afghan, militants are using commercial software to eavesdrop on U.S. Predators, other unmanned aerial vehicles, or UAVs, and even piloted planes. The systems weren't "hacked" -- the insurgents can’t control them -- but because the downlink is unencrypted, they can watch the same video stream as the coalition troops on the ground.

The naive reaction is to ridicule the military. Encryption is so easy that HDTVs do it -- just a software routine and you're done -- and the Pentagon has known about this flaw since Bosnia in the 1990s. But encrypting the data is the easiest part; key management is the hard part. Each UAV needs to share a key with the ground station. These keys have to be produced, guarded, transported, used and then destroyed. And the equipment, both the Predators and the ground terminals, needs to be classified and controlled, and all the users need security clearance.

[...]

Contrast this with the additional risks if you encrypt: A soldier in the field doesn't have access to the real-time video because of a key management failure; a UAV can't be quickly deployed to a new area because the keys aren't in place; we can't share the video information with our allies because we can't give them the keys; most soldiers can't use this technology because they don't have the right clearances. Given this risk analysis, not encrypting the video is almost certainly the right decision.

There is another option, though. During the Cold War, the NSA's primary adversary was Soviet intelligence, and it developed its crypto solutions accordingly. Even though that level of security makes no sense in Bosnia, and certainly not in Iraq and Afghanistan, it is what the NSA had to offer. If you encrypt, they said, you have to do it "right."

The problem is, the world has changed. Today's insurgent adversaries don't have KGB-level intelligence gathering or cryptanalytic capabilities. At the same time, computer and network data gathering has become much cheaper and easier, so they have technical capabilities the Soviets could only dream of. Defending against these sorts of adversaries doesn't require military-grade encryption only where it counts; it requires commercial-grade encryption everywhere possible.

This sort of solution would require the NSA to develop a whole new level of lightweight commercial-grade security systems for military applications — not just office-data "Sensitive but Unclassified" or "For Official Use Only" classifications. It would require the NSA to allow keys to be handed to uncleared UAV operators, and perhaps read over insecure phone lines and stored in people's back pockets. It would require the sort of ad hoc key management systems you find in internet protocols, or in DRM systems. It wouldn't be anywhere near perfect, but it would be more commensurate with the actual threats.

Wednesday, December 23, 2009

Paper-Based Breaches Just As Damaging

Via Darkreading.com -

IT tends to forget about things that aren't electronic. But you remember that stuff called paper, right? Have you considered that printed documents are just as damaging to a company's reputation should they get into the wrong hands as electronic data stored in an Excel spreadsheet or database server?

I'll be the first to admit I rarely think about paper. And I hardly ever think about printers unless it's during a penetration test and insecure printers on the network allow me to pivot and gain further access into a target's network. Lessons from my friends' stories about all of the information they've found during dumpster diving should be enough of a reminder, but it was a recent blog entry from Brian Krebs that really drove the point home.

"Paper-based Data Breaches on the Rise" is a great read and contains some surprising statistics. For example, "at least 27 percent of the data breaches disclosed publicly in 2009 stemmed from collections of sensitive consumer information printed on paper that were lost, stolen, inadvertently distributed, or improperly disposed of."

I would have never guessed the number of paper-based breaches to be that high, but, again, people simply don't think of data on paper being at risk like data on computers. But data on paper is just another form of data that needs to be protected by information security policies.

Note that I said "information security" and not "information technology security." That's because people get hung up on the technology part and forget they need to secure ALL information, not just what resides on servers, laptops, and smartphones. And it's not only IT people glossing over the threat of paper breaches: Turns out most state data breach laws focus only on electronic breaches, and so do federal breach notification measures that are in the works.

Securing sensitive information on paper is one of those issues that IT people don't consider because it's not electronic, and, well, paper just isn't sexy. Next time you're putting together plans for a penetration test, make sure you add to your list the tasks of finding unsecured filing cabinets full of sensitive information, dumpster diving, and reviewing print jobs -- I'm betting you'll be surprised at what you find.

Attackers Buying Own Data Centers for Botnets, Spam

Via ThreatPost.com -

The malware writers and criminals who run botnets for years have been using shared hosting platforms and so-called bulletproof hosting providers as bases of operations for their online crimes. But, as law enforcement agencies and security experts have moved to take these providers offline, the criminals have taken the next step and begun setting up their own virtual data centers.

IP address space allocation is handled by five regional Internet registries (RIR), each of which is responsible for a particular group of countries. The RIRs work with large enterprises, ISPs, telecoms and other organizations that need large blocks of IP space. These organizations typically have to go through an application and screening process in order to get these allocations, including providing legal documentation listing the officers of the company, its business and why the address space is needed.

And that's the way it's supposed to work everywhere. Applicants who can't show a need for the IP space are told politely to take a walk. But in some cases, criminals have found a way around this by going through local Internet registries (LIR) or by taking advantage of RIRs that don't have the resources to investigate every application as fully as they'd like.

The criminals will buy servers and place them in a large data center and then submit an application for a large block of IP space. In some cases, the applicants are asked for nothing more than a letter explaining why they need the IP space, security researchers say. No further investigation is done, and once the criminals have the IP space, they've taken a layer of potential problems out of the equation.

"It's gotten completely out of hand. The bad guys are going to some local registries in Europe and getting massive amounts of IP space and then they just go to a hosting provider and set up their own data centers," said Alex Lanstein, senior security researcher at FireEye, an antimalware and anti-botnet vendor. "It takes one more level out of it: You own your own IP space and you're your own ISP at that point.

"If there's a problem, who are you going to talk to? It's a different ball game now. These guys are buying their own data centers. These LIRs and RIRs aren't going to push back if you say you need a /24 or /16. They're not the Internet police," Lanstein said.

Hackers Break Amazon's Kindle DRM

Via The Register UK -

Hackers from the US and Israel say they have broken copyright protections built in to Amazon's Kindle for PC, a feat that allows ebooks stored on the application to work with other devices.

The hack began as an open challenge in this (translated) forum for participants to come up with a way to make ebooks published in Amazon's proprietary format display on competing readers. Eight days later, users going by the handles Labba and i♥cabbages had a working program that did just that.

[...]

Amazon representatives have yet to indicate how they plan to respond. Queries put to a spokesman on Tuesday weren't returned.

According to a writeup of the Kindle hack here, Amazon engineers went to considerable lengths to prevent their DRM from being tampered with. The Kindle for PC uses a separate session key to encrypt and decrypt each book "and they seem to have done a reasonable job on the obfuscation," the author, i♥cabbages, says.

Labba and the US-based i♥cabbages, who declined to give his real name, discovered the attack vector independently around the same time. The resulting crack is a piece of software called unswindle, which was written by the latter hacker and is available here. It relies on reverse engineering from a hacker called darkreverser to discover the encryption algorithm used by the universal Mobipocket reader and most Kindle books.

Once unswindle is installed, proprietary Amazon ebooks can be converted into the open Mobi format. And from there, you can enjoy the content any way you like.

--------------------------------------

The B&N Nook isn't to be left out, of course...

Circumventing Barnes & Noble DRM for EPUB

Inmate Gets 18 Months for Hacking Prison Computer

Via Computerworld.com -

A former Massachusetts prison inmate has been given an 18-month prison sentence for hacking prison computers while he was incarcerated.

Francis "Frank" Janosko, 44, was sentenced Tuesday in federal court in Boston for abusing a computer provided by the Plymouth County Correctional Facility. The computer had been set up to help inmates with their legal research.

In 2006, Janosko managed to circumvent computer controls and use the machine to send e-mail and cull data on more than 1,100 Plymouth County prison employees. He gained access to sensitive information such as their dates of birth, Social Security Numbers, telephone numbers, home addresses and employment records.

The computer he used was a so-called thin client computer that simply connected to another machine on the network and did not store any data itself, prosecutors said in Janosko's indictment. The only program it was supposed to run was the prison's legal research application.

However, Janosko found a way of "exploiting an idiosyncrasy in the legal research software" so he could access other programs via the terminal. He even found a way of downloading Internet video, prosecutors said.

TIME Magazine: Should the U.S. Destroy Jihadist Websites?

Via CT Blog (Evan Kohlmann) -

TIME Magazine has published a new article on the simmering debate over whether the U.S. government should be aggressively shutting down and destroying jihadist Internet websites. This debate has received added attention in recent weeks from a series of unrelated incidents, including the Ft. Hood massacre and the arrest of several would-be American Al-Qaida recruits in Pakistan. In each of these cases, Internet websites and "virtual radicalization" have played a significant role in either persuading someone to carry out an act of violence--or even by providing the apparent contacts necessary to join a real terrorist group.

In reflecting on this series of events, some well-intentioned observers have suggested that the appropriate remedy for the Internet being used as a recruitment machine by terrorist networks is to methodically take apart the underground jihadi social networking forums, one after the next. While I understand where those sentiments come from, I personally don't agree with them -- and I don't believe I'm alone. From TIME:

"But Arquilla's logic doesn't add up, counters Evan Kohlmann of the non-profit NEFA Foundation, created following 9/11 to track Islamic terrorism. Shutting down jihadist web sites "would be like firing cruise missiles at our own spy satellites," he argues, referring to the intelligence the U.S. and its allies glean from such sites. Besides, it can't be done. "If you shut down one of their websites today, they have a complete copy elsewhere and can put it up on a new server and have it up tomorrow," Kohlmann says. Such websites are the only window the rest of the world has into al-Qaeda and other such groups. "If you start shutting down the websites," he adds, "it's like chopping up a jellyfish — you end up with lots of little pieces that are very difficult to monitor." Kohlmann believes that the websites are a treasure trove of valuable intelligence, most of which is being overlooked by the U.S."

And this, of course, does not even take into account the myriad of freedom of speech and civil liberty issues that would inevitably arise if the U.S. government was to start blacking out independent websites on the basis of content. And what about YouTube, which allegedly has served as the point of contact for Taliban recruiters looking for American volunteers -- are we planning on shutting them down, too? In this case, perhaps it is a wiser policy to walk softly and carry a big stick -- as opposed to swinging it around wildly in hopes of randomly hitting something.

-----------------------------

I asked myself this very question several years ago. At the time, I was watching the AQIM website go up and down every couple of months.

Back in those days, I was helping Castlecops take down dozens and dozens of phishing sites....so it was easy for me to apply the same mindset to jihadist websites. However, it was clear that these sites don't serve the same functions.

Phishing sites are commonly hosted on hacked servers and the bad guys rapidly get their stolen data and run away....so the faster it is taken down, the less viable information the attackers can get...thus it's a no-brainer takedown decision. But phishing sites do offer some OSINT to professionals - how the sites are constructed, attacker e-mail addresses embedded in backend scripts, how the sites are packed and deployed, etc.

What type of information could you get out of jihadist websites?

Think Shadowcrew (and Operations Firewall)....and you start to see what could be done, OSINT on a massive scale - especially with sites hosted in the US or in nations that are willing to assist.

An E-Book Buyer's Guide to Privacy

Via EFF -

As we count down to the end of 2009, the emerging star of this year's holiday shopping season is shaping up to be the electronic book reader (or e-reader). From Amazon's Kindle to Barnes and Noble's forthcoming Nook, e-readers are starting to transform how we buy and read books in the same way mp3s changed how we buy and listen to music.

Unfortunately, e-reader technology also presents significant new threats to reader privacy. E-readers possess the ability to report back substantial information about their users' reading habits and locations to the corporations that sell them. And yet none of the major e-reader manufacturers have explained to consumers in clear unequivocal language what data is being collected about them and why.

As a first step towards addressing these problems, EFF has created a first draft of our Buyer's Guide to E-Book Privacy. We've examined the privacy policies for the major e-readers on the market to determine what information they reserve the right to collect and share.

Tuesday, December 22, 2009

Encryption of Predator Video Feeds Could Take Five Years

Via DefenseSystems.com -

It could take as long as five years before video feeds from Predator drones are fully encrypted and U.S. forces are able to keep enemy forces from intercepting the information, reports Ellen Nakashima in the Washington Post.

U.S. forces uncovered over the past year a number of instances of Iraqi insurgents intercepting video feeds from Predator drones, the Wall Street Journal reported Dec. 17. The insurgents were able to intercept extensive video footage from the unmanned aerial vehicles by using inexpensive, off-the-shelf software.

The Air Force has begun encrypting the UAV fleet, but that work will not be finished until 2014, according to the Air Force Unmanned Aircraft Systems Flight Plan. The long-range plan released in July outlines the Air Force’s strategy for changes in doctrine, organizational structure, training, equipment, leadership, education, personnel, facilities and policy.

--------------------------------

http://www.wired.com/dangerroom/2009/12/fixing-drone-data-a-not-so-modest-proposal/#more-20780

But according to Rex Buddenberg of the Naval Postgraduate School, the military’s data security problem is bigger — and much more difficult to fix — than the original reporting lets on.

[...]

According to Buddenberg, solutions that focus exclusively on protecting the link – in geekspeak, protecting individual bytes (Layer 1 of the ISO model) or frames (Layer 2) — ignore a larger issue: What happens when the data gets relayed. The Predator drones, for instance, are flown from Nevada. The data has to go places to be useful, with much of it being routed through the terrestrial Defense Information Systems Network.

“The disadvantage is that the encryption is stripped off at the [DISN] ground terminal,” he says. “So you get direct interception protection (which is what this exploit appears to be). But you don’t get any protection for the YouTube effect — wiretapping the terrestrial internet.”

Intel Patches Critical Security Bug in vPro Processors

Via The Register UK -

Intel has released a patch for its series of silicon-based security protections after researchers from Poland identified flaws that allowed them to completely bypass the extensions.

The implementation errors in Intel's TXT, or trusted execution technology, mean the feature can't be counted on as advertised to protect sensitive files and prevent systems from booting operating systems that have been tampered with. The vulnerability affects the Q35, GM45, PM45 Express, Q45, and Q43 Express chipsets.

"We again showed that an attacker can compromise the integrity of a software loaded via an Intel TXT-based loader in a generic way, fully circumventing any protection TXT is supposed to provide," researchers with the Invisible Things Lab stated in a press release (PDF) issued Monday.

The researchers laid out a variety of ways their software-only attack could defeat the security measures, which Intel has built into its vPro-branded processors and held out as a way for large corporate customers to make their servers and PCs more resistant to criminal hackers. One TXT feature that can be overridden is a setting that restricts the use of USB-based flash drives. The researchers also said that attacks could allow them to defeat procedures for securely launching applications and encrypting hard disk contents.

The attacks exploit implementation errors in Intel's SINIT Authenticated Code modules, which are digitally signed pieces of code that can't be modified. The researchers brought the defects to the attention of Intel officials in late September and agreed to withhold publication of their findings until the chipmaker was able to patch the vulnerability. In July, the researchers presented research that showed how to attack another Intel technology known as AMT, or active memory technology, using what's known as a Ring -3 rootkit. A PDF of the most recent research paper is here, and Intel's advisory is here.

Monday, December 21, 2009

Terrorists Distributing Training CDs in Pakistan City

Via The Daily Times (Pakistan) -

KARACHI: As the militants continue being tracked down by the city’s security forces, the militants are coming up with innovative ideas to swell their ranks and bring aspiring militants into their fold.

The militants, who were earlier making good use of CDs and DVDs as a means of spreading propaganda, terrorising people and glorifying their victories in the battlefield, have now turned to the same media for training hopeful militants. The CDs provide information regarding the physical fitness requirements of a militant, using modern weaponry and developing bombs out of raw material.

These CDs not only focus on providing theoretical guidance, but also display militants in action as they operate different weapons and produce bombs.

Some shots from the battlefield are also included in these CDs, which give the watchers an idea on how they should attack the enemy and then escape from the battlefield.

The training CD, which contains a 54-minute long video, also shows a man developing a suicide jacket and explaining what material to use to make it functional.

Some of the shots included in the CD have been taken from the battlefield of Helmand and some from the attacks on Pakistani security forces.

According to sources, the CDs were developed in the country’s tribal areas and then distributed by the militants “through proper channels”.

According to media experts, these militants are cleverer than expected.

The otherwise anti-media militants properly know how to use modern technology for their cause.

Al-Qaeda and Taliban elements were earlier known for glorifying their on-field achievements and beheading of the “Jasoos”.

This is the first time that such CDs have come on the surface.

Faizullah Jan, a media expert who has been following the activities of the militants, said the tactics of the militants change with time and they know how and what they should do and when.

“Now that they have been under fire from all sides, the militants are looking for inventive techniques for their survival,” he added. However, officials of the Crime Investigation Department have denied the existence of any such CDs - at least in Karachi.

Bin Laden's Brother-in-law Target of Latest US Strike in Pakistan

Via The Long War Journal -

The US targeted a senior al Qaeda leader and brother-in-law of Osama bin Laden during Thursday's swarm attack in Pakistan's Taliban-controlled tribal agency of North Waziristan.

The US believed Sheikh Saeed al Saudi was scheduled to attend a high-level al Qaeda meeting in the Datta Khel region in North Waziristan, The News reported.

The nature of the strike indicates the US was targeting a high-value target. Up to seven unmanned US Predator and Reaper strike aircraft converged on the target and launched up to 10 missiles. Sixteen al Qaeda and Haqqani network fighters were reported killed in the attack.

Sheikh Saeed al Saudi is married to bin Laden's sister and serves on al Qaeda's Shura Majlis, or executive council, a senior US intelligence official told The Long War Journal. The official also confirmed that al Saudi was the target of the attack. Al Saudi also is involved in al Qaeda's "financial activities," the official said.

Al Saudi is thought to have survived the strike, but the US believes it killed Zuhaib al Zahibi, a general officer in al Qaeda's Shadow Army, or the Lashkar al Zil. The Taliban have denied that senior al Qaeda leaders were killed in the strike.

The Datta Khel region in South Waziristan borders the Jani Khel region in the settled district of Bannu.

SRI: An Analysis of the iKee.B iPhone Botnet

http://mtc.sri.com/iPhone/

We present an analysis of the iKee.B (duh) Apple iPhone bot client, captured on 25 November 2009. The bot client was released throughout several countries in Europe, with the initial purpose of coordinating its infected iPhones via a Lithuanian botnet server. This report details the logic and function of iKee's scripts, its configuration files, and its two binary executables, which we have reverse engineered to an approximation of their C source code implementation. The iKee bot is one of the latest offerings in smartphone malware, in this case targeting jailbroken iPhones. While its implementation is simple in comparison to the latest generation of PC-based malware, its implications demonstrate the potential extension of crimeware to this valuable new frontier of handheld consumer devices.

Sunday, December 20, 2009

Reading Mission Control Data Out of Predator Drone Video Feeds

Kingcope posted the following whitepaper on the Full Disclosure mailing list today.

-----------------------

http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-12/pdfFKFWwDxFdE.pdf
There have been recent reports of insurgents intercepting unencrypted U.S. Predator drone video feeds in Iraq and Afghanistan. The predator drone video feeds were sent in some cases from the predator drones without any encryption technology so the insurgents were in a rather simple situation to intercept the video feeds and save them to hard disks and share them among each other. WSJ states that a software called “SkyGrabber” was used to read the video feeds. The intention of this software is to read images and videos off the air by using satellite antennas.

After doing some research on the issue we found that in the predator video feeds aside from image data there is also mission control data carried inside the satellite signal to the ground control stations. It is theoretically possible to read off this mission control data both in the intercepted video feed and saved video data on harddisks.

The Day Before Zero - Malware QA & Botnet Helpdesk Services

Gunter Ollmann, VP of Research for Damballa, has posted two interesting entries on his blog.

He highlights two unique services which are available to criminals looking to spread malware - illustrating just how complex and extensive the malware underground service community has grown.

---------------------------

The Botnet Distribution and Helpdesk Services
http://blog.damballa.com/?p=454
To think of botnets as being the domain of a single criminal operator is to seriously underestimate the sophistication of modern cybercriminal operations. “Botnets” are a growing industry with multiple layers of service providers and entrepreneurs hawking their specialized tools and knowledge. Yesterday I covered the botnet service providers that specialize in malware and drive-by-download quality assurance (QA) practices. Today I’ll discuss helpdesk support. Browsing the web and hacking forums will reveal literally hundreds of online botnet malware providers. It’s a competitive business. Not only must these providers compete on a per-feature basis within their malware DIY construction kits, but they must also provide differentiated support for their customers.
---------------------------

Malware QA and Exploit Testing Services – Virtest.com
http://blog.damballa.com/?p=444
An integral part of modern cybercrime and the successful release of new botnet malware components lies with quality assurance (QA) – i.e. testing malware samples against current antivirus technologies prior to release, and guaranteeing evasion....the most interesting feature of this service though is the ability to scan malicious infecting payloads. Subscribers to the service can provide the URL(s) of their drive-by-download infector sites and scan them using this service – checking to see whether their malicious javascripts, latest exploit kits and payloads, and shellcode escape detection.

Saturday, December 19, 2009

NIST Releases FIPS 140-3 Draft

Via Nextgov.com (Dec 14, 2009) -

The National Institute of Standards and Technology released on Friday a revised draft to security metrics used by federal agencies to test how well their computer systems fight off hacking attempts.

NIST announced the new draft of the Federal Information Processing Standard 140-3, "Security Requirements for Cryptographic Modules," which guides agencies in their efforts to protect sensitive data. The standard specifies the security requirements for information systems' cryptographic modules, which provide services for confidentiality, integrity and authentication of information. A computer system's cryptographic modules might enforce password rules, for example, or data encryption requirements.

"FIPS 140-3 adds new security features that reflect recent advances in technology and security methods," said the draft document, which includes requirements for ensuring data protection in software applications and preventing non-invasive attacks that can be performed against a security application without direct physical contact.

US Launches Cruise Missile Strikes Against Al-Qaeda (AQAP) Training Camps in Yemen

Via The Long War Journal -

The US military carried out cruise missile attacks against two al Qaeda camps in Yemen, killing several terrorist commanders and fighters as well as civilians.

The attacks, which took place on Dec. 17, were carried out in conjunction with the Yemeni military, who targeted al Qaeda bases in the provinces of Sana'a and Abyan. The Yemeni government and the US launched the raids after intelligence indicated al Qaeda was planning to conduct attacks against Yemeni and US installations in the region.

Abyan is a known al Qaeda haven. The terror group opened a large training camp in Yemen this year, which reportedly housed more than 400 al Qaeda fighters from the Middle East [see LWJ report, "Al Qaeda opens new training camp in Yemen"]. Many of the fighters were Yemenis, Saudis, and Somalis.

The Yemeni government claimed 34 al Qaeda fighters were killed and 17 more were captured in the joint air and ground strikes. Muhammad Salih al Awlaqi, al Qaeda's leader in Abyan province, and commanders Muhammad al Amburi and Munir al Amburi were also reported killed in the Abyan strikes, according to reports in Quds Press and Al Sahwah.net.

Qasim al Rimi, a member of al Qaeda in the Arabian Peninsula's shura, or executive council, was reportedly the main target of the strike. He is thought to have escaped. Al Rimi is a senior lieutenant to Nasir al Wuhayshi, the leader of al Qaeda in the Arabian Peninsula, a senior US military intelligence official told the Long War Journal.

Leaders in Abyan disputed the government's claims that only al Qaeda fighters were killed, and claimed more than 60 civilians have died in the strikes. Ali Husayn Ashal, a Member of Parliament and a leader in the opposition Islah Party, accused the government of President Ali Abdullah Saleh of intentionally targeting civilians.

"The government took pride in saying that some al Qaeda members have been targeted in this monstrous operation, while it knows very well where do these wanted elements move around," Ashal said, according to Al Sahwah.net. "These elements move around openly and publicly before the government's eyes. The government can, at any given time, target those who are believed to be outlaws, without inflicting dozens of innocent casualties."

The Islah Party is closely aligned with the radical cleric Sheik Abdulmajid al Zindani, who is designated as a terrorist financier by the UN's 1267 committee and as a spiritual adviser to bin Laden by the US Treasury. Zindani is also a close ally of the Yemeni government.

Saleh and the weak Yemeni government are also known to collude with al Qaeda, including using the terror group's foot soldiers to battle the Houthi rebels in the North in exchange for safe haven.

Al Qaeda in the Arabian Peninsula [AQAP] has reportedly battled back after the cruise missile strikes and ground operations in Abyan. According to a report in Al Hayat, AQAP "raided government centers" in the Ludat district in Abyan.

Unencrypted Drone Video Advantageous to U.S. Military, Despite Risks

Via NetworkWorld.com -

The reason the U.S. military didn’t encrypt video streams from drone aircraft flying over war zones is that soldiers without security clearances needed access to the video, and if it were encrypted, anyone using it would require security clearance, a military security expert says.

“Operational information that’s considered perishable has by and large been treated by the military as unclassified,” says David Kahn, CEO of Covia Labs, which sells software for encrypted communications among devices used in military and emergency response missions. Since the video is unclassified, no special clearance is required by personnel who access it to do their jobs, he says.

Drone video traffic was intercepted by insurgents in Iraq and Afghanistan from satellite broadcasts from the unmanned drones to the ground. The insurgents used commercial satellite intercept software sold over the Internet that is advertised to grab movies and other entertainment out of the air without benefit of service-providers’ gear or service contracts.

The military says it has taken care of the drone problem since it was discovered in July, but didn’t specify how.

Kahn says that the video information loses its value so rapidly that the military may have decided it wasn’t worth the effort to encrypt it. “Even if it were a feed off a drone with attack capabilities, and even if the bad guys saw that the drone was flying over where they were at that moment, they wouldn’t have the chance to respond before the missile was fired,” he says.

Classified data would have to be encrypted using hardware encryption, which would require upgrades of a significant amount of equipment, and the military might have determined it just wasn’t worth the effort. The military likes to minimize hardware encryption especially in devices used in the field in case the gear falls into the hands of the enemy, Kahn says. “The answer to the question of why people know about the hole and allowed it to persist is that it was so difficult to plug the hole,” he says. “There was a legitimate need for people without clearance to see the data, so a decision was made to let it continue. Now they know it was exploited, they need to close it.”

Kahn says his company offers a middle ground that supports a software sandbox for secure end-to-end encryption of data and issuance of public and private keys to all the devices that need to communicate with each other during a particular mission. When the mission is over, the keys are revoked and the devices lose the ability to communicate with each other, he says.
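The per-mission keying Kahn describes (keys issued to the devices on a mission, revoked when it ends) sketched as an added Python example. This is not Covia Labs' code and does not describe their product; it assumes a hypothetical key server, uses an HMAC-SHA256 keystream with encrypt-then-MAC from the standard library in place of a real AEAD such as AES-GCM, and every mission identifier and frame payload below is constructed for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 12   # per-frame nonce
TAG_LEN = 32     # HMAC-SHA256 tag


class KeyRevoked(Exception):
    """Raised when a mission's key has been revoked (or was never issued)."""


class MissionKeyServer:
    """Hypothetical per-mission key authority (an assumption of this example).

    A fielded design would push revocation to devices, which zeroize their copy;
    here every seal/open looks the key up, so revocation takes effect at once.
    """

    def __init__(self):
        self._keys = {}

    def issue(self, mission_id):
        key = secrets.token_bytes(32)
        self._keys[mission_id] = key
        return key

    def revoke(self, mission_id):
        self._keys.pop(mission_id, None)

    def key_for(self, mission_id):
        try:
            return self._keys[mission_id]
        except KeyError:
            raise KeyRevoked(mission_id)


def _subkeys(mission_key):
    # Separate encryption and MAC keys derived from the mission key.
    enc = hmac.new(mission_key, b"feed-enc", hashlib.sha256).digest()
    mac = hmac.new(mission_key, b"feed-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    # Counter-mode keystream built from HMAC-SHA256 as the PRF.
    blocks = []
    for counter in range((length + 31) // 32):
        msg = nonce + counter.to_bytes(4, "big")
        blocks.append(hmac.new(enc_key, msg, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal_frame(server, mission_id, plaintext):
    """Encrypt-then-MAC one video frame under the mission key: nonce || ct || tag."""
    enc_key, mac_key = _subkeys(server.key_for(mission_id))
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    # The mission id is bound into the tag so a frame cannot be replayed into another mission.
    tag = hmac.new(mac_key, mission_id.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_frame(server, mission_id, frame):
    """Verify the tag before decrypting; refuse if the mission key is revoked."""
    enc_key, mac_key = _subkeys(server.key_for(mission_id))
    if len(frame) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated frame")
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, mission_id.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def demo():
    """Issue a key, send a frame, reject a tampered frame, then revoke and refuse."""
    server = MissionKeyServer()
    mission = "MISSION-0001"                      # constructed identifier
    server.issue(mission)
    payload = b"H.264 NAL unit 0001 (constructed)"  # constructed frame payload
    frame = seal_frame(server, mission, payload)
    results = {"decrypted": open_frame(server, mission, frame)}
    tampered = bytearray(frame)
    tampered[NONCE_LEN] ^= 0x01                   # flip one ciphertext bit
    try:
        open_frame(server, mission, bytes(tampered))
        results["tamper"] = "accepted"
    except ValueError:
        results["tamper"] = "rejected"
    server.revoke(mission)                        # mission over: key withdrawn
    try:
        open_frame(server, mission, frame)
        results["after_revoke"] = "decrypted"
    except KeyRevoked:
        results["after_revoke"] = "refused"
    return results


if __name__ == "__main__":
    print(demo())
```

An interceptor with a commodity satellite receiver sees only the nonce, random-looking ciphertext and tag, though frame sizes and timing still leak; note that this scheme protects the link, not the endpoint, which is the trade-off Kahn raises about gear falling into enemy hands.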

Friday, December 18, 2009

Reactivating DECAF in Two Minutes

Via Praetorian Prefect -

The misinformation on DECAF being shut down and a hoax is alarming, and the quality of reporting on this security topic is actually worse than usual. Earlier tonight we noticed this update from @slashdot on Twitter: “DECAF Was Just a Stunt, Now Over”, along with this: “Anti-COFEE tool taken down & d/l’ed copies disabled.” Ok, fair enough, releasing DECAF was a stunt according to its two creators. But then we saw this train wreck of an article by Nick Eaton, the Microsoft reporter over at the Seattle PI blogs. So now we’re going to respond, because the incorrect “DECAF was a big hoax” story, about a tool that supposedly never worked, is propagating through the Intertubes. DECAF was a working tool that can be easily re-enabled, because the shutdown appears to be only a call back to decafme.org that is now disabled but is easily spoofed, and we’ll demonstrate how.

Hackers Nab South Korean-US Military Defense Plans

Via sbs.com.au -

South Korea's military says it's investigating a hacking attack that netted secret defence plans with the United States and may have been carried out by North Korea.

The suspected hacking occurred late last month when a South Korean officer failed to remove a USB device when he switched a military computer from a restricted-access intranet to the internet, Defence Ministry spokesman Won Tae-jae said.

The USB device contained a summary of plans for military operations by South Korean and US troops in case of war on the Korean peninsula. Won said the stolen documents were not a full text of the operational plans but about an 11-page document used to brief military officials.

Won said authorities have not ruled out the possibility that Pyongyang may have been involved in the hacking attack by using a Chinese IP address - the Web equivalent of a street address or phone number.

The Chosun Ilbo newspaper reported, citing the January edition of its sister magazine Monthly Chosun, that hackers used a Chinese IP address and that North Korea is suspected of involvement. The Monthly Chosun cited South Korea's National Intelligence Service and Defence Security Command.

Yonhap news agency also reported the hackers used a Chinese IP address. It said the North's involvement was not immediately confirmed, also citing military officials it did not identify.

Officials at the NIS - South Korea's main spy agency - were not immediately available for comment.

The US stations 28,500 troops in South Korea to deter any potential North Korean aggression. The two Koreas have remained technically at war since the 1950-53 Korean War ended with an armistice, not a peace treaty.

"As a matter of policy, we do not comment on operational planning or intelligence matters, nor would we confirm details pertaining to any security investigation," said David Oten, a spokesman for the US military in Seoul.

Iran Making New Model Centrifuges for Uranium Enrichment

Via Yahoo! News (AP) -

Iran's nuclear chief said Friday the country has started making more efficient centrifuge models that it plans to put in use by early 2011 — a statement that underscores Tehran's defiance and adds to international concerns over its nuclear ambitions.

The official, Vice President Ali Akbar Salehi, said Iranian scientists are still testing the more advanced models before they will become operational at the country's enrichment facilities.

Tehran has been saying since April that it is building more advanced centrifuges capable of enriching uranium with higher efficiency and precision, but Salehi's remarks were the first indication of a timeline when the new models could become operational.

The new centrifuge models will be able to enrich uranium much faster than the old ones — which would add to growing concerns in the West because they would allow Tehran to accelerate the pace of its program. That would mean Iran could amass more material in a shorter space of time that could be turned into the fissile core of missiles, should Tehran choose to do so.

[...]

Centrifuges are machines used to enrich uranium — a technology that can produce fuel for power plants or materials for a nuclear weapon. Uranium enriched to low level is used to produce fuel but further enrichment makes it suitable for use in building nuclear arms.

"We are currently producing new generation of centrifuges named IR3 and IR4," Salehi told the semiofficial Fars news agency. "We hope to use them by early 2011 after resolving problems and defects."

DEA Charges Three Men in AQIM Linked Drug Case

Via reuters.com -

The U.S. Drug Enforcement Administration said the arrests mark the first time U.S. authorities have established a link suggesting al Qaeda is funding its activities in part through drug trafficking in West Africa.

Oumar Issa, Harouna Toure, and Idriss Abelrahman, who are all believed to be in their 30s and nationals of Mali, were arrested in Ghana on Wednesday as part of a sting operation and taken to New York early on Friday, prosecutors said.

According to a criminal complaint unsealed on Friday, the men are accused of plotting to transport cocaine through Africa with the intent to support al Qaeda, al Qaeda in the Islamic Maghreb and the Revolutionary Armed Forces of Colombia (FARC).

All three groups have been designated as foreign terrorist groups by the U.S. State Department.

Government informants posed as FARC representatives and were told by the defendants their drug shipment would be protected by al Qaeda in the Islamic Maghreb, a group formerly known as the Salafist Group for Preaching and Combat that joined Osama bin Laden's network in 2006 and changed its name.

The men said in recorded conversations that their associates in al Qaeda could ensure safe passage through the West African country of Mali, into North Africa and onto Spain, prosecutors said.

"Al Qaeda of the Maghreb is obviously earning money from this illicit trafficking based on the statements of these individuals," Russell Bensen, the DEA's regional director for Europe and Africa, told Reuters in an interview from Rome.

He said the arrests are the first time the DEA has established that drug traffickers "utilize al Qaeda elements to facilitate security for drug trafficking in West Africa."

The men are each charged with anti-terrorist conspiracy and conspiracy to provide material support to a foreign terrorist organization. They were due to appear on Friday at U.S. District Court in Manhattan.

Drug flights from South America to West African countries such as Guinea Bissau became common in the last three years and officials have seized ton-quantities of cocaine, the DEA said.

-----------------------------

Douglas Farah posted a recent entry - Al Qaeda and the West African Drug Trade
http://www.douglasfarah.com/article/519/al-qaeda-and-the-west-african-drug-trade.com