Saturday, February 28, 2009

'Tokenization' Touted to Increase Credit Card Data Security

Via -

Remember the business bestseller, "Who Moved My Cheese?"

Even the most sophisticated hackers may be asking that very question the next time they attempt a Heartland-size credit card heist if a new data security technology called tokenization catches on with the payment industry.

The concept behind tokenization is remarkably simple: Data thieves can't steal what isn't there.

Tokenization intercepts your card information at the point-of-sale terminal or online payment interface and replaces your cardholder data with randomly generated proxy numbers, or tokens. The transaction then continues, under an assumed name as it were, through the normal authorization process.

The biggest difference: Your card data is never stored intact anywhere, making it nearly impossible for hackers to reassemble it through decryption or reverse engineering.

Hack into your merchant's database or that of the payment processor and all you'll receive for your trouble are worthless tokens.

The only place your card data actually resides is at the data facility of the third-party provider that administers the tokenization program. But hack into their database and all you'll find is the digital equivalent of jigsaw puzzle pieces scattered across multiple locations.
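How the mechanism described above looks in code, as an added example that is not Shift4's 4GO or any vendor's product: a token vault that is the only system ever holding a card number, a merchant database that holds tokens only, and the attacker's view of a stolen merchant dump. Class and function names are assumptions; the card numbers in the usage are constructed, publicly known test PANs. One caveat a practitioner will want that the article glosses over: the token must be random (or produced by a strong keyed construction inside the vault), never a plain hash of the PAN, because with the six-digit BIN known and Luhn fixing one digit a 16-digit PAN has only about 10^9 candidates, which is a trivial offline brute force.

```python
"""Token vault sketch illustrating the tokenization flow the article describes.
Added example, not Shift4's 4GO or any vendor's implementation. Class and
function names are assumptions; the PANs used below are constructed test
numbers, not real cards."""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check. Used to sanity-check inputs and to guarantee a token
    is *not* a valid card number, so a leaked token can never be charged."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only system that ever holds a PAN. Tokens are drawn at random, so a
    token carries no information about the PAN: nothing to decrypt, no key to
    steal from the merchant. (A plain hash of the PAN would NOT do; the PAN
    space is small enough to brute-force offline.)"""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_index = {}
        # Assumption: this key lives only inside the vault. It exists so a
        # repeat customer gets the same token without the vault keeping a
        # plaintext PAN index.
        self._index_key = secrets.token_bytes(32)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # Format-preserving: same length, same last four (receipts, customer
            # service), random elsewhere, and deliberately Luhn-invalid.
            middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            if token not in self._pan_by_token and not luhn_ok(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor-side authorization path ever calls this."""
        return self._pan_by_token[token]


class MerchantStore:
    """Merchant-side order database: tokens only, never a PAN."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders = []

    def checkout(self, pan: str, amount_cents: int) -> str:
        token = self._vault.tokenize(pan)  # the PAN leaves the merchant here
        self.orders.append({"token": token, "amount_cents": amount_cents})
        return token

    def authorize_all(self):
        """What the processor sees once it detokenizes on its own side."""
        return [(self._vault.detokenize(o["token"]), o["amount_cents"]) for o in self.orders]


def dump_contains_pans(store: MerchantStore, pans) -> bool:
    """Attacker's view: dump the merchant table and look for any usable card number."""
    dumped = {o["token"] for o in store.orders}
    return any(p in dumped for p in pans) or any(luhn_ok(t) for t in dumped)


if __name__ == "__main__":
    vault = TokenVault()
    store = MerchantStore(vault)
    test_pans = ["4111111111111111", "5500000000000004"]  # constructed test PANs
    for p in test_pans:
        print(p, "->", store.checkout(p, 1999))
    print("merchant dump leaks a usable PAN:", dump_contains_pans(store, test_pans))
```

The vault is the new single point of compromise, which is exactly why the article stresses where it lives and who operates it; the merchant's PCI scope shrinks only if the PAN genuinely never touches merchant storage, including logs and backups.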

"People ask, 'Why can't what happened to Heartland happen to you?'" says Randy Carr, vice president of marketing for Shift4, developer of the 4GO tokenization technology. "You would have to steal numerous people in numerous buildings to actually steal a credit card number from us." While no system built by man can be considered 100 percent hack-proof, tokenization may be the next best thing.

"I think the concept of tokenization is good," says Troy Leach, technical director of the Payment Card Industry (PCI) Security Standards Council. "That is why the council is exploring the concept this year. We're asking, 'Does tokenization simplify the process of PCI compliance for merchants, or does it provide additional complexity?'"


The March 2009 issue of INSECURE Magazine (PDF) is a good write-up on tokenization as well.

BT Reprograms Business Customers as Hotspots

Via The Register UK -

BT has begun transforming its commercial customers' Business Hubs into OpenZone hotspots for any passing Tom, Dick or Harry to share, and leaving businesses to figure out how to opt out of the scheme after the fact.

Under the scheme, 20,000 BT Business Broadband customers have already had their hubs upgraded, with another 200,000 being seconded into the OpenZone network over the next few months.

BT assures us that everyone received a notification e-mail providing details of how to opt out of the sharing arrangement.

The e-mail sent out to business customers explains that the hub will receive an overnight upgrade, warning the user to leave it switched on and so forth, before slipping in the exciting news, at paragraph four, that following the upgrade total strangers will be able to share their bandwidth:

"After the upgrade BT Openzone will be ENABLED, offering your visitors and customers secure, public wireless internet access using your Hub as a BT Openzone wireless hotspot."

BT reckons this is just what businesses want: they'll be able to resell OpenZone vouchers to visitors and make a few quid, as well as sharing their bandwidth with all and sundry.

We spoke to BT who passed on a press release that was apparently sent out to selected media (El Reg comms editor excluded, natch) at the end of January.

"Free BT public wi-fi hotspot for every business broadband customer" claims the release, proudly suggesting that "Hub owners buy BT Openzone access vouchers ... and can choose to pass the vouchers to their customers or resell the prime business service and add revenue", so you can either screw visitors to your office by selling them vouchers, or pay BT twice for the same bandwidth by giving them away.

BT claims the OpenZone users are securely separated from local users, and has the experience of Fon to back that up. But hitting customers twice for the same bandwidth is certainly a new low for the former-monopoly telco.

BT does offer instructions for turning off the hotspot, and the company isn't expecting customers to share their bandwidth for nothing. Assuming you don't disable the hotspot then you get entered into a prize draw and could be the lucky owner of an iPod Touch (8GB), or even a few hours of free OpenZone access - which might be useful if you're visiting a company that wants to sell you access.

Reg reader Tim was not convinced, telling us "I wouldn’t mind so much if we didn’t get such a paltry speed from our BT connection. Well, no, actually I would still mind then too."

DARPA Orders 'Katana' Monoblade Nano-Copter

Via The Register UK -

Famed Pentagon crazytech bureau DARPA has handed out half a million greenbacks to buy a tiny one-bladed robot helicopter slightly bigger than a coin, dubbed "Katana" and apparently intended for "indoor military missions".

DARPA - renowned for being of the dungeon laboratory school of science rather than the ivory tower one - made the ink-on-contract announcement this week, awarding $546,076 to US arms gigantocorp Lockheed "to perform the Katana: Mono-Wing Rotorcraft for Tactical Applications effort".

Lockheed had previously done early development work on a tiny, single-rotor aircraft modelled on the "samara" whirling winged seeds found in nature. That effort was dubbed "Samarai", as a portmanteau of samara and samurai.

The Samarai, developed under DARPA's Nano Air Vehicle plan, was intended to be a remarkable gadget which US soldiers or intelligence operatives could carry pocketed in a small blister pack. To take off it would spin up on a handheld spindle, driven by a blade-tip jet running off a tiny propane reservoir in the hub.

The propane tip-jet would offer flight endurance of twenty minutes, allowing the tiny whirling Samarai to fly off and into a target building up to a kilometre away under remote control. Advanced micro-electronics would allow it to deliver a useable video image back to its operator despite the fact that the whole thing was spinning very fast. (A Lockheed paper (pdf) gives the impression that the operator might be using a Sony PSP to control the machine.)

Having reconnoitred the building, and perhaps dropped off a small 2g "payload" - presumably a bug - the Samarai would fly out again and stall in to land on command for recovery. Though an operator could easily carry several spare microchoppers, refuelling "approximating the ease with which a cigarette lighter would be refuelled" would allow easy re-use.

But following Phase I design studies for the Nano Air Vehicle effort, DARPA seemed to favour Aerovironment's rival micro-ornithopter concept and Samarai seemed to be kicked into touch.

Given the name*, the relatively small amount of money involved, and the fact that it is a "mono-wing rotorcraft" it seems pretty clear that Katana is in fact son of Samarai. The boffinry chiefs at DARPA have awarded the Katana money not under the Nano Air Vehicle programme, but under a general heading of "Innovative Systems" funding for which inventors are invited to apply with their own ideas.

It would seem that someone at Lockheed has jazzed up the Samarai plans in some unspecified fashion, re-applied to DARPA under the name "Katana", and so breathed life back into the programme.

*In old-time Japan the Katana was the long sword of the Samurai warrior, of course.

Friday, February 27, 2009

UK Encryption Demands Ignored by Quarter of MoD Contractors

Via -

Companies working on confidential UK defence information are not complying with government demands to encrypt data.

One-quarter of contractors which either access the Ministry of Defence Restricted Network or who work on classified or above information have failed to confirm they encrypt all defence data held on laptops and portable media - a requirement under the MoD's List-X Notice security standards.

In a written answer to Parliament, defence minister Bob Ainsworth this week said that just over eight per cent of contractors confirmed they do not comply with the MoD's List-X Notice on laptop and media encryption, while just over 18 per cent have not confirmed whether or not they meet the standard.

An MoD spokeswoman told that a small number of contractors have said that compliance with the encryption standards was "not practicable". The MoD is working with those contractors to minimise the risk of losing data, she added.

Ainsworth said almost 23,000 contracts were placed in the financial year 2007/08 and that the MoD expects to confirm full compliance with all its suppliers by the end of March.

The MoD issued the List-X Notice in response to the government's Data Handling Review last year, which recommended personal data on all portable computers and media be encrypted.

The review was introduced following a number of data losses by the government, starting with HM Revenue and Customs' loss of 25 million child benefit records in 2007.

What about cutting ties with those that don't comply?

Demands or requirements with no teeth / bite are pretty much worthless.

Pakistan Foreign Minister: Al Qaeda Not Allowed ‘in Swat’

Via Gulf Times -

Pakistan’s foreign minister vowed yesterday his government would not tolerate Al Qaeda in its Swat Valley despite accepting a peace deal that includes imposition of Shariah law. The West has voiced fears that the scenic valley, just 100 miles from Pakistan’s capital, will turn into a safe haven for militants much like nearby Afghanistan during the 1996-2001 reign of the Taliban.

But Foreign Minister Shah Mehmood Qureshi, in Washington for a three-way strategy review with the United States and Afghanistan, said the presence of Al Qaeda in the Swat Valley was “negligible if any.”

“The Taliban will not be in charge. The government of Pakistan will be in charge there. We are not compromising with the Taliban,” Qureshi told PBS public television. “We have pushed Al Qaeda out ... of Swat and we are going to drive them out of the tribal belt,” he said.

The Pakistani government has accepted the ceasefire with militants in the Swat Valley who waged a bloody two-year campaign that included forcibly shutting girls’ schools and curbing entertainment.

Qureshi said Pakistan wanted girls’ schools to reopen but stood by his stance that the Shariah deal was a local agreement aimed at better administering justice.

Grand Jury Charges Enemy Combatant With Supporting Al-Qaeda

Via -

Prosecutors today unsealed criminal charges against suspected al-Qaeda sleeper agent Ali Sahleh Kahlah al-Marri, setting in motion his transfer from a South Carolina naval brig into the custody of the Justice Department in one of the government's most closely watched terrorism cases.

Marri, 43, has spent the past 5 1/2 years in confinement in the military prison as the country's sole remaining "enemy combatant."

With the conspiracy and material support for terrorism charges unveiled today in federal court in Peoria, Ill., U.S. law enforcement officials are seeking to avert a Supreme Court hearing that could tie their hands in the handling of future terrorism suspects.

"This indictment shows our resolve to protect the American people and prosecute alleged terrorists to the full extent of the law," said Attorney General Eric H. Holder Jr. "In this administration, we will hold accountable anyone who attempts to do harm to Americans, and we will do so in a manner consistent with our values."


"This case is now finally where it belongs: in a legitimate court that can fairly determine whether Mr. al-Marri is guilty of a crime," said Jonathan Hafetz, attorney with the ACLU National Security Project and lead counsel in al-Marri's Supreme Court case.

If Marri is convicted, the Qatar citizen faces as many as 15 years in prison, authorities said.

Research: 76% of Phishing Sites Hosted on Compromised Servers

Via ZDNet -

In a newly released paper entitled “Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing” Tyler Moore and Richard Clayton provide empirical evidence according to which 75.8% of the phishing sites that they’ve analyzed (2486 sites) were hosted on compromised web servers to which the phishers obtained access through Google hacking techniques (search engine reconnaissance).

The research also indicates that not only are legitimate sites (unknowingly) providing hosting services to scammers, but also that 19% of the vulnerable sites that they’ve analyzed were recompromised within six months.

This efficient exploitation approach using “evil searches” is in fact so efficient, that the majority of large scale SQL injection attacks that took place in 2008 were performing automatic search engine reconnaissance and later on exploiting the affected sites.

The trend has proven itself with cases where for instance the web sites of the U.K.'s Crime Reduction Portal, a Police Academy in India, government servers across the world and even a Chinese bank were all hosting phishing pages through the exploitation of their web servers.


Search engine reconnaissance or “Google hacking” is a legitimate penetration testing practice that cybercriminals naturally take advantage of as well.


The bottom line - if you don’t take care of your web application based vulnerabilities, someone else will. And yes, they will come back six months later to find out whether the web servers still remain vulnerable.
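The recon-then-exploit pattern the paper describes, seen from the defender's side of the web server: an added example, not code from Moore and Clayton's paper or from ZDNet. It parses combined-format access log lines, recognises arrivals whose referer is a search-engine results page for a query containing "Google hacking" operators, and flags what that same client does next within a window (a POST, or a request to a different script). The log lines are constructed with RFC 5737 test addresses; the engine list, operator list and one-hour window are assumptions a defender would tune.

```python
"""Spotting 'evil search' arrivals in a web server access log.
Added example, not from the Moore/Clayton paper or ZDNet. The log lines are
constructed (RFC 5737 addresses); SEARCH_ENGINES, DORK_OPS and the window
are assumptions."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
SEARCH_ENGINES = ("google.", "bing.", "yahoo.", "live.")
DORK_OPS = ("inurl:", "intitle:", "intext:", "filetype:", "powered by")


def parse_line(line):
    """Combined log format -> dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def search_query(referer):
    """Lower-cased query if the referer is a search results page, else None."""
    u = urlsplit(referer)
    if not any(e in u.netloc for e in SEARCH_ENGINES):
        return None
    qs = parse_qs(u.query)            # decodes %xx and '+' for us
    for key in ("q", "p", "query"):   # google/bing, yahoo, generic
        if key in qs:
            return qs[key][0].lower()
    return None


def is_dork(query):
    return any(op in query for op in DORK_OPS)


def evil_search_followups(lines, window_s=3600):
    """For each IP that landed via a dork query, report later requests inside
    the window that POST or touch a different script: recon turned exploitation."""
    landed = {}      # ip -> (arrival time, query, landing script)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = search_query(rec["ref"])
        if q is not None and is_dork(q):
            landed[rec["ip"]] = (rec["ts"], q, rec["path"].split("?")[0])
            continue
        if rec["ip"] not in landed:
            continue
        t0, q, landing = landed[rec["ip"]]
        age = (rec["ts"] - t0).total_seconds()
        path = rec["path"].split("?")[0]
        if 0 <= age <= window_s and (rec["method"] == "POST" or path != landing):
            findings.append({"ip": rec["ip"], "dork": q, "landing": landing,
                             "followup": f'{rec["method"]} {path}',
                             "status": rec["status"]})
    return findings


# Constructed sample: one client arrives via a dork, uploads, then fetches the
# phishing page it just planted; a second client arrives via an ordinary query.
SAMPLE_LOG = """\
198.51.100.7 - - [27/Feb/2009:10:02:11 +0000] "GET /gallery/upload.php HTTP/1.1" 200 512 "http://www.google.com/search?q=inurl%3Agallery%2Fupload.php+%22powered+by%22" "Mozilla/5.0"
198.51.100.7 - - [27/Feb/2009:10:03:40 +0000] "POST /gallery/upload.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Feb/2009:10:04:02 +0000] "GET /gallery/files/bank-login/index.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Feb/2009:10:05:00 +0000] "GET /about.html HTTP/1.1" 200 900 "http://www.google.com/search?q=acme+widgets+opening+hours" "Mozilla/5.0"
203.0.113.5 - - [27/Feb/2009:10:05:10 +0000] "GET /contact.html HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in evil_search_followups(SAMPLE_LOG.splitlines()):
        print(f)
```

The referer is attacker-controlled and easily omitted, so this catches the lazy majority rather than a careful intruder; its real value is that the dork itself tells you which script the attacker believed was vulnerable, which is the one to patch before the six-month recompromise visit the paper measured.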


During my time as a CastleCops PIRT handler, I was personally involved in reporting & assisting in the takedown of hundreds of phishing sites...most of them on hacked servers.

Sadly, many of the administrators of the hacked servers didn't even know they were hacked and lacked the general security experience to properly secure their servers. Many (if not most) were running out-dated versions of software, like PHP.

The work was tedious and often very repetitive but I was honored to work on the project while it lasted.

FBI Raids University of Florida Nuclear Power Institute

Via (Jacksonville) -

A nuclear space power institute at the University of Florida has been raided by the FBI. Supervisory Assistant U.S. Attorney Karen Rhew in Tallahassee said search warrants were served at the university's Innovative Nuclear Space Power and Propulsion Institute.

Rhew would not comment on the target of the investigation, but University of Florida spokesman Steve Orlando said the FBI was in the office of professor Samim Anghaie, the Iranian-born director of the institute.

Rhew would not comment on the investigation but did say no arrest warrants have been issued. Orlando said the university is cooperating with the investigation and Anghaie's employment status is being reviewed.

Bulgarian Hacker Sentenced for Stealing Millions from U.S. Credit Cards

Via (TechTarget) -

A Bulgarian man was given a 4-1/2 year jail sentence for his connection to a cybercriminal gang that bilked millions of dollars from stolen credit cards.

Reuters news agency reported Monday that Issa Mehmed, 28, and four members of an organized cybercriminal gang were given varying sentences for money laundering, financial fraud and extortion tied to spending millions on stolen credit cards. Mehmed pled guilty to the crimes.

Reuters said most of the credit and debit cards belonged to U.S. citizens. The Bulgarian District Court of Varna said the gang conducted operations from June 2003 until January 2008, when the members were arrested.

The sentence requires Mehmed to pay back $1.19 million in stolen funds and pay a $3,000 fine.

Local Governments Allegedly Selling Social Security Numbers Online

Via WkowTV (Madison, WI) -

Dr. Joe Campana, a privacy and information security expert and author of a book on privacy and information security, Privacy MakeOver: The Essential Guide to Best Practices, recently produced a short video for National Data Privacy Day 2009, "Stealing Social Security Numbers on the Web", which demonstrates how easy it is to access Social Security Numbers on government Web sites. Campana produced and published the video to bring this common risk to the attention of consumers.

Campana said, "What I didn't realize, when I produced the video last month, was that the County I reside in allows access to taxpayer Social Security Numbers through Web access to land and other legal records." He said, "You don't even have to go to the County Clerk's Office to get them, the county is selling Social Security Numbers through the web for $5.95."

Dr. Campana said he accessed the records through the Dane County, Wisconsin Web site. The county provides online access through Tapestry, a third party system operated by Fidlar Technologies (Rock Island, IL) that maintains the records. Web access to records on Tapestry is available for 17 counties in Wisconsin and nearly 100 counties nationwide in nine states.

The video Campana produced last month highlighted a County in Oklahoma whose database is maintained and operated by ACS Government Land Records, which provides services to about 50 counties in several states. Access to that county's records is free.

Campana said, "These data management companies ought to be taking a responsible role in managing consumer records. They should be advising their clients, local government, that today they shouldn't allow Social Security Numbers and other sensitive information to be visible for crooks to cherry pick!"

Campana notes, "Social Security Numbers can be used to perpetrate a wide variety of identity theft crimes including medical identity theft; committing crimes under the identity of an innocent person; obtaining false government identification such as driver's licenses and passports that can be used for nefarious purposes such as eluding law enforcement and acts of terrorism; and for various types of fraud--financial, account, employment, Social Security, tax, and insurance"

Campana says that Wisconsin's Breach Notification Law (895.507) specifically requires any organization including local government to notify consumers when their personal information is disclosed if the information is not publicly available and is not encrypted, redacted or rendered unreadable.

North Korea 'Satellite' Launch Expected in Early March

Via Yahoo! News (AP) -

North Korea announced earlier this week that it was preparing to shoot a communication satellite into orbit as part of its space program. The U.S., South Korea and other neighboring countries believe the launch may be a cover for a missile test-fire, saying the action would trigger international sanctions.


Rodger Baker, director of East Asia analysis at STRATFOR, a global intelligence company, said the launch of the Taepodong-2 will most likely take place around the first week in March, around the time of elections for the North's rubber-stamp parliament.

The long-range Taepodong-2 missile is believed capable of reaching Alaska. Some experts think the North is preparing to test an advanced version that could reach the western continental U.S.

Baker said that North Korea's missile capability was "fairly sophisticated" given the country's isolation and lack of access to technology.

"They are really good with short-range and anti-ship missiles, mostly those they've modified from Soviet and Chinese missiles," Baker told The Associated Press.


South Korea's Dong-a Ilbo newspaper reported Thursday that North Korea has built an underground fueling facility near its launch pad, making it harder for spy satellites to detect signs that a missile is being prepared for launch.

Wednesday, February 25, 2009

Russia Says Found Stolen Weapons Heading to China

Via Yahoo! News (AP) -

Russian news agencies are quoting a senior prosecutor as saying that his office has exposed an attempt by military officers to smuggle $18 million worth of stolen Russian weapons to China.

The agencies quoted Chief Military Prosecutor Sergei Fridinsky as saying Wednesday that some officers and businessmen shipped the weapons to the ex-Soviet republic of Tajikistan for subsequent smuggling to neighboring China.

Fridinsky said the stolen weapons included 30 anti-submarine missiles and about 200 bombs.

China has been a top customer for Russian weapons since the 1990s. But Russian authorities have also nabbed some military officers and civilians who they accuse of smuggling weapons and sensitive technologies into China.

US Holds 750 in Mexican Drug Cartel Raids

Via BBC -

US federal agents have arrested some 750 people across the country in a crackdown on Mexican drug cartels, US Attorney General Eric Holder has said.

Among them were 52 people arrested on Wednesday in California, Minnesota and Maryland in raids targeting the powerful Sinaloa cartel, he said.

Agents also seized 23 tonnes of drugs in the 21-month operation.

A 2008 justice department report found Mexican traffickers were the biggest organised crime threat to the US.

Most of the cocaine available in the US is smuggled via the US-Mexican border, while Mexican drug traffickers control most of the US drug market.

Mexican smugglers are also increasingly working with US gangs, the report found.

The Sinaloa cartel is one of four main Mexican drug-trafficking groups, the others being the Gulf cartel, the Tijuana cartel and the Juarez cartel.

The US Congress has authorised the spending of $1.6bn (£1.1bn) dollars to confront the threat of drug trafficking and organised crime from Mexico and Central America.

So far, $197m (£138m) has been released for military and law enforcement training and equipment in Mexico.

Some 6,000 people were killed last year in Mexico in violence linked to organised crime. Mexican media reported that by mid-February this year there had already been 1,000 killings.

Tuesday, February 24, 2009

UK Government Wants UAVs to Watch Bad Guys (and You)

Via DailyMail UK -

Pilotless planes used to track the Taliban could soon be hovering over our streets, it has emerged.

Remote-controlled drones are already used widely by the military. Now ministers believe they are likely to become 'increasingly useful' for police work.

Armed with heat-seeking cameras, the Unmanned Aerial Vehicles would hover hundreds of feet in the air, gathering intelligence and watching suspects.

In theory, their advantages are clear. They are cheaper and quieter than conventional helicopters, can circle their target for hours without refuelling - and they don't get bored on long surveillance missions.

However, their use is likely to further fuel concerns about our march towards a Big Brother state. Britain already has more CCTV cameras than the rest of Europe put together.

More than four million closed-circuit TV cameras cover the streets; cars are monitored using cameras that check registration plates and a new law will see footage taken of shoppers buying alcohol.

The plan to deploy 'spy in the sky' planes is outlined in the Home Office's latest Science and Innovation Strategy. It says: 'Unmanned Aerial Vehicles are likely to be an increasingly useful tool for police in the future, potentially reducing the number of dangerous situations the police may have to enter and also providing evidence for prosecutions and support police operations in "real time".'

Two years ago, Tony McNulty, then a Home Office minister, acknowledged that scientists were exploring the use of UAV technology for a 'range of policing and security applications'.

They could be used by MI5 to watch a suspect's address for long periods or track a car for miles.

The drones could also help officers plan raids in locations that are hard to reach, to record and monitor accidents or to spot speeding offences or reckless or uninsured drivers.


Mark Wallace, of the Taxpayers' Alliance, said: 'I think a lot of people would be concerned at the Home Office looking to use technology more generally associated with the tribal borders of Pakistan and the fight against terror over British towns to watch the British public.

'It is not necessarily as glamorous or as high-tech, but a bobby snapping cuffs on a criminal is the most productive approach.'

Beijing's Top Internet Spy Arrested

Via -

The head of the internet monitoring department of Beijing's Municipal Public Security Bureau was arrested on suspicion of taking more than RMB 40 million ($5.8 million) in bribes to help an anti-virus company defeat its competitor.

Yu Bing, whose bureau monitors e-mail and web usage in the country as part of China's Great Firewall surveillance system, is accused of taking money from Rising, an anti-virus firm, to frame an executive at its competitor, Micropoint Technology. A vice president of Rising has been arrested as well under suspicion of bribing Yu.

Yu and fellow police officers allegedly manufactured evidence against Micropoint Vice President Tian Yakui proving that he spread computer viruses and broke into a computer system to steal trade secrets. Tian reportedly spent 11 months in prison on the charges, and Micropoint encountered three years of obstacles to launch its anti-virus software. Tian was targeted apparently because he was a former vice president at Rising who left the company with Rising's former managing director to build Micropoint.

Micropoint is planning to sue Rising for an estimated RMB 30 million ($4.3 million) in losses. Rising has fired back at the allegations, accusing Micropoint of manufacturing the claims to ruin Rising.

Over 80,000 Zimbabweans Infected With Cholera

Via -

Over 80,000 people have been infected with cholera in Zimbabwe, according to the latest figures released by the World Health Organization (WHO).

With 3,759 lives lost already, the Case Fatality Rate (CFR) of the outbreak - described as "one of the world's largest ever recorded" by the WHO - has also remained shockingly high.

Cumulatively, since the outbreak started in August 2008, 4.7 percent of those infected have died, the WHO's update on 19 February said. In some areas daily CFRs as high as 74 percent have been registered. The WHO has noted that the acceptable level should be below 1 percent.

Over 60 percent of deaths were being recorded at community level rather than within health facilities, the report said.

Somali Suicide Bomber Radicalized in Minnesota

Via NYTimes -

The F.B.I. director, Robert S. Mueller III, said Monday that a Somali-American man who was one of several suicide bombers in a terrorist attack last October in Somalia had apparently been indoctrinated into his extremist beliefs while living in the United States.

The man, Shirwa Ahmed, was the first known suicide bomber with American citizenship. He immigrated with his family to the Minneapolis area in the mid-1990s, Mr. Mueller said, but he returned to Somalia after he was recruited by a militant group.

“It appears that this individual was radicalized in his hometown in Minnesota,” Mr. Mueller said, speaking at a meeting of the Council on Foreign Relations. Minneapolis claims the country’s largest Somali population.

Mr. Ahmed was driving a vehicle laden with explosives that blew up in northern Somalia in an attack that killed as many as 30 people, according to news reports. His body was returned to the United States with the help of the F.B.I.

Federal authorities have said that Mr. Ahmed was one of as many as two dozen young men of Somali descent who had disappeared in the past two years from their homes in the Minneapolis area after being recruited by the Shabab, a militia that is suspected of having ties to Al Qaeda and that has waged a war against the Somali government.

Mr. Mueller suggested that Somali recruiting posed a serious issue for the F.B.I., which has sought the cooperation of the Somali community to try to understand whether the recruiting represents a threat.

“It raises the question of whether these young men will one day come home, and, if so, what might they undertake here,” he said.

The Best Defense is Information

Via Metasploit Blog -

Over the last two months, rumors of an unpatched vulnerability in the Adobe Acrobat products have been circulating. Last Thursday (the 19th), the Shadowserver folks confirmed that there is an exploit in the wild and that they had obtained a sample. A few hours later, Adobe confirmed the issue in their official advisory. McAfee, Symantec, and others have all chimed in saying that they have samples dating back as far as January and even December of last year. Symantec published a response almost a week before the Adobe advisory.

The exploit was detected in the wild, is being actively exploited, and it wasn't until the Shadowserver folks wrote a summary of the issue that Adobe bothered to issue an advisory. With the February 12th coverage date from Symantec, we can only assume that they contacted Adobe as well and provided any sample they had access to. Adobe's official response is that a patch for Adobe Acrobat 9 will be made available on March 11th, but no timeline has been issued for older versions. Compare this to Microsoft's response to MS08-078, MS08-067, or even MS06-001 and you can see a clear difference in how these companies respond to real-world attacks against their user base.


The strongest case for information disclosure is when the benefit of releasing the information outweighs the possible risks. In this case, like many others, the bad guys already won. Exploits are already being used in the wild and the fact that the rest of the world is just now taking notice doesn't mean that these are new vulnerabilities. At this point, the best strategy is to raise awareness, distribute the relevant information, and apply pressure on the vendor to release a patch.

Adobe has scheduled the patch for March 11th. If you believe that Symantec notified them on February 12th, this is almost a full month from news of a live exploit to a vendor response. If the vendor involved was Microsoft, the press would be tearing them apart right now. What part of "your customers are being exploited" do they not understand?


Well said...

Adobe, are you listening? Hello?

SSLStrip Hacking Tool Gets 'Hacked,' Then Released

Via DarkReading -

In a bizarre twist, a hacker hacked into another hacker's Web server and forced the release of a hacking tool that was first demonstrated last week at Black Hat DC. The so-called SSLStrip tool, which basically makes users think they are visiting a secure Website when they are not, is now available for download.

Moxie Marlinspike, the hacker who created and demonstrated the tool in his Black Hat talk, had planned to eventually release the tool, but went ahead and officially did so late yesterday after an unknown hacker apparently sniffed out the URL Marlinspike was using to develop the tool and blasted it on Slashdot.

"Greetings slashdotters. Apparently the demand for this has been so great that someone went to the trouble of wardialing for the unpublished URL where sslstrip was being staged on my webserver. Then having guessed the correct URL, and not content to merely have access, they also slashdotted it," Marlinspike wrote in a message on his Website.

Marlinspike's tool lets an attacker or researcher stage a man-in-the-middle attack against a Secure Sockets Layer (SSL) Web session. Marlinspike says there's no simple fix for defending against the attack because it's not a typical software bug or protocol vulnerability that can be patched. "It's hard to fix," he said in an interview. "This attack comes closer to an implementation's a problem with the way SSL is deployed."
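What "making users think they are visiting a secure Website when they are not" means mechanically, as an added example that is a toy model and not Marlinspike's sslstrip: the attacker never touches the TLS session itself. He sits on the victim's plaintext side, rewrites every https:// reference (redirects, links, cookie flags) to http://, and keeps the real https connection to the server for himself, so the server sees a normal secure session and the victim sees a site that simply never offered one. The proxy, browser and server response are constructed with assumed names. The only hook shown on the defender's side is a browser that already knows a host must be https and upgrades before anything hits the wire; that is the idea later standardized as HTTP Strict Transport Security (RFC 6797), which postdates this post and only helps once the browser has learned the policy on an un-attacked visit.

```python
"""SSL-stripping simulation. Added example, not Moxie Marlinspike's sslstrip;
proxy, browser and the server response are constructed toy models with
assumed names."""
import re
from urllib.parse import urlsplit, urlunsplit


class StrippingProxy:
    """Attacker in the middle. The victim only ever sees http://; the proxy
    remembers which hosts it must talk to over https on the server side."""

    def __init__(self) -> None:
        self.upgrade_hosts = set()

    def rewrite_url(self, url: str) -> str:
        parts = urlsplit(url)
        if parts.scheme != "https":
            return url
        self.upgrade_hosts.add(parts.netloc)
        return urlunsplit(("http",) + tuple(parts[1:]))

    def rewrite_response(self, status: int, headers: dict, body: str):
        headers = dict(headers)
        if "Location" in headers:
            headers["Location"] = self.rewrite_url(headers["Location"])
        if "Set-Cookie" in headers:
            # Drop the Secure flag so the victim will send the cookie over http.
            headers["Set-Cookie"] = re.sub(r";\s*Secure", "", headers["Set-Cookie"], flags=re.I)
        if "Strict-Transport-Security" in headers:
            # A first-visit victim never learns the policy if the proxy strips it.
            del headers["Strict-Transport-Security"]
        body = re.sub(r"https://[^\s\"'<>]+", lambda m: self.rewrite_url(m.group(0)), body)
        return status, headers, body

    def scheme_to_server(self, host: str) -> str:
        """Upstream leg: the server still sees a perfectly normal https client."""
        return "https" if host in self.upgrade_hosts else "http"


class Browser:
    """Victim. hsts_hosts models a policy cached on an earlier, un-attacked
    visit (or a preload list); an empty set is the 2009 browser."""

    def __init__(self, hsts_hosts=()):
        self.hsts = set(hsts_hosts)

    def scheme_on_wire(self, url: str) -> str:
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.netloc in self.hsts:
            return "https"  # upgraded internally before any packet leaves
        return parts.scheme


# Constructed server response: redirect to the https login page, a Secure
# session cookie, an HSTS header, and a page body carrying an https link.
SERVER_RESPONSE = (
    302,
    {"Location": "https://bank.example/login",
     "Set-Cookie": "session=abc123; Secure; HttpOnly",
     "Strict-Transport-Security": "max-age=31536000"},
    '<a href="https://bank.example/login">Log in</a>',
)


def victim_flow(hsts_hosts=()):
    """Returns (scheme the victim uses, scheme the proxy uses upstream,
    headers as the victim received them, body as the victim received it)."""
    proxy = StrippingProxy()
    browser = Browser(hsts_hosts)
    _, headers, body = proxy.rewrite_response(*SERVER_RESPONSE)
    victim_scheme = browser.scheme_on_wire(headers["Location"])
    return victim_scheme, proxy.scheme_to_server("bank.example"), headers, body


if __name__ == "__main__":
    print("2009 browser :", victim_flow()[:2])
    print("HSTS browser :", victim_flow(hsts_hosts=["bank.example"])[:2])
```

Nothing here breaks SSL, which is Marlinspike's point: the server's certificate is valid, the upstream handshake is genuine, and the only thing the victim could have noticed is the absence of a padlock that was never promised.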

Heartland Related Phishing Scam Hits Texas Bank

Via BankInfoSecurity -

A bank in Texas reports that its customers are being targeted in a phishing scam related to the Heartland breach. Extraco Bank in Killeen, TX had to replace 9,000 cards that were compromised. On Saturday, the bank told customers in an email that if they received a text message or page that told them to call an 866 number and asked for debit or credit card number, expiration date and PIN numbers, to contact the bank. It is a phishing scam, the bank told its customers.

The local paper, The Killeen Daily Herald, reported the bank's phishing scam on Sunday. Identical scams were already reported in other local area cities, says Extraco. The bank is working with AT&T and the U.S. Secret Service to trace the scammer and get the number disconnected.


The number of financial institutions that stepped forward to say their customers' credit or debit cards were compromised because of the Heartland Payment Systems (HPY) data breach has now reached more than 500.

Chicago Mayor Wants Camera on Every Street Corner

Via SunTimes -

Mayor Daley has argued that security and terrorism won’t be an issue if his Olympic dreams come true because, by 2016, there will be a surveillance camera on every street corner in Chicago.

But even before that blanket coverage begins, the “Big Brother’’ network is being put to better use.

Call takers and dispatchers now see real-time video if there is a surveillance camera within 150 feet of a 911 call, thanks to a $6 million upgrade to the city's "computer-aided dispatch" system.

When live video appears, call takers can pan, tilt and zoom those cameras to get the best possible view of a crime or disaster scene.

“As a first responder, I can’t tell you how important it is to have a set of eyes on an emergency scene prior to your arrival. The valuable information they provide from the camera network can ultimately mean the difference between life and death,” said Ray Orozco, executive director of the city’s Office of Emergency Management and Communications.

“Whether you send one ambulance or three, two squad cars or four, it all depends upon the information we are able to gather from the 911 caller,” said Orozco, a former fire commissioner.

During a December test, live video was used to catch a petty thief in the act of sticking his hand in a Salvation Army kettle outside Macy’s on State Street.

But, the crime-fighting potential is “limitless,” said Police Superintendent Jody Weis.

“You know what the suspect’s vehicle might be. It can give us instant leads. . . . We may get some information from that where we may not even respond to that location. We could actually get ahead of it and go to a place where that vehicle maybe was last seen or the individual might be running to,” Weis said.

And, “If we can warn our officers of any dangers they’re facing ahead of time, it’s a tremendous advantage.”

Although the city’s vast surveillance network includes cameras installed at private businesses, universities and homes, Orozco said civil libertarians have nothing to fear.

“We do not and we will not take access to any camera inside of a building,’’ he said. When the city accesses private cameras, workers only see “what you would see if you were sitting on a park bench in front of that building,” he said.

Adobe Flash Player Invalid Object Reference Vulnerability

Remote exploitation of an invalid object reference vulnerability in Adobe Systems Inc.'s Flash Player could allow an attacker to execute arbitrary code with the privileges of the current user.

During the processing of a Shockwave Flash file, a particular object can be created, along with multiple references that point to it. The object can be destroyed and its associated references removed. However, one reference can incorrectly remain pointing to the destroyed object. That stale reference now points into freed memory whose contents the attacker may be able to control, which can be used to gain arbitrary execution control.
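The bug class in the advisory above is a dangling reference: one handle to an object survives the object's destruction, so whatever is later allocated in the same place is reachable through the old handle. The following is an added model of that sequence, not Adobe's code and not the Flash Player's allocator; it assumes a small slot pool with a per-slot generation counter so that the vulnerable path (trusting the slot index alone) and the hardened path (checking the generation) can be compared deterministically, without relying on undefined behaviour of a real freed pointer.

```c
/* Added model of a dangling object reference (hypothetical, not Adobe's code).
 * Objects live in a fixed slot pool; a handle is (slot, generation). The vulnerable
 * lookup ignores the generation, so a reference kept past destroy() resolves to the
 * new occupant of the slot, including its method pointer. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define POOL_SLOTS 4

typedef struct {
    int in_use;
    uint32_t generation;         /* bumped every time the slot is (re)allocated */
    void (*on_event)(void);      /* stands in for a method/vtable pointer */
    char payload[16];
} object_t;

typedef struct { uint32_t slot; uint32_t generation; } handle_t;

static object_t pool[POOL_SLOTS];

static void benign_method(void) { }
static void attacker_method(void) { }   /* stands in for attacker-controlled code */

static handle_t obj_create(void (*method)(void), const char *payload) {
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].generation++;
            pool[i].on_event = method;
            strncpy(pool[i].payload, payload, sizeof pool[i].payload - 1);
            pool[i].payload[sizeof pool[i].payload - 1] = '\0';
            return (handle_t){ i, pool[i].generation };
        }
    }
    return (handle_t){ UINT32_MAX, 0 };
}

static void obj_destroy(handle_t h) {
    if (h.slot < POOL_SLOTS) pool[h.slot].in_use = 0;   /* slot is free for reuse */
}

/* Vulnerable: trusts the slot index alone, so a stale handle aliases the new object. */
static object_t *resolve_unchecked(handle_t h) {
    if (h.slot >= POOL_SLOTS) return NULL;
    return &pool[h.slot];
}

/* Hardened: the handle's generation must match the slot's current generation,
 * so a reference that outlived its object fails closed instead of aliasing. */
static object_t *resolve_checked(handle_t h) {
    if (h.slot >= POOL_SLOTS) return NULL;
    object_t *o = &pool[h.slot];
    if (!o->in_use || o->generation != h.generation) return NULL;
    return o;
}

/* Replays the scenario: create, keep two references, destroy through one,
 * reallocate the slot with attacker-chosen contents, dereference through the
 * other. Returns 1 if the stale reference dispatched into attacker_method. */
int stale_reference_hijacked(int use_generation_check) {
    memset(pool, 0, sizeof pool);
    handle_t ref_a = obj_create(benign_method, "victim");
    handle_t ref_b = ref_a;                              /* second reference, never cleared */
    obj_destroy(ref_a);                                  /* ref_b now dangles */
    obj_create(attacker_method, "AAAAAAAAAAAAAAA");      /* constructed attacker data reuses slot 0 */

    object_t *o = use_generation_check ? resolve_checked(ref_b) : resolve_unchecked(ref_b);
    if (o == NULL) return 0;                             /* hardened path: stale handle rejected */
    o->on_event();                                       /* unchecked path: attacker's method runs */
    return o->on_event == attacker_method;
}

int main(void) {
    printf("unchecked lookup: stale reference hijacked = %d\n", stale_reference_hijacked(0));
    printf("checked lookup:   stale reference hijacked = %d\n", stale_reference_hijacked(1));
    return 0;
}
```

The generation check is the same idea as tagged or epoch-stamped handles in real allocators: it turns "use of a destroyed object" from silent aliasing into a detectable failure, which is the property the Flash code path above lacked.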


Adobe has just released a security advisory for this vulnerability. The vulnerability affects Adobe Flash Player and earlier. So, patch'em if you got'em.

I was hearing "chatter" about this vulnerability on Twitter this morning...

Then you have the confusing aspect of Adobe's actions in this matter. Why patch the Flash Player when people are actively exploiting the Reader vulnerability?

On another note, Sourcefire said an analysis of its malware database showed that attackers have been exploiting the Adobe Acrobat / Reader flaw for more than six weeks. Still no word from Adobe on suggested mitigation techniques. Security professionals in the know still suggest disabling JavaScript.

SHA-3 Round 1: Buffer Overflows

Via Fortify Blog -

NIST is currently holding a competition to choose a design for the SHA-3 algorithm (Bruce Schneier has a good description of secure hashing algorithms and why this is important). The reference implementations of a few of the contestants have bugs in them that could cause crashes, performance problems, or security problems if they are used in their current state. Based on our bug reports, some of those bugs have already been fixed. Here's the full story:

The main idea behind the competition is to have the cryptographic community weed out the less secure algorithms and choose from the remainder. A couple of us at Fortify (thanks to Doug Held for his help) decided to do our part. We're not hard-core cryptographers, so we decided to take a look at the reference implementations.

This competition is to pick an algorithm, but all of the submissions had to include a C implementation, to demonstrate how it works and test the speed, which will be a factor in the final choice. We used Fortify SCA to audit the 42 projects accepted into Round 1. We were impressed with the overall quality of the code, but we did find significant issues in a few projects, including buffer overflows in two of the projects. We have emailed the submission teams with our findings and one team has already corrected their implementation.
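The post does not say what the overflows in the two submissions looked like, so the following is an added illustration of the most common shape of that bug in a hash reference implementation, not any team's code: an Update() routine written in the shape of the NIST competition API (hashState, BitSequence, DataLength) that copies caller data into a fixed block buffer and assumes the caller never hands it more than one block's worth at a time. The compression step is a stand-in (a byte fold), since the buffering, not the hash, is the point.

```c
/* Added example of an Update() buffer overflow and its fix (hypothetical code,
 * not from any SHA-3 submission). The NIST API passes lengths in bits. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_BYTES 64
typedef unsigned char BitSequence;
typedef unsigned long long DataLength;

typedef struct {
    unsigned char block[BLOCK_BYTES];   /* partial block awaiting compression */
    size_t fill;                        /* bytes currently buffered */
    uint64_t blocks_compressed;
    uint32_t state;                     /* stand-in chaining value */
} hashState;

static void compress_block(hashState *s) {
    for (size_t i = 0; i < BLOCK_BYTES; i++) s->state = (s->state * 31u) ^ s->block[i];
    s->blocks_compressed++;
    s->fill = 0;
}

/* Vulnerable shape: memcpy writes databitlen/8 bytes at block+fill with no bound.
 * Update_unsafe(s, data, 8*65) on a fresh state writes one byte past block[]. */
int Update_unsafe(hashState *s, const BitSequence *data, DataLength databitlen) {
    size_t len = (size_t)(databitlen / 8);
    memcpy(s->block + s->fill, data, len);      /* BUG: no check against BLOCK_BYTES - fill */
    s->fill += len;
    if (s->fill == BLOCK_BYTES) compress_block(s);
    return 0;
}

/* Fixed: consume input in chunks bounded by the room left in the block and
 * compress each full block. A trailing partial byte must be handled explicitly
 * by the caller (the API is bit-oriented), not silently truncated by the /8. */
int Update_safe(hashState *s, const BitSequence *data, DataLength databitlen) {
    if (databitlen % 8 != 0) return 1;          /* reject bit tails rather than drop them */
    size_t len = (size_t)(databitlen / 8);
    while (len > 0) {
        size_t room = BLOCK_BYTES - s->fill;
        size_t take = len < room ? len : room;
        memcpy(s->block + s->fill, data, take);
        s->fill += take;
        data += take;
        len -= take;
        if (s->fill == BLOCK_BYTES) compress_block(s);
    }
    return 0;
}

/* The missing bounds check made explicit: bytes Update_unsafe would write past
 * block[] for a given fill level and input length. */
size_t unsafe_overrun_bytes(size_t fill, DataLength databitlen) {
    size_t len = (size_t)(databitlen / 8);
    size_t room = BLOCK_BYTES - fill;
    return len > room ? len - room : 0;
}

/* Feeds nbytes of constructed input (0,1,2,...) to Update_safe in one call. */
static void run_safe(size_t nbytes, size_t *blocks, size_t *leftover) {
    hashState s;
    unsigned char msg[256];
    memset(&s, 0, sizeof s);
    if (nbytes > sizeof msg) nbytes = sizeof msg;
    for (size_t i = 0; i < nbytes; i++) msg[i] = (unsigned char)i;
    Update_safe(&s, msg, (DataLength)nbytes * 8);
    *blocks = (size_t)s.blocks_compressed;
    *leftover = s.fill;
}

int safe_blocks_after(size_t nbytes)   { size_t b, l; run_safe(nbytes, &b, &l); return (int)b; }
int safe_leftover_after(size_t nbytes) { size_t b, l; run_safe(nbytes, &b, &l); return (int)l; }

int safe_rejects_bit_tail(void) {
    hashState s;
    memset(&s, 0, sizeof s);
    return Update_safe(&s, (const BitSequence *)"ab", 7);   /* 7 bits: not a whole byte */
}

int main(void) {
    printf("150 bytes via Update_safe: %d blocks, %d bytes buffered\n",
           safe_blocks_after(150), safe_leftover_after(150));
    printf("Update_unsafe(65 bytes) on empty state overruns by %zu byte(s)\n",
           unsafe_overrun_bytes(0, 65 * 8));
    return 0;
}
```

This is exactly the kind of defect a static analyser flags (an unbounded memcpy into a fixed array) and a test vector suite misses, because the known-answer tests usually feed the implementation one short message at a time.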

Mumbai Terrorists' Cell Phone Payments Connected to Italy

Via -

Terrorists behind 2008's attacks on Mumbai used cell phones that were activated in the United States and paid for with funds sent from Italy, an Italian newspaper reported on Tuesday.

‘Corriere della Sera’ daily said India sent the intelligence information to Italy and other countries so anti-terrorism investigators could attempt to expose any ties to the network behind the November attack that killed at least 179 people.

Islamabad acknowledged for the first time this month that the November assault was launched from, and partly planned in, Pakistan.

‘Corriere’ said Italian authorities were investigating a wire transfer sent to the United States from the northern Italian city of Brescia by a Pakistani-born suspect.

The suspect, named as Javaid Iqbal, sent the funds via Western Union to pay for five cell phones with Austrian country codes -- three of which were used by the attackers, ‘Corriere’ said, citing the Indian dossier.

Iqbal, a former resident of Barcelona, has been arrested in Pakistan and Italian authorities were attempting to understand how he arrived in Brescia and whether he had support from anyone there.

The cell phones were activated in the United States by a US company, ‘Corriere’ reported, and registered to another man, who identified himself as an Indian citizen.

India, in its intelligence dossier, highlighted the importance of cell phone communication between the plotters and terrorists carrying out the attacks.

It offered partial transcripts of the conversations detailing orders given by phone to kill hostages, and how the plotters relayed the media impact of the assault in real-time.

"Everything is being registered by the media. You must inflict the maximum damage. Fight to the end. Don't leave any survivors," read one of the excerpts, in a call to an attacker at the Trident-Oberoi hotel, reported by ‘Corriere’.

"Kill the hostages, except the Muslims. Take the telephone and activate it so we can hear the shots," a terrorist says, according to ‘Corriere’.

Iran’s Uranium: Don’t Panic Yet

Via FAS Strategic Security Blog -

Last week, the New York Times and the Financial Times USA ran stories that implied that Iran had been hiding enriched uranium and had been caught red-handed during the most recent International Atomic Energy Agency (IAEA) physical inventory inspection. While supposedly based on the IAEA report (GOV/2009/8), the articles more closely followed the ISIS analysis of the report. [Jeffery Lewis, as usual, also has good analysis and comments on Arms Control Wonk.] The IAEA report itself raises few alarm bells. Yes, the Iranians are continuing to enrich uranium; yes, they claim it is exclusively for a civilian nuclear reactor program, a claim for which no one can provide credible assurances, and, yes, every day they enrich uranium, they are closer to having enough for nuclear weapon capability, once that political decision is made. But the IAEA report does not reveal any sudden jump in enrichment capability or even uranium inventory and it goes out of its way to say that the result of the inspection is consistent with what was previously declared by Iran, within “the measurement uncertainties normally associated with enrichment plants of similar throughput”. So what is the issue here?

The Financial Times headline, “Iran holds enough uranium for bomb” with the subtitles “UN report reveals leap in nuclear stocks” and “Capacity breaches Israel’s ‘red line’ limit,” and the New York Times headline, “Iran Has More Enriched Uranium than Thought” are both more provocative than warranted by the IAEA report itself. Both articles report that, in the most recent IAEA report from 19 February, the estimated inventory of low-enriched uranium (LEU) had jumped by a third. The New York Times said that the IAEA had “discovered” an additional 460 pounds (or 209 kg) of LEU. This number is wrong to begin with because the IAEA reported an additional 209 kg, not of uranium, but of uranium hexafluoride (UF6). UF6 is about 68 percent uranium, so there is only an additional 142 kg of uranium in 209 kg of UF6. We will come back to this.

“Discovered” is stretching. The origin of that 209 kg is the difference between the amount of enriched UF6 reported in IAEA documents GOV/2009/8 and GOV/2008/59 — two consecutive reports for Iran’s inventory as of November 2008. The IAEA report of 19 November 2008 states that from February 2007 to 7 November 2008 “…based on the operator’s daily accounting records, Iran had produced approximately 630 kg of low enriched UF6 [uranium hexafluoride]. All nuclear material at FEP [Fuel Enrichment Plant], as well as all installed cascades, remain under Agency containment and surveillance.”


We do not want to seem to be apologists for Iran. Their uranium enrichment program makes no economic sense. It could be consistent with a nuclear power fuel program but it is also consistent with a nuclear weapons program. It seems undeniable that Iran wants to at least maintain the option of developing a nuclear weapon. An Iranian nuclear weapon would be a danger to the world, and to Iran. We believe the rest of the world should work hard to avoid such a development but the world should develop policies based on the best analysis available. The hard facts are bad enough, there is no need for exaggeration.

Terminated Employees Take Company Data With Them

Via DarkReading -

More than half of all employees who lost or left their jobs last year took confidential company data with them, according to a study published today.

According to a study released by the Ponemon Institute and Symantec, 59 percent of ex-employees admitted to stealing confidential company information. The most commonly taken data included e-mail lists, employee records, customer information, and nonfinancial information.

Fifty-three percent of respondents downloaded information onto a CD or DVD, 42 percent onto a USB drive, and 38 percent sent attachments to a personal e-mail account, the study says. Seventy-nine percent of respondents said they took the data without their employer's permission.

Officials at both Ponemon and Symantec say they expect the trend to continue, if not worsen, as the economy deteriorates and layoffs increase. "If your organization is planning a RIF [reduction in force], you need to understand the attitudes of the people who are being let go," says Michael Spinney, an analyst at Ponemon Institute. "Once they've lost their jobs, they feel like they don't really have a lot to lose."

Legally, corporations could take action against terminated employees who make off with sensitive data, but "most enterprises aren't interested in suing people -- they just want to protect the data and keep it from getting out," says Kevin Rowney, founder of the data loss prevention (DLP) unit of Symantec, formerly known as Vontu.

Rowney believes the egress of data via terminated employees is mostly preventable. "Most employees who've lost their jobs aren't sneaking the data out in sophisticated ways," he observes. "They're emailing it to themselves or carrying it out on a USB memory stick. These are the kinds of things that a good DLP solution can stop."

Spinney notes that many IT organizations still aren't following common-sense best practices when employees leave their companies. "Twenty-four percent of respondents said they still had access to their employer's computer system or network after they left the company," he says. "Cutting off that sort of access should be a no-brainer for most IT departments."

Monday, February 23, 2009

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance

A consortium of federal agencies and private organizations today released Version 1.0 of the Consensus Audit Guidelines that define the most critical security controls to protect federal and contractor information and information systems. The draft may be found at

The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington DC to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.

Brand Spanking New Excel 0-day Being Exploited in the Wild

Via ZDNet -

Symantec is reporting that a new remote vulnerability has been discovered in Microsoft Excel 2007, and that this vulnerability is being exploited in the wild.

Details are sparse, but it looks like Symantec has discovered a code-execution vulnerability in Excel 2007 and Excel 2007 SP1. The issue is being actively exploited in the wild by a variant of the Mdropper trojan.

There is no patch for the vulnerability yet, so until one arrives, don’t open anything that looks like an Excel document from sources you cannot completely trust and verify.

Flu Treatment Stops Many Strains at Once in Animal Research

Via Bloomberg (Science) -

An experimental treatment made from human proteins neutralized a wide variety of influenza germs in a study, including the H5N1 avian flu, the 1918 pandemic virus and some seasonal forms of the illness.

Mice that were injected with the treatment three days after being infected with bird flu didn't show any symptoms, according to an online report in the journal Nature Structural and Molecular Biology. The treatment also protected mice from other strains of flu virus, researchers said.

Normally, flu vaccines are specific to only one strain of virus at a time. The new results suggest a single treatment may be developed that works for many strains. Such a treatment could be used to help slow outbreaks while more precise treatments are developed, researchers said. Human trials for proteins could begin as soon as the 2011-2012 winter flu season, they said.

“These antibodies have important therapeutic potential and pave the way for the generation of a universal vaccine,” said Ruben Donis, a study author and researcher at the Centers for Disease Control and Prevention, in a conference call.

The treatment is made from a laboratory-produced version of human immune system defenses called monoclonal antibodies. It targets a different part of the flu virus than the body’s naturally produced antibodies.

The body produces antibodies to the rounded head of the flu virus, which can mutate quickly, said Wayne Marasco, an associate professor of medicine at Harvard Medical School in Boston and one of the study’s authors. The neck of the virus remains relatively stable, so that’s what he and his team targeted, he said.

Scientist Looks to Weaponize Ball Lightning

Via DangerRoom -

Two hundred years ago this week, the warship HMS Warren Hastings was struck by a weird phenomenon: "Three distinct balls of fire" fell from the heavens, striking the ship and killing two crewmen, leaving behind "a nauseous, sulfurous smell," according to the Times of London.

Ball lightning has been the subject of much scientific scrutiny over the years. And, as with many powerful natural phenomena, the question arises: "Can we turn it into a weapon?" Peculiar as it may seem, that's exactly what some researchers are working on -- even though it hasn't even been properly replicated in the laboratory yet.

The exact cause and nature of ball lightning has yet to be determined; there may be several different types, confusing matters further. But generally it manifests as a grapefruit-sized sphere of light moving slowly through the air which may end by fizzling out or exploding.

In the mid-'60s, the U.S. military started exploring ways that the phenomenon might be weaponized. Take this 1965 Defense Technical Information Center report on Survey of Kugelblitz Theories For Electromagnetic Incendiaries (Kugelblitz is German for ball lightning). The document summarizes and evaluates the ball lightning theories then prevalent, and recommends "a theoretical and experimental Kugelblitz program... as a means of developing the theory into a weapons application." This led to an Air Force program called Harness Cavalier, which seems to have ended without producing anything conclusive.

However, some years later scientist Dr. Paul Koloc was looking at methods of containing high-temperature plasma during nuclear fusion. There are many schemes for containing plasma in donut-shaped magnetic fields using a device called a Tokamak. Koloc's insight was that, under the right conditions, a donut-shaped mass of moving plasma would generate the required fields for containment itself. No Tokamak would be required for this "plasmoid," which would be completely stable and self-sustaining. It is a very close equivalent of the smoke ring -- another type of dynamic "vortex ring," which remains stable over a period of time, unlike an unstructured cloud of smoke.

Koloc also theorized that if a donut-shaped plasmoid was created accidentally -- say, during a lightning strike -- it would remain stable for a period of seconds or minutes. This he believes is the explanation for ball lightning. He has a lot of competition from other, wildly different theories of ball lightning, though, from nanobatteries to vaporized silicon to black holes. There is no scientific consensus.

In the '80s, Koloc's team succeeded in creating small, short-lived plasmoids from "chicken egg to softball" size in the laboratory. It was a good start, but not enough to convince the world that he's right about ball lightning. Ultimately the work might lead to a means of containing nuclear fusion... but there were some engineering challenges to tackle. Moreover, the scientific mainstream has not bought into the concept. While giant programs to achieve controlled fusion like ITER are sucking up billions, Koloc has found it much harder to attract funding. This is not like cold fusion or bubble fusion, which have been challenged on scientific grounds, but it has been very much sidelined in favor of other "confinement concepts" for fusion power.

However, in 2002, Koloc's company, Prometheus II, briefly obtained funding from the Missile Defense Agency. The aim was to create stable 'magnetoplasmoids' a foot in diameter which would last between one and five seconds. In the subsequent phase, the magnetoplasmoid would be compressed and accelerated to two hundred kilometers a second. This "encapsulated EMP bullet" would make an ideal anti-missile weapon, generating an intense electromagnetic pulse on impact which would scramble the guidance system and any electronics, as well as causing thermal damage.

Koloc called the weapon "Phased Hyper-Acceleration for Shock, EMP, and Radiation" -- PHASER.

"It can be used for a range of purposes from stunning personnel to destroying the functionality of electronically operated devices, smaller rockets, vehicles and packages that represent an immediate threat to the United States," he wrote. "This dial-able PHASER weapon can be set on 'Stun' or dialed down, selecting a non-lethal level for persons needed for later interrogation... One mundane application for law enforcement would be the disruption of the engine electronics to stop vehicles that would otherwise be the target of a high-speed chase. Dialable versions of the PHASER will be available for use in civilian encounters."

Nothing seems to have resulted after the Phase I contract, so I contacted Koloc to see how his research had progressed. He confirmed that they had successfully formed plasmoids a foot in diameter, but that these could not be made sufficiently stable.

To make it work and overcome the stability problem, they need a device known as a "fast rising parallel plate transmission line." There was not enough funding for this and the company is still trying to raise funds.

"Once the re-engineered formation system becomes operational, we will proceed to form plasmoids of approximately 35 to 45 centimeters in diameter with a stable lifetime of from one to thirty seconds," says Prometheus II Vice President D. M. Cooper. "The plasmoids should be rugged and energetic, and should attain quiescence (thus becoming very stable) within two or three milliseconds of the formation pulse. The plasmoids will be useful for energy applications even if the military applications are not pursued."

So a ball lightning weapon remains tantalizingly out of reach –- or does it? As I noted in a previous article on military ball lightning, the USAF’s Phillips Laboratory examined a very similar concept in 1993. Again, this involved accelerating a donut-shaped mass of plasma to high speed as an anti-missile weapon in a project called Magnetically Accelerated Ring to Achieve Ultra-high Directed Energy and Radiation, or MARAUDER. Based on the Air Force's awesome Shiva Star power system, experiments spat out plasmoids at ultra-high speed that were expected to reach 3,000 kilometers a second by 1995. But nothing was published after 1993, and MARAUDER was classified, disappearing into the black world of secret programs.

Ball lightning is still mysterious 200 years later... and the next time a warship gets struck by weird fireballs, her crew will probably be as baffled as were the sailors aboard HMS Warren Hastings.

Saturday, February 21, 2009

Confirmation of Second Major Processor Breach

Earlier this week, Visa and MasterCard began issuing accounts involved in a merchant processor breach. The reported incident involves confirmed unauthorized access to a U.S. acquirer processor’s settlement system of stored transaction information that included Primary Account Numbers (PANs) and expiration dates. No magnetic stripe track data has been identified at risk in this alert. As the entity involved has not yet issued a press release, Visa and MasterCard are unable to release the name of the merchant processor.

It is important to note that this event is not related to the Heartland Payment Systems breach. While it has been confirmed that malicious software was placed on the processor's platform, there is no forensic evidence that accounts were viewed or taken by the hackers. Since the final forensic report has not been provided, there is no estimate available at this time of the number of accounts involved in this event. Law enforcement is actively engaged in an investigation into this situation.


The security breach occurred at a Merchant Processor. Visa is not disclosing the name or location of the Merchant Processor. This is a very large compromise, similar to the Heartland compromise, but slightly smaller.

Pakistan Concedes Mumbai Attack Executed From Its Soil

The Long War Journal (Feb 12, 2009) -

After weeks of signaling the investigation of the Mumbai terror assault would not be traced back to Pakistan, the Pakistani government admitted for the first time that the operation was plotted in and executed from inside Pakistan. The government released its findings today and three Lashkar-e-Taiba leaders have been implicated.

"Some part of the conspiracy took place in Pakistan," Rehman Malik, the adviser to Prime Minister Gilani said. "We have lodged an FIR [first information report, or criminal case] against eight perpetrators, including mastermind Zakiur Rehman Lakhvi." Pakistan has charged eight men with "abetting, directing, conspiring and facilitating a terrorist act."

"We have gone an extra mile in conducting an investigation on the basis of information provided by India and we have proved that we are with the Indian people on the matter," Malik said in an attempt to ease the tensions with India. Relations with India deteriorated after Pakistan's ambassador to Britain claimed the investigation proved Pakistani territory was not used for the strike and said India's evidence "could be fabricated."

Malik admitted that 10 members of the assault team left from the Pakistani port city of Karachi via boat to conduct the attack on India's financial capital of Mumbai. He also said the planning and other support activities occurred outside of the country.

Lakhvi is the military commander of the Lashkar-e-Taiba, a terrorist outfit that has close links to al Qaeda and is supported by elements within Pakistan's Inter-Service Intelligence agency and the military. Zarar Shah, a communication expert for Lashkar-e-Taiba and another leader named Hamad Amin Sadiq also have been charged with involvement in the Mumbai attack.

Shah provided the communications expertise that allowed the Mumbai attackers to talk to their handlers while the terror attack was in progress. Pakistan also traced the e-mail sent by the so-called Indian or Deccan Mujahideen that claimed credit for the attack back to Shah. The Mujahideen is a front group for the Lashkar-e-Taiba, the Students Islamic Movement of India, and the Harkat-ul-Jihad Islami operating inside India. Yusuf Muzammil, Lashkar's senior operations commander, has not been charged. The Indians have said Muzammil was a key leader in the Mumbai attack.

The government has also charged Mohammad Kaif, Mohammad Ashfaq, and Javed Iqbal with involvement in the conspiracy. All six men are in custody. Javed Iqbal, who has been extradited from Spain, is said to have received money that was transferred through a Pakistani foreign exchange.

The Pakistanis have also charged Abu Hamza and Al Qaima with involvement in the attack, but these men are not in custody. Hamza was identified as being involved in the plot by Sabauddin Ahmed, a Lashkar-e-Taiba operative currently in Indian custody.

Pakistan also has detained the owners and crews of the Al Farooq and Al Hussani boats, which were used to transport the assault team from Pakistan to Mumbai. Pakistan has additional requests from India to further the investigation. To aid the interrogation of the lone survivor of the Mumbai attackers, India wants the identities of the Mumbai terrorists, and information on the SIM cards and phones used during the assault.

Greek Car Bomb Failed Due to Faulty Wiring

Via ekathimerini (Greece) -

The 60-kilo car bomb left outside the offices of Citibank in Kifissia on Wednesday was intended to explode but did not because of a mistake in its wiring, police sources said yesterday.

Forensic tests indicate that the bomb failed to explode despite the fact that most of the detonators were activated, which appears to dispel speculation that the device was not meant to go off.

Although Revolutionary Struggle is suspected, no group has yet claimed responsibility for planting the bomb, which consisted of explosives that were packed in five propane gas canisters attached to two mechanical clocks, batteries and detonators.

The explosives were made from a mixture of ammonium nitrate fuel oil (ANFO), which is a common explosive used in mining and quarrying. But sources said that tests have revealed that the substance was made by the terrorists and did not come from an industrial source.

Anti-terrorist squad officers had investigated the possibility that the ANFO was part of a batch stolen from a construction company in Grevena. But the tests carried out by forensic experts indicate the explosive was made with agricultural-grade ammonium nitrate, which is a widely used fertilizer that the terrorists purchased through regular channels.

Intellipedia Suffers Midlife Crisis

Via GCN -

The U.S. intelligence agencies' internal wiki Intellipedia has gotten glowing press reports and accolades, as well as input from thousands of analysts. However, the wiki still struggles to make a permanent home in the spy agencies, according to one of its evangelists.

"We are struggling to take it to the next level," said Chris Rasmussen, a social-software knowledge manager and trainer at the National Geospatial Intelligence Agency, speaking by phone to the Semantic Community–Semantic Exchange Workshop held yesterday in Falls Church, Va. "Grass roots will only get you so far. [Intellipedia] is going well. But we're not replacing the big-agency systems," he added.

The problem? The growth of the collective intelligence site so far largely has been fueled by early adopters and enthusiasts, according to Rasmussen. About all those who would have joined and shared their knowledge on the social networking site have already done so. If the intelligence agencies want to get further gains from the site, they need to incorporate it into their own formal decision making process, he contended. Until that happens, the social networking aspect of Intellipedia is "just a marginal revolution," he said.

Established in 2005, Intellipedia, now managed by the Office of the Director of National Intelligence, has approximately 100,000 user accounts. Open to anyone with a government e-mail account, it has a social bookmarking tool, a document repository, a home page for each user, and collaboration spaces.

Some agencies already have incorporated it into their official routines, Rasmussen said. The Defense Department's Joint Chiefs of Staff uses Intellipedia as the official conduit for vetting and publishing its weekly reports. State Department diplomats use it as the internal communication of record for some reports.

In each of those cases, the agency uses the site for its official records, rather than using it as a duplicate or shadow system. For true change to occur, other agencies must use Intellipedia as their official conduit, at least for some functions, Rasmussen said. Otherwise, it is just creating additional work for contributors.

Taliban Network Developing in Karachi

Via Daily Times (Pakistan) -

The banned organisation Tehreek-e-Taliban Pakistan (TTP) has established a strong network in Karachi, in association with local jihadi outfits and other groups, it has been learnt. This network is involved in major illegal activities and sending funds worth millions of rupees to the militants in Tribal Areas. Well-placed sources in the police department have disclosed that banned sectarian outfits are active in various parts of Karachi and are closely connected to the Baitullah Mehsud-led TTP. The six associates of Baitullah Mehsud who were recently arrested in Manghopir have told intelligence agencies that jihadis are present in large numbers in the city and have a close coordination with each other. Groups involved in crimes such as drug smuggling, car lifting etc are also in contact with the Taliban. Through this network in which even some political and ethnic parties are involved, large sums of money are being sent to aid the Taliban in the Tribal Areas. The CID and Special Investigation Branch have also apprehended dozens of people affiliated to the Taliban bringing drugs and arms to Karachi travelling in passenger coaches.

AQIM Releases Pictures of Hostages Kidnapped in Niger

Via Yahoo! News (AP) -

Al-Qaeda's North African branch has released pictures it claims are of four European tourists it kidnapped last month in Niger, a US group which monitors Islamist websites said.

SITE Intelligence Group said late Wednesday that Al-Qaeda in the Islamic Maghreb had released a written statement and photos of a Swiss couple, a German woman and a British man they say they are holding hostage.

The statement followed an earlier audio message from the group's spokesman, Salah Abu Mohammed, claiming the kidnapping in January of the four Europeans as well as of two Canadian diplomats abducted in December.

One photograph shows a haggard-looking man with tangled hair and closed eyes seated next to a turbaned woman whose face is blurred. Another shows a turbaned woman, again with blurred face, while a third shows a distressed-looking balding man also with eyes closed.

In all three photographs, turbaned armed men whose faces are covered appear in the background in what seems to be a desert terrain.

Al-Jazeera television reported late Tuesday that Al-Qaeda in the Islamic Maghreb said it had seized the two Canadians, one of whom is a UN envoy, in December, and the four tourists in January.

The abductions marked the first incursion by Osama bin Laden's jihadist network into the West African state of Niger.

Al-Qaeda in the Islamic Maghreb seeks to unify armed Islamist groups in Tunisia, Algeria and Morocco with emerging groups in countries bordering the Sahara. They include Senegal, Mauritania, Mali, Burkina Faso, Niger, Nigeria, Chad, Sudan, and Eritrea.

The group claimed a series of deadly suicide bombings in Algeria last year.

Free Adobe Acrobat 0-Day


Playing with much smaller (0x9000) or much larger would result in crashes in different areas, but in general you would control within multiples of four where you write. If you were to add to this a quick heap spray with some javascript, I don't doubt that you could write a rather reliable exploit across multiple versions of Acrobat Reader for XP, and if one were really inclined (or bored), for linux or OS X also! Yes, it crashes on all three, in versions 8 and 9. So to all of you security pros who were looking forward to a nice quiet weekend, I can't fix it, but hopefully this will make the fire drill a little less long and arduous. Have a good one! Oh, by the way, I forgot to mention. If you happen to open an explorer window, or a browser window, or anything at all that even has the ICON of the pdf file, you're owned.


Pseudo-Confirmation of Second Large Breach

02/17/09 – Two large data compromises affecting credit and debit cards were announced the weeks of 1/21/09 and 2/09/09. BBOK BankCard actively monitors all alerts from Visa®, MasterCard®, and our processor for compromised card data.

BBOK is committed to protecting your customers’ confidential information. If you have any questions regarding your card accounts including responses taken to minimize risk with compromises, please contact Christy Simonsen or Karen Robinson at 1-800-675-6284.


We know about Heartland...but what is the other large data compromise?

Friday, February 20, 2009

Texas Health Dept Takes Over Peanut Recall

Via (Houston) -

The Texas Department of State Health Services is taking over the recall of products shipped from a peanut processing plant that shut down amid salmonella fears.

The state agency said Friday that it's taking over because of unresponsiveness from the Peanut Corp. of America plant in Plainview, in the Texas Panhandle. The company filed for Chapter 7 bankruptcy the day after the recall was announced.

The agency ordered a recall Feb. 12 of all products ever shipped from the plant after inspectors found dead rodents, rodent excrement and bird feathers in a crawl space above a production area.


Even if they do file for Chapter 7 bankruptcy, food safety lawyers are optimistic that victims and their families can still be compensated. The bankruptcy proceeding could postpone litigation against the company, but lawyers plan to push a judge to allow civil lawsuits to go forward anyway. And many have also filed lawsuits against Solon, Ohio-based King Nut Co. and Battle Creek, Mich.-based Kellogg Co., which they say used the tainted ingredients in their products.

New Conficker B++ Variant Poses Even Greater Threat

Via TechWorld -

Shortly after Microsoft offered a bounty on the heads of the criminals behind the widespread Conficker worm, a new version of the malware has appeared that could signal a major shift in the way the worm operates.

The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines.


The new B++ variant uses the same algorithm to look for rendezvous points, but it also gives the creators two new techniques that skip them altogether. That means that the Cabal's most successful technique could be bypassed.

Conficker underwent a major rewrite in December, when the B variant was released. But this latest B++ version includes more subtle changes, according to Phil Porras, a program director with SRI. "This is a more surgical set of changes that they've made," he said.

To put things in perspective: There were 297 subroutines in Conficker B; 39 new routines were added in B++ and three existing subroutines were modified, SRI wrote in a report on the new variant. B++ suggests "the malware authors may be seeking new ways to obviate the need for Internet rendezvous points altogether," the report states.

Porras could not say how long Conficker B++ has been in circulation, but it first appeared on 6 February, according to a researcher using the pseudonym Jart Armin, who works on the website, which has tracked Conficker.

Though he does not know whether B++ was created in response to the Cabal's work, "it does make the botnet more robust and it does mitigate some of the Cabal's work," Support Intelligence CEO Rick Wesson said in an e-mail interview.

Also known as Downadup, Conficker spreads using a variety of techniques. It exploits a dangerous Windows bug to attack computers on a local area network, and it can also spread via USB devices such as cameras or storage devices. All variants of Conficker have now infected about 10.5 million computers, according to SRI.

University of Florida Student & Employee Record Breach

Via Gainesville Sun -

A foreign hacker gained access to a University of Florida computer system containing the personal information of more than 97,200 students, faculty and staff, UF announced Thursday.

The files included the names and Social Security numbers of individuals who used UF's Grove computer system since 1996. A hacker in the Caribbean nation of Antigua and Barbuda accessed the system Dec. 22 and exploited a security hole, according to a UF police report.

An information technology staff member discovered the breach Jan. 14 during a review of computer systems. UF sent notification letters Tuesday to most individuals with information on the system, but was unable to find addresses for about 5,000 of them.

UF spokeswoman Janine Sikes said it's unknown whether the hacker accessed personal information.

"We know somebody got in a hallway, for example, but we don't know if they opened any doors with information in them," she said.

After the breach was discovered, UF shut down the Grove system. The system contained course information with Social Security numbers and at one time required users to verify their identities using Social Security numbers.

It took two weeks to investigate the breach and another two weeks to prepare notification letters and set up a call center, according to UF. The law requires that individuals whose information was breached be notified within 45 days.

Concerned individuals can call UF's Privacy Office hotline at 1-877-657-9133 or visit the office's Web site at


What exactly is a "foreign hacker"?

Let's just say it was a hacker...from somewhere.

Adobe Acrobat BoF Zero-Day Update

This is just a minor update on yesterday's blog entry...

A vulnerability has been reported in Adobe Reader/Acrobat, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an unspecified error and can be exploited to cause a buffer overflow. No further information is available. Successful exploitation allows execution of arbitrary code.


Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009.


According to my friend @ TrendMicro...there are several different exploits out in the wild for this vulnerability. Disabling JavaScript is an effective countermeasure for all the exploits he has seen up to this point.

Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript

It is important to remember that the JavaScript workaround does not address the buffer overflow hole directly, but it mitigates the only known exploitation path at this point (heap spraying to get shellcode into the heap, then triggering the buffer overflow).
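Rolling that same preference out without clicking through the dialog on every machine, as an added example that is not from the blog post: it assumes the "Enable Acrobat JavaScript" checkbox is stored as the per-user DWORD bEnableJS under the JSPrefs key of each Reader or Acrobat version, and it only reports unless run with -Disable.

```powershell
# Added example (not from the blog post): audit, and with -Disable turn off,
# Acrobat JavaScript for every Reader/Acrobat version profile of the current user.
# Assumption: the "Enable Acrobat JavaScript" checkbox is backed by the per-user
# DWORD value bEnableJS under <product>\<version>\JSPrefs (1 = on, 0 = off).
param(
    [switch]$Disable   # without -Disable the script only reports the current state
)

# Per-user preference roots for Reader and full Acrobat (assumed key names)
$products = @(
    'HKCU:\Software\Adobe\Acrobat Reader',
    'HKCU:\Software\Adobe\Adobe Acrobat'
)

foreach ($product in $products) {
    if (-not (Test-Path $product)) { continue }
    $name = Split-Path $product -Leaf

    # Each child key is a major version such as 8.0 or 9.0
    foreach ($version in Get-ChildItem $product) {
        $jsPrefs = Join-Path $version.PSPath 'JSPrefs'

        if (-not (Test-Path $jsPrefs)) {
            # JSPrefs only exists once preferences have been saved; absent means
            # the product default applies, which is JavaScript enabled
            if (-not $Disable) {
                Write-Output "$name $($version.PSChildName): JSPrefs missing, JavaScript ENABLED by default"
                continue
            }
            New-Item -Path $jsPrefs -Force | Out-Null
        }

        $current = (Get-ItemProperty -Path $jsPrefs -ErrorAction SilentlyContinue).bEnableJS
        $state = if ($current -eq 0) { 'disabled' } else { 'ENABLED' }
        Write-Output "$name $($version.PSChildName): Acrobat JavaScript $state"

        if ($Disable -and $current -ne 0) {
            Set-ItemProperty -Path $jsPrefs -Name bEnableJS -Value 0 -Type DWord
            Write-Output "$name $($version.PSChildName): bEnableJS set to 0"
        }
    }
}
```

Run it once without -Disable to see which installed versions still have JavaScript on; it covers the current user's preferences only, not any machine-wide (HKLM) policy keys.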

Intel SSDs May Suffer From Irreparable Fragmentation Slowdowns

Via -

PC Perspective's review of Intel's X25-M SSD, a custom-designed solid state drive, showed that the manufacturer's sector remapping actually lowered overall performance dramatically over time as the drive became irreparably fragmented.

Some background info. First, sector remapping—a custom solution from Intel—is a method that makes sure wear and tear on the drive is spread over the entire space instead of just in a small area (which would cause the drive to fail earlier). Intel's algorithm unfortunately makes files become fragmented eventually, and defragmenting software currently on the market just screws things up further.

Intel says it's working on a solution, but currently customers with the X25-M can only completely wipe the drive and start fresh in order to reclaim that lost performance. It's not a death knell to SSDs, since the problem can (theoretically) be fixed by either allowing defragmentation software access to the distribution algorithm so as to actually defragment, or having the SSD controller keep track of the fragmentation in the first place and try and minimize it.

When PDFs Attack - Acrobat [Reader] 0-Day On the Loose

Via Shadowserver Foundation -

The Shadowserver Foundation has recently become aware of a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9 that is currently on the loose in the wild and being actively exploited. We are aware of several different variations of this attack, however, we were provided with a sample last week that we were permitted to analyze and detail in this post. We want to make it clear that we did not discover this vulnerability and are only posting this information to make sure others are aware and can adequately protect themselves. All of our testing was done on Adobe Acrobat Reader 8.1.0, 8.1.1, 8.1.2, 8.1.3 (latest release of 8), and 9.0.0 (latest release of 9). We have not confirmed via testing that the exploit actually works on Adobe Acrobat (non-Reader) but believe that it will affect it as well.

Right now we believe these files are only being used in a smaller set of targeted attacks. However, these types of attacks are frequently the most damaging and it is only a matter of time before this exploit ends up in every exploit pack on the Internet. As a result we are also not going to provide any specific details on how the exploit works despite the fact that information is known.


Adobe has since issued a public advisory about this issue that has been posted here. They are expecting an update by March 11th, 2009 for Adobe 9 and updates for other versions (8 and 7) to follow soon after. We have also received some other feedback and information that may be useful that we will post in the near future.

Thursday, February 19, 2009

DHS: The 2009 National Infrastructure Protection Plan

The National Infrastructure Protection Plan provides the unifying structure for the integration of a wide range of efforts for the enhanced protection and resiliency of the nation's critical infrastructure and key resources (CIKR) into a single national program.

The overarching goal of the NIPP is to build a safer, more secure, and more resilient America by preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit elements of our nation's CIKR and to strengthen national preparedness, timely response, and rapid recovery of CIKR in the event of an attack, natural disaster, or other emergency.

The 2009 NIPP replaces the 2006 version and reflects changes and updates to program elements and concepts. It captures the evolution and maturation of the processes and programs first outlined in 2006 without changing the underlying policies. The revised NIPP integrates the concepts of resiliency and protection, and broadens the focus of NIPP-related programs and activities to an all-hazards environment.