Friday, July 31, 2009

Windows 7 Ultimate Activation Cracked with OEM Master Key

Via -

Windows 7 Ultimate has been cracked. The pirate milestone, reached almost three months before Windows 7 is set to hit General Availability on October 22, 2009, was achieved via OEM instant offline activation that passes Windows Genuine Advantage validation and keeps the operating system permanently activated. Previous cracks weren't as solid: while they may be working now, they can easily be disabled by Microsoft. This one won't be so easy.

Both 32-bit and 64-bit Windows 7 Ultimate can now easily be activated, according to My Digital Life. For Windows 7 Professional, Windows 7 Home Premium, Windows 7 Home Basic, and Windows 7 Starter, the OEM-System-Locked Preinstallation (SLP) keys haven't been leaked, so they cannot be OEM-activated yet. It won't be long before easy-to-use Windows 7 activation toolkits start appearing in the wild.

The story begins with a Windows 7 Ultimate OEM DVD ISO from Lenovo leaking to a Chinese forum. The boot.wim file was then used to retrieve the OEM-SLP product key and OEM certificate for Windows 7 Ultimate. The SLP is a procedure used by Microsoft to preactivate the Windows operating system for mass distribution by major OEMs. Windows 7 and Windows Server 2008 R2 use SLP version 2.1, which is backwards-compatible with version 2.0, the version Windows Vista and Windows Server 2008 use. As such, after the OEM certificate and OEM product key were extracted, it was discovered that Windows 7 uses the same digitally signed OEM certificate, which has an .xrm-ms extension, that Vista uses.

The extracted Windows 7 Ultimate OEM-SLP product key can be used to activate an installed Windows 7 Ultimate system, and since the product key appears to be a master OEM-SLP product key for Windows 7 Ultimate, it can activate Windows 7 Ultimate from any OEM. Furthermore, even if the user already has a retail version of Windows 7 Ultimate installed, it can be converted to an OEM version with two simple commands, and then activated.

This is a major breakthrough for the Windows piracy world and a huge blow to Microsoft. Even if it was imminent, the fact that it has occurred so soon means pirates will have activated copies of Windows 7 a good week before even MSDN and TechNet subscribers get their hands on the RTM build on August 6, not to mention all the other groups Microsoft plans to give the build to. The Windows 7 RTM and Windows Server 2008 RTM build was compiled on July 13, 2009 and the official announcement was made on July 22, 2009.

Al Qaeda’s Training Changes In Response To US Strikes

Via CNN (h/t National Terror Alert) -

The interrogations of two accused Westerners who say they trained and fought with al Qaeda in the Pakistan-Afghanistan border region provide an inside view of the terror group's organizational structures.

Arguably, they shed more light on the state of al Qaeda than any material previously released into the public domain.

The documents reveal training programs and the protective measures the terrorist organization has taken against increasingly effective U.S. missile strikes.

Bryant Vinas -- a U.S. citizen who says he traveled to Pakistan in September 2007 to fight against Americans in Afghanistan -- stated that between March and July 2008 he attended three al Qaeda training courses, which focused on weapons, explosives, and rocket-based or -propelled weaponry.

During these classes, attended by 10-20 recruits, Vinas was taught how to handle a large variety of weapons and explosives, some of them of military grade sophistication, according to his account.

Vinas stated he became familiar with seeing, smelling and touching different explosives such as TNT, as well as plastic explosives such as RDX, and Semtex, C3 and C4 -- the explosive U.S. authorities have stated was used in al Qaeda's attack on the USS Cole in 2000. Vinas also learned how to make vests for suicide bombers.

Vinas stated he was also instructed how to prepare and place fuses, how to test batteries, how to use voltmeters and how to build circuitry for a bomb.

According to his account, al Qaeda also offered a wide variety of other courses including electronics, sniper, and poisons training. Instruction in the actual construction of bombs, he stated, was offered to al Qaeda recruits who had become more advanced in their training.


Othmani provided interesting new details about the training facilities being used by al Qaeda in the tribal areas.

His group trained in a small mountain shack, a far cry from the large camps al Qaeda had run in Taliban-era Afghanistan, when it had been able to operate with little danger of being targeted by military strikes.

Othmani's account made clear that al Qaeda has had to decentralize its operations in Pakistan in response to the growing effectiveness of U.S. Predator strikes.

However the wide number of training courses described by both Vinas and Othmani suggest that al Qaeda has been able to adapt well to the new security environment.


Vinas stated that when they completed their training, Al Qaeda instructors did a written evaluation of their performance. Vinas had been judged qualified to participate in missile attacks against U.S. and NATO bases in Afghanistan, according to his account.

That suggests al Qaeda has maintained its capacity for administration and paperwork even in a harsher security environment.


He is believed to be still at large in the Pakistan-Afghan border area. Vinas was told that the training course that Hafith set up focused on kidnapping and assassination, including instruction on the use of silencers and how to break into and enter a property.

The revelations raise the possibility that al Qaeda was developing a program of targeted assassinations. Though al Qaeda has carried out some assassinations in the past, most of its attacks in the West have not targeted any particular individuals but crowded areas, such as mass transport.

According to Othmani, al Qaeda fighters totaled between 300-500 in Pakistan's Tribal Areas - spread out in groups of 10. Such decentralization was a function of the growing deadliness of U.S. Predator strikes.

Hicham Beyayo, a Belgian jihadist volunteer, said the group moved around a lot because such strikes were known to be "very effective," his lawyer Christophe Marchand, told CNN.

The loss of an increasing number of operatives, stated Othmani, prompted an order from al Qaeda's top command for fighters to remain inside as much as possible. In order to keep in touch jihadists operated a courier service across the region, according to the Frenchman's testimony.

FCC Opens Investigation into Apple's Rejection of Google Applications

Via -

And they are opening an investigation into it.

According to a Dow Jones Newswire report, on Friday afternoon the FCC sent letters to Apple, AT&T, and Google. The federal inquiry asks Apple why the Google Voice application was rejected from its App Store for the iPhone and iPod Touch, and why it removed third-party applications built on the Google app that had been previously approved. The federal commission also asks whether AT&T was allowed to weigh in on the application before it was rejected, and seeks a description of the application from its creator, Google, according to the report.

For background, see my piece chastising Apple here.

Thursday, July 30, 2009

Algorithm Sought by Air Force to Analyze Insider Behavior

Via -

The Air Force is seeking an entrepreneurial innovator to develop technology to analyze the conduct of insiders to determine if they pose a threat to government IT systems.

In a call for proposals aimed at small businesses, posted on Tuesday, the Air Force is asking outside developers to "define, develop and demonstrate innovative approaches for determining 'good' (approved) versus 'bad' (disallowed/subversive) activities, including insiders and/or malware." For their initial efforts, the Air Force will pay up to $100,000.

The proposal says current techniques that monitor illicit activities only address the most blatant violations of policy or the grossest deviations from accepted behavior. Most systems concentrate their resources on repelling attacks at the network borders with little attention devoted to threats that evade detection and/or emanate from within. The proposal states:
"As such, there currently exists a great need across the federal, military and private sectors for a viable and robust means to provide near-real-time detection, correlation and attribution of network attacks, by content or pattern, without use of reactive previously-seen signatures. Many times, these trusted entities have detailed knowledge about the currently-installed host and network security systems, and can easily plan their activities to subvert these systems."
In the first phase, Air Force planners envision the development of a prototype algorithm that incorporates heuristic analysis for determining approved versus disallowed or subversive activities, including insiders and/or malware. The awarded contractor also would propose an architecture and perform a feasibility analysis of the algorithm and architecture during the initial phase.

In the second phase, the contractor would implement the best approach from Phase 1 in an experimental hardware/software environment, representative of the Air Force cyber infrastructure. They'd be asked to correlate Phase 1 analysis with experimental results as well as analyze the prototype system with respect to performance, scalability, cost, security and vulnerability.

Hafiz Mohammad Saeed – India’s Most Wanted Man Free Again in Pakistan

Via The Jamestown Foundation -

The release of Hafiz Mohammad Saeed, founder of proscribed Lashkar-e-Taiba (LeT) and Amir of Jama'at-ud-Da'wa (JuD), from detention last month in Pakistan has raised eyebrows in the West as well as India. He was released from house arrest on June 2 when the Lahore High Court ruled it did not have enough evidence against him on terrorism charges. However, Pakistan's Deputy Attorney General Shah Khawar says that Pakistan's law enforcement and intelligence agencies have enough evidence to suggest that a freed Hafiz Saeed is a continuing security threat. The Punjab provincial government and the federal government of Pakistan have already filed petitions before the Pakistani Supreme Court seeking a reversal of the decision of Lahore High Court. Nevertheless, the federal government continues to struggle to make an adequate case for his preventive detention and the Punjab provincial government has admitted its evidence is insufficient (The News [Islamabad], July 17; Daily Times [Lahore], July 17).


Hafiz Mohammad Saeed also met with Shaykh Abdullah Yusuf Azzam, an influential Palestinian jihad ideologue and mentor of Osama bin Laden. Azzam influenced him to found the Markaz Dawa-wa’l-Irshad (Center for Call and Guidance) in Muridke, Lahore in 1987. The institution preached jihad and the Wahhabi- Salafi form of Islam. Hafiz Saeed founded LeT in the early 1990s, allegedly with support from Inter-Services Intelligence (ISI), Pakistan's military intelligence agency. LeT then shifted the focus of its jihad from Afghanistan to Indian-administered Kashmir (The Hindu, June 3).

LeT is believed to have been involved in almost all major attacks against India over the disputed territory of Kashmir. Hafiz Saeed stepped down from the leadership of LeT soon after India blamed this group for the terrorist attack on its parliament in December 2001. He handed over leadership of the group to Maulana Abdul Wahid Kashmiri, who is based in Srinagar, part of Indian-administered Kashmir. Shortly after this, Pakistan banned LeT after the United States added it to its list of designated terrorist organizations.

However, Saeed was quick to revive his old Markaz Dawa-wa’l-Irshad organization with a slight modification of its name to Jama'at-ul-Da'wa, beginning as a charity and public welfare organization. It is common practice for militant organizations in Pakistan to rename themselves so as to bypass the law and avoid official bans. The old offices of LeT simply changed the names on their signboards with no significant change to the nature of the activities carried out inside. However, after 9/11, due to changes in Pakistan's policies towards India and pressure from the United States, Hafiz Saeed and his organization stepped back from aggressive jihadi activities in Kashmir. Despite this, several offices of LeT continued to recruit militants for jihad in Pakistan-administered Kashmir (BBC News, June 2).

India has long asked for the extradition of Hafiz Saeed, whom it suspects of being the mastermind behind all major terrorist attacks inside India. However, Pakistan’s government wants him to be tried inside Pakistan. So far, Pakistan has not brought sufficient evidence to punish him for his involvement in terrorist activities (Daily Times, June 5). Since 2001, he has been detained three times, but in every instance he was freed due to the apparent lack of evidence against him. In July 2006, India asked the Government of Pakistan to ban the JuD and arrest its leaders, including Hafiz Saeed, for their alleged involvement in the July 11 Mumbai train bombings that killed over 200 people. Pakistan rejected the Indian claims and put Hafiz Saeed under house arrest. He was released a month later (Hindustan Times, June 2).

The Pwnie Awards 2009 Winners

The Pwnie Awards is an annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community.

Pwnie Awards 2009 Winners....

Best server side bug =
Linux SCTP FWD Chunk Memory Corruption

Best client side bug =
msvidctl.dll MPEG2TuneRequest Stack buffer overflow

Best privilege escalation = Linux udev Netlink Message Privilege Escalation

Mass 0wnage = Red Hat Networks Backdoored OpenSSH Packages

Most innovative research = From 0 to 0day on Symbian

Lamest vendor response = Linux / Linus Torvalds

Most overhyped bug = MS08-067 Server Service NetpwPathCanonicalize() Stack Overflow

Best song = Nice Report

Most epic fail = Twitter Gets Hacked and the "Cloud Crisis

Lifetime achievement award
= Solar Designer


Special thanks to @shazzzam for the play-by-play on twitter. I had to run out after the "most epic fail" to catch my reservation @ MESA Grill.

For the curious foodies out there, I had the Fire Roasted Veal Chop with a glass of Voss Estate Pinot Noir...then the toasted coconut layer cake and black coffee for desert. So very good.

Venezuela Increases Military Co-operation with Russia

Via -

The televised signing of the 'New Statute on Military-Technical Co-operation' followed an earlier announcement by Venezuelan President Hugo Chávez on 24 July that Venezuela was intending to buy enough Russian tanks to double its fleet.

BIND 9 Denial of Service Attacks in the Wild


Earlier today Marc posted a short diary about a vulnerability in the Internet Systems Consortium's BIND 9 (all versions). As you almost certainly know, BIND is the most popular DNS service application running on majority of DNS servers today – and DNS is one service that we *really* need.

As the DoS attacks have been seen in the wild, and simple scripts that can be used to reproduce the attack are also easily available, this is not really surprising.

I wanted to draw your attention to this vulnerability (if you are running a BIND DNS server) – although the vulnerability exists in the dynamic update feature of BIND, even installations that have dynamic updates disabled are affected! This makes this vulnerability especially dangerous.

Only servers hosting master zones are vulnerable though, so even if the master DNS servers are down, all slaves should still continue to work (I'm not sure what happens if those slaves are masters for some other zones and they are subsequently taken down).

No workarounds exist – you might be able to create some firewall rules that will drop these packets though. In any case, it is recommended to upgrade your BIND DNS servers urgently from

Apple: Jailbreaking Could Knock out Transmission Towers

Via PC World -

Apple has told the U.S. Copyright Office that modifying the iPhone's operating system could crash a mobile phone network's transmission towers or allow people to avoid paying for phone calls.

The claims are Apple's contribution to the Copyright Office's regular review of the U.S. Digital Millennium Copyright Act (DMCA), a law that forbids the circumvention of copy control mechanisms.

Apple says that modification of the phone's software, a process known as jailbreaking, could lead to major network disruptions. Jailbreaking gets around the copyright control features that prohibit, for example, the installation of applications unapproved by Apple.

Apple's arguments, filed June 23, seek to rebut a request to the agency by the digital rights group Electronic Frontier Foundation (EFF) that modifications to the iPhone's software do not violate the DMCA and should be allowed.

The U.S. Copyright Office holds hearings every three years to consider requests to make exceptions to the nation's copyright law.

Jailbreaking continues to be popular with iPhone users, who can also then use their devices on the networks of operators who have not signed distribution deals with Apple.

Apple argues that the practice constitutes copyright infringement. No one has been prosecuted for jailbreaking, although Apple discourages it.

Apple's latest filing describes potentially severe technical problems operators could face with jailbroken phones.

Since the OS code is accessible on a jailbroken phone, Apple said it would be possible to reprogram one to gain access to the phone's BBP (baseband processor), which controls the connection to the operator's network.

"Because jailbreaking makes hacking of the BPP software much easier, jailbreaking affords an avenue for hackers to accomplish a number of undesirable things on the network," the filing said.

By gaining access to the BPP, hackers could change the phone's ECID (exclusive chip identification), which identifies a phone to the transmission towers, Apple said.

"With access to the BBP via jailbreaking, hackers may be able to change the ECID, which in turn can enable phone calls to be made anonymously (this would be desirable to drug dealers, for example) or charges for the calls to be avoided," Apple said.

While some of Apple's claims may be true, network operators rely on a separate identifier, contained in the phone's SIM (Subscriber Identity Module), to distinguish between customers for billing and authentication purposes.

Apple went on to say that if several phones were modified to have the same ECID, it could cause a transmission tower to malfunction or kick phones off the network. Also, operator limits on data transmission could be circumvented, allowing a hacker to conduct a denial-of-service attack and crash the tower.

"In short, taking control of the BPP software would be much the equivalent of getting inside the firewall of a corporate computer -- to potentially catastrophic result," Apple said.

Technical considerations aside, the EFF has argued that Apple's lock on the iPhone is unmerited from a copyright protection perspective and aims to "suppress competition from independent iPhone application vendors."

The Copyright Office is expected to make a decision in the case later this year.

Data Detailing New York Stock Exchange Network Exposed on Unsecured Server

Via (Threat Level) -

Sensitive information about the technical infrastructure of the New York Stock Exchange’s computer network was left unsecured on a public server for possibly more than a year, Threat Level has learned.

The data, which was removed after Threat Level disclosed the situation to the NYSE, included several directories of files containing logs; server names; IP addresses; lists of hardware; lists of software versions running on the network; and configuration and patch histories, including what patches have not yet been installed. It was all available on a publicly accessible, unprotected FTP server maintained by EMC, a company that sells storage systems and managed services to the NYSE and other companies.

“We have discussed the matter with EMC and at this point we believe that there has been no impact on our operations or our customers,” said NYSE spokeswoman Mirtha Medina in an e-mail.

“Unless the NYSE knows that this stuff is out there and has approved for it to be out there (highly doubtful), I see no good reason why EMC is allowing this to happen,” said an information security specialist via e-mail who asked not to be named because he works in the financial industry. “Leaving information like this in a ‘public’ place definitely would make a bad guy’s job somewhat easier.”

The information could allow an intruder to map the NYSE’s network architecture and determine what vulnerabilities exist in the system.

Cheerleader Sues School, Coach After Illicit Facebook Log-in

Via -

At this point, you would think that most users would be aware that they should keep embarrassing information off of Facebook. Everyone from potential employers to the press regularly check users' accounts on the service, looking for evidence of illicit or debauched behavior, and a number of jobs have been lost due to the information found there. Still, many fail to exercise discretion when using the service, people in positions of power are catching on, and there continue to be problems that result from the blurring of boundaries between public and private.

In what may be the latest example, a suit was filed in Mississippi that alleges a school official—more specifically a teacher acting in her capacity as a cheerleading coach—demanded that members of her squad hand over their Facebook login information. According to the suit, the teacher used it to access a student's account, which included a heated discussion of some of the cheerleading squad's internal politics. That information was then shared widely among school administrators, which resulted in the student receiving various sanctions.

As we noted when Bozeman, Montana attempted to obtain login credentials from anyone applying for a municipal job, it's easy for anyone to view pictures and text that a Facebook user has chosen to make public simply by signing up for an account with the service. By demanding login credentials, authorities gain access to materials that users have chosen to keep private. Whether this is done because people intend to get access to private data or because they are simply unfamiliar with how Facebook operates isn't always obvious, and probably varies from case to case.

According to this suit, the student's login details were requested during school hours, and the teacher accessed the account the same day. The account included the contents of a discussion between the student and a fellow member of the school's cheerleading squad about its internal politics, which was then allegedly shared with other squad supervisors and the school administration. The student was then "publicly reprimanded, punished, and humiliated" due to the contents of that discussion.

The student was allegedly forced to sit out of various school activities and had difficulties arranging her academic schedule to avoid taking classes from any of the individuals who were both coaches and teachers. Her parents claim that attempts to discuss the problem with school administrators brought them no relief.

The Student Press Law Center has more detailed account (via TechDirt) of the events, in which it reports that several other students asked for their logins simply deleted their accounts using their cell phones, preventing this sort of intrusion; the schools apparently have a filter that blocks access to its Web interface from school computers. It also suggests that the initial search of the Facebook accounts was done with the intent of finding pictures of the students smoking or drinking.

In any case, the suit alleges that the school's administration and staff, along with five John Does, violated the student's Constitutional rights to privacy, free speech and association, and subjected her to cruel and unusual punishment. There are also charges of causing emotional distress, defamation of character, and civil conspiracy. In general, courts have concluded that public school students have some constitutional rights, but only a subset of those afforded to the general populace. It may be that the student's lawyers are aiming broadly in order to find some area of constitutional law in which the student is clearly protected.

In any case, the message should be clear: either through malice or cluelessness, people in positions of authority are increasingly demanding complete access to users' personal accounts and, in moments of weakness, many users appear to be giving it to them. If there's information you're not comfortable sharing with the world, Facebook, Twitter, and similar services aren't the place for it.

Monday, July 27, 2009

Vegas Baby! Vegas!

So, I am packing for Blackhat 2009 and Defcon 17. Should be there before 5pm local time tomorrow.

Blog might be a little quiet this week, but I will try to post when I can...when I am not "working" or being social. =)

Russian Navy Accidentally Dummy Shells Vladivostok

Via Moscow Times -

A dummy shell fired from a warship veered off course Friday and landed just feet from a building in a residential area of Vladivostok, less than two months after a similar incident off the Gulf of Finland.

The anti-ship shell was fired during rehearsals for Sunday’s Navy Day celebrations in the far eastern port. For reasons yet to be determined, the projectile changed course after takeoff and landed beside a nine-story building, breaking windows and leaving a 1.5-meter crater, RIA-Novosti reported.

No one was hurt in the incident, and the Navy said it was investigating.

A bomb disposal team from the Pacific Fleet was sent to dig out and remove the shell. Military officials said it was intended only to make a sound effect for the parade.

Pacific Fleet spokesman Roman Martov said experts would evaluate what caused the bomb to deviate from its course. “All the parameters were set right, it was supposed to fall into the ocean,” he said, Interfax reported.

On May 28, a similar incident happened in the Leningrad region, when a Russian warship in the Gulf of Finland fired 14 shells in the direction of a dacha settlement on shore.

Fragments of the shells rained down on the village, but damage was minimal and no one was injured. The Navy later promised the dacha settlement “several tens of thousands of rubles” in damages, Ekho Moskvy reported.

Microsoft Office Visualization Tool (OffVis)

A free tool designed to help combat file format-based software vulnerabilities and exploits, OffVis will allow customers to better understand and deconstruct Microsoft Office-based attacks. As a result, security vendors can build deeper, more precise malware detection signatures and develop new techniques for analyzing malware. The tool is available for no-charge

Advance Notification for July 2009 Out-of-Band Releases

We have just published our advance notification for an out-of-band security bulletin release, with a target of 10:00 AM Pacific Time next Tuesday, July 28, 2009.

While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins:

1. One Security Bulletin for Visual Studio
2. One Security Bulletin for Internet Explorer

While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications. The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported.

Customers who are up to date on their security updates are protected from known attacks related to this Out of Band release.

Nearly Half Of Companies Lack A Formal Patch Management Process

Via DarkReading -

An open initiative for building a metrics model to measure the cost of patch management found that one-fourth of organizations don't test patches when they deploy them, and nearly 70 percent don't measure how well or efficiently they roll out patches, according to survey results released today.

Project Quant, a project for building a framework for evaluating the costs of patch management and optimizing the process, today also rolled out Version 1 of its metrics model today. Project Quant is an open, community-driven, vendor-neutral model that initially began with financial backing from Microsoft.

"Based on the survey and the additional research we performed during the project, we realized that despite being one of the most fundamental functions of IT, patch management is still a relatively immature, inconsistent, and expensive practice. The results really reinforced the need for practical models like Quant," says Rich Mogull, founder of Securosis, and one of the project leaders of the initiative.

The survey of around 100 respondents was voluntary and participation was solicited mainly via metrics and patch management organizations, so the organizers say the respondents were most likely organizations that take patch management seriously: "The corollary to this interpretation is that we believe the broader industry is probably LESS mature in their patch management process than reflected here," the report says.

Even so, over 40 percent of them have either no patch management process in place, or an informal one. And 68 percent say they don't have a metric for measuring how well they deploy patches, such as the time it takes them to deploy a patch, etc. One-fourth say they don't do any testing before they roll out a patch, and 40 percent rely on user complaints to validate the success of a patch, according to the survey.

And over 50 percent don't measure adherence to policy, including compliance when it comes to patching.

"It's clear we have a very long way to go on something we all assume is a boring, basic task. Considering where the bad guys are shifting attacks to, we desperately need better methods and means of keeping our systems up to date," Mogull says. "My hope is that Quant can help fill this gap."

Patch management for workstation and server operating systems was one of the most mature processes. "What's most interesting is the variation of maturity [of patch management] across platforms. Not that this was totally unexpected, but the least mature areas of patching seem to correlate almost directly with the fastest-growing areas of attacks," Mogull says, such as device drivers, database servers, business application servers, and networking hardware and software.

Meanwhile, Project Quant's survey is ongoing, so if you'd like to participate, visit this link.


As a former patch administrator ...this topic hits home with me.

So many companies are behind the curve on patch management, it is quite shocking.

Kevin Spacey Tries, Fails To Explain Twitter To Letterman

802.11N Becomes Official In September

Via -

Last Friday, Bob Heile, the chairman of the IEEE 802.15 working group on Personal Area Networks, noted that the 802.11N Wi-Fi standard has finally been sent on to the Standards Review Committee. That means, assuming no further hiccups, that the standard will become finalized by September. The ratification process stems back nearly five years, slowed by a factionalized debate over competing technologies. A draft version of 802.11n was approved in January 2006, and the first wave of 802.11N hardware hit the market -- with all subsequent evolutions (supposedly) applied by firmware update.

Sunday, July 26, 2009

Matasano Hack by Anti-Sec Supporters

Mirror Screenshot

Currently the Matasano website appears to be down, which is it a good indication that this is no fake.

PhreakNIC 12 Videos

PhreakNIC is a annual convention for hackers, phone phreaks, cypherpunks, programmers, civil libertarians, ham/scanner enthusiasts, security experts, feds, and culture jammers held in Nashville, TN. has put together an index page for all the videos...

Defcon iPhone Application

DEFCON® Hacker Conference - The Hacker Community's Foremost Social Network.

After years of misplaced, begged, borrowed, stolen Defcon schedules, we decided to do something to help. Introducing the Defcon iPhone app. Get all the up to date details on the con on your iPhone/iPod Touch. In addition to that, you can view the official Defcon RSS feed and #defcon Twitter posts. Talk and event calendars, speaker and dj bios, and a map of the venue.


1. Talk Calendar
2. Event Calendar
3. Speaker/DJ Biographies
4. Defcon RSS Feed Reader
5. Twitter #defcon

Status: Available Soon

The app has currently been submitted for Apple’s approval into their store. We’re looking at other options for distribution in case the app does not get approved in time. Follow @dtjedi or @tkimball via twitter for updates or check back here.

Saturday, July 25, 2009

Hacker Says iPhone 3GS Encryption Is ‘Useless’ for Businesses

Via -

Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware.

“It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

With its easy-to-use interface and wealth of applications available for download, the iPhone may be the most attractive smartphone yet for business use. Many companies seem to agree: In Apple’s quarterly earnings conference call Tuesday, Apple chief operating officer Tim Cook said almost 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones apiece; multiple corporations and government organizations have purchased 25,000 iPhones each; and the iPhone has been approved in more than 300 higher education institutions.

But contrary to Apple’s claim that the new iPhone 3GS is more enterprise friendly (for reference, see Apple’s security overview for iPhone in business [pdf]), the new iPhone 3GS’ encryption feature is “broken” when it comes to protecting sensitive information such as credit card numbers and social-security digits, Zdziarski said.

Zdziarski said it’s just as easy to access a user’s private information on an iPhone 3GS as it was on the previous generation iPhone 3G or first generation iPhone, both of which didn’t feature encryption. If a thief got his hands on an iPhone, a little bit of free software is all that’s needed to tap into all of the user’s content. Live data can be extracted in as little as two minutes, and an entire raw disk image can be made in about 45 minutes, Zdziarski said.

Wondering where the encryption comes into play? It doesn’t. Strangely, once one begins extracting data from an iPhone 3GS, the iPhone begins to decrypt the data on its own, he said.

To steal an iPhone’s disk image, hackers can use popular jailbreaking tools such as Red Sn0w and Purple Ra1n to install a custom kernel on the phone. Then, the thief can install an Secure Shell (SSH) client to port the iPhone’s raw disk image across SSH onto a computer.

To demonstrate the technique, Zdziarski established a screenshare with, and he was able to tap into an iPhone 3GS’ data with a few easy steps. The encryption did not pose any hindrance.

Nonetheless, professionals using the iPhone for business don’t seem to care, or know, about the device’s encryption weakness.

“We’re seeing growing interest with the release of iPhone 3.0 and the iPhone 3GS due in part to the new hardware encryption and improved security policies,” Cook said during Apple’s earnings call. “The phone is particularly doing well with small businesses and large organizations.”

Clearly, the gigantic offering of iPhone applications is luring these business groups. Quickoffice Mobile, for example, enables users to access and edit Microsoft Word or Excel files on their iPhone. For handling transactions, merchants can use apps such as Accept Credit Cards to process a credit card on an iPhone anywhere with a Wi-Fi or cellular connection.

Several employees of Halton Company, an industrial equipment provider, are using iPhones for work, according to Lance Kidd, chief information officer of the company. He said the large number of applications available for the iPhone make it worthy of risk-taking.

“Your organization has to be culturally ready to accept a certain degree of risk,” Kidd said. “I can say we’ve secured everything as tight as a button, but that won’t be true…. Our culture is such that our general manager is saying, ‘I’m willing to take the risk for the value of the applications.’”

Kidd noted that Halton employees are not using iPhones for holding confidential customer information, but rather for basic tasks such as e-mailing and engaging with clients via social networking sites such as Facebook and Twitter. Halton also plans to code apps strictly for use at the company, Kidd said.

According to Kidd, a security expert performed an evaluation of Halton, and he said it was possible for any hacker to find an infiltration no matter the level of security. Therefore, Halton has measures in place to respond to an information security threat rather than attempt to avoid it.

“It’s like business continuity,” Kidd said. “You prepare for disasters. You prepare for if there’s an earthquake and the building breaks down, and you prepare for if there’s a crack in [information] security.”

But Zdziarski stands firm that the iPhone’s software versatility isn’t worth the risk for use in the workforce. He said sensitive information is bound to appear in e-mails or anything that can be contained on the iPhone’s disk, which can be easily extracted by thieves thanks to the new handset’s shoddy encryption.


Lets get real here, the iPhone was never designed for business. It was born from the hugely popular iPod, which we would all agree wasn't designed with business needs in mind either.

Beyond the weak encryption on the device itself...why would any company want iTunes and Quicktime installed on its laptop, especially if they aren't required for business. Personally, I don't see many business benefits in iTunes anyways.

Every piece of software that is installed on a system increases its possible attack surface. Combined with Apple's lack luster security practices (both on a coding level & a communication level) have a recipe for increased risk of data breach...both on the iPhone and the machines used to manage it.

In 2007, Gartner suggested to keep the iPhone out of enterprise...and from a strictly security perception, I see few reason overall to change that suggestion.

Friday, July 24, 2009

Blackhat 2009 Preview - Bypassing IE ActiveX Killbits

Preview Video

Blackhat 2009 - The Language of Trust: Exploiting Trust Relationships in Active Content

SHA-3 Second Round Candidates

NIST has selected the Second Round Candidates of the SHA-3 Competition. A report summarizing NIST’s selection of these candidates will be forthcoming. A year is allocated for the public review of these algorithms, and the Second SHA-3 Candidate Conference is being planned for August 23-24, 2010, after Crypto 2010.


Make sure you check out the SHA-3 Zoo as well...good stuff.

Al-Shabaab Takes Over Two United Nations Offices in Somalia

Via Shimron Letters -

The Somali armed rebel group, Al Shabaab, looted two UN compounds and demanded an end to UN relief work in the impoverished Horn of Africa nation, the UN said Monday.

Al Shabaab, which has been trying to overthrow the transitional government in Mogadishu, looted the UN compound in Baidoa of emergency communication equipment, forcing the organisation to evacuate personnel and suspend its operations.

The UN said it was powerless when challenged by the rebels because the compound had no security guards.

In Wajid, protected by a minimum security, the rebels entered the compound of the World Food Programme and drove away with two vehicles and some furniture that did not belong to the UN.

“These two events happened as Al Shabaab broadcast on Monday a message on local Somali radio calling for the closing of offices” of several UN agencies, including the UN Development Programme, the UN said.

“The UN is reassessing the situation on the ground and is optimistic that the minimal conditions on the ground will be restored to allow the critical humanitarian work to resume in Baidoa and continue elsewhere in Somalia,” the UN said.

Russian Navy Declassifies Cold War Close Encounters

Via (Danger Room) -

Great catch by Phil Ewing at Navy TimesScoop Deck blog: the Russian navy has just declassified its records of Cold War UFO sightings. Turns out “50 percent of UFO encounters are connected with oceans. Fifteen [percent] more — with lakes. So UFOs tend to stick to the water,” one Russian officer explained.

“On several occasions the instruments gave reading of material objects moving at incredible speed,” a sub commander recalled. “Calculations showed speeds of about 230 knots, or 400 kph. Speeding so fast is a challenge even on the surface. But water resistance is much higher. It was like the objects defied the laws of physics. There’s only one explanation: the creatures who built them far surpass us in development.”

Insert jab about superior U.S. Navy submarine technology, here.

All joking aside, in one alleged incident in 1982, three navy diver trainees reportedly died pursuing what survivors described as “a group of humanoid creatures dressed in silvery suits” in Baikal, the world’s deepest lake.

Heap Spraying with Actionscript

Via FireEyes Malware Intelligence Lab -

As you may have heard, there's a new Adobe PDF-or-Flash-or-something 0-day in the wild. So this is a quick note about how it's implemented, but this blog post is not going to cover any details about the exploit itself.

Most of the Acrobat exploits over the last several months use the, now common, heap spraying technique, implemented in Javascript/ECMAscript, a Turing complete language that Adobe thought would go well with static documents. (Cause that went so well for Postscript) (Ironically, PDF has now come full circle back to having the features of Postscript that it was trying to get away from.) The exploit could be made far far less reliable, by disabling Javascript in your Adobe Acrobat Reader.

But apparently there's no easy way to disable Flash through the UI. US-CERT recommends renaming the %ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll and %ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll files. [Edit: Actually the source for this advice is the Adobe Product Security Incident Response Team (PSIRT).]

Anyway, here's why… Flash has it's own version of ECMAScript called Actionscript, and whoever wrote this new 0-day, finally did something new by implementing the heap-spray routine with Actionscript inside of Flash.

Thursday, July 23, 2009

Microsoft Scrambling to Close Stubborn Security Hole

Via Security Fix -

Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month, Security Fix has learned.

Last week, on its regularly scheduled Patch Tuesday (second Tuesday of the month), Redmond issued software updates to plug nine security holes. Among those was a patch for a flaw in Windows and Internet Explorer that hackers were exploiting to break into PCs. However, it soon became clear that Microsoft had known about this vulnerability since at least April 2008.

On July 9, noted security researcher Halvar Flake published a blog post suggesting that the reason Microsoft took so long to fix the bug may be because the flaw was caused by a far more systemic problem in Windows.

According to Flake, the problem resides in a collection of code that Microsoft uses in a number of places in Windows. This code "library" is also provided to third-party software makers to help them build programs that can leverage certain built-in features of Windows.

As a result, Flake concluded, Microsoft may have fixed only a subset of the problem on Windows with its patch this month.

"The bug is actually much 'deeper' than most people realize," Flake wrote. "MS might have accidentally introduced security vulnerabilities into third party products."

I reached out to Flake for additional information, but he told me that shortly after he published that blog post he received a 3 a.m. phone call from Microsoft asking him please not to comment further.

Microsoft has not officially responded to requests for comment about Flake's research. But a source within Microsoft said Redmond could issue an out-of-band update prior to next month's Patch Tuesday to address the outstanding flaws.

The decision over whether to do that or wait until next month's Patch Tuesday may hinge upon whether attackers begin exploiting these other vulnerable areas by using Microsoft's patch (and Flake's research) as a guide to locating the flaws. What's more, this bug is almost certain to be discussed at Black Hat and Defcon, the world's largest annual security conferences, being held next week in Las Vegas.

Indonesian Unaware Husband was Noordin Mohammed Top - Jemaah Islamiya's Bomb Maker & Financier

Via Reuters -

The Indonesian wife of Noordin Top, the region's most-wanted militant because of his role in a string of bomb attacks in Indonesia, did not know his real name and thought he was a teacher, her lawyer said on Thursday.

Malaysian-born Top is one of the prime suspects behind last week's near-simultaneous suicide bomb attacks on the JW Marriott and Ritz-Carlton, two luxury hotels in Jakarta's main business district, which killed nine people and injured 53, including Indonesians and foreigners.

Police and security analysts said the attacks bore the hallmarks of Jemaah Islamiah (JI), the militant Islamist group responsible for previous attacks in Jakarta and on the resort island of Bali, or of a splinter group headed by Top.

Arina Rochmah was detained by the police under Indonesia's terrorism law, her lawyer Achmad Michdan told Reuters, adding that she could be charged for harbouring or hiding information about a terror suspect.

Michdan said Rochmah had no knowledge that her husband, Abdul Halim, was Noordin Top, although she admitted he was seldom at home due to his work teaching at an Islamic boarding school in South Sulawesi.

He said that police took Rochmah, 25, her two children and her mother on Wednesday from an Islamic boarding school founded by her father in Cilacap, in central Java.

Michdan added that Rochmah had come to Jakarta and asked for legal protection a few weeks ago, after the police raided the family's house. Police said that a bomb found at the house was identical to those used in Friday's blasts.

Under the terrorism law, police have seven days to declare someone a suspect.


Having fleeing from Malaysia after the government cracked down on Islamists following the September 11th attacks, he married using an assumed name, Abdurrachman Aufi.

In early 2006, Noordin Top is believed to have drifted away from the main Jemaah Islamiah structure due to a disagreement about attacks on "soft targets", which often kill civilians. Police said he was claiming to lead a previously unknown group called Tanzim Qaedat al-Jihad.

In naming the group "Tanzim Qaedat al-Jihad," or "Organization for the Base of Jihad," Top has intentionally established a clear association with Osama bin Laden's al Qaeda, mimicking early moves by Abu Musab al-Zarqawi as he was seeking to establish his credibility in Iraq.

Wednesday, July 22, 2009

The Economics of Botnets

Via -

In the past ten years, botnets have evolved from small networks of a dozen PCs controlled from a single C&C (command and control center) into sophisticated distributed systems comprising millions of computers with decentralized control. Why are these enormous zombie networks created? The answer can be given in a single word: money.

A botnet, or zombie network, is a network of computers infected with a malicious program that allows cybercriminals to control the infected machines remotely without the users’ knowledge. Zombie networks have become a source of income for entire groups of cybercriminals. The invariably low cost of maintaining a botnet and the ever diminishing degree of knowledge required to manage one are conducive to growth in popularity and, consequently, the number of botnets.

So how does one start? What does a cybercriminal in need of a botnet do? There are many possibilities, depending on the criminal’s skills. Unfortunately, those who decide to set up a botnet from scratch will have no difficulty finding instructions on the Internet.


Check out the full article...good stuff.

Apple Backs Down On Bluwiki Threats

Via EFF -

Apple has retracted its legal threats against public wiki hosting site Bluwiki, and, in response, EFF is dismissing its lawsuit against Apple over those threats. The skirmish involved a set of anonymously authored wiki pages in which hobbyists were discussing how to "sync" media to iPods and iPhones using music library playback software other than Apple's own iTunes.

In November 2008, Apple sent a series of legal threats to the operator of Bluwiki, alleging that these hobbyist discussions about interoperability violated copyright law and constituted a violation of the Digital Millennium Copyright Act (DMCA), even though the author(s) of the pages had not yet figured out how to accomplish their goal. In response to Apple's legal threats, Bluwiki took down the wiki pages in question. In April 2009, EFF and the San Francisco law firm Keker & Van Nest sued Apple on behalf of OdioWorks, which runs Bluwiki, asking a court to reject Apple's claims and allow Bluwiki to restore the discussions.

On July 8, 2009, Apple sent letter withdrawing its cease-and-desist demands and stating that "Apple no longer has, nor will it have in the future, any objection to the publication of the iTunesDB Pages." As a result, EFF has moved to dismiss its complaint against Apple.

"While we are glad that Apple retracted its baseless legal threats, we are disappointed that it only came after 7 months of censorship and a lawsuit," said EFF Senior Staff Attorney Fred von Lohmann. "Because Apple continues to use technical measures to lock iPod Touch and iPhone owners into -- and Palm Pre owners out of -- using Apple's iTunes software, I wouldn't be surprised if there are more discussions among frustrated customers about reverse engineering Apple products. We hope Apple has learned its lesson here and will give those online discussions a wide berth in the future."

For more details:

For more information about OdioWorks v. Apple:

Adobe Reader, Acrobat and Flash Player Vulnerability


Adobe has released a blog post indicating that it is aware of reports of a vulnerability affecting Adobe Reader and Acrobat 9.1.2 and Flash Player 9 and 10.

US-CERT encourages users and administrators to review the blog post and implement the following workarounds until the vendor releases additional information:
  • Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".
  • Disable Flash Player or selectively enable Flash content as described in the Securing Your Web Browser Document.
Additional information regarding this vulnerability can be found in the Vulnerability Notes Database.

US-CERT will provide additional information as it becomes available.

Russian Intelligence Granted New Powers Over Citizens

Via Jamestown Foundation -

On July 6, the Russian ministry of communications posted its Order 65, on its official website ( Effective as of July 21, the order decrees that Russian postal services must make available for inspection on demand to the Federal Security Service (the FSB, the main successor to the Soviet KGB) and seven other Russian security service agencies any private mail or shipments, as well as its exhaustive data on senders and addressees. Special rooms where security officers will be able to open and inspect private mail were decreed to be established at post offices. Order 65 also cancels the privacy of electronic correspondence. Operators will now formally grant the security services access to their electronic databases.

Though Soviet or Russian security services never hesitated to intercept, monitor, inspect or confiscate private correspondence, nothing like Order 65 has ever occurred openly, formally or so blatantly -not even under Soviet rule.

Order 65 is in manifest contravention of the 1966 International Covenant on Civil and Political Rights (ICCPR), a United Nations treaty, based on the Universal Declaration of Human Rights -Russia is a signatory to both. It is also in contravention of Article 23 of the Russian constitution, which proclaims the complete privacy of telephone, postal and other communications and states unequivocally that this privacy can be lifted solely on the authority of the courts.

However, Order 65 contains no reference to making private correspondence available to the security services on the strength of a court decision. The Order leaves such decisions at the discretion of the security services. In 2000 and 2007 the Russian supreme court (and also in 2003 in the constitutional court) upheld Article 23 of the constitution, and ruled that mail operators could not disclose private correspondence or telephone communications to the security services, without first securing a court order (, July 15).

Yuri Vdovin, a prominent St. Petersburg's based human rights activist, told the Echo Moskvy Radio that Order 65 signifies a decisive step towards a totalitarian state. Unless this is revoked, Vdovin maintains, the next steps will include unlawful detentions and searches. Vdovin believes that the authorities are seeking ways to prevent possible social unrest, and take under their control any structures that might emerge in order "not to let the people speak their mind" (, July 15).

At the same time as this secret police surveillance of correspondence was openly decreed, the ministry of the interior (the MVD) were setting up special regional task forces to keep track of public attitudes, in an effort to prevent public protests, caused by the worsening economic situation in Russia. Interior Minister Rashid Nurgaliyev told the press that he expected this effort to allow the police and authorities to work preemptively and prevent an escalation of protests during the economic crisis. Nurgaliyev wants incoming evidence of growing social tension to be analyzed. If economic factors are deemed responsible, police will inform local officials and the government in order to launch preventive measures jointly, and keep any potential unrest under control (, July 15).

To complement this massive gathering of information, the MVD is also strengthening its already considerable forces to act on the basis of the information obtained. In the Moscow suburbs, they are now forming a new elite brigade named "avant-garde," which will specialize in maintaining public order during large-scale demonstrations. The force is expected to deploy across the country at short notice (, July 15).

These latest steps form a new chapter in Russia's progression towards a totalitarian state, and they logically complement previous punitive measures, launched by the Putin government, previously highlighted by the Jamestown Foundation (EDM, January 5). Some Russian experts now estimate the total strength of the MVD and other security forces at 2.5 million, which are assigned to crush the projected domestic protests. They see this process as a crisis demanding the militarization of the state (, July 14).

Osama Bin Laden's Son Thought Killed in Predator Strike

Via The Long War Journal -

Sa'ad bin Laden, the son of Osama bin Laden, is thought to have been killed in a US Predator airstrike in Pakistan's tribal areas. The report has not been confirmed.

Sa'ad is thought to have been killed during a strike earlier this year, US intelligence officials told The Long War Journal.

"We're pretty sure but we're not certain," one official said. "We are hopeful."

US intelligence officials want to confirm or deny Sa'ad's death by using DNA testing. But it is unclear if they have recovered a body from the attack site.

The officials would not identify the date or the location of the airstrike that is thought to have killed Sa'ad. The covert US air campaign has focused heavily on North and South Waziristan. Fifty percent of the attacks occurred in South Waziristan, and 38 percent took place in North Waziristan, according to data compiled by The Long War Journal. The US has killed a total of 22 High Value Targets, which include some of the high- and mid-level Taliban and al Qaeda leadership in the tribal agencies since the first strike was reported back in June 2004 [see LWJ report, US Predator strikes in Pakistan: Observations].

Al Qaeda has neither confirmed nor denied Sa'ad's death. Al Qaeda typically issues a martyrdom statement for senior leaders and commanders who have been killed in battle.

Sa'ad is considered a senior leader in al Qaeda. He is an operational commander who was involved in the 2003 bombings in Riyadh, Saudi Arabia. He is known to shelter in Iran and move back and forth across the border with Pakistan.

He is reported to have facilitated communications between Ayman al Zawahiri and Qods Force, the notorious special operations branch of the Iranian Revolutionary Guards Corps, in September 2008 after the deadly attack on the US embassy in Yemen.

Sa'ad made "key decisions for al Qaeda and was part of a small group of al Qaeda members that was involved in managing the terrorist organization from Iran," according to the US Treasury report that designated him as a terrorist on Jan. 16, 2009. "As of September 2008, it was possible that Sa'ad bin Laden was no longer in Iranian custody," the Treasury reported.

Sa'ad is believed to have entered Pakistan’s northwest to meet with Zawahiri in Pakistan sometime in early September, according to Mike McConnell, the outgoing Director of National Intelligence.

NSA Using Cloud Model For Intelligence Sharing

Via InformationWeek -

The National Security Agency is taking a cloud computing approach in developing a new collaborative intelligence gathering system that will link disparate intelligence databases.

The system, currently in testing, will be geographically distributed in data centers around the country, and it will hold "essentially every kind of data there is," said Randy Garrett, director of technology for NSA's integrated intelligence program, at a cloud computing symposium last week at the National Defense University's Information Resources Management College.

The system will house streaming data, unstructured text, large files, and other forms of intelligence data. Analysts will be able to add metadata and tags that, among other things, designate how securely information is to be handled and how widely it gets disseminated. For end users, the system will come with search, discovery, collaboration, correlation, and analysis tools.

The intelligence agency is using the Hadoop file system, an implementation of Google's MapReduce parallel processing system, to make it easier to "rapidly reconfigure data" and for Hadoop's ability to scale.

The NSA's decision to use cloud computing technologies wasn't about cutting costs or seeking innovation for innovation's sake; rather, cloud computing was seen as a way to enable new scenarios and unprecedented scalability, Garrett said. "The object is to do things that were essentially impossible before," he said.

NSA's challenge has been to provide vast amounts of real-time data gathered from intelligence agencies, military branches, and other sources of intelligence to authorized users based on different access privileges. Federal agencies have their own systems for sharing information, but many remain disconnected, while community-wide systems like Intellipedia require significant user input to be helpful.

The NSA effort is part of Intelligence Community Directive 501, an effort to overhaul intelligence sharing proposed under the Bush administration. Current director of national intelligence Dennis Blair has promised that intelligence sharing will remain a priority.

"The legacy systems must be modernized and consolidated to allow for data to actually be shared across an enterprise, and the organizations that collect intelligence must be trained and incentivized to distribute it widely," he said in response to questions from the Senate prior to his confirmation.

The new system will run on commodity hardware and "largely" on commercial software, Garrett said. The NSA will manage the arrayed servers as a pool of resources rather than as individual machines.

Deutsche Bank Fires Two as Possible Inquiry Looms

Via NYTimes -

Two executives have been fired at Deutsche Bank as prosecutors consider whether to open a criminal inquiry into surveillance measures conducted against board members and a shareholder advocate.

The executives fired were Wolfram Schmitt, head of investor relations, and Rafael Schenz, German security chief, a person with direct knowledge of the matter said on Tuesday. The person was not authorized to speak on the record and declined to be named.

The bank had ordered an internal review of possible violations of privacy laws in May, after several cases came to light. On Monday, the data protection agency for Hesse, the state where Deutsche Bank is based, said it had forwarded the case to state prosecutors in Frankfurt, after reviewing a preliminary report by the independent law firm Cleary Gottlieb Steen & Hamilton, which had been hired by the bank to conduct the review.

Doris Möeller-Scheu, a prosecutor and spokeswoman for the Frankfurt prosecutor’s office, said the office had received a “very big dossier” and would need about three weeks to decide whether a criminal investigation was warranted.

Ronald Weichert, head of media relations at Deutsche, said the bank could not comment until the report on its internal investigation was finished.

In May, the bank issued a statement saying that it had “learned about possible violations which occurred in past years of the bank’s internal procedures or legal requirements in connection with activities involving the bank’s corporate security department.”

The dismissal of Mr. Schmitt stems from the case of Michael Bohndorf, a shareholder with a history of litigation against the bank who was known to ask critical questions at its shareholder meetings.

After a shareholder’s meeting in 2006, Deutsche Bank hired private investigators to spy on Mr. Bohndorf, posing as vacationers to rent his house in Ibiza and trying to establish a link between him and Leo Kirch, a media tycoon who had waged a legal battle against the bank accusing it of provoking the collapse of some of his companies.

Around that same time, private investigators tested the security measures that Deutsche’s chief operating officer, Hermann-Josef Lamberti, took to protect himself from being tracked and bugged. Detectives tried to plant a GPS device on his car and to smuggle an inactive listening device into his house with a flower delivery.

Chinese News Sites Go Down After Reports on Gov't Scandal

Via -

Two of China's most popular technology news Web sites went offline Tuesday after carrying news reports that linked the son of China's president to a corrupt African deal.

The technology news sections disappeared for several hours from major Chinese portals and early Tuesday afternoon, when they started redirecting viewers to general news pages. Both tech sections had carried reports on a state-owned company accused of bribing Namibian officials in the last day, but those reports were missing when the Web pages reappeared.

The suspensions appeared to be a government penalty against the companies for reporting on a sensitive political issue.

"I'm impressed by the bravery of Sina and Netease in attempting to report this at all," said Rebecca MacKinnon, a Hong Kong-based expert on the Internet in China, in an online message.

Information on top leaders' children has always been off-limits in Chinese media, though the Internet has made it more difficult to control discussions on such topics, MacKinnon said.

Chinese police heavily patrol the Internet, and Internet companies run rigorous screening to prevent sensitive information from appearing on user forums or in search results on their sites. Companies can be punished if that process fails to catch certain political or pornographic content.

"This is not particularly surprising or different from long-standing censorship patterns," MacKinnon said.

A story posted on the NetEase tech page the night before its suspension cited English broadcaster BBC as saying that Nuctech, a Chinese company, was suspected of bribery in a deal to provide scanners for airports and ports in Namibia. The BBC report had said Namibian authorities wanted to question Hu Haifeng, the former company president and son of Chinese president Hu Jintao, but did not suspect him in the case.

The NetEase story did not mention Hu, but said Namibia wanted to question "relevant" Nuctech executives.

Sina's tech page carried a similar article the next morning, hours before the sites went down. After the tech sections returned to the portals, visiting the URLs of the scandal reports returned messages that they could not be found or had been deleted.

An employee who answered the phone at NetEase Tuesday said its tech section was down for tests. Sina did not respond to a request for comment.

Nuctech's parent company, Tsinghua Holdings, controls a range of other technology companies including Chinese PC maker Tsinghua Tongfang.

Tuesday, July 21, 2009

Vordel SOAPBox is Now Free!

Vordel SOAPbox allows developers to test the performance, scalability, and security of Web Services. Using SOAPbox, a developer can test how Web Services perform under load, how they deal with unexpected input, and what their traffic ceiling is.

Vordel SOAPbox highlights security tokens, XML Signatures, and encrypted content in XML documents. SOAPbox supports established security technologies such as SSL and HTTP-Auth, as well as next-generation security technologies such as WS-Security and SAML.


My team has been using this tool for quite some time...and it was worth the money.

But now it is free. Just input your e-mail...and download.

Vordel has made an attempt to block the use of free e-mail accounts (i.e. Mailinator) but they forgot to include the alternative mailinator domains, like ;)

GAO: Many Federal Agencies Still Don't Meet Security Standards

Via DarkReading -

Virtually all of the U.S. federal government's key civilian agencies are still falling short of the security marks they have been asked to meet, according to the Government Accountability Office (GAO).

In a report (PDF) issued earlier today, the GAO says of the 24 agencies reviewed, almost all had deficiencies in security controls and management, "leaving them vulnerable to attack or compromise." The GAO says it has made "hundreds" of recommendations to the agencies, yet many have not been addressed.

During the past three years, the number of incidents reported by federal agencies to U.S.-CERT has increased by almost 200 percent -- from 5,503 in 2006 to 16,843 in 2008, according to the report. More than one-third of the incidents are still under investigation, and the sources of the compromises are not yet known.

Of the incidents in which the sources are known, approximately 22 percent were caused by improper use of computers by authorized users, the report states. Eighteen percent of the compromises were caused by unauthorized access, and 14 percent were caused by malicious code. About 12 percent of the breaches were caused by scans, probes, or attempted access by external attackers, the report says.

Of the 24 agencies reviewed, 13 reported "significant deficiencies" in information security, the GAO says. Seven agencies reported "material weaknesses" that still have not been repaired. Only four agencies reported "no significant weakness," the report states.

Indonesian TV Identifies Another Jakarta Hotel Bomber

Via -

An Indonesian television on Tuesday evening unveiled identity of another suicide bomber at Ritz Carlton Hotel as Ibrahim, a florist at the hotel, who conducted his action on Friday along with fellow Nurhasbi at JW Marriott Hotel in Jakarta.

Based on the cctv record seconds before the blast at 07:47 at Erlangga restaurant at Ritz Carlton Hotel, a man suspected as Ibrahim of 36, walked unsteadily carrying a black bag which seems very heavy, Metro television said.

The whereabouts of Ibrahim has been unknown since the bombings at the two luxurious hotels which located opposite each other on July 17 that killed nine people and wounded 55 others, half of them foreigners. The police conducted DNA test to make sure the body of Ibrahim.

Based on the hotel presentation list Ibrahim was working on Friday morning, the day of the bombings.

He called his family before the blasts.

After the bombings, his family had looked for him at some hospitals where the victims of the explosions were being treated.

Police are identifying parts of bodies found at the scene, but it is still unknown yet whether one of them is belonging to Ibrahim.

The perpetrators of the bombings assembled the bombs at room 1808 at JW Marriott Hotel. They ordered the room on July 10 and occupied it at 15:01 Jakarta time (0901 GMT) on July 15, two days before conducting their deadly acts. Police found active bomb in a black laptop computer bag after the blasts.

The police have found similarities in equipment and method of the bombs with those detonated in Bali in 2002 and 2005, and that found in recent raid in Cilacap of Central Java, in which the regional militant network of Jemaah Islamiyah was responsible.

Police widens investigation on the group.

The blasts in JW Marriott Hotel and Ritz Carlton Hotel in Jakarta's main business district occurred after four-years absence of major terrorist acts in the country.

Indonesia had been attacked by a series of terrorist attacks from 2000 to 2005, including Bali bombings, the JW Marriott explosion and the Australian embassy bombings in Jakarta that killed more than 250 people.

The police and analysts said that the bombings in the two hotels were led by a breakaway of Jemaah Islamiyah led by Malaysian fugitive Noordin Moh Top, who had organized the major bombings in Indonesia, targeting foreigners and facilities. He has been main target of the police.

Monday, July 20, 2009

U.S. Steps Up Pressure on 'The Company' - Leaders of Los Zetas

Via Yahoo! News (AP) -

The Department of State offered up to $50 million Monday for information leading to the arrests of 10 top Mexican drug suspects accused of key roles in a violent organization estimated to have sold more than $1 billion worth of drugs in the United States.

U.S. Attorney Benton J. Campbell said the reward money and new federal charges were among U.S. efforts to dismantle a powerful drug trafficking organization known as The Company, whose members came from an elite security force called Los Zetas.

The only name on an indictment unsealed in federal court in Brooklyn was Miguel Trevino-Morales, a fugitive charged with operating a continuing criminal enterprise, international cocaine distribution and firearms violations. The indictment also sought the forfeiture of $1 billion in drug proceeds.

Campbell said in a release that Trevino-Morales, who could face life in prison if convicted, was the principal leader of Los Zetas, a group that includes former members of the Air Mobile Special Forces Group of the Mexican military who went into the drug-smuggling business.

In Washington, the Department of State announced it was offering a total of $50 million for tips leading to the capture of the defendants, including four leaders who were designated as narcotics kingpins by the U.S. Department of the Treasury's Office of Foreign Assets Control.

The government said it was offering up to $5 million apiece for information leading to the arrests of 10 people, one of whom has been captured.

Nineteen defendants have been charged in an indictment in federal court in Washington with drug trafficking-related crimes, and others are charged in indictments in federal court in Houston.

"The joint efforts announced today are significant steps in the department's strategy to stop the flow of illegal drugs into our communities and the shipment of drug proceeds back to Mexico," Campbell said.

Assistant Attorney General Lanny A. Breuer said the actions taken Monday will at least make it more difficult for the drug dealers to move cash around.

"We have learned that the most effective way to disrupt and dismantle criminal organizations is to prosecute their leaders and seize their funding," she said in a release. "We stand shoulder-to-shoulder with our brave Mexican colleagues in the fight against these destructive cartels."

The Foreign Narcotics Kingpin Designation Act, which became law in 1999, prohibits all trade and transactions between U.S. companies and individuals and significant foreign narcotics traffickers, their organizations and associates who act on their behalf.

Fewer than 100 people have been designated narcotics kingpins since the first major targets were announced in June 2000.

The indictment unsealed in Brooklyn said the drug organization, formerly known as the Gulf Cartel, had become the dominant force in the drug trade along the Gulf of Mexico, transporting multi-ton quantities of cocaine each month from Mexico to Texas after obtaining it in Guatemala, Colombia, Venezuela and elsewhere.