Tuesday, March 31, 2009

Pigeons Fly Cell Phones into Brazilian Prison

Via Google (AP) -

Inmates have devised an innovative way to smuggle cell phones into a prison farm in Brazil: carrier pigeons.

Guards at the Danilio Pinheiro prison near the southeastern city of Sorocaba noticed a pigeon resting on an electric wire with a small cloth bag tied to one of its legs last week.

"The guards nabbed the bird after luring it down with some food and discovered components of a small cell phone inside the bag," police investigator Celso Soramiglio said Tuesday.

One day later, another pigeon was spotted dragging a similar bag inside the prison's exercise yard. Inside the bag was the cell phone's charger, Soramiglio said.

The birds were apparently bred and raised inside the prison, smuggled out, outfitted with the cell phone parts and then released to fly back.

"Pigeons instinctively fly back home, always," the investigator said.

Soramiglio said that police have not discovered who raised the pigeons nor the name of the inmate who was going to receive the cell phone, but that he hoped the telephone carrier would provide the information.

"Some of them are members of organized crime groups that use cell phones to talk to family and friends and to give and receive orders for criminal actions outside and inside prisons," Soramiglio said.

He did not want to elaborate further until investigations conclude.

In 2006, Sao Paulo's notorious First Capital Command used cell phones to coordinate a wave of assaults on police, banks and buses that left more than 200 people dead in South America's largest city.

The gang's leaders are based in prisons, and use smuggled cell phones to plan and execute drug deals, kidnappings and bank robberies.

Washington D.C. Restaurants Become Credit Card Cloning Hot Spots

Via Wired.com (Threat Level) -

Four former servers at three upscale Washington D.C. restaurants blocks from the White House were arrested last week for allegedly using covert skimming devices to clone customer credit card data, in a year-long counterfeiting operation that's put $750,000 in fraudulent charges on the plastic of Washington's elite.

Servers at Clyde's of Gallery Place, M&S Grill, and 701 Restaurant, along with Maryland workers at Carrabba's Italian Grill and the Gaylord Hotel, allegedly stole the card numbers. According to the Secret Service, the data wound up in the hands of 28-year-old Joseph Artemus Bush, III, a Maryland man who was repeatedly caught on surveillance video using counterfeit cards with the skimmed account numbers.

Bush's alleged MO was to purchase American Express gift cards at area Target and Walmart stores, then redeem them at high-end shops like Barney's of New York and Gucci. Last week he was charged with credit card fraud, along with two alleged confederates, Erick V. Burton and Aaron Gilbert. The four servers charged are Lavelle Denise Payne, Shannon Eileen McLaughlin, Jamaal Snowden and Simone Carrie Diane Folk.


Luckily I didn't visit any of these places on my trips to DC...but some of my friends do on a regular basis.

Know Your Enemy: Containing Conficker


Our "Know Your Enemy: Containing Conficker" whitepaper was released on March 30th as a PDF only. You can download the full paper from the link below.

Paper Abstract

The Conficker worm has infected several million computers since it first started spreading in late 2008 but attempts to mitigate Conficker have not yet proved very successful. In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotely detect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented. Finally, the domain name generation mechanism for all three Conficker variants is discussed in detail and an overview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented here are freely available for download including source code.

In addition, as a result of this paper and the hard work of Dan Kaminsky, most vulnerability scanning tools (including Nmap) should now have a plugin or signatures that allow you to remotely detect infected Conficker systems on your networks. Finally, we would like to recognize and thank the tremendous help and input of the Conficker Working Group.

Paper last updated March 30th 2009, 23:00 GMT (rev1)
PDF MD5sum = 135ba75c33534327eb2800e98c8077e8 (KYE-Conficker.pdf)

Foreign Phisher Makes History with US Conviction

Via TechWorld.com -

A 23-year-old Romanian man has become the first foreigner to be convicted by a US court for phishing.

Ovidiu-Ionut Nicola-Roman, of Craiova, Romania, was sentenced to four years and two months in prison Monday for his role in an international phishing operation. Prosecutors had charged him with setting up fake banking sites and then sending out tens of thousands of fraudulent spam messages in hopes of tricking victims into giving up their account information.

The sentence was handed down by Judge Janet Hall of the United States District Court in Connecticut.

Nicola-Roman was arrested in Bulgaria and extradited to the US in November 2007. He pleaded guilty last July to a fraud charge and had been facing a possible five years in prison. Additional charges that he faced in California were dropped because they were not listed in his extradition request.

He was charged as part of a larger phishing bust that also named six other Romanians, none of whom have been arrested.

Security experts say countries such as Russia, Romania and the Ukraine have become hotbeds of cybercrime, in part because local governments are slow to prosecute fraudsters who take money from victims in other countries such as the US.

The FBI said Monday that Internet fraud complaints had spiked 33 percent year-over-year in 2008.

In Nicola-Roman's case, prosecutors said they found 2,600 credit and debit card numbers in email accounts linked to him, and that he had probably harvested more information. He set up a fake phishing site to snare customers of People's Bank in October 2005, but also had tools that would have allowed him to phish customers of Wells Fargo, Suntrust, Amazon.com, PayPal and eBay, according to court documents.

He doesn't appear to have written software himself, but assembled a large collection of online fraud tools, including a program called Web Data Extractor, which harvested e-mail addresses. He sent spam to victims using a program called Email Sender Express, which could send 30,000 spam messages per hour, and created counterfeit cards using a program called T2Gen, prosecutors said. Another program, called WebZIP Unlimited, could be used to counterfeit legitimate websites.

According to data supplied to prosecutors by People's Bank, 78 of the 88 People's Bank card numbers that investigators found in Nicola-Roman's possession had been used for fraud. Nicola-Roman was able to take an average of $960 (approx £722) per card number collected, prosecutors said.

Somali Pirates Hijack Two Tankers in 24 Hours

Via Google (AP) -

Pirates armed with machine guns pursued and captured a Norwegian chemical tanker off the coast of Somalia on Thursday, the owners said, less than 24 hours after a smaller Greek-owned vessel was seized in the same area.

The U.S. 5th Fleet, which patrols the pirate-infested Gulf of Aden, confirmed both hijackings and said they happened in the same area but separate from the gulf, one of the world's busiest — and now most treacherous — sea lanes.

The 23,000-ton Norwegian-owned Bow Asir was seized 250 miles (400 kilometers) off the Somali coast on Thursday morning, and the 9,000-ton Greek-owned Nipayia, with 19 crew members, was attacked about 450 miles (720 kilometers) off Somalia on Wednesday afternoon, the European Union's military spokesman said.

Norway's shipowners' association said the Bow Asir had a crew of 27 with a Russian captain, but the 5th Fleet said there were 23 crew on board. Fleet spokesman Lt. Nate Christensen said the Norwegian ship was Bahamian-flagged, but he did not know its cargo. U.S. Cmdr. Jane Campbell confirmed the hijacking on Wednesday of the Nipayia.

Both vessels are chemical tankers but their cargoes were not immediately made public.

A Nairobi-based diplomat, speaking on condition of anonymity because he was not authorized to speak to the press, said the Nipayia had 18 Filipinos on board and a Russian captain, and that the ship is managed by Athens-based Lotus Shipping.

The owner of the Norwegian Bow Asir, Salhus Shipping AS, said it received a security alert message from the Bow Asir at 0729GMT saying the ship was being chased by two small boats with suspected pirates on board.

At 0745GMT, the captain reported that the pirates had boarded the vessel, and three hours later, Salhus Shipping received an e-mail from the ship confirming that 16 to 18 pirates carrying machine guns had gained control, managing director Per H. Hansen said in a statement.

"We have no reports of any injuries," he said. "We are doing our utmost to ensure the safety of the crew, and have established communication lines with naval forces, insurance companies, flag state and charterer."

Japan Vows to Shoot Down North Korean Missile - if it fails

Via Janes.com -

The Japan Self-Defense Force (JSDF) is preparing to destroy a ballistic missile test-fired from North Korea should a failed launch pose a danger to Japan, a defence official has stated.

Following a high-level security meeting with Prime Minister Taro Aso on 27 March, Japan's Defence Minister Yasukazu Hamada was expected to order the JSDF to activate Japan's missile defence system to prepare to shoot down the missile or any debris after it is fired in early April.

This destruction order is based on Article 82-2 of JSDF Law, which stipulates that, even if the possibility of a missile or rocket falling onto Japan is unclear, the JSDF can take preventative action.

North Korea is poised to launch what it claims is a satellite launch vehicle between 4-8 April to boost national prestige ahead of the Supreme People's Assembly starting on 9 April.

Report: Chinese Develop Special "Kill Weapon" to Destroy U.S. Aircraft Carriers

Via USNI.org -

With tensions already rising due to the Chinese navy becoming more aggressive in asserting its territorial claims in the South China Sea, the U.S. Navy seems to have yet another reason to be deeply concerned.

After years of conjecture, details have begun to emerge of a "kill weapon" developed by the Chinese to target and destroy U.S. aircraft carriers.

First posted on a Chinese blog viewed as credible by military analysts and then translated by the naval affairs blog Information Dissemination, a recent report provides a description of an anti-ship ballistic missile (ASBM) that can strike carriers and other U.S. vessels at a range of 2000km.

The range of the modified Dong Feng 21 missile is significant in that it covers the areas that are likely hot zones for future confrontations between U.S. and Chinese surface forces.

The size of the missile enables it to carry a warhead big enough to inflict significant damage on a large vessel, providing the Chinese the capability of destroying a U.S. supercarrier in one strike.

Because the missile employs a complex guidance system, low radar signature and a maneuverability that makes its flight path unpredictable, the odds that it can evade tracking systems to reach its target are increased. It is estimated that the missile can travel at Mach 10 and reach its maximum range of 2000km in less than 12 minutes.

Supporting the missile is a network of satellites, radar and unmanned aerial vehicles that can locate U.S. ships and then guide the weapon, enabling it to hit moving targets.

While the ASBM has been a topic of discussion within national defense circles for quite some time, the fact that information is now coming from Chinese sources indicates that the weapon system is operational. The Chinese rarely mention weapons projects unless they are well beyond the test stages.

If operational as is believed, the system marks the first time a ballistic missile has been successfully developed to attack vessels at sea. Ships currently have no defense against a ballistic missile attack.

Along with the Chinese naval build-up, U.S. Navy officials appear to view the development of the anti-ship ballistic missile as a tangible threat.


The ASBM is said to be a modified Dong Feng 21 (DF-21).

Firefox Attacks Sharpen Bite

Via eWeek (Security Watch) -

Security researchers are highlighting a more powerful breed of attack that is specifically targeting users of the open source Mozilla Firefox web browser.

Long touted for its improved security over rival browsers including Microsoft IE, Firefox has been mined for dozens of vulnerabilities over the last few years, but the application hasn't ever faced the same level of attacks as Explorer.

However, experts are charting the emergence of a new, sophisticated breed of Firefox threat that packs a significantly more potent punch than its predecessors.

Posting to the Webroot Threat Blog, longtime security researcher Andrew Brandt describes several newly discovered pieces of badware in circulation that he cites as "raising the bar" for Firefox attacks.

"In the past few weeks, we've seen malware writers up the ante in their bets against Firefox. Two new spies came across the transom in the past week, and easily managed to load themselves into a freshly installed copy of Firefox 3.0.7. I should note that this isn't due to any problem or negligence on Mozilla's part; once you execute malicious code on your PC, any application is vulnerable. Firefox just happens to be a big target," Brandt notes.

The first piece of malware Brandt points to is a malicious plugin that appears to be a new variant of a known spyware attack, DNSChanger. Framed as a browser hijacking ploy, the installer drops a DLL payload into the Firefox components folder, and then runs in the background from thereon.

The threat, also ID'd as "Firesox," then injects ads or modified results when it detects certain search query strings sent to engines including Google, Yahoo, MSN, Altavista, Teoma, Ask and Pricegrabber, Brandt reports.

"In the past, we saw DNSChanger used to help fraudulent advertising affiliates boost their numbers, and to direct unsuspecting users to rogue antimalware tools by generating bogus results. It remains to be seen whether this new variant will be as prolific as the old version," he writes.

The second attack highlighted in the researcher's blog post is a piece of adware that only installs correctly with Firefox versions 3.x or later. Parceled together with other programs and a too-long-to-read EULA, the threat, dubbed Foxicle, appears after users attempt to opt-out of another adware toolbar, Mirar.

Whether they agree to keep Mirar or end up saddled with Foxicle, users unlucky enough to stumble onto the programs appear destined to stare at some unwanted ads when they're browsing.

In both cases, the attacks represent a new generation of Firefox threats in their ability to cloak themselves from discovery, Brandt contends.

"Neither Firesox, the DNSChanger clone, or Foxicle put an obvious entry in Firefox's plugins dialog that signal their presence. While not widely distributed, I suspect we'll be seeing more of them," he said.

Taliban Leader Vows To Attack D.C., Says “Will Amaze The World”

Via CBSNews -

The top Taliban commander in Pakistan promised an assault on Washington "soon" - one he says will "amaze" the world.

"Soon we will launch an attack in Washington that will amaze everyone in the world," Baitullah Mehsud told The Associated Press by phone.

Mehsud also claimed responsibility for Monday's attack on a police academy outside the eastern Pakistani city of Lahore, saying it was in retaliation for U.S. missile strikes against militants along the Afghan border.

Mehsud and other Pakistani Taliban militants are believed to be based in the country's lawless areas near the border with Afghanistan, where they have stepped up their attacks throughout Pakistan.

One year ago, CBS News security correspondent Bob Orr reported that U.S. intelligence officials were increasingly concerned that Mehsud could eclipse even Osama bin Laden as a threat to America.

The U.S. recently announced a $5 million bounty on Mehsud's head. Asked about it, he told the AP he would be happy to "embrace martyrdom."

Wireshark PROFINET DCP Format String Vulnerability


Description: A vulnerability has been discovered in Wireshark, which can potentially be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a format string error within the PN-DCP dissector when processing station names containing format string specifiers. This can be exploited to cause a crash and potentially execute arbitrary code via specially crafted packets captured off the wire or loaded via a capture file. The vulnerability is confirmed in version 1.0.6. Other versions may also be affected.

Solution: Disable support for the "PN-DCP" protocol.

Provided and/or discovered by: THCX Labs

Original Advisory: http://milw0rm.com/exploits/8308


The PN-DCP dissector can be disabled in Wireshark from Analyze > Enabled Protocols (Ctrl+Shift+R) by unchecking "PN-DCP"; Wireshark records the choice in the disabled_protos file of the active profile, so it survives restarts. This is a workaround that removes the crash path until a fixed Wireshark build is installed; it changes only what gets dissected, not what gets captured.
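The bug class itself, as an added illustration that is neither Wireshark's code nor part of the advisory: a printf-style call that is handed the packet's station name as its format string, next to the fixed form, plus a small scanner that counts conversion directives in a field that should never contain any. The function names, the snprintf stand-in for whatever output call the dissector used, and the sample station names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
/* The deliberately vulnerable function below passes a non-literal format
 * string; silence the diagnostic so the contrast compiles as written. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#endif

static char g_line[256];   /* output buffer shared by both render functions */

/* VULNERABLE pattern (hypothetical stand-in for a dissector rendering a
 * station name through a printf-family call): the attacker-controlled name
 * is itself the format string, so "%x", "%s" and "%n" inside the packet read
 * or write memory the caller never supplied. Kept only for contrast; never
 * call it with untrusted input. */
const char *render_station_name_vulnerable(const char *station_name)
{
    snprintf(g_line, sizeof g_line, station_name);   /* BUG: data used as format */
    return g_line;
}

/* FIXED pattern: the format string is a literal and the packet data can
 * only ever fill the %s argument, so "%x%n" is printed as those four bytes. */
const char *render_station_name_fixed(const char *station_name)
{
    snprintf(g_line, sizeof g_line, "Station name: %s", station_name);
    return g_line;
}

/* Count printf conversion directives in data that was never meant to be a
 * format string. "%%" is a literal percent sign and a dangling '%' at the
 * end is ignored. A non-zero count in a field like a DCP station name is
 * a reasonable thing to alert on in a capture-analysis pipeline. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        if (p[1] == '\0')       /* trailing '%' with no conversion */
            break;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample values standing in for a DCP station-name field. */
    const char *benign  = "plant-line-01";
    const char *hostile = "%x%x%x%n";

    printf("%s\n", render_station_name_fixed(hostile));        /* specifiers come out literally */
    printf("directives in \"%s\": %d\n", hostile, count_format_directives(hostile));
    printf("directives in \"%s\": %d\n", benign,  count_format_directives(benign));
    /* Only safe because "benign" contains no '%' at all. */
    printf("%s\n", render_station_name_vulnerable(benign));
    return 0;
}
```

The fix is mechanical (a literal format string with the data behind "%s"), which is why format-string bugs in dissectors are usually found by grepping for printf-family calls whose format argument is not a literal; the directive counter is the runtime counterpart for spotting packets that are probing for the bug.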

Sunday, March 29, 2009

The Snooping Dragon: Social-Malware Surveillance of the Tibetan Movement

In this note we document a case of malware-based electronic surveillance of a political organisation by the agents of a nation state. While malware attacks are not new, two aspects of this case make it worth serious study. First, it was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed. Second, the modus operandi combined social phishing with high-grade malware. This combination of well-written malware with well-designed email lures, which we call social malware, is devastatingly effective. Few organisations outside the defence and intelligence sector could withstand such an attack, and although this particular case involved the agents of a major power, the attack could in fact have been mounted by a capable motivated individual. This report is therefore of importance not just to companies who may attract the attention of government agencies, but to all organisations. As social-malware attacks spread, they are bound to target people such as accounts-payable and payroll staff who use computers to make payments. Prevention will be hard. The traditional defence against social malware in government agencies involves expensive and intrusive measures that range from mandatory access controls to tiresome operational security procedures. These will not be sustainable in the economy as a whole. Evolving practical low-cost defences against social-malware attacks will be a real challenge.

University of Cambridge Report (3.0 MB)


Grab a copy of the other report on GhostNet over @ F-Secure

Software Labs Warn of ATM Virus Used to Steal Money

Via InfoTech.TMCNet.com -

Russia's leading computer security labs have warned of a new software virus which infects Automatic Teller Machines (ATM) to steal money from bank accounts of their users.

Two leading anti-virus software producers 'Doctor Web' and 'Kaspersky Lab' claimed to have discovered a new virus, in the networks of several bank ATMs, which is able to collect information from bank cards.

"This is a malicious programme intended to infect and survive in ATMs. It is possible that new software will appear, aimed at illegitimately using banking information and removing funds," an official of the Kaspersky Lab was quoted as saying by RIA Novosti news agency.

He said the virus is a Trojan which is able to infect the popular American Diebold brand of ATMs, used in Russia and Ukraine. Judging by the programming code used, there is a high probability that the programmer comes from one of the former Soviet republics, he added.

The computer security experts say the number of infected ATMs is minimal but individual bank cardholders will not be able to detect whether an ATM is infected or not.

However, banks can run security software to find out if their machines are at risk.

Mozilla Patches Firefox's Critical Pwn2Own Bug

Via ComputerWorld -

Mozilla Corp. patched two critical Firefox bugs on Friday, including one used the week before by a German student to win $15,000 for hacking three different browsers at the Pwn2Own contest.

Firefox 3.0.8 was released several days earlier than expected. As recently as Thursday, Mozilla had set April 1 as the ship date for what the company labeled a "high-priority fire-drill security update" that would fix not only the Pwn2Own bug, but another that was revealed last Wednesday.

Both vulnerabilities were rated critical by Mozilla, but the most notable was clearly the one exploited earlier this month at CanSecWest, the Vancouver, British Columbia security conference that hosts the Pwn2Own hacking challenge.

At the contest, a 25-year-old computer science student from Germany who would only give his first name as Nils hacked Firefox and Safari on an Apple Inc. notebook, as well as Microsoft Corp.'s Internet Explorer 8 running on Windows 7. Nils was paid $5,000 for each successful exploit by 3Com Inc.'s TippingPoint, the Pwn2Own sponsor.

According to Mozilla, Nils' bug is in XUL, Mozilla's XML user interface markup language. In some cases, the "_moveToEdgeShift" tree method crashed Firefox; that crash could then "be used by an attacker to run arbitrary code on a victim's computer," Mozilla concluded.

Mozilla restricted access to additional information on the vulnerability by locking down Bugzilla, its bug tracking and management database, allowing only authorized users to view more information on the flaw.

Firefox 3.0.8 also patched a critical vulnerability that had gone public on the milw0rm.com exploit site last Wednesday. The bug allowed an attacker to crash Firefox by using malicious XSL code embedded on a Web site. "An attacker could potentially use this crash to run arbitrary code on a victim's computer," Mozilla warned in the accompanying security advisory.

Mac OS X Kernel Exploit PoC Code Published

Via InformationWeek -

Proof-of-concept exploit code has been posted online for six kernel vulnerabilities, five of which affect Mac OS X 10.5.6, the most current version of Apple's operating system software.

The vulnerabilities were discussed at CanSecWest 2009 last week during a talk about security flaws in the FreeBSD, Mac OS X, and Solaris kernels by security researchers Christer Oberg and Neil Kettle of Convergent Network Solutions.

One of them, a local kernel root exploit in FreeBSD 7.0/7.1, has been patched.

The five that affect Mac OS X, which uses the Mach kernel and incorporates portions of FreeBSD Unix, remain unpatched.

In an e-mail, Kettle explained that the vulnerabilities exploited were not disclosed to Apple when they were found and remained private until they were published to Milw0rm.com on Monday. He said no one has yet complained about the disclosure of the vulnerabilities, noting that in his experience, kernel bugs are not as serious as other vulnerabilities. "We wanted to show how easy it still is to break production kernels in well-used operating systems," he said.

Inaki Urzay, CTO of Panda Security, said the proof-of-concept code isn't an immediate threat but that it could be in the future. "The vulnerabilities are proofs of concept that demonstrate the code can take control of a machine, either via creating a privilege escalation modifying the users or launching DoS local attacks against the PC," he said in an e-mail. "The proof of concept code has the ability to create a new system volume, call to some OS functions, change the user ID, and so on, without administrative privileges."

The PoC code is designated as follows: 1) Mac OS X xnu <= 1228.3.13 (zip-notify) Remote Kernel Overflow PoC; 2) Mac OS X xnu <= 1228.3.13 (macfsstat) Local Kernel Memory Leak/DoS; 3) Mac OS X xnu <= 1228.3.13 (profil) Kernel Memory Leak/DoS PoC; 4) Mac OS X xnu <=1228.x (vfssysctl) Local Kernel DoS PoC; and 5) Mac OS X xnu <= 1228.x (hfs-fcntl) Local Kernel Root Exploit.


Several of the exploits can be found on Milw0rm's DoS / PoC Section...

Saturday, March 28, 2009

Hezbollah Uses Mexican Drug Routes Into U.S

Via Washington Times -

Hezbollah is using the same southern narcotics routes that Mexican drug kingpins do to smuggle drugs and people into the United States, reaping money to finance its operations and threatening U.S. national security, current and former U.S. law enforcement, defense and counterterrorism officials say.

The Iran-backed Lebanese group has long been involved in narcotics and human trafficking in South America's tri-border region of Paraguay, Argentina and Brazil. Increasingly, however, it is relying on Mexican narcotics syndicates that control access to transit routes into the U.S.

Hezbollah relies on "the same criminal weapons smugglers, document traffickers and transportation experts as the drug cartels," said Michael Braun, who just retired as assistant administrator and chief of operations at the U.S. Drug Enforcement Administration (DEA).

"They work together," said Mr. Braun. "They rely on the same shadow facilitators. One way or another, they are all connected.

"They'll leverage those relationships to their benefit, to smuggle contraband and humans into the U.S.; in fact, they already are [smuggling]."

His comments were confirmed by six U.S. officials, including law enforcement, defense and counterterrorism specialists. They spoke on the condition that they not be named because of the sensitivity of the topic.


A U.S. official with knowledge of U.S. law enforcement operations in Latin America said, "we noted the same trends as Mr. Braun" and that Hezbollah has used Mexican transit routes to smuggle contraband and people into the U.S.

Two U.S. law enforcement officers, familiar with counterterrorism operations in the U.S. and Latin America, said that "it was no surprise" that Hezbollah members have entered the U.S. border through drug cartel transit routes.

"The Mexican cartels have no loyalty to anyone," one of the officials told The Washington Times. "They will willingly or unknowingly aid other nefarious groups into the U.S. through the routes they control. It has already happened. That's why the border is such a serious national security issue."

GhostNet - Vast Spy System Loots Computers in 103 Countries

Via NYTimes -

A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded.

In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.

The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.

Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London and New York.

The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.

Intelligence analysts say many governments, including those of China, Russia and the United States, and other parties use sophisticated computer programs to covertly gather information.

The newly reported spying operation is by far the largest to come to light in terms of countries affected.

This is also believed to be the first time researchers have been able to expose the workings of a computer system used in an intrusion of this magnitude.

Still going strong, the operation continues to invade and monitor more than a dozen new computers a week, the researchers said in their report, “Tracking ‘GhostNet’: Investigating a Cyber Espionage Network.” They said they had found no evidence that United States government offices had been infiltrated, although a NATO computer was monitored by the spies for half a day and computers of the Indian Embassy in Washington were infiltrated.

The malware is remarkable both for its sweep — in computer jargon, it has not been merely “phishing” for random consumers’ information, but “whaling” for particular important targets — and for its Big Brother-style capacities. It can, for example, turn on the camera and audio-recording functions of an infected computer, enabling monitors to see and hear what goes on in a room. The investigators say they do not know if this facet has been employed.

The researchers were able to monitor the commands given to infected computers and to see the names of documents retrieved by the spies, but in most cases the contents of the stolen files have not been determined. Working with the Tibetans, however, the researchers found that specific correspondence had been stolen and that the intruders had gained control of the electronic mail server computers of the Dalai Lama’s organization.

The electronic spy game has had at least some real-world impact, they said. For example, they said, after an e-mail invitation was sent by the Dalai Lama’s office to a foreign diplomat, the Chinese government made a call to the diplomat discouraging a visit. And a woman working for a group making Internet contacts between Tibetan exiles and Chinese citizens was stopped by Chinese intelligence officers on her way back to Tibet, shown transcripts of her online conversations and warned to stop her political activities.

The Toronto researchers said they had notified international law enforcement agencies of the spying operation, which in their view exposed basic shortcomings in the legal structure of cyberspace. The F.B.I. declined to comment on the operation.

Although the Canadian researchers said that most of the computers behind the spying were in China, they cautioned against concluding that China’s government was involved. The spying could be a nonstate, for-profit operation, for example, or one run by private citizens in China known as “patriotic hackers.”

“We’re a bit more careful about it, knowing the nuance of what happens in the subterranean realms,” said Ronald J. Deibert, a member of the research group and an associate professor of political science at Munk. “This could well be the C.I.A. or the Russians. It’s a murky realm that we’re lifting the lid on.”

Friday, March 27, 2009

Mozilla Pounces On New Firefox Zero-Day Exploit

Via DarkReading -

A zero-day exploit for Firefox was unleashed online yesterday, but Mozilla didn't waste any time before patching for the critical vulnerability it abuses: The open-source group now has a patch ready for the flaw that will ship with the next Firefox update on April 1.

The researcher who discovered the vulnerability yesterday released with it proof-of-concept code. Mozilla developers jumped on it right away, coming up with a fix.

The flaw is a remote memory corruption vulnerability that affects all versions of Firefox 3.0.x, and could let an attacker execute malware on a victim's machine or crash the browser, according to the vulnerability report. The user would have to be lured into viewing a malicious file with his Firefox browser.

Johnathan Nightingale, whose title at Mozilla is "human shield," says so far Mozilla hasn't seen signs of an exploit in the wild for the bug.

The vulnerability affects Windows, OS X, and Linux versions of Firefox 3.0.x.

Web Fraud 2.0: Data Search Tools for ID Thieves

Via Washington Post (Security Fix) -

Data such as your Social Security number, mother's maiden name and credit card balance are not as difficult for ID thieves to find as most people think. I've recently learned that cyber crooks are providing cheap, instant access to detailed consumer databases, offering identity thieves the ability to find missing data as they compile dossiers on targeted individuals. Security Fix spent the past week testing services offered by two Web sites that sell access to a wealth of information on consumers. Each site offers free registration, but requires users to fund their accounts via Webmoney, a PayPal-like virtual currency that is popular in Russia and Eastern Europe.

I enlisted the help of a half-dozen volunteers who agreed to let me try to find their personal and financial data on these sites. For a payment of $3 each, I was able to find full Social Security numbers on four of the volunteers, as well as their most recent street addresses and birthdays.

Another set of three $3 payments allowed me to gather the mother's maiden name (MMN) on half of the volunteers. For both the SSN and MMN lookups, all that is required is the target's name, street number, and ZIP code (see snapshot above). Users are not charged for queries that fail to return results.

Using the service pictured above, customers can check the available balance on a credit card for a $1 payment, by including just the credit card number, the name of the cardholder, and his or her address. According to one source who is investigating the back-end technology behind this credit card balance-checking service, the site's operators are dialing in to the automated voice response units at various card issuers, using Skype, an Internet-based telephone service that can mask the caller's phone number and location.

Other data points that users can query include the target's date of birth (50 cents per lookup); mother's date of birth ($6); driver's license number ($8); background report ($15); and credit report ($24). The site also offers a service that automates changing the billing address on a target's credit or debit card ($35).

It's unclear how these sites are obtaining this kind of information. It may be that they're relying on insiders at companies with access to this data. Alternatively, perhaps the services are making use of stolen credentials needed to access sensitive online databases. More likely, it is a mixture of both.

The legality of these services depends largely upon how the information was gathered. Obviously, selling data obtained via stolen credentials that allow access to a protected database would be illegal. And of course, no business can legally resell the ability to change someone else's credit card billing address without the owner's permission.

But there are several commercial services that sell massive amounts of consumer data that is collected from public sources, such as mortgage and court records. In fact, federal law does not prohibit the resale of Social Security numbers and other consumer data that was collected from public sources, said Ari Schwartz, vice president and chief operating officer for the Center for Democracy & Technology.

For example, services like Intelius.com, sell loads of consumer data, such as the ability to find someone's identity by looking up a cell phone number.

"They might be aggregating this data in ways that could be legal for them to resell," Schwartz said. "Once that data is gathered from public sources, there aren't really rules about what you can do with it."

For the past several years, lawmakers in Congress have tried but failed to gain support for legislation to block the resale of Social Security numbers and other sensitive consumer data without an individual's consent.

Researchers Can ID Anonymous Twitterers

Via ITWorld -

Web sites that strip personally identifiable information about their users and then share that data may be compromising their users' privacy, according to researchers at the University of Texas at Austin.

They took a close look at the way anonymous data can be analyzed and have come to some troubling conclusions. In a paper set to be delivered at an upcoming security conference, they showed how they were able to map out the connections on public social networks such as Twitter and Flickr. They were then able to identify people who were on both networks by looking at the many connections surrounding their network of friends. The technique isn't 100 percent effective, but it may make some users uncomfortable about whether they should allow their data to be shared in an anonymous format.

Web site operators often share data about users with partners and advertisers after stripping it of any personally identifiable information such as names, addresses or birth dates. Arvind Narayanan and fellow researcher Vitaly Shmatikov found that by analyzing these "anonymized" data sets, they could identify Flickr users who were also on Twitter about two-thirds of the time, depending on how much information they have to work with.

"A lot of the time people will share information online and they'll expect that they are anonymous," Narayanan said in an interview. But if their identity can be ascertained on one social network, it's possible to find out who they are on some other network, or at least make a "strong guess," he said.

They do this not just by looking at one person's immediate circle of friends, but by analyzing the patterns in the connections between all friends on the social network. "The more of a person's network you can map out, the easier it gets to de-anonymize someone in the future, wherever they might go," he said.
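The seed-and-propagate idea described above, as an added illustration of why stripping names from a social graph does not anonymize it. This is not the researchers' code: the two networks are constructed toy graphs (the "anonymized" release has one edge dropped and one added relative to the public one, standing in for partial overlap), and the three seed identities stand in for users who are recognizably the same person on both sites.

```python
from collections import defaultdict


def build_graph(edges):
    """Undirected adjacency sets from an edge list."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


# Constructed public network (a follower graph where names are visible).
AUX_EDGES = [
    ("alice", "bob"), ("alice", "carol"), ("bob", "carol"), ("bob", "dave"),
    ("carol", "eve"), ("dave", "eve"), ("dave", "frank"), ("eve", "frank"),
    ("frank", "grace"), ("grace", "heidi"), ("eve", "heidi"),
]

# Constructed "anonymized" release of the same people: names replaced by
# opaque ids, one edge missing (carol-eve) and one extra (heidi-frank), so
# the two graphs only partly agree, as real cross-site data does.
ANON_EDGES = [
    (5, 2), (5, 7), (2, 7), (2, 1), (1, 4), (1, 8), (4, 8), (8, 3), (3, 6),
    (4, 6), (6, 8),
]

# Ground truth, used only to score the result; an analyst would not have it.
TRUTH = {5: "alice", 2: "bob", 7: "carol", 1: "dave",
         4: "eve", 8: "frank", 3: "grace", 6: "heidi"}


def propagate(anon, aux, seeds):
    """Extend a few seed identities to the whole graph.

    For every unmapped anonymous node, the candidates are the public-graph
    neighbours of the names its already-mapped neighbours point to. A
    candidate is accepted only when it beats the runner-up outright; ties
    are left for a later pass, when more of the neighbourhood is mapped.
    Passes repeat until nothing new is added.
    """
    mapping = dict(seeds)
    changed = True
    while changed:
        changed = False
        for node in sorted(anon):
            if node in mapping:
                continue
            taken = set(mapping.values())
            scores = defaultdict(int)
            for nbr in anon[node]:
                if nbr in mapping:
                    for cand in aux[mapping[nbr]]:
                        if cand not in taken:
                            scores[cand] += 1
            if not scores:
                continue
            ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
            top, top_score = ranked[0]
            runner_up = ranked[1][1] if len(ranked) > 1 else 0
            if top_score > runner_up:
                mapping[node] = top
                changed = True
    return mapping


def deanonymize(seeds):
    """Run propagation on the constructed pair of graphs."""
    return propagate(build_graph(ANON_EDGES), build_graph(AUX_EDGES), seeds)


def accuracy(mapping):
    """Fraction of anonymous ids correctly re-identified."""
    correct = sum(1 for k, v in mapping.items() if TRUTH.get(k) == v)
    return correct / len(TRUTH)


if __name__ == "__main__":
    # Three identities known on both sites are enough to name everyone in
    # this toy release; with only two seeds the walk stalls at half.
    result = deanonymize({5: "alice", 2: "bob", 6: "heidi"})
    for anon_id in sorted(result):
        print(anon_id, "->", result[anon_id])
    print("accuracy:", accuracy(result))
```

The point for an operator releasing "anonymized" graph data is that the structure itself is the identifier: once a handful of users are matched, the rest follow from their neighbourhoods.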

In 2006, hoping to give search researchers a useful tool, AOL released a database of more than 650,000 user search records. Although this data was scrubbed, it didn't take long for the New York Times to identify one user based on her search queries, showing how supposedly anonymous data could be used to identify people.

The technique described by the University of Texas researchers could be used by government agencies looking to do surveillance or by online marketers or even scammers who want to target people with their messages. And it doesn't only apply to social networks. This method could be used to identify users in databases of phone calls too, the researchers say.

Narayanan and Shmatikov used similar techniques two years ago to show how they could identify Netflix users by comparing the anonymous movie rating data released by Netflix with publicly available reviews posted to the Internet Movie Database.

The research also has implications for privacy policies on social networks, which share information on users, but with personally identifiable information such as names removed. According to Narayanan and Shmatikov, current techniques simply do not make people anonymous.

"Social-network operators should stop relying on anonymization as the 'get out of jail' card insofar as user privacy is concerned," they write on their Web site. "They should inform users when their information is disclosed to third parties, even if this information has been anonymized, and give them the opportunity to opt out."

Al-Qaeda Ideologue Describes Alleged Spread of Al-Qaeda in the Levant

Via The Jamestown Foundation -

A leading jihadi ideologue known as “the Spearhead of the Mujahedeen” claims that al-Qaeda already exists in Palestine and soon there will be “huge good news” to prove its existence. In an internet question and answer session, “Assad al-Jihad 2” concentrated on the Israeli-Palestinian conflict in the shadow of last December’s Gaza conflict. Assad al-Jihad 2 is a regular contributor of articles written on behalf of al-Qaeda and affiliated groups, which are usually posted on jihadi web-forums and are highly regarded by their users. The question and answer session was published by al-Qaeda’s Global Islamic Media Front and posted on several jihadi websites (al-faloja.info, February 7).

Assad al-Jihad 2 focused on the so-called “al-Qaeda in the Levant,” claiming that this organization is “well-established and firm in the region, like the Levant’s mountains. [The organization] has studied every inch of the Levant, sent their reports to the leaders of al-Qaeda, and discussed them with the geniuses of the organization. [Al-Qaeda] has penetrated the Levant states and infiltrated them. I think the reason for the delay in announcing the presence of the organization is due to waiting for the completion of preparations.”

The ideologist stated that the goal of al-Qaeda in the region is to fight against Israel, alleging that the organization was already behind missile strikes on “the north of so-called Israel” on June 17, 2007, and again in January 2008; “one day before [ex-President] Bush’s visit to the region.” Assad al-Jihad 2 also claimed that the weapons the Lebanese army announced they discovered stored in the south of the country on December 25, 2008 belonged to al-Qaeda in the Levant. He claimed that these Russian pattern Grad rockets were stored for use in attacks on Akka (Acre) and the northern Israeli cities of Nahariya and Shlomi. Nahariya was targeted by hundreds of Hezbollah rockets in 2006; Shlomi was struck by Hezbollah rockets in 2005 and 2006.

Assad al-Jihad 2 asserted that al-Qaeda started to attack Israel from Lebanon in December 2005, when the late leader of al-Qaeda in Iraq, Abu Mus’ab al-Zarqawi, claimed responsibility for launching missile attacks on northern Israel (Daily Star [Beirut], December 20, 2005; Jerusalem Post, December 30, 2005). Assad al-Jihad 2 also claimed Osama Bin Laden has sent some al-Qaeda leaders to create bases in Lebanon. One of these leaders was Salih al-Qablawi (Abu Ja’afar al-Maqdesi) from Ain al-Hilwa, who was the mastermind behind an attack against Israel in 2002. Al-Qablwai later became friends with al-Zarqawi and appeared with him in a video in 2006 before being killed in Iraq the same year.

Security Projects Aim for Google Summer of Code 2009

Via SecurityFocus -

A number of security-focused open-source projects have announced their participation as mentoring organizations in Google's Summer of Code.

The Nmap Project plans to sponsor students who will code modifications to the Nmap port scanner's scripting engine, the Zenmap graphical frontend to the tool and the Ncat networking utility. The OpenSSH project is looking for a few good students to help rewrite the sftp secure copy tool and improve performance. And the Honeynet Project announced a slate of proposals to attract students interested in participating in the initiative, including improving the honeypots, developing a managed solution for client-side honeypots and visualizing the data from a deployed honeynet.

While 2009 will be the Honeynet Project's first year in the Google Summer of Code, the members are excited about the program, said project leader Lance Spitzner.

"We are looking to get a lot of stuff done," he said. "We tend to find that the best honeypot development comes from students."

In its fifth year, Google's Summer of Code allows students to work on coding projects that help the open-source software industry. In 2005, its first year sponsoring the program, Google accepted 400 student projects mentored by 40 open-source projects. Last year, the company worked with 175 organizations to mentor 1,125 students, but plans to pare back to 1,000 students this year.

Among the other security-related projects, Harvard University's Berkman Center will sponsor applicants to work on an open Web community platform using reputations derived from its StopBadware.org service. The KDE Project is also looking for security coding and modeling for its desktop project, Plasma.

The Globus Alliance, a group focused on developing fundamental grid-computing technologies, and the National Center for Supercomputing Applications (NCSA) at the University of Illinois are also sponsoring projects focusing on the security of token-based grid architectures and more general cybersecurity initiatives.

The deadline for applying to Google's Summer of Code is Friday, April 3. Google pays the student programmer $4,500 and gives $500 to the mentoring organization.

Japan Says Ready to Shoot Down North Korean Missile

Via Yahoo! News -

Japan on Friday gave its military the green light to shoot down any incoming North Korean rocket, with tensions high ahead of a planned launch that the US and allies say will be an illegal missile test.

Japanese and US warships have already deployed ahead of the April 4-8 window, when the secretive North has said it will launch a communications satellite -- warning that shooting it down would be seen as an act of war.

But South Korea, Japan and the United States have all warned the North that any launch would be unacceptable, amid fears the regime is actually intending to test a long-range missile that could reach North America.

Russia -- which with the two Koreas, China, Japan and the US is part of a six-party forum working on the North's nuclear disarmament -- urged Pyongyang not to carry out the launch, saying there was no need to "ignite passions".

The security council in Japan, officially pacifist since the end of World War II, decided ahead of time to shoot down any incoming missile that could hit its territory rather than wait until a launch.

"The security council this morning decided to issue a destruction order in advance," said Defence Minister Yasukazu Hamada. "We will do our best to handle any flying object from North Korea."

The North said Thursday that even referring a launch to the United Nations would ruin the long-running and erratic six-nation nuclear disarmament talks, during which North Korea has already tested one missile and an atomic bomb.

US National Intelligence Director Dennis Blair said the North wanted to show it had the technology to launch an intercontinental ballistic missile.

The North is believed to be preparing to test a Taepodong-2 that could hit Alaska.

"North Korea is attempting to demonstrate an ICBM capability through a space launch," Blair said.

Japan has announced no plans to strike the North Korean rocket unless it appears to pose a direct threat, for example due to a mishap that could send an errant missile or debris flying toward the country.

"There are various scenarios -- for example, a case of failure," Hamada said. "It's extremely unpleasant that an object flies over our territories."

Pyongyang has reportedly already put a rocket onto one of its launch pads, raising the stakes in a delicate diplomatic stand-off that has come just two months into the new US administration of President Barack Obama.

The six-nation talks have offered the North aid and security guarantees in exchange for dismantling its nuclear programme.

North Korea said Thursday that bringing any launch to the United Nations would be a "hostile action" that would end the negotiations.

The United States, which says the launch would violate a UN Security Council resolution, has vowed to do so.

"The six-party talks will become non-existent," a spokesman for the North's foreign ministry told official media.

In Moscow, Russian Deputy Foreign Minister Alexei Borodavkin told reporters: "North Korea would be better off refraining from it."

"There is no need to ignite passions around this problem," he was quoted as saying by Russian news agencies.

Aussie Classification Site Hacked in Censorship Protest

Via The Register UK -

Hackers broke into the Australian government's film and videogame classification website yesterday and posted a message opposing comms minister Stephen Conroy's trial of internet filtering.

At the time of writing the site is still unavailable - but here is a screengrab of the front page kindly sent in by an Antipodean Reg reader.

Conroy was appearing on ABC TV show Q&A last night and from all accounts did not win many new recruits to his plan to filter internet content for all Aussies. The show should be available for download from here a little later.

The trial of the great Aussie Firewall has faced increased criticism since the secret blacklist of banned sites was published on WikiLeaks. Contrary to Conroy's promises the list included many sites which had nothing to do with child sexual abuse. The website of a travel agent and a Queensland dentist were among those which Australian citizens may not visit.

An Aussie photographer also found his pictures on the blacklist - Conroy blamed "technical errors" for the gaffe.

Conroy originally denied the leaked addresses were the Australian Communications and Media Authority (ACMA) list but then changed his mind and admitted it was broadly similar.

GAO Investigators Get Government Approval for Fake Medical Product

Via FoxNews -

U.S. government investigators looking into lax screening of medical research said Thursday they easily won approval from a private review board of a fake product to be used in medical testing on human subjects.

The Government Accountability Office also said it was able to register with the Health and Human Services Department a fictitious institutional review board, a panel of doctors and scientists that must approve any medical drug or device to be used in federally funded testing on humans. The president of this fake review board was a dog named Trooper.

The GAO said its investigation showed that the system "is vulnerable to unethical manipulation, particularly by companies or individuals who intend to abuse the system or to commit fraud."

Rep. Bart Stupak, a Democrat and chairman of the House Energy and Commerce Committee's oversight and investigations panel, said the findings "raise serious questions" about both the specific IRB that approved the fake product and "the entire system for approving experimental testing on human beings."

Officials from the health department and the Food and Drug Administration assured lawmakers that there were substantial protections in place to ensure that testing is done in a responsible and ethical manner.

The review board that fell for the GAO ruse, Coast IRB, LLC, charged that the GAO violated federal and state criminal laws by falsely representing itself to be a medical device company and forging a medical license.

"We got hoodwinked," said Daniel Dueber, Coast IRB's chief executive officer.

"You didn't get hoodwinked," Stupak replied. "You took the bait, hook, line and sinker."

Ohh man, I love the GAO.

I really don't understand this..."well, what they did was illegal" defense. It's like the IRS not finding instances of tax fraud because according to the law, cheating the IRS is illegal...thus no one would attempt to do it - so we don't have to look.

That view is wrong on so many levels...

Individuals looking to manipulate ANY system for fraudulent purposes clearly don't care much about the laws - that is why it is called "fraud".

Approval processes exist to weed out the bad stuff...including the illegal. So, how did this happen?

Thursday, March 26, 2009

Slides - CanSecWest Vancouver 2009


IATRP Reveals IAM / IEM Student Information


The following individuals successfully completed the NSA-sponsored IAM or IEM course on the date indicated. An individual's placement on this list does not constitute an endorsement, recommendation or warranty of his/her services on the part of NSA or any other government agency, nor does it imply any confirmation of an individual's experience level or ability. This web page is merely intended to distribute contact information of individuals who have successfully passed the IAM or IEM courses. Listed individuals are responsible for the accuracy of contact information.

This list is for official IATRP purposes and should not be used for mass mailing.

Student Information for Official Use Only


The list contains information on hundreds of IAM / IEM students.

Company name, phone number and e-mail address.

'The Analyzer' Hack Probe Widens; $10 Million Allegedly Stolen From U.S. Banks

Via Wired.com (Threat Level) -

Ehud Tenenbaum, an Israeli hacker arrested in Canada last year for allegedly stealing about $1.5 million from Canadian banks, also allegedly hacked two U.S. banks, a credit and debit card distribution company and a payment processor in what U.S. authorities are calling a global "cashout" conspiracy.

The U.S. hacks have resulted in at least $10 million in losses, according to court records obtained by Threat Level, and are just part of a larger international conspiracy to hack financial institutions in the United States and abroad.

The broadened case highlights the continued vulnerability of U.S. financial networks to cybercrime, despite supposedly tight industry security standards. It comes on the heels of other multimillion-dollar heists that also breached the security protecting ATM codes and account information. In late 2007, criminals used four hacked iWire payroll cards to steal $5 million from ATMs around the world in just two days. Shortly thereafter, a processing server that handles withdrawals from Citibank-branded ATMs at 7-Eleven convenience stores was cracked, leading crooks to converge on New York to withdraw at least $2 million from Citibank accounts using the stolen ATM data. And a carefully coordinated global heist last November resulted in a one-day haul of $9 million in cash, following a breach at payment processor RBS WorldPay.

Tenenbaum, 29, made headlines a decade ago under his hacker handle "The Analyzer" for penetrating Pentagon computers and other networks. He'd been living in France, and had only been in Canada about five months on a six-month visitor's permit when he was arrested last August in Calgary with three alleged accomplices for allegedly hacking into Direct Cash Management, a Calgary company that distributes prepaid debit and credit cards. A Canadian court granted him CDN $30,000 bail, but before he could be released from jail, U.S. authorities swooped in with a provisional warrant to retain him in custody while they pursued an indictment and extradition.

"I think he's probably been getting away with stuff for 10 years," said Darren Hafner, an acting detective with the Calgary police who investigated Tenenbaum on the Canadian charges. "We haven't seen or heard from him since the Pentagon attack. But these guys tend to get this 'cops can't touch me attitude' and then they get sloppy like any criminal in any type of crime."

Documents in the U.S. case have been sealed, but Threat Level obtained an affidavit detailing the U.S. allegations filed with the Canadian court handling Tenenbaum's extradition case. The affidavit (.pdf) was signed by Hafner and provides insight into the wave of multimillion-dollar hacks that have hit a number of financial institutions in the last year as well as the trail of clues left behind by at least one of the alleged hackers.

According to the affidavit, in October 2007, the United States Secret Service began investigating "an international conspiracy" to hack into computer networks of U.S. financial institutions and other businesses. As part of that investigation, agents examined network intrusions that occurred in January and February 2008 at OmniAmerican Credit Union, based in Fort Worth, Texas, and Global Cash Card of Irvine, California, a distributor of prepaid debit cards used primarily for payroll payments.

In both cases, the attacker gained access using a SQL injection attack that exploited a vulnerability in the company's database software. The attacker grabbed credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs.

In April and May 2008, agents investigated two additional hacks at 1st Source Bank in Indiana, and at Symmetrex, a prepaid debit card processor based in Florida. The intruder again used a SQL injection attack, and losses added up to more than $3 million.
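The attack pattern named in the affidavit, SQL injection against a card-data lookup, shown as an added example beside the fix. This is constructed illustration code, not anything from the affidavit or the affected companies: the table, names and balances are made up, the PANs are standard test numbers, and the real queries involved are not public.

```python
import sqlite3


def make_db():
    """Constructed sample: a card distributor's cardholder table, in memory.
    The PANs are well-known test numbers, not real cards."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, pan TEXT, balance REAL)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", [
        ("Ann Example", "4111111111111111", 250.00),
        ("Bob Example", "5500000000000004", 75.50),
        ("Cy Example", "340000000000009", 1200.00),
        ("Dee O'Brien", "6011000000000004", 40.00),
    ])
    return conn


def lookup_vulnerable(conn, holder):
    """Builds the query by string concatenation, so whatever arrives in
    `holder` is parsed as SQL. One crafted name returns every card in the
    table instead of one."""
    sql = "SELECT holder, pan FROM cards WHERE holder = '" + holder + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, holder):
    """Same query with a bound parameter: the driver passes the input as a
    value, never as SQL text, so quotes in the name cannot change the
    statement. Apostrophes in legitimate names also stop being a bug."""
    sql = "SELECT holder, pan FROM cards WHERE holder = ?"
    return conn.execute(sql, (holder,)).fetchall()


def raises_sql_error(conn, holder):
    """True when the concatenated query cannot even be parsed, which is what
    an ordinary name containing an apostrophe does to the vulnerable code.
    A spike of such database errors in application logs is one of the few
    signals a defender gets before the data leaves."""
    try:
        lookup_vulnerable(conn, holder)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # the textbook tautology; turns the WHERE into always-true
    print("vulnerable, normal name :", lookup_vulnerable(conn, "Ann Example"))
    print("vulnerable, crafted name:", len(lookup_vulnerable(conn, crafted)), "rows")
    print("safe, crafted name      :", lookup_safe(conn, crafted))
    print("safe, apostrophe name   :", lookup_safe(conn, "Dee O'Brien"))
    print("vulnerable, apostrophe  :",
          "SQL error" if raises_sql_error(conn, "Dee O'Brien") else "ok")
```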


SOLAR SUNRISE was a series of DoD computer network attacks which occurred from 1-26 February 1998. At least eleven attacks followed the same profile on Air Force, Navy, and Marine Corps computers worldwide. The attacks targeted key parts of the defense networks and obtained hundreds of network passwords. Although all DoD targeted systems were reported as unclassified, many key support systems reside on unclassified networks (Global Transportation System, Defense Finance System, medical, personnel, logistics, and official e-mail).

The attackers were two teenagers from California and one teenager from Israel - Analyzer.

Navy Chemist May Have Rediscovered 'Cold Fusion'

Via FoxNews -

Twenty years ago this week, a pair of previously unknown scientists stunned the world by announcing they'd done the impossible by achieving nuclear fusion in a lab flask at room temperature.

Martin Fleischmann and Stanley Pons quickly became celebrities as the news media hailed them for discovering a cheap source of nearly limitless power. But it all fell apart as other scientists couldn't duplicate their results, and the pair later admitted they'd made mistakes in the experiments.

Now a U.S. Navy researcher, speaking on the anniversary of their announcement and in the same city where they made it, thinks Fleischmann and Pons may have been right.

In a paper presented on Monday, chemist Pamela Mosier-Boss told the annual convention of the American Chemical Society in Salt Lake City that her team had gotten "very significant" evidence of some sort of nuclear reaction.

"To our knowledge, this is the first scientific report of the production of highly energetic neutrons from an LENR device," said Mosier-Boss, a researcher at the Navy's Space and Naval Warfare Systems Center in San Diego, in a press release.


"LENR" stands for "low energy nuclear reaction," which in this case happens in a lab flask containing palladium chloride mixed with deuterium, or "heavy water" made with a special form of hydrogen — the same setup Fleischmann and Pons used.

When an electrode was dipped into the flask and the power switched on, Mosier-Boss said, odd patterns of triple neutron strikes would appear on the adjacent plastic receptor.

Fleischmann and Pons' results centered on unexplainable excess heat resulting from the reaction. Mosier-Boss didn't get that, but the neutrons are even more significant.

"People have always asked 'Where's the neutrons?'" Mosier-Boss said in the press release. "If you have fusion going on, then you have to have neutrons. We now have evidence that there are neutrons present in these LENR reactions."

Nuclear fusion occurs at the center of stars, which fuse hydrogen nuclei together to create helium. It creates enormous amounts of energy, but it takes huge amounts of heat to happen at all.

Humans have so far generated the necessary heat only by detonating fission-based atomic bombs, which heat up cores of special two-neutron hydrogen to create a second, fusion-based explosion — a hydrogen bomb.

Decades of efforts to create controlled nuclear fusion, which could power reactors endlessly using cheap, abundant hydrogen, have so far been fruitless.

Most Electronic Voting Isn't Secure, CIA Expert Says

Via mcclatchydc.com -

The CIA, which has been monitoring foreign countries' use of electronic voting systems, has reported apparent vote-rigging schemes in Venezuela, Macedonia and Ukraine and a raft of concerns about the machines' vulnerability to tampering.

Appearing last month before a U.S. Election Assistance Commission field hearing in Orlando, Fla., a CIA cybersecurity expert suggested that Venezuelan President Hugo Chavez and his allies fixed a 2004 election recount, an assertion that could further roil U.S. relations with the Latin leader.

In a presentation that could provide disturbing lessons for the United States, where electronic voting is becoming universal, Steve Stigall summarized what he described as attempts to use computers to undermine democratic elections in developing nations. His remarks have received no news media attention until now.

Stigall told the Election Assistance Commission, a tiny agency that Congress created in 2002 to modernize U.S. voting, that computerized electoral systems can be manipulated at five stages, from altering voter registration lists to posting results.

"You heard the old adage 'follow the money,' " Stigall said, according to a transcript of his hour-long presentation that McClatchy obtained. "I follow the vote. And wherever the vote becomes an electron and touches a computer, that's an opportunity for a malicious actor potentially to . . . make bad things happen."

Stigall said that voting equipment connected to the Internet could be hacked, and machines that weren't connected could be compromised wirelessly. Eleven U.S. states have banned or limited wireless capability in voting equipment, but Stigall said that election officials didn't always know it when wireless cards were embedded in their machines.

While Stigall said that he wasn't speaking for the CIA and wouldn't address U.S. voting systems, his presentation appeared to undercut calls by some U.S. politicians to shift to Internet balloting, at least for military personnel and other American citizens living overseas. Stigall said that most Web-based ballot systems had proved to be insecure.

The commission has been criticized for giving states more than $1 billion to buy electronic equipment without first setting performance standards. Numerous computer-security experts have concluded that U.S. systems can be hacked, and allegations of tampering in Ohio, Florida and other swing states have triggered a campaign to require all voting machines to produce paper audit trails.

The CIA got interested in electronic systems a few years ago, Stigall said, after concluding that foreigners might try to hack U.S. election systems. He said he couldn't elaborate "in an open, unclassified forum," but that any concerns would be relayed to U.S. election officials.

Stigall, who's studied electronic systems in about three dozen countries, said that most countries' machines produced paper receipts that voters then dropped into boxes. However, even that doesn't prevent corruption, he said.

Turning to Venezuela, he said that Chavez controlled all of the country's voting equipment before he won a 2004 nationwide recall vote that had threatened to end his rule.

When Chavez won, Venezuelan mathematicians challenged results that showed him to be consistently strong in parts of the country where he had weak support. The mathematicians found "a very subtle algorithm" that appeared to adjust the vote in Chavez's favor, Stigall said.

Calls for a recount left Chavez facing a dilemma, because the voting machines produced paper ballots, Stigall said.

"How do you defeat the paper ballots the machines spit out?" Stigall asked. "Those numbers must agree, must they not, with the electronic voting-machine count? . . . In this case, he simply took a gamble."

Stigall said that Chavez agreed to allow 100 of 19,000 voting machines to be audited.

"It is my understanding that the computer software program that generated the random number list of voting machines that were being randomly audited, that program was provided by Chavez," Stigall said. "That's my understanding. It generated a list of computers that could be audited, and they audited those computers.

"You know. No pattern of fraud there."

A Venezuelan Embassy representative in Washington declined immediate comment.

Wednesday, March 25, 2009

XSS Rays - Open Source XSS Scanner


I’ve developed a new XSS scanner tool that’s written in Javascript called XSS Rays for Microsoft. They have given me permission to release the tool as open source which is awesome because it can be used for other open source applications. I recommend you use it as part of the web development process to make sure you’ve filtered XSS correctly on your application.

It works as a bookmarklet and scans any links, paths or forms on the target scanning page (even cross domain). You can add vectors to it quite easily and it includes some of the most common injections I’ve found on sites over the years. I’ve tested it on IE7/IE8 and Firefox but it could work in other browsers.

The advantage of the bookmarklet is that vectors can be customised for each browser and they are executed in the context of the browser; in IE8 standards mode, where CSS expressions are disabled, the vector won't be executed, for example.

Hopefully there should be no false positives either, because each vector is actually executed and it is reported back as successful; in fact, if there is a false positive it will be a bug in my code (let's hope not).
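XSS Rays proves a vector by running it in the browser; the following added example (my own, not Gareth Heyes' tool or any of its vectors) shows the same idea offline for use in a development test suite: inject a small set of context-specific vectors into each parameter of a page template, parse the result the way a browser would, and flag only positions a script could really run from. The vectors, the two template functions and the parameter names are assumptions constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed vectors in the spirit of the common injections the post mentions; not the tool's own list.
# Each aims at a different output context: tag injection, attribute breakout, event handler, URL scheme.
VECTORS = [
    "<script>alert(1)</script>",
    '"><img src=x onerror=alert(1)>',
    "' onmouseover='alert(1)",
    "javascript:alert(1)",
]


class ExecSniffer(HTMLParser):
    """Parses the rendered page as a browser would and records positions a vector could execute from."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}>")
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag} {name}=javascript:>")


def executable_positions(page):
    sniffer = ExecSniffer()
    sniffer.feed(page)
    sniffer.close()
    return sniffer.findings


def render_vulnerable(user, link):
    """Reflects both parameters raw (deliberately broken 'before' version)."""
    return f"<p>Hello {user}</p><a href='{link}'>home</a>"


def safe_url(link):
    """URL context needs more than HTML escaping: allow http(s) or a site-relative path, else replace."""
    if re.match(r"^(https?://|/(?!/))", link.strip(), re.I):   # (?!/) also rejects protocol-relative //host
        return html.escape(link, quote=True)
    return "#"


def render_hardened(user, link):
    """Per-context output handling: HTML-escape the text, escape and scheme-check the URL attribute."""
    return f'<p>Hello {html.escape(user, quote=True)}</p><a href="{safe_url(link)}">home</a>'


def scan(render, baseline):
    """Inject every vector into every parameter; return (param, vector) pairs that landed executably."""
    hits = []
    for param in baseline:
        for vector in VECTORS:
            args = dict(baseline, **{param: vector})
            if executable_positions(render(**args)):
                hits.append((param, vector))
    return hits


BASELINE = {"user": "alice", "link": "/home"}

if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name, scan(render, BASELINE))
```

Two details are the point of the parse step. A double-quote breakout vector inside a single-quoted attribute is not a hit, and a `<script>` tag sitting inside an attribute value is not a hit either, because neither would run in a browser; a pattern match on the raw string would report both. The hardened template also shows why a single escaping function is not enough: `html.escape` stops the tag and event-handler vectors in the text context but does nothing against `javascript:` in an href, which needs a scheme check.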

Mozilla Firefox XSL Parsing Remote Memory Corruption PoC 0day

// firefox XSL parsing remote memory corruption poc
// k`sOSe - works both in windows and linux


Phoenix Mayor Welcomes Border Buildup

Via Yahoo! News (AP) -

Posing as police officers, gunmen in bulletproof vests pulled over a motorist, took him to a Phoenix house, bound him with zip ties and held him for a $30,000 ransom in an abduction that may have been carried out by Mexican drug smugglers.

The abduction earlier this month was one of nearly 1,000 kidnappings reported in Phoenix over the past three years in a surge of lawlessness so terrifying that the mayor welcomed the news this week that Washington is sending more manpower and equipment to the Mexican border, 180 miles to the south.

"It's a good first step, but we'll need to do more," said Mayor Phil Gordon, who had pleaded with Congress for help.

The Obama administration announced Tuesday that it will dispatch nearly 500 more federal agents to the border, along with X-ray machines and drug-sniffing dogs, to stop the spillover of violence into the U.S. from Mexican drug- and immigrant-smugglers.

Homeland Security Secretary Janet Napolitano said that the move is just a first step and that National Guardsmen might also be sent, something Texas Gov. Rick Perry has requested.

On Wednesday, Secretary of State Hillary Clinton paid her first visit to Mexico and pledged that the U.S. will help Mexico fight its murderous drug cartels, a battle that has cost more than 7,000 lives south of the border.

The additional federal agents will be used to fight crime and illegal immigration in border communities. Some will be stationed in between border communities; some will scrutinize motorists entering Mexico, to curb the smuggling of guns. Guns brought into Mexico from the U.S. are blamed for 95 percent of the killings south of the border.

Cracking passwords with Wikipedia, Wiktionary, Wikibooks etc

Via Sébastien Raveau's Blog -

One effective way of assessing password strength is to try and crack them, and as most of you probably know, a dictionary attack is the simplest yet a formidable technique for cracking passwords.

Now, the problem is: your dictionary has to be as exhaustive as possible. Relying solely on common dictionaries (such as The Collins, Le Larousse, the ones contained in spell checkers, etc) just won't do because these are very limited, whereas basic human nature has us looking around when prompted to choose a password; a lot of people will then choose "belinea" because it's the brand of the monitor sitting in front of their eyes, "abnamro" because it's the bank outside their window, and so on.

However, it is very likely that any word you can put your eyes on is already in Wikipedia: try it, it is amazing.

A couple of years ago I generated a quick & dirty wordlist from Wikipedia in a dozen languages. It helped quickly crack countless passwords, a lot of which bruteforcing would never get to.

Recently I managed to spare some time in order to generate a new one, inventorying words from 2009 (my old Wikipedia wordlist doesn't even have "twitter", imagine that :-P ) and from a way more comprehensive list of sources.


All this represents tens of gigabytes of XML data that I processed with a little C program, but I'm not releasing the source code for this one as I don't want to be responsible for a bandwidth hit on the Wikimedia Foundation; I'm already more than grateful to them for helping me on a daily basis...


Currently, the wordlist can be downloaded from a temporary storage provided by my ISP: wikipedia-wordlist-sraveau-20090325.txt.bz2 (MD5=e28104f22192b84854d259d9e93b5042, just for integrity). Feel free to leave a comment if you need a re-upload, or better yet if you can provide hosting ;-)
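The author did not release his C program, so the following is an added sketch of my own (not Sébastien Raveau's code) of the two halves of the technique: streaming a MediaWiki XML dump to build a deduplicated wordlist, then hashing every candidate once and looking the targets up. The three-page dump, the tokeniser rule, the unsalted SHA-1 password store and the victims' passwords are all constructed for the demonstration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from io import BytesIO

# Constructed stand-in for a Wikimedia XML dump so the example runs offline (real dumps are
# tens of gigabytes; the export namespace below is the one such dumps carried in 2009).
SAMPLE_DUMP = b"""<?xml version="1.0" encoding="utf-8"?>
<mediawiki xmlns="http://www.mediawiki.org/xml/export-0.3/" xml:lang="en">
  <page>
    <title>Belinea</title>
    <revision><text xml:space="preserve">'''Belinea''' is a brand of [[computer monitor]]s.</text></revision>
  </page>
  <page>
    <title>ABN AMRO</title>
    <revision><text xml:space="preserve">The bank's domain is &quot;abnamro&quot;.com</text></revision>
  </page>
  <page>
    <title>Twitter</title>
    <revision><text xml:space="preserve">{{Infobox website}} '''Twitter''' launched in 2006.</text></revision>
  </page>
</mediawiki>
"""

# Crude tokeniser: runs of ASCII letters/digits, three chars or longer. A production wordlist
# wants per-language Unicode handling and wiki-markup stripping; this is enough to show the idea.
WORD_RE = re.compile(r"[A-Za-z0-9]{3,}")


def iter_dump_text(stream):
    """Stream <title> and <text> contents with iterparse so a multi-gigabyte dump never sits in RAM."""
    for _event, elem in ET.iterparse(stream, events=("end",)):
        tag = elem.tag.rsplit("}", 1)[-1]          # strip the XML namespace
        if tag in ("title", "text") and elem.text:
            yield elem.text
        elif tag == "page":
            elem.clear()                           # release the finished page


def build_wordlist(stream):
    words = set()
    for text in iter_dump_text(stream):
        words.update(w.lower() for w in WORD_RE.findall(text))
    return sorted(words)


def build_sample_wordlist():
    return build_wordlist(BytesIO(SAMPLE_DUMP))


def digest(password, algo="sha1"):
    """Unsalted hash, as found in many password stores of the period."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def dictionary_attack(targets, wordlist, algo="sha1"):
    """targets: {label: hex digest}. Hash each candidate once, then look every target up."""
    lookup = {digest(w, algo): w for w in wordlist}
    return {label: lookup[h] for label, h in targets.items() if h in lookup}


if __name__ == "__main__":
    wl = build_sample_wordlist()
    print(len(wl), "words:", wl)
    # Constructed victims: two chose a word in sight of their desk, one used a random string.
    targets = {"alice": digest("belinea"), "bob": digest("abnamro"), "carol": digest("xK9#q2Lp")}
    print(dictionary_attack(targets, wl))
```

Against a real dump, run the tokeniser once and keep the wordlist; the hash lookup is then one pass over the list per hash algorithm regardless of how many targets there are. The post's point about brute force shows up in the numbers: a seven-letter lowercase word such as "belinea" sits somewhere in a space of 26^7 (about 8 billion) candidates, but it is a single line in the wordlist.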

North Korea Prepares Rocket for ‘Satellite’ Launch

Via Times Online UK -

North Korea is loading a Taepodong rocket in anticipation of the launch of a communications satellite next month, US officials said.

Regional powers, however, worry that the claim is a cover for the launch of a long-range missile capable of reaching Alaska. In 1998 North Korea faked a satellite launch to cloak a missile development test.

The US National Intelligence Director, Dennis Blair, said this month that all the indications were that Pyongyang would, in fact, launch a satellite. South Korea, America and Japan have urged North Korea to refrain from going ahead with the launch, expected to take place between April 4 and 8, calling it a violation of a UN Security Council resolution barring the country from ballistic activity.

In 2006 North Korea launched a Taepodong2 long-range missile that blew up less than a minute into flight. The satellite rocket and the missile use similar technology.

Pyongyang insists that it bears the right to develop its space programme and has warned the US, Japan and their allies not to interfere with the latest launch.


In early March, North Korea told two U.N. agencies it plans to launch a communications satellite sometime between April 4 and 8. The unprecedented disclosure is seen as trying to fend off international condemnation expected after what many believe will be a test of long-range missile technology.

Today in Mexico City, US Secretary of State Clinton said a North Korean missile launch, for any purpose, would be a provocative act and a violation of U.N. Security Council resolution 1718, approved after its 2006 nuclear test, which demands an end to Pyongyang's nuclear weapon and missile programs.

"We have made it very clear that the North Koreans pursue this pathway at a cost, and with consequences to the six-party [nuclear] talks, which we would like to see revived and moving forward as quickly as possible," said Hillary Clinton. "And we intend to raise this violation of the Security Council resolution, if it goes forward, in the U.N., and coincidentally Mexico will be chairing the Security Council starting in April."

Adobe Details Secret PDF Patches

Via ComputerWorld -

Adobe Systems Inc. revealed today that it patched five critical vulnerabilities behind the scenes when it updated its Reader and Acrobat applications earlier this month to fix a bug already under attack.

According to a security bulletin issued today, the updates to Reader 9.1 and Acrobat 9.1 that Adobe delivered on March 10 included patches for not just one bug -- as Adobe indicated at the time -- but for five other vulnerabilities as well.

Foremost among the five were a quartet of bugs in Adobe's handling of JBIG2 compressed images, which was also at the root of the original vulnerability made public in February. When Adobe updated Reader and Acrobat to Version 9.1 two weeks ago, it fixed all five JBIG2 flaws, though it admitted only to the one at the time.

That bug has been used by hackers since at least early January, when they began sending malformed PDF files to users as e-mail attachments.

"The way we always handle this," said Brad Arkin, Adobe's director of product security and privacy, "is, will publicly released information help more users than not releasing the information?" Adobe, said Arkin today, decided the answer was "no," since it had yet to issue updates for all users when it first patched the software on March 10.

The decision was prompted by the staggered release of the Reader and Acrobat updates. Adobe patched the Windows and Mac OS X editions of the two apps on March 10, offered updates to the Version 8 line on March 17, and didn't issue Reader 9.1 and Acrobat 9.1 for Unix until today. It also didn't produce a fix for the even-older Version 7 until today.

"With this JBIG security incident, we wanted to patch as soon as possible," said Arkin, "and staggering the updates like we did was going to get the patches to the biggest demographic as soon as possible." More users run Version 9 on Windows and Mac than any other edition of Reader and Acrobat, Arkin added.

The four newly revealed JBIG2 vulnerabilities were reported to Adobe after Symantec Corp. said it had found a new Reader bug in the wild, said Arkin, but there was enough time before the March 10 update deadline to add fixes for them to Version 9.1.

That matches the schedule spelled out by iDefense Labs, a computer security research arm of VeriSign Inc. In its own bulletin today, iDefense said it had notified Adobe of a JBIG2 bug on Feb. 24, and provided the company with proof-of-concept code a day later.

All four of the already-patched JBIG2 bugs were classified by Adobe as critical, and could "lead to remote code execution," according to the bulletin.

The fifth vulnerability detailed today was also critical, and had actually been patched in the Unix edition of Reader 8.1.3 and Acrobat 8.1.3 last November. "That had not been ported over to the other platforms, however," said Arkin, referring to the Windows and Mac versions of the software.

One security researcher said that while he agreed with Adobe's call, the company could have done better at communicating about what it was doing. "It does make some sense if you are forced into doing a staggered release," said Andrew Storms, director of security operations at nCircle Network Security Inc. "There's no sense in exposing users any more than necessary. But what gives us the bad taste is how they aren't being upfront about it now," referring to the security bulletin, which doesn't mention the newly revealed bugs in its summary, but tucks them deeper in the document.

YouTube Blocked in China, Google Says

Via NYTimes -

Google said Tuesday that its YouTube video-sharing Web site had been blocked in China.

Google said it did not know why the site had been blocked, but a report by the official Xinhua news agency of China on Tuesday said that supporters of the Dalai Lama had fabricated a video that appeared to show Chinese police officers brutally beating Tibetans after riots last year in Lhasa, the Tibetan capital.

Xinhua did not identify the video, but based on the description it appears to match a video available on YouTube that was recently released by the Tibetan government in exile.

It purports to show police officers storming a monastery after riots in Lhasa last March, kicking and beating protesters. It includes other instances of brutality and graphic images of a protester’s wounds. According to the video, the protester later died.

“We don’t know the reason for the block,” a Google spokesman, Scott Rubin, said. “Our government relations people are trying to resolve it.”

Mr. Rubin said that the company first noticed traffic from China had decreased sharply late Monday. By early Tuesday, he said, it had dropped to nearly zero.

China routinely filters Internet content and blocks material that is critical of its policies. It also frequently blocks individual videos on YouTube. YouTube was not blocked Tuesday or Wednesday in Hong Kong, the largely autonomous region of China. Beijing has not interfered with Internet sites there.

“The instant speculation is that YouTube is being blocked because the Tibetan government in exile released a particular video,” said Xiao Qiang, adjunct professor of journalism at the University of California, Berkeley, and editor of China Digital Times, a news Web site that chronicles political and economic changes in China.

Mr. Xiao said that the blocking of YouTube fit with what appeared to be an effort by China to step up its censorship of the Internet in recent months. Mr. Xiao said he was not surprised that YouTube was a target. It also hosts videos about the Tiananmen Square protests and many other subjects that Chinese authorities find objectionable.

The video about the beatings was pieced together from different places, Xinhua said on Tuesday, citing an unidentified official with the Tibetan regional government in China.

There has been no independent assessment of whether the video is authentic. In a statement sent via e-mail, Lobsang Nyandak, a representative of the Tibetan government in exile, said that the video was authentic.

The government did not directly address whether YouTube had been blocked. When asked about the matter at a news conference, a Foreign Ministry spokesman, Qin Gang, said: “Many people have a false impression that the Chinese government fears the Internet. In fact, it is just the opposite.”

Even as China steps up its censorship efforts, the country’s Internet participation is booming. Critics often find a way to avoid censors and debate controversial topics.

FBI Deployed by US to Fight Mexican Drug Lords

Via The Guardian UK -

The White House yesterday revealed plans for a crime-fighting operation targeting Mexican drug cartels on a scale not seen since the battles against the US mafia.

Washington is dispatching more federal agents and equipment to its south-western border with Mexico to target the cartels. Among them are a newly formed FBI unit, to deal with the ringleaders, and treasury officials who will track drug money. An extra 100 customs officers are to be sent to the border within the next 45 days.

The moves reflect growing concern in Washington that the carnage in Mexico involving the cartels is in danger of spilling over the border. A White House statement said: "The president is concerned by the increased level of violence, particularly in Ciudad Juárez and Tijuana, and the impact that it is having on the communities on both sides of the border."

The homeland security secretary, Janet Napolitano, at a White House press conference yesterday, singled out Houston, Texas, and Phoenix, Arizona, as recording increases in violence and kidnapping. Other officials have also mentioned El Paso, Texas, and San Diego, California.

The plan to beef up operations came the day before the secretary of state, Hillary Clinton, is due to visit Mexico City for discussions about the drug war with the Mexican president, Felipe Calderón. Barack Obama is to visit Mexico next month. As well as sending more agents to the border, the White House is providing $700m (£476m) to the Mexican government for five new helicopters, a surveillance aircraft and other crime-fighting equipment.

Calderón has dispatched more than 45,000 Mexican troops to combat the cartels, which responded with thousands of kidnappings and murders, including beheadings. Despite a string of arrests and drug busts - last week, soldiers captured two drug bosses - a record 6,300 drug-related killings occurred last year.

Other measures announced by the White House yesterday included dispatching more mobile x-ray units to the US side of the border to screen vehicles involved in gun trafficking. Napolitano said that over the last week, the US had stopped 997 firearms en route to Mexico. Absent from the announced plans were high-visibility moves such as deployment of the National Guard or expansion of the border fence started under George Bush. But the Obama administration argues that these are not necessarily effective.

David Ogden, the deputy attorney general, said that the best way to fight the cartels was through intelligence-based operations, "the same approach as we took towards the Cosa Nostra".