Sunday, August 30, 2009

UAE Seizes North Korean Weapons Shipment to Iran

Via Bloomberg (Aug 28th, 2009) -

The United Arab Emirates has seized a ship carrying North Korean-manufactured munitions, detonators, explosives and rocket-propelled grenades bound for Iran in violation of United Nations sanctions, diplomats said.

The UAE two weeks ago notified the UN Security Council of the seizure, according to the diplomats, who spoke on condition they aren’t named because the communication hasn’t been made public. They said the ship, owned by an Australian subsidiary of a French company and sailing under a Bahamian flag, was carrying 10 containers of arms disguised as oil equipment.

The council committee that monitors enforcement of UN sanctions against North Korea wrote letters to Iran and the government in Pyongyang asking for explanations of the violation, and one to the UAE expressing appreciation for the cooperation, the envoys said. No response has been received and the UAE has unloaded the cargo, they said.

The UAE and Iranian missions to the UN didn’t immediately respond to requests for comment. The Financial Times reported the weapons seizure earlier today.

The Security Council voted on June 12 to adopt a resolution that punishes North Korea for its recent nuclear-bomb test and missile launches through cargo inspections and enforcement of restrictions on financial transactions. The measure calls for the interdiction at seaports, airports or in international waters of any cargo suspected of containing arms or nuclear or missile-related materials going to or from North Korea.

Saturday, August 29, 2009

Trend Micro Whitepaper - A Cybercrime Hub

http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/a_cybercrime_hub.pdf

Tartu, Estonia is the hometown of an Internet company that, from the outside, looks just like any other legitimate Internet service provider (ISP). On its website, the company lists services such as hosting and advertising. According to publicly available information, it posted more than US$5 million in revenue and had more than 50 employees in 2007.

In reality, however, this company has been serving as the operational headquarters of a large cybercrime network since 2005. Its employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers from its office in Tartu. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies’ names quickly draw heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts. This does not cause much harm to the operation as a whole, however, as the same cybercriminal just continues its business under a new name. In fact, constantly changing names is part of the company’s business model with a few constants, one of which is the mother company in Tartu.

Although explicit evidence exists that the Estonian company is heavily involved in cybercrime, the company could also be just another façade of a bigger cybercriminal gang whose investors reside in another country like Russia or the United States. In fact, it is not at all unlikely that foreign criminal investors put their money into the Estonian company so they do not have to do the dirty work themselves. This paper provides detailed data on some of the cybercrimes that this Estonian company has been involved with. It also provides advertising fraud statistics committed on legitimate websites. Furthermore, it explains the backend structure of fraud with Google search queries and shows that around 100,000 unique Internet users per day get a bogus message saying, “You are infected with a virus, please download this piece of free antivirus software,” whenever they attempt to access high-traffic pornography websites. Finally, it also briefly discusses the internal network of the Estonian company, which shows how all of its activities relate to one another.

Source Code of Skype Covert Tap Released

Via H-Online -

On his website Megapanzer.com, Ruben Unteregger, a Swiss software developer, has released the source code of a program for tapping into encrypted Skype conversations. The program can be injected into a PC as a trojan. According to Unteregger, the successfully injected trojan hooks into active Skype processes, secretly records the audio data of conversations and transmits it to an external server as MP3 files.

Back in 2008, the CCC published a letter claiming that the Bavarian legal authorities and police had used a similar program made by a company called DigiTask; despite requests for clarification, the allegation was never denied. In Switzerland, a program made by vendor ERA IT Solutions has reportedly been used for the same purpose. Unteregger claims that he was employed with this very vendor for several years, working predominately on "malware stuff". Unteregger says that by making the spying software available under the GPL, he hopes to cast light onto this dark subject.

Riccardo Gubser from ERA explained to The H's associates at heise Security that "the know-how for this development was introduced to the company by R.U. and it disappeared with his exit from the company." Apparently Ruben Unteregger was not only a developer at ERA IT, but one of the main shareholders and a member of the management at the company.

Apache.org Hacked Via Compromised SSH Key

Via Apache.org Blog -

This is a short overview of what happened on Friday August 28 2009 to the apache.org services. A more detailed post will come at a later time after we complete the audit of all machines involved.

On August 27th, starting at about 18:00 UTC an account used for automated backups for the ApacheCon website hosted on a 3rd party hosting provider was used to upload files to minotaur.apache.org. The account was accessed using SSH key authentication from this host.

To the best of our knowledge at this time, no end users were affected by this incident, and the attackers were not able to escalate their privileges on any machines.

While we have no evidence that downloads were affected, users are always advised to check digital signatures where provided.

minotaur.apache.org runs FreeBSD 7-STABLE and is more widely known as people.apache.org. Minotaur serves as the seed host for most apache.org websites, in addition to providing shell accounts for all Apache committers.

The attackers created several files in the directory containing files for www.apache.org, including several CGI scripts. These files were then rsynced to our production webservers by automated processes. At about 07:00 on August 28 2009 the attackers accessed these CGI scripts over HTTP, which spawned processes on our production web services.

At about 07:45 UTC we noticed these rogue processes on eos.apache.org, the Solaris 10 machine that normally serves our websites.

Within the next 10 minutes we decided to shutdown all machines involved as a precaution.

After an initial investigation we changed DNS for most apache.org services to eris.apache.org, a machine not affected and provided a basic downtime message.

After investigation, we determined that our European failover and backup machine, aurora.apache.org, was not affected. While some files had been copied to the machine by automated rsync processes, none of them were executed on the host, and we restored from a ZFS snapshot to a version of all our websites before any accounts were compromised.

At this time several machines remain offline, but most user facing websites and services are now available.

We will provide more information as we can.

---------------------------------------

F-Secure has a screenshot of the basic downtime message that was shown for a short time.
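The root cause above is an SSH key meant only for automated backups that could be used to upload arbitrary files to minotaur. The standard mitigation is to pin such a key in authorized_keys with `from=` (only the expected source host), `command=` (a forced command, so the key cannot run anything else) and `restrict` or the individual `no-*` flags. The script below is an added example, not code from the Apache.org post: it parses the options field of an authorized_keys file and reports automation keys that lack those restrictions. The sample file, host address and key blobs are constructed for illustration.

```python
"""Audit an OpenSSH authorized_keys file for unrestricted automation keys.

Added example, not part of the apache.org incident report. The sample
entries and the 203.0.113.10 address are constructed for illustration.
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Flags that "restrict" (OpenSSH 7.2+) turns on as a group.
RESTRICT_FLAGS = ("no-pty", "no-port-forwarding",
                  "no-agent-forwarding", "no-x11-forwarding")


def _split_options_field(line):
    """Split 'options keytype key comment' at the first unquoted whitespace."""
    in_quotes, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quotes:        # escaped char inside quotes
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            return line[:i], line[i:].lstrip()
        i += 1
    raise ValueError("options field without a key: %r" % line)


def _parse_options(text):
    """Parse 'a,b="x, y",c' into {'a': True, 'b': 'x, y', 'c': True}."""
    opts = {}
    if not text:
        return opts
    items, cur, in_quotes, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and in_quotes and i + 1 < len(text):
            cur.append(text[i + 1])        # keep the escaped character
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes      # quotes delimit, not part of value
        elif c == "," and not in_quotes:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    items.append("".join(cur))
    for item in items:
        name, sep, value = item.partition("=")
        opts[name.strip().lower()] = value if sep else True
    return opts


def parse_line(line):
    """Return {'options', 'type', 'key', 'comment'} or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options_text, rest = "", line          # no options field present
    else:
        options_text, rest = _split_options_field(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unparseable authorized_keys line: %r" % line)
    return {"options": _parse_options(options_text), "type": parts[0],
            "key": parts[1], "comment": parts[2] if len(parts) > 2 else ""}


def audit(text):
    """Return [(lineno, comment, [problems])] for keys missing restrictions."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        o, problems = entry["options"], []
        if "from" not in o:
            problems.append("no from= source restriction")
        if "command" not in o:
            problems.append("no command= forced command")
        if "restrict" not in o:
            problems.extend("missing " + f for f in RESTRICT_FLAGS if f not in o)
        if problems:
            findings.append((lineno, entry["comment"], problems))
    return findings


# Constructed sample: line 2 is the kind of key that enabled the incident,
# line 3 is the same key pinned to one host and one rsync command.
SAMPLE = """# constructed sample, not the real apache.org file
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example backup@apachecon-host
from="203.0.113.10",command="rsync --server -logDtprze.iLsf . /backup/apachecon",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample backup@apachecon-host
"""

if __name__ == "__main__":
    for lineno, comment, problems in audit(SAMPLE):
        print("line %d (%s): %s" % (lineno, comment, "; ".join(problems)))
```

Run it against /etc/ssh or a user's ~/.ssh/authorized_keys after swapping SAMPLE for the file contents; any backup or deploy key that shows up without `from=` and `command=` is a key whose compromise on the remote side gives an attacker an ordinary shell-level upload path, which is exactly what happened here.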

FBI Investigating Laptops Sent to US Governors

Via ITWorld.com -

There may be a new type of Trojan Horse attack to worry about.

The U.S. Federal Bureau of Investigation is trying to figure out who is sending laptop computers to state governors across the U.S., including West Virginia Governor Joe Manchin and Wyoming Governor Dave Freudenthal. Some state officials are worried that they may contain malicious software.

According to sources familiar with the investigation, other states have been targeted too, with HP laptops mysteriously ordered for officials in 10 states. Four of the orders were delivered, while the remaining six were intercepted, according to a source who spoke on condition of anonymity because of the ongoing investigation.

The West Virginia laptops were delivered to the governor's office several weeks ago, prompting state officials to contact police, according to Kyle Schafer, the state's chief technology officer. "We were notified by the governor's office that they had received the laptops and they had not ordered them," he said. "We checked our records and we had not ordered them."

State officials in Vermont told him they've received similar unsolicited orders, Schafer said. Representatives from that state could not be reached for comment Thursday.

Schafer doesn't know what's on the laptops, but he handed them over to the authorities. "Our expectation is that this is not a gesture of good will," he said. "People don't just send you five laptops for no good reason."

The computers are now being held as evidence by state police, who are working with the FBI to figure out how the machines were sent to the governor's office, said Michael Baylous, a sergeant with the West Virginia State Police.

The West Virginia laptops were delivered Aug. 5, according to the Charleston Gazette, which first reported the story.

The laptops sent to the Wyoming governor's office arrived in two separate shipments on Aug. 3 and Aug. 6, according to Cara Eastwood, a spokeswoman for Governor Freudenthal.

"We received one package, opened it and realized that it was an error since no one in our office had ordered them," she said. "The next day we received another package. At this point we realized that they needed to be turned over to law enforcement."

Friday, August 28, 2009

Norwegian Minister for Justice Tells ISPs to Censor Web

Via Wikileaks -

The file, a letter from the Norwegian Minister for Justice, Knut Storberget, asks all Norwegian Internet Service Providers (ISPs) to create a nationwide censorship system on a "voluntary basis" or face the passage of laws compelling them to do so.

The letter was sent to internet providers in Norway.

It was leaked because such a move should be debated in the Parliament rather than implemented without debate behind closed doors. It has been leaked because secret censorship lists are inherently unjust and undemocratic. And it has been leaked because other countries with secret blacklists such as Australia (mandatory, unimplemented), Thailand (mandatory, implemented), Finland (voluntary, implemented) and Denmark (voluntary, implemented) have been exposed as including material on their lists that they promised not to.

See also Norwegian secret internet censorship blacklist, 3518 domains, 18 Mar 2009

Abu Zubaydah - His Job Is To Lie

Via Complex Terrain Lab (CT Lab) -

NEFA Foundation posted several newly declassified, redacted US intelligence reports (linked at the top of its home page) related to the interrogations of senior al-Qaeda members such as Khalid Sheikh Mohammed and Abu Zubaydah. A 2002 psychological assessment of Abu Zubaydah stands out for its surreal qualities. Initially, it reads like a typical CV of a white collar professional, complete with "action verbs":
"Served as senior Usama bin Laden lieutenant and played key role in the movement and training of operatives..."

"Directed the start-up of a Bin Laden cell in Jordan that was disrupted in Amman in 1999..."

"Managed a network of training camps, safehouses, and mujahedin-related offices in Peshawar..."
And then shifts into an assessment of personality traits that reads like a job recommendation or annual performance appraisal:
"Subject is a highly self-directed individual who prizes his independence... He is intellectually curious, skeptical...possesses excellent self-discipline and readily sets aside his own interests to meet his responsibilities."

"Subject has excellent social skills and social [redacted]..."
To be fair, it is a formal psychological assessment and is intended to describe Zubaydah, not analyze him. However, it is a fascinating peek at the kind of intelligence counterterrorism officials had at their disposal soon after September 11th.

Perhaps the most telling passage describes Zubaydah's (and by extension al-Qaeda's) approach to interrogations:
"Subject recognizes that his duty as a soldier/warrior/mujahid is to delay, mislead, and lie to protect what is most critical to the success of his cause. He assumes that we understand this. Thus, he is not likely to be intimidated or weakened by being 'caught' in lies. His job is to lie."

Breaking WPA TKIP in 60 Seconds

Via ZDNet -

Computer scientists in Japan have developed a way to break the WPA (Wi-Fi Protected Access) encryption system used in wireless routers in just one minute.

The attack, which reads encrypted traffic sent between computers and certain types of routers that use the WPA encryption system, was devised by Toshihiro Ohigashi of Hiroshima University and Masakatu Morii of Kobe University.

The scientists plan to discuss further details at a technical conference on 25 September in Hiroshima.

Security researchers first showed how WPA could be broken last November, but the researchers have accelerated theory into practice, taking the proven 15-minute Beck-Tews method developed by researchers Martin Beck and Erik Tews, and speeding it up to just 60 seconds.

Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard, or AES, algorithm.

According to their report, the limits of the man-in-the-middle attack are fairly restrictive. However, the development should spark users to drop WPA with TKIP as a secure method of protection.

The process of securing routers has been a long one. The WEP (Wired Equivalent Privacy) system introduced in 1997 is now considered to be insecure by security experts. Then came WPA with TKIP, followed by WPA 2.

However, users have been slow to upgrade to the latest secure methods.

Increased Safeguards at Natanz: What Does It All Mean?

Via FAS Strategic Security Blog -

A much anticipated IAEA report on Iran’s nuclear activities was leaked today. The report indicates that, among other things, Iran has conceded to additional safeguard at Natanz. This is a welcome development but occurring amidst a contested Iranian election, European threats of increased sanctions, continuing oblique hints of Israeli military action, and US talk of cutting off Iranian gasoline imports if nuclear talks are rejected. How important are these increased safeguards? Do they represent a change of course for Iran?

[...]

Some have suggested that Iranian compliance with IAEA requests is a sign that Teheran is preparing the ground for negotiations. Iranian officials themselves have stated that they are open to talks without preconditions and there was even a domestic proposal for an enrichment halt. The statement was quickly corrected making Iranian intentions as ambiguous as ever.

From a technical perspective, we believe that Iranian concessions on enhancing safeguards at Natanz do not present a fundamental change nor do they cause Iran much inconvenience. The changes are proportionate with the continued build up in the number of centrifuges and failure to implement them would have soon amounted to a violation of Iran’s Safeguards Agreement.

We should not read much political significance into Iran’s acceptance of additional safeguards. Whether Iran is cooperating with inspections because of, or in spite of, the threat of increased sanctions, their centrifuge program is continuing. Indeed, cooperation with the IAEA helps to weaken international political support for sanctions against Iran because of its nuclear program. We could say that Iran would rather have IAEA inspections than violate its Safeguards Agreement and suffer greater international sanctions, but we believe that agreeing to additional safeguards monitoring is not, by itself, an indication that Iran is willing to sit down at the negotiating table, let alone give up its centrifuge program.

Thursday, August 27, 2009

Somali Pirates Fire on US Navy Helicopter

Via Google (AP) -

Somali pirates holding a hijacked ship off the coast of Somalia fired at a U.S. Navy helicopter as it made a surveillance flight over the vessel, the first such attack by pirates on an American military aircraft, the Navy said Thursday.

The helicopter, which is based on the USS Chancellorsville, was not hit and there were no injuries, the Navy said.

The copter was flying on Wednesday over a Taiwanese-flagged fishing vessel, the Win Far, which pirates seized along with its 30-member crew in April and were holding south of the Somali port town of Hobyo.

The helicopter was about 3,000 yards (meters) away from the ship when the pirates opened fire with "a large caliber weapon," the Navy said in a statement. The helicopter did not return fire, it said.

Since seizing the Win Far in the Gulf of Aden, the pirates have used the vessel as a base for attacking other commercial ships, including the U.S.-flagged Maersk Alabama. Four pirates seized the Maersk Alabama in April, taking its captain Richard Phillips hostage. He was held for five days in a sweltering lifeboat off the coast until U.S. Navy snipers shot three of his captors dead.

Lt. Nathan Christensen, a Bahrain-based spokesman for the Navy's 5th Fleet told the Associated Press that Wednesday's shooting marks the first time pirates shot at U.S. Navy helicopters conducting daily surveillance flights over areas where pirates anchor hijacked vessels and await ransom.

Christensen said four other merchant ships and 105 crew members are currently being held by pirates near the Win Far. They are anchored along Somalia's coast, between port towns of Hobyo and Eyl, Christensen said in a phone interview on Thursday.

Piracy has increased in the Gulf of Aden — a crucial shipping route in and out of the Suez Canal — and elsewhere off the coast of Somalia, fueling a more than doubling of pirate attacks in the first half of 2009, according to an international maritime watchdog. Somalia has had no effective central government since 1991, and the country's interim government is embroiled in a struggle with Islamist extremists with suspected al-Qaida links.

Facebook Changes Privacy Policy

Via BBC -

Facebook has agreed to make worldwide changes to its privacy policy as a result of negotiations with Canada's privacy commissioner.

Last month the social network was found to breach Canadian law by holding on to users' personal data indefinitely.

Facebook has now agreed to make changes to the way it collects and handles this information.

It will also make it clear to users that they have the option of either deactivating or deleting their account.

"These changes mean that the privacy of 200 million Facebook users in Canada and around the world will be far better protected," said Canadian privacy commissioner Jennifer Stoddart.

"We're very pleased Facebook has been responsive to our recommendations."

The decision could also have implications for other social networking websites, she said.

Elliot Schrage, vice president of global communications and public policy at Facebook, said he believed the new policies set a new standard for the industry.

As well as updating the privacy policy, Facebook has said it will make changes that will give users more control over the data they provide to third-party developers of applications, such as games and quizzes.

There are around 950,000 developers in 180 countries who provide applications for the site.

Specifically, the changes will require applications to state which information they wish to access and obtain consent from the user before it is used or shared.

"Application developers have had virtually unrestricted access to Facebook users' personal information," said Ms Stoddart.

"The changes Facebook plans to introduce will allow users to control the types of personal information that applications can access."

The social network has said work on the changes will begin immediately but they would take around 12 months to implement.

Photo of the Day - Mike Perham
(Credit: REUTERS/Pickthall/PPL/Handout)

British sailor Mike Perham, 17, holds flares as he celebrates his arrival into Falmouth, southern England August 27, 2009. The British teenager became the youngest person ever to sail solo around the world after crossing the finishing line off Land's End on Thursday.

http://www.reuters.com/article/lifestyleMolt/idUSTRE57Q2V220090827

Interpol Issues Notices Against Two More in Connection to Mumbai Terror Attacks

Via The Times of India -

Hours after Pakistan rejected India's 6th dossier on the Mumbai terror attacks, sources on Wednesday told Times Now that the Interpol has issued more Red Corner Notices against two more 26/11 accused. This comes a day after they issued RCNs against Lashkar-e-Taiba founder chief Hafiz Saeed and mastermind of Mumbai terror strike Zaki-ur-Rehman Lakhvi.

Sources have said that the Interpol has issued notices to Zarar Shah and Abu al-Qama for their involvement in the November 26, 2008 Mumbai terror attacks, which killed over 180 people.

India had earlier sent proof and requested the issuing of a similar warrant against Lashkar commander Zarar Shah and Abu Al Qama, to which the Interpol had said that it was analysing the evidence against them.

The Interpol has issued these notices after a Mumbai court issued a non-bailable warrant against the LeT operatives for their role in the November 26, 2008 attacks.

Besides Saeed and Lakhvi, two other top leaders of LeT -- Haji Muhammad Ashraf and Zaki-ur-Bahaziq -- have also been declared as terrorists by UNSC. India had sought a ban on JuD after LeT was blamed for the terrorist attacks in Mumbai.

The United States had sought a ban on Lakhvi, operations leader of LeT, who is suspected to have planned the Mumbai attacks, Ashraf, a JuD financier, and Bahaziq, an India-born Saudi national who was suspected of collecting funds for the banned organisations in Saudi Arabia.

----------------------------------

According to an Interpol Press Release dated August 6th 2009...
INTERPOL’s National Central Bureau (NCB) in Islamabad, Pakistan, has issued a global alert for 13 individuals wanted by police authorities in Pakistan in connection with the ongoing investigation into the Mumbai terror attacks of November 2008.

China: All Your Rare Earth Metals Belong to Us

Via Wired.com (Danger Room) -

Rare earth metals are the key to 21st Century technology: Without them, we wouldn’t have smart phones, hybrid cars or precision weapons. And China, which mines most of the world’s rare earth metals, may be starting to catch on to their strategic value.

According to this alarming story in the U.K. Telegraph, China’s Ministry of Industry and Information Technology is weighing a total ban on exports of terbium, dysprosium, yttrium, thulium, and lutetium — and may restrict foreign sales of other rare earth metals. But don’t panic yet: U.S.-based Molycorp Minerals is preparing to resume mining of rare earth ore deposits at a California facility, pictured here.

Still, it’s a reminder of the role that strategic resources play, especially for the high-tech military of the United States. As I reported a few years back in the Financial Times, the Pentagon has become increasingly concerned over Chinese demand for specialty steels and titanium, which are key to armor plating, aircraft design and other high-end weaponry. Finding new, affordable sources of military-grade titanium has been a top priority of Darpa, the Pentagon’s far-out research arm.

Of course, China is not the only country that’s figuring out how to play the mineral wealth hand in geopolitics. For several years now, Russia has used natural gas supply as a way to exert less-than-subtle pressure on its neighbors. Energy, the Kremlin found, is a more effective instrument than an aging nuclear weapons stockpile: You can actually turn the gas taps off when you feel like punishing someone.

As an old piece of wisdom from Strategic Air Command put it: “When you have them by the balls, their hearts and minds will follow.”

---------------------------------

The race for limited global resources is on...and it's on in full force.

This reminds me of a great special report in the June 2008 edition of Fast Company...

Special Report: China Storms Africa

Those on the ground in the sub-Sahara don't call it "the Great Chinese Takeout" for nothing.

Wednesday, August 26, 2009

Malicious CD ROMs Mailed to Banks - UPDATED

Via SANS Internet Storm Center -

The National Credit Union Administration (NCUA) published an interesting advisory here:

http://www.ncua.gov/news/press_releases/2009/MR09-0825a.htm

Member credit unions evidently are reporting receiving letters which include two CDs. The letters claim to originate from the NCUA and advertise the CDs as training materials. However, it appears that the letter is a fake and the CDs include malware.

We have not heard about this scheme affecting any other targets, but please let us know if you see something like this. Malware delivery via USPS has certainly been suggested before.

------------------------

As it turns out, the CDs were part of an authorized pen-test.
Security assessment firm MicroSolved posted a statement on their site on Friday, confirming that they had been the firm conducting the penetration test.

"This was a controlled exercise in which the process worked," the company said in a blog post on Friday. "The social engineering attack itself was unsuccessful and drew the attention of the proper authorities. Had we been actual criminals and attempting fraud, we would have been busted by law enforcement."

Baitullah Mehsud Dead; Hakeemullah New Leader of Pakistani Taliban

The Long War Journal -

Two senior Pakistani Taliban leaders thought to have been at odds have confirmed that the former leader of the Movement of the Taliban in Pakistan is dead. The leaders also confirmed that Hakeemullah Mehsud is now the new leader of the Movement of the Taliban in Pakistan, dispelling the rumors of rampant infighting to choose Baitullah’s successors.

Hakeemullah and Waliur Rehman Mehsud said that Baitullah died on Sunday night from wounds suffered in the Aug. 5 US Predator strike in South Waziristan. The two Taliban leaders spoke via the phone from the same room to an Associated Press reporter.

"He was wounded. He got the wounds in a drone strike and he was martyred two days ago," Hakeemullah Mehsud told The Associated Press. Waliur repeated the statement to confirm that Baitullah had been killed.

Both leaders stated that Hakeemullah is now the leader of the Movement of the Taliban in Pakistan. Waliur would take command of the Taliban in South Waziristan.

----------------------------------

Not surprisingly, Hakeemullah Mehsud threatened to strike back at the US for killing Baitullah Mehsud in the Predator attack earlier this month.

"We will take revenge and soon," Hakeemullah Mehsud, who was chosen to lead the Movement of the Taliban in Pakistan last weekend, told AFP. "We will give our reply to this drone attack to America."

Twitter Fails to Block Cross Site Scripting (XSS) Flaw

Via H-Online.com -

A vulnerability in the way Twitter handles the URL of client applications that post to the microblogging service can allow for cross site scripting attacks. Twitter maintains an index of client applications that are able to post messages to Twitter that authenticate with OAuth. This allows developers to register an application name, description and URL of their application and when Twitter messages posted by their application are viewed on the web, the application name is displayed as a link to the application URL underneath each message. David Naylor, a UK based SEO expert, discovered that the URL field was unfiltered and demonstrated the problem. In comments on Naylor's blog, a Twitter representative says that the problem has been patched.

Naylor, after finding his demonstration account had been disabled, checked the issue with a new demonstration account (since also disabled) and found that, rather than filtering the field for HTML elements and ensuring it was a valid URL, Twitter's developers had just filtered the URLs on spaces. This allowed the exploit to continue working as he was able to craft a new application URL which pops up an alert in the browser on the Twitter account @apifail2. Naylor says that this could be maliciously exploited and lead to spamming or credential theft if left uncorrected, and suggests users use a desktop Twitter client as they are not generally vulnerable to this attack. Twitter has now closed the @apifail2 account.
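The two passes at a fix described above make a useful contrast: rejecting spaces is not URL validation, and a `javascript:` URL contains no spaces at all. The code below is an added example, not Twitter's code or Naylor's proof of concept. It puts the described space-only check beside a validator that parses the URL, allows only http/https with a host, and HTML-escapes the value when it is rendered into the "via <app>" link. The payload strings are illustrative and not the ones used on the @apifail accounts.

```python
"""Weak 'no spaces' URL check versus real validation plus output encoding.

Added example, not Twitter's code. Payloads below are constructed for
illustration and are not the ones from Naylor's demonstration accounts.
"""
import html
from urllib.parse import urlsplit


def weak_app_url_ok(url):
    """The check as described: the only thing rejected is whitespace."""
    return " " not in url


def safe_app_url(url):
    """Return the URL if it is a plain http(s) URL with a host, else None.

    Parsing the URL and allow-listing the scheme is what stops
    'javascript:' (and 'data:', 'vbscript:' ...) from reaching an href.
    """
    if not isinstance(url, str) or not url or len(url) > 2048:
        return None
    # Whitespace and control characters change how browsers parse the URL;
    # reject them outright rather than trying to strip them.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    if not parts.hostname:
        return None
    return parts.geturl()


def render_via_link(app_name, app_url):
    """Render the 'via <app>' fragment under each message.

    Validation decides whether a link is emitted at all; escaping is applied
    unconditionally so a URL like http://x/"onmouseover=... cannot break out
    of the href attribute even though it is a valid http URL.
    """
    name = html.escape(app_name, quote=True)
    safe_url = safe_app_url(app_url)
    if safe_url is None:
        return "via " + name
    return 'via <a href="%s">%s</a>' % (html.escape(safe_url, quote=True), name)


if __name__ == "__main__":
    for candidate in ("http://example.com/app",
                      "javascript:alert(1)",
                      'http://example.com/"onmouseover="alert(1)'):
        print("%-45s weak=%-5s strong=%s" % (
            candidate, weak_app_url_ok(candidate), safe_app_url(candidate)))
        print("   ", render_via_link("My <App>", candidate))
```

The point of keeping validation and encoding as two separate steps is that each covers a failure the other does not: `javascript:alert(1)` is perfectly well-formed for the encoder and only the scheme allow-list catches it, while the attribute-breaking URL is a legitimate http URL that only the encoder neutralises.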

Cracking the GSM A5/1 Encryption Via Distributed Computing

Via CNET -

If you are using a GSM phone (AT&T or T-Mobile in the U.S.), you likely have a few more months before it will be easy for practically anyone to spy on your communications.

Security researcher Karsten Nohl is launching an open-source, distributed computing project designed to crack the encryption used on GSM phones and compile it into a code book that can be used to decode conversations and any data that gets sent to and from the phone.

He hopes that by doing this it will spur cellular providers into improving the security of their services and fix a weakness that has been around for 15 years and affects about 3 billion mobile users.

"We're not creating a vulnerability but publicizing a flaw that's already being exploited very widely," he said in a phone interview Monday.

"Clearly we are making the attack more practical and much cheaper, and of course there's a moral question of whether we should do that," he said. "But more importantly, we are informing (people) about a longstanding vulnerability and hopefully preventing more systems from adopting this."

This weakness in the encryption used on the phones, A5/1, has been known about for years. There are at least four commercial tools that allow for decrypting GSM communications that range in price from $100,000 to $250,000 depending on how fast you want the software to work, said Nohl, who previously has publicized weaknesses with wireless smart card chips used in transit systems.

It will take 80 high-performance computers about three months to do a brute force attack on A5/1 and create a large look-up table that will serve as the code book, said Nohl, who announced the project at the Hacking at Random conference in the Netherlands 10 days ago.

Using the code book, anyone could get the encryption key for any GSM call, SMS message, or other communication encrypted with A5/1 and listen to the call or read the data in the clear. If 160 people donate their computing resources to the project, it should only take one and a half months to complete, he said.

Participants download the software and three months later they share the files created with others, via BitTorrent, for instance, Nohl said. "We have no connection to them," he added.

Once the look-up table is created it would be available for anyone to use.

Distributed computing, which has long been used for research and academic purposes, like SETI@home, and which companies have built businesses around, not only solves the technical hurdle to cracking the A5/1 code, but it could solve the legal ones too.

A few years ago a similar GSM cracking project was embarked upon but was halted before it was completed after researchers were intimidated, possibly by a cellular provider, Nohl said. By distributing the effort among participants and not having it centralized, the new effort will be less vulnerable to outside interference, he said.

Nohl wasn't certain of the legal ramifications of the project but said it's likely that using such a look-up table is illegal but possession is legal because of the companies that openly advertise their tables for sale.

A T-Mobile spokeswoman said the company had no comment on the matter.

AT&T spokesman Mark Siegel said, "We take extraordinary care to protect the privacy of our customers and use a variety of tools, many technical and some human approaches. I can't go into the details for security reasons." He declined to elaborate or comment further.

The New Threat to Oil Supplies: Hackers

Via ForeignPolicy.com -

Earlier this year, a sullen, 28-year-old contractor in California was charged in federal court with sabotaging the computerized controls on an oil rig sitting off the coast, allegedly out of spite for not being hired full time. Prosecutors say the contractor hacked into a shore-to-rig communications network that, among other functions, detected oil leaks. He caused thousands of dollars worth of damage, they charge, though, fortunately, no leaks.

A research team from the SINTEF Group, an independent Norwegian think tank, recently warned oil companies worldwide that offshore oil rigs are making themselves particularly vulnerable to hacking as they shift to unmanned robot platforms where vital operations -- everything from data transmission to drilling to sophisticated navigation systems that maintain the platform's position over the wellhead -- are controlled via wireless links to onshore facilities.

The usual threat of a takeover of the massive oil platforms is in the form of seaborne raiders; Britain's Royal Marines commandos still regularly train for hostage rescue on rigs that dot the North Sea. But now, according to SINTEF scientist Martin Gilje Jaatun, with the advent of robot-controlled platforms, a cyberattacker with a PC anywhere in the world can attempt to seize control of a rig, or a cluster of rigs, by hacking into the "integrated operations" that link onshore computer networks to offshore ones. "The worst-case scenario, of course, is that a hacker will break in and take over control of the whole platform," Jaatun said. That hasn't happened yet, but computer viruses have caused personnel injuries and production losses on North Sea platforms, he noted.

Today, most new oil-field discovery, such as off the coasts of Brazil and Nigeria, occurs in deep ocean waters. Work on the massive metal platforms towering hundreds of feet above the ocean is notoriously dangerous for the "roughnecks," and specialized labor costs, not to mention feeding, providing care, and keeping fleets of helicopters and boats on standby to evacuate rig crews in the event of fire or hurricanes, are hugely expensive for oil companies; hence, the move to robot-operated platforms.

Although the newest oil rigs, which cost upward of $1 billion apiece, might be loaded with cutting-edge robotics technology, the software that controls a rig's basic functions is anything but. Most rely on the decades-old supervisory control and data acquisition (SCADA) software, written in an era when the "open source" tag was more important than security, said Jeff Vail, a former counterterrorism and intelligence analyst with the U.S. Interior Department. "It's underappreciated how vulnerable some of these systems are," he said. "It is possible, if you really understood them, to cause catastrophic damage by causing safety systems to fail."

The list of potential cyberattackers includes ecowarriors aiming to jack up oil firms' production costs, extortionists drawn to oil firms' deep pockets, and foreign governments engaging in a strategic contest for ever more scarce global oil reserves, Vail said. Insurgents, such as Nigeria's Movement for the Emancipation of the Niger Delta, which is waging a war against oil firms operating in that country's waters, could hire mercenary cyberwarriors to mount full-scale assaults on rigs in the delta. Despite obvious network vulnerabilities, oil firms have not made security a priority, said SINTEF's Jaatun, "leaving many of us feeling like 'chicken little' chirping on that the sky is about to fall."

Social Networks Leak Personal Information

Via InformationWeek.com -

Online social networking sites leak personal information, a new study has found, raising the possibility that users of such sites can be tracked everywhere they go online.

The study, "On the Leakage of Personally Identifiable Information Via Online Social Networks," was co-authored by Balachander Krishnamurthy, a researcher at AT&T Labs and Craig E. Wills, a professor of computer science at the Worcester Polytechnic Institute in Massachusetts, and presented last week at the Second ACM SIGCOMM Workshop on Online Social Networks in Barcelona, Spain.

The researchers say that social networks leak information through a combination of HTTP header information -- the Referer header and the Request-URI -- and cookies sent to third-party aggregators such as Google (NSDQ: GOOG)'s DoubleClick, Google Analytics, and Omniture, among others.

As a consequence of this leakage, third-party aggregators can potentially link social network identifiers to past and future Web site visits, thereby identifying a person and his or her online activities.

"The ability to link information across traversals on the Internet coupled with the wide range of daily actions performed by hundreds of millions of users on the Internet raises privacy issues, particularly to the extent users may not understand the consequences of having their PII [personally identifiable information] available to aggregators," the study states.

The study notes that while the privacy policies of the third-party aggregators typically declare the sharing of non-identifying information, they don't make it clear that an identity can often be derived from supposedly non-identifying information.

"What we are clearly trying to establish with this work is that these third party companies are receiving information about us from online social networks," said Wills in a phone interview. "When you or I create an account on an online social network, there's a unique identifier that's always associated with your account. That account number is being passed along to these third party aggregators. And along with the cookies these aggregators are already maintaining, they now can link that cookie to a social network identifier."
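The leakage path Wills describes (account identifier in the Referer header or Request-URI, combined with an aggregator's cookie) can be audited from a site's own traffic. This is an added example, not code from the study or the article; the host names, log shape and the list of identifier parameter names are assumptions built for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample traffic as a browser would emit it while viewing a profile page:
# (request_host, request_uri, referer_header, third_party_cookie_sent).
# All host names are illustrative placeholders, not real observed traffic.
SAMPLE_REQUESTS = [
    ("socialnet.example", "/profile.php?id=123456789", "", False),
    ("analytics.example", "/__utm.gif?utmhn=socialnet.example",
     "http://socialnet.example/profile.php?id=123456789", True),
    ("ads.example",
     "/pixel?u=http%3A%2F%2Fsocialnet.example%2Fprofile.php%3Fid%3D123456789", "", True),
    ("cdn.example", "/static/logo.png", "http://socialnet.example/home", False),
    ("ads.example", "/pixel?u=http%3A%2F%2Fsocialnet.example%2Fhome", "", True),
]

FIRST_PARTY = {"socialnet.example"}
# Query-string keys that typically carry a social-network account identifier (assumed list).
ID_PARAMS = {"id", "uid", "user", "userid", "member", "profile_id"}


def ids_in_url(url, first_party=FIRST_PARTY, depth=0):
    """Collect account identifiers carried in a URL's query string.
    A query value that is itself a first-party URL (typical for tracker pixels that
    embed the page URL) is parsed recursively, so an id=... inside it is found too."""
    found = set()
    query = urlparse(url).query
    for key, values in parse_qs(query).items():  # parse_qs already percent-decodes values
        for value in values:
            if key.lower() in ID_PARAMS:
                found.add(value)
            elif depth < 2 and urlparse(value).hostname in first_party:
                found |= ids_in_url(value, first_party, depth + 1)
    return found


def find_leaks(records, first_party=FIRST_PARTY):
    """One finding per identifier that reaches a non-first-party host.
    channel: 'referer' (leaked via the Referer header) or 'request-uri' (embedded in the
    request sent to the third party); linkable: a third-party cookie travelled with it,
    which is what lets the aggregator tie the identifier to its existing tracking profile."""
    findings = []
    for host, uri, referer, cookie_sent in records:
        if host in first_party:
            continue
        channels = []
        if referer and urlparse(referer).hostname in first_party:
            channels.append(("referer", ids_in_url(referer, first_party)))
        channels.append(("request-uri", ids_in_url("http://" + host + uri, first_party)))
        for channel, ids in channels:
            for ident in sorted(ids):
                findings.append({"third_party": host, "identifier": ident,
                                 "channel": channel, "linkable": cookie_sent})
    return findings


def summarize(findings):
    """Map each third party to the set of identifiers it received."""
    summary = {}
    for finding in findings:
        summary.setdefault(finding["third_party"], set()).add(finding["identifier"])
    return summary


if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_REQUESTS):
        print(finding)
    print(summarize(find_leaks(SAMPLE_REQUESTS)))
```

On the constructed sample, the profile id reaches two aggregators, once through the Referer header and once embedded in a pixel request URI, and both requests carried a third-party cookie.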

The study looked at twelve social networking sites: Bebo, Digg, Facebook, Friendster, Hi5, Imeem, LinkedIn, LiveJournal, MySpace, Orkut, Twitter, and Xanga.

"Not only do they know where I'm visiting, they know who I am," said Wills. "And that's disconcerting."

Many social networking sites provide privacy controls to limit information disclosure, but the report found that between 55% and 90% of users -- Wills suggests it's closer to 70% on the lower end -- of social networking services keep the default privacy settings for allowing strangers to view profile information and 80% to 97% keep the default privacy settings for viewing friends.

The report does not suggest that there's misuse of this information by third party aggregators and notes that contracts between social networking sites and third party aggregators may require aggregators not to use identifying information.

Facebook did not respond to a request for comment.

Opening the First Generation Mul-T-Lock Cliq with Vibration

Via blackbag.nl -

I have been looking forward to the HAR conference for a long time. After all, it was going to be the moment to publicly talk about our discovery on bypassing the electronic locking part on the first generation Mul-T-Lock Cliq. More than one year ago we discovered the samples we had in some instances could be opened with the so called ‘magnetic ring’ (you still needed to have the correct mechanical key or bypass the mechanical part). An important discovery as the attack would not show up in the electronic logfile in the lock. And the integrity of the logfile is a key issue in these kinds of systems. So we immediately informed Mul-T-Lock about this problem. And even though communication did not always go smoothly we came to an agreement. We agreed to go into full detail about this at the HAR conference in 2009. And that is what we just did. At the presentation we showed the problem was not magnetism … it was vibration!

Tuesday, August 25, 2009

PCI Council Releases Recommendations For Preventing Card-Skimming Attacks

Via DarkReading.com -

The PCI Security Standards Council (PCI SSC) today unveiled best practices for retailers to defend themselves against the growing number of credit- and debit-card skimming scams.

Skimming credit- and debit-card data is becoming a popular way for cybercriminals to steal credit and debit card account numbers and execute financial fraud against grocery stores, gas stations, convenience stores, and other retailers and their customers, who are increasingly falling victim to hijacked card readers and ATM machines. Skimming occurs either by a malicious insider at the retail point-of-sale capturing the customer's card data, or more commonly by someone physically rigging a reader with a sniffer-type device to capture the data, which is then transmitted to the bad guys remotely.

"Skimming is becoming a widespread problem. These are guidelines for what retailers should be looking at" with their reader devices, says Bob Russo, general manager of the PCI SSC. "We discuss different techniques for protecting those point-of-sale devices."

But security experts say the council's skimmer protection guidelines are more a symptom of the already-broken system of credit and debit cards. "The concept of a 'credit card' as it exists today is the problem: If credit cards were cryptographic devices rather than just numbers, then none of these threats would be a problem," says Chris Paget, a security researcher. "The technology exists to implement this today and to completely eliminate credit card fraud, but it seems there's too much money being made from fraud for the card issuers to care."

Paget says the PCI guidelines are missing two key elements of this type of fraud: a malicious merchant stealing the data, and equipment tampered with at the factory. "If the person you give your card to at a restaurant has their own card skimmer, you're just as vulnerable," he says.

Legitimate card-reader equipment is also being compromised at the factory, so when merchants receive their new terminal, it could arrive rigged. "[The guidelines] do not address the case of legitimately purchased equipment that was tampered with at the factory, nor the case of a software-only addition to an ATM or card reader," says Paget, who himself fell victim to an ATM scam in Las Vegas during the Defcon17 conference.

[...]

The PCI Council's "Skimming Prevention: Best Practices for Merchants" guidelines, meanwhile, include a risk assessment questionnaire and self-evaluation forms to help retailers gauge their susceptibility to these types of attacks and to determine where they need to shore up their defenses. The guidelines cover how to educate and protect employees who handle the PoS devices from being targeted, as well as ways to prevent and deter compromise of those devices. They also detail how to identify a rigged reader and what to do about it, and how physical location of the devices and stores can raise risk.

The guidelines are geared to be used in conjunction with the PCI's PIN Entry Device Security Requirements, which specifies how to secure PIN devices.

PCI's Russo says the guidelines are for all sizes of retailers, but are especially geared for helping mom-and-pop retailers: "A small merchant that makes pizza isn't going to know much when someone with a terminal shows up with a business card and says he's there to put in a replacement, but is doing something [malicious] with it and leaving it there," PCI's Russo says.

Among some of the information in the guidelines is how to look for signs of physical tampering and how to monitor the device for that. "Write down the serial number on your terminal and look at what the terminal looks like. Does it have seals on it? A label on the back? What color wires go to it?" he says. "Once a quarter, take a look at it and make sure it's intact."

"Most of this stuff is common sense, and that's where most of the fail happens," adds Michael Rothman, senior vice president of strategy at eIQnetworks. "But in reality, skimming defense is really more about process and education. People on the front lines need to know what to look for -- and that is a huge challenge. But it always has [been]."

But skimming is typically more about adding a layer to the existing device that can't be detected, he says, so the guidelines may not be effective in those cases.

Meanwhile, Paget says credit card companies need to wake up. "Credit cards as they exist today are the financial equivalent of a Telnet login session over the Internet. It's about time the dominant payment infrastructure upgraded to SSL [Secure Sockets Layer] and got rid of all of these attacks -- and more -- at once," he says.

Apple Adds Malware Blocker in Snow Leopard

Via ZDNet -

Apple’s commercials may give the impression that Macs are virus-free, but the company isn’t taking any chances with the newest Mac OS X refresh.

Apple has quietly added a new Snow Leopard feature to scan software downloads for malware, a no-brainer move that coincides with a noticeable spike in malicious files embedded in pirated copies of Mac-specific software.

The malware blocker, first spotted by the folks at Intego, appears to be scanning installation packages for signs of known Mac malware.

[...]

It is not yet clear how Apple is handling the package scans for signs of malicious software.

I have confirmed that Apple is not using the open-source ClamAV engine to handle these scans so it’s likely the company has entered into an agreement with a commercial anti-virus company.

This isn’t the first official acknowledgment from Apple that the Mac operating system may be susceptible to malware. This Web page on Mac OS X security actually recommends the use of third-party anti-virus software to get “additional protection.”

--------------------------------

Apple has confirmed that its new operating system, Mac OS X 10.6 Snow Leopard, will be released on 28 August.

Saturday, August 22, 2009

Relative May Have Helped the CIA Find Baitullah Mehsud

Via DailyTimes.com.pk (Pakistan) -

A “paid agent”, possibly a relative, helped signal the whereabouts of Tehreek-e-Taliban Pakistan’s former chief Baitullah Mehsud to the Central Intelligence Agency (CIA), helping it take out the Taliban leader in a drone strike on August 5.

Officials and tribal sources told Daily Times on Saturday that the Taliban were holding Baitullah’s in-laws “hostage”.

The Taliban still deny Baitullah’s death but TTP deputy chief Faqeer Muhammad has named Hakeemullah Mehsud the new Taliban chief. “No new strategy was undertaken while hunting Baitullah. Agents pin-pointed the TTP chief’s position and the CIA took him out through a drone attack,” officials familiar with training agents for tracking down targets told Daily Times. “He (TTP chief) was simply not spotted through the powerful lens fixed on the drone, rather the complete set of procedures laid down for such missions was followed,” the officials said.

A belt wrapped above an agent’s waist carries two electronic chips, the officials said. “The agent pushes the first chip when he finds himself close to the target to intimate the satellite, which transfers the information to the control-room. The second chip is pushed only when the target is present and the agent has moved to a safer place. That is when the drone is positioned and Hellfire missiles are fired,” officials explained. The Taliban confirmed they had executed a resident of Mardan on charges of spying for the CIA, one week after the August 5 drone attack. The killed man’s family said he had served Baitullah as his driver. The possible involvement of the killed TTP leader’s in-laws in giving away his position was highlighted in a report published by the BBC on Saturday, which said Baitullah’s father-in-law Maulana Ikramuddin, his son Ziauddin, brother Saeedullah and a nephew were in Taliban custody for the last few days.

Photo of the Day - Ramadan 2009


(Photo Credit = AFP)

http://news.bbc.co.uk/2/hi/in_pictures/7149890.stm

Rituals include fasting between dawn and dusk, and offering special prayers during the evening, as here in Jakarta's Istiqlal mosque.

-----------------------------

Ramadan is the ninth month of the Islamic calendar. It is the Islamic month of fasting, in which participating Muslims refrain from eating, drinking, smoking, and indulging in anything that is in excess or ill-natured, from dawn until dusk. Fasting is meant to teach the Muslim patience, modesty and spirituality. Ramadan is a time to fast for the sake of Allah, and to offer more prayer than usual. During Ramadan, Muslims ask forgiveness for past sins, pray for guidance and help in refraining from everyday evils, and try to purify themselves through self-restraint and good deeds. Compared to the solar calendar, the dates of Ramadan vary, moving forward about ten days each year. Ramadan was the month in which the first verses of the Qur'an were revealed to the Prophet Muhammad.

America's Muslims Celebrate Holy Month of Ramadan

Via VOA News -

As the Muslim holy month of Ramadan begins on August 22, Muslim Americans are observing it in many ways.

American Muslims of diverse national backgrounds are coming together to worship. They will break their dawn-to-dusk fast - for a whole month - in Islamic centers and in their homes across the country.

Imam Abdulla Khouj is president of the Islamic Center in Washington, DC.

"People from all over the world gather in one place and all do feel one people regardless of the distances and regardless of the geographical areas," he said.

Regardless of national origin, Ramadan is observed with rituals that bridge those differences.

Families shop for foods that have been prepared especially for Ramadan. They prepare Iftar meals that break the daily fast and they pray together.

Nadia Rachid immigrated to the US from Morocco. She misses the big Ramadan gatherings in her home country.

"There is a big difference. Here you do not have extended family, and so instead of having 10 people around the table, there is only the two of us," she said.

Her husband, Mohamed Ibrahim, says it's easy to observe Ramadan in America even though most people around him are not fasting.

"Because it is my duty to fast it does not matter what everybody else is doing," he explained.

Pakistan Taliban Appoints New Chief - Hakimullah Mehsud

Via BBC -

Pakistan's Taliban movement has named a new leader, its deputy head Maulvi Faqir Mohammed has told the BBC.

He said Hakimullah Mehsud, a close associate of ex-leader Baitullah Mehsud, had been unanimously appointed at a meeting in northern Pakistan.

Pakistani and US officials believe Baitullah Mehsud was killed in a US drone strike in early August.

However the Taliban continue to insist that he is still alive, despite their decision to appoint a new leader.

Hakimullah Mehsud, who is in his late 20s, is a military chief of the Tehrik-e-Taliban Pakistan (TTP) organisation formed by Baitullah Mehsud in an effort to unite the various factions under one umbrella.

He controls an estimated 2,000 fighters in the Orakzai, Kurram and Khyber regions.

The announcement by Maulvi Faqir Mohammed follows weeks of speculation, and rumours of shootouts and disarray in Taliban ranks.

Mr Mohammed says Baitullah Mehsud has been seriously ill and wanted to see his successor appointed in his lifetime.

But the BBC's Orla Guerin in Islamabad says many will see the naming of a new leader as confirmation that Baitullah Mehsud is dead.

Our correspondent says Hakimullah Mehsud is a young commander in Baitullah's own image, and is reported to be equally ruthless.

Some believe he could be an even bigger threat to Pakistan, and to foreign troops across the border in Afghanistan, she adds.

Friday, August 21, 2009

Metasploit Gets Wyse [Exploits] & Two New Beta Modules

On August 19th, HD Moore merged the first exploit of many for Wyse thin clients, written by KF, into Metasploit SVN.

http://pastie.org/588882

This appears to be an exploit for the 'hagent.exe' buffer overflow vulnerability that was making news in July of this year. According to Wyse Security Advisory (WSB09-01), this vulnerability affected WDM Server 4.7.x, Wyse 9x, 5x and 3x series devices.

It will be interesting to see what else KF has up his sleeves....

In other MSF news, digininja recently released two beta Metasploit modules - DHCP Exhaustion and DNS MITM. Feedback is highly welcome....

One-in-four Browser Hackers Run Opera to Ward Off Other Criminals

Via NetworkWorld -

Hackers using multi-exploit attack "toolkits" take defensive measures of their own against other criminals, a security researcher said today.

"Exploit kit operators do use mainstream browsers, but they're much more likely to use Opera than the average user, because they know that the browser isn't targeted by other hackers," said Paul Royal, a principal security researcher with Atlanta-based Purewire.

While the most generous Web measurements peg Opera, a browser made by Norwegian company Opera Software, at a 2% share of the global market, 26% of the hackers who Purewire identified use the far-from-popular application.

Because of its small market share, few hackers bother to unleash exploits for Opera vulnerabilities, said Royal.

Purewire obtained this insight, and others, by infiltrating hackers' systems using a bug in the analytics software included with a pair of hacker toolkits, notably one dubbed "LuckySploit," said Royal. "We forged a 'refer' field and put in a little JavaScript," he explained, "and that revealed the hackers to us via their IP addresses."

Out of 51 exploit kit-using hackers, Purewire's tactic successfully identified the IP addresses of 15, as well as the browsers they ran. "We essentially did a code audit," said Royal. "Even criminals who attack others cannot architect reliable software," he added, talking about the vulnerabilities in the toolkits.

Most multi-strike attack kits, including LuckySploit, serve up a grab bag of exploits, including code that leverages vulnerabilities in Microsoft's Internet Explorer (IE), in ActiveX controls that IE uses, and in Adobe's Flash Player and Reader.

Criminals also try to hide from law enforcement by distancing themselves from the servers that host their exploit kits, said Royal. Of the 15 hackers Purewire identified, only two -- both with IP addresses traced to Latvia -- resided in the same country that also hosted the system containing their attack kit.

Most had at least one country between where they lived and where their malware-serving machine was located.

"This is a first stab," Royal said when asked what value could be placed on the information Purewire rooted out. "If we can discover the IP addresses of exploit kit operators, we can then turn that over to law enforcement."

World's Most Expensive Bicycle

http://news.bbc.co.uk/2/hi/europe/7941794.stm (Video)

A Danish designer has created what he claims is the "world's most expensive bicycle".

Coated throughout with 24-carat gold and studded with hundreds of Swarovski crystals, the bike is on sale for 80-thousand euros.

----------------------------------

In the video, I love the last young lady's reaction....
"In Denmark, we just steal bikes...we don't pay for them, so to pay that large amount of money...it's just silly"
It's silly indeed.

More pictures of the bike can be found here.

----------------------------------

This story made me think of a little bike I encountered back in Amsterdam in 2006...



Stolen? Abandoned? Not sure, but definitely not ride-able.

Eight Indicted For $22M Identity Theft Scam Against AT&T, T-Mobile

Via Darkreading.com -

Eight defendants were arraigned in a Brooklyn court yesterday for allegedly using the stolen identities of AT&T, T-Mobile, and Asurion customers to steal some $22 million worth of wireless equipment and services.

An indictment was unsealed in Brooklyn federal court yesterday morning charging Courtney Beckford, Gabe Beizem, Rawl Davis, Lennox Lambert, Marsha Montayne, Saul Serrano, Ron Shealey, and Rohan Stewart, with conspiracy to commit mail fraud and wire fraud. Beizem, Montayne, and Stewart were also charged with wire fraud and aggravated identity theft.

According to the indictment, between February 2005 and July 2009, Beizem -- an owner of Got Wireless (aka USA Wireless), a former authorized AT&T and T-Mobile dealer that operated in Brooklyn -- obtained dealer access codes for AT&T's and T-Mobile's online customer databases. Stewart, the owner of KP Wireless -- an authorized T-Mobile wireless device dealer operating in West Palm Beach, Florida -- also obtained dealer access codes for T-Mobile's customer database.

Using these access codes, Beizem, Stewart, and Montayne, and others, allegedly obtained existing customer information from the customer databases, including customers' names, addresses, and personal identifying information, the indictment says. Montayne, and others, then fraudulently assumed the identities of existing customers and obtained new wireless devices without payment and without the customers' permission.

[...]

As a result of these fraudulent requests, AT&T and T-Mobile shipped new or replacement wireless devices for express mail delivery by FedEx, DHL or UPS, according to the indictment. The FedEx and DHL shipments from AT&T were generally shipped to addresses along the routes of private express mail drivers whom Beckford, Davis, Lambert, and Stewart, and others, allegedly recruited and paid to divert the packages.

FedEx and DHL drivers, including Serrano and Shealey, then allegedly scanned the packages into their respective carrier's computerized tracking systems as "delivered" to the stated delivery addresses, but actually diverted the packages to Beckford, Davis, Lambert, and Stewart, and others. UPS shipments from T-Mobile were shipped directly to addresses connected to the defendants and their associates.

Beckford, Beizem, Davis, and Montayne, and others, allegedly then sold the fraudulently obtained wireless devices to others. When charges were incurred on these devices, they were billed to existing AT&T and T-Mobile customers' accounts. When the customers reported or confirmed the fraud on their accounts to AT&T and T-Mobile, the companies absorbed the losses, which included the cost of the devices, insurance payments, shipping costs, and wireless service and other calling charges.

New Details, and Lessons, on Heartland Breach

Via securosis.com -

Thanks to an anonymous reader, we may have some additional information on how the Heartland breach occurred. Keep in mind that this isn't fully validated information, but it does correlate with other information we've received, including public statements by Heartland officials.

On Monday we correlated the Heartland breach with a joint FBI/USSS bulletin that contained some in-depth details on the probable attack methodology. In public statements (and private rumors) it's come out that Heartland was likely breached via a regular corporate system, and that hole was then leveraged to cross over to the better-protected transaction network.

According to our source, this is exactly what happened. SQL injection was used to compromise a system outside the transaction processing network segment. They used that toehold to start compromising vulnerable systems, including workstations. One of these internal workstations was connected by VPN to the transaction processing datacenter, which allowed them access to the sensitive information. These details were provided in a private meeting held by Heartland in Florida to discuss the breach with other members of the payment industry.

As with the SQL injection itself, we've seen these kinds of VPN problems before. The first NAC products I ever saw were for remote access -- to help reduce the number of worms/viruses coming in from remote systems.

I'm not going to claim there's an easy fix (okay, there is, patch your friggin' systems), but here are the lessons we can learn from this breach:

  1. The PCI assessment likely focused on the transaction systems, network, and datacenter. With so many potential remote access paths, we can't rely on external hardening alone to prevent breaches. For the record, I also consider this one of the top SCADA problems.
  2. Patch and vulnerability management is key -- for the bad guys to exploit the VPN connected system, something had to be vulnerable (note -- the exception being social engineering a system 'owner' into installing the malware manually).
  3. We can't slack on vulnerability management -- time after time this turns out to be the way the bad guys take control once they've busted through the front door with SQL injection. You need an ongoing, continuous patch and vulnerability management program. This is in every freaking security checklist out there, and is more important than firewalls, application security, or pretty much anything else.
  4. The bad guys will take the time to map out your network. Once they start owning systems, unless your transaction processing is absolutely isolated, odds are they'll find a way to cross network lines.
  5. Don't assume non-sensitive systems aren't targets. Especially if they are externally accessible.

Okay -- when you get down to it, all five of those points are practically the same thing.

Here's what I'd recommend:

  1. Vulnerability scan everything. I mean everything, your entire public and private IP space.
  2. Focus on security patch management -- seriously, do we need any more evidence that this is the single most important IT security function?
  3. Minimize sensitive data use and use heavy egress filtering on the transaction network, including some form of DLP. Egress filter any remote access, since that basically blows holes through any perimeter you might think you have.
  4. Someone will SQL inject any public facing system, and some of the internal ones. You'd better be testing and securing any low-value, public facing system since the bad guys will use that to get inside and go after the high value ones. Vulnerability assessments are more than merely checking patch levels.

--------------------------------------

Patch management isn't new...and it is so critically important, yet many, many companies still don't take it seriously.

One of the factors that can greatly affect any patch management process is inventory control.

Inventory control is rarely talked about in the realm of patch management, but they go hand-in-hand.

After all, you can't patch what you don't see...
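The securosis recommendations (scan your entire public and private IP space, keep patch management continuous) and the inventory-control point above come down to one reconciliation: what you think you own, versus what the scanner covers, versus what is actually on the wire. The following is an added example, not code from securosis or Heartland; every address, host name, date and age threshold is constructed for illustration, and the corp workstations stand in for the VPN-connected hosts that sat outside the hardened transaction segment.

```python
import ipaddress
from datetime import date

TODAY = date(2009, 8, 20)  # constructed reference date for the age checks

# Constructed inventory: ip -> (hostname, network zone).
INVENTORY = {
    "10.1.0.10": ("web-public-1", "dmz"),
    "10.1.0.11": ("web-public-2", "dmz"),
    "10.2.0.45": ("corp-ws-45", "corp"),
    "10.2.0.77": ("corp-ws-77-vpn", "corp"),  # workstation with a VPN into the txn network
    "10.9.0.5": ("txn-db-1", "transaction"),
}
# Constructed scanner configuration: only the "important" networks are in scope,
# which is exactly the gap the breach lessons warn about.
SCAN_SCOPE = ["10.1.0.0/24", "10.9.0.0/24"]
# Constructed records: ip -> date of last vulnerability scan / last security patch.
LAST_SCAN = {"10.1.0.10": date(2009, 8, 18), "10.1.0.11": date(2009, 7, 1),
             "10.9.0.5": date(2009, 8, 19)}
LAST_PATCH = {"10.1.0.10": date(2009, 8, 15), "10.1.0.11": date(2009, 8, 15),
              "10.2.0.45": date(2009, 3, 2), "10.9.0.5": date(2009, 8, 12)}
# Constructed: addresses actually seen on the wire (DHCP leases, ARP tables, flow data),
# which is how assets missing from the inventory surface.
OBSERVED = ["10.1.0.10", "10.1.0.11", "10.2.0.45", "10.2.0.77", "10.2.0.99", "10.9.0.5"]


def in_scope(ip, scope):
    """True if ip falls inside any network the scanner is configured to cover."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in scope)


def missing_scope(inventory, scope, prefix=24):
    """Networks (as /prefix blocks) that hold inventoried hosts but are absent from scope."""
    gaps = set()
    for ip in inventory:
        if not in_scope(ip, scope):
            gaps.add(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)))
    return sorted(gaps)


def coverage_report(inventory, scope, last_scan, last_patch, observed,
                    today=TODAY, max_scan_age=30, max_patch_age=45):
    """Reconcile inventory against scan scope, scan dates, patch dates and observed hosts.
    Each list holds the addresses that fail that particular check."""
    report = {"out_of_scope": [], "never_scanned": [], "stale_scan": [],
              "stale_patch": [], "unknown_hosts": []}
    for ip in inventory:
        if not in_scope(ip, scope):
            report["out_of_scope"].append(ip)
        if ip not in last_scan:
            report["never_scanned"].append(ip)
        elif (today - last_scan[ip]).days > max_scan_age:
            report["stale_scan"].append(ip)
        if ip not in last_patch or (today - last_patch[ip]).days > max_patch_age:
            report["stale_patch"].append(ip)
    for ip in observed:
        if ip not in inventory:
            report["unknown_hosts"].append(ip)  # you can't patch what you don't see
    return report


if __name__ == "__main__":
    result = coverage_report(INVENTORY, SCAN_SCOPE, LAST_SCAN, LAST_PATCH, OBSERVED)
    for check, hosts in result.items():
        print(f"{check}: {hosts}")
    print("networks to add to scan scope:", missing_scope(INVENTORY, SCAN_SCOPE))
```

On the constructed data the two corp workstations, including the VPN-connected one, are outside scan scope, have never been scanned and are unpatched, and one host on the wire is not in the inventory at all.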

Thursday, August 20, 2009

Apple + In-Store Recycling + Old Cell Phone = FAIL

With the recent move coming up, I have been trying to clear the house of old and unneeded things - including one Motorola RAZR and a very old Nokia 3560.

As a pretty happy owner of an iPhone 3G, I don't see the use in keeping them around.

I'm not a total hater of the environment, so I figured I would attempt to recycle them at the very least...as opposed to just breaking them with a hammer and throwing them directly into the landfill myself. Recycling sounds good, right?...but where can I do that?

http://www.apple.com/environment/recycling/

Ohhh, sweet! Apple takes old things for recycling...but will they take my old phones??

Let's check the site....

Very cool, the boxes on the right seem to indicate the following facts...
Apple’s free recycling program will take back your iPod or any cell phone — regardless of manufacturer or model.

You can bring your old cell phone to any Apple Retail Store for free recycling.
So the first sentence indicates that they will take any old phone for recycling...you just have to print out the mailing form and ship them off. Awesome, sounds easy enough. But wait!

I can bring my old cell phones to ANY Apple Retail Store for free recycling. Extra Awesome!!

Feeling comfortable that my logic was sound, I headed off to the local Apple Store to hand over my old busted phones.

Upon entering the store, I found one of those normally helpful blue/orange shirted employees and started into my story....about how old cell phones kill cute kittens.....and I like cute kittens so I wanted to recycle my phones.

After my short story, the employee kindly told me that they don't take any old phones for recycling...just some older iPhones. Ummmm Esqueeze me?

I explained that the website clearly and logically said otherwise....which he insisted wasn't correct.

So which is it, Apple? Do you take old non-Apple phones at ANY Apple Retail Store or not??

Either the employee was wrong...or your website is misleading. You tell me...

US Indicts Mexican Drug Traffickers From Sinaloa Cartel

Via VOA News -

U.S. authorities have announced new charges against members of a Mexican drug cartel accused of smuggling vast quantities of cocaine and other narcotics into the United States.

The Justice Department unveiled indictments against 43 leaders, members and associates of the powerful Sinaloa drug cartel, which is blamed for much of the drug-related violence that has claimed thousands of lives along the U.S.-Mexico border in recent years.

"We allege that these defendants shipped multi-ton quantities of narcotics into the United States through various established smuggling corridors and then through a network of affiliated distributors, [and] disbursed these drugs into cities and neighborhoods around the country," said US Attorney General Eric Holder.

Holder said the alleged smuggling spans nearly two decades, and has brought real harm and suffering to both the United States and Mexico.

"These cartels are not abstract organizations operating in far-off places," he said. "They are multi-billion dollar networks funneling drugs onto our streets. What invariably follows these drugs is more crimes and more violence in our communities."

The attorney general paid tribute to Mexico's efforts to battle drug cartels and said the United States must do its part.

"Our friends and partners in Mexico are waging an historic and heroic battle with the cartels as we speak," said the U.S. attorney general. "This is not a fight that we in the United States can afford to watch from the sidelines. The stakes are too high and the consequences are too real for us."

Man Sentenced For Role In Domestic Terror Plot

Via OCRegister.com (h/t NTARC) -

A man was sentenced to 70 months in prison today for his role in a domestic terrorism plot to wage war on the United States by attacking Jewish synagogues and military bases. Hammad Riaz Samana is the fourth member of Jami’yyat Ul-Islam Is-Shaheeh, or JIS, a prison-founded group that wanted to make a political statement that also had plans to attack the Israeli consulate in Los Angeles and El Al Israel Airlines at the Los Angeles International Airport.

Samana was 21 when he was charged in the case in July 2005, along with the cell’s mastermind, Kevin James, and members Levar Haley Washington and Gregory Patterson.

The group committed armed robberies of 11 gas stations, including two in Fullerton, to buy weapons and gear for the attacks. Authorities said gas stations were chosen as targets because of the symbolism of the oil.

Samana had a smaller role in the plot, and conducted computer research on the terrorism targets, and was the getaway driver for one of the armed robberies, according to U.S. District Judge Cormac Carney at today’s sentencing hearing.

Carney acknowledged he was imposing a substantially lighter sentence on Samana than those given to the other men.

New Chinese Defence Ministry Website

Via Ubiwar.com -

In the last few hours (days?) weeks, China has launched a new website for its Ministry of National Defense. It comes in two flavours, Chinese and English, which only differ in colour scheme, The Dark Visitor tells us (Chinese green, English red). I might be showing my ignorance of international English here, but ‘defense’ with an ’s’ is the American, as opposed to the UK/European, way of spelling it, so perhaps that’s a sign of who it’s aimed at, public diplomacy-wise. Today’s official press release tells us the following:

The website of the Chinese Ministry of National Defense mainly releases authoritative information of China’s national defense and army building. The founding of the website is designed to let the outside world have a better perception of China’s national defense policy, help enhance foreign exchanges and cooperation, display before the world the fine image of the PLA as a mighty, civilized and peaceful force and better promote the national defense and army modernization drive.

Netizens to visit the website will be impressed by its succinct and graceful webpage featuring novel and attractive design with distinctive military characteristics.

Indeed – I particularly like the green, Mandarin version. It continues:

The Chinese version of the website is composed of three parts, i.e. news channels, data and documentary materials, columns and special reports.

The news channels are today’s headlines, high-level development, national defense building, national defense education, national defense technology, military operations, military diplomacy, arms control & disarmament.

The data and documentary materials provided by the website include brief introductions to the leaders of the CMC and the four general headquarters/departments of the PLA, military laws and regulations, weaponry and equipment and military history.

The website also offers columns and special reports such as the collection of national defense videos, military photo gallery and special reports on domestic and international hot spots inside and outside the military circle.

The English version of the website will give more consideration to the concerns of overseas netizens on Chinese national defense information and their reading habits and better accord with the characteristics and rules of foreign publicity.

More from Reuters here.

Update: the London Times ran this story on 1 August 2009. Shows how slow I am. One of the comments on that article says,

You forgot to mention that the website is sponsored by Wulianyue – the PLA generals’ favourate [sic] and the strongest spirit in China (Chinese Whisky)!!!

That’s just not true. More on Chinese whisky here.

---------------------------------------------

Interesting how both the US and China released new defense websites recently...

Wednesday, August 19, 2009

Confidential Informants: A Double-Edged Sword

Via Stratfor (Global Security & Intelligence Report) -

Police in El Paso, Texas, announced Aug. 11 that they had arrested three suspects in the May 15 shooting death of Jose Daniel Gonzalez Galeana, a Juarez cartel lieutenant who had been acting as a confidential informant (CI) for the U.S. Immigration and Customs Enforcement (ICE) agency. It was an activity that prompted the Juarez cartel to put out a hit on him, and Gonzalez was shot multiple times outside his home in an upscale El Paso neighborhood. A fourth suspect was arrested shortly after the Aug. 11 announcement. Among the suspects is an 18-year-old U.S. Army soldier stationed at nearby Fort Bliss who the other suspects said had been hired by one of the leaders of the Juarez cartel to pull the trigger on Gonzalez. The suspects also include two other teenagers, a 17-year-old and a 16-year-old.

The man who recruited the teenagers, Ruben Rodriguez Dorado — also a lieutenant in the Juarez cartel — has also been arrested, and the emerging details of the case paint him as a most interesting figure. After receiving orders from his superiors in the Juarez cartel to kill Gonzalez, Rodriguez was able to freely enter the United States and conduct an extensive effort to locate Gonzalez — he reportedly even paid Gonzalez’s cell phone bill in an effort to obtain his address. Armed with the address, he then conducted extensive surveillance of Gonzalez and carefully planned the assassination, which was then carried out by the young gunman he had recruited.

The sophistication of Rodriguez’s investigative and surveillance efforts is impressive, and the Gonzalez hit was not the first time he undertook such tasks. According to an affidavit filed in state court, Rodriguez told investigators that he also located and surveilled targets for assassination in Mexico. Perhaps the most intriguing aspect of this case is that the entire time Rodriguez was plotting the Gonzalez assassination he, too, was working as a CI for ICE.

---------------------------------

Yet another great article from Stratfor....make sure to check out the full article. It contains awesome insight into the counterintelligence abilities of Mexican cartels.

Here are a couple of points that I found most interesting....

  • Groups like the Beltran Leyva Organization (BLO) have recruited scores of intelligence assets and agents of influence at the local, state and even federal levels of the Mexican government. They even have enjoyed significant success in recruiting agents in elite units such as the anti-organized crime unit of the Mexican attorney general’s office. The BLO even allegedly recruited Mexico’s former drug czar, Noe Ramirez Mandujano, who reportedly was receiving $450,000 per month from the organization.
  • According to a report released last week, in a 10-month period, four applicants for U.S. border law enforcement positions were found through background checks and polygraph examinations to be infiltrators from drug-trafficking organizations. It is important to remember that these four were only those who were caught, and not all agencies submit applicants to the same scrutiny, so the scope of the problem is likely much larger. In light of this history of cartel intelligence activity, it is not unreasonable to assume that the cartels possess the sophistication and skills to employ double agents.
  • Rodriguez’s use of teenage assassins to kill Gonzalez is also in keeping with a trend we have seen in Laredo and elsewhere, that of the cartels recruiting young street-gang members and training them to be assassins. Young gunmen working for Los Zetas in Laredo, Houston, San Antonio and elsewhere have been given the nickname “Zetitas,” or little Zetas.