Friday, January 29, 2010

Dropping Off the Grid

It's been a long week...but next week will be better. I am finally taking a long overdue vacation, so the blog will be pretty quiet for about a week.

But be sure, I will return and hit it harder than before....see everyone next weekend.

Thanks for reading.

Google to Pay For Bugs Found in Chromium

Via Threatpost.com -

Google is starting a new program that will pay security researchers a $500 bounty for every security bug they find in Chromium, the open-source codebase behind the Google Chrome browser, as well as for bugs found in Chrome itself.

The company said Thursday that the plan is both meant as a reward for researchers who have been contributing bugs to the project already, and as a way to encourage other researchers to find security flaws in Chromium. Google said it will pay a base bounty of $500 for most bugs contributed, but may raise the payment to $1337 for bugs that are "particularly severe or particularly clever." The program is modeled after one started some time ago by Mozilla, which also pays $500 bounties.

Not every bug found in Chromium will qualify for the bounty. Google is looking for flaws in the Stable, Dev and Beta channels of the Chromium codebase, and said that the company will not pay for bugs that are disclosed publicly before they're disclosed to the Chromium developers. However, the company will pay for bugs that are disclosed publicly after they've been fixed in Chromium.


In addition to paying for bugs in Chromium and Chrome, Google said it may buy bugs discovered in plug-ins and components.

"In addition, bugs in plugins that are part of the Chromium project and shipped with Google Chrome by default (e.g. Google Gears) may be eligible. Bugs in third-party plugins and extensions are ineligible," the company said.

Other organizations have been buying vulnerabilities privately for several years now, most notably the Zero Day Initiative from Tipping Point, and VeriSign's iDefense Labs unit. Those companies pay far more than $500 for vulnerabilities, and researchers say that private organizations, such as government agencies, routinely pay tens of thousands of dollars for critical remotely exploitable bugs in popular software.

Thursday, January 28, 2010

FCC's Net Neutrality Plan Would Permit Blocking of BitTorrent

Via EFF -

Remember what put the debate over net neutrality into high gear? In 2007, EFF and the Associated Press confirmed suspicions that Comcast was clandestinely blocking BitTorrent traffic. It was one of the first clear demonstrations that ISPs are technologically capable of interfering with your Internet connection, and that they may not even tell you about it. After receiving numerous complaints, the FCC in 2008 stepped in and threw the book at Comcast, requiring them to stop blocking BitTorrent. The Comcast-BitTorrent experience put net neutrality at the top of the FCC agenda.

Yet now that the FCC has formally issued draft net neutrality regulations, they have a huge copyright loophole in them — a loophole that would theoretically permit Comcast to block BitTorrent just like it did in 2007 — simply by claiming that it was "reasonable network management" intended to "prevent the unlawful transfer of content."

You heard that right — under these conditions, the new proposed net neutrality regulations would allow the same practices that net neutrality was first invoked to prevent, even if these ISP practices end up inflicting collateral damage on perfectly lawful content and activities.

When we saw the loophole, we had to ask ourselves, "Is this real net neutrality?" And the answer was simply, "No." The entertainment industry is already pressuring ISPs to become copyright cops. Carving a copyright loophole in net neutrality would leave your lawful activities at the mercy of overbroad copyright filtering schemes, and we already have plenty of experience with copyright enforcers targeting legitimate users by mistake, carelessness, or design.

If net neutrality regulations are to be taken seriously at all, then the loophole must be closed. Sign the petition to demand real net neutrality from the FCC.

New UK Internet Surveillance Directorate - IMP is Dead, Long live the CCD!

Via ubiwar.com -

The Register has the skinny on the UK’s new Communications Capabilities Directorate (CCD), as mentioned here the other day. Sod the iPad, or whatever it’s called, read this:

Home Office Spawns New Unit to Expand Internet Surveillance

Exclusive The Home Office has created a new unit to oversee a massive increase in surveillance of the internet, The Register has learned, quashing suggestions the plans are on hold until after the election.

The new Communications Capabilities Directorate (CCD) has been created as a structure to implement the £2bn Interception Modernisation Programme (IMP), sources said.

The CCD is staffed by the same officials who have been working on IMP since 2007, but it establishes the project on a more formal basis in the Home Office. It is not yet included on the Home Office’s list of directorates.

The intelligence and law enforcement agencies have pushed hard for new laws to force communications providers to store details of who contacts whom, when, where and how via the internet.

However, following a consultation last year, when the Home Office’s plans were heavily criticised by ISPs and mobile companies, it was widely assumed progress on IMP would slow or stop. The CCD has continued meeting with industry to try to allay concerns about the project’s costs, effect on customer privacy and technical feasibility.

“The Home Office has long been working with communications service providers to take forward legislation providing for the retention of communications data,” a Home Office spokesman said. “That is continuing.”

“More recently, we have been considering how, in a changing communications environment, lawful acquisition of communications data and interception of communications can continue to save lives, to counter terrorism, to detect crime and prosecute offenders, and to protect the public.”

Officials envisage communications providers will maintain giant databases of everything their customers do online, including email, social networking, web browsing and making VoIP calls. They want providers to process the mass of data to link it to individuals, to make it easier for authorities to access.

Access to communications data is currently governed by the Regulation of Investigatory Powers Act. Under European legislation ISPs are required to retain basic information about what their customers do online, but not to open their data packets to record who they contact on Facebook, for example.

The Home Office spokesman added: “This is a diverse range of activity now organised within a single Communications Capabilities Directorate with its focus on work under current legislation.

“The Directorate will continue to consider the challenges posed by new technologies, working closely with communications service providers and others to bring forward proposals that command public confidence and demonstrate an appropriate balance between privacy and security.”

Work is also continuing at GCHQ in Cheltenham on its classified Mastering the Internet programme, which is developing systems and methods for extracting intelligence from the huge volumes of new surveillance data online services can generate.

Perhaps government could demonstrate the need for this before ploughing ahead against the interests of almost everyone consulted? Perhaps ‘command public confidence’ by stating exactly what this project is actually going to do, what safeguards there are, and why on earth we need it. Fat chance. We’ve got a war to fight, don’t you know.

Wednesday, January 27, 2010

UK Police Planning to Use Unmanned Spy Drones for "Routine" Monitoring

Via guardian.co.uk -

Police in the UK are planning to use unmanned spy drones, controversially deployed in Afghanistan, for the "routine" monitoring of antisocial motorists, protesters, agricultural thieves and fly-tippers, in a significant expansion of covert state surveillance.

The arms manufacturer BAE Systems, which produces a range of unmanned aerial vehicles (UAVs) for war zones, is adapting the military-style planes for a consortium of government agencies led by Kent police.

Documents from the South Coast Partnership, a Home Office-backed project in which Kent police and others are developing a national drone plan with BAE, have been obtained by the Guardian under the Freedom of Information Act.

They reveal the partnership intends to begin using the drones in time for the 2012 Olympics. They also indicate that police claims that the technology will be used for maritime surveillance fall well short of their intended use – which could span a range of police activity – and that officers have talked about selling the surveillance data to private companies. A prototype drone equipped with high-powered cameras and sensors is set to take to the skies for test flights later this year.

[...]

Concerned about the slow pace of progress of licensing issues, Kent police's assistant chief constable, Allyn Thomas, wrote to the CAA last March arguing that military drones would be useful "in the policing of major events, whether they be protests or the Olympics". He said interest in their use in the UK had "developed after the terrorist attack in Mumbai".

Stressing that he was not seeking to interfere with the regulatory process, Thomas pointed out that there was "rather more urgency in the work since Mumbai and we have a clear deadline of the 2012 Olympics".

[...]

BAE drones are programmed to take off and land on their own, stay airborne for up to 15 hours and reach heights of 20,000ft, making them invisible from the ground.

Far more sophisticated than the remote-controlled rotor-blade robots that hover 50 metres above the ground – which police already use – BAE UAVs are programmed to undertake specific operations. They can, for example, deviate from a routine flightpath after encountering suspicious activity on the ground, or undertake numerous reconnaissance tasks simultaneously.

The surveillance data is fed back to control rooms via monitoring equipment such as high-definition cameras, radar devices and infrared sensors.

Previously, Kent police has said the drone scheme was intended for use over the English Channel to monitor shipping and detect immigrants crossing from France. However, the documents suggest the maritime focus was, at least in part, a public relations strategy designed to minimise civil liberty concerns.

"There is potential for these [maritime] uses to be projected as a 'good news' story to the public rather than more 'big brother'," a minute from one of the earliest meetings, in July 2007, states.

-------------------------

I'm still calling it what it is...Big Brother.

How the Playstation 3 Hypervisor Was Hacked

Via Root Labs (Nate Lawson) -

George Hotz, previously known as an iPhone hacker, announced that he hacked the Playstation 3 and then provided exploit details. Various articles have been written about this but none of them appear to have analyzed the actual code. Because of the various conflicting reports, here is some more analysis to help understand the exploit.

The PS3, like the Xbox360, depends on a hypervisor for security enforcement. Unlike the 360, the PS3 allows users to run ordinary Linux if they wish, but it still runs under management by the hypervisor. The hypervisor does not allow the Linux kernel to access various devices, such as the GPU. If a way was found to compromise the hypervisor, direct access to the hardware is possible, and other less privileged code could be monitored and controlled by the attacker.

Hacking the hypervisor is not the only step required to run pirated games. Each game has an encryption key stored in an area of the disc called ROM Mark. The drive firmware reads this key and supplies it to the hypervisor to use to decrypt the game during loading. The hypervisor would need to be subverted to reveal this key for each game. Another approach would be to compromise the Blu-ray drive firmware or skip extracting the keys and just slave the decryption code in order to decrypt each game. After this, any software protection measures in the game would need to be disabled. It is unknown what self-protection measures might be lurking beneath the encryption of a given game. Some authors might trust in the encryption alone, others might implement something like SecuROM.

The hypervisor code runs on both the main CPU (PPE) and one of its seven Cell coprocessors (SPE). The SPE thread seems to be launched in isolation mode, where access to its private code and data memory is blocked, even from the hypervisor. The root hardware keys used to decrypt the bootloader and then hypervisor are present only in the hardware, possibly through the use of eFUSEs. This could also mean that each Cell processor has some unique keys, and decryption does not depend on a single global root key (unlike some articles that claim there is a single, global root key).

George’s hack compromises the hypervisor after booting Linux via the “OtherOS” feature. He has used the exploit to add arbitrary read/write RAM access functions and dump the hypervisor. Access to lv1 is a necessary first step in order to mount other attacks against the drive firmware or games.

His approach is clever and is known as a “glitching attack”. This kind of hardware attack involves sending a carefully-timed voltage pulse in order to cause the hardware to misbehave in some useful way. It has long been used by smart card hackers to unlock cards. Typically, hackers would time the pulse to target a loop termination condition, causing a loop to continue forever and dump contents of the secret ROM to an accessible bus. The clock line is often glitched but some data lines are also a useful target. The pulse timing does not always have to be precise since hardware is designed to tolerate some out-of-spec conditions and the attack can usually be repeated many times until it succeeds.

------------------------

Very good write-up from Nate on the PS3 hack. If you want to dig into the devil of the details, be sure to follow the link and check out the full article. Good stuff.

Tuesday, January 26, 2010

Playstation 3 Hypervisor Exploit Released

Via Geohot's Playstation 3 Blog -

In the interest of openness, I've decided to release the exploit. Hopefully, this will ignite the PS3 scene, and you will organize and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released. I have a life to get back to and can't keep working on this all day and night.

Please document your findings on the psDevWiki. They have been a great resource so far, and with the power this exploit gives, opens tons of new stuff to document. I'd like to see the missing HV calls filled in, nice memory maps, the boot chain better documented, and progress on a 3D GPU driver. And of course, the search for a software exploit.

This is the coveted PS3 exploit, gives full memory access and therefore ring 0 access from OtherOS. Enjoy your hypervisor dumps. This is known to work with version 2.4.2 only, but I imagine it works on all current versions. Maybe later I'll write up how it works :)

Good luck!

Hackers Targeted Oil Companies for Oil-Location Data

Via Wired.com -

Three U.S. oil companies were targeted in a coordinated hack that sought valuable information about new discoveries of oil deposits and other data, according to a new report in the Christian Science Monitor.

The attacks predated by two years recent intrusions into Google and other companies but shared some similarities to those attacks. Highly targeted malicious e-mails were sent to employees and customized spyware attempted to grab specific data.

The hackers sought “bid data,” which details the location of oil deposits around the world as well as their size and value.

“Knowing which one of those blocks is oil-bearing — and which to go for and which not — is clearly worth something,” Paul Dorey, former chief information security officer at BP, told the Monitor. “If I was a foreign government, that’s the data I would want to get — and any analysis that reveals [a company's] intention.”

The three companies that were hit — ExxonMobil, ConocoPhillips and Marathon Oil — didn’t confirm the hacks to the Monitor. But according to sources who spoke with the paper, the companies were unaware of the extent of the attacks until authorities disclosed that the hackers had been siphoning e-mail passwords and other data associated with executives who had access to proprietary oil exploration and discovery information.

“We’ve seen real, targeted attacks on our C-level [most senior] executives,” an anonymous oil company official told the Monitor.

In February 2009, federal officials from the National Cyber Investigative Joint Task Force met with oil company executives and their technology teams to discuss what occurred.

Marathon Oil first became suspicious when, on Nov. 13, 2008, a senior executive in the company’s Houston office received an e-mail that appeared to be a reply to a message she had sent a corporate colleague overseas. The original message, which included a URL, related to the U.S. government’s bailout plan for U.S. banks. The executive did not send the original message and warned colleagues to avoid the e-mail if they received one.

Investigators would ultimately learn that similar e-mails had been sent to key executives at ExxonMobil and ConocoPhillips, as well. Some of the data siphoned from the companies went to computers overseas, including one located in China.

The Monitor doesn’t say what vulnerability the malicious e-mails targeted. And it’s unclear whether hackers managed to obtain the “bid data” they sought.

VMware Releases vSphere Hardening Guide Draft

Via SANS ISC -

VMware announces the first draft of its vSphere Hardening Guide, posted for public comment. A worthy successor to the current VMware Hardening Guide, it contains over 100 guidelines, split into the following sections:

* Introduction
* Virtual Machines
* Host
* vNetwork
* vCenter
* Console OS (for ESX)

Aside from the versioning difference, this newer version of the guide uses a standardized format, and has severity levels for each security recommendation. The Hardening Guide can certainly be used as-is for production environments today, but we can expect changes over the next while in response to comments to the posted draft. While reviewing the draft, you'll see that most guidelines are worded to be "script friendly", which is very nice to see.

The announcement can be found here ==> http://blogs.vmware.com/security/2010/01/announcing-vsphere-40-hardening-guide-public-draft-release.html

The actual hardening guides can be found here ==> http://communities.vmware.com/community/vmtn/general/security?view=documents

Again, each document has a comments form, the authors are actively seeking constructive comments on these documents before going to a final version.

Operation Aurora - 'Obscure' CRC Code May Not Be That Obscure

Via The Register UK -

An error-checking algorithm found in software used to attack Google and other large companies circulated for years on English language books and websites, casting doubt on claims it provided strong evidence that the malware was written by someone inside the People's Republic of China.

The smoking gun said to tie Chinese-speaking programmers to the Hydraq trojan that penetrated Google's defenses was a cyclic redundancy check routine that used a table of only 16 constants. Security researcher Joe Stewart said the algorithm "seems to be virtually unknown outside of China," a finding he used to conclude that the code behind the attacks dubbed Aurora "originated with someone who is comfortable reading simplified Chinese."

"In my opinion, the use of this unique CRC implementation in Hydraq is evidence that someone from within the PRC authored the Aurora codebase," Stewart wrote here.

In fact, the implementation is common among English-speaking programmers of microcontrollers and other devices where memory is limited. In 2007, hardware designer Michael Karas discussed an almost identical algorithm here. Undated source code published here also bears more than a striking resemblance.

The method was also discussed in W. David Schwaderer's 1988 book C Programmer's Guide to NetBIOS. On page 200, it refers to a CRC approach that "only requires 16 unsigned integers that occupy a mere 32 bytes in a typical machine." On page 205, the author goes on to provide source code that's very similar to the Aurora algorithm.

"Digging this a little deeper though, the algorithm is a variation of calculating CRC using a nibble (4 bits) instead of a byte," programmer and Reg reader Steve L. wrote in an email. "This is widely used in single-chip computers in the embedded world, as it seems. I'd hardly call this a new algorithm, or [an] obscure one, either."

[...]

The claim that the CRC was lifted from a paper published exclusively in simplified Chinese seemed like the hard evidence that was missing from the open-and-shut case. In an email to The Register, Stewart acknowledged the CRC algorithm on 8052.com was the same one he found in Hydraq, but downplayed the significance.

"The guy on that site says he has used the algorithm, didn't say he wrote it," Stewart explained. "I've seen dates on some of the Chinese postings of the code dating back to 2002."

Maybe. But if the 16-constant CRC routine is this widely known, it seems plausible that attackers from any number of countries could have appropriated it. And that means Google and others claiming a China connection have yet to make their case.

The lack of evidence is important. Google's accusations have already had a dramatic effect on US-China relations. If proof beyond a reasonable doubt is good enough in courts of law, shouldn't it be good enough for relations between two of the world's most powerful countries?
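The 16-constant, nibble-at-a-time CRC that the article describes is a textbook embedded technique, and the following added example (not Hydraq's code, and not the code from Schwaderer's book or 8052.com) shows why it is weak attribution evidence: the 16-entry table is derived mechanically from the polynomial, occupies the 32 bytes the book quotes, and produces exactly the same checksum as the conventional 256-entry and bitwise forms. The CRC-16/ARC parameters (reflected polynomial 0xA001, zero initial value, no final XOR) are an assumption for illustration; the page does not say which polynomial Hydraq used.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed parameters (CRC-16/ARC): reflected polynomial and zero init.
 * Any reflected CRC can be computed the same way; only the table changes. */
#define CRC16_POLY_REFLECTED 0xA001u
#define CRC16_INIT           0x0000u

/* Nibble table: one entry per 4-bit value, 16 x 2 bytes = 32 bytes. */
static uint16_t nibble_table[16];
/* Conventional byte table for comparison: 256 x 2 bytes = 512 bytes. */
static uint16_t byte_table[256];

/* Apply the bitwise CRC step 'bits' times; both tables are just the
 * result of running this on every possible nibble or byte value. */
static uint16_t shift_steps(uint16_t c, int bits)
{
    for (int i = 0; i < bits; i++)
        c = (c & 1u) ? (uint16_t)((c >> 1) ^ CRC16_POLY_REFLECTED)
                     : (uint16_t)(c >> 1);
    return c;
}

/* Derive both lookup tables from the polynomial alone. */
void crc16_build_tables(void)
{
    for (uint16_t i = 0; i < 16; i++)  nibble_table[i] = shift_steps(i, 4);
    for (uint16_t i = 0; i < 256; i++) byte_table[i]   = shift_steps(i, 8);
}

/* Nibble-at-a-time update: low nibble first (reflected order), then high. */
uint16_t crc16_nibble(const uint8_t *data, size_t len)
{
    uint16_t crc = CRC16_INIT;
    for (size_t i = 0; i < len; i++) {
        crc = (uint16_t)((crc >> 4) ^ nibble_table[(crc ^ data[i]) & 0xFu]);
        crc = (uint16_t)((crc >> 4) ^ nibble_table[(crc ^ (data[i] >> 4)) & 0xFu]);
    }
    return crc;
}

/* Conventional byte-at-a-time update with the 256-entry table. */
uint16_t crc16_bytewise(const uint8_t *data, size_t len)
{
    uint16_t crc = CRC16_INIT;
    for (size_t i = 0; i < len; i++)
        crc = (uint16_t)((crc >> 8) ^ byte_table[(crc ^ data[i]) & 0xFFu]);
    return crc;
}

/* Table-free bitwise reference straight from the polynomial definition. */
uint16_t crc16_bitwise(const uint8_t *data, size_t len)
{
    uint16_t crc = CRC16_INIT;
    for (size_t i = 0; i < len; i++)
        crc = shift_steps((uint16_t)(crc ^ data[i]), 8);
    return crc;
}

/* Memory footprint of each table, the property the book advertises. */
size_t crc16_nibble_table_bytes(void) { return sizeof nibble_table; }
size_t crc16_byte_table_bytes(void)   { return sizeof byte_table; }

int main(void)
{
    /* Constructed sample input: the conventional CRC check string. */
    static const uint8_t check[] = "123456789";
    crc16_build_tables();
    printf("nibble table %zu bytes, byte table %zu bytes\n",
           crc16_nibble_table_bytes(), crc16_byte_table_bytes());
    printf("nibble %04X  bytewise %04X  bitwise %04X\n",
           crc16_nibble(check, 9), crc16_bytewise(check, 9),
           crc16_bitwise(check, 9));
    return 0;
}
```

All three routines agree on every input, which is the point: a 16-entry table is a space optimisation any embedded programmer can derive, not a signature of a particular author.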

Operation Aurora - Hackers Target Friends of Google Workers

Via FT.com -

Personal friends of employees at Google, Adobe and other companies were targeted by hackers in a string of recently disclosed cyberattacks, raising privacy concerns and pointing to a highly sophisticated operation, security experts said.

Cybersecurity experts analysing the attacks said the hackers spied on individuals and used other sophisticated techniques, making them extremely difficult to stop. The disclosures come amid renewed alarm over cybersecurity after Google said it had been the target of a series of cyberattacks from China.

The most significant discovery is that the attackers had selected employees at the companies with access to proprietary data, then learnt who their friends were. The hackers compromised the social network accounts of those friends, hoping to enhance the probability that their final targets would click on the links they sent.

“We’re seeing a lot more up-front reconnaissance, understanding who the players are at the company and how to reach them,” said George Kurtz, chief technology officer at security firm McAfee.

“Someone went to the trouble to backtrack: ‘Let me look at their friends, who I can target as a secondary person’.”

McAfee discovered that a previously unknown flaw in Microsoft’s Internet Explorer had been used in the attacks. Mr Kurtz said the attackers also used one of the most popular instant messaging programmes to induce victims to click on a link that installed spy software.

-----------------------------

Loose lips sink ships you know....

Monday, January 25, 2010

The Great Australian Internet Blackout

http://www.internetblackout.com.au/

The Great Australian Internet Blackout is a combined online and offline demonstration against imposed online censorship. We’re collaborating with Electronic Frontiers Australia to make sure every Australian knows why this draconian policy is unacceptable.

-----------------------------

http://www.efa.org.au/

Electronic Frontiers Australia today announced that over 500 Australian web sites will be “blacked out” on Australia Day in protest against the Rudd government’s mandatory Internet filtering plan. Included among them are the Australian Greens, an Internet service provider, media outlets, and hundreds of other Australian businesses and organisations.

[...]

The “Great Australian Internet Blackout” was the brainchild of activist Jeff Waugh, and is endorsed and supported by EFA. For a week starting on Australia Day, participating web sites will appear to turn black and will display a one-time message to visitors explaining the Government’s plan and offering them more information before allowing visitors to continue as normal.

The plan, which will see all Australian Internet connections subject to a Government-controlled blacklist of banned sites, will apply to all Australian Internet connections within 12 months of the legislation being passed. Although originally touted as a “cyber-safety” policy, the resulting filter will not filter out all material unsuitable for children, instead targeting a select list of “refused classification” material, which would include content dealing with crime, drugs and certain types of adult material.

[...]

Concerns with the list include its broad scope, its secret nature, and the inability of Australian businesses to know if and when they have been placed on the list. “One of our main concerns is how the list might expand in the future,” said Jacobs. “It’s hard to imagine this and all future governments responding to special interests, electoral pressure and the news cycle only with restraint forevermore.”

The Internet Blackout on Australia Day marks an escalation of opposition to the plan, which will continue throughout the year. “Our goal is to ensure the Australian public know what they’re in for,” said Peter Black, EFA’s campaign manager. “It’s important that such a major and expensive policy gets the public scrutiny it deserves.”

Unpatched Microsoft Windows "KiTrap0D" Privilege Escalation in Metasploit

HD Moore posted the following Twitter (@hdmoore) update in the last several hours...
Easy privilege escalation in Metasploit using Tavis Ormandy's KiTrap0d code (with minor tweaks): http://pastie.org/793713 (svn update)
-----------------------------

Original advisory - http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html

If 16-bit programs are not required, you can disable the VDM with a simple registry configuration change. This mitigation is outlined in an H-Online article from last week.

-----------------------------

On Jan 20th, Microsoft released a Security Advisory (979682) outlining the issue....
http://www.microsoft.com/technet/security/advisory/979682.mspx

Saturday, January 23, 2010

Gettin' Down: Planned Record-Breaking Skydive This Year Will Include First Supersonic Free Fall

Via scientificamerican.com -

A privately funded team will attempt this year to break a 50-year-old record for the highest-altitude parachute jump, floating a balloon well into the stratosphere before its pilot leaps out for a supersonic free fall.

The team behind the Red Bull Stratos mission announced details of the attempt here Friday morning in a media briefing. If all goes as planned, a towering helium balloon will loft Austrian-born skydiver and BASE jumper Felix Baumgartner, 40, roughly 37 kilometers into the air before he begins his descent. (BASE stands for "buildings, antennas, spans, Earth"—the places and structures from which a BASE parachutist jumps.) Baumgartner could set new records for the highest manned balloon flight and the longest free fall as well as become the first person to break the sound barrier without a protective craft. Baumgartner said he would exceed the speed of sound within about 35 seconds of free fall but would not pull his chute for another five minutes.

"It's human nature to want to go faster, farther," said Joe Kittinger, 81, the retired U.S. Air Force pilot who made the highest jump on record in 1960, parachuting from a balloon 31 kilometers above Earth's surface. Kittinger is the Stratos mission's capcom (short for capsule communicator), which means that he will be the voice in Baumgartner's helmet. Kittinger's advice to his successor: "Have fun, enjoy it, and tell us all about it when you get down."

Baumgartner, who called Kittinger a "childhood hero," is perhaps best known for gliding across the English Channel in 2003 with a carbon-fiber wing strapped to his back. Baumgartner said that jump, from about 10 kilometers, is his highest to date. The Stratos mission is incremental, with two lower-altitude jumps set to precede the final attempt; even the first jump, from roughly 20 kilometers, would double Baumgartner's personal altitude record.

The Stratos team claimed that Baumgartner's jump will be more than a dangerous stunt—Kittinger said that the collection of physiological data is central to the mission. Medical director Jonathan Clark noted that Kittinger's 1960 jump as part of the Air Force's Project Excelsior was in some ways a precursor to manned U.S. space missions, which began the next year. Similarly, Clark said, investigating the effects of a high-altitude bailout could benefit the fledgling commercial spaceflight industry.

Although many details of Baumgartner's proposed feats were on display, much of the mission's logistics remain opaque. Red Bull said only that the Stratos launch, for which a date has not been set, would be from North America; the company would not disclose the cost of the mission.

French skydiver Michel Fournier has attempted, without success, similar assaults on the record books in the past. At his most recent try in 2008, Fournier's balloon drifted away from its Saskatchewan launch site as it was being filled. The Web site for Fournier's project states that another attempt at a balloon jump from 40 kilometers will be made this year.

----------------------------

http://en.wikipedia.org/wiki/Project_Excelsior

On August 16, 1960, Kittinger jumped out of his gondola at 102,800 ft. His entire descent took 13 minutes and 45 seconds and set the current world record for the highest parachute jump. During the descent, Kittinger experienced temperatures as low as −94 °F (−70 °C). In the free-fall stage, he reached a top speed of 988 km/h (614 mph).

Venezuela Silent as Colombia Expels Two Alleged Spies

Via IntelNews.org -

On Tuesday, the Colombian government announced the expulsion of two alleged Venezuelan intelligence agents, reportedly for conducting espionage operations on Colombian soil. The two, Jose Vicente Marquez and Diego Jose Palomino, were nabbed by counterintelligence agents of Colombia’s Administrative Department of Security (DAS) in the northwest city of Valledupar, just a few miles from the Colombian-Venezuelan border. The two were reportedly found in possession of video footage of homes and vehicles, as well as “other types of material”, which so far remains unspecified. DAS director, Felipe Muñoz, said the two alleged agents appeared to be illegals – i.e. not affiliated with the Venezuelan embassy in Bogotá – having entered the country clandestinely on January 12, via Paraguachon, on the northernmost tip of the Colombian-Venezuelan border. The expulsion of the two alleged agents is only the latest incident in a wider low-intensity intelligence conflict between the two neighboring countries. Last October, the government of Venezuela announced the arrest of an undisclosed number of Colombian intelligence agents, who were allegedly “captured carrying out actions of espionage”. There has reportedly been no comment about this latest incident from the Venezuelan Ministry of External Relations.

Somali Pirates Threaten to Kill British Hostages in Days

Via CNN -

A British couple held hostage by pirates for more than three months have told of brutal treatment at the hands of their captors, who they say are perilously close to killing them.

In separate telephone interviews with CNN affiliate ITN, Paul and Rachel Chandler pleaded for help and spoke of their fears that they were just days away from death.

An emotional Rachel Chandler also spoke of how she thought "dying would actually be an easy way out" and how she wanted to see her husband "at least once before we die."

The Chandlers were taken by pirates from their 38-foot yacht, the Lynn Rival, just days after setting sail from the Seychelles islands for Tanzania.

Their captors initially demanded a ransom of $7 million, but the British government -- in line with longstanding policy -- has refused to pay.

"Please, please find a way of helping us because it really is a very desperate situation here," Rachel Chandler said in the latest interview, in which she said she had not seen her husband for two weeks since they were violently separated.

"I've broken a tooth because I was hit on the head with something, probably the butt of a gun... I don't know... and yes, so we have been physically attacked."

Rachel Chandler, 55, who along with her husband has been held for nearly 100 days, said the pirates had issued a new deadline.

"They've just told me that if they don't get the money within four or five days they'll kill one of us."

Audibly close to tears, she also asked for a message to be passed on to her husband.

"The message to him is hang on for me because I hope -- my biggest hope -- is that I shall see him at least once before we die."

She added: "It's hard not to feel, well, dying would actually be an easy way out. It's hard to explain but it is when you're all on your own in this country and you've no idea where you are and no idea when something might happen and whether I'll see Paul again. It's just very, very despairing."

Internet 2009 in Numbers

Via pingdom.com -

What happened with the Internet in 2009?

How many websites were added? How many emails were sent? How many Internet users were there? This post will answer all of those questions and many more. Prepare for information overload, but in a good way.

We have used a wide variety of sources from around the Web. A full list of source references is available at the bottom of the post for those interested. We here at Pingdom also did some additional calculations to get even more numbers to show you.

[...]

Websites
  • 234 million – The number of websites as of December 2009.
  • 47 million – Added websites in 2009.
Web servers
  • 13.9% – The growth of Apache websites in 2009.
  • -22.1% – The growth of IIS websites in 2009.
  • 35.0% – The growth of Google GFE websites in 2009.
  • 384.4% – The growth of Nginx websites in 2009.
  • -72.4% – The growth of Lighttpd websites in 2009.
[...]

Internet users
  • 1.73 billion – Internet users worldwide (September 2009).
  • 18% – Increase in Internet users since the previous year.
  • 738,257,230 – Internet users in Asia.
  • 418,029,796 – Internet users in Europe.
  • 252,908,000 – Internet users in North America.
  • 179,031,479 – Internet users in Latin America / Caribbean.
  • 67,371,700 – Internet users in Africa.
  • 57,425,046 – Internet users in the Middle East.
  • 20,970,490 – Internet users in Oceania / Australia.

Friday, January 22, 2010

Project Grey Goose Report on Critical Infrastructure: Attacks, Actors, and Emerging Threats

http://dataclonelabs.com/security_talkworkshop/papers/25550091-Proj-Grey-Goose-report-on-Critical-Infrastructure-Attacks-Actors-and-Emerging-Threats.pdf

Introduction

This Project Grey Goose investigation was launched on October 16, 2009 to answer the question of whether there has been any successful hacker attacks against the power grid, both domestically and internationally.

Today, January 21, 2010, we are able to answer that question. Our Key Findings are particularly relevant now as Smart Grid research and development ramps up and implementation of Smart Grid technology occurs across the globe.

There are many reports in the public domain which discuss vulnerabilities in the power grid. This is not one of them. Instead, this report looks at the broader threat landscape, some (not all) of the key actors involved, and most importantly, how U.S. Energy companies as a self-regulating and predominantly privately owned industry contribute to making the U.S power grid less secure.

Thursday, January 21, 2010

U.S. Offers Pakistan Shadow Drones to Urge Cooperation

Via NYTimes.com -

The United States will provide a dozen unarmed aerial spy drones to Pakistan for the first time as part of an effort to encourage Pakistan’s cooperation in fighting Islamic militants on the Afghanistan border, American defense officials said Thursday. But Pakistani military leaders, rebuffing American pressure, said they planned no new offensives for at least six months.

The unmanned Shadow drones, which are smaller than armed Predator drones, would be a significant upgrade in the Pakistanis’ reconnaissance and surveillance capability and would supply video to help cue ground or air strikes.

Defense Secretary Robert M. Gates, who is in Pakistan on a two-day visit, made the initial disclosure about the drones, or unmanned aerial vehicles, in an interview Thursday with a Pakistani television reporter.

[...]

Shortly before Mr. Gates’s remarks, the chief spokesman of the Pakistani Army indicated that the army would not launch any assault against militants in the tribal region of North Waziristan for six to 12 months, pushing back against calls by the United States to root out militants staging attacks along the Afghan border.

The Army spokesman, Maj. Gen. Athar Abbas, told American reporters at the army headquarters in Rawalpindi that Pakistan had to stabilize its gains and contain Taliban militants scattered by offensives already opened last year. “We are not capable of sustaining further military operations,” Major Abbas said.

[...]

Pakistan, which already has some limited surveillance capability, has long asked for drone technology from the United States, arguing that it should have the same resources to watch and kill militants on its own soil as does the Central Intelligence Agency, which conducts regular drone strikes in Pakistan.

American officials have rejected giving Pakistan armed drones. The Shadow surveillance drone appears to be a compromise aimed at enticing Pakistan further into the war and helping the country’s political leadership explain the drone strikes to a deeply suspicious and anti-American public.

[...]

American defense officials said that the drones would be for use in Pakistan’s tribal areas and would be restricted to defensive rather than offensive operations. One major concern for the American military is the possibility that Pakistan could use the drones against India, its archrival in the region.

The latest version of the Shadow is used by the United States Army and the Marines in Iraq and Afghanistan. It has a wing span of 14 feet, is about 12 feet long, is launched from a trailer by ground units and can fly about 70 miles.

Interesting Recently Released CRS Reports

http://opencrs.com/recent/

R41022: The National Counterterrorism Center (NCTC)--Responsibilities and Potential Congressional Concerns (01/15/2010)

RL32048: Iran: U.S. Concerns and Policy Responses (01/06/2010)

RL30588: Afghanistan: Post-Taliban Governance, Security, and U.S. Policy (12/30/2009)

R40344: The United Arab Emirates Nuclear Program and Proposed U.S. Nuclear Cooperation (12/23/2009)

R40980: Government Collection of Private Information: Background and Issues Related to the USA PATRIOT Act Reauthorization (12/23/2009)

RL34256: North Korea's Nuclear Weapons: Technical Issues (12/16/2009)

MPAA and RIAA Seek Net Neutrality Copyright Loophole

Via EFF -

Last week the MPAA and RIAA submitted their comments in the FCC's net neutrality proceeding. As anticipated in EFF's comments, the big media companies are pushing for a copyright loophole to net neutrality. They want to be able to pressure ISPs to block, interfere with, or otherwise discriminate against your perfectly lawful activities in the course of implementing online copyright enforcement measures.

Of course, the MPAA and RIAA couch this in language intended to sound inoffensive. The RIAA says "the perfect should not be the enemy of the good" and "justice often takes too long." The MPAA chimes in that "it is essential that government policies explicitly permit—and encourage—ISPs to work with content creators to utilize the best available tools and technologies to combat online content theft."

But here's how it would work in practice. The proposed FCC net neutrality principles include a loophole for "reasonable network management," which is defined to include "reasonable practices employed by a provider of broadband Internet access service to...(iii) prevent the transfer of unlawful content; or (iv) prevent the unlawful transfer of content." That means that so long as your ISP claims that it's trying to prevent copyright infringement, it's exempted from the net neutrality principles and can interfere with your ability to access lawful content, use lawful devices, run lawful applications, or access lawful services.

This is not about protecting copyright infringers—the FCC's proposed net neutrality principles expressly do not apply to unlawful content or unlawful transmissions. So you don't need a "reasonable network management" loophole to go after illegal conduct. The loophole that the RIAA and MPAA are after is about giving the green light to overbroad copyright enforcement measures that inflict collateral damage on innocent conduct.

The proposed copyright loophole is reminiscent of the RIAA's response when asked about innocent people mistakenly sued for file sharing: "When you go fishing with a driftnet, sometimes you catch a dolphin." Unlike the MPAA and RIAA, EFF doesn't think that ISPs should get a free pass for sideswiping innocent activities if they implement shoddy copyright enforcement systems. And neither do Public Knowledge, the Consumer Electronics Association, CCIA, NetCoalition, or the Home Recording Rights Coalition.

Allowing ISPs to jeopardize perfectly legal activities in the name of "copyright enforcement" is a bad idea. Let the FCC know that you oppose any copyright loophole that would allow the RIAA and MPAA to pressure ISPs into catching your "dolphins" in their poorly designed fishing nets.

Websense Introduces First Real-Time Security Application for Facebook

Via Websense.com -

Organizations and individuals alike are adopting blogging platforms, social Web sites like Facebook and Twitter, and other Web 2.0 technologies at a rapid pace. In fact 59 percent of all U.S. Internet users now use social networks, 70 percent consume content on social media and social networking sites and 46 percent of Fortune 100 companies have an official company presence on Facebook today.

Unfortunately, the social nature of Web 2.0 also causes security risks to spread swiftly and claim many victims. The chairman of the Federal Communications Commission himself fell victim and accidentally spammed his friends on Facebook after mistakenly clicking on a bad link.

Today, Websense® is helping organizations and individuals protect their blogs, Facebook pages and other Web 2.0 sites through the delivery of Defensio™ 2.0, a threat detection system for the social Web that analyzes and classifies user-generated content in real-time as it is posted to blogs and Facebook pages, to protect visitors from being exposed to malicious links and spam.

Individuals and organizations with Facebook pages can visit www.defensio.com to download the free Defensio security application for Facebook. It runs on the Facebook page in real-time, scanning and analyzing content posted to the page – including wall posts, comments, third-party applications and links – to look for security threats and spam. If a threat is identified, the Defensio application alerts the Facebook page owner so they may remove it and prevent their online friends and fans from being exposed to the risk.

Whereas other security applications are designed to help clean a user's computer after it has been infected, the Defensio application from Websense is the first proactive security measure that helps prevent users from ever being exposed to the threat in the first place.

Click to watch the video on Defensio 2.0 to learn more:
http://www.youtube.com/watch?v=BSLg-yVXt4I

[...]

Protect your Facebook page today by visiting www.defensio.com.

Unprofessional TSA Screener Plays Joke on Passenger

Via Philly.com -

In the tense new world of air travel, we're stripped of shoes, told not to take too much shampoo on board, frowned on if we crack a smile.

The last thing we expect is a joke from a Transportation Security Administration screener - particularly one this stupid.

Rebecca Solomon is 22 and a student at the University of Michigan, and on Jan. 5 she was flying back to school after holiday break. She made sure she arrived at Philadelphia International Airport 90 minutes before takeoff, given the new regulations.

She would be flying into Detroit on Northwest Airlines, the same city and carrier involved in the attempted bombing on Christmas, just 10 days before. She was tense.

What happened to her lasted only 20 seconds, but she says they were the longest 20 seconds of her life.

After pulling her laptop out of her carry-on bag, sliding the items through the scanning machines, and walking through a detector, she went to collect her things.

A TSA worker was staring at her. He motioned her toward him.

Then he pulled a small, clear plastic bag from her carry-on - the sort of baggie that a pair of earrings might come in. Inside the bag was fine, white powder.

She remembers his words: "Where did you get it?"

Two thoughts came to her in a jumble: A terrorist was using her to sneak bomb-detonating materials on the plane. Or a drug dealer had made her an unwitting mule, planting coke or some other trouble in her bag while she wasn't looking.

She'd left her carry-on by her feet as she handed her license and boarding pass to a security agent at the beginning of the line.

Answer truthfully, the TSA worker informed her, and everything will be OK.

Solomon, 5-foot-3 and traveling alone, looked up at the man in the black shirt and fought back tears.

Put yourself in her place and count out 20 seconds. Her heart pounded. She started to sweat. She panicked at having to explain something she couldn't.

Now picture her expression as the TSA employee started to smile.

Just kidding, he said. He waved the baggie. It was his.

And so she collected her things, stunned, and the tears began to fall.

Another passenger, a woman traveling to Colorado, consoled her as others who had witnessed the confrontation went about their business. Solomon and the woman walked to their gates, where each called for security and reported what had happened.

A joke? You're not serious. Was he hitting on her? Was he flexing his muscle? Who at a time of heightened security and rattled nerves would play so cavalierly with a passenger's emotions?

When someone is trying to blow planes out of the sky, what is a TSA employee doing with his eyes off the ball?

When she complained to airport security, Solomon said, she was told the TSA worker had been training the staff to detect contraband. She was shocked that no one took him off the floor, she said.

"It was such a violation," the Wynnewood native told me by phone. "I'd come early. I'd done everything right. And they were kidding about it."

I ran her story past Ann Davis, regional TSA spokeswoman, who said she knew nothing to contradict the young traveler's account.

Davis said privacy law prevents her from identifying the TSA employee. The law prevents her from disclosing what sort of discipline he might have received.

"The TSA views this employee's behavior to be highly inappropriate and unprofessional," she wrote. "We can assure travelers this employee has been disciplined by TSA management at Philadelphia International Airport, and he has expressed remorse for his actions."

Maybe he's been punished enough. That Solomon's father, Jeffrey, is a Center City litigator might mean this story isn't over.

In the meantime, I think the TSA worker should spend time following passengers through the scanners, handing them their shoes. Maybe he could tie them, too.

Update: Ann Davis, the TSA spokeswoman, said this afternoon that the worker is no longer employed by the agency as of today. She said privacy laws prevented her from saying if he was fired or left on his own.

MS10-002 - Cumulative Security Update for IE

http://www.microsoft.com/technet/security/Bulletin/MS10-002.mspx

This security update is rated Critical for all supported releases of Internet Explorer: Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6 Service Pack 1, Internet Explorer 7, and Internet Explorer 8 (except Internet Explorer 6 for supported editions of Windows Server 2003). For Internet Explorer 6 for supported editions of Windows Server 2003 as listed, this update is rated Moderate.

[...]

Microsoft thanks the following for working with us to help protect customers:
  • David Lindsay "thornmaker" and Eduardo A. Vela Nava "sirdarckcat" for reporting the XSS Filter Script Handling Vulnerability (CVE-2009-4074)
  • Lostmon Lords for reporting the URL Validation Vulnerability (CVE-2010-0027)
  • Brett Moore, working with TippingPoint and the Zero Day Initiative, for reporting the URL Validation Vulnerability (CVE-2010-0027)
  • Wushi of team509, working with TippingPoint and the Zero Day Initiative, for reporting the Uninitialized Memory Corruption Vulnerability (CVE-2010-0244)
  • Sam Thomas of eshu.co.uk, working with TippingPoint and the Zero Day Initiative, for reporting the Uninitialized Memory Corruption Vulnerability (CVE-2010-0245)
  • Sam Thomas of eshu.co.uk, working with TippingPoint and the Zero Day Initiative, for reporting the Uninitialized Memory Corruption Vulnerability (CVE-2010-0246)
  • Haifei Li of Fortinet’s FortiGuard Labs for reporting the Uninitialized Memory Corruption Vulnerability (CVE-2010-0247)
  • Peter Vreugdenhil, working with TippingPoint and the Zero Day Initiative, for reporting the HTML Object Memory Corruption Vulnerability (CVE-2010-0248)
  • Meron Sellem of BugSec for reporting the HTML Object Memory Corruption Vulnerability (CVE-2010-0249)
Microsoft thanks the following companies for working with us and for providing details of limited, targeted attacks against customers of Internet Explorer 6:
  • Google Inc. and MANDIANT
  • Adobe
  • McAfee
  • French government CSIRT (CERTA)
---------------------------------

Of the nine vulnerabilities fixed in this patch, five were reported via TippingPoint's ZDI program.

For those keeping track, CVE-2010-0249 is the zeroday that was used in "Operation Aurora".

Customs and Border Protection (CBP) First Production Documents

Via ACLU.org -

In response to the ACLU’s Freedom of Information Act lawsuit seeking documents about the government’s policy of searching travelers’ laptops and cell phones at U.S. border crossings without suspicion of wrongdoing, the government has released hundreds of pages of documents about the policy. The records reveal new information about how many devices have been searched, what happens to travelers’ files once they are in the government’s possession, and travelers’ complaints about how they are treated by border officials.

The ACLU's analysis of the first batch of documents released by CBP reveals:

• In a span of just nine months, CBP officials searched over 1,500 electronic devices belonging to travelers. Under the current policy, they were not required to justify a single one of these searches.

• Travelers' laptops are not the only devices at risk of being examined, detained, or seized by the government. In fact, cell phones were the most commonly searched and seized devices between October 2008 and June 2009.

• Other types of devices that were searched and detained during this time period include digital cameras, thumb drives, hard drives, and even DVDs.

• Between July 2008 and June 2009, CBP transferred electronic files found on travelers' devices to third-party agencies almost 300 times. Over half the time, these unknown agencies asserted independent bases for retaining or seizing the transferred files. More than 80 percent of the transfers involved the CBP making copies of travelers' files.

[...]

Those interested in analyzing the data themselves may find these spreadsheets useful.

Nmap 5.20 Released

http://seclists.org/nmap-hackers/2010/0

Happy new year, everyone. I'm happy to announce Nmap 5.20--our first stable Nmap release since 5.00 last July! It offers more than 150 significant improvements, including:
  • 30+ new Nmap Scripting Engine scripts
  • enhanced performance and reduced memory consumption
  • protocol-specific payloads for more effective UDP scanning
  • a completely rewritten traceroute engine
  • massive OS and version detection DB updates (10,000+ signatures)
The Nmap 5.00 source code and packages for Linux, Mac, and Windows are available for download at the usual place:

http://nmap.org/download.html

Wednesday, January 20, 2010

Deep-Sea Snail Shell Could Inspire Better Body Armor

Via Wired.com (Wired Science) -

A deep-sea snail wears a multilayered suit of armor, complete with iron, new research shows. Dissecting details of the shell’s structure could inspire tough new materials for use in everything from body armor to scratch-free paint.

“If you look at the individual properties of the bits and pieces that go into making this shell, they’re not very impressive,” comments Robert Ritchie of the University of California, Berkeley. “But the overall thing is.”

The snail, called the scaly-foot gastropod, was discovered nearly a decade ago living in a hydrothermal vent field in the Indian Ocean. In its daily life, the snail encounters extreme temperatures, high pressures and high acidity levels that threaten to dissolve its protective shell. Worse, it is hunted by crabs that try to crush the mollusk between strong claws.

To understand how the valiant gastropod holds up to these trials, Christine Ortiz of MIT and her colleagues used nanoscale experiments and computer simulations to dig in to the shell’s structure. Many other species’ shells exhibit what Ortiz calls “mechanical property amplification,” in which the whole material is hundreds of times stronger than the sum of its parts.

[...]

Ortiz hopes that studying the snail’s shell could one day lead to improved materials for armor or helmets for people. Studying organisms that have been optimized for extreme environments through millions of years of evolution could offer ideas that engineers would never think of on their own, she says.

But it will probably be a while, Ritchie cautions. His lab built a ceramic material based on mother-of-pearl in 2008.

“I’m a great fan of this kind of research, but the next step is the critical one. Can you actually harness that information and make a synthetic structure in its image which has the same properties?” he asks. “That’s the most difficult step.”

FBI Replaced Legal Process with Post-It Notes to Obtain Phone Records

Via EFF -

Today, the DOJ's Office of the Inspector General issued a long awaited report on the FBI's use of 'exigent letters' to obtain phone records. While the report has many interesting and shocking revelations, three issues jumped out at us: Post-it note process; a secret new legal theory; and the need for accountability for the telecoms.

Post-it notes. Seriously.

While we had known since 2007 that the FBI improperly sought phone records by falsely asserting emergency circumstances, the report shows the situation inside the FBI's Communications Analysis Unit (CAU) degenerated even further, sometimes replacing legal process with sticky notes.

Employees of three telecoms worked directly out of the CAU office, right next to their FBI colleagues. According to the report, even exigent letters became too much work: an FBI analyst explained that "it's not practical to give the [exigent letter] for every number that comes in." Instead, the telecoms would provide phone records pursuant to verbal requests and even post-it notes with a phone number stuck on the carrier reps' workstations.

At the time, the Electronic Communications Privacy Act allowed a telecom to provide records based on an actual emergency, where the carrier had a "reasonable belief" that "an emergency involving danger of death or serious physical injury to any person requires disclosure without delay." The bare assertion of exigent circumstances in the FBI's letters is not enough to provide the basis for a reasonable belief, let alone a telephone number on a yellow slip of paper.

In March 2006, the relevant ECPA provision was changed from "reasonable belief" to "good faith belief." It appears that the telecoms were worried that the bare assertions in exigent letters were not enough, because they "expressed concern to [Congress] that the [reasonably believes] standard was too difficult for them to meet." However, even after the change, there is no way the telecoms could have formed a good faith belief, when they were never provided any basis to do so.

New Legal Theory to Allow Phone Record Disclosure

The OIG report discusses, in heavily redacted form, a new legal theory that the FBI now asserts allows telecoms to divulge phone records without legal process. Despite the Obama Administration's alleged commitment to openness and transparency, the OIG report redacts the basis for this legal theory, even redacting the statutory section number on which the FBI says it can rely.

According to the report, the DOJ's Office of Legal Counsel issued an opinion agreeing with this theory on January 8, 2010. The DOJ's “Principles to Guide the Office of Legal Counsel” states that “OLC should publicly disclose its written legal opinions in a timely manner, absent strong reasons for delay or nondisclosure.” Nevertheless, the opinion is not publicly available. We urge the Obama Administration to release this memo.

Facebook to Build Its Own Data Centers

Via datacenterknowledge.com -

Facebook has decided to begin building its own data centers, and may announce its first facility as soon as tomorrow. The fast-growing social network has previously leased server space from wholesale data center providers, but has grown to the point where the economics favor a shift to a custom-built infrastructure.

“Facebook is always looking at ways to scale our infrastructure and better serve our users,” Facebook spokesperson Kathleen Loughlin said last week. “It should come as no surprise that, at some point, building a customized data center will be the most efficient and cost effective way to do this. However, we have nothing further to announce at this time.”

That may change tomorrow at noon, when Oregon Gov. Ted Kulongoski is scheduled to unveil the identity of Company X, the mysterious tenant in a data center project in Prineville, Oregon. Construction is already underway on the 117,000-square-foot data center at a site near the Prineville Airport, which is expected to employ 35 workers.

The data center is being built by Vitesse LLC on behalf of an unidentified tenant. But Vitesse has said Company X is neither Google nor Yahoo. Data center industry chatter suggests the tenant is a large social networking site – which usually means Facebook.

Facebook’s move to build its own data centers was foreshadowed by its plans to implement custom servers and an innovative power path design, which will allow the company to reduce the energy loss during power distribution from the current 35 percent to about 15 percent.

Simple Youtube Video Download Hack

Want to download YouTube videos? When playing, change the Y on YouTube in the address bar to a 3!

For example, here is a Wax Tailor song...

http://www.youtube.com/watch?v=RRBugVOO6ec

By changing the Y to a 3, you get the option to download in MP4 or FLV format....

http://www.3outube.com/watch/?v=RRBugVOO6ec


3outube.com is not affiliated with YouTube.com. So let's hope it doesn't turn malicious.

Profiling: Sketching the Face of Jihadism

Via STRATFOR (Global Security & Intelligence Report) -

On Jan. 4, 2010, the U.S. Transportation Security Administration (TSA) adopted new rules that would increase the screening of citizens from 14 countries who want to fly to the United States as well as travelers of all nationalities who are flying to the United States from one of the 14 countries. These countries are: Afghanistan, Algeria, Cuba, Iran, Iraq, Lebanon, Libya, Nigeria, Pakistan, Saudi Arabia, Somalia, Sudan, Syria and Yemen.

Four of the countries — Cuba, Iran, Sudan and Syria — are on the U.S. government’s list of state sponsors of terrorism. The other 10 have been labeled “countries of interest” by the TSA and appear to have been added in response to jihadist attacks in recent years. Nigeria was almost certainly added to the list only as a result of the Christmas Day bombing attempt aboard a Detroit-bound U.S. airliner by Umar Farouk Abdulmutallab, a 23-year-old Nigerian man.

As reflected by the large number of chain e-mails that swirl around after every attack or attempted attack against the United States, the type of profiling program the TSA has instituted will be very popular in certain quarters. Conventional wisdom holds that such programs will be effective in protecting the flying public from terrorist attacks because profiling is easy to do. However, when one steps back and carefully examines the historical face of the jihadist threat, it becomes readily apparent that it is very difficult to create a one-size-fits-all profile of a jihadist operative. When focusing on a resourceful and adaptive adversary, the use of such profiles sets a security system up for failure by causing security personnel and the general public to focus on a threat that is defined too narrowly.

Sketching the face of jihadism is simply not as easy as it might seem.

[...]

The following individuals, among many others, were involved in jihadist activity but did not fit what most people would consider the typical jihadist profile:

As reflected by the list above, jihadists come from many ethnicities and nationalities, and they can range from Americans named Daniel, Victor and John to a Macedonian nicknamed “Elvis,” a Tanzanian called “Foopie” (who smuggled explosives by bicycle) and an Indonesian named Zulkarnaen. There simply is not one ethnic or national profile that can be used to describe them all.

[...]

One of the big reasons we’ve witnessed men with names like Richard and Jose used in jihadist plots is because jihadist planners are adaptive and innovative. They will adjust the operatives they select for a mission in order to circumvent new security measures. In the wake of the 9/11 attacks, when security forces began to focus additional scrutiny on people with Muslim names, they dispatched Richard Reid on his shoe-bomb mission. And it worked — Reid was able to get his device by security and onto the plane. If he hadn’t fumbled the execution of the attack, it would have destroyed the aircraft. Moreover, when Khalid Sheikh Mohammed wanted to get an operative into the United States to conduct attacks following 9/11, he selected U.S. citizen Jose Padilla. Padilla successfully entered the country, and it was only Mohammed’s arrest and interrogation that alerted authorities to Padilla’s mission.

[...]

Jihadist planners have now heard about the list of 14 countries and, demonstrating their adaptability, will undoubtedly try to use operatives who are not from one of those countries and choose flights that originate from other places as well. They may even follow the lead of Chechen militants and the Islamic State of Iraq by employing female suicide bombers. They will also likely instruct operatives to “lose” their passports so that they can obtain new documents that contain no traces of travel to one of the 14 countries on the list. Jihadists have frequently used this tactic to hide operatives’ travel to training camps in places like Afghanistan and Pakistan.

[...]

In an environment where the potential threat is hard to identify, it is doubly important to profile individuals based on their behavior rather than their ethnicity or nationality — what we refer to as focusing on the “how” rather than the “who”. Instead of relying on pat profiles, security personnel should be encouraged to exercise their intelligence, intuition and common sense. A U.S. citizen named Robert who shows up at the U.S. Embassy in Nairobi or Amman claiming to have lost his passport may be far more dangerous than some random Pakistani or Yemeni citizen, even though the American does not fit the profile requiring extra security checks.

The difficulty of creating a reliable and accurate physical profile of a jihadist, and the adaptability and ingenuity of the jihadist planners, means that any attempt at profiling is doomed to fail. In fact, profiling can prove counterproductive to good security by blinding people to real threats. They will dismiss potential malefactors who do not fit the specific profile they have been provided.

Operation Aurora - Evidence Found for Chinese Attack on Google

Via NYTimes.com -

An American computer security researcher has found what he says he believes is strong evidence of the digital fingerprints of Chinese authors in the software programs used in attacks against Google.

In the week since the announcement, several computer security companies have made claims supporting Google’s suspicions, but the evidence has remained circumstantial.

Now, by analyzing the software used in the break-ins against Google and dozens of other companies, Joe Stewart, a malware specialist with SecureWorks, a computer security company based in Atlanta, said he determined the main program used in the attack contained a module based on an unusual algorithm from a Chinese technical paper that has been published exclusively on Chinese-language Web sites.

The malware at the heart of the Google attack is described by researchers as a “Trojan horse” that is intended to open a back door to a computer on the Internet. The program, called Hydraq by the computer security research community and intended to subvert computers that run different versions of the Windows operating system, was first noticed earlier this year.

Mr. Stewart describes himself as a “reverse engineer,” one of a relatively small group of software engineers who disassemble malware codes in an effort to better understand the nature of the attacks that have been introduced by the computer underground, and now possibly by governments as well.

“If you look at the code in a debugger you see patterns that jump out at you,” he said. In this case he discovered software code that represented an unusual algorithm, or formula, intended for error-checking transmitted data.

He acknowledged that he could not completely rule out the possibility that the clue had been placed in the program intentionally by programmers from another government intent on framing the Chinese, but he said that was unlikely. “Occam’s Razor suggests that the simplest explanation is probably the best one.”

--------------------------------

http://www.secureworks.com/research/blog/index.php/2010/01/20/operation-aurora-clues-in-the-code/


There is one interesting clue in the Hydraq binary that points back to mainland China, however. While analyzing the samples, I noticed a CRC (cyclic redundancy check) algorithm that seemed somewhat unusual. CRCs are used to check for errors that might have been introduced into stored or transferred data. There are many different CRC algorithms and implementations of those algorithms, but this is one I had not previously seen in any of my reverse-engineering efforts.

[...]

The CRC algorithm used in Hydraq uses a table of only 16 constants; basically a truncated version of the typical 256-value table. By decompiling the algorithm and searching the Internet for source code with similar constants, operations and a 16-value CRC table size, I was able to locate one instance of source code that fully matched the structural code implementation in Hydraq and also produced the same output when given the same input:

[...]

In my opinion, the use of this unique CRC implementation in Hydraq is evidence that someone from within the PRC authored the Aurora codebase. And certainly, considering the scope, choice of targets and the overwhelming boldness of the attacks (in light of the harsh penalties we have seen handed out in communist China for other computer intrusion offenses), this creates speculation around whether the attacks could be state-sponsored.
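The matching source is elided above, so the following is an added illustration (not Hydraq's code and not SecureWorks' decompilation) of what a 16-constant CRC table is and how a reverse engineer would hunt for one in a binary. It builds a nibble-wise CRC-32 from a 16-entry table, checks it against the usual 256-entry byte-wise form and against zlib, and includes a scanner that recognises a reflected-CRC table in a byte blob and recovers its polynomial. The polynomial used (the standard 0xEDB88320) and the sample blob are assumptions constructed for the example; the actual Hydraq constants are not reproduced here.

```python
import struct
import zlib

# Standard reflected CRC-32 polynomial. Assumption for this illustration only:
# the Hydraq table's actual constants are not reproduced here.
POLY = 0xEDB88320


def make_table(entries, poly):
    """Build a reflected CRC table with `entries` rows: 16 rows consume one
    nibble per step, 256 rows consume one byte per step."""
    shifts = entries.bit_length() - 1   # 4 for a nibble table, 8 for a byte table
    table = []
    for i in range(entries):
        c = i
        for _ in range(shifts):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


TABLE16 = make_table(16, POLY)     # the "truncated" 16-constant form
TABLE256 = make_table(256, POLY)   # the usual 256-constant form


def crc32_bytewise(data):
    """Conventional table-driven CRC-32: one 256-entry lookup per input byte."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = TABLE256[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def crc32_nibblewise(data):
    """Same CRC-32, but two 16-entry lookups per byte (low nibble, then high).
    Because the shift register is linear over GF(2), this yields the same
    result as the byte-wise form for every input."""
    crc = 0xFFFFFFFF
    for b in data:
        crc = TABLE16[(crc ^ b) & 0xF] ^ (crc >> 4)
        crc = TABLE16[(crc ^ (b >> 4)) & 0xF] ^ (crc >> 4)
    return crc ^ 0xFFFFFFFF


def find_reflected_crc_tables(blob, entries=16):
    """Scan `blob` for runs of `entries` little-endian uint32 words that form a
    reflected CRC table. Returns [(offset, polynomial), ...].

    In a reflected table the entry at index entries/2 (8 for 16 entries, 128
    for 256) is the polynomial itself: that index is a single bit that is
    shifted down to bit 0 and then fed back once. So the scanner reads that
    word as a candidate polynomial, regenerates the table and compares."""
    hits = []
    span = 4 * entries
    pivot = entries // 2
    for off in range(0, len(blob) - span + 1):
        words = struct.unpack_from("<%dI" % entries, blob, off)
        if words[0] != 0 or words[pivot] == 0:   # T[0] is always 0 in a CRC table
            continue
        if list(words) == make_table(entries, words[pivot]):
            hits.append((off, words[pivot]))
    return hits


# Constructed sample "binary" (not a real Hydraq sample): 7 bytes of filler,
# the 16-entry table stored little-endian as a 32-bit Windows binary would
# hold it, then some zero padding.
SAMPLE_BLOB = b"\x90" * 7 + struct.pack("<16I", *TABLE16) + b"\x00" * 8


if __name__ == "__main__":
    msg = b"123456789"
    print("byte-wise  : %08X" % crc32_bytewise(msg))
    print("nibble-wise: %08X" % crc32_nibblewise(msg))
    print("zlib       : %08X" % (zlib.crc32(msg) & 0xFFFFFFFF))
    for off, poly in find_reflected_crc_tables(SAMPLE_BLOB):
        print("16-entry reflected CRC table at offset %d, polynomial %08X" % (off, poly))
```

A 16-entry table is an ordinary size-for-speed trade that many implementations make, so the table size alone is not a fingerprint; what made the Hydraq match useful, per the post above, was the combination of the specific constants, the operations and the table size. A scanner like this one reports the recovered polynomial, which is what lets an analyst tell the ubiquitous zlib-style 0xEDB88320 table from a non-standard one worth searching for.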

Microsoft to Release Out-of-Band IE Zeroday Patch Tomorrow

http://blogs.technet.com/msrc/archive/2010/01/20/advance-notification-for-out-of-band-bulletin-release.aspx

Today we issued our Advanced Notification Service (ANS) to advise customers that we will be releasing MS10-002 tomorrow, January 21st, 2010. We are planning to release the update as close to 10:00 a.m. PST (UTC -8) as possible. This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized. We recommend that customers install the update as soon as it is available. For customers using automatic updates, this update will automatically be applied once it is released.

Today we also updated Security Advisory 979352 to include technical details addressing additional customer questions.

Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack

Via H-Online.com -

Microsoft isn't having an easy time of it these days. In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

Ormandy has also published a suitable exploit which functions under Windows XP, Windows Server 2003 and 2008, Windows Vista and Windows 7. When tested by The H's associates at heise Security, the exploit opened a command prompt in the system context, which has the highest privilege level, under Windows XP and Windows 7. No patch has become available, although Ormandy reports that Microsoft was already informed of the hole in mid-2009. The developer decided to publish the information regardless because, in his opinion, there is a simple workaround: to disable the MS-DOS subsystem.

-----------------------

Original Advisory - http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html