Friday, April 30, 2010

Former Pakistani Intelligence Officer Executed in North Waziristan

Via The Long War Journal -

A former officer in Pakistan's Inter-Services Intelligence agency who has close links to terror groups has been found dead, apparently executed by a Taliban-linked group.

A group calling itself the "Asian Tigers" killed Khalid Khawaja, a former Squadron Commander in the Air Force, and dumped his bullet-ridden body in Taliban-controlled North Waziristan.

The Asian Tigers pinned a note to Khawaja's corpse and claimed credit for murdering him. The Asian Tigers had previously accused Khawaja of working for the Pakistani government and the CIA.

Khawaja, along with a former ISI officer known as Colonel Imam and a British journalist, was kidnapped several weeks ago after visiting the town of Miramshah in North Waziristan. In early April it was reported that the three men had disappeared while trying to link up with key Taliban leaders, including top South Waziristan commander Waliur Rehman Mehsud.

On April 18, the Asian Tigers released a videotape showing Imam and Khawaja, and calling for the release of three top Afghan Taliban leaders. The Asian Tigers demanded that Pakistani intelligence release Mullah Abdul Ghani Baradar, the former leader of the Afghan Taliban's Quetta Shura; Maulvi Abdul Kabir, the former leader of the Peshawar Regional Military Council; and Mullah Mansur Dadullah Akhund, a former military commander in the south.

On the tape, Imam and Khawaja both stated that they had been directed to visit the Taliban in North Waziristan by two top former ISI officers. Some news reports from Pakistan claimed that Imam and Khawaja were sent to broker a deal with the Taliban to end their fight against the Pakistani state and reorient their efforts against Coalition forces in Afghanistan.

Four days after the tape was released, the Afghan Taliban denied any connections to the Asian Tigers and said that Colonel Imam was "widely respected among the Taliban for his independent views and sympathies towards the mujahideen."

The Asian Tigers are thought to be members of the so-called Punjabi Taliban, a group of fighters from Lashkar-e-Taiba, Jaish-e-Mohammed, Harkat-ul-Jihad-al-Islami, Harkat-ul-Mujahideen, and various other jihadist groups that are based in Punjab province.

Facebook's Eroding Privacy Policy: A Timeline

Via EFF -

Since its incorporation just over five years ago, Facebook has undergone a remarkable transformation. When it started, it was a private space for communication with a group of your choice. Soon, it transformed into a platform where much of your information is public by default. Today, it has become a platform where you have no choice but to make certain information public, and this public information may be shared by Facebook with its partner websites and used to target ads.

To help illustrate Facebook's shift away from privacy, we have highlighted some excerpts from Facebook's privacy policies over the years. Watch closely as your privacy disappears, one small change at a time!

[...]

Viewed together, the successive policies tell a clear story. Facebook originally earned its core base of users by offering them simple and powerful controls over their personal information. As Facebook grew larger and became more important, it could have chosen to maintain or improve those controls. Instead, it's slowly but surely helped itself — and its advertising and business partners — to more and more of its users' information, while limiting the users' options to control their own information.

Sixteen Killed Wednesday In Mexican Border City Shootings

Via Chron.com (Houston, TX) -

Gunmen stormed into a bar, dragged out eight people and killed them in the parking lot, the first of several shootings in this violent border city Wednesday that left 16 dead, including a man in a wheelchair.

In one incident, a car chase and shootout killed three people in front of an elementary school, creating a panic among students, teachers and parents.

Battles between rival drug gangs have made Ciudad Juarez, across the border from El Paso, Texas, one of the world's deadliest cities. More than 800 people have been killed this year in the city of 1.3 million people.

Armed men burst into the Aristos bar in the middle of the night, said Arturo Sandoval, a spokesman for the Chihuahua state attorney general's office. Eight people were forced out into the parking lot and shot to death.

The victims had not been identified, but Sandoval said at least one appeared to be a teenage boy.

The shootout in front of the Benito Juarez elementary school erupted hours later. Sandoval said a woman and two men were found dead inside a car.

Gunmen in a car chased down another vehicle and opened fire in front of the school around noon, said a teacher who asked not to be quoted by name out of fear for his safety.

The teacher said a pregnant teacher and three students suffered panic attacks and were taken to a hospital. Classes were canceled for the rest of the day, and parents rushed to pick up their children.

Gunmen opened fire on another car elsewhere in the city, killing four young men inside, Sandoval said. Separately, a gang of armed men killed a man sitting in a wheelchair on the sidewalk, he said.

Police had no information on the identities of any of the gunmen.

The army, meanwhile, reported that it freed 16 hostages Tuesday at a house in Sabinas Hidalgo, a town near the northern city of Monterrey. One of the hostages was a 1-year-old child.

Troops acting on an anonymous tip arrived at the house in helicopters, a statement said. Gunmen opened fire and soldiers fired back from the air. Two people were found dead inside the house but it was unclear if they were captors or hostages.

Soldiers also seized two tons of marijuana, nine guns and a grenade launcher. It was unclear why the 16 people were being held hostage.

Sony Sued Over Playstation 'Other OS' Removal

Via ThinQ.co.uk -

A Californian Playstation 3 user has filed a class action lawsuit against Sony over removal of the Install Other OS function.

Anthony Ventura filed the suit at the United States District Court for the Northern District of California on April 27th.

The action - which is being fought by law firm Meiselman, Denlea, Packman, Carton and Eberz - seeks to redress Sony's "intentional disablement of the valuable functionalities originally advertised as available with the Sony Playstation 3 video game console."

The suit claims that the disablement breaches the sales contract between Sony and its customers and constitutes "an unfair and deceptive business practices perpetrated on millions of unsuspecting customers".

The company has apologised for the removal of the Other OS function but says that the action was essential to prevent piracy.

Sony is currently trying to hide behind its End User Licence Agreement (EULA) in the stunningly arrogant belief that a digital contract signed with an on-screen button press (more often than not by a child) can supersede the law.

At least one user has received a partial refund from Amazon after complaining that his PS3 console no longer did what it was originally intended to do. Sony has since said that it will not reimburse retailers if they choose to offer refunds.

We are aware of at least one other New York law firm which is currently preparing a class action suit against the Japanese electronics company and its international subsidiaries.

Bluebear: Exploring Privacy Threats in BitTorrent


BitTorrent is arguably the most efficient peer-to-peer protocol for content replication. However, BitTorrent has not been designed with privacy in mind and its popularity could threaten the privacy of millions of users. Surprisingly, privacy threats due to BitTorrent have been overlooked because BitTorrent popularity gives its users the illusion that finding them is like looking for a needle in a haystack. The goal of this project is to explore the severity of the privacy threats faced by BitTorrent users.

We argue that it is possible to continuously monitor from a single machine most BitTorrent users and to identify the content providers (also called initial seeds) [LLL_LEET10, LLL_TR10]. This is a major privacy threat as it is possible for anybody on the Internet to reconstruct all the download and upload history of most BitTorrent users.

To circumvent this kind of monitoring, BitTorrent users are increasingly using anonymizing networks such as Tor to hide their IP address from the tracker and, possibly, from other peers. However, we showed that it is possible to retrieve the IP address for more than 70% of BitTorrent users on top of Tor [LMC_POST10]. Moreover, once the IP address of a peer is retrieved, it is possible to link to the IP address other applications used by this peer on top of Tor.

Thursday, April 29, 2010

Texas Man to Plead Guilty to Building Botnet-for-Hire

Via PC World -

A Mesquite, Texas, man is set to plead guilty to training his 22,000-PC botnet on a local ISP -- just to show off its firepower to a potential customer.

David Anthony Edwards will plead guilty to charges that he and another man, Thomas James Frederick Smith, built a custom botnet, called Nettick, which they then tried to sell to cybercriminals at the rate of US$0.15 per infected computer, according to court documents.

On August 14, 2006, Smith and Edwards allegedly used part of Nettick to attack a computer hosted by The Planet. Apparently, that was just a test, to show that the botnet was for real. "After the test, the bot purchaser agreed to buy the source code and the entire botnet for approximately $3,000," prosecutors say in the indictment against the two men.

Edwards will plead guilty Thursday in federal court in Dallas, according to his attorney, Mick Mickelsen. Smith has pleaded innocent in the case and is set to go to trial on May 17. Both men face a maximum of five years in prison and a $250,000 fine on one count of conspiring to cause damage to a protected computer and to commit fraud.

Web Exploits: There’s an App for That

http://www.m86security.com/documents/pdfs/security_labs/m86_web_exploits_report.pdf

In the last few years M86 Security Labs has seen a dramatic increase in attack or exploit kits. These easy-to-use kits are the backbone of exploits in the “wild”. M86 Security Labs research reviews how exploit kits are developed, distributed and monetized globally. The turnover of exploits is quick. The success rate is high. And, all of this for very minimal cost for the exploit kit users and operators. The details in this report will provide a fundamental understanding of how exploits operate and give the reader a true sense of the business behind the crime.

Tuesday, April 27, 2010

Pentagon’s Mach 20 Glider Disappears, Whacking ‘Global Strike’ Plans

Via Wired.com (Danger Room) -

The Pentagon’s controversial plan to hit terrorists half a planet away suffered a setback this weekend, after an experimental hypersonic glider disappeared over the Pacific Ocean.

In its first flight test, the Falcon Hypersonic Technology Vehicle 2 (HTV-2) was supposed to be rocket-launched from California to the edge of space. Then the HTV-2 would come screaming back into the atmosphere, maneuvering at twenty times the speed of sound before landing north of the Kwajalein Atoll, 30 minutes later and 4100 nautical miles away. Thinly wedge-shaped for better lift, equipped with autonomous navigation for more precision, and made of carbon-carbon to withstand the assault of hypersonic flight, the hope was it could fly farther and more accurately at a lower angle of attack than other craft returning to Earth.

At least, that was the idea. Instead, nine minutes after launch, Darpa researchers lost contact with the HTV-2. They’re still trying to figure out why. The agency says the flight test wasn’t a total bust: The craft deployed from its rocket booster, performed some maneuvers in the air, and “achieved controlled flight within the atmosphere at over Mach 20,” Darpa spokesperson Johanna Jones says.

But it’s bad news for the Pentagon “prompt global strike” program — a burgeoning and hotly-debated effort to almost-instantly attack targets thousands of miles away. The Defense Department is pursuing three different families of technologies to accomplish the task. One is to re-arm nuclear intercontinental ballistic missiles with conventional warheads. But that runs the risk of accidentally triggering a response from another atomic power, who might mistake it for a nuke. A second effort is to build shorter-range cruise missiles that can fly at five or six times the speed of sound; that effort hit some recent turbulence when flight tests for the X-51 Waverider, scheduled for December 2009, were pushed until May 2010. Something like an armed version of the HTV-2 is the third choice.

In Shanghai, Bootleg Goods Are Moved to Secret Rooms

Via NYTimes.com -

The latest mystery in Shanghai, complete with sliding bookshelves, secret passageways and contraband goods, is this: Why are all the popular DVDs and CDs missing from this city’s shops?

But it’s a mystery easily solved. In China, embarrassments are usually hidden from sight when the world comes visiting, and that is what has happened to a large supply of bootleg DVDs and CDs as Shanghai prepares for the World Expo, which is expected to attract 70 million visitors.

A few weeks ago, government inspectors fanned out across the city and ordered shops selling pirated music and movies to stash away their illegal goods during the expo, a six-month extravaganza that opens May 1.

But shop owners found a novel way to comply — they simply chopped their stores in half.

In a remarkable display of uniformity, nearly every DVD shop in central Shanghai has built a partition that divides the store into two sections: one that sells legal DVDs (often films no one is interested in buying), and a hidden one that sells the illegal titles that everyone wants — Hollywood blockbusters like “Avatar” (for a dollar), Tim Burton’s “Alice in Wonderland” and even Lady Gaga’s latest CD “The Fame.”

Customers entering these shops are now routinely directed toward a slide-away bookshelf that reveals a secret corridor. And to chants of “movie inside, movie inside,” a young sales clerk will lead them past a series of empty spaces before entering a room stocked with thousands of bootleg copies of popular films, music and television programs.

“This is where everything is now,” said a clerk at Movie World. “We have to do it this way because of the expo.”

China Lifts Travel Restrictions for HIV Carriers

Via BBC -

China has lifted travel restrictions for foreigners who suffer from HIV and AIDS.

The newly amended law, published on the government website, comes ahead of the opening of the Shanghai World Expo on Saturday, which expects 100m visitors.

WHO welcomed the decision, calling it "a significant step in the right direction".

More than 50 countries around the world still have laws and restrictions for HIV-positive people.

Dr Margaret Chan, WHO Director-General, said: "This decision should inspire other nations to change laws and policies that continue to discriminate against people living with HIV.

"Many policies that discriminate against people living with HIV were enacted at a time when AIDS was surrounded by widespread fear and hopelessness.

"With HIV prevention and treatment now saving millions of lives, this is no longer the case. Policies that help curb discrimination can help prevent further transmission," she said.

UN Secretary-General Ban Ki-moon said in a statement: "Punitive policies and practices only hamper the global AIDS response.

"I urge all other countries with such restrictions to remove them as a matter of priority and urgency."

----------------------------------------------

Different countries have different restrictions - some block entry, some require long-term visitors to register. Find more information @ HIVTravel.org

Feds Say Judge Hampering Webcam Spy Probe

Via Wired.com (Threat Level) -

Prosecutors are claiming that a federal judge is hampering a criminal investigation into a webcam scandal at a Philadelphia suburban school district.

The evidence prosecutors are seeking is connected to a federal civil lawsuit in which the plaintiff’s lawyers claim that the Lower Merion School District secretly snapped thousands of webcam images of students using school-issued laptops without the pupils’ knowledge or consent.

U.S. District Judge Jan DuBois, who is presiding over the civil case, two weeks ago ordered that evidence should only be disseminated to those connected to the civil lawsuit. (.pdf) U.S. Attorney Michael Levy wrote the judge, saying Friday that her freeze order “interfered with the government’s obligation to investigate possible criminal conduct occurring within this district.”

Levy asks the court to “modify its order to permit the government access.” (.pdf) Among other things, Levy wants to examine what plaintiffs lawyers contend are thousands of screenshots school-supplied MacBooks took of an unknown number of children, some of which might include nude or partially clothed shots.

While it remains unclear whether the secret and remote filming of students is a federal crime, taking nude images of children is likely criminal conduct. A federal grand jury and the FBI are said to be looking into the district’s actions.

Monday, April 26, 2010

Microsoft Security Intelligence Report - Volume 8

The Microsoft Security Intelligence Report (SIR) is a comprehensive and wide-ranging study of the evolving threat landscape, and addresses such topics as software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software.

Volume 8 of the Security Intelligence Report (SIR v8) covers July 2009 through December 2009. It includes data derived from more than 500 million computers worldwide, each running Windows. It also draws data from some of the busiest services on the Internet, such as Windows Live Hotmail and Bing.

Bill Gates Revamps His Polio-Eradication Effort Amid Africa Outbreak

Via WSJ.com -

Bill Gates walked into the World Health Organization's headquarters in Geneva—for a meeting in an underground chamber where global pandemics are managed—and was greeted by bad news. Polio was spreading across Africa, even after he gave $700 million to try to wipe out the disease.

That outbreak raged last summer, and this week a new outbreak hit Tajikistan, which hadn't seen polio for 19 years. The spread threatens one of the most ambitious health campaigns in the world, the effort to destroy the crippling disease once and for all. It also marks a setback for the Microsoft Corp. co-founder's new career as full-time philanthropist.

Next week, the organizations behind the polio fight, including WHO, Unicef, Rotary International and U.S. Centers for Disease Control and Prevention, plan to announce a major revamp of their strategy to address shortcomings exposed by the outbreaks.

Polio is a centerpiece of Mr. Gates's charitable giving. Last year the billionaire traveled to Africa, one of the main battlegrounds against the disease, to confer with doctors, aid workers and a sultan to propel the polio-eradication effort.

"There's no way to sugarcoat the last 12 months," Bruce Aylward, a WHO official, told Mr. Gates in the meeting in the underground pandemic center last June. He described how the virus was rippling through countries believed to have stopped the disease.

Mr. Gates asked: "So, what do we do next?"

That question goes to the heart of one of the most controversial debates in global health: Is humanity better served by waging wars on individual diseases, like polio? Or is it better to pursue a broader set of health goals simultaneously—improving hygiene, expanding immunizations, providing clean drinking water—that don't eliminate any one disease, but might improve the overall health of people in developing countries?

The new plan integrates both approaches. It's an acknowledgment, bred by last summer's outbreak, that disease-specific wars can succeed only if they also strengthen the overall health system in poor countries.

Yemen: British Ambassador Escapes Explosion

Via APNews.com -

The British ambassador in Yemen narrowly escaped a suicide attack Monday, when a young man in a school uniform detonated his explosives belt near his armored car at a poor neighborhood of San'a, officials said.

The attack - the first such suicide bombing in the capital in a year - raised questions over the Yemeni government's U.S.-backed campaign against al-Qaida militants, who have found a haven in parts of the mountainous, impoverished nation where the central government's control is weak.

Washington has dramatically stepped up counterterrorism aid to San'a over the past year, warning that al-Qaida's offshoot in Yemen has become a global threat, particularly after it claimed responsibility for the failed Christmas Day attempt to bomb an American jet liner heading for Detroit.

A British Embassy spokeswoman said the ambassador, Timothy Torlot, was unhurt in the attack Monday morning, which wounded three bystanders, including a woman.

The ambassador's vehicle was passing through the impoverished San'a district of Noqm when the explosion went off nearby, the Interior Ministry said in a statement. The explosion ripped apart the bomber, and his head was found on the roof of a house about 20 meters (yards) away, it said.

The ministry identified the bomber as a 22-year old high school student who hails from the southern town of Taiz.

Witnesses said the attacker was a young man who wore a school uniform, apparently as a disguise. Yemeni officials said the attacker was believed to have been wearing an explosives belt, adding that the Noqm district is known to be popular with militants.

The officials spoke on condition of anonymity because they were not authorized to speak to the media.

There was no claim of responsibility for the attack, but it bore the hallmarks of al-Qaida.

[...]

Al-Qaida in the Arabian Peninsula, an offshoot of Osama bin Laden's terror network, was formed more than a year ago when Yemen and Saudi militant groups merged. The suspect in the failed Christmas Day plane bombing plot has said he received training from militants in Yemen, according to U.S. investigators.

In Drone War, CIA Opts for Smaller, Less Deadly Weapons

Via Wired.com (Danger Room) -

In Iraq and Afghanistan, the U.S. military has long been wise to a problem: Weapons designed for Cold War combat are often too powerful — and too lethal — for low-intensity conflict and counterinsurgency. Now it seems the CIA is catching on to the concept as well.

In today’s Washington Post, Joby Warrick and Peter Finn report that the CIA may be using “new, smaller missiles” to take out suspected insurgents in Pakistan’s tribal areas, in combination with better surveillance and other technological upgrades.

Last month, they write, a CIA missile “probably no bigger than a violin case and weighing about 35 pounds” targeted a house in Miram Shah, in Pakistan’s South Waziristan province. The strike killed a top al-Qaeda organizer, along with several others. Such precise, low-collateral-damage attacks, they add, “have provoked relatively little public outrage.”

Leaving aside the question of whether the CIA’s campaign of targeted killing is any less controversial — our pal Peter Singer argues that it isn’t — the agency’s acquisition of less-lethal weapons is intriguing. While the agency refused to comment on the specifics, it’s pretty easy to guess what’s going on here.

Take the AGM-114 Hellfire missile, once the primary weapon in the drone arsenal. The hundred-pound missile packs a warhead that was originally designed to destroy a main battle tank. Use it against a more lightly armored target — say, a civilian car — and it’s overkill. At the military’s behest, contractors have long been developing a number of alternatives for arming drones.

Sunday, April 25, 2010

The Effect Of Banking Trojans On Small & Medium-Sized Businesses In The U.S.

http://www.pandasecurity.com/resources/pro/02_SMB_Trojans_Study_Summary_Report.pdf

The malware economy is flourishing and affecting both consumers and businesses of all sizes. The reality is that cybercrime is growing exponentially in frequency and sophistication. The following Panda Security study examines the prevalence and effects of cybercrime, specifically banker Trojans, on an increasingly targeted demographic: small and medium-sized businesses (SMBs). After a thorough survey of more than 300 high-level SMB executives across a wide range of industries, Panda Security found SMBs are lacking a solid level of awareness around the real risk that their businesses face, and more pressing, that they may not be as protected as needed to keep their assets and networks safe.

Panda Security found that while a majority of respondents are concerned about online banking fraud and identity theft in their organizations, they don’t have a good understanding of how best to protect their businesses. In addition, they have a false sense of security in terms of their expectations around bank reimbursement in the unfortunate event they fall victim to fraud.

Overall, Panda Security’s study revealed some compelling results:
  • 66 percent of the 25 million malware samples collected by PandaLabs in 2009 were banker Trojans
  • 52 percent of respondents had little or no familiarity with banking Trojans, despite the wave of increased attacks in 2009
  • Small businesses continued to be a prime target for cybercriminals in 2009 as evidenced by the multiple attacks using banker Trojans such as URLZone
  • 49 percent of survey respondents use online banking to make and receive payments online
  • 11 percent of SMBs said they have or may have been affected by online fraud or identity theft, of which 86 percent were reported to authorities
  • 15 percent either do not have updated security software on all systems where online transactions are conducted or are unsure of the status of their security software at their organizations

Photo of the Day - Saturn Aurora (Hubble)


(Credit: Hubblesite.org)

The dancing light of the auroras on Saturn behaves in ways different from how scientists have thought possible for the last 25 years. New research by a team of astronomers led by John Clarke of Boston University has overturned theories about how Saturn's magnetic field behaves and how its auroras are generated.

----------------------------

In April, the Hubble Space Telescope is celebrating its 20th year in use, following a 2009 mission in which the space shuttle Atlantis carried two new instruments to the satellite to operate at its most technologically advanced and powerful state.

Al Qaeda in Iraq (AQI) Confirms Deaths of Leaders

Via The Long War Journal -

Al Qaeda in Iraq has confirmed that its top two leaders were killed during a raid last weekend by Iraqi and US forces.

The terror group admitted that Abu Ayyub al Masri, the leader of al Qaeda in Iraq, and Abu Omar al Baghdadi, the leader of the Islamic State of Iraq, al Qaeda’s political front, were killed. The Islamic State of Iraq released a statement on the Internet, which was posted on allied jihadist websites. Abu al Walid Abd al Wahhab al Mashadani, the group’s sharia minister, is quoted as confirming their deaths.

"The ISI Sharia Minister, Abu al-Walid Abd al Wahhab al Mashadani, informed that both leaders were attending a meeting when enemy forces engaged them in battle and launched an airstrike on their location," the statement, which was translated by the SITE Intelligence Group, said.

Al Masri, Baghdadi, Baghdadi’s son, and an aide to al Masri were all killed by Iraqi and US forces during a raid on their hideout near Tikrit in the remote Thar Thar region on April 18. During the operation, 16 aides and bodyguards were captured.

Al Qaeda in Iraq remained silent about al Masri and Baghdadi’s deaths for six days before confirming the news. In the interim, jihadis posting on the al Qaeda-linked forums doubted Western and Iraqi reports of the deaths of al Masri and Baghdadi. Posts on the forums attempting to lionize al Masri and Baghdadi were removed by administrators. These actions in turn caused many forum posters and members of the media to question the accuracy of the reports that al Masri and Baghdadi had been killed.

Iraqi and US forces quickly capitalized on intelligence gathered from the strike that killed al Masri and Baghdadi. Within five days of killing al Qaeda’s top two leaders, Iraqi and US forces killed al Qaeda’s military commander in northern Iraq and its operations commander in Anbar province.

Saturday, April 24, 2010

Suspect: Al-Qaida Ordered NYC Attack

Via Military.com -

They were former classmates at a New York high school, both on a mission to join the Taliban and fight U.S. forces in Afghanistan.

But when Zarein Ahmedzay and Najibullah Zazi arrived in Pakistan in the summer of 2008, two high-ranking al-Qaida operatives gave them another set of marching orders.

"They told us we would be more useful if we returned to New York City ... to conduct operations," Ahmedzay said Friday in a guilty plea that offered more chilling details of a foiled plot to attack the New York City subways last fall.

Asked by a judge in federal court in Brooklyn what kind of operations, he responded: "Suicide-bombing operations."

The attacks were to coincide with Ramadan and target landmarks, but the plan was scaled back because the conspirators didn't have enough homemade explosives.

The plea also marked the first time prosecutors named the al-Qaida operatives involved in the high-profile case.

Assistant U.S. Attorney Jeffrey Knox identified them as Saleh al-Somali and Rashid Rauf, who were both killed in Pakistan. The U.S. Justice Department on Friday described al-Somali as the head of international operations for al-Qaida.

Al-Somali was killed in a drone strike in December. Rauf, a British militant linked to a jetliner bomb plot, was also killed in a Predator strike in November 2008.

Friday, April 23, 2010

WhiteHouse.gov Releases Open Source Code

http://www.whitehouse.gov/tech

As part of our ongoing effort to develop an open platform for WhiteHouse.gov, we're releasing some of the custom code we've developed. This code is available for anyone to review, use, or modify. We're excited to see how developers across the world put our work to good use in their own applications.

By releasing some of our code, we get the benefit of more people reviewing and improving it. In fact, the majority of the code for WhiteHouse.gov is already open source as part of the Drupal project.

Iraqi Forces Detained AQI's 'Ruler of Baghdad'

Via The Long War Journal -

Iraq security forces captured the leader of al Qaeda's network in the capital of Baghdad during an operation more than a month ago. The al Qaeda leader helped direct Iraqi and US forces to the top two leaders of al Qaeda in Iraq, both of whom were killed during a raid near Tikrit last weekend.

Iraqi forces captured Manaf Abdulrehim al Rawi during a raid in Baghdad in March, Major General Qassem Atta, the spokesman for the Baghdad Operations Command, said in a press conference, according to Voices of Iraq.

Rawi, who is also known as Falah Abu Hayder, was an Iraqi citizen who was born in Moscow in 1975, Atta said. "He joined the terrorist al Qaeda group in 2003 and was appointed by Abu Omar al Baghdadi as Ruler of Baghdad in 2008."

Rawi was the mastermind of the series of attacks that have rocked Baghdad since August 2009. More than 550 Iraqis have been killed and thousands more wounded in the attacks.

"The suspect is responsible for several terrorist operations, including the assassination of lawmaker Harith al Obaidi," Atta continued. "He also oversaw the blasts that targeted the buildings of the foreign affairs and finance ministries, the provincial council, the court of appeal and the judicial institute."

Rawi's detention was not confirmed by the US military. US Forces Iraq did not respond to an inquiry on Rawi's detention or his importance to al Qaeda in Iraq’s network.

But US military and intelligence officials contacted by The Long War Journal did say that the detention of Rawi last month helped paint the intelligence picture that led to the operation last week that killed al Qaeda in Iraq's top two leaders, Abu Ayyub al Masri and Abu Omar al Baghdadi. Al Masri and Baghdadi were killed along with Baghdadi's son and a top aide to al Masri during a joint US and Iraqi raid in the Thar Thar region just outside of Tikrit. In the course of the raid, 16 other al Qaeda operatives were detained.

Saudi Arabia to Establish the 'King Abdullah City for Nuclear & Renewable Energy'

Via JPost.com -

Saudi Arabia last week announced the establishment of a renewable energy complex, confirming the country’s interest in nuclear energy.

The King Abdullah City for Nuclear and Renewable Energy, set to be established in Riyadh, will, according to a royal decree, be tasked with the research and application of nuclear technology and oversee all aspects of a nuclear power industry, the official Saudi Press Agency reported.

In an effort to diversify the country’s oil-based energy industry, Saudi Arabia has been experimenting with alternative energies such as solar power. Nuclear power is a growing focus area.

Analysts say, however, that politics may have played a major role in the Saudi decision to focus on nuclear technology, as the kingdom’s leaders feel increasingly threatened by the specter of a nuclear Iran.

Dr. Theodore Karasik, director for Research and Development with the Dubai-based Institute of Near East and Gulf Military Analysis, said the plan to build the new complex is motivated by both economics and political factors.

“You have to take it in the context of the other GCC [Gulf Cooperation Council] or Arab states in terms of their transparency,” Karasik said. “Many of them are trying to move toward nuclear energy capabilities in order to be transparent, as opposed to the Iranians, who are not.”

Sunni countries in the Middle East, including Saudi Arabia, are concerned about Shi’ite Iran becoming a nuclear power and in recent years have started developing nuclear programs of their own. While such programs are ostensibly all civilian, analysts say the underlying message to Iran is that these countries have both the know-how and the capability to respond to an atomic threat.

“It’s a trend in the region, and they need it,” Karasik said. “They are looking ahead 40 or 50 years from now and many of these countries need to develop it now to plan for the future.”

The Saudi announcement did not specify time frames and Karasik said ambitious projects of these kinds could take 15-20 years before becoming a reality.

Nuclear power is also a way to save crude oil for export while still providing energy for local consumption. The kingdom has around 20 percent of the world’s proven petroleum reserves and is the largest exporter of petroleum.

Saudi Arabia has a petroleum sector that accounts for roughly 80% of its budget revenues, 45% of its GDP and 90% of its export earnings.

The new energy complex will fund university research labs and help the private sector develop nuclear applications for agriculture, health care, water desalination and power.

The new institution will also be tasked with drafting a national policy on nuclear energy development, supervising the commercial use of nuclear power and handling radioactive waste.

Prompt Global Strike - U.S. Faces Choice on New Weapons for Fast Strikes

Via NYTimes -

In coming years, President Obama will decide whether to deploy a new class of weapons capable of reaching any corner of the earth from the United States in under an hour and with such accuracy and force that they would greatly diminish America’s reliance on its nuclear arsenal.

Yet even now, concerns about the technology are so strong that the Obama administration has acceded to a demand by Russia that the United States decommission one nuclear missile for every one of these conventional weapons fielded by the Pentagon. That provision, the White House said, is buried deep inside the New Start treaty that Mr. Obama and President Dmitri A. Medvedev signed in Prague two weeks ago.

[...]

Called Prompt Global Strike, the new weapon is designed to carry out tasks like picking off Osama bin Laden in a cave, if the right one could be found; taking out a North Korean missile while it is being rolled to the launch pad; or destroying an Iranian nuclear site — all without crossing the nuclear threshold. In theory, the weapon will hurl a conventional warhead of enormous weight at high speed and with pinpoint accuracy, generating the localized destructive power of a nuclear warhead.

The idea is not new: President George W. Bush and his staff promoted the technology, imagining that this new generation of conventional weapons would replace nuclear warheads on submarines.

In face-to-face meetings with President Bush, Russian leaders complained that the technology could increase the risk of a nuclear war, because Russia would not know if the missiles carried nuclear warheads or conventional ones. Mr. Bush and his aides concluded that the Russians were right.

Partly as a result, the idea “really hadn’t gone anywhere in the Bush administration,” Defense Secretary Robert M. Gates, who has served both presidents, said recently on ABC’s “This Week.” But he added that it was “embraced by the new administration.”

Mr. Obama himself alluded to the concept in a recent interview with The New York Times, saying it was part of an effort “to move towards less emphasis on nuclear weapons” while insuring “that our conventional weapons capability is an effective deterrent in all but the most extreme circumstances.”

The Obama national security team scrapped the idea of putting the new conventional weapon on submarines. Instead, the White House has asked Congress for about $250 million next year to explore a new alternative, one that uses some of the most advanced technology in the military today as well as some not yet even invented.

The final price of the system remains unknown. Senator John McCain of Arizona, the ranking Republican on the Senate Armed Services Committee, said at a hearing on Thursday that Prompt Global Strike would be “essential and critical, but also costly.”

Redacted Fail - Motion to Subpoena President Obama

https://docs.google.com/viewer?url=http%3A%2F%2Fstatic.cbslocal.com%2Fstation%2Fwbbm%2Fobama.pdf&pli=1

------------------------------------------

Cut & Paste into Notepad......then read.

How to Opt Out of Facebook’s Instant Personalization

Via EFF -

Yesterday, Facebook announced Instant Personalization, whereby select websites would "personalize your experience using your public Facebook information." The initial sites are Pandora, Yelp and Microsoft Docs. As Facebook CEO Mark Zuckerberg explained, this means that when you visit "Pandora for the first time, it can immediately start playing songs from bands you've liked." Pandora, and other partners, can also link your real name and other Facebook information with everything you do on their site.

[...]

By default, the "Allow" checkbox for Instant Personalization is checked on your privacy settings. If you don't want the websites that you or your Facebook friends visit to know your information, you must opt out. Since this process is a bit complicated, we have made a quick video showing step by step how to do so.

[...]

Simply unchecking the "Allow" box is not sufficient. As Facebook explains, "if you opt out, your friends may still share public Facebook information about you to personalize their experience on these partner sites unless you block the application." Nor can you go to the Block Applications setting to block these partner sites. This setting is only for showing which applications and sites are blocked, and unblocking them.

So, to opt out of this fully, you also need to go to each page for Microsoft Docs, Pandora, and Yelp and push the Block Application button. If Facebook adds another partner site to the program, you will need to block that as well, so be sure to check back often.

------------------------------------

Check out the video on the EFF page for more details on how to completely opt-out of this new "feature".

Air Force Launches Secretive Space Plane; ‘We Don’t Know When It’s Coming Back’

Via Wired.com (Danger Room) -

The Air Force launched a secretive space plane into orbit last night from Cape Canaveral, Florida. And they’re not sure when it’s returning to Earth.

Perched atop an Atlas V rocket, the Air Force’s unmanned and reusable X-37B made its first flight after a decade in development shrouded in mystery; most of the mission goals remain unknown to the public.

The Air Force has fended off statements calling the X-37B a space weapon, or a space-based drone to be used for spying or delivering weapons from orbit. In a conference call with reporters, deputy undersecretary for the Air Force for space programs Gary Payton did acknowledge much of the current mission is classified. But perhaps the most intriguing answer came when he was asked by a reporter wanting to cover the landing as to when the X-37B would be making its way back to the planet.

“In all honesty, we don’t know when it’s coming back for sure,” Payton said.

Payton went on to say that the timing depends on how the experiments and testing progress during the flight, though he declined to elaborate on the details. The vague answer did little to quell questions about the ultimate purpose of the X-37B test program.

At only 29 feet long, the X-37B is roughly one fourth the size of the space shuttle. Its onboard batteries and solar arrays (pictured at left from its NASA days) can keep it operating for up to nine months according to the Air Force. It is similar to the shuttle with payload doors exposing a cargo area, and uses a similar reentry procedure before gliding to a runway. In the case of the X-37B, the vehicle will autonomously return to earth and land itself using an onboard autopilot. The primary landing spot is Vandenberg Air Force Base in California.

Russian Hacker Selling 1.5 Million Facebook IDs

Via ComputerWorld.com -

A hacker named Kirllos has a rare deal for anyone who wants to spam, steal or scam on Facebook: an unprecedented number of user accounts offered at rock-bottom prices.

Researchers at VeriSign's iDefense group recently spotted Kirllos selling Facebook user names and passwords in an underground hacker forum, but what really caught their attention was the volume of credentials he had for sale: 1.5 million accounts.

IDefense doesn't know if Kirllos' accounts are legitimate, and Facebook didn't respond to messages Thursday seeking comment. If they are legitimate, he has the account information of about one in every 300 Facebook users. His asking price varies from $25 to $45 per 1,000 accounts, depending on the number of contacts each user has.

To date, Kirllos seems to have sold close to 700,000 accounts, according to VeriSign Director of Cyber Intelligence Rick Howard. Hackers have been selling stolen social-networking credentials for a while -- VeriSign has seen a brisk trade in names and passwords for Russia's VKontakte, for example. But now the trend is to go after global targets such as Facebook, Howard said.

-------------------------------------

According to some Antichat.ru forum users, Kirllos was born in Russia, lives in New Zealand, is 24 years old and speaks both English and French.

Thursday, April 22, 2010

Iraqi Forces Kill Top AQI Military Commander in the North

Via The Long War Journal -

Iraqi security forces killed al Qaeda in Iraq’s top military commander for the north during a raid yesterday in the outskirts of Mosul.

The al Qaeda military commander, identified as Ahmad Ali Abbas Dahir al Ubayd and also known as Abu Suhaib, was killed during a raid in a region just northeast of Mosul, the US military said in a press release. Ubayd was killed after Iraqi forces, backed by US soldiers, took fire from a building where he was sheltering.

Ubayd was responsible for al Qaeda’s military operations in the northern provinces of Ninewa, Salahadin, and Kirkuk, according to Voices of Iraq.

"He was the guy in charge of operations from Tikrit all the way up to Mosul out to the Syrian border,” General Ray Odierno, the top US commander in Iraq, told Fox News. “He was the military emir."

Khalifa’s death is the latest blow to al Qaeda in Iraq’s leadership over the past three days. On Sunday, Iraqi and US forces killed Abu Ayyub al Masri, the leader of al Qaeda in Iraq who was appointed by Ayman al Zawahiri, and Abu Omar al Baghdadi, the leader of al Qaeda’s puppet Islamic State of Iraq. Both men were killed, along with an aide to al Masri and Baghdadi’s son, after the joint Iraqi-US force launched an operation in the Thar Thar region just outside of Tikrit.

Iraqi and US forces are reported to have seized a treasure trove of intelligence after killing Baghdadi and al Masri. Intelligence teams retrieved documents, laptops, cell phones, and correspondence with al Qaeda leaders, including Osama bin Laden, US military intelligence officials told The Long War Journal.

Intelligence gathered from the raid that killed al Masri and Baghdadi helped Iraqi and US forces hunt down Ubayd, General Odierno said.

US intelligence officials told The Long War Journal that intelligence gathered in the past four months during operations against al Qaeda’s northern network helped the joint forces zero in on al Masri and Baghdadi.

DEA Captures Four Mexican Drug Cartel Leaders

Via Washington Times -

The leadership of a Mexican drug cartel operating in Dallas has been dismantled by a Drug Enforcement Administration-led task force with guilty pleas from four U.S.-based cell leaders and two associates tied to La Familia, a violent Mexico-based gang that killed 20 Mexican federal police and military officers in attacks last year.

Cell leaders Ricardo Hernandez-Cruz, 37; Edgar Gomez-Huerta, 31; Balmer Valencia Bernabe, 34; and Martin Alvarado-Cruz, 33, have pleaded guilty as part of a continuing law enforcement initiative known as Project Coronado, in which nearly 100 La Familia members tied to a drug smuggling and distribution operation in Dallas were arrested. All four await sentencing in U.S. District Court.

La Familia, or "the Family," is one of the Mexican government's highest priorities in its often deadly war against drug-trafficking gangs. Formerly allied with the infamous Gulf cartel, it split off on its own in 2006. Its boss, Nazario Moreno Gonzalez, has preached his gang's divine right to strike its enemies.

Wednesday, April 21, 2010

HD Moore: Death By 32 Bits

http://python.sys-con.com/node/1356355

On Wednesday, April 21, HD will present “Death by 32-bits” about how population growth, random-access memory (RAM) prices and the slow migration to 64-bit platforms have converged to radically shift existing security models. He will share his insight on the limitations of 32-bit platforms, the cheap availability of grid computing, and how all of this ties together to leave the Internet, as a whole, vulnerable to wide-spread attacks.


--------------------------------------

HD's Slides....
http://www.metasploit.com/data/confs/source2010/DeathBy32.pdf

Researchers Hijack Cell Phone Data, GSM Locations

Via Threatpost.com -

A pair of security researchers has discovered a number of new attack vectors that give them the ability to not only locate any GSM mobile handset anywhere in the world, but also find the name of the subscriber associated with virtually any cellular phone number, raising serious privacy and security concerns for customers of all of the major mobile providers.

The research, which Don Bailey of iSec Partners and independent security researcher Nick DePetrillo will present at the SOURCE conference in Boston today, builds upon earlier work on geolocation of GSM handsets and exposes a number of fundamental weaknesses in the architecture of mobile providers' networks. However, these are not software or hardware vulnerabilities that can be patched or mitigated with workarounds. Rather, they are features and functionality built into the networks and back-end systems that Bailey and DePetrillo have found ways to abuse in order to discover information that most cell users assume is private and known only to the cell provider.

"I haven't seen anything out there anywhere on this. Who owns a cell number isn't private," DePetrillo said. "If you go through entire number ranges and blocks, you'll get numbers for celebrities, executives, anyone. You can then track them easily using the geolocation information."

At the heart of the work the pair did is their ability to access the caller ID database mobile providers use to match the names of subscribers to mobile numbers. This is the same database that contains the subscriber information for landlines, but most mobile users don't realize that their data is entered into this repository, Bailey said.

"A lot of this isn't terribly secret, but it's not that well-known," Bailey said. "To find information on users, that was our goal. These pieces of information come from all over. The caller ID database provides a lot of information about people and companies. One thing we found is that we could go through the provider network in a given city and determine which numbers have been allocated to a given company. Using that information, you can leverage some of our attacks and target specific handsets owned by company executives."

A bill that would make caller ID spoofing illegal passed the House of Representatives just last week, but Bailey said the change would not affect their attacks because they're not using the spoofing techniques for anything illegal or deceptive.

Once they accessed the database, known as the Home Location Register (HLR), the researchers are able to determine which mobile provider a given subscriber uses, and then combine that with the caller ID data, giving them a profile of the subscriber. This is a correlation that most mobile subscribers think isn't possible because there isn't a public white pages directory of mobile numbers. Using that information, Bailey and DePetrillo have the ability to tailor specific attacks to the user's handset.

-----------------------------------------------

According to sources at the conference, DePetrillo said the following during their talk...
[The] White House should reconsider policy on personal cell phones on Air Force One.

Tuesday, April 20, 2010

Gang Starr - Moment Of Truth



-------------------------------

Just over a month since undergoing surgery following a heart attack, Gang Starr MC Guru (born Keith Elam) has died at age 43. According to a statement, Guru died of cancer-related causes on Monday after a long fight with the disease.

R.I.P Guru

Facebook Further Reduces Your Control Over Personal Information

Via EFF -

Once upon a time, Facebook could be used simply to share your interests and information with a select small community of your own choosing. As Facebook's privacy policy once promised, "No personal information that you submit to Facebook will be available to any user of the Web Site who does not belong to at least one of the groups specified by you in your privacy settings."

How times have changed.

Today, Facebook removed its users' ability to control who can see their own interests and personal information. Certain parts of users' profiles, "including your current city, hometown, education and work, and likes and interests" will now be transformed into "connections," meaning that they will be shared publicly. If you don't want these parts of your profile to be made public, your only option is to delete them.

[...]

There is one loophole — tell Facebook you're under 18. Under Facebook's policy for minors, your interests would only be visible for friends and family and verified networks. You would not be publicly listed on these new connection pages. However, this only works as you set up a new account.

The new connections features benefit Facebook and its business partners, with little benefit to you. But what are you going to do about it? Facebook has consistently ignored demands from its users to create an easy "exit plan" for migrating their personal data to another social networking website, even as it has continued — one small privacy policy update after another — to reduce its users' control over their information.

The answer: Let Facebook hear your frustration. Last December, when Facebook announced a new round of privacy degradations, it provoked a potent combination of public outrage, legal threats, and government investigations. In response, Facebook listened to some criticism and walked back a few of its changes. Now it will allow users to adjust the visibility of information in their profiles, such as hiding your friend list from other friends. If you want Facebook to walk back these new changes too, let them know how you feel.

Government Requests Directed to Google and YouTube

http://www.google.com/governmentrequests/

Like other technology and communications companies, we regularly receive requests from government agencies around the world to remove content from our services, or provide information about users of our services and products. The map shows the number of requests that we received between July 1, 2009 and December 31, 2009, with certain limitations.

We know these numbers are imperfect and may not provide a complete picture of these government requests. For example, a single request may ask for the removal of more than one URL or for the disclosure of information for multiple users. See the FAQ for more information.


------------------------------

You might notice the red question mark in China....
Chinese officials consider censorship demands as state secrets, so we cannot disclose that information at this time.

Cyberattack on Google Said to Hit Password System

Via NYTimes.com -

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.

The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.

The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in a cluster of computers, popularly referred to as “cloud” computing, a single breach can lead to disastrous losses.

The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.

By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

The details surrounding the theft of the software have been a closely guarded secret by the company. Google first publicly disclosed the theft in a Jan. 12 posting on the company’s Web site, which stated that the company was changing its policy toward China in the wake of the theft of unidentified “intellectual property” and the apparent compromise of the e-mail accounts of two human rights advocates in China.

Monday, April 19, 2010

Top Al-Qaeda Leader Linked to Five Americans on Trial in Pakistan

Via The Long War Journal -

Pakistani prosecutors claim that five Americans currently on trial for attempting to join al Qaeda were in contact with a top leader of the terror group.

The five Americans are said to have made contact with Qari Saifullah Akhtar, the leader of the radical Harkat-ul-Jihad-al-Islami and the commander of al Qaeda's Brigade 313. Prosecutors presented evidence, including phone calls, emails, and other documents that linked Akhtar and the five would-be terrorists, according to Dawn.

Akhtar recruited the five Americans after watching their videos posted on YouTube, according to Pakistani police officials. Akhtar was able to obtain emails through the YouTube postings and encouraged the men to travel to Pakistan to join the jihad.

The five American Muslim men were detained in the city of Sargodha in Punjab province in December 2009 after a family member discovered they were missing and contacted the FBI. The five Americans have been identified as Umar Farooq, Waqar Hussain, Rami Zamzam, Ahmad Abdullah Mini, and Amman Hassan Yammer.

The Americans were attempting to enter North Waziristan to join al Qaeda. They arrived in Karachi in November 2009; their passports stated they entered the country to attend a wedding. They traveled to Lahore to meet their al Qaeda contact, but he never appeared. The five men then traveled to Sargodha in an attempt to reestablish contact and make their way into North Waziristan. The men stayed at a home owned by Farooq's uncle. Pakistani police arrested the five Americans after being tipped off about their whereabouts.

Al-Maliki: Al-Qaeda in Iraq Leaders Killed

Via Washington Post -

Iraqi Prime Minister Nouri al-Maliki announced Monday that the two leaders of the Sunni insurgent group al-Qaeda in Iraq have been killed.

In a televised news conference, Maliki said Abu Ayyub al-Masri, the leader of al-Qaeda in Iraq, and Abu Omar al-Baghdadi, the head of the Islamic State of Iraq, an umbrella group that includes al Qaeda in Iraq, were found dead in a ditch after an air strike conducted by American forces.

American officials did not immediately confirm the death of the top insurgent leaders, and there was no way to independently verify the claim. In the past, Iraqi officials have announced the capture or killing of top al-Qaeda in Iraq leaders who later turned out to be free and very much alive.

Iraqi officials said last summer that Baghdadi, a shadowy figure who some U.S. intelligence officials have long suspected is a fictionalized character, was in custody. They supported that claim with a video and photos of the alleged insurgent.

U.S. intelligence officials say non-Iraqi leaders of the Islamic State of Iraq created the myth of Baghdadi to bolster the group's standing in a deeply nationalistic country. Recent audio messages posted on insurgent Web sites have been attributed to him. In the statements, the organization has vowed to continue attacking state symbols and entities that support it. It had threatened to derail the parliamentary elections that were held March 7.

--------------------------------------

According to the NYTimes....
After Mr. Maliki’s press conference, the American military released a statement verifying that Mr. Baghdadi was killed in a joint raid between Iraqi and United States forces in the dark hours of Sunday morning near Tikrit, near Saddam Hussein’s hometown. Also killed, according to Mr. Maliki and American officials, was Abu Ayyub al-Masri, the leader of Al Qaeda in Iraq, also known as Al Qaeda in Mesopotamia, a largely Iraqi group that includes some foreign leadership. Both men were found in a hole in the ground.
More information can be found over @ the LWJ and the CT Blog....

OWASP Top 10 for 2010

http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

On April 19, 2010 we released the final version of the OWASP Top 10 for 2010. This version was updated based on numerous comments received during the comment period after the release candidate was released in Nov. 2009.

The OWASP Top 10 Web Application Security Risks for 2010 are:

  • A1: Injection
  • A2: Cross-Site Scripting (XSS)
  • A3: Broken Authentication and Session Management
  • A4: Insecure Direct Object References
  • A5: Cross-Site Request Forgery (CSRF)
  • A6: Security Misconfiguration
  • A7: Insecure Cryptographic Storage
  • A8: Failure to Restrict URL Access
  • A9: Insufficient Transport Layer Protection
  • A10: Unvalidated Redirects and Forwards

School District Allegedly Snapped Thousands of Student Webcam Spy Pics

Via Wired.com (Threat Level) -

A webcam spying scandal at a suburban Philadelphia school district is broadening, with lawyers claiming the district secretly snapped thousands of webcam images of students using school-issued laptops without the pupils’ knowledge or consent.

Some of the images included pictures of youths at home, in bed or even “partially dressed,” according to a Thursday filing in the case. Pupils’ online chats were also captured, as well as a record of the websites they visited.

When the story first broke in February, the district said the cameras were activated only a handful of times when a laptop was reported stolen or missing — an assertion lawyers suing the district say is false.

“Discovery to date has now revealed that thousands of webcam pictures and screen shots (.pdf) have been taken from numerous other students in their homes, many of which never reported their laptops lost or missing,” attorney Mark Haltzman wrote in a Thursday federal court filing.

Sunday, April 18, 2010

SWJ: Will Bad Information Lead to Bad Decisions?

http://smallwarsjournal.com/blog/journal/docs-temp/419-brown.pdf

As a scientist I worry that too much of the discussion of poppy and opium in Afghanistan is based on bad biology, bad economics, and bad horticulture. Can we make good decisions based on wrong information?

Case in point. The other night CNN reported from Helmand on the usual "oh look at all that poppy" stuff that is part of the spring season. It is bad enough that the fields that CNN shows "blooming" are uniform green with not a flower in sight (was it really poppy?), but then the reporter, Chris Lawrence, says, "Every few days or so the Taliban will come by and pick off some bulbs," and the Marine being filmed adds that he and his colleagues have seen the bad guys "hack a few plants that are ready to go and put it on a donkey and just head north." Chris goes on to say that the Marines are not allowed to "slash and burn" the poppy fields.

Poppies don't have bulbs; they have seed pods. A single poppy pod or even a whole poppy plant is not particularly valuable, and mown green poppy plants have no value for drugs.

[...]

These mistakes highlight the gaps in the knowledge base of allied forces, journalists and other "experts" and their lack of access to appropriate information and technical resources.

Unfortunately, the young Afghans who go to the field as interpreters are too often urban, Peshawar-educated fellows who would not ever leave their city environment if they had other work. They are unlikely to recognize agriculture crops or know anything about farming systems. Bureaucrats in Kabul, Washington and London suffer similar weaknesses.

Ignorance of fundamentals leads to risible reporting, as in the CNN piece, but left unchallenged and uncorrected, ignorance might also lead to bad decisions.

Al Qaeda in Iraq Using New Tactic - HBIEDs

Via Jordan Times -

Al Qaeda in Iraq is rigging houses and shops with explosives in a new tactic that has killed and maimed civilians in recent weeks and defied the thousands of security forces in Baghdad, officials say.

The renting of residential buildings for targeted bombings has forced police and the army to adapt their operations, in a bid to prevent more of the attacks that have killed dozens since the country’s inconclusive March 7 election.

The US military has even coined a new acronym - HBIED (house-borne improvised explosive device) for the bombings, which have also left hundreds wounded in the past month in the Iraqi capital.

The HBIED follows the IED (improvised-explosive device - homemade bomb) and VBIED (vehicle-borne improvised-explosive device - car bomb) into a terrorist lexicon started in Iraq and subsequently transported to Afghanistan.

“Our forces are focusing on the renting of apartments and buildings,” Major General Qassim Atta, a Baghdad security forces spokesman, told AFP.

Insurgents were continually looking to exploit gaps in the city’s defences, he said.

“They change their methods periodically because most of their plans and tactics have been discovered. I believe they are already searching for another method of attack, maybe churches or bridges.”

Some 25 people were killed on election day, when explosives destroyed two buildings in northeast Baghdad. The US military, which pointed the finger at Al Qaeda, said the properties had been rented and deliberately blown up.

A further 35 people died on April 6, when explosives were planted in houses and shops in mostly Shiite neighbourhoods, leading Atta to say Iraq was in an “open war” with Al Qaeda and loyalists of executed former president Saddam Hussein.

A number of those properties had also been rented days earlier, security officials told AFP.

Counterterrorism experts say the insurgents are placing bombs in houses and shops despite the methods being frowned upon by much of Al Qaeda.

“These stories are credible,” said Brian Fishman, a counterterrorism research fellow at the New America Foundation in Washington, DC and author of “Dysfunction and Decline: Lessons Learned from Inside Al Qaeda in Iraq”.

“The tactic is seen as very disreputable, even among active insurgents,” but it allows them “to get around a lot of the tactics developed to prevent car bombs”, such as the mass of security checkpoints in Baghdad, Fishman said.

“Al Qaeda in Iraq’s propaganda arm has disavowed the tactic and urged supporters to distribute their statement widely... but that doesn’t mean they are not doing it,” he added.

American officers agree that insurgents, including Al Qaeda, have adapted their tactics.

“The terrorist threat that exists in this country, and it does exist to a degree, will continue to evolve,” said US military spokesman Brigadier General Steve Lanza.

“One of the tactics you have seen is to take buildings and to destroy them, causing a lot of collateral damage and a lot of injuries. The purpose is to foment sectarian violence but they have not succeeded.”

Al-Qaeda is 'like Middle-Aged Dad at Disco'

Via adelaidenow.com.au -

Satire and ridicule can help win the fight against al-Qaeda by stripping it of its glamour and mystique, argues a team of British researchers.

Beating the Islamist movement is as much about winning the battle of ideas and undermining al-Qaeda's counter-culture cachet as it is about conventional anti-terrorism operations, said the report.

"Terrorism must be defeated through the deliberate 'toxification' of the al-Qaeda brand; not by making it seem dangerous, but by exposing it as dumb," Jamie Bartlett, one of the report's authors, told AFP.

"Al-Qaeda has to be ridiculed as the equivalent of a middle-aged dad at a school disco: enthusiastic, incompetent and excruciatingly uncool."

Dr Bartlett, together with Jonathan Birdwell and Michael King, published The edge of violence, a radical approach of extremism on the website of the London-based think tank Demos. The report summarised two years of work in Britain, Canada, Denmark, France and the Netherlands, which included interviews with 58 people convicted of terror-related offences and with 20 radical, but non-violent Muslims.

Researchers also interviewed 70 Muslims in Canada and 75 local and national experts.

"An increasingly important part of al-Qaeda's appeal in the West is its dangerous, romantic and counter-cultural characteristics," said an executive summary of the report.

"Young Muslims are drawn, like young people throughout the ages, to excitement, rebellion and a desire to be cool," Dr Bartlett, who heads up the extremism and violence department at Demos, told AFP.

"But like every anti-establishment movement before it, al-Qaeda has become cool, with Mr bin Laden cast as the new Che," he added.

One could not deny that ideology was important to some of al-Qaeda's terrorists, he said.

[...]

So while it was important for the police and intelligence agencies to continue their battle against al-Qaeda, other tactics also had an important role to play.

Part of the battle was to strip the movement of its glamour and mystique, said the report. Messages "from a range of organisations, should stress that most al-Qaeda-inspired terrorists are in fact incompetent, narcissistic, irreligious".

The idea was to demystify terrorist lives and deaths, said Dr Bartlett.

"The average day in the life of an Islamic extremist is similar to that of a petty criminal: tedious, lonely and punctuated by fear."

Satire was another powerful tool, the report added, noting that it had been used effectively against both the Ku Klux Klan and the British Fascist party in the 1930s. Satire, however, was not a job for the authorities, but for others in society, it added.

Fighting al-Qaeda was not about preventing angry young Muslims from rebelling, but about finding ways to channel a natural sense of subversion and radicalism into non-violent areas, the report argued. It also recommended a liberal approach to fighting al-Qaeda's ideology, exposing it to debate rather than suppressing it, but being sure to provide effective counter-arguments.

"The threat of violent radicalisation can never be 'solved' or completely neutralised; it can only be managed," the report warned.

-----------------------------------------------------

Saturday, April 17, 2010

Inside the Java 0-Day Exploit

Via ThreatPost.com -

The Java Web Start vulnerability that has been getting so much attention of late is being attacked by a number of different sites now, with a relatively simple and easily reproducible exploit, researchers say.

The Java flaw, which Google researcher Tavis Ormandy disclosed publicly on April 9, was patched by Sun yesterday with an emergency out-of-cycle fix after evidence surfaced that it was being exploited on one Web site. But researchers at FireEye have seen some other sites using the exploit against visitors, as well. The company has published a detailed analysis of the exploit, which it says is quite simple.

The site, which is offline now, was hosting the exploit in a familiar fashion. The main page directed users to a secondary page, on which the exploit itself was actually hosted. That page performs a drive-by download that installs a Trojan downloader on the victim's machine. That Trojan then downloads and installs a second stage piece of malware.

The series of downloads eventually installs a Trojan called Piptea, which is the basis of a large pay-per-install network, the researchers said.

The FireEye researchers said that the site launching the exploit was registered on April 8, the day before Ormandy disclosed the Java flaw.

"It's pretty obvious that the simplicity and reliability of this exploit will make it a lethal weapon for the bad guys in coming days. Plus, the unavailability of any working patch is making the overall picture scarier. I am pretty sure that in the coming days, this exploit will become part of underground exploit kits. This means that even a kiddie with basic computer skills and bad intentions can start making money out of this," FireEye's Atif Mushtaq said in the blog post.

South Korean Officials Say External Blast Sunk Navy Ship

Via GlobalSecurity.org -

South Korean investigators have all but ruled out an on-board accident or collision with rocks as the cause of a navy ship's sinking. The government is still treating the matter delicately, as suspicions remain that North Korea was involved in the sinking.

A multinational investigative team said Friday that the South Korean naval corvette, the Cheonan, split in half and sank earlier this month due to force applied from outside the ship.

Yoon Duk-yong, chief of the team, which includes marine salvage experts from the United States and Australia, says there is a far higher possibility of external explosion than one inside the ship.

[...]

Salvage teams have managed to raise the biggest sections of the ship, and recover most of the bodies of the 46 sailors killed in the incident.

Yoon says fragments of the hull are bent inward, showing that the explosive force came from the outside. He adds the likeliest possible causes of an onboard accident have been eliminated.

He says there is no damage to the ship's ammunition depot, fuel tanks, or diesel engine room. Plastic coverings of electrical wires were also undamaged. Yoon says a lack of damage to the underside of the ship sharply reduces the chances it hit a reef or other underwater obstacle.

South Korean Defense Minister Kim Tae-yoon is among those who have publicly speculated the Cheonan may have been destroyed by a North Korean mine or torpedo. Officials in Seoul are carefully avoiding any direct accusations, but Kim says the matter is being treated seriously.

He says South Korea's government and military are treating the Cheonan incident as a "grave national security issue."

Investigators say it could take months or even years to find hard evidence of a North Korean role in the sinking, in the form of mine or torpedo splinters in the wreckage. They caution against drawing premature conclusions.

U.S. State Department Spokesman Philip Crowley said Thursday that Washington is offering full assistance to South Korea in the probe. He warned that North Korea's behavior in the region may affect multinational talks aimed at ending the North's nuclear weapons programs in exchange for energy, financial and diplomatic incentives.

Taliban Cooperation with Al-Qaeda 'is at the highest limits'

Via The Long War Journal -

The top leader of the dangerous Haqqani Network operating in eastern Afghanistan said that al Qaeda fighters are welcome to fight alongside the Taliban, and that his forces control 90 percent of the areas under his command.

Siraj Haqqani, the military commander of the deadly Haqqani Network, a Taliban group that operates in eastern Afghanistan, made the statements during an interview conducted by Abu Dujanah al Sanaani for the newly established Al Balagh Media Center. A translation of Siraj's interview was provided by Flashpoint Partners.

Siraj stated he was 30 years old and confirmed he is a "member in the Shura Council in the Islamic Emirate" of Afghanistan. Better known as the Quetta Shura, the Taliban's top council is headquartered in the Pakistani city of Quetta in the southwestern province of Baluchistan.

During the interview, Haqqani admitted that foreign members of al Qaeda are welcome to fight with his men and the rest of the Taliban, and that relations between the Taliban and al Qaeda are excellent.

When asked about the Haqqani Network and the Taliban's relationship with "mujahideen who emigrate to the land of the Khorasan" and whether they "form any obstacle or burden on the Afghani people," Siraj responded that the foreign fighters, or al Qaeda, "enlighten the road for us and they resist against the cross worshippers by cooperating with us and us with them in one trench." Siraj also said that cooperation between Arab fighters and the Taliban "is at the highest limits."

Siraj's disclosure that his fighters are closely allied with al Qaeda matches statements made by Mullah Sangeen Zadran, one of Siraj's top lieutenants. Sangeen is the top military commander in Paktika province, a Haqqani Network stronghold. In an interview released in September 2009 by As Sahab, al Qaeda's top media outlet, Sangeen said al Qaeda and the Taliban "are all one and are united by Islam."

WebOS: Examples of SMS Delivered Injection Flaws

Via intrepidusgroup.com -

Intrepidus Group has been doing mobile application security testing for over three years now, and during this time we’ve discovered and responsibly disclosed a number of vulnerabilities in Brew, Windows Mobile, BlackBerry, and iPhone applications. We have been contracted time after time to perform threat modeling, penetration testing, and various other security assessments on these platforms. So, as anyone would expect, we were all looking forward to have a glance at Palm’s new WebOS platform.

[...]

So what vulnerabilities are we talking about? What was uncovered after a few hours of poking around? The WebOS SMS client wasn’t performing input/output validation on any SMS messages sent to the handset. This led to a rudimentary HTML injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over a SMS message). We have produced a video demonstrating some of these possible attacks.

In this video a number of text messages were sent to the device. Leveraging the HTML injections, and some innate WebOS functionality, we were able to perform actions ranging from opening up a website by simply reading an SMS to turning off the handset’s radio.

[...]

This only focuses on the SMS client of WebOS for this demonstration. The HTML injection bug may be present in a number of WebOS applications. Any app installed via the market place (even other Palm developed apps) may be vulnerable to this or other common web application vulnerabilities. We hope that by seeing these attacks in action, WebOS application developers will know what kind of defenses they must code into their applications. We hope that by raising awareness of this threat, users will be aware of the dangers their WebOS applications can present, and that product managers will insist on security assurance testing before their offering goes live.

-------------------------

Follow the link at the top to see all the example SMS messages. The simple ability to do these things by just sending a SMS is quite shocking, to say the least.
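To illustrate the missing output validation described in the WebOS item above, here is an added example (not code from Intrepidus, Palm or WebOS) that renders a message body into an HTML view with and without output encoding. All function names and the sample messages are constructed for this illustration.

```javascript
// Added example: output-encoding untrusted SMS text before it reaches an
// HTML view. Function names and sample data are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: sender and body concatenated straight into markup.
function renderMessageUnsafe(sender, body) {
  return '<div class="msg"><span class="from">' + sender + '</span>' +
         '<span class="body">' + body + '</span></div>';
}

// Hardened pattern: both untrusted fields are encoded at output time.
function renderMessageSafe(sender, body) {
  return '<div class="msg"><span class="from">' + escapeHtml(sender) + '</span>' +
         '<span class="body">' + escapeHtml(body) + '</span></div>';
}

// Count opening tags in rendered markup. The template alone contributes 3,
// so any higher count means message text was interpreted as HTML.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample messages (not taken from the Intrepidus write-up).
const SAMPLES = [
  { sender: '+15550100', body: 'Lunch at 12? <3' },
  { sender: '+15550101', body: '<iframe src="http://example.invalid/"></iframe>' },
  { sender: '+15550102', body: 'Tom & Jerry say "hi"' },
];

// Render each sample both ways and report how many tags each view contains.
function auditSamples() {
  return SAMPLES.map(({ sender, body }) => ({
    body,
    unsafeTags: countOpeningTags(renderMessageUnsafe(sender, body)),
    safeTags: countOpeningTags(renderMessageSafe(sender, body)),
  }));
}
```

Encoding at the point of output keeps legitimate text such as `<3` or `&` readable while ensuring nothing in the message is parsed as markup.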