Wednesday, June 30, 2010
Security expert Fred Burton analyzes the U.S. arrests of alleged Russian spies and discusses the interconnected nature of espionage cases.
The NYTimes also has a cool story on "illegals" and the former Russian Intelligence system.
If you have checked in with Foursquare in San Francisco in the last three weeks, Jesper Andersen probably knows where and when — even if you’ve set your check-ins to be published to friends only.
Andersen, a coder who recently built a service called Avoidr that helps you avoid social network “friends” you don’t really like, figured out that Foursquare had a privacy leak because of how it published user check-ins on web pages for each location.
On pages like the one for San Francisco’s Ferry Building, Foursquare shows a random grid of 50 pictures of users who most-recently checked in at that location — no matter what their privacy settings. When a new check-in occurs, the site includes that person’s photo somewhere in the grid. So Andersen built a custom scraper that loaded the Foursquare web page for each location in San Francisco, looked for the differences and logged the changes.
Even though he was using an old computer running through the slow but anonymous Tor network, Andersen estimates he logged about 70 percent of all check-ins in San Francisco over the last three weeks.
That amounts to 875,000 check-ins.
Andersen reported the privacy breach to Foursquare two Sundays ago — and the company admitted the bug existed. They asked for a week or so to fix the bug, and now, according to an e-mail sent to Alexander, the company is modifying its privacy settings to let users opt out of being listed on locations’ web pages. The site previously allowed users to opt out of being listed in the “Who’s here now” function, but until Tuesday that button didn’t apply to listing “Who’s checked in there.”
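To make the bug concrete, here is an added toy model of the leak and of the fix Foursquare describes. It is not Foursquare's code: the User/Location model, the flag names and the scraper's diff logic are assumptions drawn from the article.

```python
"""Toy model of the location-page leak described above, beside the fix.

Added example, not Foursquare's code: the User/Location model, the flag
names and the scraper logic are assumptions drawn from the article.
"""
import random
from dataclasses import dataclass, field

GRID_SIZE = 50  # the article says each location page shows 50 recent photos


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)  # names of this user's friends
    friends_only: bool = False                  # check-ins published to friends only
    listed_on_location_pages: bool = True       # the opt-out Foursquare added


@dataclass
class Location:
    name: str
    checkins: list = field(default_factory=list)  # User objects, oldest first


def render_grid_vulnerable(loc, viewer=None, rng=random):
    """Before the fix: the GRID_SIZE most recent check-ins, shuffled, with the
    users' privacy settings never consulted."""
    grid = [u.name for u in loc.checkins[-GRID_SIZE:]]
    rng.shuffle(grid)  # random placement hides *when*, not *who*
    return grid


def may_list(user, viewer):
    """The rule the friends-only feed already applied; the fix is to apply it
    here too, before a check-in reaches a public location page."""
    if not user.listed_on_location_pages:
        return False
    if user.friends_only:
        return viewer is not None and viewer.name in user.friends
    return True


def render_grid_fixed(loc, viewer=None, rng=random):
    """After the fix: filter by privacy settings first, then take the most recent."""
    visible = [u for u in loc.checkins if may_list(u, viewer)]
    grid = [u.name for u in visible[-GRID_SIZE:]]
    rng.shuffle(grid)
    return grid


def diff_snapshots(before, after):
    """What the scraper did: names in the new grid that were not in the old
    one are the check-ins that happened between the two page loads."""
    return set(after) - set(before)


def leaked_checkins(render):
    """Drive one renderer as an anonymous scraper would (viewer=None) and
    return the names it recovers after three new check-ins."""
    alice = User("alice", friends={"bob"}, friends_only=True)
    carol = User("carol", listed_on_location_pages=False)
    dave = User("dave")  # fully public
    ferry = Location("Ferry Building", [User(f"u{i}") for i in range(10)])
    rng = random.Random(0)
    snap0 = render(ferry, viewer=None, rng=rng)
    ferry.checkins.extend([alice, carol, dave])
    snap1 = render(ferry, viewer=None, rng=rng)
    return diff_snapshots(snap0, snap1)
```

Shuffling the grid only hides the order of check-ins; the privacy check has to run before a check-in is placed in the page at all.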
“I’m trying to be white-hat,” Andersen said. “It definitely felt icky at times.”
Andersen confirmed the validity of his script’s findings by checking the results with people he knew. And even though his groups of friends “live in a data mining culture,” the findings didn’t sit well with all of them.
“Some were grossed out by it, and a couple of people stopped using Foursquare,” Andersen said. “One had a stalker and got creeped out by it.”
Foursquare declined to respond to two e-mail requests for comment, but in an e-mail to Andersen, Foursquare programmer Jon Hoffman thanked Alexander for bringing the issue to the company’s attention.
Privacy settings are great... and people really should set them to be as private as possible (while keeping the service usable for your needs), but in the end... you really shouldn't trust those settings to keep your data completely private.
There is always a risk that the information will be exposed. It's best to be aware of this residual risk... and either accept it... or not.
Sometimes, exploit writers would kill for a fixed address to pivot from. Nowadays, in the days of ASLR and DEP, any memory leak is welcome. Yesterday, Stefano Di Paola posted the following tweet http://twitter.com/WisecWisec/status/17254776077. After elaborating that weird behaviour I discovered a flaw in mshtml.dll, exploitable via Internet Explorer. In VBScript/JScript there are at least two functions that make use of timers: setTimeout and setInterval. According to the documentation, the return value should be a Timer ID. In Chrome and FF [Firefox] this ID is purely sequential (1,2,3,4...) but in IE I was getting "weird" IDs. Later on I discovered that those IDs turned out to be a heap address plus a counter.
Products affected: XP/Vista/Windows7 32/64 bit. IE8. IE9 is not vulnerable.
In plain English, this technique could be used to bypass ASLR or at least make it a less effective protection layer.
More info here.
Tuesday, June 29, 2010
Panetta denied claims that Anwar al-Awlaki is on an "assassination list," but said al-Awlaki -- who is believed to be hiding in Yemen and taking on an operational terrorist role -- is engaged in a campaign to encourage attacks on the United States.
"We have a terrorist list and he's on it," Panetta said.
Speaking with ABC's "This Week," Panetta affirmed that several terror plots can be traced back to the radical cleric, who last month called for the killing of American civilians in a video released by Al Qaeda in the Arabian Peninsula.
"Awlaki is a terrorist who has declared war on the United States. Everything he's doing now is to try to encourage others to attack this country -- there's a whole stream of intelligence that goes back to Awlaki and his continuous urging of others to attack this country in some way," Panetta said. "Awlaki is a terrorist and, yes, he's a U.S. citizen, but he is first and foremost a terrorist and we're going to treat him like a terrorist."
Several members of the European Parliament have voiced concern over the recent disclosure in Colombia of an alleged operation to undermine the European Union’s parliamentary and human rights bodies. The operation is reportedly mentioned in internal documents belonging to Colombia’s Administrative Department of Security (DAS), which were recently confiscated by the office of the Colombian Attorney General. The confiscated documents describe a clandestine program codenamed Operation EUROPE, which aims to wage a “legal war” intended to discredit and “neutralize the influence of the European judicial system, the European Parliament’s human rights subcommittee, and the office of the United Nations High Commissioner for Human Rights”. These bodies routinely join international human rights organizations in criticizing the abysmal civil liberties record of the government of Colombian President Alvaro Uribe. This record caused the United States Congress, which is usually Colombia’s staunchest international supporter, to vote to terminate all US monetary assistance to the DAS intelligence agency.
But the more interesting element of this case, as it develops, is not that the Russians were playing spy games in America. I’d drop down unwell if the Americans weren’t doing the same to them, and we still have the shining and glorious moment in British intelligence history of the plastic listening rock placed in Moscow by our own gallant lads… No, the more interesting element (relevant to Europeans as well) is that these characters were also empowered to seek out investment opportunities for Russian money in think-tanks and lobbying outfits. The new capitalist Russia doesn’t need to turn westerners to work for them, it gives them a whacking great big research grant instead. Buying influence is again nothing new – western industry has done it successfully for years and years – but this is the great leap that has been made by Russians, particularly in Europe actually.
So, whilst this is embarrassing it is also temporary. This particular ’shocker’ will fade into the annals of news cuttings. The growing influence of Russian money (amongst others, let’s not single out Russia here, there are some very much less desirable funding sources in UK think-tanks and higher education than them) is perhaps the bigger cause for concern. Perhaps the Cold War has given way to a behind-the-scenes battle for ideas. ‘Follow the money’ is the famous cry from Watergate, as it was from the popular TV depiction ‘The Wire’. In both cases, uncovering the money reveals some seriously discomforting revelations.
Don’t worry so much about espionage; start worrying about influence.
Very interesting take on the recent Russian spy case....
Mark Hosenball @ the Declassified Blog ends with a very similar question...
Apart from the SVR's seemingly anachronistic methodology, another big question remains unanswered: why bother to set up such elaborate long-term undercover plants when the Russians could arguably buy as much influence as they want in Washington by simply hiring the right consultants, lawyers, and lobbyists?
Moscow communicated with a ring of alleged spies in America by encoding instructions in otherwise innocent-looking images on public websites. It’s a process called steganography. And it’s one of a slew of high-tech and time-tested methods that the deep-cover agents and their Russian handlers used to pass information — from private Wi-Fi networks to buried paper bags.
The accused Russian spy network started using steganography as early as 2005, according to the Justice Department’s criminal complaint against the conspirators, unsealed yesterday in Manhattan. In 2005, law enforcement agents raided the home of one of the alleged spies. There, they found a set of password-protected disks and a piece of paper, marked with “alt,” “control,” “e,” and a string of 27 characters. When they used that as a password, the G-Men found a program that allowed the spies “to encrypt data, and then clandestinely to embed the data in images on publicly available websites.”
The G-Men also found a hard drive. On it was an address book with website URLs, as well as the user’s web traffic history. “These addresses, in turn, had links to other websites,” the complaint notes. “Law-enforcement agents visited some of the referenced websites, and many others as well, and have downloaded images from them. These images appear wholly unremarkable to the naked eye. But these images (and others) have been analyzed using the Steganography Program. As a result of this analysis, some of the images have been revealed as containing readable text files.”
These messages were used to arrange meetings, cash drops, deliveries of laptops and further information exchanges. One of the steganographically hidden messages also directed the conspirators to use radiograms — a decades-old method to pass information, long discredited in spooky circles.
“The FBI must have been clapping its collective hands when it discovered the primitive radio techniques the Russians were using: high-speed ‘burst transmissions,’” writes SpyTalk’s Jeff Stein. “The Cold War-era technique requires the sending party to record a coded Morse code message on a tape, then shoot it through the air in a millisecond. They were easy picking for the FBI, once it knew where to listen.”
According to the FBI, bugs in the spies’ homes picked up “the irregular electronic clicking sounds associated with the receipt of coded radio transmissions.”
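The complaint's description of a program that encrypts data and then hides it in ordinary-looking images is least-significant-bit steganography, and the same property that makes the images look unremarkable also leaves a statistical trace. The following is an added example, not code from the article or the complaint: the cover image and message are constructed here, and the XOR "keystream" merely stands in for the real encryption step.

```python
"""LSB image steganography of the kind the complaint describes, beside the
pairs-of-values chi-square test that reveals it.

Added example, not from the article or the complaint: the cover image and
message are constructed, and the XOR 'keystream' only stands in for the
spies' encryption step (it is not a secure cipher).
"""
import random

WIDTH, HEIGHT = 64, 64


def make_cover(seed=1):
    """Constructed 8-bit grayscale cover of 4096 pixels in which even values
    are three times likelier than odd ones. Untouched photos likewise have
    unequal counts within each pair of values (2k, 2k+1); that imbalance is
    what LSB embedding destroys."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(WIDTH * HEIGHT):
        v = rng.randrange(256)
        pixels.append(v & 0xFE if rng.random() < 0.75 else v | 1)
    return pixels


def toy_xor_stream(data, key):
    """Stand-in for 'encrypt data, then embed': XOR with a seeded PRNG stream.
    Symmetric, so the same call recovers the plaintext. Illustrative only."""
    rng = random.Random(key)
    return bytes(b ^ rng.randrange(256) for b in data)


def embed_lsb(pixels, payload):
    """Copy the pixels and overwrite the least significant bit of successive
    pixels with a 4-byte length prefix followed by the payload bits."""
    framed = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in framed for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for this cover")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def extract_lsb(pixels):
    """Read the length prefix, then that many bytes, back out of the LSB plane."""
    def read(start, n):
        data = bytearray()
        for j in range(n):
            v = 0
            for k in range(8):
                v = (v << 1) | (pixels[start + j * 8 + k] & 1)
            data.append(v)
        return bytes(data)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def chi_square_pov(pixels):
    """Westfeld-Pfitzmann pairs-of-values statistic. Random LSBs drive the
    counts of 2k and 2k+1 toward equality, so a value far below that of an
    untouched image of the same size suggests the LSB plane was overwritten."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi2 = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected > 0:
            chi2 += (hist[2 * k] - expected) ** 2 / expected
    return chi2


def demo():
    """Hide a constructed message in the cover and return the recovered text
    plus the statistic before and after embedding."""
    cover = make_cover()
    message = ("Constructed text standing in for a handler's instructions, "
               "repeated to fill most of the cover. ") * 5
    stego = embed_lsb(cover, toy_xor_stream(message.encode(), key=42))
    recovered = toy_xor_stream(extract_lsb(stego), key=42).decode()
    return recovered, chi_square_pov(cover), chi_square_pov(stego)
```

Pixel values change by at most one, so the stego image is visually identical to the cover, yet the chi-square statistic collapses once the LSB plane carries encrypted (hence random-looking) bits.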
Russia's foreign minister demanded Tuesday that it be allowed access to suspected spies arrested in the United States.
Those arrested have committed no kind of activity directed against U.S. interests, the foreign ministry said.
Russia urged the United States to take into account the "positive character" of current Russian-U.S. ties when dealing with the case.
Russian Prime Minister Vladimir Putin also spoke out Tuesday, expressing hope that the spy scandal would not damage improving relations between Russia and the United States, news agencies reported.
In a statement on the scandal the ministry said, "We are talking about Russian citizens who came to the United States at different times."
"They have not committed any kind of actions directed against the interests of the United States," it added.
It called on the U.S. authorities to guarantee consular access from Russian officials for the suspects.
The Foreign Ministry would not say specifically how many of the 11 alleged deep-cover agents are Russian.
The FBI announced the arrests of 10 suspects Monday, and an 11th person allegedly involved in the Russian spy ring was arrested Tuesday in Cyprus. Court papers said the operation goes back as far as the 1990s and many of the suspects were tracked for years.
Semenko and Chapman, however, were listed in a separate complaint and said to use their real names. Most of the other suspects were accused of using fake names and purporting to be U.S. or Canadian citizens while really being Russian.
They are accused of attempting to infiltrate U.S. policymaking circles while posing as ordinary citizens, some of them as married couples.
Oleg Gordievsky, a former deputy head of the KGB in London who defected in 1985, said Russia probably has about 50 deep-cover couples spying inside the United States.
Countries often have a number of intelligence officials whose identities are declared to their host nation, usually working in embassies, trade delegations and other official posts.
Gordievsky, who spent nine years working in the KGB directorate in charge of illegal spy teams, said he estimates there are 400 declared Russian intelligence officers in the U.S., as well as up to 50 couples charged with covertly cultivating military and diplomat officials as sources of information.
He said the complexity involved in training and running undercover teams means Russia is unlikely to have significantly more operatives now than during his career.
"I understand the resources they have, and how many people they can train and send to other countries," Gordievsky said. "It is possible there may be more now, but not many more, and no more than 60 (couples)."
The ex-KGB officer said deep-cover spies often fail to deliver better intelligence than their colleagues who work in the open.
"They are supposed to be the vanguard of Russian intelligence," Gordievsky said. "But what they are really doing is nothing, they just sit at home in Britain, France and the U.S."
In Britain, the case stirred memories of the country's own illegal Soviet spy -- Melita Norwood, a civil servant who spent about 40 years passing atomic research and other secrets to Moscow. Authorities ruled against prosecuting the elderly grandmother when she was exposed in 1992. Norwood died in 2005 at the age of 93.
Former Soviet spy Oleg Kalugin, who headed KGB operations in the United States in the 1970s and later left Russia to live in America, told CNN Tuesday he is "amazed" that Moscow is engaging so heavily in espionage against Washington.
Reacting to the recent arrests of 11 alleged Russian spies, Kalugin said that getting the type of information the FBI says the operatives collected "does not require such a massive assault" against the United States.
"I am amazed," he said. "It reminds me of the worst years of the Cold War." Kalugin also said he was "amused" by reports of the arrests. "It is a sign of the decadence of the Russian intelligence services," he said. "Why do they need to use so many people to get information that is openly available?"
Kalugin said that has been a mission for Soviet and Russian operatives for decades: to look for potential spies in the United States with the ultimate purpose of placing them in key government agencies like the State Department, Defense Department and the White House.
Kalugin added that he was impressed by the "efficiency" of the FBI, which apparently was able to keep the suspects under control for several years. He said FBI agents have not "lost their focus" and noted that it is difficult to ferret out such spies.
The former Soviet spy told CNN he did not believe that Russian President Dmitry Medvedev knew of the pending arrests during his visit to the White House last Thursday, but his impression was that President Barack Obama did know and it was reflected in a "rather strained" visit with Medvedev. Kalugin said he now feels that "something was brewing."
He also explained that he is not surprised that several of the suspects are listed as former Canadian citizens. He said Canada, with a large number of Russian and former Soviet émigrés, has been used for decades by Soviet intelligence as a "jumping ground" to pick up people for possible espionage operations in the United States.
The reports of alleged Russian espionage, Kalugin believes, "will sober up some minds in the U.S. who believe that Russia is a totally different country."
Kalugin said former Russian president and now prime minister Vladimir Putin -- himself a former KGB agent -- has restored the role of the intelligence agency, now called the FSB, and its arm that deals with foreign intelligence, the SVR. "Old habits have been restored," he said.
"The United States used to be enemy No. 1 for the KGB," he said. "Now it is priority No. 1."
Scientists working on the Large Hadron Collider (LHC) say they have moved a step closer to their aim of unlocking the mysteries of the Universe.
The world's highest-energy particle accelerator has produced a record-breaking particle collision rate - about double the previous rate.
The collider is now generating around 10,000 particle collisions per second, according to physicist Andrei Golutvin.
Over the past few months, LHC engineers have slowly and carefully increased the energy and intensity of the proton beams which race around the collider's 27km-long "ring".
This weekend, engineers smashed together two beams consisting of three "bunches" of protons particles.
For the first time, these bunches were at "nominal" intensity - the intensity the LHC was designed to work at. This means each bunch consisted of as many as 100 billion protons.
The LHC smashed together its first two particle beams travelling at close to the speed of light in November 2009.
At the moment, it is running at half the energy it was designed for, but the scientists aim to take the machine to the top energy of seven tera-electronvolts (TeV) per beam by 2013.
Stationed around the collider's ring are four large experiments designed to study new physics - in a bid to shed light on the secrets of our Universe. These are Compact Muon Solenoid (CMS), Atlas, Alice and LHCb, of which Dr Golutvin is chief scientist.
Scientists hope to find an elusive sub-atomic particle known as the Higgs boson, dubbed the "God particle", which would explain why matter has mass.
Allegations that Moscow ran a spy ring in the US are baseless and a throwback to the Cold War, a Russian foreign ministry official has said.
The claims had set back attempts by President Barack Obama to reset ties with Moscow, the official added.
The response comes a day after 10 people were arrested in the US.
They are accused of conspiracy to act as unlawful agents of a foreign government, a crime which carries up to five years in prison.
Nine of those arrested also face a charge of conspiracy to launder money.
An 11th suspect named as "Christopher R Metsos" was arrested on Tuesday on the Mediterranean island of Cyprus, police there said. They said he was arrested at Larnaca airport as he tried to leave for Budapest and was released on bail pending US extradition proceedings.
The 11 were allegedly part of an operation where agents posed as ordinary citizens, some living together as couples for years.
Alleged intercepted messages in court documents suggest the 10 people arrested in the US were asked to find information on topics including nuclear weapons, US arms control positions, Iran, White House rumours, CIA leadership turnover, and political parties.
The US Department of Justice says that eight of the suspects allegedly carried out "long-term, 'deep-cover' assignments" on US soil, working in civilian jobs so as not to arouse suspicion.
They were allegedly trained by the Russian Foreign Intelligence Service (SVR) to infiltrate policy-making circles and collect information, according to papers filed in the US court for the southern district of New York.
They were told to befriend US officials and send information using various methods to Russian government handlers.
US officials say the spy ring was discovered in a "multi-year investigation" by FBI agents who posed as Russian handlers and gleaned information from two of the suspects.
Investigators say some of the agents had been using false identities since the early 1990s, using codes and engaging in advanced computer operations, including posting apparently innocent pictures on the internet which contained hidden text.
The FBI also reported observing older techniques, such as messages sent by invisible ink, money being buried next to a beer-bottle marker and "brush pasts" in parks, where agents swap identical bags as they pass each other.
"You were sent to USA for long-term service trip," says one purported message to two of the suspects that was intercepted by US intelligence.
"Your education, bank accounts, car, house etc - all these serve one goal: fulfil your main mission, ie to search and develop ties in policymaking circles in US and send intels."
Generally, spies were allegedly tasked with becoming "Americanised" to be able to do this, with some pursuing university degrees, holding jobs, and joining relevant professional associations, court documents said.
The group allegedly got close to a scientist involved in designing bunker-busting bombs and a top former intelligence official.
Five of the suspects briefly appeared in a Manhattan federal court on Monday, where a judge ordered them to remain in prison until a preliminary hearing set for 27 July.
These included a couple known as "Richard Murphy" and "Cynthia Murphy", who were arrested in Montclair, New Jersey; Vicky Pelaez and a man known as "Juan Lazaro" who were arrested in Yonkers, New York state; and Anna Chapman, who was arrested in Manhattan, New York City.
Another three - Mikhail Semenko and a couple known as "Michael Zottoli" and "Patricia Mills" - appeared in a federal court in Alexandria, Virginia, after being arrested in Arlington, Virginia.
The final two people - a couple known as "Donald Howard Heathfield" and "Tracey Lee Ann Foley" - were arrested in Boston, Massachusetts, and appeared in a federal court in the city.
All the suspects except Ms Chapman and Mr Semenko have also been charged with conspiracy to commit money laundering.
Monday, June 28, 2010
Ten individuals have been arrested in the United States for spying for Russia, the Justice Department announced Monday.
The 10 were "trained Russian intelligence operatives," a Justice Department spokesman said.
All 10 suspects are charged with acting as agents of a foreign government, and nine are also charged with conspiracy to commit money laundering.
Among the phony identities taken by the alleged spies are those of dead Americans, officials said.
All are scheduled to appear in court Monday in New York, Boston, Massachusetts, and Alexandria, Virginia.
A total of 11 defendants -- including the 10 arrested -- have been charged in two separate criminal complaints. One defendant is still at large, according to the Justice Department.
The defendants have been charged with conspiracy to act as an agent of a foreign government without notifying the U.S. attorney general, a crime that carries a maximum penalty of five years in prison, the Justice Department said. Conspiracy to commit money laundering has a maximum penalty of 20 years in prison.
The case against the alleged spies, according to the statement, is the result of a "multiyear investigation" conducted by the FBI, the U.S. Attorney's Office for the Southern District of New York and the Justice Department's National Security Division.
A Russian embassy spokesman said on Monday that he was unaware of the reports on the arrests, and said he is seeking more information from Russian officials.
More information here.
Ace from our Kuala Lumpur lab has written a technical white paper on the internals of the highly advanced TDL3 trojan. The paper goes deep into the features of this advanced backdoor / rootkit.
You can download "The Case of Trojan DownLoader TDL3" from here [2MB pdf file].
In some ways, TDL3 is similar to the infamous Mebroot rootkit. For a thorough discussion on Mebroot, see our presentation from 2008.
ESET has also released a comprehensive report on the TDL3 rookit.
http://www.eset.com/resources/white-papers/TDL3-Analysis.pdf (1.49 MB PDF)
Sunday, June 27, 2010
A new study about the (in)efficacy of anti-virus software in detecting the latest malware threats is a much-needed reminder that staying safe online is more about using your head than finding the right mix or brand of security software.
Last week, security software testing firm NSS Labs completed another controversial test of how the major anti-virus products fared in detecting malware pushed by malicious Web sites: Most of the products took an average of more than 45 hours — nearly two days — to detect the latest threats.
Some in the anti-virus industry have taken issue with NSS’s tests because the company refuses to show whether it is adhering to emerging industry standards for testing security products. The Anti-Malware Testing Standards Organization (AMTSO), a cantankerous coalition of security companies, anti-virus vendors and researchers, have cobbled together a series of best practices designed to set baseline methods for ranking the effectiveness of security software. The guidelines are meant in part to eliminate biases in testing, such as regional differences in anti-virus products and the relative age of the malware threats that they detect.
David Harley, an AMTSO board member and director of malware intelligence for NOD32 maker ESET, didn’t quibble with the core findings in the NSS report, but rather what he called the lack of transparency in NSS’s testing methodology.
“My quarrel with NSS is that they’re trying to quantify that Product A is better than Product B on the basis of an uncertain methodology,” Harley said. “I’m not quarreling with the proposition that the industry misses a lot of malware. That’s incontrovertible, when every day we’re dealing with close to 100,000 new malware samples. In fact, that sort of level of detection that NSS is talking about — 50 to 60 percent right out of the gate — sounds realistic to me.”
For all of its hand-wringing about results from outside testing firms, the anti-virus testing labs are starting to move in the direction of more real-time testing, said Alfred Huger, vice president of engineering at upstart anti-virus firm Immunet.
“People have to understand that anti-virus is more like a seatbelt than an armored car: It might help you in an accident, but it might not,” Huger said. “There are some things you can do to make sure you don’t get into an accident in the first place, and those are the places to focus, because things get dicey real quick when today’s malware gets past the outside defenses and onto the desktop.”
Three managers at an unnamed Spanish software developer have been arrested over allegations they planted 'logic bombs' in software that meant clients were obliged to pay for disruptive repairs and extended maintenance contracts.
The Guardia Civil said that more than 1,000 clients of the Andalucia-based developer were affected by the scam since 1998. The unnamed firm sold custom software to small and medium-sized businesses with built-in errors such that it was guaranteed to fail at a predetermined date.
These errors would "paralyse the normal functioning of businesses" and oblige customers to contact their supplier, who would hit them for repair fees and extended support. In the course of making repairs, the developer allegedly programmed systems to fail again at a future date.
An anonymous web-based tip-off led to a Guardia Civil investigation and a subsequent raid on the firm's premises, where computer equipment and records were seized for analysis. The investigation - codenamed Operation Cordoba - is being led by the Guardia Civil's hi-tech division in cooperation with local police in Cordoba, Spanish daily El Pais adds.
It has been years since the United States has had good intelligence on the whereabouts of Al Qaeda leader Osama bin Laden, although he is thought to be in Pakistan, CIA director Leon Panetta said on Sunday.
He also gave a sobering account of the war in Afghanistan, saying the Taliban seemed to be strengthening with a stepped-up campaign of violence, even as U.S.-led forces undermine the Islamist movement with attacks on its leadership.
Progress is being made in the nearly nine-year-old conflict but "it's harder, it's slower than I think anyone anticipated," Panetta said on ABC's "This Week" program. He did not directly answer a question about whether the war was being won.
Not since "the early 2000s" have U.S. officials had "the last precise information about where he (bin Laden) might be located," Panetta said.
"Since then, it's been very difficult to get any intelligence on his exact location," Panetta said. "He is, as is obvious, in very deep hiding ... He's in an area of the tribal areas of Pakistan."
Denying the world's most wanted man safe haven on the lawless Afghanistan-Pakistan border has been an aim of Western policy since the September 11 attacks in 2001, when the Taliban in effect spurned a U.S. demand to hand over the al Qaeda chief.
Panetta said the United States still believed it could ultimately "flush out" bin Laden, noting it had already "taken down" more than half of al Qaeda's leadership.
In recent months, the CIA has ramped up the pace of unmanned drone strikes in the tribal areas of Pakistan that border Afghanistan, targeting not only high-level al Qaeda and Taliban targets but unknown foot soldiers as well.
Taliban militants, Panetta said, "with regards to some of the directed violence, they seem to be stronger. But the fact is, we are undermining their leadership and that I think is moving in the right direction."
See more highlights from Panetta's interview here and here.
Firefox 3.6.6 modifies the crash protection feature to increase the amount of time that plugins are allowed to be non-responsive before being terminated. Please see the complete list of changes in this version.
However, now that 3.6.4 has shipped, we are seeing an increasing number of reports that some users are unable to play Farmville, because Farmville hangs the browser long enough for our timeout to trigger and kill it.
--------------------------------
In all fairness, the problem wasn't solely an issue just for Farmville...but clearly that was the loudest and quickest userbase to complain.
Friday, June 25, 2010
Pakistan will monitor seven major websites, including Google and Yahoo, to block anti-Islamic links and content, an official said Friday. Seventeen lesser-known sites are being blocked outright for alleged blasphemous material.
The moves follow Pakistan's temporary ban imposed on Facebook in May that drew both praise and condemnation in a country that has long struggled to figure out how strict a version of Islam it should follow.
Both the Facebook ban and the move announced Friday were in response to court orders. The sites to be monitored include Yahoo Inc., Google Inc. and its YouTube service, Amazon.com Inc. and MSN, Hotmail and Bing from Microsoft Corp., said Pakistan Telecommunication Authority spokesman Khurram Mehran.
"If any particular link with offensive content appears on these websites, the (link) shall be blocked immediately without disturbing the main website," Mehran said.
Google spokesman Scott Rubin said the company intends to monitor how Pakistan's new policies affect access to its services, which include the world's most popular search engine and the most widely watched video site, YouTube.
"Google and YouTube are platforms for free expression, and we try to allow as much ... content as possible on our services and still ensure that we enforce our policies," Rubin said.
Yahoo called Pakistan's actions disappointing. The company is "founded on the principle that access to information can improve people's lives," Yahoo spokeswoman Amber Allman said.
Microsoft and Amazon didn't immediately respond to requests for comment.
Wednesday, June 23, 2010
Malware writers actually leave behind a telling trail of clues that can help identify their native tongue, their geographic location, their ties to other attacks -- and, in some cases, lead law enforcement to their true identities. A researcher at Black Hat USA next month plans to give away a homemade tool that helps organizations glean this type of intelligence about the actual attacker behind the malware.
Greg Hoglund, founder and CEO of HBGary, for several months has been studying malware from the infamous Operation Aurora attack that hit Google, Adobe, Intel, and others, as well as from GhostNet; in both cases, he discovered key characteristics about the attackers themselves. Hoglund says the key is to gather and correlate all of the characteristic "markers" in the malware that can, in turn, be traced to a specific malware writer.
While anti-malware firms focus on the malware and malware kits and give them names, Hoglund says that model is all wrong. "That whole model is completely broken," he says. "Instead of tracking kits, we need to start tracking the attacker as a threat group. I want to take the fight back to the attacker."
Among his findings on GhostNet, an attack used to spy on Chinese dissidents, for example, was a common compression method for the video stream that was unique to those attacks. And in Operation Aurora, he found Chinese-language ties, registry keys, IP addresses, suspicious runtime behavior, and other anomalies that tied Aurora to the developer.
"Developers write certain algorithms ... one time and keep reusing those components," Hoglund says. Those reused components are one of the clues that can be found.
With Aurora, for instance, he found the snippet of the binary code in a blog post on a Chinese hacking site after doing a Google search. "He was either very close or was the developer. We weren't able to find this anywhere else on the Net," he says. He then graphed the hacker's social relationships, including who he was communicating with and who was commenting on his blog, and found that he had also written an attack toolkit, which he was also selling online. "We had the individuals who were using that developer toolkit ... it doesn't get any better than that," he says.
Hoglund says his firm handed their findings over to the feds, but never heard back on the outcome.
Based on his research and investigations of malware, he says he thinks there are more likely only hundreds, rather than thousands, of criminal gangs behind most cybercrime. "I think those groups do a lot of colluding. They're not individuals. They're not islands," he says. "They share a lot of stuff with each other."
Meanwhile, Hoglund says he plans to release a second free tool at Black Hat -- an inoculator tool. This tool will sweep the entire enterprise for a piece of malware and remove it. "That's totally hard core," he says.
Mexican drug cartels have set up shop on American soil, maintaining lookout bases in strategic locations in the hills of southern Arizona from which their scouts can monitor every move made by law enforcement officials, federal agents tell Fox News.
The scouts are supplied by drivers who bring them food, water, batteries for radios -- all the items they need to stay in the wilderness for a long time.
“To say that this area is out of control is an understatement," said an agent who patrols the area and asked not to be named. "We (federal border agents), as well as the Pima County Sheriff Office and the Bureau of Land Management, can attest to that.”
In these areas, which are south and west of Tucson, sources said there are “cartel scouts galore” watching the movements of federal, state and local law enforcement, from the border all the way up to Interstate 8.
This increased activity in the US is just another example of the internationally assertive Mexican drug cartels.
According to Dino, the presentation was a mix of some technical background on local Mach RPC on Mac OS X, a bug he found the day before the conference, and some miscellaneous rants from my presentation at BSidesSF.
Hacking at Mach Speed!
Monday, June 21, 2010
The Federal Bureau of Investigation identified 14 suspected “leakers” of classified U.S. intelligence information during the past five years, according to newly disclosed statistics (pdf).
Between 2005 and 2009, U.S. intelligence agencies submitted 183 “referrals” to the Department of Justice reporting unauthorized disclosures of classified intelligence. Based on those referrals or on its own initiative, the FBI opened 26 leak investigations, and the investigations led to the identification of 14 suspects.
“While DOJ and the FBI receive numerous media leak referrals each year, the FBI opens only a limited number of investigations based on these referrals,” the FBI explained in a written response to a question from Senator Sheldon Whitehouse (D-RI).
“In most cases, the information included in the referral is not adequate to initiate an investigation. The most typical information gap is a failure to identify all those with authorized access to the information, which is the necessary starting point for any leak investigation. When this information is sufficient to open an investigation, the FBI has been able to identify suspects in approximately 50% of these cases over the past 5 years. Even when a suspect is identified, though, prosecution is extremely rare (none of the 14 suspects identified in the past 5 years has been prosecuted),” the FBI said.
The FBI report to Congress predated the indictment of suspected NSA leaker Thomas A. Drake, who was presumably one of the 14 suspects that the FBI identified. The case of Shamai Leibowitz, the FBI contract linguist who pled guilty to unauthorized disclosures in December 2009, is not reflected in the new report and may be outside the scope of intelligence agency leaks that were the subject of the congressional inquiry.
The Obama Administration has adopted an increasingly hard line toward leaks of classified information with multiple prosecutions pending or underway, as noted recently in Politico (May 25) and the New York Times (June 11). A recent memorandum from the Director of National Intelligence will “streamline” the processing of leak investigations, Newsweek reported June 11.
Faisal Shahzad, the 30-year-old Pakistani-American suspect in the failed Times Square bombing case, entered pleas of guilty Monday in federal court to all 10 counts he was facing.
Before entering his pleas, he told the court: "I want to plead guilty 100 times because unless the United States pulls out of Afghanistan and Iraq, until they stop drone strikes in Somalia, Pakistan and Yemen and stop attacking Muslim lands, we will attack the United States and be out to get them."
Shahzad said he traveled to Waziristan in Pakistan on December 9 with two friends to join the Taliban. He said that during the five days he was there, the Taliban gave him $4,000, which he combined with $4,900 of his own money to pay for the materials used in the attack.
"Once I got back to the states, I started working on the plan," he said. "Getting together what I needed for the bomb. I rented a place in Bridgeport, Connecticut. That is where I built the bomb, put it in the Pathfinder and drove it to Times Square."
On May 1, he said, he drove the vehicle into Times Square and ignited the 2.5- to 5-minute fuses, "and then I left the car." The bomb, he said, was in three pieces.
"I consider myself a mujahedeen and a Muslim soldier," he said.
A source familiar with the case told CNN that prosecutors will ask for the maximum sentence on the charges during sentencing, which is scheduled for October 5.
The source said there was no plea deal and no cooperation deal. That means that, despite the fact that Shahzad cooperated with prosecutors for two weeks after his arrest, they will not request any preferential treatment for him.
Of the 10 charges, six carry a maximum sentence of life: attempted use of a weapon of mass destruction, conspiracy to use a weapon of mass destruction, possession of a firearm in relation to conspiracy to use a weapon of mass destruction, attempted act of terrorism transcending national boundaries, conspiracy to commit an act of terrorism, and attempted use of a destructive device in relation to conspiracy to commit an act of terrorism.
Because Shahzad pleaded guilty to Count 3, Count 6 carries a mandatory minimum penalty of life in prison.
Counts 7 and 8 -- transportation of an explosive and conspiracy to transport an explosive -- each carry a maximum sentence of 10 years.
Counts 9 and 10 -- attempted destruction of property by fire and explosives and conspiracy to destroy property by fire and explosives -- each carries a maximum sentence of 20 years.
Sunday, June 20, 2010
Times Square bomb suspect Faisal Shahzad was charged Thursday with 10 terrorism and weapons counts in an indictment that accuses him of receiving explosives training and financial help from the Pakistani Taliban.
The indictment returned by a grand jury in U.S. District Court in Manhattan added five charges to the original case against the 30-year-old Shahzad and also detailed in greater depth his alleged financing, saying Shahzad had received a total of $12,000 from the militant group through cash drop-offs in Massachusetts and Long Island.
Shahzad is accused of plotting to build and detonate a homemade gasoline-and-propane bomb inside a used SUV among thousands of tourists on a busy Saturday night. He was charged with attempted use of a weapon of mass destruction among several terrorism and weapons counts.
"The facts alleged in this indictment show that the Pakistani Taliban facilitated Faisal Shahzad's attempted attack on American soil," Attorney General Eric Holder said in a release. "Our nation averted serious loss of life in this attempted bombing, but it is a reminder that we face an evolving threat that we must continue to fight with every tool available to the government."
Shahzad's lawyers did not immediately respond to requests for comment on the indictment. Shahzad was scheduled to enter a plea during an appearance in court Monday. The most serious counts against him carry mandatory penalties of life in prison.
The indictment alleged that Shahzad received explosives training in Waziristan, Pakistan, in December 2009 from trainers affiliated with Tehrik-e-Taliban, a Pakistan-based militant extremist group. The affiliation with the group led to financing as well, the indictment alleged.
It said Shahzad received approximately $5,000 in cash in Massachusetts on Feb. 25 from a co-conspirator in Pakistan whom Shahzad understood worked for Tehrik-e-Taliban.
Approximately six weeks later, on April 10, 2010, Shahzad received $7,000 more in cash in Ronkonkoma, N.Y., which also was sent at the co-conspirator's direction, the indictment said.
U.S. Attorney Preet Bharara said Shahzad conspired with the Pakistani Taliban "to wreak death and destruction in Times Square."
The Pentagon’s main spy outfit, the Defense Intelligence Agency, is building a new database which will consolidate in one system “human intelligence” information on groups and individuals—potentially including Americans—collected by DIA operatives in United States and abroad.
A notice published earlier this week in the government’s regulatory bulletin, the Federal Register, says the manager of the system will be a little-known DIA unit called the Defense Counterintelligence and Human Intelligence Center (DCHC).
Records held in the database, the notice says, could include information on “individuals involved in, or of interest to, DoD intelligence, counterintelligence, counterterrorism, and counternarcotic operations or analytical projects as well as individuals involved in foreign intelligence and/or training activities.” Among the data to be stored: “information such as name, Social Security Number (SSN), address, citizenship documentation, biometric data, passport number, vehicle identification number and vehicle/vessel license data.” Actual intelligence reports from the field and analytical material which would help “identify or counter foreign intelligence and terrorist threats to the DoD and the United States” will also be included.
“That’s potentially a lot of information,” Donald Black, chief spokesman for DIA, acknowledged in an interview with Declassified. But he said that material entered into the new database would be carefully reviewed—as regularly as every 90 days—to ensure that out-of-date, discredited, or irrelevant data on individuals would be destroyed if there was no longer a good reason to keep it.
Two U.S. officials, who asked for anonymity when discussing sensitive information, said that while CIFA had been disbanded on paper, many of its personnel and some of its functions were transferred to DCHC. One of the officials said that DCHC is now in the same office space that CIFA once occupied, in a complex near suburban Washington’s Reagan National Airport.
A defense official, who also did not want to be named, insisted that the new unit, unlike CIFA, had no law-enforcement powers. He maintained that the new system would not repeat abuses similar to those which occurred with TALON.
The official said that unlike TALON, the new DCHC database would not include field reports generated by military counterintelligence agencies with domestic field offices, such as the Army’s Criminal Investigation Division, the Navy Criminal Investigative Service, or the Air Force Office of Special Investigations. However, if those agencies were to ask DIA or DCHC to become involved in one of their cases, then information about the case could well be entered in the new DCHC database. The official had no estimate of how many records on individual subjects—including Americans—would be stored.
Some civil-liberties experts are already expressing dismay about the new DIA database. Mike German, a former FBI investigator who now works for the American Civil Liberties Union, told The Washington Post’s Spy Talk blog that while the functions of the new database were still murky, "We do know that DIA took over 'offensive counterintelligence' for the DoD once CIFA was abandoned… It therefore makes sense that this new DIA data base would be collecting the same types of information that CIFA collected improperly, so Americans should be just as concerned."
The pirate cook smuggled food to the terrified hostages held by his gang off the Somali coast. He bought them cell phone cards. And when the pirates started talking about harvesting their organs for cash, he sneaked them guns.
The hostages killed the pirates and escaped. But now the life of the Somali cook, known only as Ahmed, is in danger. Despite actions the crew described as heroic, European Union nations, Syria and nearby Djibouti have all refused to take him, according to an official who was not authorized to talk.
Ahmed has since disappeared. It is thought to be the first time someone working for the pirates has turned against them to help hostages.
"Sending him back to (Somalia's) shore would be putting him to death for his compassion," said John S. Burnett, the author of "Dangerous Waters: Modern Piracy and Terrorism on the High Seas." "This smacks of a bureaucratic bungle ... it's a line in the sand. No Somali pirate will ever risk showing any modicum of compassion again if he knows he's not going to get any help from the authorities."
The tale began Feb. 2, when the pirates hijacked the MV Rim, a Libyan-owned, North Korean-flagged cargo ship in the Gulf of Aden.
During the first two months, the pirates gave food and water to the crew of one Romanian and nine Syrians. But when talks about the $300,000 ransom went nowhere, the pirates grew impatient. The crew got little food or water, Virgil Teofil Cretu, the 36-year-old Romanian crew member, said in an interview in Costanta, Romania.
Cretu, who as the coxswain had steered the ship, and the Syrian sailors drank rainwater and cooked rice in seawater. Their diet was augmented by whatever Ahmed could sneak to them.
Ahmed bought a SIM card to use in a cell phone the crew had hidden from the pirates, so the hostages could speak with relatives.
But the negotiations were not going well. No one from North Korea, Libya or Syria would agree to pay a ransom.
On June 2, Ahmed told the crew that the pirates had decided to kill them and harvest their organs to get some money out of the seajacking. Ahmed secretly passed the crew three Kalashnikovs. That's when "all hell broke loose," according to Cretu.
The crew started their engines and steamed away, pursued by more pirates in another hijacked vessel. The MV Rim's old engines stalled, but an EU Naval Force helicopter swooped down just before the pirates closed in, hovering between the two ships and buying precious minutes.
After the crew was taken off the MV Rim, the EU Naval Force let the ship drift in the Gulf of Aden. Cretu said the ship was to have been scrapped after delivering in India a load of kaolin, a soft white clay used in making porcelain and many other products.
Now the crew has gone home, but Ahmed is nowhere to be found. His last known location was the Dutch warship Johan de Witt.
"In my mind, cook Ahmed was an angel sent by God," said Cretu. "Without his intervention, without his courage, we would have been dead."
The EU Naval Force won't say if he was set ashore in Somalia - where he faced execution by pirates or clan members of the brigands who died - or sent away alone in a small boat to navigate the high seas at the beginning of monsoon season. EU Naval Force officials said they had investigated repatriation and migration options for Ahmed but would not give details.
"I owe my life to my Somali friend and I want to take him into my home if possible so he and his family can change their lives," said Cretu.
A new UNODC report shows how, using violence and bribes, international criminal markets have become major centres of power
VIENNA, 17 June (UN Information Service) - "Organized crime has globalized and turned into one of the world's foremost economic and armed powers," said Antonio Maria Costa, Executive Director of the United Nations Office on Drugs and Crime (UNODC) at the launch of a new UNODC report on The Globalization of Crime: A Transnational Organized Crime Threat Assessment. The Report, released today at the Council on Foreign Relations in New York, looks at major trafficking flows of drugs (cocaine and heroin), firearms, counterfeit products, stolen natural resources, and people trafficked for sex or forced labour, as well as smuggled migrants. It also covers maritime piracy and cybercrime.
Full Report (PDF)
In The globalization of crime: a transnational organized crime threat assessment, UNODC analyses a range of key transnational crime threats, including human trafficking, migrant smuggling, the illicit heroin and cocaine trades, cybercrime, maritime piracy and trafficking in environmental resources, firearms and counterfeit goods. The report also examines a number of cases where transnational organized crime and instability amplify each other to create vicious circles in which countries or even subregions may become locked. Thus, the report offers a striking view of the global dimensions of organized crime today.
Saturday, June 19, 2010
In last week’s Security Weekly we discussed how situational awareness is a mindset that can — and should — be practiced by everyone. We also described the different levels of situational awareness and discussed which level is appropriate for different sorts of situations. And we noted how all criminals and terrorists follow a process when planning their acts and that this process is visible at certain times to people who are watching for such behavior.
When one considers these facts, it inevitably leads to the question: “What in the world am I looking for?” The brief answer is: “warning signs of criminal or terrorist behavior.” Since this brief answer is very vague, it becomes necessary to describe the behavior in more detail.
Good follow-up on the situational awareness primer posted last week by STRATFOR.
While it is true that most of us aren't targets for high-end kidnappings, increased situational awareness might be the difference between getting mugged on the street...and not.
I am pretty sure that my increased awareness helped deter at least one criminal while traveling on vacation in Europe. Simple criminals looking for easy targets.
In addition, I have seen video evidence of a family member taking smart (yet simple) actions to avoid a possible mugging while on vacation in the Caribbean.
You don't have to be an expert; a conscious effort to be more aware of the things that are happening around you could make all the difference.
Friday, June 18, 2010
Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.
The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.
Note that some of those sites still include a lot of content from third party domains that is not available over HTTPS. As always, if the browser's lock icon is broken or carries an exclamation mark, you may remain vulnerable to some adversaries that use active attacks or traffic analysis. However, the effort required to monitor your browsing should still be usefully increased.
Send feedback on this project to https-everywhere AT eff.org.
The plugin currently works for:
- Google Search
- The New York Times
- The Washington Post
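The rewrite the extension performs, as an added example in Python that is not the EFF's code: a constructed rule set (the `example.*` domains and patterns are assumptions), a function that applies the first matching rule unless an exclusion fires, and a check that reports which third-party subresources would still load over plain HTTP, which is the "broken lock icon" case the note above warns about.

```python
import re

# Constructed rule set modelled on the kind of rewrite HTTPS Everywhere performs:
# "from" is a regex matched against the URL, "to" is the replacement, and
# exclusions cover paths the site does not serve over HTTPS. The domains and
# patterns are illustrative assumptions, not the extension's real rulesets.
RULESETS = [
    {
        "name": "Example Search",
        "rules": [(r"^http://(www\.)?search\.example\.com/", "https://search.example.com/")],
        "exclusions": [r"^http://(www\.)?search\.example\.com/legacy/"],
    },
    {
        "name": "Example News",
        "rules": [(r"^http://(www\.)?news\.example\.org/", "https://www.news.example.org/")],
        "exclusions": [],
    },
]


def rewrite_to_https(url, rulesets=RULESETS):
    """Return the HTTPS form of `url` if a ruleset covers it, else the URL unchanged.

    Already-secure URLs pass through untouched; a ruleset whose exclusion matches
    is skipped entirely so that a site's known HTTP-only paths keep working.
    """
    if url.startswith("https://"):
        return url
    for ruleset in rulesets:
        if any(re.match(pat, url) for pat in ruleset["exclusions"]):
            continue
        for frm, to in ruleset["rules"]:
            if re.match(frm, url):
                return re.sub(frm, to, url, count=1)
    return url


def remaining_insecure(resource_urls, rulesets=RULESETS):
    """Subresources (scripts, images, frames) that no rule can upgrade.

    Anything returned here is mixed content: the page itself may be HTTPS, yet
    these requests still travel in the clear, which is exactly the situation
    in which the browser's lock icon is broken or flagged.
    """
    return [u for u in resource_urls if rewrite_to_https(u, rulesets).startswith("http://")]


if __name__ == "__main__":
    page = "http://www.news.example.org/article/1"
    print(rewrite_to_https(page))
    print(remaining_insecure(["http://news.example.org/style.css",
                              "http://cdn.thirdparty.example/widget.js"]))
```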
Apple's 10.6.4 operating system upgrade earlier this week silently updated the malware protection built into Mac OS X to protect against a backdoor Trojan horse that can allow hackers to gain remote control over your treasured iMac or MacBook.
Although there is no mention of it that we could find in Apple's release notes for Mac OS X 10.6.4, or the accompanying security bulletin, Apple has updated XProtect.plist - the rudimentary file that contains elementary signatures of a handful of Mac threats - to detect what they call HellRTS.
HellRTS, which Sophos products have been detecting as OSX/Pinhead-B since April, has been distributed by malicious hackers disguised as iPhoto, the photo application which ships on modern Mac computers.
If you did get infected by this malware then hackers would be able to send spam email from your Mac, take screenshots of what you are doing, access your files and clipboard and much more.
Unfortunately, many Mac users seem oblivious to security threats which can run on their computers. And that isn't helped when Apple issues an anti-malware security update like this by stealth, rather than informing the public what it has done. You have to wonder whether their keeping quiet about an anti-malware security update like this was for marketing reasons. "Shh! Don't tell folks that we have to protect against malware on Mac OS X!"
There's a lot less malicious software for Mac computers than Windows PCs, of course, but the fact that so many Mac owners don't take security seriously enough, and haven't bothered installing an anti-virus, might mean they are a soft target for hackers in the future.
Apple's update to detect "HellRTS" more than doubles the size of the XProtect.plist file from 2.4k to 5.1k. There are still a lot of Mac threats it doesn't protect against.
In 10.6.4, the XProtect file includes simple checks for three trojans....
Thursday, June 17, 2010
With the impending release of Fierce 2.0 I thought I’d spend a minute talking about finding high value targets. I was working with a company in a specific vertical when I realized they use a very large single back end provider (essentially a cloud-based SaaS). But they aren’t the only large company using that SaaS - there are many hundreds of other companies using them as well. But because I’m not in that particular industry and have not worked much in that vertical, I had never even heard of them before. Frankly, I had no idea that they even existed. Now let’s take a typical Fierce DNS enumeration scan; it can find a lot of non-contiguous IP space, sure. But what about when I launch scans against hundreds of companies in that same vertical? Some interesting results start bubbling up.
Because companies tend to point their DNS to those SaaS providers for white labeling, often you’ll see a convergence of a lot of sub-domains all pointing to a single IP address or set of IP addresses. It doesn’t take a rocket scientist to realize that you don’t need to attack the target you’re interested in, you can attack the SaaS provider and take over not just one but all of those companies in that vertical that use that provider. Even though that may not be obvious by just probing the external network, DNS can sometimes help to uncover those sorts of details. This happens a lot more than most people realize, and in my experience those cloud based SaaS providers aren’t any more secure than anyone else. It’s a lot more interesting to compromise hundreds of companies for the price of one.
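The convergence described above, as an added Python example that is not part of the post or of Fierce: constructed DNS records for several organisations in one vertical (the names, IPs and provider are assumptions) are resolved through their CNAME chains and grouped by final address, so that any single IP serving hostnames from several distinct organisations stands out as a shared provider whose compromise would affect all of them. A defender can run the same grouping over their own and their peers' DNS data to see which third parties they silently depend on.

```python
from collections import defaultdict

# Constructed DNS data standing in for enumeration results across several
# organisations. All names and addresses here are assumptions for illustration.
DNS_RECORDS = {
    "portal.alpha-bank.example":    ("CNAME", "tenant.saas-provider.example"),
    "login.beta-credit.example":    ("CNAME", "tenant.saas-provider.example"),
    "my.gamma-finance.example":     ("A", "198.51.100.20"),
    "www.alpha-bank.example":       ("A", "203.0.113.10"),
    "mail.beta-credit.example":     ("A", "203.0.113.55"),
    "tenant.saas-provider.example": ("A", "198.51.100.20"),
}


def registered_domain(name):
    """The organisation a hostname belongs to.

    Assumes two-label registrable domains (alpha-bank.example); production code
    should consult the Public Suffix List instead of counting labels.
    """
    return ".".join(name.split(".")[-2:])


def resolve(name, records=DNS_RECORDS, max_hops=8):
    """Follow a CNAME chain to its final A record.

    Returns (ip, chain); ip is None when the name is unknown, ends in something
    other than an A record, or the chain loops / exceeds max_hops.
    """
    chain = [name]
    for _ in range(max_hops):
        rtype, value = records.get(name, (None, None))
        if rtype == "A":
            return value, chain
        if rtype != "CNAME":
            return None, chain
        name = value
        chain.append(name)
    return None, chain


def shared_infrastructure(hostnames, records=DNS_RECORDS, min_orgs=2):
    """Map final IP -> sorted organisations whose hostnames land on it.

    Only addresses serving at least `min_orgs` distinct registered domains are
    returned: those are the points where many companies converge on one provider.
    """
    orgs_by_ip = defaultdict(set)
    for host in hostnames:
        ip, _ = resolve(host, records)
        if ip is not None:
            orgs_by_ip[ip].add(registered_domain(host))
    return {ip: sorted(orgs) for ip, orgs in orgs_by_ip.items() if len(orgs) >= min_orgs}


if __name__ == "__main__":
    customer_hosts = [h for h in DNS_RECORDS if not h.endswith("saas-provider.example")]
    for ip, orgs in shared_infrastructure(customer_hosts).items():
        print(f"{ip} is shared by {len(orgs)} organisations: {', '.join(orgs)}")
```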
Wednesday, June 16, 2010
The Electronic Frontier Foundation (EFF), the ACLU of Northern California, and a coalition of privacy groups are urging Facebook to give users true control over their personal data by taking six critical steps to protect members' information.
In an open letter sent to CEO Mark Zuckerberg today, the coalition asks Facebook to close its "app gap" and allow users to decide which applications can access their personal data. The group also asks Facebook to make "instant personalization" an opt-in service and use an HTTPS connection for all interactions by default, among other steps.
"Facebook continues to push its users into more and more public sharing -- sharing that it's not at all clear members want or fully understand," said EFF Senior Staff Attorney Kevin Bankston. "We're calling on Facebook and Mark Zuckerberg to respect their members and give them the information and the tools they need for true control."
For the full open letter:
There is still significant debate within the U.S. government and among members of the national security establishment over the level of threat posed by Iran's growing presence and the increasing presence of Hezbollah that this presence brings.
So the arrest of a suspected Hezbollah fundraiser with an outstanding US arrest warrant in the Tri-border area is another important indicator of just how deep this relationship has now become.
Moussa Hamdan is the latest in a long line of suspected Hezbollah financiers who have been arrested in and around Ciudad del Este, the main hub of the Tri-border (where the borders of Brazil, Argentina and Paraguay meet near Iguazu Falls) region. U.S., European and Latin American investigations have traced tens of millions of dollars from the region back to Hezbollah in Lebanon, using the formal and informal money remittance systems. Hezbollah operatives in the 1994 AMIA bombing in Buenos Aires have been documented as having used Ciudad del Este as their base while planning their attack on a Jewish target, operating under orders from Iran.
The Tri-border has historically been a smuggling and black market center for the Southern Cone of Latin America, generating hundreds of millions of dollars in illicit profits. That is not new. What changed over the past 15 years is the importance of the region as a financial hub for terrorist groups, from Hezbollah to the FARC in Colombia to Hamas.
How to play:
- Read this post and decide if you want to play or help run the contest
- Register in the forum thread for sign ups if you want to play.
- Show up to DEF CON 18 with all your gear and tools to attack!
- Grab the package.
There are various tamper evident technologies out there, including tape, seals, locks, tags, and bags, to name a few. This contest will test your ability to perform "defeats" (described below) against a range of inexpensive commercial low to medium security products. I will list the exact products I am buying so you can go buy them as well to practice in advance if you want to.
A component of the contest will require documentation of how you did your break, pictures or video, so the knowledge can be spread and others can learn what does and does not work. In the end we can all make better informed decisions about what we can or can't trust!
THE COURSE OF THE CONTEST:
When you get to con you will be given a package. This package will have tamper evident seals on it. Some of these products claim to be "Impossible to reseal or reuse". Your goal is to prove them wrong and document your work every step of the way. Open the box and tamper with its contents. Inside you will find two chains. One of the chains is just a plain chain, the other chain will have some tamper evident tags and such on it. You will have until noon on Sunday of con to move as many of these seals and tags from one chain to the other without your tampering being detected. Oh, and open the box and deal with anything else you may find in there.
There should only be about five or six tags this first year, I will edit this post and exactly describe what they are and where you can buy them in advance. I will also have some spares at the con that you can practice against.
- PCI: Security's lowest common denominator
- Analyzing Flash-based RIA components and discovering vulnerabilities
- Logs: Can we finally tame the beast?
- Launch arbitrary code from Excel in a restricted environment
- Placing the burden on the bot
- Data breach risks and privacy compliance
- Authenticating Linux users against Microsoft Active Directory
- Hacking under the radar
- iPhone backup, encryption and forensics
- AND MORE!
Damn good PCI article.
The Adobe Flash Player plugin that was included in yesterday's Mac OS X software update contains multiple vulnerabilities that expose users to malicious hacker attacks.
Apple shipped a new Flash Player plugin (10.0.45.2) in the Mac OS X patch bundle but that version became outdated on June 10th when Adobe shipped Flash Player 10.1.53.64.
The Flash Player 10.0.45.2 software contains 32 vulnerabilities, most rated "critical." At least one of those flaws has been exploited on the Windows platform.
Apple's outdated Flash Player plugin problem was flagged publicly by Adobe's Wendy Poland:
Earlier today, Apple released security update 2010-004 / Mac OS X v10.6.4. This update includes an earlier version of Adobe Flash Player (version 10.0.45.2) than available from Adobe.com. While the Mac OS X v10.6.4 update does not appear to downgrade users who have already upgraded to Adobe Flash Player 10.1, Adobe recommends users verify they are using the latest, most secure version of Flash Player (10.1.53.64) available for download from http://www.adobe.com/go/getflashplayer. To verify the Adobe Flash Player version number installed on your system (after applying the Mac OS X security update), Mac users can go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.
If you use multiple browsers, perform the check for each browser you have installed on your system.
I know I have asked this before, but why the hell is Apple installing Adobe Flash as part of their updates?
At least they aren't downgrading newer versions of Flash, like they did with the Snow Leopard (10.6) release.
Users are reporting issues trying to pre-order the latest iPhone 4, which goes on sale June 24th; the cause is basically that the systems designed to take the orders are completely overwhelmed. AT&T’s web interface at brick and mortar shops is failing to the point where orders are being taken with pen and paper, and the Apple web site is acting clunky. But the most serious issue people are reporting is that upon logging into AT&T online to place the order, other users’ information is coming up, including billing information, call history, and so forth.
So if we look at this, without any other information, how do we decide that one user logging in and seeing another user’s information is probably not the result of a weekend systems upgrade? Because we’ve seen this behavior before, a lot. When you stress test a web site, it’s not uncommon to see functions that return and read user sessions get garbled, and web sites start to return pages for the wrong user session.
When you log into a web site a session gets created and some sort of persistence mechanism is returned to maintain the session (usually a session cookie, but there are other less used methods available). Every “logged in page” reads this session identifier to determine whether the user is logged in and uses it to return the right information. Further complexity is usually introduced into large web sites, where some sort of load balancing is taking place, and therefore a user’s session has to be found amongst data centers, servers, and so forth.
When you overload the capacity of programs that read, manage, and create sessions, bad stuff happens like sessions getting crossed. Since the AT&T site was probably under a severe and unusually high server load today, the site went haywire (in our technical opinion).
How do you prevent this from happening? Add occasional and event driven stress testing to your quality assurance processes, you will find a number of unusual and difficult to solve problems result. At the very least you will know how your web application acts under unusually high loads, and thus not be surprised when the Apple fanboys come calling for Steve’s latest masterpiece.
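To make the "sessions getting crossed" failure concrete, here is an added example (not code from the original post or from AT&T's systems) of the kind of check a stress test should carry: every response is compared against the session cookie it was requested with. The two request handlers, the round-robin scheduler that interleaves their steps the way a busy server interleaves concurrent requests, and the user names are all constructed for this illustration; the "buggy" handler parks the resolved user in state shared across requests, which is one common way a session-handling component ends up returning another user's page under load.

```python
"""Simulated load test that detects crossed user sessions.

Constructed example: two request handlers, one that keeps the looked-up user in
state shared across requests (buggy) and one that keeps it per request (safe),
driven by a round-robin scheduler that interleaves request steps the way a busy
server interleaves concurrent requests. The checker flags every response that
carries a different user's data than the session cookie it was sent with.
"""
import secrets
from dataclasses import dataclass


class SessionStore:
    """Maps opaque session identifiers to the authenticated user name."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


class SharedStateApp:
    """Buggy handler: the user resolved from the cookie is stored on the app
    object, which every in-flight request shares."""

    def __init__(self, store):
        self.store = store
        self.current_user = None

    def handle(self, sid):
        self.current_user = self.store.lookup(sid)     # step 1: resolve session
        yield                                          # other requests run here
        yield f"account page for {self.current_user}"  # step 2: render (maybe someone else's)


class PerRequestApp:
    """Safe handler: the resolved user lives in the request's own frame."""

    def __init__(self, store):
        self.store = store

    def handle(self, sid):
        user = self.store.lookup(sid)
        yield
        yield f"account page for {user}"


@dataclass
class Result:
    user: str   # owner of the session cookie the request was sent with
    page: str   # what the server returned

    @property
    def crossed(self):
        # The page must name the user who owns the cookie it was requested with.
        return not self.page.endswith(f" {self.user}")


def run_load(app_class, users):
    """Log every user in, then interleave all their requests one step at a time."""
    store = SessionStore()
    app = app_class(store)
    pending = [(u, app.handle(store.create(u))) for u in users]
    results = []
    # Round-robin scheduler: advance each request one step before revisiting any.
    while pending:
        still_running = []
        for user, gen in pending:
            try:
                page = next(gen)
            except StopIteration:
                continue
            if page is None:
                still_running.append((user, gen))
            else:
                results.append(Result(user, page))
        pending = still_running
    return results


def crossed_sessions(results):
    """The stress-test assertion: responses that belong to a different user."""
    return [r for r in results if r.crossed]


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]   # constructed sample users
    for app in (SharedStateApp, PerRequestApp):
        bad = crossed_sessions(run_load(app, users))
        print(f"{app.__name__}: {len(bad)} crossed session(s)")
        for r in bad:
            print(f"  {r.user} received: {r.page!r}")
```

The point of the checker is that a load test which only measures latency and error rates would have reported the buggy handler as healthy: every request returned HTTP 200 and a well-formed account page. Crossed sessions only show up if each virtual user verifies that the response it received is its own.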
Tuesday, June 15, 2010
Researchers have found evidence that attackers are exploiting the vulnerability in the Windows Help and Support Center that was at the center of so much controversy last week. The flaw, which is in the protocol handler related to the Microsoft Windows Help and Support Center, was disclosed late last week by Tavis Ormandy, a security researcher who works for Google. The disclosure, which came just five days after Ormandy notified Microsoft of the vulnerability, caused a huge dustup in the security community and elicited a rather testy response from the Microsoft Security Response Center.
Now, researchers say that they have seen evidence that attackers are using the vulnerability in active attacks. Sophos researchers identified a piece of malware that's being used by a compromised site to attack visitors.
Microsoft has posted several tweets on their official (msftsecresponse) Twitter account...
Windows Server 2003 customers are not currently at risk from the Win Help issue based on the attack samples we have analyzed
We are aware of limited exploits against the Win Help issue. XP users, apply the FixIt in Security Advisory 2219475 http://bit.ly/9EdPcs
While it is far from the first Trojan ever to simply fail to execute under Windows XP, it definitely caught our eye that a variant of Trojan-Downloader-Tacticlol distributed last week in a spam campaign only fully executed under Windows Vista or newer operating systems. It may have been just a fluke, but repeated tests with both a virtual machine and real hardware running Windows XP at various patch levels showed that the Trojan we received attached to a spam message simply quit when executed in an XP environment, but ran smoothly and did all its planned dirty work on a Windows Vista testbed.
More interesting, though, is the idea that this Trojan, which is so prevalent and widely distributed, may signal the start of a trend where malware authors begin turning away from XP as the dominant operating system they target.
For some time, the conventional wisdom in malware analysis has been that, if you want to do research in a real test environment, it makes sense to use the oldest, most vulnerable, most attacked version of Windows. The appearance of a Trojan which simply rejects Windows XP as a platform for infection may signal that it’s time for researchers to broaden their horizons and look at these newest, supposedly more secure platforms more carefully than we may have done in the past.
While investigating the malware and shellcode that were associated with the recent Adobe Flash Player, Adobe Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability (BID 40586), we came across some interesting similarities to the malware and shellcode that were used in the Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability (BID 38615) targeted attacks from March 2010.
Both of these shellcode samples hook UnhandledExceptionFilter, MessageBeep, and LdrShutdownThread, and are fairly advanced. It appears that the goal of the shellcode author was to protect the zero-day and hide the attack from the victim. We have seen this shellcode before! We wrote about it in 2008 in the blog titled "Protecting Zero-Day." It was used in a targeted attack against the Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability (BID 32721). That makes three attacks using this private shellcode to target zero-days over a period of two years. It is quite common for one shellcode to be used in many attacks; for this reason, we started to examine the similarities between the malware used in both of the attacks.
Funnily enough, the filename for the DLL used in the IEPeers attack is 'wshipl.dll' and the filename for the DLL that was used in this recent attack is 'wshipm.dll', suggesting an incremental version bump from “l” to “m.” This is all very interesting. It is difficult to look at these similarities without drawing the conclusion that these attacks are linked by methodology and tool chain.
Of course it is impossible to say for sure, but it certainly seems like the attacker(s) that targeted the Adobe Flash Player, Adobe Reader, and Acrobat 'authplay.dll' Remote Code Execution Vulnerability this month also participated in the IEPeers attack from March 2010, and potentially even participated in the targeted attack against the Microsoft Internet Explorer XML Handling Remote Code Execution Vulnerability in 2008. The term Advanced Persistent Threat (APT) is fashionable at the moment—and we hesitate to use it—but an active attacker that uses a zero-day to target their victims over such a long period of time seems to be the kind of attacker that this term applies to, which should be a concern for those who are working to protect their infrastructure and assets.
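The two observations above (the trio of hooked API names and the one-letter version bump in the dropped DLL's name) are the sort of thing an analyst turns into a triage rule. Here is an added example of such a rule, not code from the original post or from Symantec: it scans a file's bytes for the three API names the article lists and matches the file name against a generalisation of 'wshipl.dll' / 'wshipm.dll' (any single-letter suffix). The `Triage` class, the verdict levels and the sample byte strings are constructed for this illustration; both checks are coarse heuristics for prioritising samples, not a definitive signature.

```python
"""Constructed triage helper for the shellcode/DLL indicators described above.

Two checks, in the spirit of a YARA rule: (1) the private shellcode hooks
UnhandledExceptionFilter, MessageBeep and LdrShutdownThread, so those names
tend to be present in the dropped payload's import names; (2) the dropped DLLs
were named 'wshipl.dll' and 'wshipm.dll', i.e. a one-letter suffix that was
bumped between campaigns. Both are heuristics for analyst triage only.
"""
import re
from dataclasses import dataclass

# API names the article says the shellcode hooks (ASCII, as in an import table).
HOOKED_APIS = (b"UnhandledExceptionFilter", b"MessageBeep", b"LdrShutdownThread")

# Generalisation of the observed 'wshipl.dll' / 'wshipm.dll' names: any single-letter suffix.
DLL_NAME_PATTERN = re.compile(r"^wship[a-z]\.dll$", re.IGNORECASE)


@dataclass(frozen=True)
class Triage:
    filename: str
    apis_found: tuple      # which of HOOKED_APIS occur in the file bytes
    name_matches: bool     # file name fits the wship?.dll pattern

    @property
    def hooks_all_three(self) -> bool:
        return len(self.apis_found) == len(HOOKED_APIS)

    @property
    def verdict(self) -> str:
        # Requiring all three names keeps ordinary programs that merely call
        # MessageBeep or install an exception filter from being flagged.
        if self.hooks_all_three and self.name_matches:
            return "strong"
        if self.hooks_all_three or self.name_matches:
            return "weak"
        return "none"


def find_hooked_apis(blob: bytes) -> tuple:
    """Return the subset of HOOKED_APIS whose names occur anywhere in blob."""
    return tuple(name.decode() for name in HOOKED_APIS if name in blob)


def triage_file(filename: str, blob: bytes) -> Triage:
    """Combine the byte-level and file-name indicators into one triage record."""
    return Triage(
        filename=filename,
        apis_found=find_hooked_apis(blob),
        name_matches=bool(DLL_NAME_PATTERN.match(filename)),
    )


# Constructed sample inputs (not real malware): a fake import-name table that
# references all three hooked APIs, and a benign one that only beeps.
SAMPLE_SUSPICIOUS = (
    b"\x00KERNEL32.dll\x00UnhandledExceptionFilter\x00"
    b"USER32.dll\x00MessageBeep\x00"
    b"ntdll.dll\x00LdrShutdownThread\x00"
)
SAMPLE_BENIGN = b"\x00USER32.dll\x00MessageBeep\x00MessageBoxA\x00"

if __name__ == "__main__":
    for name, blob in (("wshipm.dll", SAMPLE_SUSPICIOUS), ("beep.exe", SAMPLE_BENIGN)):
        t = triage_file(name, blob)
        print(f"{name}: apis={t.apis_found} name_match={t.name_matches} -> {t.verdict}")
```

In practice the byte scan would be run over the import name table of a parsed PE rather than the raw file, and a match should only bump a sample up the analysis queue: plenty of legitimate software installs an unhandled-exception filter, and a file name is the cheapest indicator for an attacker to change, as the 'l' to 'm' bump itself shows.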
Monday, June 14, 2010
The office of Attorney-General Robert McLelland today denied that a controversial data retention policy being considered by his department could see Australians' web browsing history tracked by internet service providers.
"This is not about web browser history," said McLelland's media liaison Adam Siddique in a brief telephone conversation. "It's purely about being able to identify and verify identities online," he added, linking the initiative to the ability for law enforcement to track criminals.
On Friday the Attorney-General's Department confirmed it had been examining the European Directive on Data Retention to consider whether it would be beneficial for Australia to adopt a similar regime. The directive requires telcos to record and retain data such as the source, destination and timing of all emails and telephone calls — even including internet telephony.
Siddique's statement contradicts claims by internet service provider (ISP) sources that the Australian version of the directive could extend as far as tracking the web browsing history of all Australians, with one of those sources telling ZDNet Australia that such a regime "would be scary and very expensive".
Another source said the regime being considered by the Australian Government could see data held for much longer than the EU Directive's 24 months — it would be more like five or ten years.
"We're talking browsing history and emails, way beyond what I would consider to be normal SMS, retaining full browsing history and everything," that source said.
However, Siddique declined to disclose further details of what the department was considering or when any public consultation on the matter might be held, directing further questions to the department, which has already declined to comment on more specific details of the consultation.
The United States is hailing growing determination in most corners of the globe to combat modern-day slavery through stepped-up law enforcement and legislative action. That’s the good news.
But the State Department’s annual report on human trafficking nevertheless brands 13 countries as standouts for failure to address rampant cases of sex trading, indentured domestic work, forced field labor, and other varieties of slavery within their borders.
The global scofflaws range from Kuwait and Saudi Arabia to North Korea and Cuba. The bright spots include Pakistan, Malaysia, Syria, Egypt, and Bosnia-Herzegovina – countries that don’t always shine in annual human-rights ratings but that the State Department found have acted to address human-trafficking issues over the past year.
“We saw overall improvement,” with 116 countries enacting legislation of some form in 2009 to combat human trafficking, says Luis CdeBaca, senior adviser on modern slavery issues to Secretary of State Hillary Rodham Clinton.
The report estimates that more than 12 million people are trafficked globally every year.
For the first time, the US rated itself in the report, giving itself a “tier one,” or top-tier, rating (along with most Western countries and Nigeria, which stands out in Africa as a tier one country) but recommending more training for federal, state, and local law enforcement officials to better detect and prosecute cases ranging from debt bondage to child prostitution.
Trafficking in Persons Report 2010