Tuesday, August 31, 2010

Hardware Hack Busts Quantum Encryption

Via International Business Times (IBT) -

Quantum cryptography is absolutely unbreakable, as it relies on the laws of physics to rat out eavesdroppers. But like other encryption methods, it is sometimes only as good as the users and their hardware.

A group at the Norwegian University of Science and Technology and Germany's University of Erlangen-Nürnberg, together with the Max Planck Institute for the Science of Light, found a vulnerable point in quantum cryptography systems.


To mount an attack, the eavesdropper would have to duplicate the signal the receiver would get exactly. But quantum mechanics says you can't do that because you can't copy quantum states.

A hacker can fool the detector into thinking that a quantum signal has arrived by simply blinding it for a few seconds. The hacker attaches another device to the fiber optic cable and receives the sender's signal. To fool the intended receiver he sends a signal down the cable that is orders of magnitude stronger than usual, which blinds the detector. Then he can send ordinary pulses of light to the detector, which is no longer able to see single photons.

Even though a hacker can't copy quantum bits, he can send ordinary, classical light pulses that look just like them to an impaired detection system, neatly sidestepping the laws of quantum mechanics.

"We know from the history of encryption, there are always implementation problems," said Vadim Makarov, one of the lead researchers on the project. In this case, unlike other types of encryption breaking, the hacking is done via hardware rather than software.

Makarov says the research group notified the manufacturers of quantum cryptography systems, and that they have been working on solutions.

Ribory says quantum encryption is used in systems where there is a single fiber-optic connection between two points, where long-term security is an issue -- as it is for banks, medical records or the military. In these systems anybody attacking it has to mount a physical assault on the connection itself.

Quantum communications systems also cost a lot. Makarov notes the system in his lab would be on the order of $100,000. That puts it out of the reach of basement tinkerers, at least for a time. Another feature of quantum cryptography is that it is "future proof" - as long as the hardware is kept safe, the code itself cannot be broken without someone knowing about it. So it will likely become more widespread as it becomes cheaper. By finding ways to attack the system, Makarov says, he helps make them stronger.

"An army deteriorates pretty quickly if there isn't a war," he said. "For these systems, we provide the opposing force."


Both IDQ and MagiQ welcome the hack for exposing potential vulnerabilities in their systems. Makarov informed both companies of the details of the hack before publishing, so that patches could be made, avoiding any possible security risk.

"We provide open systems for researchers to play with and we are glad they are doing it," says Anton Zavriyev, director of research and development at MagiQ.


Makarov agrees that the hack should not make people lose confidence in quantum cryptography. "Our work will ultimately make these systems stronger," he says. "If you want state-of-the-art security, quantum cryptography is still the best place to go."

94% of Internet Users Befriend Unknown 'Good-Looking Woman'

Via Virus Bulletin News -

Research from BitDefender has shown that the vast majority of users of social network sites are willing to befriend an unknown, 21-year-old, fair-haired woman; many of them even shared sensitive data that could be used to steal passwords.

The researchers created the fake profile on a popular social networking site and sent a friendship request to 2,000 people (as many males as females). A small number of people accepted the request immediately, but after some persuasion, a staggering 94% of people ultimately befriended the unknown face. Among the reasons for doing so were that the woman had 'a lovely face' (53%), or that she worked in the same industry (24%). 17% of people even claimed that she had a known face, but 'couldn't remember the place they met'.

Perhaps even more surprising was that 86% of those who accepted the friendship request were working in IT; 31% even in IT security, an industry that has been stressing the risks of using social networking sites for many years.

The researchers continued their study posing as the fair-haired woman and had a two-hour written conversation with a small sample of their 'victims'. During this conversation, most victims revealed information such as their address, phone numbers or the names of their parents and pets; information that can be used to change passwords and steal identities. Many users also revealed sensitive business information.

The full report can be found here (PDF), with comments from Help Net Security here.

Secunia's Verified List - Windows Applications Insecure Library Loading

There has recently been a lot of focus on a remote attack vector for exploiting an old class of vulnerabilities. This is referred to as: Insecure library loading [or DLL Hijacking]

Secunia Research is closely monitoring discoveries of new vulnerabilities related to this issue and releasing verified Secunia advisories. This information is summarised here by providing a complete overview of the recent developments on affected programs and vendors.


U.S. Expands Sanctions on North Korea

Via CNN -

President Barack Obama issued an executive order Monday giving broad new authority to impose financial sanctions on North Korean entities and individuals doing business with and for the secretive communist state.

Stuart Levey, Treasury Department under-secretary for terrorism and financial intelligence, said the new order "targets a wide range of illicit activities undertaken by the government of North Korea."

Obama specifically named three North Korean entities, but his order covers much more ground, directing the State and Treasury departments to target any individuals or entities that facilitate North Korean trafficking in arms and related materiel; procurement of luxury goods; and engagement in illicit economic activities, such as money laundering, the counterfeiting of goods and currency, bulk cash smuggling and narcotics trafficking.

This new executive order supplements existing but more limited U.S. sanctions established in 2008 by President George W. Bush, which targeted proliferators of weapons of mass destruction.

And it makes it possible for the U.S. to go after individuals and companies in other countries who assist or sponsor financial relationships with the North Koreans that include any of the banned types of transactions.



Mexico Captures "La Barbie" Drug Trafficker

Via Yahoo! News (AP) -

Mexico captured major drug trafficker Edgar "La Barbie" Valdez on Monday in a new victory for President Felipe Calderon's high-stakes war on murderous cartels that threatens the country's image among investors and tourists.

Federal police caught Valdez, a leader of the Beltran Leyva cartel based in central Mexico, in a residential area near Mexico City, the government said.

Valdez, a 37-year-old Mexican-American born in Texas, put up little resistance, a police spokesman said.

"Valdez has connections with organized crime groups operating in Central and South America to smuggle drugs to the United States, where he is also wanted," national security spokesman Alejandro Poire told a news conference.

Nicknamed "La Barbie" for his fair complexion, Valdez is believed to have been behind a surge in bloodshed in central Mexico as he fought for leadership of his cartel. U.S. authorities put a $2 million bounty on his head but Poire did not say if Valdez would be sent to the United States.



Gary Hale, the recently retired chief of intelligence for the Drug Enforcement Administration's Houston Division, said Valdez could be among the top five traffickers in Mexico.

"It is a big deal to capture a cartel head who happens to be a U.S. citizen," said Hale, who is owner of Grupo Savant, a law-enforcement and intelligence consulting firm.

According to STRATFOR...

Valdez Villarreal has been locked in heated battle with his former colleague, Hector “El H” Beltran Leyva, for control over the territory once occupied by the Beltran Leyva Organization under now-deceased leader Arturo Beltran Leyva. Hector has since gone on to form Cartel Pacifico Sur (CPS) and has been waging war against the former BLO elements loyal to Valdez Villarreal.

Apple QuickTime Backdoor Creates Code-Execution Peril

Via The Register UK -

A security researcher has unearthed a “bizarre” flaw in Apple's QuickTime Player that can be exploited to remotely execute malicious code on Windows-based PCs, even those running the most recent versions of operating system.

Technically, the inclusion of an unused parameter known as “_Marshaled_pUnk” is a backdoor because it is the work of an Apple developer who added it to the QuickTime code base and then, most likely, forgot to remove it when it was no longer needed. It sat largely undetected for at least nine years until Ruben Santamarta of Spain-based security firm Wintercore discovered it and realized it could be exploited to take full control of machines running Windows 7, Microsoft's most secure operating system to date.

“The bug is pretty bizarre,” H D Moore, CSO of Rapid7 and chief architect of the Metasploit project, told The Reg on Monday. “It's not a standard vulnerability in the sense that a feature was implemented poorly. It was more kind of a leftover development piece that was left in production. It's probably an oversight.”


ASLR, or address space layout randomization, for instance, loaded code into memory locations that attackers can't predict, while DEP, or data execution prevention, prevented any code that does get loaded from being executed.

But in a stroke of efficiency, Santamarta figured out how to repurpose code in a common Windows file to bypass the protections. Using a technique known as ROP, short for return oriented programming, he was able to load a Windows Live file known as WindowsLiveLogin.dll into memory and reorder the commands in a way that allowed him to take control of the underlying computer. Using the Microsoft DLL not only allowed him to know where in memory it would load, it also allowed him to get the code executed.

Santamarta said the parameter was present in a QuickTime version dating back to 2001, when it could be used to draw contents into an existing window instead of creating a new one. The functionality was eventually removed from newer versions but the line lived on. Combined with an unrandomized DLL like the one for Windows Live, it represents a serious threat to end users.

The attack has been confirmed on the XP, Vista, and 7 versions of Windows, Santamarta said.


While the exploit posted by Santamarta works only against those who have Microsoft's Windows Live Messenger installed, the researcher told The Reg that components that ship by default with QuickTime can be used to pull off the same ROP sleight of hand. Files called QuickTimeAuthoring.qtx and QuickTime.qts are two possibilities.

Indeed, programmers with the open-source Metasploit project used by penetration testers and other hackers are in the process of building an attack module that does just that. And that means that in the next 24 hours there will be publicly available exploit code for a critical vulnerability that remains unpatched in Apple's blockbuster media player for Windows.


Apple QuickTime "QTPlugin.ocx" Trusted Parameter Value Vulnerability

Original Advisory - [0day] Apple QuickTime "_Marshaled_pUnk" Backdoor / Code Execution http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1

Monday, August 30, 2010

Anti-Phishing Working Group Targeting Fax-Based Scams

Via Threatpost.com -

The heyday of faxing may have passed twenty years ago, but scam artists haven't given up on the old technology, especially when it comes to wheedling personally identifiable information out of unsuspecting office workers. Now a leading anti-phishing group is tackling the problem of fax based phishing scams.

The Anti Phishing Working Group announced the Fax Back Phishing Education program this week to help telecommunications firms and Fax over Internet Protocol (FoIP) providers track and respond to scam artists that are using fax-ed, hard copy appeals and pitches to steal sensitive data.

APWG was created to battle Web- and e-mail based phishing scams, which lure unwitting victims into surrendering personal information and account logins and passwords with realistic-looking pitches and fake Web sites. But Web and e-mail are hardly the only mediums for phishing. Scammers have found that fax-based appeals are also effective at getting victims to surrender personal documents and information. Often the appeals start with e-mailed forms that the recipients are asked to fill out and fax to a number that is provided.

The Group announced last month that it would partner with the U.S. Internal Revenue Service's Online Fraud Detection and Prevention (OFDP) group. OFDP is providing fax numbers from complaints registered to its phishing@irs.gov e-mail address and then works with telecommunications providers and FoIP providers to disable the numbers. APWG worked with OFDP to develop an automated fax cover sheet that can be sent to notify victims who attempt to fax a number associated with fax phishing scams. That cover sheet provides links to online resources, including Web sites that allow them to register complaints with the FTC.

Sunday, August 29, 2010

Norway 'Bomb Plot' Underscores Al-Qaida Pitfalls

Via KATV.com (AP) -

When police arrested a suspected al-Qaida cell in Norway last month they turned up the makings of a bomb lab tucked away in a nondescript Oslo apartment building.

An Associated Press investigation shows that authorities learned early on about the alleged cell by intercepting e-mails from an al-Qaida operative in Pakistan and - thanks to those early warnings - were able to secretly replace a key bomb-making ingredient with a harmless liquid when one of the suspects ordered it at an Oslo pharmacy.

Officials say the suspected plot against this quiet Nordic country was one of three planned attacks on the West hatched in the rugged mountains of northwest Pakistan by some of al-Qaida's most senior leaders. The other plots targeted the bustling New York subway and a shopping mall in Manchester, England.

Interviews with U.S. and European intelligence officials and documents reviewed by the AP paint the picture of a loosely organized cell that was doomed to fail long before Norwegian police raided its basement lab in suburban Oslo in July. The officials spoke on the condition of anonymity because they were not authorized to discuss the cases publicly.

The Norwegian plot's undoing, and that of its sibling plots in the U.S. and Britain, casts light on the potential pitfalls of al-Qaida's changing tactics in the decade since the massive, highly organized Sept. 11 attacks. In recent years, al-Qaida has grown increasingly decentralized and nimble, relying on amateurs to recruit local cells and carry out smaller-level attacks without extensive planning and hands-on training.

While such plots are harder to detect, they are also harder to manage - and the slack remote control they often require leaves greater room for operational error and sloppy tradecraft.

All three plots were thwarted after suspected operatives exchanged e-mails - sometimes poorly coded ones - in and out of Pakistan.


"There are strengths and weaknesses in decentralization," said Magnus Norell, a terrorism expert at the Swedish Defense Research Agency. "It's a strength because it's difficult to find these plots unless you stumble upon them or have very good intelligence. Also, you can bring in people who might not be able to join otherwise. The weaknesses - they came to the surface in these cases."

Saturday, August 28, 2010

Indian E-Voting Researcher Freed After Seven Days in Police Custody

Via Freedom to Tinker Blog -

FLASH: 4:47 a.m. EDT August 28 — Indian e-voting researcher Hari Prasad was released on bail an hour ago, after seven days in police custody. Magistrate D. H. Sharma reportedly praised Hari and made strong comments against the police, saying Hari has done service to his country. Full post later today.

The Real Truth About Al Qaeda in Afghanistan

Via CT Blog -

Ever since senior Obama administration advisers such as CIA Director Leon Panetta and Vice President Biden admitted that Al Qaeda’s presence in Afghanistan was minimal, with fewer than 100 operatives believed to be on the ground there, war critics have complained the President has little justification for escalating the U.S. commitment there.

But the inside-the-Beltway political debate underscores a fundamental misunderstanding of what Al Qaeda’s role in Afghanistan — which Osama Bin Laden’s minions call “Khorasan” — truly has been, according to Special Operations commanders and troops on the ground.


Critics also fail to realize that a single Al Qaeda operative’s knowledge and experience in guerrilla and terror tactics is of incalculable value as a force multiplier to the Taliban.

Al Qaeda’s Arab operatives are considered a fearless elite. They have knowledge of Islam that makes them seem like religious scholars to many Pashtun tribesmen, who they have led into battle in the past. After Al Qaeda fled Afghanistan’s cities with their Taliban government allies in 2001-02, they reorganized and reconstituted their ranks in Pakistan. Al Qaeda returned to the fight in 2004, training, equipping and often leading or joining Haqqani fighters in battle along the eastern border.

Their presence was often suggested by the tactics used by Haqqani fighters, the cells’ skill at accurately firing AK-47s and RPGs, and gear such as armor-piercing ammo, body armor and night-vision devices.


Arabs from Al Qaeda still fund and train the Taliban, but no longer lead operations from the front, Army Col. Donald C. Bolduc, who leads the Combined Joint Special Operations Task Force, told me in his office at Bagram Airfield this month.

“They’re considered much too valuable to risk that,” said another U.S. official in the war zone.

During the winter, Taliban leaders ensconced in Pakistan send in Al Qaeda operatives to train their fighters in bombmaking tradecraft during the lull in fighting, sources said.

“The Pakistani madrassahs are still the big recruiting and training place. The Afghans go to a madrassah in Pakistan, where an Arab is typically like the dean, or headmaster, and learn how to fight,” the official told me. “Then the Afghan goes back home and teaches others to build bombs or fight — and gets paid handsomely for it.”


Al-Qaeda has also moved into these less visible roles because of the risk of alienating the local population, some of whom may not see AQ's motives as in line with their own.

"The [Al-Qaeda] numbers aren't large, but their ability to help local forces punch above their weight acts as a multiplier," said Bruce Hoffman, a terrorism expert and Georgetown University professor. "They've learned from their previous experiences, when their foreign fighters were front and center."
In Iraq, he noted, al-Qaeda figures from elsewhere alienated the locals by trying to hijack that insurgency.

U.S. military officials say al-Qaeda recognizes the same risk in Afghanistan. Taliban leaders often see al-Qaeda, their erstwhile ally, as "a handicap," according to an unclassified briefing presented in December by Maj. Gen. Michael Flynn, the top U.S. military intelligence officer in Afghanistan.

Although Taliban commanders want support from al-Qaeda and jihadists around the world, according to Flynn, they are sensitive to the idea that ordinary Afghans might view it as foreign interference.

That balancing act has resulted in a limited, if steady, flow of foreign fighters. Most are Uzbeks and Chechens who join networks affiliated with, but not formally part of, al-Qaeda, U.S. military officials said. Less common are Arabs and European Muslims who answer al-Qaeda's direct call to join the jihad in Afghanistan.

BGP Research Experiment Disrupts Internet, For Some

Via NY Times -

An experiment run by Duke University and a European group responsible for managing Internet resources went wrong Friday, disrupting a small percentage of Internet traffic.


The problem started just before 9 a.m. Greenwich Mean Time Friday and lasted less than half an hour. It was kicked off when RIPE NCC (Reseaux IP Europeens Network Coordination Centre) and Duke ran an experiment that involved the Border Gateway Protocol (BGP) -- used by routers to know where to send their traffic on the Internet. RIPE started announcing BGP routes that were configured a little differently from normal because they used an experimental data format. RIPE's data was soon passed from router to router on the Internet, and within minutes it became clear that this was causing problems.

"During this announcement, some Internet service providers reported problems with their networking infrastructure," wrote RIPE NCC's Erik Romijn in a note posted to the NANOG (North American Network Operators Group) discussion list. "Immediately after discovering this, we stopped the announcement and started investigating the problem. Our investigation has shown that the problem was likely to have been caused by certain router types incorrectly modifying the experimental attribute and then further announcing the malformed route to their peers."

That shouldn't have happened on systems that were properly configured to support BGP, Romijn said, but nonetheless for a brief period Friday morning, about 1 percent of all the Internet's traffic was affected by the snafu, as routers could not properly process the BGP routes they were being sent.

"Over 3,500 prefixes (announced blocks of IP addresses) became unstable at the exact moment this 'experiment' started," wrote Earl Zmijewski, a general manager with Internet security firm Renesys. "Not surprisingly, they were located all over the world: 832 in the US, 336 in Russia, 277 in Argentina, 256 in Romania and so forth. We saw over 60 countries impacted."


The damage from Friday's experiment was minimal, but if someone had been able to intentionally announce bad routes, it would have been much worse, said Paul Ferguson, a researcher with security firm Trend Micro.

It's unclear why RIPE NCC and Duke were trying out these new route formats.

One of the researchers behind the experiment, Duke assistant professor Xiaowei Yang, declined to talk in detail about the experiment, citing legal concerns. But she said that the work was for a research paper, and the BGP data that was sent was "100 percent standard compliant."

"It is an experiment initiated by my student and I," she wrote in an e-mail message. "It unexpectedly triggered some vendor bugs."

ASIO's New HQ Building Progressing on Time and on Budget

Via canberratimes.com.au (Aug 22, 2010) -

The elevator wells are up, cranes dot the skyline and works are progressing steadily on the new ASIO headquarters in Parkes.

Construction of the $606 million monolith is progressing on time and on budget, with completion scheduled for mid-2012 before becoming operational later that year.

While ASIO is a secretive organisation, Canberrans have the rare chance to turn the tables on Australia's largest domestic spy agency by watching the headquarters' construction.

But don't get caught looking. Despite its public construction, security surrounding the project is high. The 270 construction workers on site have been vetted for security clearance, must pass security checkpoints each day, and have signed papers not to discuss anything that happens on site.

Winning tenders are kept secret to prevent infiltration and building is compartmentalised so no firm completes enough work to gain too much information. Armed guards are rumoured to patrol the boundaries at night.

When asked about security arrangements on such a public work site, ASIO remained tight-lipped.

''ASIO's new central office will be a high-security facility which protects staff, information and technologies,'' a joint response from ASIO and the Department of Finance and Deregulation said. ''Comprehensive security procedures have been developed for the design and construction phases which are commensurate with the level of risk for this project.''

Australian Strategic Policy Institute national security program director Carl Ungerer said physical protection during the construction phase was relatively simple.

Dr Ungerer said the days of Cold War style bugging and satellite imaging had become largely redundant, with cyber security now the biggest threat.

'The cyber world is clearly the growing phase of all spying today.'


The Australian Security Intelligence Organisation (ASIO) is the principal Federal domestic internal intelligence, counter-intelligence and security agency of Australia which is responsible for the national security of Australia and the protection of the country and its citizens from espionage, sabotage, acts of foreign interference, politically-motivated violence, attacks on the Australian defence system, serious and major crime, and terrorism. ASIO is comparable to the United Kingdom Security Service (MI5).

Canadian Terror Suspects May Have Been Targeting Government Buildings

Via Declassified Blog (NewsWeek) -

Three suspects arrested by Canadian authorities this week on terrorism-related charges had been collecting materials and instructions for building homemade bombs and may have considered targeting Canadian government buildings, national-security officials say. Three additional suspects in the case are wanted but have not yet been arrested. For the moment, U.S. officials say, there appears to be no American link to what Canadian officials are calling a major terror inquiry.

In press statements in Ottawa today, representatives of the Royal Canadian Mounted Police and Canadian Security Intelligence Service (CSIS), the country's undercover spy agency, announced that the three men apprehended so far in this week's roundup had accumulated a stash of homemade bomb materials, including "schematics, videos, drawings, instructions, books, and electrical components designed specifically for the construction of Improvised Explosive Devices." The Mounties also said they believe that the three men arrested so far in the case are part of an unnamed domestic terror group operating in Canada, and that one of the men is a member of and was in contact with a terror group linked to the war in Afghanistan. The Mounties said they have evidence that one of the three men had been trained in bomb-building.

The Mounties identified the three men already in custody as Hiva Mohammed Alizadeh, Misbahuddin Ahmed, and Khurram Syed Sher. A spokesman for the Mounties told Declassified they are all Canadian citizens, but would not further describe the men's backgrounds. Nor did Canadian authorities identify the Afghan-based terror group to whom they said one of the men was linked, though some Canadian news reports suggested there might be a connection to Al Qaeda.


Turgeon said he could not confirm reports linking the plot to Al Qaeda, nor could he discuss what investigators believe the ultimate objective of the plot might have been. However, a national-security official familiar with reporting on the case, who asked for anonymity when discussing sensitive information, said there were indications the men may have been plotting to attack Canadian government buildings, presumably in Ottawa, the national capital. The official also said there was reason to believe that at least one of the suspects had traveled to the Afghanistan-Pakistan region for explosives training.

Friday, August 27, 2010

China’s Secure Communications Quantum Leap

Via Jamestown Foundation (Aug 16, 2010) -

In May 2010 a team of 15 Chinese researchers from Tsinghua University in Beijing and the Hefei National Laboratory for Physical Sciences, a government-directed research center, published a research paper announcing a successful demonstration of “quantum teleportation” (liangzi yinxing chuan) over 16 kilometers of free space. These researchers claimed to have the first successful experiment in the world. The technology on display has the potential to revolutionize secure communications for military and intelligence organizations and may become the watershed of a research race in communication and information technology.

Although much of the science behind this technology is still young, quantum technologies have wide-ranging applications for the fields of cryptography, remote sensing and secure satellite communications. In the near future, the results from this experiment will be used to send encrypted messages that cannot be cracked or intercepted, and securely connect networks, even in remote areas, with no wired infrastructure, even incorporating satellites and submarines into the link.


As a result, the issue has found itself at the center of a rapidly developing geopolitical race to apply quantum technology to military and intelligence work. Since secure quantum key distribution (QKD) provides a much higher level of security between communication networks, employing quantum teleportation over a satellite network allows for completely secure communications, even in sensitive and remote areas, without fiber optic infrastructure, as long as all parties are able to maintain line of sight with a satellite. This could have wide applications in communications and intelligence for ground troops, aircraft, surface ships and submarines, and fits into China’s current plans to grow its satellite network even further.

Using quantum teleportation to send this type of information has been technically possible for several years, but according to the Chinese research paper, it had been previously demonstrated experimentally only over an enclosed fiber optics network and then only over a distance of several hundred meters. The Chinese experiment appears to shatter these records by claiming to be the first to use a high-powered blue laser to exchange quantum information over a free space channel, and to demonstrate the principle over a distance as great as 16 km. This distance is significant because it displays approximately the same degree of light distortion as is seen in communication from the earth’s surface to a satellite, and so would allow for quantum communication using satellites. If this experiment were indeed the first of its kind, it would appear that China has succeeded in leapfrogging the West, and gained a significant edge in next-generation communications and cryptography.

The Chinese claim to be the first may not be entirely accurate, although certain elements of their experiment were unique and innovative. In 2005, a group of universities and defense corporations under a Defense Advanced Research Projects Agency (DARPA) grant and led by BBN Technologies, the company responsible for developing the precursor to the internet, succeeded in transferring cryptographic keys over a free-space link of 23 km in Cambridge, Massachusetts. Well beyond the single link employed by the Chinese, the BBN program has developed an expanding, multi-node web of secure quantum communication that will be able to further expand and link seamlessly with existing internet technology. There are a few differences in the physics of their experiment that still make it notable and may not technically disqualify the Chinese from claiming their status as first, but nonetheless American researchers seem to have had a five-year head start in demonstrating the principles of the technology.

Because of its security level and applications for satellite and submarine communications, quantum communication technology figures centrally in the objectives of the Chinese military to upgrade their growing command and control capabilities. A functional satellite-based quantum communication system would give the Chinese military the ability to operate further afield without fear of message interception.

However, Chinese researchers must also be aware of the potential for the United States to employ the same technology and may be seeking ways to counter this eventuality. While it is still almost impossible to intercept quantum messages without being detected, it may be feasible to jam the laser signals that send them with “optical noise” or other lasers. Understanding the ways in which quantum cryptography functions may also eventually expose further weaknesses in the network that can be exploited by a savvy adversary. China’s continuing cutting-edge quantum cryptography, lasers and optics research thus seems as much a reaction to the same research in the United States and an attempt to counter it as it is to develop its own indigenous network.

Pakistanis Tell of Motive in Taliban Leader’s Arrest

Via NY Times -

When American and Pakistani agents captured Abdul Ghani Baradar, the Taliban’s operational commander, in the chaotic port city of Karachi last January, both countries hailed the arrest as a breakthrough in their often difficult partnership in fighting terrorism.

But the arrest of Mr. Baradar, the second-ranking Taliban leader after Mullah Muhammad Omar, came with a beguiling twist: both American and Pakistani officials claimed that Mr. Baradar’s capture had been a lucky break. It was only days later, the officials said, that they finally figured out who they had.

Now, seven months later, Pakistani officials are telling a very different story. They say they set out to capture Mr. Baradar, and used the C.I.A. to help them do it, because they wanted to shut down secret peace talks that Mr. Baradar had been conducting with the Afghan government that excluded Pakistan, the Taliban’s longtime backer.


The events surrounding Mr. Baradar’s arrest have been the subject of debate inside military and intelligence circles for months. Some details are still murky — and others vigorously denied by some American intelligence officials in Washington. But the account offered in Islamabad highlights Pakistan’s policy in Afghanistan: retaining decisive influence over the Taliban, thwarting archenemy India, and putting Pakistan in a position to shape Afghanistan’s postwar political order.

“We picked up Baradar and the others because they were trying to make a deal without us,” said a Pakistani security official, who, like numerous people interviewed about the operation, spoke anonymously because of the delicacy of relations between Pakistan, Afghanistan and the United States. “We protect the Taliban. They are dependent on us. We are not going to allow them to make a deal with Karzai and the Indians.”

Some American officials still insist that Pakistan-American cooperation is improving, and deny a central Pakistani role in Mr. Baradar’s arrest. They say the Pakistanis may now be trying to rewrite history to make themselves appear more influential. It was American intelligence that led to Mr. Baradar's capture, an American official said.

“These are self-serving fairy tales,” the official said. “The people involved in the operation on the ground didn’t know exactly who would be there when they themselves arrived. But it certainly became clear, to Pakistanis and Americans alike, who we’d gotten.”

Other American officials suspect the C.I.A. may have been unwittingly used by the Pakistanis for the larger aims of slowing the pace of any peace talks.

At a minimum, the arrest of Mr. Baradar offers a glimpse of the multilayered challenges the United States faces as it tries to prevail in Afghanistan. It is battling a resilient insurgency, supporting a weak central government and trying to manage Pakistan’s leaders, who simultaneously support the Taliban and accept billions in American aid.

Facebook Alternative Diaspora Launches September 15

Via Mashable.com -

Diaspora, the much-hyped open source alternative to Facebook, will release its code to the world on September 15, but promises that its creators are just getting started.

Earlier this year, Facebook was embroiled in controversy after it made significant privacy changes. Users didn’t like having more of their information public, so they revolted.

During the height of the crisis, four NYU students decided to create an open source alternative to Facebook. Their goal was to raise $10,000 for their summer project, but dramatic interest helped them raise over $100,000 through donations. Even Facebook CEO Mark Zuckerberg donated to the project.

Since then, the Diaspora team has been mostly silent, coding away on their project. However, in a blog post earlier today, they revealed that the project is on track for release on September 15.

“We have Diaspora working, we like it, and it will be open sourced on September 15th,” the Diaspora team said in its announcement.

DARPA Project CINDER Targets Insider Threats

Via Threatpost.com -

The U.S. military is looking for new ways to identify malicious insiders and stop them from operating from within government and military networks, which it assumes have already been compromised.

The Defense Advanced Research Projects Agency (DARPA) this week issued a call for proposals for a new Cyber Insider Threat (CINDER) Program. The goal of the program is to "greatly increase the accuracy, rate and speed with which insider threats are detected."

While incidents of cyber espionage, such as Titan Rain and the so-called Aurora attacks from late 2009 are common, so are compromises due to rogue insiders with legitimate access to sensitive information.

Leaks of classified documents to the Website Wikileaks, allegedly by service member Bradley Manning, are just the most high-profile and recent example of the dangers posed by rogue or malicious insiders. Earlier this month, a federal grand jury convicted a former B-2 bomber engineer of selling cruise missile designs to China. The engineer, Noshir Gowadia, it's alleged, used the money to help pay the mortgage on an elaborate home he built in Maui, Hawaii.

DARPA's CINDER program seeks to spot bad actors such as Gowadia who "operate from within our networks and easily evade existing security measures."

In what might be considered a frank assessment of the state of current security within military and government networks, the CINDER program starts with the premise that "most systems and networks have already been compromised by various types and classes of adversaries," and that "these adversaries are already engaged in what appear to be legitimate activities, while actually supporting adversary missions."

In its initial phase, CINDER will seek to identify the kinds of "adversary missions and observables" at work on government and military networks and the techniques adversaries are using. In Phase II, that information will be used to create a system that can identify multiple missions that might be ongoing. In Phase III, that system will be deployed in a way that scales to meet the government's needs.

TDL3 Rootkit x64 Goes in the Wild

Via Prevx Blog -

We talked about TDL3 rootkit some months ago as the most advanced rootkit ever seen in the wild. Well, the last version of TDL3 was released months ago and documented as build 3.273. After that, no updates have been released to the rootkit driver. This was pretty suspicious, more so if you've been used to seeing rebuild versions of TDL3 rootkit every few days to defeat security software.

Obviously, the rootkit was stable and it is currently running without any major bug on every 32 bit Windows operating system. Still though, the dropper needed administrator rights to install the infection in the system. Anyway, the team behind TDL3 rootkit was just too quiet to not expect something new.

They actually built a nice gift for every security vendor, because TDL3 has been updated and this time this is a major update; the rootkit is now able to infect 64 bit versions of Microsoft Windows operating system.


But this TDL3 release can be considered as the first x64 compatible kernel mode rootkit infection in the wild. Our Prevx community spotted the infecting dropper more than 9 days ago and we are now seeing new samples reported every day. This means the infection is spreading on the web, by using both porn websites and exploit kits.

Speaking about the infection itself, we are still analyzing the infection. Though at first glance we don't feel it could be considered as a brand new TDL3.

It looks like someone got TDL3 sources and added bootkit infection to it. This is because the TDL3 rootkit is now targeting the Master Boot Record, as MBR rootkit did years ago and as Whistler Bootkit is currently doing.

To bypass both Kernel Patch Protection and Driver Signature verification, the rootkit patches the hard drive's master boot record so that it can intercept the Windows startup routines, take them over, and load its driver. Both Windows security mechanisms are bypassed.


Even the rootkit build version changed from 3.273 to 0.02. It looks like a beta build. We say this because from our first internal tests, the rootkit didn't always fully work.

Our current idea is that TDL3 sources could have been sold and the new team who owns them has started adapting the rootkit to x64 platform by adding to it a bootkit infection technique already showed by Whistler bootkit and Stoned v2 bootkit.

What is more important is that with this new TDL3 release a new era has officially dawned: the era of x64 rootkits. How this develops, we're not sure.


However, the authors of these attacks have not been resting. Just under a month ago, we became aware of a new variant of Alureon that infects the Master Boot Record (MBR) instead of an infected driver. While this new variant did not affect 64-bit machines, it had an inert file called ldr64 as part of its virtual file system. More recently, we discovered an updated variant that successfully infected 64-bit machines running Windows Vista or higher, while rendering 64-bit Windows XP and Server 2003 machines unbootable.

VLC Media Player & uTorrent Patch Windows DLL Flaw


The developers of the uTorrent file-sharing application have released an updated version that fixes a problem that could allow an attacker to load malicious code onto a user's computer.


UTorrent version 2.0.4 fixes the problem, although the company behind the application, BitTorrent, said that no attacks have been reported despite a working exploit.


Just one week after the 1.1.3 update was released, the VideoLAN Project developers have issued version 1.1.4 of their VLC Media Player, a free open source cross-platform multimedia player for various audio and video formats.


According to the developers, the 1.1.4 release addresses the DLL vulnerability on Windows systems that affects a wide variety of Windows-based programs.

It looks like Peter Van Eeckhoutte is tracking vendors which fix the DLL Hijacking flaw in his Unofficial DLL Hijacking list.

Thursday, August 26, 2010

Detecting Deceptive Discussions in Conference Calls
We estimate classification models of deceptive discussions during quarterly earnings conference calls. Using data on subsequent financial restatements (and a set of criteria to identify especially serious accounting problems), we label the Question and Answer section of each call as "truthful" or "deceptive". Our models are developed with the word categories that have been shown by previous psychological and linguistic research to be related to deception. Using conservative statistical tests, we find that the out-of-sample performance of the models that are based on CEO or CFO narratives is significantly better than random by 4%- 6% (with 50% - 65% accuracy) and provides a significant improvement to a model based on discretionary accruals and traditional controls. We find that answers of deceptive executives have more references to general knowledge, fewer non-extreme positive emotions, and fewer references to shareholders value and value creation. In addition, deceptive CEOs use significantly fewer self-references, more third person plural and impersonal pronouns, more extreme positive emotions, fewer extreme negative emotions, and fewer certainty and hesitation words.

DLL Hijacking: Facts and Fiction

Via Threatpost.com -

It’s been interesting watching DLL hijacking grow from interesting phenomena to a full-on snowball of hype and FUD over the last few days. As of this writing Google turns up 152 news articles on the subject. The vast majority of coverage is calling this a “new class of attack” and pointing out how “over 30 zero-day vulnerabilities have been found so far!”. The only way to paraphrase many of the headlines is: “Panic!”

Fear and panic, while good for security companies and media outlets in the short term, are not responses that benefit users. Risk management isn’t based on emotion, it’s based on a well-reasoned assessment of risk. In the long run panic can draw attention away from the day-to-day issues which may represent more risk to the enterprise.


The root of this problem lies in the past in an industry far removed from internet security. Many years ago a Microsoft design error included the current working directory in the list of directories Windows will search when looking for a DLL. As a result, it was trivial to use a directory under your control to trick an application into loading the wrong copy of a DLL, which could be a security flaw in some circumstances. Later, as the Internet grew and computer security became a pressing issue, Microsoft mitigated this problem by introducing the SafeDllSearchMode registry key. It wasn’t a perfect solution, but it did help the situation. Finally this behavior was enabled by default in Windows XP SP2.

Prior to SafeDllSearchMode virtually every Windows application was vulnerable to this sort of DLL Hijacking attack. Did it cause infopocalypse? Did SCADA systems burst into flames world-wide? Nope.


Does it matter? Yes. Is it cause for concern? Probably. Should we all panic about this new ‘glut of zero-days’? Not at all.

The key thing to understand is there are tons of mitigating factors for this sort of attack, and that’s why it isn’t widely exploited even though it’s been known for a long time:

  • The user must open a document from a WebDAV share or a network file share. Reports that say that “opening a file from the Internet” can cause a victim to be compromised are extremely misleading. That document could be opened via a link in an email, however, which is cause for concern, as this sort of attack will always succeed for a small population of users.
  • The attacker must guess what vulnerable software you have installed. Since we’ve seen reports that MS Office and other ubiquitous applications are vulnerable, that isn’t very hard right now. It’s safe to assume we’ll see patches in the coming weeks, at which point attackers will have a much worse success rate as they have to predict which software, and in some cases what version of a program, a victim has installed.
  • There are easier ways to trick a user. Similar email attacks have been fairly successful this year, but they used much simpler vectors. PDF files and Word documents are things users are used to receiving in email and opening without a second thought; so zero-day vulnerabilities in Acrobat or Word are a big deal. Call me an optimist, but I’d like to think users might pause to think harder when a weird looking link in email opens up an Explorer window on a WebDAV share on the Internet. That’s just not a normal use-case.
  • Virus software can help. Some people are reporting that anti-virus can’t block this sort of attack. That’s largely false. It is easy to write a malicious DLL, but it’s just as easy to create an A/V signature for a malicious DLL as any other malware.

To make a prediction, we’ll probably see email borne attempts to exploit DLL hijacking circulate for a while. They won’t be that effective, and we’ll all go back to business as usual when the next big zero-day in a common file format surfaces.

That said, within the enterprise, where opening files or even applications from shares is commonplace, this could represent a real risk from an inside attacker. Please do head over to Microsoft and deploy the fix, there’s really no good reason to load a DLL from a WebDAV or other share in a security conscious environment.


Good write-up by Oliver Lavery, Director of Security Research and Development @ nCircle.

Less technical and more risk-based.

Wednesday, August 25, 2010

America's Most Dangerous Military Computer Breach Was Caused By a Flash Drive

Via Washington Post (hat tip to Gizmodo) -

Now it is official: The most significant breach of U.S. military computers was caused by a flash drive inserted into a U.S. military laptop on a post in the Middle East in 2008.

In an article to be published Wednesday discussing the Pentagon's cyberstrategy, Deputy Defense Secretary William J. Lynn III says malicious code placed on the drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military's Central Command.

"That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control," he says in the Foreign Affairs article.

"It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary."

Lynn's decision to declassify an incident that Defense officials had kept secret reflects the Pentagon's desire to raise congressional and public concern over the threats facing U.S. computer systems, experts said.


Lynn's declassification of the 2008 incident has prompted concern among cyberexperts that he gave adversaries useful information. The Foreign Affairs article, Pentagon officials said, is the first on-the-record disclosure that a foreign intelligence agency had penetrated the U.S. military's classified systems. In 2008, the Los Angeles Times reported, citing anonymous Defense officials, that the incursion might have originated in Russia.

The Pentagon operation to counter the attack, known as Operation Buckshot Yankee, marked a turning point in U.S. cyberdefense strategy, Lynn said. In November 2008, the Defense Department banned the use of flash drives, a ban it has since modified.

Infiltrating the military's command and control system is significant, said one former intelligence official who spoke on the condition of anonymity because of the sensitivity of the matter. "This is how we order people to go to war. If you're on the inside, you can change orders. You can say, 'turn left' instead of 'turn right.' You can say 'go up' instead of 'go down.' "

In a nutshell, he said, the "Pentagon has begun to recognize its vulnerability and is making a case for how you've got to deal with it."


Foreign Affairs - Defending a New Domain (The Pentagon's Cyberstrategy)


Unlike Deputy Defense Secretary William J. Lynn, not everyone involved in “Operation Buckshot Yankee” is ready to call it a "foreign intelligence" attack, according to Wired's Danger Room Blog.

But exactly how much (if any) information was compromised because of agent.btz remains unclear. And members of the military involved in Operation Buckshot Yankee are reluctant to call agent.btz the work of a hostile government — despite ongoing talk that the Russians were behind it.

"Some guys wanted to reach out and touch someone. But months later, we were still doing forensics. It was never clear, though,” one officer tells Danger Room. “The code was used by Russian hackers before. But who knows?” Left unsaid is a second question: why would an intelligence agency launch a limp attack?

Better, Faster, Stronger: DLLHijackAuditKit v2

Via Metasploit Blog -

Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript, automatically kill spawned processes, reduce the memory usage by ProcMon, and automatically validate every result from the CSV log. The result is DLLHijackAuditKit v2. This kit greatly speeds up the identification process for vulnerable applications.


HD Moore and the guys over at Metasploit / Rapid7 have really put some work into this tool. The new version practically kills all the spawned processes and protects the running processes. After the initial audit, it attempts to verify each possible vulnerability and generates a POC exploit for each filetype found to be exploitable.

I took v2 of the tool for a spin on my Windows XP image this morning and it worked very well and with almost no need for my interaction. In the end, it only detected the Windows Address Book application as vulnerable, which means it failed to detect several applications that are known to be vulnerable - Office, Firefox, MS Internet Signup, and perhaps Winzip and Winamp.

HD Moore informed me this morning he is updating the current version of the audit tool which will include some bugfixes.

In addition, several groups have started attempts to track the list of vulnerable applications....

VUPEN - Security Advisories

Secunia - Security Advisories

Offensive Security - Exploit Database

DLL Hijacking - the Unofficial List

Global Terrorism Database (GTD)


The Global Terrorism Database (GTD) is an open-source database including information on terrorist events around the world from 1970 through 2008 (with additional annual updates planned for the future). Unlike many other event databases, the GTD includes systematic data on domestic as well as transnational and international terrorist incidents that have occurred during this time period and now includes more than 87,000 cases. For each GTD incident, information is available on the date and location of the incident, the weapons used and nature of the target, the number of casualties, and--when identifiable--the group or individual responsible.

The National Consortium for the Study of Terrorism and Responses to Terrorism (START) makes the GTD available via this online interface in an effort to increase understanding of terrorist violence so that it can be more readily studied and defeated.

Tuesday, August 24, 2010

ATM Makers Release Fixes for 'Jackpotting' Flaw

Via Threatpost.com -

Two ATM manufacturers have released software updates to address the remotely exploitable vulnerabilities in their machines' firmware that IOActive researcher Barnaby Jack demonstrated live on stage at the Black Hat conference last month.

In response to the demonstration, in which Jack was able to bypass the authentication mechanism on the ATMs and then load a small rootkit that he wrote, ATM manufacturers Hantle and Triton have released new versions of their firmware that fix the vulnerability. Both manufacturers are recommending that ATM owners install the updates immediately.


Triton and Hantle also are recommending that customers who aren't using the ATM's remote management interface disable that feature to protect against any other remote attacks.

Exploiting DLL Hijacking Flaws


This post describes the process for identifying and exploiting applications vulnerable to the DLL hijack vulnerability disclosed last week. For background information on this vulnerability, as well as remediation information, please see my post on the Rapid7 Blog.

This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker. This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless, the flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory.

In practice, this flaw can be exploited by sending the target user a link to a network share containing a file they perceive as safe.


To determine the extent of the problem, I developed a quick and dirty audit kit that leverages the Process Monitor utility and the Ruby interpreter. This kit will turn a desktop PC into a game of whack-a-mole by launching the file handlers for every registered file type, while recording whether or not a DLL was accessed within the working directory of the associated file. After the audit phase is complete, the generate.rb script can be used to create test cases that will validate each result. Clicking through the test cases will lead to the Calculator being launched when the result is exploitable and nothing when it is not.


The Offensive Security folks posted a video exploiting the DLL hijack issue (to an awesome @dualcoremusic track)
Today we released Security Advisory 2269637 notifying customers of a remote attack vector to a class of vulnerabilities affecting applications that load DLLs in an insecure manner. The root cause of this issue has been understood by developers for some time. However, last week researchers published a remote attack vector for these issues, whereas in the past, these issues were generally considered to be local and relatively low impact.
This update introduces a new registry key CWDIllegalInDllSearch that allows users to control the DLL search path algorithm. The DLL search path algorithm is used by the LoadLibrary API and the LoadLibraryEx API when DLLs are loaded without specifying a fully qualified path.


The newly introduced CWDIllegalInDllSearch registry key enables computer administrators to modify the behavior of the DLL search path algorithm that is used by LoadLibrary and by LoadLibraryEx. This registry key could allow certain kinds of directories to be skipped.
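To make the two mitigations discussed on this page concrete (SafeDllSearchMode moving the current working directory later in the search, and CWDIllegalInDllSearch dropping it), here is an added model of the search order LoadLibrary walks for a bare DLL name. It is not Microsoft's code; the value meanings follow Microsoft's documentation for the key, while the directory layout and DLL names are constructed. The KnownDLLs list and already-loaded modules, which Windows consults before the directory search, are left out because they do not change which directory wins.

```ruby
# CWDIllegalInDllSearch values (DWORD, system-wide under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, or per application
# under its Image File Execution Options key):
CWD_ILLEGAL_DEFAULT = 0x0          # key absent or 0: CWD stays in the search path
CWD_ILLEGAL_REMOTE  = 0x1          # skip CWD when it is a remote folder (WebDAV or UNC)
CWD_ILLEGAL_WEBDAV  = 0x2          # skip CWD only when it is a WebDAV folder
CWD_ILLEGAL_ALWAYS  = 0xFFFFFFFF   # always remove CWD from the search path

# Ordered list of directories that would be probed for a bare DLL name.
# dirs: { app:, system:, system16:, windows:, cwd:, path: [...] }
# cwd_kind: :local, :unc or :webdav (what the current working directory is)
def dll_search_order(dirs, safe_search: true, cwd_illegal: CWD_ILLEGAL_DEFAULT, cwd_kind: :local)
  skip_cwd = case cwd_illegal
             when CWD_ILLEGAL_ALWAYS then true
             when CWD_ILLEGAL_REMOTE then %i[unc webdav].include?(cwd_kind)
             when CWD_ILLEGAL_WEBDAV then cwd_kind == :webdav
             else false
             end
  cwd = skip_cwd ? [] : [dirs[:cwd]]
  if safe_search
    # SafeDllSearchMode (default since XP SP2): CWD comes after the system directories
    [dirs[:app], dirs[:system], dirs[:system16], dirs[:windows]] + cwd + dirs[:path]
  else
    # Legacy order: CWD is probed right after the application directory
    [dirs[:app]] + cwd + [dirs[:system], dirs[:system16], dirs[:windows]] + dirs[:path]
  end
end

# Resolve a bare DLL name against a constructed file system (dir => [dll names]).
# Returns the full path that would be loaded, or nil if nothing is found.
def resolve_dll(name, fs, dirs, **opts)
  dll_search_order(dirs, **opts).each do |dir|
    return File.join(dir, name) if fs.fetch(dir, []).include?(name.downcase)
  end
  nil
end

# Constructed layout: the document was opened from a share the user does not control.
DIRS = {
  app:      'C:/Program Files/Viewer',
  system:   'C:/Windows/System32',
  system16: 'C:/Windows/System',
  windows:  'C:/Windows',
  cwd:      '//files.example.test/share',
  path:     ['C:/Windows/System32/Wbem'],
}.freeze

# helper.dll ships in System32; optional.dll is not installed anywhere, but the
# application still asks for it by bare name (the case the advisory is about).
FS = {
  'C:/Windows/System32'        => ['helper.dll'],
  '//files.example.test/share' => ['helper.dll', 'optional.dll'],
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts resolve_dll('helper.dll',   FS, DIRS, safe_search: false)   # share copy wins
  puts resolve_dll('helper.dll',   FS, DIRS)                       # System32 copy wins
  puts resolve_dll('optional.dll', FS, DIRS)                       # share copy still loads
  p    resolve_dll('optional.dll', FS, DIRS, cwd_illegal: CWD_ILLEGAL_REMOTE, cwd_kind: :webdav)
end
```

The third call is the point of the new key: SafeDllSearchMode only protects DLLs that exist in a directory searched before the CWD, so a DLL the application asks for but never ships still resolves to the share unless CWDIllegalInDllSearch removes the CWD from the search.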

Anti-virus Products Struggle Against Exploits

Via KrebsOnSecurity.com -

Most anti-virus products designed for use in businesses do a poor job of detecting the exploits that hacked and malicious Web sites use to foist malware, a new report concludes.

Independent testing firm NSS Labs looked at the performance of 10 commercial anti-virus products to see how well they detected 123 client-side exploits, those typically used to attack vulnerabilities in Web browsers including Internet Explorer and Firefox, as well as common desktop applications, such as Adobe Flash, Reader, and Apple QuickTime.


Among all ten products, NSS found that the average detection rate against original exploits was 76 percent, and that only three out of ten products stopped all of the original exploits. The average detection against exploits variants was even lower at 58 percent, NSS found.


Wismer said the study highlights an area where many products have room for improvement, and that having more anti-virus products blocking the exploitation stage would be a very advantageous improvement. But he said the report itself doesn’t provide a full picture of the performance of these products.

“It just doesn’t tell the customer whether or not they’d actually be protected in the real world,” Wismer [an AV industry watcher and blogger] wrote in an e-mail to KrebsOnSecurity.com. “The more links in the chain of events leading to compromise that can be used to a defender's advantage. A chain is only as strong as its weakest link and so only one stage of a multi-stage attack needs to be blocked in order for the final intended outcome to be thwarted. A test that doesn’t include all the stages therefore necessarily omits information that could be important in determining which products provide the best assistance at protection.”

Interestingly, a series of reports released earlier this month by anti-virus testing lab AV-Test comes to similar conclusions as the NSS report about the exploit-blocking abilities of the major anti-virus products. According to AV-Test, the industry average in protecting against exploits (both known and unknown) was 75 percent.

Sunday, August 22, 2010

Apple Files for Patent to Disable Jailbroken iPhones

Via Mashable.com -

Apple has applied for a patent covering various methods for identifying and disabling unauthorized use — including jailbreaking and other hacks — of electronic devices, such as its popular iPhone and iPad products.

Although the U.S. government has legally authorized the jailbreaking (i.e. running code that gives users access to extensions and themes that Apple has not approved, as well as use carriers that are not supported by Apple) of iPhones and other electronic devices for “educational purposes,” it seems that Apple is determined to gain further control over said devices.

Currently, the Cupertino, California-based tech company automatically revokes its warranty on all iPhones that have been subject to jailbreaking and other hacks.

The patent, which was filed in February and published on Thursday, primarily focuses on measures for identifying stolen devices and protecting the kinds of sensitive information, such as credit card numbers and passwords, stored on those devices. Upon learning that a customer’s iPhone has been stolen, for instance, sensitive data stored on that customer’s device could be sent to one of Apple’s remote storage servers and then erased entirely from the phone.

However, the patent also covers methods for identifying devices that have been hacked, jailbroken, unlocked or had their SIM cards removed, such as monitoring sudden increases in memory usage that could “indicate that a hacking program is being run and that an unauthorized user may be using the electronic device.” Theoretically, Apple could then wipe personal data from these devices and then alert AT&T to “shutdown any telephone service to the electronic device, shutdown the electronic device itself, or otherwise suitably extract the functions of the electronic device.”

In other words, the system described in the patent allows Apple to effectively kill jailbroken devices under the guise of protecting customers from theft, since it may not be able to determine whether a device has been stolen or if it is being willingly jailbroken by users.

Human Rights and Malware Attacks

Via Infowar Monitor (Aug 19, 2010) -

On March 18, 2010, unknown attackers sent a spear phishing email that appeared to be from Sharon Hom, the Executive Director of Human Rights in China (HRIC), to a variety of organizations and individuals. Leveraging the trust and recognition of HRIC, the attackers’ email encouraged recipients to visit a compromised website that contained malicious code designed to allow the attackers to ultimately take full control of the visitor’s computer. These targeted malware attacks are now becoming commonplace, further extending the threat faced by civil society organizations.


The subject of the email was “Microsoft, Stool Pigeon for the Cops and FBI” and the email contained a JPG attachment. However, the attackers’ objective was for the targets to visit the link contained in the email. The link, www.cfcr2008.org, redirected to cfcr.i1024.com, which was compromised by the attackers and in which they had inserted code that caused visitors to the website to open a malicious PDF from www.520520.com.tw. This PDF exploited Adobe Reader and compromised the visitor's computer. Compromised computers then connected to a website under the attackers’ control, www.humanright-watch.org, and downloaded additional malware before ultimately connecting to a command and control server, 360liveupdate.com, in China.

India: Electronic Voting Researcher Arrested Over Anonymous Source

Via Freedom to Tinker Blog -

About four months ago, Ed Felten blogged about a research paper in which Hari Prasad, Rop Gonggrijp, and I detailed serious security flaws in India's electronic voting machines. Indian election authorities have repeatedly claimed that the machines are "tamperproof," but we demonstrated important vulnerabilities by studying a machine provided by an anonymous source.

The story took a disturbing turn a little over 24 hours ago, when my coauthor Hari Prasad was arrested by Indian authorities demanding to know the identity of that source.

At 5:30 Saturday morning, about ten police officers arrived at Hari's home in Hyderabad. They questioned him about where he got the machine we studied, and at around 8 a.m. they placed him under arrest and proceeded to drive him to Mumbai, a 14 hour journey.

The police did not state a specific charge at the time of the arrest, but it appears to be a politically motivated attempt to uncover our anonymous source. The arresting officers told Hari that they were under "pressure [from] the top," and that he would be left alone if he would reveal the source's identity.


Our work has produced a hot debate in India. Many commentators have called for the machines to be scrapped, and 16 political parties representing almost half of the Indian parliament have expressed serious concerns about the use of electronic voting.

Earlier this month at EVT/WOTE, the leading international workshop for electronic voting research, two representatives from the Election Commission of India joined in a panel discussion with Narasimha Rao, a prominent Indian electronic voting critic, and me. (I will blog more about the panel in coming days.) After listening to the two sides argue over the security of India's voting machines, 28 leading experts in attendance signed a letter to the Election Commission stating that "India’s [electronic voting machines] do not today provide security, verifiability, or transparency adequate for confidence in election results."

Nevertheless, the Election Commission continues to deny that there is a security problem. Just a few days ago, Chief Election Commissioner S.Y. Quraishi told reporters that the machines "are practically totally tamper proof."


Hari is spending Saturday night in a jail cell, and he told me he expects to be interrogated by the authorities in the morning. Hari has retained a lawyer, who will be flying to Mumbai in the next few hours and who hopes to be able to obtain bail within days. Hari seemed composed when I spoke to him, but he expressed great concern for his wife and children, as well as for the effect his arrest might have on other researchers who might consider studying electronic voting in India.

If any good has come from this, it's that there has been an outpouring of support for Hari. He has received positive messages from people all over India.

Unfortunately, the entire issue distracts from the primary problem: India's electronic voting machines have fundamental security flaws, and do not provide the transparency necessary for voters to have confidence in elections. To fix these problems, the Election Commission will need help from India's technical community. Arresting and interrogating a key member of that community is enormously counterproductive.


India's EVMs are Vulnerable to Fraud

Saturday, August 21, 2010

Black Hole Mystery Unveiled by Magnetic Star Discovery

Via BBC -

The discovery of a rare magnetic star - or magnetar - is challenging theories about the origin of black holes.

Magnetars are a special type of neutron star with a powerful magnetic field.

They are formed by gravitational collapse after the original, or progenitor star, dies and forms a catastrophic supernova.

For this newly discovered magnetar, astronomers calculated that the mass of the progenitor must have been at least 40 times greater than that of our Sun.

Collapsing stars of this size should form a black hole. The fact that this one resulted in a neutron star challenges established theory.


To calculate the mass of the progenitor star, the research team estimated its lifespan. Massive stars collapse earlier than small stars because the pressure on their core is greater, causing them to burn up their hydrogen fuel more rapidly.

The astronomers assumed that this star formed at the same time as others in the same cluster.

So the fact that this star had already collapsed shows that it must have been more massive than the other stars that still exist there.

Stars that are more than 25 times more massive than our Sun normally collapse to form black holes.

Dr Negueruela of the University of Alicante in Spain, a co-author on the study, said that the mystery of the missing black hole might be explained if the progenitor star got rid "of nine tenths of its mass before exploding as a supernova".

One way of achieving this "diet plan" would be if the progenitor was part of a cosmic double-act known as a "binary star", and its companion pulled off some of its mass, Dr Clark, another co-author, told the BBC. This would have allowed it to avoid the fate of becoming a black hole.

Professor Mike Cruise, an astrophysicist at the UK's University of Birmingham, who was not involved in the study, told BBC News that the new research was "a brilliant piece of detective work".

He commented: "What is especially attractive about this paper is the way the researchers' arguments are based on robust measurements, not just theory."

Friday, August 20, 2010

Al-Qaeda Advises Shabaab to Keep Low Profile on Links, Attack US Interests

Via The Long War Journal -

Al Qaeda's senior leadership has advised Shabaab, its affiliate in Somalia, to downplay links between the two terror groups and suggested that future attacks be directed at US interests in East Africa.

"Al Qaeda's top leadership has instructed Shabaab to maintain a low profile on al Qaeda links," a senior US intelligence official who closely follows al Qaeda and Shabaab in East Africa told The Long War Journal. The official, who requested anonymity due to the sensitivity of the subject, said the information was passed between the top leadership of both groups.

"Al Qaeda has accepted Shabaab into the fold, and any additional statements would only serve to draw international scrutiny," the intelligence official said. "Al Qaeda is applying lessons learned from Iraq, that an overexposure of the links between al Qaeda central leadership and its affiliates can cause some unwanted attention."

Shabaab's double suicide attack in Uganda on July 11 was well received by al Qaeda's top leadership, who want Shabaab to continue hitting US interests in Africa.

"Al Qaeda is pleased with the double suicide attack in Uganda, but suggested Shabaab reserve future strikes at US interests in the region," the official said.

"I targeted places where many Americans go," Luyima said in a press conference hosted by Ugandan police on Aug. 12. "I was made to believe that Americans were responsible for the suffering of Muslims all over the world."


Evidence of Shabaab's attempts to minimize its regional reach could recently be seen in Somalia's north after Shabaab commander Mohammed Said Atom and Shabaab both downplayed any ties after security forces attacked terror training camps operated by Atom in the Galgala Mountains in late July.


Shabaab's former spokesman and top military commander, Sheikh Mukhtar Robow, admitted that many Shabaab leaders have trained with and take instruction from al Qaeda. "Most of our leaders were trained in Al Qaeda camps," Robow told The Los Angeles Times in August 2008. "We get our tactics and guidelines from them," he continued. "Many have spent time with Osama bin Laden." Other Shabaab leaders have also admitted to links with al Qaeda.

"We will take our orders from Sheikh Osama bin Laden because we are his students," Robow continued. "Al Qaeda is the mother of the holy war in Somalia."

Al-Shabaab’s Unavoidable Clash with Somaliland Democracy

Via Jamestown.org -

If the suicide bombings in Kampala during the World Cup finals were a sign of al-Shabaab’s plans to fight outside of southern Somalia, then Somaliland’s new ruling party must prepare for more attacks. Al-Shabaab leader Shaykh Ahmad Abdi Godane “Abu Zubayr” has made clear his intention to expand al-Shabaab’s jihad to his native Somaliland.

Somaliland’s democratic political system and desire for independence are to Shaykh Abdi Godane what Egypt’s secular state is to Ayman al-Zawahiri and Saudi Arabia’s friendship with the United States is to Osama bin Laden – blasphemy. Abdi Godane is a Salafist who fought with al-Qaeda in Afghanistan until the end of 2001 and calls for jihad “until Islamic law is implemented on all continents of the world” (AFP, May 13, 2009).


Somaliland is an unrecognized state located in the Horn of Africa. It is regarded internationally as an autonomous region of Somalia. The government of Somaliland, however, regards itself as the successor state to British Somaliland, which was independent for a few days in 1960 as the State of Somaliland. Somaliland has formed a hybrid system of governance under the Constitution of Somaliland, combining traditional and western institutions.

Somaliland's Motto: "Justice, Peace, Freedom, Democracy and Success for All"

DoD Publicly Cites Chinese Cyberespionage Against U.S.

Via DarkReading.com -

The Defense Department this week called out China for waging cyberattacks on U.S. companies and government agencies.

The "Annual Report To Congress: Military and Security Developments Involving the People's Republic of China 2010" report this week marks the Pentagon's most public statements yet about China's alleged cyberespionage efforts. The DoD report says in 2009, "numerous computer systems around the world, including those owned by the U.S. government, continued to be the target of intrusions that appear to have originated within" China, according to an Associated Press article on the DoD's report.

DoD maintains that China was "focused on exfiltrating information, some of which could be of strategic or military utility" in those attacks. It stopped short of confirming that the People's Liberation Army in China either executed or endorsed the attacks, but noted that "developing capabilities for cyberwarfare is consistent with PLA military writings."

The report also says the PLA has set up "information warfare units" that include civilian computer experts to create viruses that attack "enemy" computers and networks. "These units include elements of the militia, creating a linkage between PLA network operators and China's civilian information technology professionals," the report says.

Chinese officials this week disputed the DoD's claims, saying the U.S. was trying to "blacken China's image," according to reports from the Chinese state news agency Xinhua. "The U.S. purpose (of releasing such a report) is to tarnish China's image and exaggerate the threat China poses," China's Internet Society president reportedly said in response to the DoD report.


More insight into the DoD's assessment report...

Thursday, August 19, 2010

Hadopi: Will France Spy on You?

Via ESET Threat Blog -

Apparently France has some new legislation surrounding pirated software. I applaud reasonable approaches to combating piracy, but it appears that France may be ready to make public the answer to the question “Will Anti-virus ignore government Trojan horse programs?”

I first saw the story at Slashdot and the story was picked up from TechDirt. If this is true it could pit the rest of the European Union and virtually the entire antivirus industry against France.

Hadopi refers to both the High Authority for Copyright Protection and Dissemination of Works on the Internet legislation and the French governmental organization tasked with enforcing France’s new law. Already most of the European Union has indicated that they feel the law violates the EU constitution. The technical specifications of a plan to enforce the Hadopi law were leaked and appear to call for software, that most reasonable people would call spyware, to be installed upon the computers of French citizens.


The very nature of heuristics is such that the program is likely to be detected even if signatures do not detect it, unless the program is white listed. I doubt that AV companies are going to white list such a program.

To anyone with a slight degree of sophistication it is obvious that the criminal element would exploit vulnerabilities in the software so as to take over the spyware, whether it is to harm the user or to interfere with the government.

The idea is almost certain to be doomed from the start and is almost certainly only an excuse for some bureaucrats to waste French taxpayers’ money pretending that they were actually doing anything at all. It appears that this idea is not uniquely mine.

40 Windows Apps Contain Critical Bug, Says Researcher

Via NetworkWorld.com -

About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, a security researcher said Wednesday.

The bug was patched by Apple in its iTunes software for Windows four months ago, but remains in more than three dozen other Windows programs, said HD Moore, the chief security officer of Rapid7 and creator of the open-source Metasploit penetration testing toolkit. Moore did not reveal the names of the vulnerable applications or their makers, however.

Each affected program will have to be patched separately.

Moore first hinted at the widespread bug in a message on Twitter on Wednesday. "The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell," he tweeted, then linked to an advisory published by Acros, a Slovenian security firm.


Moore confirmed that the flaw "applies to a wide range of Windows applications," and added that he stumbled across it while researching the Windows shortcut vulnerability, a critical bug that Microsoft acknowledged in July and patched on Aug. 2 using one of its rare "out-of-band" emergency updates.


Moore declined to name the applications that contain the bug or to go into great detail about the vulnerability. But he was willing to share some observations.

"The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a 'safe' file type from a network share [either on the local network or the Internet]," Moore said in an e-mail reply to questions. "It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content."


His advice until the vulnerable applications are patched was also taken from Microsoft's shortcut bug playbook.

"Users can block outbound SMB [by blocking TCP ports] 139 and 445, and disable the WebDAV client [in Windows] to prevent these flaws from being exploited from outside of their local network," Moore recommended.


Moore said that Rapid7 would release more information about the vulnerability next week, and added that an exploit module has been written for Metasploit but has not been released.


In Windows XP, the WebDAV client runs as a service called "WebClient". By default, this service is set to "Automatic".
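As an added example (not code from the article, Rapid7 or Microsoft), a PowerShell script that audits the two interim mitigations Moore lists, the WebClient service and outbound SMB on TCP 139/445, and applies them when run with -Apply. It assumes the NetSecurity firewall cmdlets (Windows 8 / Server 2012 and later) and uses a constructed firewall rule name.

```powershell
# Audit (and with -Apply, enforce) the interim DLL-hijacking mitigations:
#   1. disable the WebDAV client ("WebClient" service)
#   2. block outbound SMB to remote TCP ports 139 and 445
# Assumes the NetSecurity module (Get-/New-NetFirewallRule); run elevated.
param([switch]$Apply)

# --- 1. WebClient service -------------------------------------------------
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output "WebClient service not present on this host"
} else {
    # StartMode is Auto, Manual or Disabled
    $start = (Get-CimInstance Win32_Service -Filter "Name='WebClient'").StartMode
    Write-Output ("WebClient: status={0} startmode={1}" -f $svc.Status, $start)
    if ($Apply -and $start -ne 'Disabled') {
        Stop-Service -Name WebClient -Force
        Set-Service -Name WebClient -StartupType Disabled
        Write-Output "WebClient stopped and set to Disabled"
    }
}

# --- 2. Outbound SMB ------------------------------------------------------
$ruleName = 'Block outbound SMB (TCP 139,445)'   # constructed rule name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($null -eq $rule) {
    Write-Output "No outbound block rule for TCP 139/445 found"
    if ($Apply) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
            -Action Block -Protocol TCP -RemotePort 139,445 -Profile Any | Out-Null
        Write-Output "Created firewall rule '$ruleName'"
    }
} else {
    Write-Output ("Rule present: enabled={0} action={1}" -f $rule.Enabled, $rule.Action)
}
```

Blocking outbound 139/445 also breaks legitimate access to file shares outside the local network, so scope the rule to the profiles where that is acceptable.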

Facebook Adds 'Places' Check-in Feature

Via WashingtonPost.com -

Facebook is following in the footsteps of younger social-networking sites by adding a "Places" feature that lets you share your real-world location with online friends. As company representatives explained at an event at Facebook's Palo Alto, Calif., offices and wrote in a blog post, you'll be able to tap a "Check In" button to announce your presence at a physical location to your Facebook friends. Your check-in will then appear on that location's "place page," on your profile and in your friends' News Feeds.

Your pals, in turn, can tag you as being with them, after which you can remove that tag--similar to the way Facebook's photo-tagging feature operates.


So basically, Facebook has copied FourSquare. But of course, Facebook has kept its past course and made some parts of Places opt-out, as opposed to opt-in. By default, your friends can check you in even if you don't check in yourself!

Here are the three changes that I made to my FB settings...

Privacy Settings -> Customize Settings -> Things I share -> Set "Places I check in" to "Only Me"

Privacy Settings -> Customize Settings -> Things I share -> Uncheck the enable checkbox for "Include me in 'People Here Now' after I check in"

Privacy Settings -> Customize Settings -> Things others share -> Select Disable for "Friends can check me in to Places"

Wednesday, August 18, 2010

Adobe to Release Critical Out-of-Cycle Reader Updates Tomorrow

Via H-Online.com -

Adobe has confirmed it will be releasing out-of-cycle security updates for Adobe Reader and Adobe Acrobat tomorrow, August 19th. The updates will be for Reader 9.3.3 for Windows, Macintosh and UNIX, Acrobat 9.3.3 on Windows and Macintosh, and Reader and Acrobat 8.2.3 on Windows and Macintosh.

The out-of-cycle update will address a number of critical security issues, including Charlie Miller's Cooltype.dll vulnerability as presented at Black Hat USA 2010. Also included are fixes from Adobe's Flash update on August 11th. The Flash fixes are needed as a vulnerable Flash player component is included in Acrobat and it does not get updated when a system's Flash player is updated.

New Mass SQL Injection Attack Hits Thousands of Sites

Via HostExploit.com -

A new automated SQL Injection (SQLi) attack is circulating online. It appears to have hit tens of thousands of websites at the least. To make things worse, the attack is using a domain on a bulletproof server out of China, making it nearly impossible to knock offline, and has ties to the Zeus botnet.


Obfuscated SQL Injection Attacks

Apple.com Hit in Latest Mass Hack Attack