Sunday, October 31, 2010 - Much Respect

The following message was posted on yesterday.... was started in September 2002 because I enjoyed keeping up to date on the latest security news, vulnerabilities, novel attack vectors and I started publishing interesting links I came across on the site. Since then however after around 8 years of daily updates my interest in computer security has been slowly fading, and updating the site has changed from being a hobby to more of a task I just do out of habit.

Regular daily updates are therefore now on hold, possibly indefinitely.

Thank you for your support, links, and readership over the past 8 years.
------------------------------------------------------------------------------------------------ is one of the websites that regularly watch for new security topics. I visited the site very often and would like to thank them for all their work over the years, to keep us all in the loop.

American Pleads Guilty to Attempt to Spy for China

Via Google News (AFP) -

An American who studied in China pleaded guilty Friday to attempted espionage after he admitted to being recruited by Beijing to infiltrate US intelligence agencies, the Justice Department said.

Glenn Shriver, 28, faces a sentence of two years in prison under a plea agreement, the department said. His sentencing was scheduled for January 21.

Shriver "attempted to gain access to classified US national defense information by securing a position within the US government under false pretenses," with the goal of passing it on to China, a Justice Department statement said.

Shriver, who lived in China as a university undergraduate and after graduation, was approached in 2004 by three Chinese intelligence officers while living in Shanghai, it said.

"At the request of these foreign agents, Shriver agreed to return to the United States and apply for positions in US intelligence agencies or law enforcement agencies," it said, citing a statement of facts filed as part of the plea agreement.

From 2005 to 2010, he tried getting jobs with the US Foreign Service and with the CIA clandestine service, hiding his contacts with the Chinese officers. He met with one or more of them about 20 times.

During that period he received more than 70,000 dollars in payments from Chinese intelligence officers, according to the statement.

In December 2009, he received notice to report to Washington DC for final processing for a job at the CIA.

"Shriver admitted that he communicated with a PRC (People's Republic of China) intelligence officer that he was 'making some progress' in obtaining a position with the CIA and that he would not be free to travel to PRC for another meeting because it could raise suspicion," the Justice Department said.


Hat-tip to for the link.

Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks


The pervasive interconnection of autonomous sensor devices has given birth to a broad class of exciting new applications. At the same time, however, the unattended nature and the limited resources of sensor nodes have created an equal number of vulnerabilities that attackers can exploit in order to gain access in the network and the information transferred within. While much work has been done on trying to defend these networks, little has been done on suggesting sophisticated tools for proving how vulnerable sensor networks are. This work demonstrates a tool that allows both passive monitoring of transactional data in sensor networks, such as message rate, mote frequency, message routing, etc., but also discharge of various attacks against them. To the best of our knowledge, this is the first instance of an attack tool that can be used by an adversary to penetrate the confidentiality and functionality of a sensor network. Results show that our tool can be flexibly applied to different sensor network operating systems and protocol stacks giving an adversary privileges to which she is not entitled. We hope that our tool will be used proactively, to study the weaknesses of new security protocols, and, hopefully, to enhance the level of security provided by these solutions even further.

U.S. Sees Complexity of Bombs as Link to Al Qaeda

Via -

The powerful bombs concealed inside cargo packages and destined for the United States were expertly constructed and unusually sophisticated, American officials said Saturday, further evidence that Al Qaeda’s affiliate in Yemen is steadily improving its abilities to strike on American soil.

As investigators on three continents conducted forensic analyses of two bombs shipped from Yemen and intercepted Friday in Britain and Dubai, American officials said evidence was mounting that the top leadership of Al Qaeda in the Arabian Peninsula, including the radical American-born cleric Anwar al-Awlaki, was behind the attempted attacks.

Yemeni officials on Saturday announced the arrest of a young woman and her mother in connection with the plot, which also may have involved two language schools in Yemen. The two women were not identified, but a defense lawyer who has been in contact with the family, Abdul Rahman Barham, said the daughter was a 22-year-old engineering student at Sana University.

Yemen’s president, Ali Abdullah Saleh, said Saturday night during a news conference that Yemeni security forces had identified her based on a tip from American officials, but he did not indicate her suspected role.

Investigators said that the bomb discovered at the Dubai airport in the United Arab Emirates was concealed in a Hewlett-Packard desktop printer, with high explosives packed into a printer cartridge to avoid detection by scanners.

“The wiring of the device indicates that this was done by professionals,” said one official involved in the investigation, who like several officials spoke on condition of anonymity because the inquiry was continuing. “It was set up so that if you scan it, all the printer components would look right.”

The bomb discovered in Britain was also hidden in a printer cartridge.


American officials said their operating assumption was that the two bombs were the work of Ibrahim Hassan al-Asiri, Al Qaeda in Yemen’s top bomb-maker, whose previous devices have been more rudimentary, and also unsuccessful. Mr. Asiri is believed to have built both the bomb sewn into the underwear of the young Nigerian who tried to blow up a trans-Atlantic flight last Dec. 25, and the suicide bomb that nearly killed Saudi Arabia’s intelligence chief, Mohammed bin Nayef, months earlier. (In the second episode, American officials say, Mr. Asiri hid the explosives in a body cavity of his brother, the suicide bomber.)

Just as in the two previous attacks, the bomb discovered in Dubai contained the explosive PETN, according to the Dubai police and Janet Napolitano, the secretary of homeland security. This new plot, Ms. Napolitano said, had the “hallmarks of Al Qaeda.”


It was a call from Mr. bin Nayef, the Saudi intelligence chief, on Thursday evening to John O. Brennan, the White House senior counterterrorism official and former C.I.A. station chief in Riyadh, the Saudi capital, that set off the search, according to American officials. They said Mr. bin Nayef also notified C.I.A. officials in Riyadh.

Saudi Arabia has sometimes been a reluctant ally in America’s global campaign against radical militants. But it sees Yemen, its impoverished next-door neighbor, as a different matter. The Saudis consider the Qaeda branch in Yemen its biggest security threat and Saudi intelligence has set up both a web of electronic surveillance and spies to penetrate the organization.


Originally born to a pious family in Saudi Arabia, Ibrahim is one of 85 people on the kingdom's list of wanted terrorists. After serving jail time in his home country, he fled to neighbouring Yemen two years ago with his brother Abdullah to become key members of Al Qaeda in the Arabian Peninsula, which has bases in the lawless mountain areas beyond the writ of central government.

The slightly-built 28-year-old, who is the son of a retired soldier, is believed to be the movement's resident bombmaking expert - skills he first put to chilling use in a suicide attack in which he recruited his own younger brother, Abdullah, 23, to act as the "martyr".


Explosive devices in cargo packages addressed to Chicago, Illinois, destinations appear to have been designed to detonate on their own, without someone having to set them off, the top White House counterterrorism official told CNN on Sunday.

John Brennan, President Barack Obama's assistant for homeland security and counterterrorism, said on CNN's "State of the Union" program that the sophisticated explosives could have been intended to blow up the air cargo planes carrying them, as suspected by British authorities.

"It is my understanding that these devices did not need somebody to detonate them," Brennan said, adding that U.S. authorities continued to investigate.

Saturday, October 30, 2010

Bomb Plot Is Said to Contain ‘Hallmarks of Al Qaeda’

Via -

A day after two packages containing explosives, shipped from Yemen and addressed to synagogues in Chicago, were intercepted in Britain and Dubai, setting off a broad terrorism scare, Janet Napolitano, the secretary of Homeland Security, said that the plot “has the hallmarks of Al Qaeda.”


“I think we would agree with that, that it does contain all the hallmarks of Al Qaeda and in particular Al Qaeda A.P.,” she said, referring to Al Qaeda in the Arabian Peninsula.

Ms. Napolitano and the police in Dubai on Saturday confirmed that the bomb discovered in its country in cargo from Yemen bound for the United States contained the explosive PETN, the same chemical explosive in the bomb sewn into the underwear of the Nigerian man who tried to blow up an airliner over Detroit last Dec. 25. That plot, too, was hatched in Yemen, a country that is regarded as one of the most significant fronts in the battle with extremists.

The discovery on Friday of the explosives packed in toner cartridges for computer printers, based on a tip from Saudi intelligence officials, began an urgent hunt for other suspicious packages in the United States, Yemen and other countries.

According to The Associated Press, the Dubai police said that tests showed the printer cartridge also contained lead azide, an explosive compound that can be used in bomb detonators. British forensic officials on Saturday were examining the device found in their country, Reuters reported.


The white powder explosives discovered in Dubai were in the printer’s ink cartridge and were rigged to an electric circuit.

“The parcel was prepared in a professional way where a closed electrical circuit was connected to a mobile phone SIM card hidden inside the printer,” the Dubai police said, according to Reuters.

The statements released by the Dubai police followed information given by American officials on Friday. Representative Jane Harman, a California Democrat on the House Homeland Security Committee, had said that the packages seized in Britain and Dubai contained PETN, also known as pentaerythritol, a highly explosive substance.

Ms. Harman, who was briefed by John S. Pistole, administrator of the Transportation Security Administration, also said that both packages contained computer printer cartridges filled with the explosive, with one using a cellphone as a detonator and the other a timer.


British officials and security experts said they regarded the use of cargo planes to deliver explosives as a sinister, but predictable, new front in the war against terrorism. By using the freight aircraft as a new “delivery system,” they said, the militants appeared to have moved beyond reliance on suicide bombers boarding passenger planes, the method used in the Sept. 11 terrorist attacks and a succession of attempted attacks.

“This is a new dynamic,” said Sajjan M. Gohel, director for International Security for the London-based Asia-Pacific Foundation, an independent security and intelligence think tank. “Whenever security gaps are plugged, and the threat minimized, terrorist groups will find alternative means of striking their targets. If they can’t go for passenger aircraft, they go for cargo planes; and if they can’t go after cargo planes, they’ll go after another link in the chain.”

President Obama, in a brief national statement on Friday, praised the work of intelligence and counterterrorism officials in foiling the plot.


Lack of Cargo Screening Requirements Opens Door to Terrorists

Friday, October 29, 2010

Dumb Fuzzing - Flash Player Zero-day Vulnerability (CVE-2010-3654)

Via Fortinet Blog -

As indicated in our FortiGuard Advisory FGA-2010-53, an attack exploiting a critical zero-day vulnerability in Adobe Flash Player was found very recently roaming in the wild. Although the attack vector in the wild is a PDF file, it is a Flash Player vulnerability indeed (Adobe Reader embeds a Flash Player).

After analyzing the PDF sample, we do confirm that the core ActionScript in the embedded flash file, which triggers the exploit, is almost exactly the same as that of an example on, as Bugix Security guessed.

Almost? Indeed: the only difference lies in a single byte (at 0x494A, for those who’d like to make a signature based on that ;)), changed from 0x16 in the example to 0x07 in the exploit code:


Based on this, it is not extremely challenging to guess how the attacker discovered this 0day vulnerability: Simply by running a “dummy” fuzzer on basic flash files, as many bug hunters are doing. We had already noticed the same thing likely happened for CVE-2010-1297 and CVE-2010-2884.


The evidence presented by Bugix Security [and by Fortinet above] points to the attackers using the dumb fuzzing method on the legitimate flash file from

For those not familiar with dumb fuzzing, an attacker (or researcher) basically takes a legitimate valid file and then modifies it randomly (sometimes a single byte at a time) until a crash is produced, then those crashes are examined deeper for an exploitable vulnerability.
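Since the exploit SWF differs from the public example by one byte, a defender can turn that into a signature by diffing suspect files against a trusted reference. The following is an added example (not code from Fortinet or from the original post); the reference and sample byte strings are constructed stand-ins, not the real SWF files, and only the offset and byte values quoted above are taken from the write-up.

```python
"""Byte-level comparison of a suspect SWF against a known-good reference.

Added example, not Fortinet's or the original post's code.  The Fortinet
analysis found the exploit SWF differed from the public example by a
single byte (offset 0x494A: 0x16 -> 0x07).  This shows how to build a
detection signature from such a mutation and how to classify samples
against a trusted reference.  Reference and sample bytes are constructed.
"""
from __future__ import annotations

# Offset and byte values quoted in the Fortinet write-up.
KNOWN_OFFSET = 0x494A
KNOWN_ORIGINAL = 0x16
KNOWN_MUTATED = 0x07

# (offset, reference byte, mutated byte) -> label for a known bad variant.
KNOWN_MUTATIONS = {
    (KNOWN_OFFSET, KNOWN_ORIGINAL, KNOWN_MUTATED): "CVE-2010-3654 single-byte variant",
}


def diff_bytes(reference: bytes, sample: bytes) -> list[tuple[int, int | None, int | None]]:
    """Return every (offset, reference_byte, sample_byte) that differs.

    Offsets present in only one input are reported with None on the
    missing side, so a truncated or padded sample is visible as well.
    """
    diffs = []
    common = min(len(reference), len(sample))
    for off in range(common):
        if reference[off] != sample[off]:
            diffs.append((off, reference[off], sample[off]))
    for off in range(common, len(reference)):
        diffs.append((off, reference[off], None))
    for off in range(common, len(sample)):
        diffs.append((off, None, sample[off]))
    return diffs


def classify(reference: bytes, sample: bytes, max_fuzz_diffs: int = 8) -> str:
    """Label a sample relative to a trusted reference file.

    "identical"       - byte-for-byte the same as the reference
    "known-variant:*" - exactly the mutations recorded in KNOWN_MUTATIONS
    "mutated-copy"    - a handful of differing bytes, the shape a dumb
                        (random byte) fuzzer leaves behind
    "unrelated"       - too many differences to be a mutated copy
    """
    diffs = diff_bytes(reference, sample)
    if not diffs:
        return "identical"
    if all(d in KNOWN_MUTATIONS for d in diffs):
        labels = sorted({KNOWN_MUTATIONS[d] for d in diffs})
        return "known-variant:" + ";".join(labels)
    if len(diffs) <= max_fuzz_diffs:
        return "mutated-copy"
    return "unrelated"


def build_reference(size: int = 0x5000) -> bytes:
    """Constructed stand-in for the legitimate example SWF (deterministic pattern)."""
    data = bytearray((i * 31 + 7) & 0xFF for i in range(size))
    data[KNOWN_OFFSET] = KNOWN_ORIGINAL  # make the quoted offset match the write-up
    return bytes(data)


def build_exploit_like_sample(reference: bytes) -> bytes:
    """Constructed sample: the reference with only the quoted byte changed."""
    data = bytearray(reference)
    data[KNOWN_OFFSET] = KNOWN_MUTATED
    return bytes(data)


if __name__ == "__main__":
    ref = build_reference()
    sample = build_exploit_like_sample(ref)
    for off, a, b in diff_bytes(ref, sample):
        print(f"offset 0x{off:04X}: reference 0x{a:02X} -> sample 0x{b:02X}")
    print(classify(ref, sample))  # known-variant:CVE-2010-3654 single-byte variant
```

To use it on real files, read the known-good example and the SWF extracted from the PDF as bytes and pass them to `classify`; the offsets reported by `diff_bytes` are what a signature should key on.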

Possible AQAP Plot - 'Credible Terrorist Threat' Seen in U.S.-bound Packages

Via -

Two explosives-laden packages and other suspicious parcels aboard cargo jets, all originating from Yemen, 'underscore the necessity of remaining vigilant against terrorism,' President Obama says.

President Obama declared Friday that authorities had uncovered a "credible terrorist threat" against the United States after the overseas discovery of explosives in at least two U.S.-bound packages aboard cargo jets.

Discovery of the packages, addressed to Jewish organizations in Chicago, triggered a worldwide alert amid fears that Al Qaeda was attempting to carry out terrorist attacks. Authorities searched cargo planes and trucks in Philadelphia, New York and Newark, N.J., and were examining other packages addressed to the U.S. from Yemen, where the two containing explosives originated. More suspicious packages were discovered on UPS planes at the Philadelphia and Newark airports, the carrier said.

The events "underscore the necessity of remaining vigilant against terrorism," Obama said at a briefing Friday afternoon. He did not explicitly blame Al Qaeda but, referring to a Yemen-based branch of the terrorist network, said, "We also know that Al Qaeda in the Arabian Peninsula continues to plan attacks against our homeland, our citizens, and our friends and allies."


Intelligence officials have been concerned for months that Al Qaeda was changing tactics to focus less on spectacular attacks and more on small-scale strikes in the United States to sow fear and disrupt commerce, said a U.S. intelligence official speaking on condition of anonymity because he was not authorized to comment publicly.

All the packages in question were sent from Yemen to U.S. destinations. Bomb technicians searched numerous locations Friday, including UPS cargo hangars at Newark Liberty International Airport, the official said, who added that a UPS truck in Brooklyn also was searched.

The package examined in Britain contained a device that looked like a toner cartridge for a printer but had been altered with wires and a circuit board and had white powder coming out of it, CNN reported.

On its website, UPS said it was "working closely with authorities" after suspicious packages were found on its planes at the Philadelphia and Newark airports.

FedEx confirmed that local authorities, in cooperation with the FBI, had confiscated a suspicious package at its facility in the emirate of Dubai that originated in Yemen.

"As an additional safety measure, FedEx has embargoed all shipments originating from Yemen," said Maury Lane, spokesman for FedEx, the world's largest cargo airline.


A U.S. official said it is likely that the material used was PETN -- a highly explosive organic compound belonging to the same chemical family as nitroglycerin -- but said testing is ongoing to reach a definitive conclusion.

PETN was allegedly one of the components of the bomb concealed by Umar Farouk AbdulMutallab, who is accused of trying to set off an explosion aboard Northwest Airlines Flight 253 as it approached Detroit, Michigan, on December 25. Al Qaeda in the Arabian Peninsula is also believed to be behind that botched attack.

He [presidential counterterrorism advisor John Brennan] later issued a statement thanking Saudi Arabia, saying the United States is "grateful" for the country's help in identifying the threat within the two packages.

A source with firsthand knowledge of the tip told CNN that the Saudi Arabian government gave the United States tracking numbers of the two packages, allowing for quick tracing to the United Kingdom and Dubai.

Thursday, October 28, 2010

China's Tianhe-1A Takes Supercomputer Crown from US

Via The Guardian UK -

China has overtaken the US as home of the world's fastest supercomputer. Tianhe-1A, named for the Milky Way, is capable of sustained computing of 2.507 petaflops – equivalent to 2,507 trillion calculations – each second.

The US scientist who maintains the international rankings visited it last week and said he believed it was 1.4 times faster than the former number one, the Cray XT5 Jaguar in Oak Ridge, Tennessee. That topped the list in June with a rate of 1.75 petaflops a second.

The US is home to more than half of the world's top 500 supercomputers. China had 24 in the last list, but has pumped billions of pounds into developing its computational ability in recent years. The machines are used for everything from modelling climate change and studying the beginnings of the universe to assisting aeroplane design.

Housed in the northern port city of Tianjin, near Beijing, Tianhe-1A was developed by the National University of Defence Technology. The system was built from thousands of chips made by US firms – Intel and Nvidia – but domestic researchers developed the networking technology that allows information to be exchanged between servers at extraordinary speeds.


The NYT calculated that Tianhe-1 could perform mathematical operations about 29m times faster than one of the earliest supercomputers, built in 1976. Scientists in the US are already contemplating exascale computing – aiming to develop devices capable of performing a million trillion calculations a second.


If verified, Tianhe-1 would be significantly faster than the current title holder, the U.S. Department of Energy's Cray XT5 Jaguar in Oak Ridge, Tennessee, which topped the list issued in June at 1.75 petaflops per second.


So that's where all that rare-earth mineral went eh? ;)

Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat

A critical vulnerability exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems.

This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.

We are in the process of finalizing a fix for the issue and expect to provide an update for Flash Player 10.x for Windows, Macintosh, Linux, and Android by November 9, 2010. We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010.


Adobe Reader and Acrobat 9.x - Windows
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.


For background on the "in the wild" discovery, check out Mila's Contagio Malware Dump Blog....

Softpedia ran a story early this morning on the discovery and its associated malware with detection rates.

I have heard from trusted sources that this same vulnerability may have been seen in other attacks (delivered via PDFs in SE crafted e-mails) against high-value targets in the last week or so.

Microsoft Web Application Configuration Analyzer v1.0

Web Application Configuration Analyzer (WACA) analyzes server configuration for security best practices related to General Windows, IIS, ASP.NET and SQL Server settings.

Web Application Configuration Analyzer (WACA) is a tool that scans a server against a set of best practices recommended for pre-production servers. It can also be used by developers to ensure that their codebase works within a secure / hardened environment (although many of the checks are not as applicable for developers). The list of best practices is derived from the Microsoft Information Security & Risk Management Deployment Review Standards used internally at Microsoft to harden production and pre-production environments for line of business applications. The Deployment Review standards themselves were derived from content released by Microsoft Patterns & Practices, in particular: Improving Web Application Security: Threats and Countermeasures available at:

Here are some features of the tool:
  • Scan a server using more than 140 rules
  • Generate HTML based reports
  • Compare multiple scan results
  • Export results to Excel
  • Export results to Team Foundation Server


FYI - This tool does require credentials for the box being scanned.

Wednesday, October 27, 2010

Did the Dutch Police Break the Law Taking Down Bredolab?

Via PC World -

Dutch police took unprecedented action in taking down a botnet on Monday: They uploaded their own program to infected computers around the world, a move that likely violated computer crime laws.

The program causes a computer's Web browser to redirect to a special site set up by the Netherlands Police Agency, where users are informed their computer is infected with Bredolab, a password-stealing malicious software program.

Dutch police did that by taking command of 143 Web servers used to control computers infected with Bredolab. The servers belong to LeaseWeb, one of the top hosting providers in Europe, which was informed in August of the problem by police and other computer security experts, said Alex de Joode, LeaseWeb's security officer.

"For us, it's the first time we've seen something of this magnitude," de Joode said. "It's also the first time the police are trying to actively warn people that their computer is infected."


Botnets have been attacked by the good guys before, but end users were usually no better off: Their computers may still be infected with other malicious software, and PC owners may never know that their machines need to be scanned with security software. But many computer users are likely turning on their machines today and seeing the Web page from the Dutch police.

Most countries have laws that forbid unauthorized modification of a computer. In the U.K., the regulation is part of the Computer Misuse Act of 1990.

The action by the Dutch police is likely a breach of the Computer Misuse Act, said Struan Robertson, a technology lawyer with Pinsent Masons. Since the territorial scope of the legislation is wide, in theory it could be used against somebody in the Netherlands hacking into a U.K. computer, he said.

"There is no defense in the Computer Misuse Act for unauthorized access to another computer being for noble purposes," Robertson said. "That said, I think it is important to note it is unthinkable that anyone would prosecute for this," Robertson said. "They were making the best of a bad situation."


More on the Bredolab Botnet takedown...

According to a Dutch media report, a 27-year-old man suspected of running the Bredolab botnet has been arrested at Yerevan Airport in Armenia.


According to FireEye, at least one of the C&C servers was still active in Russia yesterday:


Boonana Trojan for Mac OS X & Windows Spreads via Social Media

Via -

SecureMac has discovered a new Trojan horse in the wild that affects Mac OS X, including Snow Leopard (OS X 10.6). The Trojan horse, Trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video. The Trojan is currently appearing as a link in messages on social networking sites with the subject "Is this you in this video?"

When a user clicks the infected link, the Trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system.

Additionally, the Trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system. While running, the Trojan horse hijacks user accounts to spread itself further via spam messages. Users have reported the Trojan is spreading through e-mail as well as social media sites.

The Java component of the Trojan horse is cross-platform, and includes other files that affect Mac OS X as well as Microsoft Windows. There have been reports of similar behavior in recent Trojan horses targeting Microsoft Windows, but they have not included cross-platform capabilities until now.

The Trojan attempts to hide its internet communications and actions through obfuscated code spread through multiple files, and will attempt to contact additional command servers if the primary servers are unavailable.

This Trojan horse is currently in the wild affecting users of both operating systems.

Users can protect themselves from infection by turning off Java in their web browser.

"This is a sobering reminder that hackers are turning their efforts toward Mac OS X as Apple's marketshare grows, and users should be vigilant in protecting their computers and taking precautions when surfing the web," said Nicholas Ptacek, a security researcher at SecureMac.

SecureMac has released a free removal tool to eliminate this threat, which can be downloaded by visiting or downloaded directly from

Monday, October 25, 2010

China Has Ability to Hijack U.S. Military Data, Report Says

Via -

China in the past year demonstrated it can direct Internet traffic, giving the nation the capability to exploit “hijacked” data from the U.S. military and other sources, according to a new report.

Recent actions raise questions that “China might seek intentionally to leverage these abilities to assert some level of control over the Internet,” according to excerpts from the final draft of an annual report by the U.S.-China Economic and Security Review Commission. “Any attempt to do this would likely be counter to the interests of the United States and other countries.”

On April 8, China Telecom Corp., the nation’s third-largest mobile-phone company, instructed U.S. and other foreign-based Internet servers to route traffic to Chinese servers, the report said. The 18-minute re-routing included traffic from the U.S. military, the Senate and the office of Defense Secretary Robert Gates.

“Although the commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data, incidents of this nature could have a number of serious implications,” the report said. The re-routing showed how data could be stolen and communications with websites could be disrupted, the report said.

Siemens Stuxnet Patch Does Not Provide Sufficient Protection

Via -

The Siemens SIMATIC Security Update for protecting WinCC systems against Stuxnet infections doesn't close the actual hole in the SQL server configuration. It only prevents the known Stuxnet variants from working. As IT forensics expert Oliver Sucker demonstrates (German language link) in a video, only a few steps are required to bypass the protection and regain full remote access to a WinCC system.

The issue is based around the hard-coded access data for the WinCC system's Microsoft SQL database. The Stuxnet worm uses this data to log into further systems from another infected system. There, it uses the integrated xp_cmdshell command shell to access the underlying Windows operating system at system privilege level from the database.

The SIMATIC update prevents the database from executing commands via xp_cmdshell by switching the pertaining configuration option from 1 to 0. According to Sucker, however, the privileges of the hard-coded WinCCAdmin database user are so comprehensive that an attacker can use a few trivial SQL commands to switch the setting back from 0 to 1 after logging in. This will re-enable the execution of commands via the command shell. Sucker has so far not disclosed the exact SQL commands required.

When asked by The H's associates at heise Security, Siemens refused to comment on the issue. Siemens spokesman Gerhard Stauss said in an email, "Our (latest) official statement to the effect that we are investigating ways of tightening authentication procedures remains in place". Until Siemens decides to improve its authentication by allowing the definition of custom access credentials, users can only hope that there will be no further Stuxnet variants or hacker attacks.


SCADA Vendors Still Need Security Wake Up Call

Speaking at the ToorCon Security Conference in San Diego, Jeremy Brown, a vulnerability researcher at security firm Tenable said that many SCADA software vendors lag far behind other IT firms in vulnerability research and lack even a basic awareness of modern security principles. Despite the recent, high profile Stuxnet worm, which made headlines around the world by targeting Siemens industrial control system (ICS) software used in power plants and other critical infrastructure, SCADA vendors are not receptive to vulnerability reports from security researchers and often lack the internal processes to properly handle and address vulnerabilities discovered by outside researchers, Brown said.

Friday, October 22, 2010

Wikileaks Hacked By “Very Skilled” Attackers Prior To Iraq Doc Release

Via (Firewall Blog) -

Someone is trying to spring a leak in Wikileaks.

As the whistle-blower organization prepared earlier this week for a Saturday press conference that some believe will announce a major release of secret data regarding the Iraq war, a staffer wrote Wednesday on the organization’s twitter feed that its “communications infrastructure is currently under attack,” adding the cryptic message “Project BO move to coms channel S. Activate Reston5.”

A Wikileaks source who asks to remain anonymous now says that the organization’s XMPP server in Amsterdam, used to host its encrypted instant messaging communications, was compromised earlier this week by an unknown attacker, and the chat service had to be relocated to another server in Germany. “The server got attacked, hacked, and the private keys got out,” says the source. “We needed new private keys. Now it’s back online and secure.”

The source added that the attack represented the first breach in Wikileaks’ history, and that “the people who are behind it are very skilled,” declining to comment further on the details of the hack.


Aside from digital sabotage, the site has also faced financial sniping. Wikileaks had one of its accounts frozen by the donation-collecting company Moneybookers, and claims the freeze was a result of the organization being placed on a U.S. government watchlist and an Australian government blacklist.

For whatever reason, the organization’s administrators have their guard up. On Tuesday, the site’s twitter feed recommended that followers copy the encrypted “insurance” file that it posted to the site in July.


WikiLeaks’ 400,000 Iraq War Documents Reveal Torture, Civilian Deaths

WikiLeaks Show WMD Hunt Continued in Iraq – With Surprising Results


For the Iraq War Logs, Wikileaks used a reverse approach to redaction (basically whitelisting). Everything in all reports was deemed harmful and redacted until proven otherwise, according to WikiLeaks' Kristinn Hrafnsson.

Mozilla Pays 12-year-old Boy for Firefox Security Bug

Via (San Jose, CA) -

It's safe to say a typical Willow Glen 12-year-old doesn't earn $3,000 for a couple of weeks' worth of work. Then again, Alex Miller is no typical 12-year-old.

Alex is a bug hunter, but the bugs he's uncovering are unlikely to end up in any entomological reference book. Instead, the bug Alex found was a valid critical security flaw buried in the Firefox web browser. For his discovery, he was awarded a $3,000 bug bounty by Mozilla, the parent company of Firefox.

Alex knows the value of bug bounties; he knows what other companies are offering, so when Mozilla upped its bug bounty from $500, he was motivated.


Alex is virtually self-taught, says his mother, Elissa Miller. Reading his parents' very technical books is not an assignment, it's something he just does; and he understands them. He has a "gift for the technical," Elissa says.

While some may contend that Alex spends too much time on the computer, Miller is quick to point out that he's not just playing games; what Alex is doing is learning.

"Clearly it's his passion," she says.

Alex has other interests, such as badminton and guitar. He's also learning Mandarin. And a smile breaks across his face as he recalls a quest to build a deadly robot in the Science Olympiad.

He can talk politics like a 40-year-old who's hooked on NPR news shows and enjoys a good debate. But there are reminders that he isn't yet old enough to vote.

"But you still have to do chores," Miller reminds him when he talks of his next debugging mission.

Until he produced a copy of the check from Mozilla, Alex says his friends didn't actually believe him when he told them about the money.


Spending the first $100 didn't take long; he made a donation to his neighbor's nonprofit organization, Unconditional Love Animal Rescue, which the Miller family also supports by fostering found kittens.

He very much wants a new computer, and since he says he's been pretty bad about it in the past, he plans to buy Christmas gifts for his family. The rest will stay put in the bank, where, if Alex gets his way, it will be joined by more bug bounty.


Here is the bug - MFSA 2010-65 (CVE-2010-3179)

Hat-tip to Charlie Miller and Dino A. Dai Zovi for spreading the story on Twitter.

DEF CON 18 Talks - Video is Live!

DEF CON 18 talks, with the speaker video and slides, have been processed and posted!

Information Warfare Monitor: RIM Monitoring Project

Recently a number of governments have threatened to ban Research in Motion’s BlackBerry services if the company does not make encrypted BlackBerry data and other content available to state authorities. A major concern of these regimes is that BlackBerry data can be encrypted and routed through servers located outside of their jurisdictions. Unconfirmed reports have circulated that RIM has made data sharing agreements with India, Saudi Arabia and the United Arab Emirates. Other countries are also requesting the company locate data centres within their jurisdictions.

The RIM Check Web site is a research project designed to gather information on how traffic exits the BlackBerry network depending on the country in which the user is located. The findings from this project will be published and made publicly available.

The project is being conducted by the Information Warfare Monitor and the Web site is maintained by the Citizen Lab at the Munk School of Global Affairs, University of Toronto.


In other UAE and Blackberry news....

Canadian BlackBerry maker Research In Motion (RIM) has signed a new agreement with the UAE's Telecommunications Regulatory Authority (TRA) and telecom service providers etisalat and du to enable advanced e-government services in the country.

Thursday, October 21, 2010

Data Browser Shows Views In Pakistan's Tribal Regions

This morning the Counterterrorism Strategy Initiative at the New America Foundation released, opening data from 1,000 face-to-face interviews across 120 villages in Pakistan's northwest Federally Administered Tribal Areas (FATA). The site is designed to let users quickly drill down and thin slice survey data and read agency-specific analysis from regional experts. This is the first comprehensive public opinion survey done in the region, and it is mashed with a mapping of 142 reported drone strikes in FATA through July 2010 to add additional context.

The architecture focuses on showing disaggregates for each of the seven agencies in FATA and breakouts for each survey question, allowing you to compare specific opinions across different agencies. Every response on both agency and question pages can be filtered by demographic data, gender, age, education, marital status, and income level.


The original survey was conducted from June 30 to July 20, 2010 and has a margin of error of +/- 3 percent. The full methodology is available on There you can also find details about how the drone strike data was gathered.

The site was launched this morning at the United States Institute of Peace by Peter Bergen, the co-director of the Counterterrorism Strategy Initiative at New America Foundation, the team that led the survey work.

ZeroDay: Adobe Shockwave Player rcsL Chunk Memory Corruption

Advisory Information

Title: Adobe Shockwave player rcsL chunk memory corruption
Version: Adobe Shockwave player (latest at time of writing)
Impact: Critical
Contact: shahin[at], info[at]
Twitter: @abysssec
CVE: ZeroDay Not Patched

Vulnerability Information

Class - Memory corruption allowing command execution
Impact - Successfully exploiting this issue allows remote attackers to execute arbitrary code or cause denial-of-service conditions.
Remotely Exploitable - Yes
Locally Exploitable - Yes


Shockwave Player is a browser plug-in for loading Adobe Director movies. Director movies are stored either as DIR files or in the compressed DCR format. The DIR format is RIFF-based: the file starts with a 4-byte RIFX identifier followed by the length of the file, and the rest of the file is a sequence of chunks, each consisting of a 4-byte chunk identifier, the chunk size and the chunk data. Some of the chunk identifiers are tSAC, pami and rcsL.

With the help of our simple fuzzer, we manipulated a Director movie file and found a vulnerability in part of an existing rcsL chunk.
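The container layout described above (4-byte identifier, 4-byte length, then chunks of identifier + size + data) is small enough to parse and mutate in a few dozen lines. The script below is an added example for this page; it is not code from the Abysssec advisory and reproduces neither their fuzzer nor the rcsL bug. It assumes, as the page does not say, that a RIFX magic means big-endian size fields and XFIR means little-endian, and that chunks are padded to an even length as in classic RIFF; the sample movie is constructed, not a real Director file. The parser checks every declared size against the bytes actually present, which is the check a vulnerable chunk handler skips, and the mutator corrupts only the payload so that the result still reaches the handler instead of being rejected at the container layer.

```python
"""Parse and mutate the RIFF-style container used by Director movies.

Added example for this page; it is not code from the Abysssec advisory and
reproduces neither their fuzzer nor the rcsL bug. Assumptions not stated on
the page: a 'RIFX' magic means big-endian size fields and 'XFIR' means
little-endian, and chunks are padded to an even length as in classic RIFF.
SAMPLE below is a constructed container, not a real Director movie.
"""
import random
import struct
from typing import List, Tuple

Chunk = Tuple[bytes, int, int]          # (chunk id, offset of payload, payload size)


def _byte_order(magic: bytes) -> str:
    """Map the container magic to a struct byte-order prefix (assumption)."""
    if magic == b"RIFX":
        return ">"
    if magic == b"XFIR":
        return "<"
    raise ValueError(f"not a RIFX/XFIR container: {magic!r}")


def parse_chunks(data: bytes) -> Tuple[bytes, List[Chunk]]:
    """Return (form type, chunk list) or raise ValueError on a bad container.

    Every declared size is checked against the bytes actually present; a
    parser that trusts the size field instead is where memory corruption
    of the kind described in the advisory begins.
    """
    if len(data) < 12:
        raise ValueError("truncated header")
    order = _byte_order(data[:4])
    (declared,) = struct.unpack(order + "I", data[4:8])
    if declared != len(data) - 8:
        raise ValueError(f"header says {declared} bytes follow, file has {len(data) - 8}")
    chunks: List[Chunk] = []
    pos = 12
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError(f"truncated chunk header at offset {pos}")
        cid = data[pos:pos + 4]
        (size,) = struct.unpack(order + "I", data[pos + 4:pos + 8])
        start = pos + 8
        if size > len(data) - start:
            raise ValueError(f"chunk {cid!r} at {pos} declares {size} bytes, only {len(data) - start} remain")
        chunks.append((cid, start, size))
        pos = start + size + (size & 1)   # skip the pad byte after an odd-sized payload
    return data[8:12], chunks


def is_well_formed(data: bytes) -> bool:
    """True when parse_chunks accepts the container."""
    try:
        parse_chunks(data)
        return True
    except ValueError:
        return False


def build_movie(form_type: bytes, payloads: List[Tuple[bytes, bytes]], big_endian: bool = True) -> bytes:
    """Assemble a container from (chunk id, payload) pairs."""
    order = ">" if big_endian else "<"
    body = bytearray(form_type)
    for cid, payload in payloads:
        body += cid + struct.pack(order + "I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    magic = b"RIFX" if big_endian else b"XFIR"
    return magic + struct.pack(order + "I", len(body)) + bytes(body)


def mutate_chunk(data: bytes, target: bytes, seed: int) -> bytes:
    """Corrupt the payload of one chunk while leaving every length field intact.

    Flips three random bits and plants one all-ones 32-bit field inside the
    target payload. Because sizes are untouched the result still parses, so it
    reaches the chunk handler rather than being rejected at the container layer.
    """
    _, chunks = parse_chunks(data)
    rng = random.Random(seed)
    out = bytearray(data)
    for cid, start, size in chunks:
        if cid != target or size < 4:
            continue
        for _ in range(3):
            out[rng.randrange(start, start + size)] ^= 1 << rng.randrange(8)
        field = rng.randrange(start, start + size - 3)
        out[field:field + 4] = b"\xff\xff\xff\xff"
        return bytes(out)
    raise KeyError(f"no {target!r} chunk with at least 4 payload bytes")


# Constructed sample carrying the chunk ids named in the advisory.
SAMPLE = build_movie(b"MV93", [
    (b"pami", b"\x00\x00\x00\x01"),
    (b"tSAC", b"ABC"),                          # odd length, exercises padding
    (b"rcsL", struct.pack(">IIII", 1, 2, 3, 4)),
])

if __name__ == "__main__":
    form, found = parse_chunks(SAMPLE)
    print(form, found)
    print(parse_chunks(mutate_chunk(SAMPLE, b"rcsL", seed=1))[1])
    print("truncated file accepted?", is_well_formed(SAMPLE[:-8]))
```

Running the mutator in a loop over seeds and feeding each output to the player under a debugger is the whole of a "simple fuzzer" of the kind the advisory mentions; the parser doubles as the triage step, since any crash on a file that is_well_formed accepts is a bug in a chunk handler rather than in container parsing.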


PS1: This vulnerability is not [the] patched bug released by ZDI


Offensive Security has released a high-quality PoC video (MP4) of the exploit, featuring music by Dual Core.

The video shows the "attacker" setting up a local netcat listener, then the "victim" navigates to a website and a specially-crafted (malicious) shockwave file is loaded into the Adobe Shockwave player (via the browser)...resulting in a command shell being pushed back to the attacker. pwnage. game, set, match.

FBI Warns Businesses About Bank Fraud Scams

Via -

The FBI is warning businesses about the rash of scams that attack crews are using to target their bank accounts and drain them. The scams themselves are nothing new, but the FBI says that they're becoming more prevalent and sophisticated as the attackers adjust their tactics.

The warning from the FBI is somewhat unusual in that it's rather specific and detailed in its description of the tactics the attackers are using to get access to the companies' accounts and the ways in which they're planting malware on their machines. The advisory, which was written with the help of some banking industry trade groups, warns companies about common tactics such as spear phishing and targeted drive-by downloads that install various pieces of malware on vulnerable machines.


The FBI's advice to business owners consists of simple, common-sense methods for preventing the infections and identifying financial fraud as quickly as possible:
  • Ignore attachments from unknown sources
  • Be aware of rogue AV and fake security software scams
  • Teach employees basic security practices
  • Keep a close watch on all accounts and keep detailed records on anything that looks odd
The advisory points out that attackers change their tactics often and that businesses need to remain aware of new developments.


While none of this is "new" to those of us in security, it is important that we educate and get the word out to those that are not, especially those in SMBs.

If you run a small / medium business or you know someone that does...this is information that you / they need.

Avalanche Gang Dumps Phishing for ZeuS

Via -

APWG [Anti-Phishing Working Group] says its researchers have found a change in the methods of criminals behind the Avalanche botnet, which accounted for two-thirds of all phishing attacks observed worldwide in late 2009, leading victims to fake Web sites and tricking them into handing over details.

The Avalanche infrastructure was involved in just four conventional phishing attacks in the month of July 2010. Instead, the syndicate ramped up a concerted campaign of crimeware propagation to fool victims into receiving the Zeus Trojan and infecting their PCs with it.


Report co-author Rod Rasmussen says: "While the cessation of phishing operations by the Avalanche phishing group is great news for the anti-phishing community, their shift to the nearly exclusive distribution of Zeus malware is an ominous development in the e-crime landscape. Their spamming and other activities to target victims continues at high levels, implying they are finding malware distribution a more effective and profitable tactic than traditional phishing."


Oct 18th - APWG Releases Global Phishing Survey: Domain Name Use and Trends in 1H2010

Wednesday, October 20, 2010

South Park Hatin’ Internet Jihadi to Plead Guilty

Via (Danger Room) -

Matt Parker and Trey Stone can exhale now. Zachary Adam Chesser, the 20-year old who threatened the two South Park creators online for depicting the prophet Mohammed in a bear costume, will plead guilty to supporting terrorism this afternoon in a Virginia court.

A prolific blogger, Chesser used handles like Abu Talhah and Abu Talhah al-Amrikee to encourage terror-sympathizers “to actually go and fight against the disbelievers” on a variety of blogs and message boards. Acting on his impulses, he attempted twice this year to travel to Somalia to join the Qaeda-affiliated al-Shabaab, but his online threats landed him on a no-fly list. FBI agents arrested him in July.

Now the Washington Post reports that Chesser will plead guilty this afternoon to providing material support to terrorists, making threats and other charges that could land him up to 15 years in jail. His wife was also charged with making false statements to investigators.


One thing Chesser isn’t charged with: threatening Parker and Stone. After South Park aired an April episode featuring a (never-shown) Mohammed in a bear costume, Chesser posted to RevolutionMuslim, "We have to warn Matt and Trey that what they are doing is stupid, and they will probably wind up like Theo van Gogh for airing this show," a reference to the Dutch filmmaker murdered in 2004 for making a documentary critical of Islam. "This is not a threat, but a warning of the reality of what will likely happen to them."

That and other statements earned Chesser frequent opprobrium and ridicule by the Jawa Report bloggers, who’ve trailblazed mockery of open-source jihadis. The Jawa post today about Chesser is comparatively understated, predicting that during the plea hearing today, “the ‘freakishly intelligent’ Mr. Chesser will continue to overestimate his ability to ‘handle’ the federal agents he is dealing with, and will suffer further negative consequences as a result.” Yesterday, they weren’t as gentle with Mrs. Chesser, and celebrated news of the forthcoming guilty plea with an animated .gif of a dancing MC Hammer.

PinDr0p - Voice-Routing Call Fingerprint System Fights 'Vishing'

Via The Register UK -

Security researchers in the States say they have developed a cunning new method of "fingerprinting" voice calls that could offer a route to trustworthy caller ID and a barrier against so-called "vishing" or voice phishing.

The tool is called PinDr0p, and works by analysing the various characteristic noise artifacts left in audio by the different types of voice network - cellular, VoIP etc. For instance, packet loss leaves tiny gaps in audio signals, too brief for the human ear to detect, but quite perceptible to the PinDr0p algorithms. Vishers and others wishing to avoid giving away the origin of a call will often route a call through multiple different network types.


According to the system's inventors, there's no way for vishers or other voicey villains to eliminate the traces a given system of call routing leaves in the audio eventually received at the other end.

“They’re not able to add the kind of noise we’re looking for to make them sound like somebody else,” says Patrick Traynor, GIT compsci prof. “There’s no way for a caller to reduce packet loss. There’s no way for them to say to the cellular network, ‘Make my sound quality better.’”

The PinDr0p analysis can't produce an IP address or geographical location for a given caller, but once it has a few calls via a given route, it can subsequently recognise further calls via the same route with a high degree of accuracy: 97.5 per cent following three calls and almost 100 per cent after five.

Naturally a visher can change routings easily, but even so PinDr0p can potentially reveal details that will reveal a given call as being false. A call which has passed through a Russian cell network and P2P VoIP is unlikely to really be from your high-street bank in the UK, for instance.

The GIT researchers hope to develop a database of different signatures which would let their system provide a geolocation as well as routing information in time.


The PinDr0p research was funded by the US National Science Foundation. There's a statement on it here.

Tuesday, October 19, 2010

React Faster and Better: Introduction

Via Securosis Research Blog -

Over the past year, as an industry we have come to realize that we are dealing with different adversaries using different attack techniques with different goals. Yes, the folks looking for financial gain by compromising devices are still out there. But add a well-funded, potentially state-sponsored, persistent and patient adversary to the mix, and we need to draw a new conclusion. Basically, we now must assume our networks and systems are compromised. That is a tough realization, but any other conclusion doesn't really jibe with reality, or at least the reality of everyone we talk to.

For a number of years, we've been calling bunk on the concept of "getting ahead of the threat" -- most of the things viewed as proactive. Anyone trying to take such action has been disappointed by their ability to stop attacks, regardless of how much money or political capital they expended to drive change. Basing our entire security strategy on the belief that we can stop attacks if we just spend enough, tune enough, or comply enough is no longer credible -- if it ever was. We need to change our definition of success from stopping an attack (which would be nice, but isn't always practical) to reacting faster and better to attacks, and containing the damage.

We're not saying you should give up on trying to prevent attacks -- but place as much (or more) emphasis on detecting, responding to, and mitigating them. This has been a common theme in Securosis research since the beginning, and now we will document exactly what that means and how to get there.


So in the first part of this new series, we will talk about the data collection infrastructure you should be thinking about, what kind of organizational model allows you to react faster, and what to do before the attack is detected. If you know you are being attacked, you are already ahead of the vast majority of companies out there. But what then?


Once you understand you are under attack, then your incident response process needs to kick in. Most organizations do this poorly because they have neither the process nor the skills to figure out what's happening and do something useful about it. Many organizations have a documented incident response program, but that doesn't mean it's effective or that the organization has embraced what it really means to respond to an incident. And this is about much more than just tools and flowcharts. Unless the process is well established and somewhat second nature, it will fail under duress -- which is the definition of an incident.


We'll also discuss the current state of threat management tools, including SIEM, IDS/IPS, and network packet capture, to define their place in our approach. Finally we consider how network security is evolving and what kind of architectural constructs you should be thinking about as you revisit your data collection and defensive strategies.

At the end of this series you will have a good overview of how to deal with all sorts of threats and a high level process for identifying the issues, containing the damage, and using the feedback loop to ensure you don't make the same mistakes again. That's the plan, anyway.

Monday, October 18, 2010

Great Aussie Firewall - ACMA Blocks More Sites

Via The Register UK -

Internet censorship in Australia is once more on a roll, with more online content than ever coming up for a ban. It seems the Prime Minister, Julia Gillard, has decided that the great firewall is neither a political nor a technical issue, but a moral one.

First off, according to a report this week in The Australian, the amount of online content referred to the Australian Classification Board for a ruling by the Australian Communications and Media Authority (ACMA) more than tripled - up from 77 referrals in 2008-9 to 258 in 2009-10. This year, more than five times as many URLs were banned as last year - the figures went from 14 last year to 78 in this.

The figures came to light this week in a session before the Senate Communications Committee, in which ACMA also revealed that in respect of 2,892 complaints about 3,441 different online content items, it decided to take some action in relation to 1,767 items.

Exploit Kit Intelligence

Mila Parkour over at the Contagio Blog has released update 7 of her "Overview of Exploit Packs" spreadsheet. This spreadsheet pulls together information from various locations and outlines which exploits are being used by various exploit kits (including slang / abbreviated names of exploits with CVEs).

An Overview of Exploit Packs (Update 7) XLS

Technical Analysis of the Windows Win32K.sys Keyboard Layout Stuxnet Exploit

This time we will share very interesting technical details on how Stuxnet authors have achieved reliable code execution while exploiting one of the two Windows privilege escalation 0-Day vulnerabilities. This one was patched last week with the MS10-073 update, and a remaining Task Scheduler vulnerability is still unpatched.

While we deeply analyzed Stuxnet and its behaviors, we will not explain its architecture or features as two detailed documents have already been published by our friends from Symantec and ESET.

We will focus here on the Windows Win32K.sys keyboard layout vulnerability (CVE-2010-2743) and how it was exploited by Stuxnet using custom Portable Executable (PE) parsing tricks to achieve a reliable code execution.


The Stuxnet developers did a fair amount of work to ensure the exploit worked on all service pack versions of Windows 2000 and Windows XP.

ESET has updated their "Stuxnet under the Microscope” whitepaper to include information about the recently-patched win32k.sys vulnerability (MS10-073, or CVE-2010-2743), and just a little about the Task Scheduler issue that hasn't been patched yet.

Dave Aitel, CTO of Immunity, wrote to inform me that the still-unpatched Task Scheduler 0day was released in the latest version of CANVAS, along with an improved version of the Win32K.sys keyboard exploit. He stated that the "ESET paper does not really go into the details of making it reliable on cross-language versions, which STUXNET did do."

Microsoft Releases New Regex Fuzzer

Via -

Microsoft has released a new fuzzing tool designed specifically to find mistakes in regular expressions in application code that could be vulnerable to attack. The SDL Regex Fuzzer identifies problematic lines that might cause an application to be susceptible to attacks that consume huge amounts of resources and cause denial-of-service conditions.

The new fuzzer is meant to be used specifically to find vulnerable regular expressions in application code that could lead to a special kind of attack known as a ReDoS. Microsoft officials say that as more and more applications are moved to cloud providers, attackers will begin to focus their attention on those applications in new and profitable ways.

"I’ve predicted before that as cloud computing gains wider adoption, we’ll start to see a significant increase in denial of service (DoS) attacks against those services. When you’re paying for the processor time, bandwidth and storage that your applications use, attacks that explicitly target and consume those resources can get very expensive very quickly, not to mention the costs of downtime for legitimate users. Attackers will shift from pursuing elusive privilege elevation vulnerabilities to simply blackmailing SaaS providers: pay me $10,000 or I’ll make your app consume $20,000 worth of server resources," Microsoft's Bryan Sullivan wrote in a blog post explaining the SDL Regex Fuzzer.

As Sullivan explains in an article on the problem from earlier this year, a small change to an input string can cause major problems for a regular expression engine.
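The failure mode Sullivan describes, a near-miss input that sends a backtracking engine into exponential work, can be probed without any special tooling. The script below is an added example for this page; it is not Microsoft's SDL Regex Fuzzer and does not reproduce its algorithm. It applies the idea above directly: build inputs that satisfy the repeated part of a pattern and then fail at the last character, grow them a few characters at a time, and compare how matching time scales. The vulnerable pattern, its hardened rewrite and the inputs are all constructed for the example.

```python
"""Time-based probe for regular expressions prone to catastrophic backtracking.

Added example for this page; it is not Microsoft's SDL Regex Fuzzer and does
not reproduce its algorithm. It applies the idea described above: feed the
pattern inputs that almost match, grow them a few characters at a time and
watch how matching time scales. The patterns and inputs below are constructed.
"""
import re
import timeit
from typing import List, Sequence, Tuple


def almost_matching_inputs(seed: str, tail: str, sizes: Sequence[int]) -> List[str]:
    """Inputs that satisfy the repeated part of a pattern, then fail at the end.

    Against ^(a+)+$ the string 'aaaa...!' makes a backtracking engine try every
    way of splitting the a's between the two quantifiers before it gives up.
    """
    return [seed * n + tail for n in sizes]


def time_match(pattern: re.Pattern, text: str, repeats: int = 7) -> float:
    """Best-of-N wall-clock seconds for a single match attempt."""
    return min(timeit.repeat(lambda: pattern.match(text), number=1, repeat=repeats))


def growth_profile(regex: str, seed: str, tail: str,
                   sizes: Sequence[int] = (6, 8, 10, 12, 14, 16)) -> List[Tuple[int, float]]:
    """(input length, seconds) pairs for progressively longer near-miss inputs."""
    pattern = re.compile(regex)
    return [(len(text), time_match(pattern, text))
            for text in almost_matching_inputs(seed, tail, sizes)]


def is_redos_prone(regex: str, seed: str, tail: str, threshold: float = 30.0) -> bool:
    """Flag a pattern whose matching time grows far faster than its input.

    From 6 to 16 repeats the input grows by under 3x. A linear engine run grows
    by about that factor; a pattern with nested quantifiers grows by roughly
    2^10, so a ratio above the threshold is a ReDoS signal, not timing noise.
    """
    profile = growth_profile(regex, seed, tail)
    first, last = profile[0][1], profile[-1][1]
    return last / max(first, 1e-9) > threshold


# Constructed pair: the nested quantifier is the defect; the rewrite accepts
# exactly the same strings without the ambiguity that drives backtracking.
VULNERABLE = r"^(a+)+$"
HARDENED = r"^a+$"

if __name__ == "__main__":
    for name, regex in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, "ReDoS prone:", is_redos_prone(regex, "a", "!"))
        for length, secs in growth_profile(regex, "a", "!"):
            print(f"  len={length:3d}  {secs * 1e6:10.1f} us")
```

The sizes stop at 16 repeats deliberately: each extra character roughly doubles the vulnerable pattern's running time, so a probe that keeps growing the input will hang on exactly the regexes it is meant to find. Measuring the growth ratio rather than an absolute time also keeps the verdict stable across machines.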


Microsoft Download Center - SDL Regex Fuzzer

Al-Shabab Order Ban on Mobile Phone Money Transfers in Somalia

Via BBC -

Somali Islamist group al-Shabab has ordered mobile phone companies to stop their popular money transfer services, saying they are "unIslamic".

Mobile phone banking was introduced in the northern Somaliland region in 2009 and has now spread across the country.

Al-Shabab and its allies control much of southern Somalia and one mobile phone company official said he had "no option but to obey" the order.

Despite years of conflict, Somalia's telecommunications sector is thriving.

Mobile phones are a common sight in the capital, Mogadishu, and three companies currently offer mobile phone banking.

But the al-Qaeda linked group has given them three months to stop.

Al-Shabab says mobile phone banking could expose Somalia to interference by Western countries, through the international partners of the Somali telecommunications firms.

Some observers believe the ban is intended to fend off a threat to the business of traditional money transfer systems, known as hawala, which al-Shabab can influence more easily, reports the AFP news agency.

The hundreds of thousands of Somalis living abroad use hawala and mobile phone banking to send money back to relatives still in the country.

This is one of the country's main sources of income, estimated to be worth some $1bn (£660m) a year.

Somali journalist Mohamed Sheikh Nor told the BBC that people like mobile phone money transfers as it means they do not have to carry around large amounts of cash.

Instead, mobile phone credits can be used to pay for goods and services.

One Mogadishu resident told the BBC he was very disappointed by the ban.

"This is the sole lifeline of the whole economy - the service was so useful to both poor and rich people," he said.

Somalia has not had a stable government since 1991.

The UN-backed authority only controls parts of Mogadishu and a few other areas, although it has been gaining ground from al-Shabab in recent weeks.

It has strongly condemned the ban and urged businesses to help it against al-Shabab.

Photo of the Day - A North Korean Anniversary and Debut

North Korean soldiers smile before a parade to commemorate the 65th anniversary of the founding of the Workers' Party of Korea in Pyongyang October 10, 2010. (REUTERS/Petar Kujundzic) 


Check out this photo and many others (including photos of Kim Jong Un) @

Newly Discovered Evasion Method For Targeted Attacks Silently Bypasses Network, Application Security

Via -

CERT-Finland has reported a newly discovered technique that evades network and security devices -- namely IDS/IPS systems, but could also work against network firewalls and Web application firewalls -- and lets attackers sneak in and conduct targeted attacks against an enterprise network.

The threat, which was discovered by researchers at Stonesoft's Helsinki labs, is based on vulnerabilities inherent in several vendors' IDS/IPS products, according to CERT-Finland, which has alerted the affected IDS/IPS vendors. The names of the vendors and their products have not been released publicly.

Jussi Eronen, head of vulnerability coordination at CERT-FI, says the agency, which first issued an alert on the threat on October 4, will update its vulnerability alert today.


ICSA Labs has verified the attack and is also sounding the alarm about the risk to enterprises. Jack Walsh, intrusion detection and prevention program manager at ICSA Labs, says it could take some time for network security vendors to add protection for this attack to their products, thus leaving enterprises at risk until those patches become available. IDS/IPSes, firewalls, next-generation firewalls, and Web application firewalls are most at risk of this evasion technique, he says.


Some vendors may need to re-architect their products to fix this, while others may have to patch or build in protections, ICSA's Walsh says.

Meanwhile, CERT-Finland's Eronen wouldn't provide details of the products known to be affected thus far or their weaknesses that allow for the attack since coordination among the vendors is still under way.

"If [targeted] networks have systems that are for some reason left unpatched -- legacy systems, no supported patches available, compliance does not allow for any system modification, just to name a few possible reasons -- and IDS/IPS systems are employed as virtual patches, then these systems are particularly vulnerable to attacks using evasion techniques," Eronen says.

Adobe Reader X Preview - Release Expected Next Month

Today Adobe is announcing the new Acrobat X Family of Products which includes Adobe Reader X as well as Acrobat X Suite, Acrobat X Pro, and Acrobat X Standard. Reader X will be available for download next month and we want to give you a preview of the valuable new features you can expect.


Adobe's new Protected Mode, which will be included and enabled (by default) in Reader X, is one of the features everyone in security has been waiting to see.

This first release will sandbox all “write” calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. However, in future releases of Adobe Reader, Adobe plans on extending the sandbox to include read-only activities to protect against attackers seeking to read sensitive information on the user’s computer.

Saturday, October 16, 2010

U.S. Had Warnings on Plotter of Mumbai Attack

Via -

Less than a year before terrorists killed at least 163 people in Mumbai, India, a young Moroccan woman went to American authorities in Pakistan to warn them that she believed her husband, David Headley, was plotting an attack.

It was not the first time American law enforcement authorities were warned about Mr. Headley, a longtime informer in Pakistan for the United States Drug Enforcement Administration whose roots in Pakistan and the United States allowed him to move easily in both worlds.

Two years earlier, in 2005, an American woman who was also married to the 50-year-old Mr. Headley told federal investigators in New York that she believed he was a member of the militant group Lashkar-e-Taiba created and sponsored by Pakistan’s powerful intelligence agency.

Despite those warnings by two of his three wives, Mr. Headley roamed far and wide on Lashkar’s behalf between 2002 and 2009, receiving training in small-caliber weapons and countersurveillance, scouting targets for attack, and building a network of connections that extended from Chicago to Pakistan’s lawless northwestern frontier.

Then in 2008, it was his handiwork as chief reconnaissance scout that set the stage for Lashkar’s strike against Mumbai, an assault intended to provoke a conflict between nuclear-armed adversaries, Pakistan and India.


Federal officials say that the State Department and the F.B.I. investigated the warnings they received about Mr. Headley at the time, but that they could not confirm any connections between him and Lashkar-e-Taiba. D.E.A. officials have said they ended their association with him at the end of 2001, at least two months before Mr. Headley reportedly attended his first terrorist training. But some Indian officials say they suspect that Mr. Headley’s contacts with the American drug agency lasted much longer.

The investigative news organization ProPublica reported the 2005 warning from Mr. Headley’s American ex-wife on its Web site and in the Saturday issue of The Washington Post. By ProPublica’s account, she told authorities that Mr. Headley boasted about working as an American informant while he trained with Lashkar.

On Saturday, Mike Hammer, a spokesman for the National Security Council, said, “The United States regularly provided threat information to Indian officials in 2008.” He added, “Had we known about the timing and other specifics related to the Mumbai attacks, we would have immediately shared those details with the government of India.”


Hindsight might be 20/20 but foresight is blind as a bat.

Ok, maybe not that blind...but predicting the future with just bits of information here and there isn't easy.

Friday, October 15, 2010

Win32k.sys: A Patched Stuxnet Exploit

Via ESET Threat Blog -

While the LNK vulnerability patched by MS10-046 dominated the headlines when the Stuxnet carnival started rolling back in early summer 2010, one of the surprises of further analysis of the Stuxnet binaries/components is that it exploited no less than three other vulnerabilities that were generally unknown at the time. The print spooler attack (MS10-061) is, like the LNK vulnerability, described in our lengthy analysis “Stuxnet under the Microscope”.

However, we also indicated in that paper that there are two Elevation of Privilege (EoP) vulnerabilities that we chose not to describe while patches were pending. One of these has now been patched (MS10-073, re CVE-2010-2743), so we’re now able to publish some of the information we have on it. (When the other vulnerability has been patched, we plan to update the Stuxnet paper with information on both issues.)

When the Win32/Stuxnet worm doesn't have enough privileges to install itself in the system it exploits a recently patched 0-day vulnerability in the win32k.sys system module to escalate privilege level up to SYSTEM, which enables it to perform any tasks it likes on the local machine. The vulnerable systems are:

  • Microsoft Windows 2000
  • Windows XP – all service packs

To perform this trick, it loads a specially crafted keyboard layout file, making it possible to execute arbitrary code with SYSTEM privileges.


So what is the other, still unpatched, privilege escalation bug?

Symantec's Stuxnet Dossier hinted at both EOP bugs in Page 10 (Installation)....

When the process does not have Administrator rights on the system it will try to attain these privileges by using one of two zero-day escalation of privilege attacks. The attack vector used is based on the operating system of the compromised computer. If the operating system is Windows Vista, Windows 7, or Windows Server 2008 R2 the currently undisclosed Task Scheduler Escalation of Privilege vulnerability is exploited. If the operating system is Windows XP the currently undisclosed win32k.sys escalation of privilege vulnerability is exploited.

Thursday, October 14, 2010

Pakistan: Plot to Kill Prime Minister

Via -

The Pakistani police arrested a group accused of plotting to kill the prime minister and several senior government figures, security officials said Thursday. The seven suspects who were arrested on Wednesday night after a shootout near the eastern city of Bahawalpur belong to the Sunni militant group Lashkar-e-Jhangvi. “They had plans to blow up an explosive-laden vehicle near the house of Prime Minister Yousaf Raza Gilani in Multan when he was visiting there,” said a security official in Bahawalpur, referring to the ancestral residence of Mr. Gilani in a nearby city in Punjab Province. The police said in a statement that the militants had plotted to kill Mr. Gilani, Foreign Minister Shah Mehmood Qureshi and other senior officials.


Lashkar-e-Jhangvi (LJ) has ties to the Taliban, the Islamic Movement of Uzbekistan (IMU), Sipahe-Sahaba, Ahlesunnat Wal Jamat (new name of Sipahe-Sahaba), Jamiat Ulamae-Islam, Tehreek Tahaffuze-Khatme Nabuwwat, various local establishments and loosely to al-Qaeda. The Government of Pakistan designated the LJ a terrorist organization in August 2001, and the U.S. classified it as a Foreign Terrorist Organization under U.S. law in January 2003.

Facebook Users Can No Longer Delete Chat History

Via -

It's starting to feel like anyone with anything to hide needs to find better hiding spots. For instance, people trying to keep their Facebook chats from prying eyes best find another IM program, because they can no longer erase chat history.

I discovered this while chatting the other day. Anyone who's ever IM'd knows those conversations can go all over the place, and frankly, I like to think of each conversation as a fresh start.

Nick O'Neill on AllFacebook also noticed, and linked to a forum where there are 132 posts complaining about the removal of the popular feature.

Sheesh, what's with this need to keep things? We just found out yesterday "deleted" photos stay on Facebook servers far longer than we ever would have imagined. Now, we find out conversations linger, too.

It used to be there, under the thumbnail of your profile pic, in the chat box, a link that said, "Clear Chat History." It's been a feature since Facebook launched its chat program in April 2008. Now, our profile pics follow us on the chat as our avatars instead of our first names and that link is gone, to the great consternation of some Facebook users.


Instead of using Facebook chat, I would suggest using Pidgin on Windows along with the Off-the-Record (OTR) plugin.

OTR uses a combination of the AES symmetric-key algorithm, the Diffie-Hellman (DH) key exchange, and the SHA-1 hash function to provide authentication, encryption, perfect forward secrecy and malleable encryption (aka deniability).

For users that prefer Apple OS, check out Adium. Like Pidgin, it supports multiple IM networks and supports OTR out of the box - no additional plugin required.
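To make concrete how the primitives listed above fit together, here is an added example in Go. It is written for this page and is not OTR's own code or wire format: it performs an ephemeral Diffie-Hellman exchange in the 1536-bit MODP group of RFC 3526 (the group OTR uses), derives an AES-128 key and an HMAC-SHA1 key from the shared secret with SHA-1 (simplified from OTR's derivation), seals a message with AES in counter mode plus the MAC, and then shows the deniability property: once a party reveals a used MAC key, anyone can produce a message that still verifies, so the MAC proves nothing to a third party. The function names (dhKeypair, deriveKeys, seal, open, forge) and the message layout iv || ciphertext || tag are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"math/big"
)

// The 1536-bit MODP group of RFC 3526 (group 5), generator 2; OTR runs its
// Diffie-Hellman exchange in this group. Transcribed from the RFC.
var modp1536, _ = new(big.Int).SetString(
	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"+
		"020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"+
		"4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"+
		"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"+
		"98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"+
		"9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16)
var generator = big.NewInt(2)

// sessionKeys are the per-session secrets derived from one DH exchange.
type sessionKeys struct {
	encKey []byte // AES-128 key
	macKey []byte // HMAC-SHA1 key, itself SHA-1(encKey) as in OTR
}

// dhKeypair draws a fresh ephemeral exponent. One pair per session is what
// buys forward secrecy: no long-lived key ever protects the traffic itself.
func dhKeypair() (priv, pub *big.Int, err error) {
	priv, err = rand.Int(rand.Reader, modp1536)
	if err != nil {
		return nil, nil, err
	}
	return priv, new(big.Int).Exp(generator, priv, modp1536), nil
}

// deriveKeys hashes the DH shared secret with SHA-1 into an encryption key,
// then hashes that key again for the MAC key (simplified OTR derivation).
func deriveKeys(priv, peerPub *big.Int) sessionKeys {
	secret := new(big.Int).Exp(peerPub, priv, modp1536).Bytes()
	h := sha1.Sum(secret)
	enc := h[:16]
	m := sha1.Sum(enc)
	return sessionKeys{encKey: enc, macKey: m[:]}
}

// seal encrypts with AES-128-CTR under a random IV and appends HMAC-SHA1 over
// iv||ciphertext. Layout: iv (16) || ciphertext || tag (20).
func seal(k sessionKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	mac := hmac.New(sha1.New, k.macKey)
	body := append(iv, ct...)
	mac.Write(body)
	return mac.Sum(body), nil
}

// open checks the tag in constant time before decrypting; a bad tag yields ok=false.
func open(k sessionKeys, msg []byte) (plaintext []byte, ok bool) {
	if len(msg) < aes.BlockSize+sha1.Size {
		return nil, false
	}
	body, tag := msg[:len(msg)-sha1.Size], msg[len(msg)-sha1.Size:]
	mac := hmac.New(sha1.New, k.macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, false
	}
	block, err := aes.NewCipher(k.encKey)
	if err != nil {
		return nil, false
	}
	plaintext = make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(plaintext, body[aes.BlockSize:])
	return plaintext, true
}

// forge shows "malleable encryption": with a revealed MAC key anyone can flip
// plaintext bits of a CTR ciphertext (xor delta at pos) and re-tag the result.
func forge(revealedMACKey, msg []byte, pos int, delta byte) []byte {
	body := append([]byte(nil), msg[:len(msg)-sha1.Size]...)
	body[aes.BlockSize+pos] ^= delta
	mac := hmac.New(sha1.New, revealedMACKey)
	mac.Write(body)
	return mac.Sum(body)
}

func main() {
	aPriv, aPub, _ := dhKeypair()
	bPriv, bPub, _ := dhKeypair()
	alice, bob := deriveKeys(aPriv, bPub), deriveKeys(bPriv, aPub)
	msg, _ := seal(alice, []byte("hello"))
	pt, ok := open(bob, msg)
	fmt.Printf("bob reads %q (authentic=%v)\n", pt, ok)
	// After the session Alice publishes her MAC key: a verifying tag no longer
	// proves to anyone else that Alice wrote the message.
	pt, ok = open(bob, forge(alice.macKey, msg, 0, 'h'^'j'))
	fmt.Printf("forged copy reads %q (verifies=%v)\n", pt, ok)
}
```

Within the session Bob can trust the tag because only the two of them hold the MAC key; that is why the key is only published after it will never be used again. The same malleability that makes deniability work is why OTR authenticates every message with the MAC before anything is decrypted.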

STRATFOR Dispatch: Insight on the U.S.-Mexico Border Killings

VP of Intelligence Fred Burton discusses exclusive STRATFOR intelligence about the role of Mexican drug cartels in the murder of an American at a border lake on Sep. 30 and a Mexican police officer investigating the killing.


Mexican Investigator Searching for Killers of American David Hartley Is Decapitated

Microsoft Security Intelligence Report (SIR) - Volume 9

The Microsoft Security Intelligence Report (SIR) is a comprehensive evaluation of the evolving threat landscape and trends. The information can help you make sound risk-management decisions and identify potential adjustments to your security posture. Data is received from more than 600 million systems worldwide and internet services.

Volume 9 of the Security Intelligence Report covers the first half of 2010 (January 1 - June 30) and is divided into five sections:

  • Featured Intelligence for Volume 9 focuses on botnets and how to combat the threat.
  • Key Findings reveals data and trends analysis captured by Microsoft security analysts.
  • Reference Guide provides definitions for discussion points covered in the Key Findings.
  • Managing Risk recommends techniques to protect your organization, software, and people.
  • Global Threat Assessment looks at botnet and malware infection rates worldwide.

Wednesday, October 13, 2010

US Government Discovers 1,000 More Data Centers

Via -

The U.S. government has 2,094 data centers, nearly 1,000 more than previous estimates, according to an updated inventory by federal agencies. The finding underscores the scope of the challenge facing the Obama administration as it seeks to streamline the government’s IT infrastructure.

For months, Federal CIO Vivek Kundra has cited the existence of 1,100 federal data centers as evidence of government waste and inefficiency. Kundra has repeatedly used this data point to drive home the need for a major data center consolidation that will consolidate servers and drastically reduce the number of U.S. government facilities.

It turns out Kundra was massively underestimating the extent of the redundancy. The new total was included in a memo from Kundra and Department of Homeland Security CIO Richard Spires, who is coordinating the government consolidation effort.

How could the government lose track of 1,000 data centers? It’s not uncommon for consolidation-related inventories to uncover more servers and IT rooms than expected. The U.S. government’s effort looms as the largest data center consolidation in history, so the disconnect between initial estimates and the final count was equally epic.

The process defined a data center as any room larger than 500 square feet dedicated to data processing that meets one of the four tier classifications defined by The Uptime Institute.

Which agencies have the most data centers? Not surprisingly, those with the most distributed operations:

  • Department of Defense (772)
  • State Department (361)
  • Department of the Interior (210)
  • Health and Human Services (185)
  • Department of Education (89)
  • Veteran’s Administration (87)

The plans and budgets submitted by federal agencies are being reviewed by the administration and the Office of Management and Budget (OMB), with a goal of approving final plans by Dec. 31. The process got underway back in March, when Kundra directed federal agencies to prepare an inventory of their IT assets by April 30 and submit a preliminary data center consolidation plan by Aug. 31.

Facebook Offers One-Time Passwords via Text Message

Via CNET -

Facebook added several new security features today, including the ability for people to request a one-time password for use on public computers.

When using a computer on which you don't want to type in your regular password you can now request a one-time password by texting "otp" to 32665 from a mobile phone. You have to have already confirmed that the phone is yours on your Facebook account. The one-time password will expire after 20 minutes, the company said in a blog post.
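As an added example of what the server side of such a feature has to get right (my code, not Facebook's), here is a small Go service that mirrors the rules in the paragraph above: a code is only issued to an account that has already confirmed a phone number, it is valid for 20 minutes, and it can be used once. The service keeps only a SHA-256 hash of the code, compares in constant time, and takes the current time as a parameter so expiry can be tested. The names (OTPService, ConfirmPhone, Issue, Verify), the 8-character alphabet and the single-attempt policy are assumptions of this example; the actual SMS send is stood in for by returning the confirmed number the code must be texted to.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

const (
	otpLifetime = 20 * time.Minute // the expiry quoted in the announcement
	otpLength   = 8
	// Alphabet without 0/O and 1/I, so a code read off a phone is typed correctly.
	otpAlphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
)

type otpRecord struct {
	hash    [sha256.Size]byte // only the hash is stored, never the live code
	expires time.Time
}

// OTPService is an in-memory stand-in for the account store (constructed for
// this example).
type OTPService struct {
	mu      sync.Mutex
	phones  map[string]string    // account -> confirmed phone number
	pending map[string]otpRecord // account -> currently valid one-time password
}

func NewOTPService() *OTPService {
	return &OTPService{phones: map[string]string{}, pending: map[string]otpRecord{}}
}

// ConfirmPhone records a phone number the user has already proven they own.
func (s *OTPService) ConfirmPhone(account, phone string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.phones[account] = phone
}

// randomCode draws otpLength characters from otpAlphabet with crypto/rand
// (32 symbols ^ 8 = 40 bits of entropy per code).
func randomCode() (string, error) {
	buf := make([]byte, otpLength)
	n := big.NewInt(int64(len(otpAlphabet)))
	for i := range buf {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		buf[i] = otpAlphabet[idx.Int64()]
	}
	return string(buf), nil
}

// Issue mints a code for the account and returns the confirmed phone number it
// must be sent to. Issuing again replaces any earlier unused code.
func (s *OTPService) Issue(account string, now time.Time) (phone, code string, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	phone, ok := s.phones[account]
	if !ok {
		return "", "", errors.New("account has no confirmed phone number")
	}
	code, err = randomCode()
	if err != nil {
		return "", "", err
	}
	s.pending[account] = otpRecord{hash: sha256.Sum256([]byte(code)), expires: now.Add(otpLifetime)}
	return phone, code, nil
}

// Verify consumes the pending code on every attempt, right or wrong: a code
// typed on a public machine cannot be replayed later, and guessing gets one try.
func (s *OTPService) Verify(account, code string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.pending[account]
	if !ok {
		return false
	}
	delete(s.pending, account)
	if now.After(rec.expires) {
		return false
	}
	got := sha256.Sum256([]byte(code))
	return subtle.ConstantTimeCompare(got[:], rec.hash[:]) == 1
}

func main() {
	s := NewOTPService()
	s.ConfirmPhone("alice", "+1-555-0100") // constructed sample account
	phone, code, _ := s.Issue("alice", time.Now())
	fmt.Printf("text %s to %s\n", code, phone)
	fmt.Println("first use:", s.Verify("alice", code, time.Now()))
	fmt.Println("replay:", s.Verify("alice", code, time.Now()))
}
```

Because a keylogger on the public machine captures the code as it is typed, the single-use and short-expiry rules are what limit the damage: what the attacker recorded is already spent by the time they try it.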

Facebook is rolling the feature out gradually, and it should be available to everyone in the coming weeks.

People should avoid using their regular passwords or accessing sensitive information on public computers because the machines could be infected with keylogging programs or other data-stealing malware.

The company also announced that it will regularly ask people to update their basic account information such as phone number, extra e-mail address, and security question so that in the event an account can not be accessed there will be updated information that can be used to help prove that the person requesting access is the owner.

Tuesday, October 12, 2010

Amerithrax: GAO To Review FBI’s Case Against Bruce Ivins

Via FAS Biosecurity Blog (Sept 23, 2010) -

The U.S. Government Accountability Office (GAO) will conduct an examination of the scientific and technical methods used by the FBI during its investigation of 2001 anthrax attacks, in response to a request made by U.S. Rep. Rush Holt (NJ-D) earlier this year.

After an eight-year-long investigation, the FBI closed the Amerithrax case back in February and concluded that Bruce Ivins, a troubled lab worker at Ft. Detrick, was solely responsible for the anthrax mailings that killed five people in 2001. However, skepticism has long lingered in the minds of many on the science and validity behind these conclusions, particularly after Ivins’s suicide in 2008. After maintaining that the FBI’s work on the case was insufficient, Holt and several other congressmen from the House and Senate sent a formal request for inquiry to the GAO regarding the Bureau’s investigation methods. The letters were originally mailed from Princeton, NJ, a district currently represented by Holt. In his request, questions concerning forensic methods, scientific concerns and uncertainties and laboratory security were asked to be addressed. Holt has also advocated for a formal congressional commission, similar to the 9/11 commission, to further investigate the 2001 anthrax attacks.

The GAO examination will be the first Congressionally-directed investigation of the FBI’s handling of the case. A separate review of the FBI’s work, by the National Academy of Sciences, is expected to be conducted this fall. The GAO states that it will conduct the review after the NAS releases its conclusions on the case. Click here to read the GAO letter to Rep. Holt.

In Global Hunt for Hit Men, Tantalizing Trail Goes Cold

Via -

Soon after the January assassination of a top Palestinian official here, Dubai police stumbled onto what looked like a big break in the case.

They linked a white-haired man with glasses to several suspects caught on security cameras preparing for the murder. Most of the suspects in the case had carried forged passports, but this man had a real British one. It identified him as 62-year-old Christopher Lockwood.

A cellphone linked to him had recently been switched on in France. U.K. authorities found his London address. They also discovered that in 1994, he had changed his name from Yehuda Lustig. Mr. Lustig, they determined, was born in Scotland to a Jewish couple from what was then British-controlled Palestine.

The findings raised hopes of nabbing one of the orchestrators of the hit, possibly providing proof for accusations by Dubai police that Israel's intelligence agency Mossad was behind it.

But just as quickly, the trail went cold, a Wall Street Journal examination of the case shows.


It has been more than eight months since the murder of top Hamas official Mahmoud al-Mabhouh, whose body was found in a Dubai hotel room Jan. 20. Quick work by Dubai police and a diplomatic furor over the use of dozens of forged passports in the case fed early optimism that at least some of the 30-plus suspects would be found. But a string of apparent dead ends has frustrated international investigators, lengthening the odds that anyone will be caught or that definitive proof of Mossad involvement will emerge.

And despite an initial burst of tough talk from various governments, some international investigators are concerned that politics may be hampering cooperation from some governments that support Israel.

Time isn't on the side of Dubai, one of seven emirates that make up the United Arab Emirates. International investigators have been operating under the assumption that, if Israel is behind the crime, the suspects already may have made their way back to Israel, where they'll be safe from extradition.

"The longer these investigations go on, the more enthusiasms dwindle and the more time for a security service to cover tracks and bury things," says Nick Day, a former operative in the U.K.'s MI5 security service who isn't involved in the probe.

Israel isn't cooperating in the probe. It has said there's no evidence linking Mossad to the murder of Mr. Mabhouh, one of the founders of the military wing of Hamas, the Islamist Palestinian group that Washington, London and Israel designate as a terror organization. Spokesmen for Israeli Prime Minister Benjamin Netanyahu and the Israeli foreign ministry declined to comment for this article.

Early this year, Dubai's police chief said he was "99%" sure of Mossad involvement. Still, investigators on the case, including those in the U.A.E., say they are working with an open mind. Early on, Dubai detained two Palestinians, raising the possibility that the killing was orchestrated by Palestinian rivals to Mr. Mabhouh. Since then, several allies of Israel have publicly blamed the country for forging many of the passports used by suspects in the case. That has reinforced the widespread suspicion of Israeli involvement.

Dubai investigators remain hopeful, but are coming to terms with the possibility that the probe could drag on for years. "They realize this might be a long process," says one person familiar with the probe.