Tuesday, November 30, 2010

Quotable: Secretary Gates on WikiLeaks

Via Small War Journal (SWJ) Blog -

Although today’s press briefing and Q&A with Secretary of Defense Robert Gates and Chairman of the Joint Chiefs of Staff Admiral Mike Mullen concentrated on the release of the DOD working group’s study on the repeal of “Don’t Ask, Don’t Tell”, the SECDEF's response to a Wikileaks question should be disseminated as widely as possible and hopefully someone in the press will pick it up and write about it (a journalist forwarded an excerpt to an e-mail list I belong to) – see the bolded portion below – the emphasis is mine. I would say no better words could have been spoken on this issue.

Every PAO [Public Affairs Officer] should have this in talking points – if queried, repeat the SECDEF's words.



It’s not that Gates didn’t find the forced transparency annoying. He dug up a John Adams quote: "How can a government go on, publishing all of their negotiations with foreign nations, I know not."

But from his perspective, WikiLeaks won’t significantly disrupt U.S. foreign policy, because it doesn’t have the power to change basic geopolitical calculations.

Aztecas Gang Leader Arrested Over Weekend

Via CNN.com -

An alleged gang member who police say was behind 80 percent of the killings in Ciudad Juarez, Mexico, over the past 16 months was arrested over the weekend, officials said.

Police believe that Arturo Gallegos Castrellon, known as "El Farmero," was the leader of the Aztecas gang, a group closely linked with the Juarez cartel and its enforcement arm, La Linea.

Gallegos confessed to authorities that he ordered the killings of three people linked to the U.S. consulate in Juarez in March, as well as the attack on a party of young people that killed 14, federal police said.

The 32-year-old was arrested Saturday.

Gallegos "is allegedly responsible for homicides, extortions and distribution of drugs in all the sectors of Ciudad Juarez," the federal police said in a statement.

He was captured as part of an operation to dismantle the Aztecas gang, police said.

Surveillance and tips from the public led authorities to a house occupied by armed men, where Gallegos was arrested.

According to authorities, the gang leader also admitted to the killings of five federal police officers.

Two others were captured along with Gallegos. Carlos Rodriguez Ramirez, 41, is accused of smuggling drugs between Juarez and El Paso, Texas. Gisela Ornelas Nunez, 32, was identified as being in charge of transporting drugs and weapons to Juarez, police said.

Police seized two assault rifles and two handguns, along with 228 cartridges for different weapons. They also found 90 grams of what police believe is marijuana. Two cars and two trucks, including one that was armored, were also taken.

Analyst Finds Flaws in Canon Image Verification System

Via NetworkWorld.com -

A cryptographic system used by Canon to ensure that digital images haven't been altered is flawed and can't be fixed, according to a Russian security company that specializes in encryption.

Mid- to high-end Canon digital cameras have a feature called "Original Decision Data" (ODD), which is a digital signature that can be verified to see if a photo has been retouched or if data such as timestamps or GPS coordinates have been changed. The Associated Press news wire uses the system, which can also be used to verify photos used as evidence.


Elcomsoft has published photos -- including one with an astronaut planting the flag of the Soviet Union on the moon -- that, if checked using a smart card and special software from Canon, confirm that the photo has not been tampered with.

Elcomsoft shared a copy of Sklyarov's presentation, which hasn't been released publicly, with IDG News Service. In it, he describes how one component, the Hash-based Message Authentication Code (HMAC), which is used to calculate the ODD, can be extracted from the memory of several different Canon camera models.

In Canon's second version of its ODD system, the HMAC code is 256 bits. The code is the same for all cameras of the same model. Knowing the HMAC code for one particular model allows the ODD to be forged for any camera within that model range, Sklyarov wrote.

The problem is that the HMAC sits in the camera's RAM in a de-obfuscated form and can be extracted, according to Sklyarov. It is also possible to extract the HMAC from the camera's Flash ROM and manually de-obfuscate it. Canon also released a third version of ODD, which Sklyarov was also able to break and forge the ODD. Elcomsoft has written a program that can analyze a camera's processor and firmware.

The problem is a design flaw and can't be fixed, according to Elcomsoft. Sklyarov said he was able to extract the HMAC keys for the following models: EOS 20D, EOS 5D, EOS 30D, EOS 40D, EOS 450D, EOS 1000D, EOS 50D, EOS 5D Mark II, EOS 500D and EOS 7D.

With future models, Sklyarov wrote that Canon could implement an HMAC calculation in a cryptoprocessor that does not expose it. Also, Canon should prevent its cameras from running non-Canon code to avoid the use of software tools by an attacker.
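The weakness described above is a property of any MAC-based scheme: the tag is an HMAC over the image and its protected metadata, so whoever holds the key can both verify and produce tags, and a key shared by every camera of one model turns a single extraction into a break for the whole model line. The following is an added illustration, not Canon's ODD code or Elcomsoft's tooling; the key value, the image bytes and the encoding of the fields under the tag are all constructed assumptions (the real ODD layout is not public).

```python
import hashlib
import hmac

# Constructed sample: a made-up 256-bit per-model key, standing in for the kind of
# key Sklyarov describes (one key shared by all cameras of a model). Not a real key.
PER_MODEL_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def odd_tag(key: bytes, image: bytes, metadata: dict) -> bytes:
    """HMAC-SHA256 over the image bytes plus the metadata the tag is meant to protect.

    Each piece is length-prefixed and the metadata keys are sorted so the encoding is
    unambiguous and deterministic. This layout is an assumption for the example.
    """
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(len(image).to_bytes(8, "big"))
    h.update(image)
    for name in sorted(metadata):
        field = f"{name}={metadata[name]}".encode()
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.digest()


def verify(key: bytes, image: bytes, metadata: dict, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time.

    Note what this requires: the verifier holds the same secret as the camera. A
    symmetric tag therefore proves only that *someone with the key* produced it, and
    the key is exactly as secret as its least-protected copy (camera RAM, flash ROM,
    or the verification kit). That is why moving the computation into a
    cryptoprocessor that never exposes the key is the suggested fix.
    """
    return hmac.compare_digest(odd_tag(key, image, metadata), tag)


def demo() -> tuple:
    """Tag a constructed image, then check an untouched copy, a retouched copy and a
    copy whose GPS field was edited. Returns the three verification results."""
    image = b"\xff\xd8" + bytes(range(64))  # constructed stand-in for JPEG data
    meta = {"timestamp": "2010-11-30T10:00:00Z", "gps": "48.8566,2.3522"}
    tag = odd_tag(PER_MODEL_KEY, image, meta)

    untouched = verify(PER_MODEL_KEY, image, meta, tag)
    retouched = verify(PER_MODEL_KEY, image[:-1] + b"\x01", meta, tag)
    gps_edited = verify(PER_MODEL_KEY, image, {**meta, "gps": "0,0"}, tag)
    return untouched, retouched, gps_edited


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The check catches pixel edits and metadata edits alike, which is the value of the scheme; the design problem is that the same key that performs the check also mints the tags, so its secrecy, not the MAC algorithm, is what the whole system rests on.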

Monday, November 29, 2010

How Facebook Applications Can Download All the Messages in Your Inbox

Via Forbes.com (The Not-So Private Parts) -

When Facebook rolled out its new Messages feature earlier this month — combining emails, chats, and SMS messages in one inbox and offering people @facebook.com email addresses — security engineer Joey Tyson tweeted, “Do you really want all your e-mail, IMs, and texts combined with all the data Facebook already has about you?”

SomeEcards expressed it differently (at right): “One benefit to Facebook’s new email system is that your privacy can now be violated all in one place.”

One privacy protection model is to scatter your data about to make it more difficult to parse, akin to keeping valuables in different hiding spots in your house to thwart intruders getting everything in one go. For this reason, some people may be uncomfortable making Facebook their one-stop-shop for photo sharing, friend accumulation, and email storage. Another issue that may give the privacy-conscious pause is the fact that a Facebook permission exists that gives application developers the ability to download the content of your inbox…


If a user gives an application the “read_mailbox” permission, that application can have a field day with your private communications — downloading the content of a message, when it was sent, who it was sent to, etc.


The read_mailbox permission is not some kind of security oversight on Facebook’s part. “As with many products, we opened up an API for messages to make it possible for developers to create new opportunities on top of Facebook products,” says a Facebook spokesperson. “For example, with the messages API, a developer could create an application that people could use to read their Facebook messages directly from their desktop.”

She reiterated that an application can only rifle through a Facebooker’s messages if he or she “grant[s] expressed permission for the application to access his or her inbox on their behalf. And they can end that connection at anytime.” A recent post on the Facebook Developers blog reassures developers that they’ll still be able to access users’ inboxes with the permission with the new Facebook Messages.

Facebookers, here’s another reminder to pay attention to what an application asks permission to do when you add it to your Facebook page. And to think twice before deleting your non-Facebook email accounts.

Bomb Kills Iranian Nuclear Scientist in Tehran

Via NYTimes.com -

Unidentified assailants riding motorcycles launched bomb attacks early on Monday against two Iranian nuclear physicists here, killing one of them and prompting accusations by Iran that the United States and Israel were behind the episode.

At a news conference here, President Mahmoud Ahmadinejad said that “undoubtedly the hand of the Zionist regime and Western governments is involved” in the killing but did not identify those governments by name. The killing led Iran’s nuclear chief, Ali Akbar Salehi, to warn the West and its allies not to “play with fire.” Both Mr. Salehi and Mr. Ahmadinejad vowed that Tehran would not be deterred from expanding its nuclear project.

But Mr. Ahmadinejad publicly acknowledged, apparently for the first time, that Iran’s nuclear program had recently been disrupted by a malicious computer software that attacked its centrifuges. “They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts,” he said at the news conference.

Iranian officials had previously acknowledged unspecified problems with Iran’s centrifuges, which are used to enrich uranium that can be used for peaceful energy generation or atomic weapons. But the Iranians had always denied the problems were caused by malicious computer code.

A computer program known as Stuxnet is believed to have struck Iran over the summer. Experts said that the program, which is precisely calibrated to send nuclear centrifuges wildly out of control, was likely developed by a state government.


The dead scientist was identified as Majid Shahriari, a physics professor at Shahid Beheshti University in northern Tehran. He was killed and his wife was injured when a bomb that had been attached to his car was detonated remotely. A second professor at the same university, Fereydoon Abbasi, was injured in a separate, simultaneous attack. His wife was also hurt.

Iranian media reports said the motorcycle attackers had attached the bombs to the professors’ cars and detonated them from a distance. The attackers escaped. According to The Associated Press, the bombs were attached to both cars while they were moving.


Some unofficial Iranian media reports, controlled by hardliners, described Mr. Abbasi as a loyalist supporter of the Iranian regime involved in nuclear research at the Defense Ministry and said both scientists were from the nuclear engineering department of Shahid Beheshti University.



The [UN] resolution, from March 2007, identifies Abbasi as one of several people "involved in nuclear or ballistic missile activities" in Iran. It does not call him a "nuclear scientist" but describes him as a scientist for the Senior Ministry of Defense and Armed Forces Logistics who has links to the Institute of Applied Physics.

The European Union froze Abbasi's assets last month as it imposed additional sanctions on Iran.

The United Nations resolution says Abbasi has worked closely with another scientist, Mohsen Fakhrizadeh-Mahabadi, who led the Physics Research Center in Iran. The International Atomic Energy Agency has sought to interview Fakhrizadeh-Mahabadi, but Iran has declined to allow that, the resolution says.

The Background Dope on DHS Recent Seizure of Domains


As has been reported, it looks like ICE, which is the principal investigative arm of DHS, has begun seizing domains under the pretext of IP infringement. But it’s actually not ICE who is executing the mechanics of the seizures. It’s a private company, immixGroup IT Solutions. Here is what is going down.


ICE is not actually “seizing” any servers or forcing hosting companies to remove web content from their servers; what they are doing is using immixGroup IT Solutions to switch the authoritative name servers for these “seized domains.” But they are not doing it at the Registrar level (by contacting the registrar for the domain and forcing them to update the authoritative name server info to point to NS1.SEIZEDSERVERS.COM, NS2.SEIZEDSERVERS.COM), but rather through the agency who controls the top level domain. In this case, all the “seized domains” appear to be .com and the agency/company who has the ICANN contract for this TLD is VeriSign (which also controls the .net TLD). The changes are being made at the top-level authoritative name servers for the .com TLD, which would be the [a-m].gtld-servers.net. These are controlled by VeriSign (note: these top-level name servers are also authoritative for the .net and .edu TLDs).

So, VeriSign, the owner of the .com TLD, is working in cooperation with DHS, and it appears immixGroup IT Solutions has what we might call an “IT Support Ticket system” setup with VeriSign.


Now the .info TLD is not controlled by VeriSign; it’s controlled by Afilias. So, an interesting little experiment would be to see if the torrent-finder.info domain remains up. As of now, we can only conclude that there is a back deal between DHS and VeriSign that makes any .com or .net domain subject to seizure by the actions of immixGroup IT Solutions.
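Because the change is made in the parent zone rather than at the registrar or in the domain's own zone, the delegation served by the gtld-servers.net hosts stops matching the NS records the domain's own name servers still publish. A domain owner can watch for exactly that divergence. The script below is an added example, not part of the original post: it parses dig-style answers for the parent-side referral (what `dig +norecurse @a.gtld-servers.net example.com NS` returns in its AUTHORITY section) and the child-side answer (`dig @ns1.example-hosting.net example.com NS`), and reports when the parent delegation differs from the child or from an expected set. The sample dig output, `example.com` and the `example-hosting.net` name servers are constructed; the `seizedservers.com` names are the ones quoted in the post.

```python
import re
from typing import Dict, List, Set

# One NS record in dig's presentation format: owner  ttl  IN  NS  target
NS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$", re.IGNORECASE)


def parse_ns(dig_output: str) -> Dict[str, Set[str]]:
    """Collect NS targets per owner name from dig-style text.

    Comment lines (";; AUTHORITY SECTION:" and the like) are skipped; names are
    lower-cased and the trailing dot removed so parent and child answers compare
    cleanly even if one side prints fully-qualified names.
    """
    records: Dict[str, Set[str]] = {}
    for raw in dig_output.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = NS_LINE.match(line)
        if m:
            owner = m.group(1).lower().rstrip(".")
            target = m.group(2).lower().rstrip(".")
            records.setdefault(owner, set()).add(target)
    return records


def check_delegation(domain: str, parent_output: str, child_output: str,
                     expected_ns: List[str]) -> dict:
    """Compare the parent-zone delegation with the child zone's own NS set.

    A parent/child mismatch or parent NS names outside the expected set is the
    signature of a delegation changed above the registrar, which is what the post
    describes happening at the .com servers.
    """
    name = domain.lower().rstrip(".")
    parent = parse_ns(parent_output).get(name, set())
    child = parse_ns(child_output).get(name, set())
    expected = {n.lower().rstrip(".") for n in expected_ns}
    return {
        "parent_ns": sorted(parent),
        "child_ns": sorted(child),
        "parent_matches_expected": parent == expected,
        "parent_child_mismatch": parent != child,
        "unexpected_parent_ns": sorted(parent - expected),
    }


# Constructed sample: what the parent-side referral might look like after the
# delegation has been repointed, next to the unchanged child-side answer.
PARENT_REPLY = """\
;; AUTHORITY SECTION:
example.com.   172800  IN  NS  ns1.seizedservers.com.
example.com.   172800  IN  NS  ns2.seizedservers.com.
"""

CHILD_REPLY = """\
;; ANSWER SECTION:
example.com.   3600  IN  NS  ns1.example-hosting.net.
example.com.   3600  IN  NS  ns2.example-hosting.net.
"""

EXPECTED_NS = ["ns1.example-hosting.net", "ns2.example-hosting.net"]


if __name__ == "__main__":
    report = check_delegation("example.com", PARENT_REPLY, CHILD_REPLY, EXPECTED_NS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run periodically against the live answers, the `parent_child_mismatch` flag fires the moment the TLD-level delegation is changed, regardless of what the registrar account or the domain's own zone file says; note that the parent answer must be fetched with `+norecurse` directly from a gtld server, since a recursive resolver would follow the referral and return the child's view.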

Technology Alone Will Not End Terrorism

Via Newsweek.com (Nov 27, 2010) -

On September 11, 2001, I was sitting in my office at Tel Aviv’s Ben Gurion airport, where I was director of security, and watched in horror as the world changed. During the next few months, I saw America quickly identify screenings as the source of all evil and the reason for the attacks—despite, illogically, the fact that Mohamed Atta and his terrorist teams didn’t carry any weapons that were supposed to be detected at the checkpoints.

I’ve since moved to the U.S. to consult on airport security. Time after time, I’ve watched the country react retroactively—making us take off our footwear after Richard Reid’s attempted shoe bombing, deciding not to let us bring water or shampoo on flights after a failed plot to blow up planes with liquid explosives, and, now, subjecting passengers to full-body scans or invasive searches after last December’s thwarted underwear bombing. It’s time to accept that terrorist attacks are not carried out by things but by people. A security strategy based on detection technology alone is a failed one. Our great love of gadgetry—and the belief that it can solve all our problems, without a personal touch—has only led to one failure after another.

Looking for better solutions takes me back to Ben Gurion. Israeli aviation security manages to create a reasonable balance between detection technology and human interaction. While at American airports we deploy people to support technology, in Tel Aviv technology is deployed to support people. Does it work? Ask Anne Marie Murphy, a young Irishwoman who, in 1986, nearly boarded a plane while carrying an explosive device without her knowledge. Her terrorist boyfriend, who was supposed to be on a separate flight, had given her a bag with a concealed bomb. When a profiler began to ask her a standard set of questions, it became clear that she was an anomaly (she had no accommodations lined up, among other issues). The device, which was cleverly hidden, would not have been detected during a pat-down, or even by an X-ray scanner. But the profiler, who was not distracted by her ethnicity, religion, gender, or her obvious pregnancy, saved Murphy and hundreds of other passengers—simply by taking her aside and talking to her.

The Murphy case illustrates the limitations of ethnic and racial profiling. Not only does the P word contradict values so dear to us, it’s just not the smartest tactic. Analyzing someone’s behavior through observation and conversation—in real time and cumulatively—makes more sense. Screeners should be able to comb through a more comprehensive database of government and law-enforcement data as well as information from the airlines about, say, who has paid cash for a ticket and who is flying one way. These “tells” are unusual and would cause screeners to pay closer attention when it matters. (They’re also the behaviors that Atta, Reid, and the “underpants bomber” displayed.) Which is what’s needed: by relying on a one-size-fits-all approach to security, we spend too much time searching harmless travelers—and too little time rooting out legitimate threats.


This matches up very well with the viewpoint that STRATFOR has pushed for quite some time - focus profiling on the “how” instead of the “who.”
In an environment where the potential threat is hard to identify, it is doubly important to profile individuals based on their behavior rather than their ethnicity or nationality — what we refer to as focusing on the “how” instead of the “who.” Instead of relying on physical profiles, which allow attack planners to select operatives who do not match the profiles being selected for more intensive screening, security personnel should be encouraged to exercise their intelligence, intuition and common sense.
But we are reminded that the US also isn't Israel....
There is frequent mention of the need to make U.S. airport security more like that employed in Israel. Aside from the constitutional and cultural factors that would prevent American airport screeners from ever treating Muslim travelers the way they are treated by El Al, another huge difference is simply the amount of money spent on salaries and training for screeners and other security personnel. El Al is also aided by the fact that it has a very small fleet of aircraft that fly only a small number of passengers to a handful of destinations.

Wednesday, November 24, 2010

AQIM and the Africa-to-Europe Narco-Trafficking Connection

Via The Jamestown Foundation -

Of the various Salafi-Jihadi militant groups currently operating, few have been as aggressive in their pursuit of financing as al-Qaeda in the Islamic Maghreb (AQIM), which has added narcotics trafficking to its staples of kidnapping for ransom as well as the smuggling of cigarettes and fuel in the wild and poorly patrolled border regions of the Sahel/Sahara region.

During a recent visit to Spain, Moroccan Foreign Minister Taieb Fassi Fihri expressed his alarm over the rise in cocaine shipments smuggled through Morocco to Europe (Jeune Afrique, November 3). Morocco's Minister of Interior Taieb Cherkaoui announced the arrest of 34 people in October, all members of an AQIM-affiliated cell with connections in South America, Africa and Spain (Le Matin, Oct 17). In late 2009, a Boeing 727 full of drugs and other illegal products landed in a remote northeastern area of Mali. It was a clear signal of the increasing importance of this region for global narco-trafficking (AFP, December 11, 2009; Le Figaro, March 19; see also Terrorism Monitor, January 7). Then in December 2009, three citizens of Mali alleged to be AQIM associates were arrested in Ghana after they told undercover agents of the American Drug Enforcement Agency (DEA) they had agreed to transport cocaine through Africa to Europe for AQIM and the Fuerzas Armadas Revolucionarias de Colombia (FARC - Revolutionary Armed Forces of Colombia), demonstrating an emerging reality which links terrorist groups and narco-traffickers in a new, heterodox and business-oriented alliance (VOA News, December 29, 2009; Le Parisien, December 22, 2009).


Drug smuggling activities have often been an important tool for terrorist groups to finance themselves. Islamist militants, however, are faced with Islamic injunctions against the use of narcotics. Although considered haram (illicit), according to Islamic beliefs and sensibility, the need to find remunerative ways to fund operations allows these groups to have a sort of “ideological flexibility” in which the importance of the aim can reduce the impact of the impurity of the means, a typical takfiri practice.


AQIM has strongly increased its involvement in illegal trafficking since 2008. There has been a change in the intensity and in the relative importance of these activities for this group. Weakened by Algerian counterterrorism activities and a decline in popular support, the group found itself with few members and poor financial resources. At that point, parasitic economic practices became key activities of the group (see Terrorism Monitor, January 28).

AQIM also offers security for traffickers operating in the region. AQIM taxes the shipments and provides geographical guidance and transport protection.


AQIM protects the shipments with their arms and provides the vehicles to transport them to Morocco, which is the main African terminal (L'Economiste du Maroc, October 19). They are also involved in the logistical organization of the transports through the Mediterranean, dealing with criminal groups specialized in illegal sea transportation to the southern European coasts. The supplies are shipped to Spain, the main doorway for these drugs and the main center of distribution in Europe (El Pais, March 1).


Taking a leading role in narcotics trafficking through Africa allows AQIM to finance its operations through a remunerative, constant and relatively stable source of income (since the demand for drugs is both stable and high). It helps AQIM pay for weapons and necessary equipment and, lastly, to pay its members well and regularly, an important consideration in making AQIM more attractive to local youth.


As noted by Shimron Issachar @ Shimron Letters blog, this isn't exactly breaking news but should serve as a reminder that AQIM, and AQ overall, isn't just a terrorist organization, but a criminal organization at its core.

But amongst counter-radicalisation practitioners, a wise policy proposal would be simply to brand al-Qaeda criminal. When I pen “criminal,” I am not referring to the crimes against humanity writ large or the crimes against Islam and mainstream salafism as al-Qa`ida rests its ideological laurels on flagrant exploitation of politically-chosen out-of-context Quranic kernels. But instead, I mean normal, run-of-the-mill secular criminality like we see with the brutal and calculated crimes of Mexican cartels.

Iran Temporarily Halted Uranium Enrichment - IAEA

Via Uskowi on Iran (Nov 23, 2010) -

IAEA reported today that Iran had temporarily halted its uranium enrichment work earlier this month. The agency’s inspectors visiting the country’s enrichment unit at Natanz on 16 November observed that none of the cascades, normally comprising 164 centrifuges, were being fed with UF6 (uranium hexafluoride) to produce low-enriched uranium (LEU).

It was not immediately clear when the outage had started, but the Iranian authorities informed IAEA on Monday that 28 cascades were enriching uranium again [AFP & Reuters, 23 November].

Iran’s director of Atomic Energy Organization Ali Akbar Salehi today denied media reports that the outage might have been linked to the Stuxnet worm [ISNA, 23 November]. Some experts believe a technical problem could have been the cause.

Despite the temporary halt in uranium enrichment, the IAEA report indicates that Iran's total output of LEU has reached 3,183 kilograms (7003 pounds), suggesting steady production in recent months. The country’s inventory of 20-percent enriched uranium has reached 33 kilos.


The latest IAEA reports on Iran & Syria are accessible on the Arms Control Wonk blog.

Aviation Security Threats and Realities

Via STRATFOR (Security Weekly) -

Over the past few weeks, aviation security — specifically, enhanced passenger-screening procedures — has become a big issue in the media. The discussion of the topic has become even more fervent as we enter Thanksgiving weekend, which is historically one of the busiest travel periods of the year.


We believe that this review will help establish that there is a legitimate threat to aviation, that there are significant challenges in trying to secure aircraft from every conceivable threat, and that the response of aviation security authorities to threats has often been slow and reactive rather than thoughtful and proactive.


While understanding that the threat is very real, it is also critical to recognize that there is no such thing as absolute, foolproof security. This applies to ground-based facilities as well as aircraft. If security procedures and checks have not been able to keep contraband out of high-security prisons, it is unreasonable to expect them to be able to keep unauthorized items off aircraft, where (thankfully) security checks of crew and passengers are far less invasive than they are for prisoners. As long as people, luggage and cargo are allowed aboard aircraft, and as long as people on the ground crew and the flight crew have access to aircraft, aircraft will remain vulnerable to a number of internal and external threats.

This reality is accented by the sheer number of passengers that must be screened and number of aircraft that must be secured. According to figures supplied by the Transportation Security Administration (TSA), in 2006, the last year for which numbers are available, the agency screened 708,400,522 passengers on domestic flights and international flights coming into the United States. This averages out to over 1.9 million passengers per day.

Another reality is that, as mentioned above, jihadists and other people who seek to attack aircraft have proven to be quite resourceful and adaptive. They carefully study security measures, identify vulnerabilities and then seek to exploit them. Indeed, last September, when we analyzed the innovative designs of the explosive devices employed by AQAP, we called attention to the threat they posed to aviation more than three months before the Christmas 2009 bombing attempt. As we look at the issue again, it is not hard to see, as we pointed out then, how their innovative efforts to camouflage explosives in everyday items and hide them inside suicide operatives’ bodies will continue and how these efforts will be intended to exploit vulnerabilities in current screening systems.


This ability to camouflage explosives in a variety of different ways, or hide them inside the bodies of suicide operatives, means that the most significant weakness of any suicide-attack plan is the operative assigned to conduct the attack. Even in a plot to attack 10 or 12 aircraft, a group would need to manufacture only about 12 pounds of high explosives — about what is required for a single, small suicide device and far less than is required for a vehicle-borne improvised explosive device. Because of this, the operatives are more of a limiting factor than the explosives themselves; it is far more difficult to find and train 10 or 12 suicide bombers than it is to produce 10 or 12 devices.


There has been much discussion of profiling, but the difficulty of creating a reliable and accurate physical profile of a jihadist, and the adaptability and ingenuity of the jihadist planners, means that any attempt at profiling based only on race, ethnicity or religion is doomed to fail. In fact, profiling can prove counterproductive to good security by blinding people to real threats. They will dismiss potential malefactors who do not fit the specific profile they have been provided.

In an environment where the potential threat is hard to identify, it is doubly important to profile individuals based on their behavior rather than their ethnicity or nationality — what we refer to as focusing on the “how” instead of the “who.” Instead of relying on physical profiles, which allow attack planners to select operatives who do not match the profiles being selected for more intensive screening, security personnel should be encouraged to exercise their intelligence, intuition and common sense. A Caucasian U.S. citizen who shows up at the U.S. Embassy in Nairobi or Dhaka claiming to have lost his passport may be far more dangerous than some random Pakistani or Yemeni citizen, even though the American does not appear to fit the profile for requiring extra security checks.

However, when we begin to consider traits such as intelligence, intuition and common sense, one of the other realities that must be faced with aviation security is that, quite simply, it is not an area where the airlines or governments have allocated the funding required to hire the best personnel. Airport screeners make far less than FBI special agents or CIA case officers and receive just a fraction of the training. Before 9/11, most airports in the United States relied on contract security guards to conduct screening duties. After 9/11, many of these same officers went from working for companies like Wackenhut to being TSA employees. There was no real effort made to increase the quality of screening personnel by offering much higher salaries to recruit a higher caliber of candidate.

There is frequent mention of the need to make U.S. airport security more like that employed in Israel. Aside from the constitutional and cultural factors that would prevent American airport screeners from ever treating Muslim travelers the way they are treated by El Al, another huge difference is simply the amount of money spent on salaries and training for screeners and other security personnel. El Al is also aided by the fact that it has a very small fleet of aircraft that fly only a small number of passengers to a handful of destinations.


While it is impossible to keep all contraband off aircraft, efforts to improve technical methods and procedures to locate weapons and IED components must continue. However, these efforts must not only be reacting to past attacks and attempts but should also be looking forward to thwart future attacks that involve a shift in the terrorist paradigm. At the same time, the often-overlooked human elements of airport security, including situational awareness, observation and intuition, need to be emphasized now more than ever. It is those soft skills that hold the real key to looking for the bomber and not just the bomb.

Tuesday, November 23, 2010

Instant Analysis: New Issue of Inspire Magazine


This is an ICSR Instant Analysis of Recent AQAP Propaganda written by Senior Fellow Shiraz Maher

The latest edition of Al Qaeda’s ‘Inspire’ reveals more details about the recent airline bomb plot which emanated in Yemen.

‘Inspire’ is an English-language magazine produced quarterly by al-Qaeda in the Arabian Peninsula (AQAP). Its latest ‘special edition’ reveals more details of the plot and an insight in the strategic mindset of AQAP. The magazine is divided into three parts: a discussion of the strategic objectives (including its economic impact), the religious objectives, and technical information on the bomb itself.


Operational background

AQAP called this project ‘Operation Haemorrhage’ (in the magazine they use the American spelling: ‘Hemorrhage’).


Strategic Objectives

It now seems clear that the primary objective of this attack was not the synagogues to which the parcels were addressed. The objective of the plot is discussed twice in different articles. The first says:
The operation was to be based on two factors: The first is that the packages pass through the latest security equipment. The second, the spread of fear that would cause the West to invest billions of dollars in new security procedures.
The other states:
From the start our objective was economic. Bringing down a cargo plane would only kill a pilot and co-pilot.
The ‘head of operations’ claims that the primary aim was economic:
The air freight is a multi-billion dollar industry…For the trade between North America and Europe air cargo is indispensable and to be able to force the West to install stringent security measures sufficient enough to stop our explosive devices would add a heavy economic burden to an already faltering economy.
According to the magazine, the ink cartridge plot cost AQAP just $4200 (£2615), demonstrating how a relatively cheap operation can still inflict massive economic and financial damage. This is something AQAP is keen to underscore, telling readers:
Two Nokia mobiles, $150 each, two HP printers, $300 each, plus shipping, transportation and other miscellaneous expenses add up to a total bill of $4,200. That is all what Operation Hemorrhage cost us. In terms of time it took us three months to plan and execute the operation from beginning to end. On the other hand this supposedly "foiled plot", as some of our enemies would like to call, will without a doubt cost America and other Western countries billions of dollars in new security measures.
That is what we call leverage. A $4,200 operation will cost our enemy billions of dollars. In terms of time and effort, three months of work for a team of less than six brothers would end up costing the West hundreds of thousands, if not millions, of hours of work in an attempt to protect itself from our packages of death.

North Korean Artillery Attack on a Southern Island

AFP PHOTO - Hattip to Public Intelligence

This picture taken on November 23, 2010 by a South Korean tourist shows huge plumes of smoke rising from Yeonpyeong island in the disputed waters of the Yellow Sea on November 23, 2010


North Korea and South Korea have reportedly traded artillery fire Nov. 23 across the disputed Northern Limit Line (NLL) in the Yellow Sea to the west of the peninsula. Though details are still sketchy, South Korean news reports indicate that around 2:30 p.m. local time, North Korean artillery shells began landing in the waters around Yeonpyeongdo, one of the South Korean-controlled islands just south of the NLL. North Korea has reportedly fired as many as 200 rounds, some of which struck the island, injuring at least 10 South Korean soldiers, damaging buildings and setting fire to a mountainside. South Korea responded by firing some 80 shells of its own toward North Korea, dispatching F-16 fighter jets to the area and raising the military alert to its highest level.

South Korean President Lee Myung Bak has convened an emergency Cabinet meeting, and Seoul is determining whether to evacuate South Koreans working at inter-Korean facilities in North Korea. The barrage from North Korea was continuing at 4 p.m. Military activity appears to be ongoing at this point, and the South Korean Joint Chiefs of Staff are meeting on the issue. No doubt North Korea’s leadership is also convening.


While the South Korean reprisals — both artillery fire in response by self-propelled K-9 artillery and the scrambling of aircraft — thus far appear perfectly consistent with South Korean standard operating procedures, the sustained shelling of a populated island by North Korea would mark a deliberate and noteworthy escalation.

The incident comes amid renewed talk of North Korea’s nuclear program, including revelations of an active uranium-enrichment program, and amid rumors of North Korean preparations for another nuclear test. But North Korea also on Nov. 22 sent a list of delegates to Seoul for Red Cross talks with South Korea, a move reciprocated by the South, ahead of planned talks in South Korea set for Thursday. The timing of the North’s firing at Yeonpyeongdo, then, seems to contradict the other actions currently under way in inter-Korean relations. With the ongoing leadership transition in North Korea, there have been rumors of discontent within the military, and the current actions may reflect miscommunications or worse within the North’s command-and-control structure, or disagreements within the North Korean leadership.

North Korea v South Korea: Mapping Every Incident from 1958 to 2010

This is obviously not the first time this has happened - there have been over 150 incidents since the Korean War in 1950, that we know about. The reason we do know about these is because of an exhaustive report by the Congressional Research Service, published in 2007. It covers every incident, from diplomatic hostilities, through to the more serious events where people have died.

We wanted to map those events, using Google Fusion tables - and that's what you can see above. There are some hefty caveats here. Where we didn't know the precise location, we have made an educated guess, based on reports and the location details we do have. The other thing worth noting is that this was compiled in the US - a report compiled in Pyongyang would look very very different.

Exploit Code For Stuxnet Windows Task Scheduler Bug Posted

Via Threatpost.com -

Exploit code is now publicly available for one of the four previously undisclosed Windows vulnerabilities that the Stuxnet worm exploits. The availability of exploit code for the Windows Task Scheduler bug used by Stuxnet makes the bug somewhat more dangerous, as there is currently no patch available for the flaw.

The Windows Task Scheduler exploit code was added to the Exploit Database over the weekend and is designed for use against systems running Windows Vista, Windows 7 or Windows Server 2008. The Task Scheduler bug is just one of several vulnerabilities that the Stuxnet worm uses in its attack routine. It's one of the less severe of that group of flaws, in that it's only used for privilege escalation once an attacker has already compromised a machine.

Microsoft has not released a patch for the Task Scheduler vulnerability as yet. The company has patched three other bugs used by Stuxnet, including the LNK flaw that was one of the things that originally brought the worm to researchers' attention earlier this year.


On Saturday, Nov 20th, the unpatched Task Scheduler exploit was also added to Metasploit.


Monday, November 22, 2010

Chinese National Stole Ford Secrets Worth More Than $50 Million

Via Threatpost.com -

A ten-year veteran of the U.S. automaker Ford Motor Company pleaded guilty in federal court on November 17 to charges that he stole company secrets, including design documents, worth more than $50 million and shared them with his new employer: the Chinese division of a U.S. rival of Ford's.

Xiang Dong ("Mike") Yu admitted to copying some 4,000 Ford documents to an external hard drive, including system design specifications for Ford's cars, after surreptitiously taking a job with a competitor in 2006.

Under the plea agreement, announced last week, Yu faces a sentence ranging from five to six years in prison and a fine of up to $150,000 for a theft of trade secrets valued at between $50 million and $100 million, according to a statement by Barbara L. McQuade, the United States Attorney for the Eastern District of Michigan.

According to the Plea Agreement, Yu obtained documents containing prized Ford design documents, including those for components such as an Engine/Transmission Mounting Subsystem, Electrical Distribution system, Electric Power Supply, Electrical Subsystem and Generic Body Module. Yu was a Product Engineer at Ford, where he had worked since 1997, but the documents taken had no connection to his work at Ford.

Yu did not inform Ford of his decision to take a position with a competitor prior to leaving the country with the documents on December 20, 2006. He later e-mailed his supervisor at Ford from China to inform him that he was leaving the company. Yu later accepted a job with a Chinese-based competitor of Ford's, Beijing Automotive Company, of Shenzhen, China, in November, 2008.

He was taken into custody by the FBI in October, 2009, after stopping over in Chicago on a return trip to China. An analysis of the laptop computer Yu carried at the time included copies of 41 Ford system design specification documents.

How the DEA Tracked Viktor Bout

Via Newsweek.com -

When celebrated Russian arms dealer Viktor Bout landed last Tuesday night at Stewart International Airport in upstate New York—before being whisked to Manhattan to appear the next day in front of a district-court judge—it marked the end of a saga known to the Drug Enforcement Administration as Operation Relentless. The man who ran it tells NEWSWEEK the affair began with a challenge from the White House.

After 9/11, law-enforcement agencies had expanded jurisdiction to arrest foreign nationals living outside the U.S. but accused of crimes against Americans. Michael Braun, the DEA’s head of operations from 2004 until 2008, had overseen a string of high-profile global arrests, including that of Monzer Al Kassar, a member of the Palestinian Liberation Front and, in his day, the world’s second-biggest arms dealer. Braun says that a colleague on the National Security Council, congratulating the DEA team on Kassar’s 2007 arrest (he’s serving a 30-year sentence), suggested it go after public enemy No. 1: Bout. According to Braun, the NSC official, whom Braun wouldn’t name, said, “Every other three-letter agency in town had been tracking him.” Could the DEA succeed where they had failed? “We said, ‘OK, yeah, let’s see what we can do here,’” says Braun, who now runs a firm supporting State and Pentagon efforts to train law-enforcement personnel worldwide.

Posing as buyers for the Colombian insurgent group FARC, the DEA—which had played the same trick on Kassar—trapped Bout in a March 2008 sting operation in Bangkok; Thai police arrested him at the behest of the U.S., provoking a two-year battle with Russia, which wanted to keep Bout from being extradited to America. But last Monday, the Thais—who received periodic reminders from Washington of their privileged trade status—agreed to let the U.S. have Bout. (He pleaded not guilty, and his next hearing is scheduled for Jan. 10.)

Why were the Russians so anxious to keep Bout out of American hands? Known as "Africa’s merchant of death," Bout is thought by U.S. officials to have built an empire worth perhaps $6 billion. According to a U.N. report, he supplied arms to Angola, the Democratic Republic of the Congo, Liberia, Rwanda, Sierra Leone, and Sudan (not to mention Afghanistan). "Bout had the ability to acquire the most sophisticated weapons systems that the former Soviet bloc could offer," Braun says. "He could not have acquired the weapons systems he did without complicity at the highest ranks of the government and military in Russia." Yevgeny Khorishko, a spokesman for the Russian Embassy, says, "Russian officials were never involved in any activities of Mr. Bout, if there were any activities—and there is no proof of that."


Nov 16, 2010 - DEA Press Release
After more than two years of legal proceedings, alleged international arms dealer Viktor Bout has been extradited to the Southern District of New York from Thailand to stand trial on terrorism charges, the Justice Department announced today.

April BGP Route Hijack: Sifting Through the Confusion

Via McAfee Research Blog -

A lot has been written in recent days since we have posted the blog on the 18 minute traffic redirection issue earlier this week and the U.S. – China Economic and Security Review Commission report came out discussing it. Unfortunately, some media did get a few points wrong that I would like to address:

1. There is absolutely no proof that this was an intentional attack. Routing hijacks happen fairly frequently and most of them are accidental in nature. We believe they do demonstrate a frightening lack of security in the fundamental building blocks of the Internet and that the security and the routing communities need to take steps to address those vulnerabilities — and soon.

2. A lot of media reports have claimed that ’15% of Internet traffic was hijacked’. That is a false statement. Based on our analysis, there were 53,353 network routing prefixes that were falsely announced on April 8th, out of a total of roughly 330,000 network routes that existed in routing tables at that time. That amounts to 15% of the networks on the Internet, not necessarily 15% of the traffic. It is very difficult to estimate how much of the traffic was actually redirected, and the true estimate can only come from the owner of the network that routed all of this traffic.

3. Craig Labovitz from Arbor Networks has posted a very good and detailed analysis of Arbor’s traffic estimate on this hijack. Unfortunately, Craig posted this analysis for the IDC Beijing China Telecom (AS23724), which was indeed the original announcer of the incorrect routes. However, China Telecom (AS4134) was the network that actually distributed that route to the public Internet. Thus, that is the network whose traffic levels should be measured to determine the true impact of the route redirection, as it would be the first (and quite likely last) recipient of the packets which would have been redirected.

This topic is unfortunately highly technical and very difficult to explain to people not fully immersed in BGP routing jargon. Nevertheless, this incident underscores the very serious problems that exist on the Internet due to the system of trust that was put in place more than three decades ago when this network was first invented. As Vint Cerf, known as the father of the Internet, has said – ‘The Internet was an experiment that never ended’. It is now time for us as a community to come together to build more security into the core of the Internet to protect this vital global economic resource.
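The post makes two points a route-monitoring script has to get right: a hijack is detected by comparing each announcement's origin AS against what the prefix normally originates from, and the AS that matters for impact is the one that propagated the bad routes (AS4134 in the post), not only the one that originated them (AS23724). Counting affected prefixes also says nothing about traffic. The following is an added example, not code from the McAfee post or its authors: the baseline table and the update list are constructed sample data, and apart from the two AS numbers named in the post every AS number and prefix is made up.

```python
"""Classify BGP announcements against a baseline of expected origin ASes.

Added example (constructed data): separates exact-prefix origin changes from
more-specific hijacks, reports which upstream AS distributed the bad routes,
and counts affected prefixes, which is a count of networks, not of traffic.
"""
import ipaddress
from collections import Counter

# Constructed baseline: prefix -> origin AS normally seen in the global table.
BASELINE = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
    "2001:db8::/32": 64503,
    "100.64.0.0/10": 64504,
}

# Constructed updates as (prefix, AS_PATH).  The path is listed from the
# observing router towards the origin, so path[-1] is the origin and path[-2]
# is the AS that handed the route on to the rest of the Internet.
UPDATES = [
    ("192.0.2.0/24", [64510, 4134, 23724]),       # origin changed: hijack
    ("198.51.100.0/24", [64510, 64520, 64501]),   # expected origin
    ("203.0.113.0/25", [64510, 4134, 23724]),     # more-specific from foreign origin
    ("2001:db8::/32", [64510, 64530, 64503]),     # expected origin
    ("100.64.0.0/10", [64510, 64504]),            # expected origin, directly peered
]


def covering_prefix(prefix, baseline):
    """Return the longest baseline prefix that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for cand in baseline:
        cnet = ipaddress.ip_network(cand)
        if cnet.version != net.version or not net.subnet_of(cnet):
            continue
        if best is None or cnet.prefixlen > ipaddress.ip_network(best).prefixlen:
            best = cand
    return best


def classify(updates, baseline):
    """Return (prefix, kind, origin, propagator) for each suspicious update.

    kind is 'origin-change' when a baseline prefix shows up with a new origin,
    or 'more-specific' when a sub-prefix of a baseline prefix is announced by
    an origin other than the one the covering prefix belongs to.
    """
    findings = []
    for prefix, path in updates:
        origin = path[-1]
        propagator = path[-2] if len(path) > 1 else origin
        if prefix in baseline:
            if baseline[prefix] != origin:
                findings.append((prefix, "origin-change", origin, propagator))
        else:
            parent = covering_prefix(prefix, baseline)
            if parent is not None and baseline[parent] != origin:
                findings.append((prefix, "more-specific", origin, propagator))
    return findings


def affected_fraction(findings, baseline):
    """Share of baseline prefixes touched by the findings (networks, not traffic)."""
    touched = {covering_prefix(p, baseline) or p for p, _, _, _ in findings}
    return len(touched) / len(baseline)


def propagators(findings):
    """Upstream AS -> number of bad routes it distributed; the AS whose traffic
    volume would have to be measured to estimate real impact."""
    return Counter(prop for _, _, _, prop in findings)


if __name__ == "__main__":
    found = classify(UPDATES, BASELINE)
    for item in found:
        print("%-18s %-14s origin AS%d via AS%d" % item)
    print("prefixes affected: %.0f%%" % (100 * affected_fraction(found, BASELINE)))
    print("propagators:", dict(propagators(found)))
```

On the constructed input the script reports two bad routes, both originated by AS23724 and both handed onward by AS4134, touching 2 of 5 baseline prefixes. That 40% figure is the same kind of number as the post's 15%: a share of prefixes in the table, which says nothing about how many packets actually followed those routes.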

BackTrack 4 R2 Released


Yes, the time has come again, for a new kernel, and a new release of BackTrack. Codenamed "Nemesis". This release is our finest yet, with faster desktop responsiveness, better hardware support, broader wireless card support and a streamlined work environment.

Bypassing Microsoft's Export Address Table Address Filter (EAF)


In early September this year Microsoft released their Enhanced Mitigation Experience Toolkit v2.0 (EMET), which includes a new “pseudo”-mitigation called Export address table Address Filter (EAF). I decided to have a look at how this mitigation attempts to prevent exploits from succeeding and how an attacker might bypass it. For people that suffer from tl;dr syndrome, I’ve put my conclusion up front:

It is my conclusion that EAF should be effective at preventing most current shellcode from executing and therefore a useful mitigation. However, it is relatively simple to bypass. Proof of concept code to do this can be found here. I expect that if EAF becomes a common mitigation, attackers will update their shellcodes to bypass it. I cannot think of any effective way in which EAF can be updated that would not be relatively simple to bypass as well.


As SkyLined indicates, the post was published and then pulled back, but it stayed in Google's cache and was accessible to anyone who looked for it last week. Thanks to @shazzzam for the heads up on it last week.

This bypass was all but expected by Microsoft, as stated on page 10 of the EMET 2.0 User Guide.

Please note this is a pseudo mitigation designed to break current exploit techniques. It is not designed to break future exploits as well. As exploit techniques continue to evolve, so will EMET.
EAF is just another hoop that the attacker has to jump through, just like the Heapspray Allocation mitigation provided by EMET. Can they be bypassed? Sure. But you have to plan to bypass them first.

In my view, the Mandatory ASLR feature of EMET is one of the most useful mitigations provided by the tool....but sadly, Windows XP doesn't support ASLR, so you will have to be on Windows Vista, Windows Server 2008 or Windows 7 to get the benefits.

Foreign Cyber Spies Target British Defence Official

Via The Register UK -

Foreign spies targeted a senior British defence official in a sophisticated spear phishing operation that aimed to steal military secrets.

The plan was foiled last year when the official became suspicious of an email she received from a contact she had met at a conference.

The official showed the highly personalised message to Ministry of Defence IT experts, who then found the attachment contained malware designed to leak classified material to a foreign intelligence agency.

The MoD declined to comment on the incident, which was briefly discussed at a recent conference by Simon Kershaw, its head of defence security and assurance.

The Register, however, has established that the foreign spies' target was Joanna Hole, who until her retirement in March was the MoD's head of safety and sustainable development. She had responsibility for business continuity and regularly briefed ministers and forces chiefs.

In a previous role, according to her LinkedIn profile, Hole represented the MoD at the highly sensitive COBRA emergency committee.

Kershaw did not name the foreign power behind the operation, but China is the most likely culprit. Its huge online espionage effort was a major motivator of the recent government decision to spend £650m in improved cyber security over four years.

Sunday, November 21, 2010

Clues to Stubborn Secret in C.I.A.’s Backyard

Via NYTimes.com -

It is perhaps one of the C.I.A.’s most mischievous secrets.

“Kryptos,” the sculpture nestled in a courtyard of the agency’s Virginia headquarters since 1990, is a work of art with a secret code embedded in the letters that are punched into its four panels of curving copper.

“Our work is about discovery — discovering secrets,” said Toni Hiley, director of the C.I.A. Museum. “And this sculpture is full of them, and it still hasn’t given up the last of its secrets.”

Not for lack of trying. For many thousands of would-be code crackers worldwide, “Kryptos” has become an object of obsession.


The code breakers have had some success. Three of the puzzles, 768 characters long, were solved by 1999, revealing passages — one lyrical, one obscure and one taken from history. But the fourth message of “Kryptos” — the name, in Greek, means “hidden” — has resisted the best efforts of brains and computers.

And Jim Sanborn, the sculptor who created “Kryptos” and its puzzles, is getting a bit frustrated by the wait. “I assumed the code would be cracked in a fairly short time,” he said, adding that the intrusions on his life from people who think they have solved his fourth puzzle are more than he expected.

So now, after 20 years, Mr. Sanborn is nudging the process along. He has provided The New York Times with the answers to six letters in the sculpture’s final passage. The characters that are the 64th through 69th in the final series on the sculpture read NYPVTT. When deciphered, they read BERLIN.

But there are many steps to cracking the code, and the other 91 characters and their proper order are yet to be determined.

“Having some letters where we know what they are supposed to be could be extremely valuable,” said Elonka Dunin, a computer game designer who runs the most popular “Kryptos” Web page.

Saturday, November 20, 2010

Threat Revealed: Terrorists Believed to Be Planning Attack in Berlin

Via Spiegel.de (Germany) -

SPIEGEL has learned that terrorists may have been planning an attack on the Reichstag, the home of the German parliament and one of the most popular tourist destinations in Berlin. Two suspected culprits are already believed to be in Berlin.

According to information obtained by German security authorities, al-Qaida and associated groups are believed to be planning an attack on the Reichstag building in Berlin, the headquarters of Germany's parliament and also an attraction visited by thousands of tourists every day. As part of the attack, terrorists would seek to take hostages and perpetrate a bloodbath using firearms.

The information about the alleged plans came from a jihadist who is currently abroad and has reportedly contacted the German Federal Criminal Police Office (BKA) several times in recent days. The jihadist apparently wants to abandon the group. The information provided by the jihadist informant was apparently the reason behind German Interior Minister Thomas de Maizière's decision to hold a press conference on Wednesday warning of an imminent attack in the country.

According to the caller, the terror cell is comprised of six people -- two of whom are believed already to have traveled to Berlin six to eight weeks ago, and are now staying in the city. Four other perpetrators -- a German, a Turk, a North African and a further man the jihadist could not identify -- are currently waiting to travel to Germany. The attacks are purportedly being planned for February or March.

The second warning backing de Maizière's concerns came from the United States. The US federal police, the FBI, sent a cable to the BKA two weeks ago noting another possible further attack. A Shiite-Indian group known as the "Saif," or sword, is believed to have engaged in a pact with al-Qaida and to have sent two men to Germany to carry out an attack there.

Both were believed to be traveling to the United Arab Emirates on Nov. 22, where they would be supplied with new travel papers so that they could continue on to Germany. The suspects allegedly already possess visas for Europe's Schengen zone of visa-free travel. The FBI has named Mushtaq Altaf bin-Khadri as the man behind the attack plans.

The man believed to be trying to smuggle the would-be terrorists into Europe is 54-year-old weapons dealer Dawood Ibrahim, who the United Nations believes is a major backer of terrorism. He is considered to be one of the men behind the terror attacks perpetrated in Mumbai in November 2008. The FBI and Germany's BKA both consider the message to be extremely important. However, the US foreign intelligence service, the CIA, and both the German foreign intelligence service, the BND, and its domestic counterpart, the Office for the Protection of the Constitution, are skeptical.



The Congressional Research Service has issued a solid report on the nexus between criminal syndicates and terrorist groups. Entitled "International Terrorism and Transnational Crime: Security Threats, U.S. Policy, and Considerations for Congress," the report has a section devoted to Dawood Ibrahim, the criminal don of South Asia. The report acknowledges that Dawood is aligned with al Qaeda, the Lashkar-e-Taiba, and Pakistan's Inter-Services Intelligence agency.


Page 15 of the CRS report...

Dawood Ibrahim’s D-Company, a 5,000-member criminal syndicate operating mostly in Pakistan, India, and the United Arab Emirates, provides an example of the criminal-terrorism “fusion” model. The U.S. Department of Treasury designated Ibrahim as a Specially Designated Global Terrorist (SDGT) under Executive Order 13224 in October 2003. In June 2006, President George W. Bush designated him, as well as his D-Company organization, as a Significant Foreign Narcotics Trafficker under the Foreign Narcotics Kingpin Designation Act (hereafter “Kingpin Act”). D-Company is reportedly involved in several criminal activities, including extortion, smuggling, narcotics trafficking, and contract killing. The organization has also reportedly infiltrated the Indian film-making industry, extorting producers, assassinating directors, distributing movies, and pirating films.

Application Security Guide for the Acrobat Family of 9.x Products


Most users have reasons to care about security, but in enterprise settings security concerns are heightened by the value of the hardware, software, and data that comprise a company’s network. Administrators need to configure and maintain clients across the organization, and workflow architects need to create secure end-to-end workflows. Caring for the integrity of expensive networked systems and critical data certainly consumes much in the way of IT resources.

This Application Security Guide describes configuration details for the Acrobat family of products, including enhanced security, scripting controls, attachments, and any other features. The primary goal here is to encourage enterprise stakeholders who configure and deploy clients to manage them in a secure way. While the content here is primarily aimed at administrators, other potential audiences include:
  • Workflow owners and IT folks who are responsible for the integrity of their networked environment.
  • Technically savvy end users that need to customize their application’s security capabilities.

Friday, November 19, 2010

Ongoing DDoS Against Abuse.ch Services - ZeuS Tracker & SpyEye Tracker

According to tweets published by @abuse_ch, an ongoing DDoS attack against the name servers of abuse.ch has caused their services to be inaccessible. Their ISP has failed to mitigate the attack at this point.

In the meantime, here are the backup URLs....

ZeuS Tracker -
SpyEye Tracker -

Kudos to Abuse.ch for fighting the good fight. Clearly, the trackers are causing damage which forced these blackhats to waste both bots and money to facilitate the DDoS attack.

Faux-Targeted Attacks and the Magic of Cold Reading


Mass-scale computer attacks are sometimes mistaken for campaigns that target the concerned organization, causing unnecessary stress and expenses. The reason for the confusion is similar to the reason why a fortune teller seems to know so much about the customer whom he just met for the first time.


People are more aware of targeted computer attacks now than a year ago. This is, in part, the result of the publicity associated with the term Advanced Persistent Threat (APT), which highlighted the existence and success of a particular category of targeted attacks.

Targeted computer attacks are scary. It’s very difficult to resist targeted threats. Moreover, they feel very personal: targeted attack scenarios pierce the shield of emotional detachment that security professionals develop after being exposed to numerous security incidents.


Fortune tellers practice the magic of cold reading, whereby they seem to know the person’s history, worries and weaknesses by merely looking at him. They often accomplish this by making generalized statements that are true for most people, with the expectation that the subject will find a way to make the statement apply to himself.

This approach to cold reading relies on the Forer effect, which refers to people’s tendency to accept vague “personality descriptions as uniquely applicable to themselves without realizing that the same description could be applied to just about anyone.”


Computer attackers use a similar approach when social-engineering messages to make them feel personally relevant to victims. A related phenomenon is people’s tendency to see patterns where none were intended; this is called illusory pattern perception.

Taken together, these psychological factors provide an explanation for why individuals believe they might be victims of targeted attacks, even when they are actually dealing with generic mass-scale incidents.

If you believe your organization is dealing with a targeted attack, you’re right to worry. But keep in mind that some attacks that feel targeted, aren’t. Consider all perspectives on the incident before making the diagnosis.

Public Intelligence - Afghan Landscapes

A girl looks South into the mountains surrounding Lower Kajakan Village in the Shinwari District of Afghanistan. Photo by David Elmore of the United States of America.


Check out the Public Intelligence Blog for some other great landscape photos.

Thursday, November 18, 2010

EFF: The Case Against COICA


EFF is deeply disappointed to report that the Senate Judiciary Committee approved the COICA Internet censorship bill this morning, despite bipartisan opposition, and countless experts pointing out how it would be ineffective, unconstitutional, bad for innovation and the tech economy, and would break the Internet.

Notably, Senator Feinstein and Senator Coburn commented on the need for more work on elements of the bill — an important consideration as negotiations shift to the Senate at large. The bill is unlikely to come up again until next session, and in the meantime, we look forward to educating Congress about the dangers in COICA, and joining others to oppose this or any other infringement "solution" that threatens lawful speech online.

Adobe Reader X - Now Available


Since we first announced the development of a sandbox for Adobe Reader on July 20, 2010, there has been a tremendous level of interest in the sandboxing topic — and an equal level of anticipation for Adobe Reader X.


Today, all of the hard work has come to fruition, and we are happy to announce that Adobe Reader X (with Protected Mode, aka sandboxing, on Windows) is now available! To download the new version of Adobe Reader, visit www.adobe.com/reader.

Adobe’s product security initiatives are focused on reducing both the frequency and the impact of security vulnerabilities. Adobe Reader Protected Mode represents an exciting new advancement in mitigating the impact of attempted attacks. While sandboxing is not a security silver bullet, it provides a strong additional level of defense against attacks. Even if exploitable security vulnerabilities are found by an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files or installing malware on potential victims’ computers.

For more information on Adobe Reader X and on Adobe Reader X Protected Mode in particular, see the following blog posts:

Kryptos Artist to Reveal Rare Clue to Baffling CIA Sculpture

Via Wired.com (Threat Level) -

Kryptos sleuths may finally get some help cracking the CIA sculpture that has confounded amateur and professional cryptographers for two decades.

Artist Jim Sanborn, who created the cipher sculpture in 1990 for CIA headquarters in Langley, Virginia, plans to release a new clue to help puzzle detectives solve the last 97 characters of his masterpiece. The new clue is to be revealed in a New York Times article this weekend, to mark the 20th anniversary of the sculpture, which was dedicated Nov. 3, 1990.

It will be the first clue Sanborn has revealed in four years, after he corrected a typo in his sculpture in 2006 to keep crypto detectives from being derailed in their search for solutions.

Sanborn wouldn’t disclose the clue to Threat Level but said only cryptically that it will "globalize" the sculpture. Asked if this meant it would take the sculpture off the CIA grounds and out of the United States, he conceded it would.

"I personally think it’s a significant clue," he said. "I’m throwing it out there. It just makes that many fewer characters people have to figure out."

Sanborn said he’d been thinking about revealing a clue for a long time but couldn’t decide on the right occasion until the 20th anniversary and his birthday coincided in the same month.

"I don’t have that many decades...left in me," the 65-year-old artist said.

The 12-foot-high, verdigrised copper, granite and wood sculpture is inscribed with four encrypted messages, three of which have been solved. The sculpture’s theme is intelligence gathering (Kryptos is Greek for “hidden”).

It features a large block of petrified wood standing upright, with a tall copper plate scrolling out of the wood like a sheet of paper. At the sculpture’s base is a round pool with a fountain pump that sends water in a circular motion around the pool. Carved out of the copper plate are approximately 1,800 letters, some of them forming a table based on an encryption method developed in the 16th century by a Frenchman named Blaise de Vigenère.

Sanborn sells replicas of the sculpture for $150 at the International Spy Museum in Washington, D.C., and other locations.

In 1998, CIA analyst David Stein cracked three of the four messages using paper and pencil and about 400 lunch-time hours. Only his CIA colleagues knew of his success, however, because the agency didn’t publicize it. A year later, California computer scientist Jim Gillogly gained public notoriety when he cracked the same three messages using a Pentium II.
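The Vigenère table carved on the plate is the one the first two passages were solved with: the alphabet along the top is the keyword KRYPTOS followed by the remaining letters, and each row is that alphabet shifted by one. The clue described in the NYT piece above (characters 64 through 69 read NYPVTT and decipher to BERLIN) is a known-plaintext crib, and the first thing a solver does with a crib is ask what key letters it would imply under a candidate cipher. The following is an added example, not code from either article or from the Kryptos solvers it mentions: it implements that keyed tableau, checks it against the published solution of the first passage (keyword PALIMPSEST, which is public knowledge rather than something the articles state), and then applies the crib. Whether the fourth passage uses this tableau at all is unknown, so the key letters it produces are only what the crib would mean if it did.

```python
"""Keyed Vigenere tableau of the Kryptos sculpture, with a crib analysis.

Added example.  The tableau layout and the passage-one solution are taken from
the public Kryptos solutions; the NYPVTT -> BERLIN crib is the one reported
in the NYT article.  Applying the tableau to passage four is a hypothesis,
not a known property of that passage.
"""

# Alphabet across the top of the plate: keyword KRYPTOS, then the rest in order.
KEYED = "KRYPTOSABCDEFGHIJLMNQUVWXZ"
IDX = {ch: i for i, ch in enumerate(KEYED)}


def _clean(text):
    """Keep letters only, upper-cased, as the sculpture has no spaces."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def encrypt(plaintext, keyword):
    """Row chosen by the key letter, column by the plaintext letter, both on KEYED."""
    p, k = _clean(plaintext), _clean(keyword)
    return "".join(KEYED[(IDX[ch] + IDX[k[i % len(k)]]) % 26] for i, ch in enumerate(p))


def decrypt(ciphertext, keyword):
    """Inverse of encrypt: subtract the key letter's index on the same alphabet."""
    c, k = _clean(ciphertext), _clean(keyword)
    return "".join(KEYED[(IDX[ch] - IDX[k[i % len(k)]]) % 26] for i, ch in enumerate(c))


def key_from_crib(ciphertext, plaintext):
    """Given aligned ciphertext and known plaintext, recover the key letters a
    keyed-Vigenere encryption would have used at exactly those positions."""
    c, p = _clean(ciphertext), _clean(plaintext)
    if len(c) != len(p):
        raise ValueError("crib and ciphertext must be the same length")
    return "".join(KEYED[(IDX[a] - IDX[b]) % 26] for a, b in zip(c, p))


# Check vector: the first 32 letters of passage one and their published solution.
K1_CIPHER = "EMUFPHZLRFAXYUSDJKZLDKRNSHGNFIVJ"
K1_PLAIN = "BETWEENSUBTLESHADINGANDTHEABSENC"
K1_KEY = "PALIMPSEST"

# The six characters of passage four disclosed to the NYT, and their plaintext.
K4_CRIB_CIPHER = "NYPVTT"
K4_CRIB_PLAIN = "BERLIN"


def kryptos_crib_key():
    """Key letters the crib implies IF passage four used the passage-one tableau."""
    return key_from_crib(K4_CRIB_CIPHER, K4_CRIB_PLAIN)


if __name__ == "__main__":
    assert encrypt(K1_PLAIN, K1_KEY) == K1_CIPHER
    print("tableau reproduces the passage-one ciphertext")
    print("crib implies key letters:", kryptos_crib_key())
```

The check against passage one is what makes the tableau trustworthy; a crib analysis done with the wrong alphabet produces plausible-looking garbage. Six key letters are a short fragment, and with the position inside a repeating keyword unknown they do not identify a keyword on their own, which is why the article calls the clue valuable rather than decisive.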

Tuesday, November 16, 2010

iPhone Forensics White Paper


This white paper is intended for forensic analysts, corporations and consumers who want to understand what personal information is stored on the iPhone and how to recover it. The research reveals the vast amount of personal information stored on Apple’s iPhone and reviews techniques and software for retrieving this information.

Cybercriminals, Insiders May Work Together To Attack Businesses

Via DarkReading.com -

For 19 months, an employee at Johns Hopkins Hospital allegedly stole patients' identities, feeding the information to four outsiders who used the data to charge up more than $600,000 in goods on store credit. Jasmine Amber Smith, 25, has been charged with using her inside access to fuel the identity theft ring.

Employees working with cybercriminals may not be the norm for security breaches, but it's not a rare crime, either, experts say. It's not unusual for cybercriminals to gain inside access through bribery and solicitation, two components of social engineering, according to Verizon Business' Data Breach Investigations Report. Social engineering accounted for 28 percent of breaches analyzed in the report, with solicitation and bribery leading to nearly a third of those breaches.

"These were scenarios in which someone outside the organization conspired with an insider to engage in illegal behavior," the report says. "They recruit, or even place, insiders in a position to embezzle or skim monetary assets and data, usually in return for some cut of the score."


Because partnerships between cybercriminals and insiders are still uncommon, companies should focus their defenses on mainstream practices and tools for monitoring employee behavior, says Phil Neray, vice president of security strategy for Guardium, an IBM company.

An employee could stay within their authorized limits and still steal from the company, Neray observes.

"The only way to handle that is to rely on other forms of security than just identity and access management," Neray says. "The bad guys may have someone on the inside -- or a copy of the log-in credentials for your most sensitive systems -- so you have to start using anomaly detection, not just at the network level, but at the user-activity level."

Most of the cases of insider cooperation analyzed by Verizon Business -- which included data from the U.S. Secret Service -- involved embezzlement from banks, retailers, or the hospitality industry. Companies in those industries should have policies and technology in place to catch insiders focused on cash.

The report from Forrester found that aerospace, defense, electronics and consulting companies had far more to lose from the theft of corporate secrets. A rogue employee stealing corporate information is generally the most expensive breach, according to that report.

Monday, November 15, 2010

Rule #1 for Pirate Hostages: Don’t Get Stoned

Via Wired.com (Danger Room) -

Don’t get high, don’t piss anyone off, and try to smile every once in a while: These are just some of the handy tips that can help you make your captivity in the hands of Somali pirates more enjoyable.

The waters around the Horn of Africa are getting more dangerous for seafarers. Hijackings by Somali pirates are on the upswing this year, deadly shootouts with mercs and hijack attempts against warships continue and pirates are holding hostages for as long as 13 months. EU Navfor, the European Union’s naval forces countering piracy off the coast of Somalia, has responded to this crisis with a handy pamphlet, “Surviving Piracy Off the Coast of Somalia,” containing all the wisdom you need to make the most of your captivity.

One tip from elementary school is particularly helpful: Just say no to drugs. Khat is a leaf with amphetamine-like effects common in Somalia, particularly among pirates, and may be available to you while detained on board your captured ship. Though borrowing from your captors’ stash may provide you with some “temporary relief” from the drudgery of captivity, it can be bad for your health in the form of an acute pirate beatdown. The “negative effects of withdrawal symptoms and increased tension due to cravings,” the pamphlet warns, can irritate your pirate hosts and result in “unnecessary violence.” In other words, nobody likes a cranky junky, particularly not pirates, so be smart and politely decline if offered drugs.

Adobe to Issue Emergency Updates for Reader, Acrobat


Adobe is planning to release updates for Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh to resolve critical security issues, including CVE-2010-3654 noted in Security Advisory APSA10-05, CVE-2010-4091 referenced in the Adobe PSIRT blog ("Potential issue in Adobe Reader"), and the Adobe Flash Player update as noted in Security Bulletin APSB10-26. Adobe expects to make updates for Windows and Macintosh available on Tuesday, November 16, 2010. An update for UNIX is expected to be available on Monday, November 30, 2010.

Sunday, November 14, 2010

Stuxnet Breakthrough: Frequency Converter Drives


Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we’ve connected a critical piece of the puzzle.

Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.

However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of an S7-300 CPU and a CP-342-5 Profibus communications module.

A frequency converter drive is a power supply that can change the frequency of the output, which controls the speed of a motor. The higher the frequency, the higher the speed of the motor.

The new key findings are:
  • We are now able to describe the purpose of all of Stuxnet’s code.
  • Stuxnet requires particular frequency converter drives from specific vendors, some of which may not be procurable in certain countries.
  • Stuxnet requires the frequency converter drives to be operating at very high speeds, between 807 Hz and 1210 Hz. While frequency converter drives are used in many industrial control applications, these speeds are used only in a limited number of applications.
  • Stuxnet changes the output frequencies and thus the speed of the motors for short intervals over periods of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process.
  • Stuxnet’s requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities.
Stuxnet monitors the current operating frequency of these motors, which must be between 807 Hz and 1210 Hz, before Stuxnet modifies their behavior. Relative to the typical uses of frequency converter drives, these frequencies are considered very high-speed and now limit the potential speculated targets of Stuxnet. We are not experts in industrial control systems and do not know all the possible applications at these speeds, but for example, a conveyor belt in a retail packaging facility is unlikely to be the target. Also, efficient low-harmonic frequency converter drives that output over 600Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment. We would be interested in hearing what other applications use frequency converter drives at these frequencies.

Once operation at those frequencies occurs for a period of time, Stuxnet then hijacks the PLC code and begins modifying the behavior of the frequency converter drives. In addition to other parameters, over a period of months, Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz. Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.
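As an added example (not Symantec's code and not part of the original post), the following Python monitor flags the kind of output-frequency excursion described above in a constructed log of drive readings. It assumes the readings come from a source independent of the PLC (for example the drive's own logging), and the CSV line format and the 50 Hz per-sample step threshold are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Operating band the post says Stuxnet checks for before acting.
NORMAL_MIN_HZ = 807.0
NORMAL_MAX_HZ = 1210.0
# Largest change between consecutive samples treated as normal process
# behaviour (assumed threshold, not from the post; tune per process).
MAX_STEP_HZ = 50.0

@dataclass
class Reading:
    t: int        # seconds since start of log (constructed timebase)
    drive: str    # drive identifier (constructed)
    hz: float     # output frequency reported by the drive

@dataclass
class Alert:
    t: int
    drive: str
    hz: float
    reason: str

def parse_line(line: str) -> Optional[Reading]:
    """Parse one constructed 'time,drive,hz' log line; None if malformed."""
    parts = line.strip().split(",")
    if len(parts) != 3:
        return None
    try:
        return Reading(int(parts[0]), parts[1], float(parts[2]))
    except ValueError:
        return None

def detect_excursions(lines: List[str]) -> List[Alert]:
    """Flag samples outside the 807-1210 Hz band, and in-band samples that
    follow an abrupt jump (e.g. the return from 2 Hz back to 1064 Hz)."""
    alerts: List[Alert] = []
    last: Dict[str, Reading] = {}
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue  # malformed line: skip rather than crash the monitor
        prev = last.get(r.drive)
        if not (NORMAL_MIN_HZ <= r.hz <= NORMAL_MAX_HZ):
            alerts.append(Alert(r.t, r.drive, r.hz, "outside 807-1210 Hz band"))
        elif prev is not None and abs(r.hz - prev.hz) > MAX_STEP_HZ:
            alerts.append(Alert(r.t, r.drive, r.hz, "abrupt setpoint change"))
        last[r.drive] = r
    return alerts

# Constructed sample log: drive-A follows the 1064 -> 1410 -> 2 -> 1064 Hz
# sequence described in the post; drive-B stays steady; one line is garbage.
SAMPLE_LOG = [
    "0,drive-A,1064.0",
    "10,drive-A,1064.2",
    "20,drive-A,1410.0",
    "30,drive-A,2.0",
    "40,drive-A,1064.0",
    "50,drive-A,1064.1",
    "0,drive-B,1000.0",
    "10,drive-B,1001.0",
    "not,a,valid,line",
]
```

Running `detect_excursions(SAMPLE_LOG)` yields three alerts for drive-A (1410 Hz, 2 Hz, and the jump back to 1064 Hz) and none for drive-B.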

With this discovery, we now understand the purpose of all of Stuxnet’s code. We’ve modified our paper, in particular multiple subsections of the Modifying PLCs section, to include the finer details. Since we are far from experts in industrial control systems, we appreciate any feedback or further tips or explanation of some of the data. You can click on my name at the top of the blog post to get in touch.

We’d like to sincerely thank the Dutch Profibus expert who got in touch, serving as the catalyst to this breakthrough in understanding the purpose and potential targets of Stuxnet.

Here is the link to the updated paper.

Friday, November 12, 2010

Koobface: Inside a Crimeware Network


The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and The SecDev Group, Ottawa) announce the release of Koobface: Inside a Crimeware Network by Nart Villeneuve, with a foreword by Ron Deibert and Rafal Rohozinski.

This report (PDF) documents the inner workings of Koobface—a botnet that spreads by compromising the computers of users of social networking platforms and placing them under the control of the botnet’s operators for the purpose of monetization.



Between April and November 2010, the Information Warfare Monitor conducted an investigation into the operations and monetization strategies of the Koobface botnet. The researchers discovered archived copies of Koobface’s infrastructure on a well-known Koobface command and control server. The data revealed a wealth of information about the inner workings of the botnet, including information on the malware, code, and database used to maintain the botnet as well as its monetization strategies. With this data, the Information Warfare Monitor was able to gain an in-depth understanding of how Koobface worked.

Koobface: Inside a Crimeware Network details Koobface’s propagation strategies, counter-security measures, and business model. The report contributes to the cybercrime literature by shedding light on the malware ecosystem that enables and sustains cybercriminal activity, and by demonstrating that it is possible to leverage the mistakes made by cybercriminals in order to better understand the scope of their operations.

Main Findings:
  • Koobface relies on a network of compromised servers that are used to relay connections from compromised computers to the Koobface command and control server. This creates a complex and tiered command and control infrastructure.
  • Koobface maintains a system that uses social networking platforms, such as Facebook, to send malicious links. Social networking platforms allow Koobface to exploit the trust that humans have in one another in order to trick users into installing malware and engaging in click fraud.
  • Koobface exists within a crime-friendly malware ecosystem that consists of buyers and sellers of the tools and infrastructure required to maintain a botnet. Koobface operators rely on relationships with other botnet operators and cybercriminals to sustain their operations.
  • The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs and forcing compromised computers to install malicious software and engage in click fraud, the Koobface operators earned over US$2 million between June 2009 and June 2010.
  • The operators of Koobface are employing technical countermeasures to ensure that the operations of the botnet remain undisrupted. The operators regularly monitor their malicious links to ensure that they have not been flagged as malicious.
  • Botnet operators benefit from the fact that their criminal acts spread across multiple jurisdictions. Issues of overlapping jurisdictions and international politics often complicate investigations and hinder law enforcement and takedown efforts. Furthermore, cross-border investigations are at times hampered by a lack of priority and willingness to respond. This is because criminal activity in any one jurisdiction appears minimal while in fact the sum of Koobface’s criminal activities is significant.

The Subconscious Art of Graffiti Removal



The Subconscious Art of Graffiti Removal is a tongue-in-cheek documentary directed by filmmaker Matt McCormick and narrated by Miranda July, who you might know from Me and You and Everyone We Know.

If you’ve ever admired the arrangement of gray squares on concrete, this video is for you.

Medvedev: Russia's Spies Must Learn From Betrayal

Via Reuters (AP) -

President Dmitry Medvedev told Russia's once mighty spy agency on Friday to put its house in order after a senior spymaster betrayed a network of agents to the United States.

The Foreign Intelligence Service (SVR) is grappling with the network's betrayal by the head of Moscow's deep cover spying operations in the United States, one of Russia's most serious intelligence failures since the end of the Cold War.

"There should be an internal investigation and lessons should be drawn," Medvedev told reporters at a briefing after the Group of 20 summit in Seoul.

Asked about a report in the newspaper Kommersant which broke the story, Medvedev said: "For me the Kommersant publication is not news, I knew about it on the day it happened."

Kommersant identified the man as Colonel Shcherbakov and said he was responsible for unmasking a Russian spy ring in the United States in June. The arrest of its members humiliated Moscow just days after a summit in Washington between Medvedev and President Barack Obama.

The detained agents were exchanged in July for Russians suspected of spying for the West in a Cold War-style spy swap.

They returned to a heroes' welcome in Moscow, singing patriotic songs with Prime Minister Vladimir Putin, himself a former KGB spy, and receiving awards from Medvedev at a private Kremlin ceremony.

Putin said at the time they had been betrayed but the seniority of the U.S. mole and the fact that Shcherbakov was able to slip out of Russia have added to speculation that SVR chief Mikhail Fradkov could be sacked.

"The alleged spy was a senior Russian official and thus one with great access to highly sensitive information, such as the identities and operations of operatives in the United States," said Jay LeBeau, a former CIA official.

"He would have been in a position to do enormous damage to Russian intelligence interests.

"One can be sure that this fellow provided his U.S. handlers with other information as well."

The failure has weakened the spy agency's position in Moscow, prompting a debate about whether it should be merged with the Federal Security Service (FSB), the main successor of the Soviet-era KGB.

Monday, November 8, 2010

Danger to IE Users Climbs as Hacker Crimeware Kit Adds Exploit

Via NetworkWorld -

An exploit of an unpatched Internet Explorer vulnerability has been added to a popular crimeware kit, a move that will probably push Microsoft to fix the flaw with an emergency update, a security researcher said Sunday.

Meanwhile, a prominent vulnerability expert has sided with Microsoft, which has said the bug will be difficult to exploit in Internet Explorer 8 (IE8), the most popular version of the company's browser.

Last week, Microsoft warned users of its IE6, IE7 and IE8 browsers that hackers were already exploiting a vulnerability in the programs by tricking them into visiting malicious or compromised Web sites. Once at such a site, users were subjected to a "drive-by" attack that required no action on their part to succeed.

Symantec was the first to report the IE bug to Microsoft after the antivirus vendor captured spam posing as hotel reservation notifications sent to select individuals within several organizations.

On Sunday, Roger Thompson, chief research officer of AVG Technologies, said that an exploit for the newest IE flaw had been added to the Eleonore attack kit, one of several readily-available toolkits that criminals plant on hacked Web sites to hijack visiting machines, often using browser-based attacks.

"This raises the stakes considerably, as it means that anyone can buy the kit for a few hundred bucks, and they have a working zero-day," said Thompson on his company's blog.

Microsoft has promised to patch the vulnerability, but last week said that the threat didn't warrant an "out-of-band" update, the company's term for a fix outside the usual monthly Patch Tuesday schedule. Microsoft will deliver three security updates Nov. 9, but won't fix the IE bug then.

Thompson disagreed with Microsoft's assessment.

"I think they'll have to [do an out-of-band update]," Thompson said via instant message on Sunday when asked to bet whether Microsoft will release an IE fix before Dec. 14, the next regularly-scheduled patch date after Tuesday. "I expect attacks will accelerate."

However, AVG -- like Microsoft and Symantec -- has so far seen only a small number of attacks leveraging the vulnerability.

The exploit added to Eleonore may have been cadged from the Metasploit open-source penetration testing kit. Last Thursday, researcher Joshua Drake added an exploit module for the IE bug to Metasploit.

"We do see a lot of exploits essentially cut and pasted from Metasploit [proof-of-concepts]," said Thompson.

Microsoft has urged IE users to enable DEP, or data execution prevention, for IE7, use IE8 or IE9, or run one of its automated "Fix-it" tools to add a custom CSS template to their browsers as protection until a patch is available.

Sunday, November 7, 2010

Introducing: SpyEye Tracker


The SpyEye Tracker is another project by abuse.ch. It is similar to the ZeuS Tracker with the slight difference that SpyEye Tracker tracks and monitors malicious SpyEye Command&Control Servers (and not ZeuS C&Cs). SpyEye Tracker provides blocklists in different formats (e.g. for Squid Web-Proxy or iptables) to prevent infected clients from accessing the C&C servers. Additionally, SpyEye Tracker should help ISPs, CERTs and Law Enforcement to track malicious SpyEye C&C servers that are their responsibility.


Excellent move to keep the pressure on the criminal underground that utilizes these trojans.

As a funny side note, at least one of the comments posted on the ZeuS/SpyEye merger thread [on the underground forums] highlighted the fact that a SpyEye tracker didn't exist and thus SpyEye was more "hidden" than ZeuS.

Gap filled.

Saturday, November 6, 2010

10 Reasons Why Blocking Awlaki Youtube Speeches is Counter-Productive


Interesting article by Howard Clark discussing the possible negative effects of censoring Anwar al-Awlaki's speeches on YouTube. Fighting radicalisation is a tricky area.

In a positive move, a Yemeni judge issued an order on Nov 6th that Anwar al-Awlaki be caught dead or alive, for alleged links to al-Qaeda and involvement in the killing of foreigners.

Friday, November 5, 2010

Hackers Break into OECD Computer System

Via EUObserver.com -

The OECD, the Paris-based club of the world's 33 richest countries, has been successfully hacked by people looking for sensitive information on money laundering, high-level corruption and tax evasion.

OECD spokesman Stephen Di Biasio told EUobserver by phone from France on Thursday (4 November) that the body first detected "unusual" activity in its IT network in August and is still battling to get malware out of its computers three months later despite calling in help from the French security services and private cyber-defence companies.

"We've got a team trying to close down their points of entry, but we're not in a position today to say we've cleared them out of our system," he said.

"What we know is it's quite a sophisticated attack. We've got quite high levels of security protocols at the OECD and this has been able to bypass those security measures ... What we are seeing is that it's not a destructive attack. It's obviously fishing for information. Because the OECD works in such a broad array of areas, they are searching around to see what they can get."

Mr Di Biasio said the malware appears to have got in via a USB memory stick and that the attacks are coming from "different geographical areas, quite a few points in Asia." He was unable to say if the assault involves a government or a private entity.

"The suspicion is it came in via USB keys. Our agents travel around the world. They often go to conferences - there are exchanges of information, exchanges of USB keys."

The OECD describes itself as a body which "brings together the governments of countries committed to democracy and the market economy." It collects economic data and conducts inter-governmental talks on issues including high-level government and corporate corruption, money laundering and tax evasion. Its members include 20 EU countries, as well as Canada, Israel, Japan, Switzerland, Turkey and the US.