Monday, July 26, 2010

Apple Loses Big in DRM Ruling: Jailbreaks are "Fair Use"

Via arstechnica.com -

Every three years, the Library of Congress has the thankless task of listening to people complain about the Digital Millennium Copyright Act. The DMCA forbade most attempts to bypass the digital locks on things like DVDs, music, and computer software, but it also gave the Library the ability to wave its magical copyright wand and make certain DRM cracks legal for three years at a time.

This time, the Library went (comparatively) nuts, allowing widespread bypassing of the CSS encryption on DVDs, declaring iPhone jailbreaking to be "fair use," and letting consumers crack their legally purchased e-books in order to have them read aloud by computers.

[...]

Other, broader exemptions were not allowed. Bypassing the DRM on purchased music when the authentication servers have gone dark? Still illegal. Bypassing the DRM on streaming video in order to watch it on non-supported platforms? Nope.

But the exemptions that did make it were carefully thought out and actually helpful this time around. That's the good news. The bad news is that they must be re-argued every three years, and the Library has taken so long getting its most recent ruling out that the next review happens just two years from now.

So enjoy your exemptions while you can.

Hole 196: WPA2 Security Vulnerability Discovered

Via NetworkWorld.com -

Perhaps it was only a matter of time. But wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardized and available.

Malicious insiders can exploit the vulnerability, named "Hole 196" by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried.

Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network and compromise other authorized devices using open source software, according to AirTight.

The researcher who discovered Hole 196, Md Sohail Ahmad, AirTight technology manager, intends to demonstrate it at two conferences taking place in Las Vegas next week: Black Hat Arsenal and DEF CON 18.

[...]

The ability to exploit the vulnerability is limited to authorized users, AirTight says. Still, year-after-year security studies show that insider security breaches continue to be the biggest source of loss to businesses, whether from disgruntled employees or spies who steal and sell confidential data.

What can we do about Hole 196?

"There's nothing in the standard to upgrade to in order to patch or fix the hole," says Kaustubh Phanse, AirTight's wireless architect who describes Hole 196 as a "zero-day vulnerability that creates a window of opportunity" for exploitation.

Stuxnet: Iran Targeted by SCADA Worm

Via NetworkWorld.com -

Computers in Iran have been hardest hit by a dangerous computer worm that tries to steal information from industrial control systems.

According to data compiled by Symantec, nearly 60 percent of all systems infected by the worm are located in Iran. Indonesia and India have also been hard-hit by the malicious software, known as Stuxnet.

Looking at the dates on digital signatures generated by the worm, the malicious software may have been in circulation since as long ago as January, said Elias Levy, senior technical director with Symantec Security Response.

Stuxnet was discovered last month by VirusBlokAda, a Belarus-based antivirus company that said it found the software on a system belonging to an Iranian customer. The worm seeks out Siemens SCADA (supervisory control and data acquisition) management systems, used in large manufacturing and utility plants, and tries to upload industrial secrets to the Internet.

Symantec isn't sure why Iran and the other countries are reporting so many infections. "The most we can say is whoever developed these particular threats was targeting companies in those geographic areas," Levy said.

The U.S. has a long-running trade embargo against Iran. "Although Iran is probably one of the countries that has the worst infections of this, they are also probably a place where they don't have much AV right now," Levy said.

Killed by Code: Software Transparency in Implantable Medical Devices

http://www.softwarefreedom.org/resources/2010/transparent-medical-devices.html

Abstract

Software is an integral component of a range of devices that perform critical, lifesaving functions and basic daily tasks. As patients grow more reliant on computerized devices, the dependability of software is a life-or-death issue. The need to address software vulnerability is especially pressing for Implantable Medical Devices (IMDs), which are commonly used by millions of patients to treat chronic heart conditions, epilepsy, diabetes, obesity, and even depression.

The software on these devices performs life-sustaining functions such as cardiac pacing and defibrillation, drug delivery, and insulin administration. It is also responsible for monitoring, recording and storing private patient information, communicating wirelessly with other computers, and responding to changes in doctors’ orders.

The Food and Drug Administration (FDA) is responsible for evaluating the risks of new devices and monitoring the safety and efficacy of those currently on market. However, the agency is unlikely to scrutinize the software operating on devices during any phase of the regulatory process unless a model that has already been surgically implanted repeatedly malfunctions or is recalled.

The FDA has issued 23 recalls of defective devices during the first half of 2010, all of which are categorized as “Class I,” meaning there is “reasonable probability that use of these products will cause serious adverse health consequences or death.” At least six of the recalls were likely caused by software defects.1 Physio-Control, Inc., a wholly owned subsidiary of Medtronic and the manufacturer of one defibrillator that was probably recalled due to software-related failures, admitted in a press release that it had received reports of similar failures from patients “over the eight year life of the product,” including one “unconfirmed adverse patient event.”2

Despite the crucial importance of these devices and the absence of comprehensive federal oversight, medical device software is considered the exclusive property of its manufacturers, meaning neither patients nor their doctors are permitted to access their IMD’s source code or test its security.

[...]

We at the Software Freedom Law Center (SFLC) propose an unexplored solution to the software liability issues that are increasingly pressing as the population of IMD-users grows--requiring medical device manufacturers to make IMD source-code publicly auditable. As a non-profit legal services organization for Free and Open Source (FOSS) software developers, part of the SFLC’s mission is to promote the use of open, auditable source code5 in all computerized technology. This paper demonstrates why increased transparency in the field of medical device software is in the public’s interest. It unifies various research into the privacy and security risks of medical device software and the benefits of published systems over closed, proprietary alternatives. Our intention is to demonstrate that auditable medical device software would mitigate the privacy and security risks in IMDs by reducing the occurrence of source code bugs and the potential for malicious device hacking in the long-term. Although there is no way to eliminate software vulnerabilities entirely, this paper demonstrates that free and open source medical device software would improve the safety of patients with IMDs, increase the accountability of device manufacturers, and address some of the legal and regulatory constraints of the current regime.

Saturday, July 24, 2010

Video of Times Square Bomber Faisal Shahzad with Taliban Commander Hakimullah Mehsud

Via The Long War Journal -

Failed Times Square car bomber Faisal Shahzad is seen embracing and shaking hands with Pakistani Taliban leader Hakeemullah Mehsud in a short videoclip.

In the previously unseen video, published by Flashpoint Partners yesterday, Shahzad and Hakeemullah are shown in front of a banner of the Movement of the Taliban in Pakistan [view video at Flashpoint Partners]. They rise, embrace, and shake hands, while Shahzad's voice is overlaid on the tape saying he executed the attack under the command of Hakeemullah, who answers to Mullah Omar.

"Today, along with the leader of Tehrik-e-Taliban Pakistan Hakeemullah Mehsud and under the command of Amir al-Mumineen Mullah Mohammed Omar Mujahid (may Allah protect him), we are planning to wage an attack on your side, inshallah (god willing)," Shahzad said.

"Amir al-Mumineen" means "the leader of the faithful." Mullah Omar is recognized as the Amir al-Mumineen by Taliban commanders on both sides of the Afghan-Pakistani border.

Shahzad had previously told the FBI that he had met Hakeemullah in the Waziristan region in Pakistan's lawless tribal areas.

Some US intelligence officials were dismissive of Shahzad's claims that he met Hakeemullah, and initially doubted that the Pakistani Taliban were even involved in the Times Square bomb plot.

It is unclear if the videoclip released by Flashpoint Partners is part of the 40-minute martyrdom tape that emerged on July 14. Al Arabiya released clips of the Shahzad martyrdom tape, but the full version has yet to be published. In that video segment, Shahzad said that waging jihad was a pillar of Islam and that Muslims had a duty to take up arms against the West and Muslim governments.

--------------------------------------------------

In the last year, videos by AQ (AQAP and AQ Core) have increasingly pushed jihadists to strike targets close to them with simple assaults, advising them not to wait.

According to STRATFOR, these calls are part of a move toward a leaderless resistance model of jihadism that has accompanied the devolution of the jihadist threat from one based on al Qaeda the group to a broader threat based primarily on al Qaeda franchises and the wider jihadist movement.

AQAP calls this leaderless resistance 'Open Source Jihad', and has even devoted an entire section of its online 'Inspire' magazine to it.

Even with this devolution taking place, several recent attacks against the West have been found to have connections to overseas groups related to AQ.

Charlie Szrom @ criticalthreats.org stated the following:

We should not expect al Qaeda-linked attacks against the West to occur independently of one another. Instead, the network of violent Islamist movements led by al Qaeda produces and manages attacks against the West through a three-phase terror attack assembly line: recruiting, pre-deployment and training, and coordination with deployed operatives prior to attacks.

[...]

Evidence from the subway and Manchester plots reveals that al Qaeda coordinators play a guiding role in preparing attacks against the West as part of what appears to be the third phase of an al Qaeda terror attack assembly line. First, al Qaeda and its affiliates try to recruit English-speaking individuals with visas, residency permits, or citizenship in Western countries. This entails encouraging extremism among targeted recruits and providing individuals who have already become radicalized with the tools to act upon their militant beliefs. Second, the network trains and deploys potential recruits in safe havens around the world. Third, the network coordinates, supports, and directs operations while the recently trained al Qaeda-linked operatives are on the ground in targeted countries.

This may not apply to all cases of Islamist terrorism. Nidal Hasan, for example, despite expressing grievances common to Islamist terrorists and communicating with al Qaeda-linked cleric Anwar al Awlaki, does not appear to have received direct coordination for the assault he launched upon soldiers at Fort Hood. These three phases do provide, however, a rough rubric to help one understand how the al Qaeda network appears to launch most attacks against the West.

Hezbollah Spies via Facebook

Via Terror Wonk Blog -

In an excellent article in The Washington Times, UPI’s Shaun Waterman described a “red team” activity in which a security consultant created a false persona on Facebook that appeared to be attractive young woman who was working in cyber defense. She quickly garnered hundreds of friends in the national security community, as well as job offers and invites to conferences. In the process she gathered a great deal of sensitive materials such as inadvertently exposed passwords.

This is not a hypothetical concern – Hezbollah (long a terrorism pioneer) has already employed this strategy. According to the Israeli news site MySay:

The Hizbullah agent pretended she was an Israeli girl named “Reut Zukerman”; “Reut” succeeded during several weeks to engage more than 200 reserve and active personnel.

The Hizbullah agent gained the trust of soldiers and officers who didn’t hesitate to confirm him as a “friend” once they saw he/she was friends with several of their friends from the same unit. Most of them assumed that “Reut” was just another person who served in that elite intelligence unit.

In this way, Hizbullah collected information about the unit’s activity, names and personal details of its personnel, the unit’s slang, and visual information on its bases. This user / agent using Facebook is an example of a trend called fakebook.

The picture attached to “Reut Zukerman” was, of course, an appealing young woman (some tricks are timeless).

North Korea Vows Nuclear Response to U.S.-Seoul Drills

Via MSNBC.com -

North Korea warned Saturday that it will respond with "powerful nuclear deterrence" to joint U.S. and South Korean military exercises poised to begin this weekend, saying the drills amount to a provocation that cannot be ignored.

North Korea routinely threatens war when South Korea and the U.S. hold joint military drills, which Pyongyang sees as a rehearsal for an attack on the North. The latest threat comes amid increased tensions on the peninsula over the deadly sinking of a South Korean warship that Seoul and Washington blame on Pyongyang.

[...]

North Korea vehemently denies any involvement and says any punishment would trigger war.

On Saturday, North Korea's powerful National Defense Commission — headed by leader Kim Jong Il — backed that threat up by promising a "retaliatory sacred war" against South Korea and the U.S. for what it called a second "unpardonable" provocation after wrongly accusing the North in the Cheonan incident.

"The army and people of the (North) will legitimately counter with their powerful nuclear deterrence the largest-ever nuclear war exercises," the commission said in a statement carried by the country's official Korean Central News Agency.

A day earlier in Hanoi, a North Korean spokesman for the delegation attending a regional security conference warned the drills would draw a "physical response" from Pyongyang.

Friday, July 23, 2010

Pentagon Pushes for Near-Perfect Regenerative Medicine

Via Wired (Danger Room) -

Military-funded research is already behind some of the most cutting-edge regenerative science. Extreme projects, like bone-fusing cement and muscle-growing cell scaffolds, are rolling into human trials thanks to a $12 million Pentagon grant earlier this year, and Darpa-funded scientists have made rapid strides toward regrowing human limbs.

But the military’s not done yet: The Office of the Secretary of Defense is soliciting small business proposals for two new projects to transform the regeneration of damaged tissue and cartilage, which afflict 85 percent of injured troops in Iraq and Afghanistan.

LNK Vulnerability in Windows: Attack Wave Approaches

Via H-Online.com -

The critical vulnerability in the code for processing short-cuts (.lnk files) in all versions of Windows remains unpatched, attracting a growing number of exploits. At least two further malicious programs are now targeting the vulnerability, and the number of undetected cases is likely to be much higher. While the first .lnk trojan, Stuxnet, appeared to be the result of professional industrial espionage, new worms are not as selective in terms of their targets.

[...]

A few days ago, Microsoft added that specially crafted short-cuts for executing malicious code can also be embedded in Office documents. Furthermore, .lnk files are not the only file type affected: According to Microsoft's updated advisory, PIFs (Program Information Files) are also vulnerable. Core Security said it had found a way of exploiting the hole via emails, although the security firm hasn't provided any details.

--------------------------------------------------

http://blog.eset.com/2010/07/22/new-malicious-lnks-here-we-go

These new families represent a major transition: Win32/Stuxnet demonstrates a number of novel and interesting features apart from the original 0-day LNK vulnerability, such as its association with the targeting of Siemens control software on SCADA sites and the use of stolen digital certificates. However, the new malware we're seeing is far less sophisticated, and suggests bottom feeders seizing on techniques developed by others.

Couple Charged Over Hybrid Car Industrial Espionage Plot

Via The Register UK -

A Michigan couple faces charges of stealing industrial secrets on hybrid cars from GM before attempting to sell the data to a Chinese auto manufacturer.

Yu Qin, 49, and his wife, Shanshan Du, 51, of Troy, Michigan have been charged with four offences, including unauthorised possession of trade secrets and wire fraud under an indictment unsealed on Thursday. GM reportedly places a value of $40m on the stolen documents.

Former GM worker Du allegedly copied thousands of sensitive documents onto a hard disk after she was offered a severance agreement in January 2005. This hard drive was used by Millennium Technology International, a firm run by the two defendants, which months later allegedly offered hybrid vehicle technology to Chery Automobile in China.

-----------------------------------------------

http://www.justice.gov/usao/mie/press/2010/2010_7_22_yqin_et_al.pdf

Thursday, July 22, 2010

The Hackers Behind Stuxnet

Via Symantec Security Response Blog -

W32.Stuxnet has received a lot of media attention over the last few days. This incident provides almost a complete case study of how these attacks succeed and how they will probably be used in the future. A successful attack allowed the attacker to steal confidential SCADA design and usage documents.

Let’s start by saying we don’t know who is behind the attack, and historically discovering this is very rare. However, if someone proposed this type of attack a month ago, while we would have agreed it was theoretically possible, most would have dismissed such an attack as a movie-plot scenario. Furthermore, attacks of this nature are rarely disclosed publicly.

We know that the people behind this attack aren’t amateurs, but their final motive is unclear.

The principal facts in this case are:

  • The attackers discovered and used a zero-day vulnerability affecting all versions of Microsoft Windows.
  • They developed and used a rootkit to hide their presence.
  • They targeted software which is used to control industrial assets and processes; deep knowledge on the product internals was utilized.
  • The hackers were able to sign their files using a legitimate digital certificate from an innocent third party. This digital certificate expired in June but a new driver appeared in July; it was also digitally signed using a digital certificate from another company. Both of these companies have offices in Taiwan. The hackers either stole private keys or were able to get their files signed. The attackers may have more compromised digital signatures.
  • The hackers did not use a targeted means of attack. Instead, the threat replicates to USB keys and can infect any Windows computer.

The zero-day vulnerability, rootkit, main binaries, stolen digital certificates, and in-depth knowledge of SCADA software are all high-quality attack assets. The combination of these factors makes this threat extremely rare, if not completely novel.

Researchers Will Turn Google And Bing Into Web Bug Warning System

Via Firewall Blog (Forbes.com) -

Before last January's Chinese cyberspying scandal, "Google hacking" meant something rather different. For years, hackers have used the search engine to probe for security vulnerabilities around the Web: Search for certain lines of buggy code, and Google's results turn up hundreds of sites that are ripe for exploits.

Now two researchers hope to revive Google hacking in that original sense, and take it one step further. Rob Ragan and Francis Brown, two researchers at security consulting firm Stach & Liu, plan to debut a new set of tools at the Black Hat conference next week aimed at converting Google and Bing into a sort of automated early warning system for Web hacks around the globe.

They plan to debut "Google Hack Alert" and "Bing Hack Alert," two RSS feeds that will monitor a database of known Web vulnerability search strings and use the two search engines to periodically comb the Internet for those flaws. They're also releasing a set of free applications for iPhone, Android, and Windows that Brown and Ragan call "Google Diggity" and "Bing Diggity." Those apps will allow network administrators to narrow their searches to any domains or IP ranges they'd like, turning the tools into a scanning system for their company's Web-based vulnerabilities. Bug searches will be cached, so that users can check for the presence of flaws historically, too.

[...]

"It's impractical to ask people to run a manual Google hacking search [as a defensive measure on their own network] on some kind of regular basis," says Ragan. "But if you're running Google Hack alerts and it finds something relevant, that's the best defense mechanism to know that there's sensitive information potentially leaking from your site."

Wednesday, July 21, 2010

LNK Vulnerability: Embedded Shortcuts in Documents

http://www.f-secure.com/weblog/archives/00001994.html

Microsoft has updated Security Advisory 2286198 (version 1.2).

It's quite evident that the folks at Microsoft are working very diligently on this issue. Our concerns have been addressed and the advisory no longer lists Windows 7 AutoPlay as a mitigation. We thank them for this clarification.

And now the bad news.

Version 1.2 of the advisory has an important new detail:

"An exploit can also be included in specific document types that support embedded shortcuts."

This really expands the potential reach of the LNK vulnerability. Depending on the ease with which documents can be utilized, we will now almost certainly see targeted attack attachments via e-mail messages.

[...]

Let's review the workarounds listed in the advisory.

• Disable the displaying of icons for shortcuts
• Disable the WebClient service
• Block the download of LNK and PIF files from the Internet

Microsoft Support has a Knowledge Base Article which includes their one click "Fix it" buttons for disabling shortcut functionality.

Everyone should review this new information and evaluate it for their environment while Microsoft continues their work to develop a security update.
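As an added illustration (not part of the F-Secure post, and not Microsoft's "Fix it"), here is a PowerShell audit that reports whether the first two workarounds are actually in effect on a host. It assumes the shortcut icon handler is registered under HKCR\lnkfile\shellex\IconHandler and HKCR\piffile\shellex\IconHandler, the keys the advisory walks through (verify against the current advisory text before relying on it), and it only reports the third workaround as "not checked", since blocking .LNK/.PIF downloads is enforced at the proxy or mail gateway rather than on the endpoint. It uses Get-WmiObject so it runs on the PowerShell 2.0 hosts of the day.

```powershell
# Added example: audits the endpoint-side workarounds from Microsoft Security
# Advisory 2286198. Not Microsoft's code; the registry paths are an assumption
# taken from the advisory's manual steps and should be checked against it.

function Test-IconHandlerCleared {
    param([string]$FileClass)   # 'lnkfile' or 'piffile'
    $key = "Registry::HKEY_CLASSES_ROOT\$FileClass\shellex\IconHandler"
    if (-not (Test-Path $key)) { return $true }          # no key, no handler to load
    $default = (Get-ItemProperty -Path $key).'(default)'
    # The workaround blanks the handler CLSID, so Explorer stops parsing icon paths.
    return [string]::IsNullOrEmpty($default)
}

function Test-WebClientDisabled {
    # The public exploit module serves the malicious DLL over a WebDAV UNC path,
    # which is what the WebClient service resolves. It must be stopped AND set to
    # Disabled, otherwise a UNC access can demand-start it again.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'"
    if ($svc -eq $null) { return $true }                  # service not installed
    return ($svc.State -ne 'Running') -and ($svc.StartMode -eq 'Disabled')
}

function Get-LnkWorkaroundStatus {
    $rows = @()
    $rows += New-Object PSObject -Property @{
        Workaround = 'Icon handler cleared for .LNK (HKCR\lnkfile)'
        InEffect   = Test-IconHandlerCleared 'lnkfile' }
    $rows += New-Object PSObject -Property @{
        Workaround = 'Icon handler cleared for .PIF (HKCR\piffile)'
        InEffect   = Test-IconHandlerCleared 'piffile' }
    $rows += New-Object PSObject -Property @{
        Workaround = 'WebClient service stopped and disabled'
        InEffect   = Test-WebClientDisabled }
    $rows += New-Object PSObject -Property @{
        Workaround = 'LNK/PIF downloads blocked at gateway'
        InEffect   = 'not checked here (proxy / mail filter policy)' }
    return $rows
}

# Run elevated so the registry and service queries are not silently incomplete.
Get-LnkWorkaroundStatus | Format-Table Workaround, InEffect -AutoSize
```

The icon-handler check is the one people get wrong: if the (Default) value still holds a CLSID, Explorer will keep loading the icon path from any shortcut it renders, whether the file came from a USB stick, a WebDAV share or an embedded object in a document. Expect every shortcut on the machine to show a generic icon once the value is blanked; that is the cost the advisory accepts until the update ships, and the exported key restores the original behaviour afterwards.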

Tuesday, July 20, 2010

Researcher Pinpoints Widespread Common Flaw Among VxWorks Devices

Via DarkReading.com -

Renowned researcher HD Moore next week will reveal how a misconfiguration by developers using the VxWorks operating system found in many embedded systems has left a trail of vulnerable products across various vendors' products.

Moore, who is also the chief security officer and Metasploit chief architect at Rapid7, so far has found some 200 to 300 different products connected to the Internet that contain a diagnostics service or feature from VxWorks that leaves them susceptible to getting hacked. These devices include VoIP equipment and switches, DSL concentrators, industrial automation systems for SCADA environments, and Fibre Channel switches.

[...]

Moore says some of the devices he discovered while scanning for the flaw using a new Metasploit module he built may have firmware updates available to them, but may not have been applied and thus were left vulnerable. He says his research is mainly aimed at user awareness: "Even if there are firmware [updates that would fix this], no one looks for them," he says. He says the flaw is basically a weakness or misconfiguration.

VxWorks is found in all kinds of embedded systems, everything from printers to automobiles, airplanes, and robots. "The less networked the device is, the higher chance of this service being left exposed as it would reduce the perceived risk to an attack," Moore says.

For an enterprise perspective of the problem, Moore enlisted the help of a few friends, who ran a scan with his Metasploit tool internally and found several instances of the VxWorks flaw in their networks. "They found mostly storage and backup gear. If that goes offline, it's a huge deal. Business continuity is a huge issue for them," Moore says.

Although he's saving many of the nitty-gritty details for his talks next week in Las Vegas at Security BSides and Defcon, Moore says Dell and HP are among the vendors with products that contain this misconfiguration flaw.

Moore will present two demos of how an attacker could exploit the service. In the first demo, he'll show an exploit that modifies the memory settings in a D-Link DVC1000 videoconferencing system and can automatically answer videoconferencing calls. "It can be a remote spy device," Moore says. D-Link officially stopped selling the system in 2008, but the product is still in use, he notes.

His second demo will be an exploit that goes after an Apple Airport Extreme running the factory-firmware version. The attack steals the administrative password from the device's memory, allowing the attacker to log in remotely from the WAN.

Look for a new Metasploit exploit toolkit for VxWorks to arrive after Defcon as a result of Moore's new research. And on Aug. 2, CERT will publish two advisories on the flaws in VxWorks products, he says. "We will likely follow up with [an advisory] of our own, as well as information on how to test for the flaws," Moore says. They also may withhold detailed exploit modules for 30 more days to give users a chance to get patched, he says.

ICS-CERT: USB Malware Targeting Siemens Control Software

The DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released an advisory (PDF) related to the Stuxnet rootkit case.

In addition, Siemens has recently released guidance regarding the Stuxnet worm:
The internal system authentication from WinCC to the Microsoft SQL database is based on pre-defined access data. This data is not visible for the customer and is used as an internal system mechanism for communication between the WinCC system components and the database. Changing the access data would impede communication between WinCC and the database and is therefore not recommended. Tightening up authentication procedures is being examined.

[...]

A tool specially developed for Siemens by TREND MICRO, which detects the new Trojan and requires very limited system resources, is currently being subjected to a system test to check its compatibility with Simatic software and will be made available after the test has been completed.

DNSSEC Now Fully Deployed on the Internet Root

Via GCN.com -

Operators of the Internet’s authoritative root zone last week completed deployment of enhanced security protocols at the top level of the Domain Name System.

The Internet’s 13 root zone DNS servers have been digitally signed using the DNS Security Extensions (DNSSEC) since May. On July 15 the signed root zone was made available and a trust anchor was published with cryptographic keys that will allow users to verify the authenticity of DNS address requests.

To be fully effective DNSSEC must be deployed throughout the Internet’s domains, but the publication of the trust anchor for the Internet root means it now is possible to begin linking together the “islands of trust” that have been created by the deployment of DNSSEC in isolated domains, such as .gov and .org.

[...]

DNSSEC provides a layer of security in the Internet by using cryptographic digital signatures to authenticate responses to DNS queries. The effort by NTIA, VeriSign and the Internet Corp. for Assigned Names and Numbers to deploy DNSSEC in the root zone has been called the biggest structural improvement to the DNS in 20 years.

Digitally signed responses to DNS queries that can be cryptographically validated are more difficult to spoof or manipulate. This can help to combat attacks such as pharming, cache poisoning, and DNS redirection that are used to commit fraud and identity theft and to distribute malware.
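Added example, not from the GCN article or from any DNSSEC implementation, showing the link that lets the "islands of trust" be joined once the root is signed. A parent zone vouches for a child's key by publishing a DS record: a key tag (RFC 4034 Appendix B) plus a SHA-256 digest over the child's owner name in wire format followed by the DNSKEY RDATA (RFC 4034 / RFC 4509). A validator that trusts the parent (ultimately, the root trust anchor) accepts a child DNSKEY only if it matches that DS. The public-key bytes below are constructed placeholders, not a real key, and the RRSIG signature checks that sit on top of this linking step are not shown here.

```powershell
# Added example: DS-to-DNSKEY linking as used by a DNSSEC validator.
# Constructed sample data; "example." and the key bytes are placeholders.

function ConvertTo-WireName {
    # "example." -> 0x07 "example" 0x00 (labels are length-prefixed, name lowercased)
    param([string]$Name)
    $out = New-Object 'System.Collections.Generic.List[byte]'
    foreach ($label in ($Name.ToLowerInvariant().TrimEnd('.') -split '\.')) {
        if ($label.Length -eq 0) { continue }            # the root name has no labels
        $labelBytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $out.Add([byte]($labelBytes.Length))
        $out.AddRange($labelBytes)
    }
    $out.Add([byte]0)                                    # terminating root label
    return ,$out.ToArray()
}

function New-DnskeyRdata {
    # RDATA = flags (2 bytes, big-endian) | protocol (always 3) | algorithm | public key
    param([int]$Flags, [int]$Algorithm, [byte[]]$PublicKey)
    $rdata = New-Object 'System.Collections.Generic.List[byte]'
    $rdata.Add([byte]([math]::Floor($Flags / 256)))
    $rdata.Add([byte]($Flags % 256))
    $rdata.Add([byte]3)
    $rdata.Add([byte]$Algorithm)
    $rdata.AddRange($PublicKey)
    return ,$rdata.ToArray()
}

function Get-KeyTag {
    # RFC 4034 Appendix B: 16-bit ones-complement-style sum over the RDATA.
    param([byte[]]$Rdata)
    $ac = 0
    for ($i = 0; $i -lt $Rdata.Length; $i++) {
        if (($i % 2) -eq 0) { $ac += [int]$Rdata[$i] * 256 } else { $ac += [int]$Rdata[$i] }
    }
    $ac += [int][math]::Floor($ac / 65536) -band 0xFFFF
    return $ac -band 0xFFFF
}

function Get-DsDigest {
    # Digest type 2 (SHA-256) over owner-name-wire-format || DNSKEY RDATA.
    param([string]$Owner, [byte[]]$Rdata)
    $data = [byte[]]((ConvertTo-WireName $Owner) + $Rdata)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    return (($sha.ComputeHash($data) | ForEach-Object { $_.ToString('x2') }) -join '')
}

function Test-DsLink {
    # A DS vouches for a DNSKEY only when both the key tag and the digest agree.
    param([string]$Owner, [byte[]]$Dnskey, [int]$DsKeyTag, [string]$DsDigest)
    return ((Get-KeyTag $Dnskey) -eq $DsKeyTag) -and
           ((Get-DsDigest $Owner $Dnskey) -eq $DsDigest)
}

# Child zone's key-signing key (flags 257 = ZONE + SEP), algorithm 8 (RSA/SHA-256).
$childKsk = New-DnskeyRdata -Flags 257 -Algorithm 8 -PublicKey ([byte[]](1,2,3,4))

# What the parent publishes for the child (the parent then signs this DS with its own key):
$dsKeyTag = Get-KeyTag $childKsk
$dsDigest = Get-DsDigest 'example.' $childKsk
"example. IN DS $dsKeyTag 8 2 $dsDigest"

# A validator that already trusts the parent checks the child's DNSKEY against the DS:
Test-DsLink 'example.' $childKsk $dsKeyTag $dsDigest

# A well-formed DNSKEY the parent never vouched for cannot pass the same check:
$rogueKey = New-DnskeyRdata -Flags 257 -Algorithm 8 -PublicKey ([byte[]](9,9,9,9))
Test-DsLink 'example.' $rogueKey $dsKeyTag $dsDigest
```

This is why publishing the root trust anchor mattered: a resolver configured with the root's key can now follow DS links downward (root to .org to a signed zone under it) instead of being configured with a separate anchor per island. The key tag alone is not a security check (different keys can share one), which is why the digest comparison is mandatory and the tag merely narrows which DNSKEY to test.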

MSF Module - Microsoft Windows Shell LNK Code Execution

http://www.metasploit.com/modules/exploit/windows/browser/ms10_xxx_windows_shell_lnk_execute

This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates a WebDAV service that can be used to run an arbitrary payload when accessed as a UNC path.

---------------------------------------------

The release of this exploit module has caused SANS ISC to raise to Threat Level: Yellow.

Another Signed Stuxnet Binary

Via F-Secure -

There are a couple of new developments in the Stuxnet rootkit case. Last night, the analysts in our Kuala Lumpur lab added detection for another digitally signed Stuxnet driver. This one uses a certificate from JMicron Technology Corporation.

[...]

This particular certificate is valid until July 25, 2012.

While there are some modifications, initial analysis indicates that this new driver is very similar to the first set of Stuxnet samples we've seen, with the same basic functions and approach.

A hat tip to Pierre-Marc Bureau at ESET, who notes that JMicron and Realtek Semiconductor Corp both have offices in Hsinchu Science Park, Taiwan. Realtek is the source of the previously used certificate which has now been revoked by VeriSign.

We've speculated internally that Realtek's Authenticode leak could have resulted from Aurora style attacks which targeted source code management systems, but now, with the physical proximity of these two companies, we wonder if some physical penetration was also involved.

Additional news regarding Stuxnet is that Siemens, whose SIMATIC WinCC databases are targeted, has advised against changing their SCADA system's hardcoded password. The concern is that adjusting the password will create damaging conflicts.

-----------------------------------------------------------------------

http://blog.eset.com/2010/07/19/win32stuxnet-signed-binaries

On July 17th, ESET identified a new malicious file related to the Win32/Stuxnet worm. This new driver is a significant discovery because the file was signed with a certificate from a company called "JMicron Technology Corp". This is different from the previous drivers which were signed with the certificate from Realtek Semiconductor Corp. It is interesting to note that both companies whose code signing certificates were used have offices in Hsinchu Science Park, Taiwan.
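The Symantec, F-Secure and ESET items above all turn on the same point: a driver carrying a valid Authenticode signature from a real hardware vendor still loaded, because validity says who signed, not whether that signer should be on this machine. As an added example (not from any of those vendors), the script below inventories the signer of every driver file on a host and surfaces anything whose signature does not validate or whose signer is absent from an operator-maintained allowlist. The allowlist entry is a constructed placeholder to be replaced with the signers observed on a known-good baseline host.

```powershell
# Added example: driver signer inventory. The allowlist is a placeholder; build it
# from a trusted baseline image, not from the output of this script on a suspect host.

$AllowedSigners = @(
    'CN=Microsoft Windows'        # placeholder: replace with your baseline's signers
)

function Get-DriverSignerReport {
    param([string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'))
    Get-ChildItem -Path $DriverDir -Filter '*.sys' | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        $subject  = if ($cert) { $cert.Subject }  else { '<no signer certificate>' }
        $notAfter = if ($cert) { $cert.NotAfter } else { $null }
        $status   = [string]$sig.Status           # Valid, NotSigned, HashMismatch, ...

        # Substring match so 'CN=Microsoft Windows' also covers its longer subject forms.
        $allowed = $false
        foreach ($entry in $AllowedSigners) {
            if ($subject -like "*$entry*") { $allowed = $true }
        }

        New-Object PSObject -Property @{
            File       = $_.Name
            Status     = $status
            Signer     = $subject
            NotAfter   = $notAfter
            # A valid signature from an unexpected signer is exactly the Stuxnet pattern.
            Suspicious = (-not $allowed) -or ($status -ne 'Valid')
        }
    }
}

Get-DriverSignerReport |
    Where-Object { $_.Suspicious } |
    Sort-Object Signer, File |
    Format-Table File, Status, Signer, NotAfter -AutoSize
```

Two caveats when reading the output. Many of Windows' own drivers are signed through a catalog rather than an embedded signature, so older PowerShell versions report them as NotSigned; compare against a baseline host rather than treating every NotSigned row as hostile. And a signer named after a real company (Realtek, JMicron) is not evidence of compromise by itself, since legitimate drivers from those vendors exist; what the report gives you is the short list of signers to reconcile against the hardware the machine actually has.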

----------------------------------------------------------------------

http://www.networkworld.com/news/2010/072010-after-worm-siemens-says-dont.html


Symantec is now logging about 9,000 attempted infections per day, according to Gerry Egan, a director with Symantec Security Response.

[...]

If Stuxnet does discover a Siemens SCADA system, it immediately uses the default password to start looking for project files, which it then tries to copy to an external website, Egan said.

"Whoever wrote the code really knew Siemens products," said Eric Byres, chief technology officer with SCADA security consulting firm Byres Security. "This is not an amateur."

By stealing a plant's SCADA secrets, counterfeiters could learn the manufacturing tricks needed to build a company's products, he said.

Monday, July 19, 2010

Vaccine Patch May Replace Needles

Via BBC -

A vaccine patch could cut out the need for painful needles and boost the effectiveness of immunisation against diseases like flu, say US researchers.

The patch has hundreds of microscopic needles which dissolve into the skin.

Tests in mice show the technology may even produce a better immune response than a conventional jab.

Writing in Nature Medicine, the team of researchers said the patch could one day enable people to vaccinate themselves.

Each patch, developed by researchers at Emory University and the Georgia Institute of Technology, contains 100 "microneedles" which are just 0.65mm in length.

They are designed to penetrate the outer layers of skin, dissolving on contact.

[...]

If proven to be effective in further trials, the patch would mean an end to the need for medical training to deliver vaccines and turn vaccination into a painless procedure that people could do themselves.

It could also simplify large-scale vaccination during a pandemic, the researchers said.

Although the study only looked at flu vaccine, it is hoped the technology could be useful for other immunisations and would not cost any more than using a needle.

"We envision people getting the patch in the mail or at a pharmacy and then self-administering it at home," said Sean Sullivan, the study lead from Georgia Tech.

"Because the microneedles on the patch dissolve away into the skin, there would be no dangerous sharp needles left over."

Sunday, July 18, 2010

U.S. Citizen Believed to be Writing for Al-Qaeda

Via CNN -

A senior U.S. law enforcement official has told CNN that U.S. intelligence believes the principal author of the new online al Qaeda magazine is an American citizen who left for Yemen in October 2009.

The magazine -- called "Inspire" -- appeared last week. Running to nearly 70 pages online, it included articles on bomb-making and encrypting electronic messages, as well as an interview with fugitive Yemeni-American cleric Anwar al Awlaki.

The source has identified the driving force behind "Inspire" as 23-year-old Samir Khan, who previously lived in North Carolina and was involved in radical Islamist blogs, including one he ran called "Jihad Recollections." The source says Khan traveled to Yemen on a round-trip ticket but has not come back to the United States.

[...]

Khan was born in Saudi Arabia, and moved to Queens, New York, with his family when he was 7. The family later moved to Charlotte, North Carolina.

VeriSign Revokes Certificate Used to Sign Stuxnet Malware

Via Threatpost.com -

The digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers.

Stuxnet's infection method takes advantage of a previously unknown vulnerability in most of the current versions of Windows, including Windows Vista, Windows 7, both 32- and 64-bit versions, and Windows Server 2008. The vulnerability in the Windows shell is what enables the malware to execute via the .lnk files. Microsoft said it is investigating the flaw and looking at possible solutions; however, there was no clear indication that the company intends to patch the flaw in the near future.

Stuxnet is an odd case. It is spread via infected USB thumb drives, which contain the rootkit code, along with two drivers that researchers say are used to hide the existence of the malware both on the USB drive and on the PC, once it's infected. The drivers are signed using a valid digital certificate owned by Realtek, a Taiwanese hardware manufacturer, and Stuxnet uses .lnk shortcut files to launch as soon as the USB drive is opened on a PC.

Microsoft malware researchers said on Friday that they had been working with VeriSign to revoke the Realtek certificate, a process that Realtek officials signed off on. The certificate in question actually expired in June. Microsoft officials also said that they expect other attackers to begin using the techniques utilized by Stuxnet.

-----------------------------------

http://www.f-secure.com/weblog/archives/00001987.html

Malicious software using valid digital signatures is something that our Jarno Niemelä recently predicted in his Caro 2010 Workshop presentation: It's Signed, therefore it's Clean, right?
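The two certificate stories above (a JMicron certificate that is "valid until July 25, 2012" and a Realtek certificate that had already expired in June but still needed revoking) come down to one question a verifier has to answer: does this signature still deserve trust? As an added example, and not code from F-Secure, Microsoft or VeriSign, the following Python models the rules an Authenticode-style verifier applies when the signing certificate has expired or been revoked: expiry does not break a signature that carries a trusted timestamp from inside the validity window, while revocation only spares signatures a timestamp proves were made before the revocation date. The 2012-07-25 expiry echoes the date quoted above; every serial, subject and other date is constructed, and the rule set is the editor's summary rather than any vendor's implementation.

```python
"""Trust evaluation for a code-signing signature (added example, not the
page's code).  Models Authenticode-style handling of expired and revoked
signing certificates; all serials and dates are constructed except the
2012-07-25 expiry quoted above for the JMicron certificate."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SigningCert:
    subject: str
    serial: str          # hex serial as printed by certificate tools
    not_before: date
    not_after: date


def evaluate_signature(
    cert: SigningCert,
    crl: Dict[str, date],        # serial -> date from which the CA declares it invalid
    timestamp: Optional[date],   # time asserted by a trusted timestamp countersignature
    now: date,
) -> Tuple[bool, str]:
    """Return (trusted, reason) for a signature made with `cert`.

    1. Without a timestamp the real signing time is unknown, so the
       certificate must be valid and unrevoked right now.
    2. With a timestamp, the certificate must have been valid at that time;
       expiry after the timestamp does not break the signature.
    3. A revoked certificate keeps earlier signatures only when a timestamp
       proves they predate the revocation date, which is why a CA that
       suspects key theft backdates that date to the issue date.
    """
    effective_time = timestamp if timestamp is not None else now

    revoked_on = crl.get(cert.serial)
    if revoked_on is not None and effective_time >= revoked_on:
        return False, f"serial {cert.serial} revoked as of {revoked_on}"
    if effective_time < cert.not_before:
        return False, "signature predates the certificate's validity period"
    if effective_time > cert.not_after:
        return False, "certificate expired and no timestamp covers the signature"
    return True, "trusted" + (" (timestamped)" if timestamp else "")


def demo(now: date = date(2010, 7, 26)) -> Dict[str, bool]:
    """Run the scenarios the posts above raise; returns trusted/untrusted per case."""
    vendor = SigningCert("Hardware Vendor (constructed)", "1a2b",
                         date(2009, 1, 1), date(2012, 7, 25))
    # CA revokes on the day the misuse is noticed (constructed date).
    crl_same_day = {"1a2b": date(2010, 7, 16)}
    # CA concludes the key was stolen and backdates the revocation to issuance.
    crl_backdated = {"1a2b": date(2009, 1, 1)}
    lapsed = SigningCert("Lapsed Vendor (constructed)", "3c4d",
                         date(2007, 6, 1), date(2010, 6, 30))

    cases = {
        "valid cert, not revoked":          (vendor, {}, None),
        "revoked, no timestamp":            (vendor, crl_same_day, None),
        "revoked, timestamped before it":   (vendor, crl_same_day, date(2010, 6, 1)),
        "revoked and backdated":            (vendor, crl_backdated, date(2010, 6, 1)),
        "expired, timestamped while valid": (lapsed, {}, date(2010, 3, 1)),
        "expired, no timestamp":            (lapsed, {}, None),
    }
    return {name: evaluate_signature(c, crl, ts, now)[0]
            for name, (c, crl, ts) in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'TRUST' if ok else 'REJECT':6} {name}")
```

The "revoked, timestamped before it" case is the one to notice: a same-day revocation leaves every earlier timestamped signature trusted, so a defender who learns that a vendor's signing key was misused cannot rely on the CRL alone and should also hunt for binaries signed with that serial.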

Microsoft Windows Automatic LNK Shortcut File Code Execution

Public Exploit for CVE-2010-2568
http://www.exploit-db.com/exploits/14403/

Record Collapse of Earth's Upper Atmosphere Puzzles Scientists

Via Space.com -

An upper layer of Earth's atmosphere recently collapsed in an unexpectedly large contraction, the sheer size of which has scientists scratching their heads, NASA announced Thursday.

The layer of gas – called the thermosphere – is now rebounding again. This type of collapse is not rare, but its magnitude shocked scientists.

"This is the biggest contraction of the thermosphere in at least 43 years," said John Emmert of the Naval Research Lab, lead author of a paper announcing the finding in the June 19 issue of the journal Geophysical Research Letters. "It's a Space Age record."

The collapse occurred during a period of relative solar inactivity – called a solar minimum – from 2008 to 2009. These minimums are known to cool and contract the thermosphere; however, the recent collapse was two to three times greater than low solar activity could explain.

"Something is going on that we do not understand," Emmert said.

The thermosphere lies high above the Earth's surface, close to where our planet meets the edge of space. It ranges in altitude from 55 miles (90 km) to 370 miles (600 km) above the ground. At this height, satellites and meteors fly and auroras shine.

[...]

Emmert suggests carbon dioxide (CO2) in the thermosphere might play a role in explaining the atmospheric collapse.

This gas acts as a coolant, shedding heat via infrared radiation. It is widely known that CO2 levels have been increasing in Earth's atmosphere. Extra CO2 in the thermosphere could have magnified the cooling action of solar minimum.

"But the numbers don't quite add up," Emmert said. "Even when we take CO2 into account using our best understanding of how it operates as a coolant, we cannot fully explain the thermosphere's collapse."

The researchers hope further monitoring of the upper atmosphere will help them get to the bottom of the situation.

-----------------------------

Check out these NASA sunspot photos - comparing the solar minimum to the solar maximum
http://earthobservatory.nasa.gov/IOTD/view.php?id=37575

Saturday, July 17, 2010

US Designates Anwar al Awlaki an Al-Qaeda (AQAP) Leader

Via The Long War Journal (July 26, 2010) -

The US Treasury Department has designated an American-born Muslim cleric who is a senior member of al Qaeda in the Arabian Peninsula and is based in Yemen as a terrorist for his involvement in several terror attacks.

Anwar al Awlaki, a senior cleric, recruiter, propagandist, and planner for al Qaeda in the Arabian Peninsula, has been designated as a terrorist under Executive Order 13224 "for supporting acts of terrorism and for acting for or on behalf of AQAP." The designation allows the US to freeze his assets, prevent him from using financial institutions, and prosecute him for terrorist activities.

"Anwar al Awlaki has proven that he is extraordinarily dangerous, committed to carrying out deadly attacks on Americans and others worldwide," Stuart Levey, the Under Secretary for Terrorism and Financial Intelligence, said in a Treasury Department press release. "He has involved himself in every aspect of the supply chain of terrorism -- fundraising for terrorist groups, recruiting and training operatives, and planning and ordering attacks on innocents."

Awlaki has sworn allegiance to Nasir al Wuhayshi, the leader of al Qaeda in the Arabian Peninsula, and "has also recruited individuals to join AQAP, facilitated training at camps in Yemen in support of acts of terrorism, and helped focus AQAP's attention on planning attacks on US interests."

US Judge Jails Cuba Spying Couple

Via BBC (July 16, 2010) -

A US judge has sentenced a retired State Department worker to life in prison without the possibility of parole for spying for Cuba.

Walter Kendall Myers' wife Gwendolyn was also sentenced to 81 months for helping her husband steal US secrets.

US District Judge Reggie Walton said the pair deserved heavy punishment for betraying the United States.

Mr Myers, 72, had access to top-secret US government information and admitted spying for Cuba for three decades.

The couple shared Cuba's communist ideology and an admiration of the Cuban revolution, according to federal prosecutors.

Mr Myers, who is the great grandson of Alexander Graham Bell, was contacted by the Cuban intelligence service to be a covert agent.

He recruited Ms Myers in 1979, and the two married three years later.

Mr Myers said he stole secrets, but had no intent to harm the United States.

Judge Walton said he was "perplexed" how Mr Myers could think he was not hurting US, considering the level of antagonism between the two countries.

Myers was known as Agent 202, while his wife was Agent 123, according to court documents.

The couple were originally arrested in June 2009, following an undercover FBI sting operation.

Car Bomb in Mexican Drug War Changes Ground Rules

Via Yahoo! News -

Mexican drug traffickers' first car-bomb attack against police has revealed a new level of cold-blooded planning that is forcing this border city and security forces to change the way they confront violence.

Police said Friday that La Linea drug gang — the same group blamed for the March killing of a U.S. consulate employee and her husband — lured federal officers and paramedics to the site of a car bomb by dressing a bound, wounded man in a police uniform and calling in a false report of an officer shot.

The gang then exploded a car holding as much as 22 pounds (10 kilograms) of explosives, killing the decoy, a rescue worker and a federal officer. A regional military commander said a cell phone might have been used to detonate the bomb.

The gang promised to strike again, with graffiti painted on the wall of a Ciudad Juarez shopping center. "What happened ... is going to keep happening against all the authorities," the message read. "We have more car bombs."

Microsoft Windows Shell Shortcut Handling Code Execution Vulnerability

http://www.vupen.com/english/advisories/2010/1836
A vulnerability has been identified in Microsoft Windows, which could be exploited by attackers or malware to compromise an affected system. This issue is caused by an error in the Windows Shell component when parsing shortcuts (*.LNK files), which could allow attackers to automatically execute a malicious binary by tricking a user into browsing a remote network or WebDAV share, or opening in Windows Explorer a removable drive (e.g. USB) containing a specially crafted shortcut file.


Note: This vulnerability is being exploited in targeted attacks.

-----------------------------------------

http://www.theregister.co.uk/2010/07/16/windows_shortcut_trojan/
Independent researcher Frank Boldewin has uncovered evidence that the malware is targeting SCADA control systems, used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems.

"Looks like this malware was made for espionage," Boldewin writes.
-----------------------------------------

http://www.microsoft.com/technet/security/advisory/2286198.mspx
Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.
---------------------------------------

It's important to note that MS isn't listing some affected operating systems, simply because they are no longer officially supported (e.g. Windows XP SP2 and Windows 2000). They are vulnerable nonetheless, so the listed workarounds should be evaluated for those OSs as well, if they are used in your environment.
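Beyond Microsoft's workarounds, an incident responder handed a removable drive from a suspect machine wants a quick way to triage the shortcut files on it. As an added example, and not code from VUPEN, Microsoft or The Register, here is a small Python parser for the Shell Link (.lnk) header and LinkTargetIDList, following the layout Microsoft publishes as MS-SHLLINK (76-byte header, CLSID {00021401-0000-0000-C000-000000000046}, size-prefixed ItemIDs closed by a zero terminator). It flags shortcuts whose target item list names a .dll, on the reasoning that a shortcut resolving to a library rather than an executable or folder is unusual and worth a look; legitimate Control Panel shortcuts can also reference DLLs, so this is a triage heuristic, not a verdict. `build_lnk` exists only to construct the two sample files inline; both samples are constructed.

```python
"""Shell Link (.lnk) triage parser (added example, not the page's code).
Layout follows Microsoft's MS-SHLLINK specification; samples are constructed."""
import struct
from typing import Dict, List, Tuple

LNK_HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in its on-disk (little-endian) form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001   # LinkFlags bit 0


def parse_lnk(data: bytes) -> Tuple[int, List[bytes]]:
    """Return (LinkFlags, [ItemID payloads]) from a Shell Link file."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    (link_flags,) = struct.unpack_from("<I", data, 0x14)   # LinkFlags at offset 20

    items: List[bytes] = []
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        offset = LNK_HEADER_SIZE
        (idlist_size,) = struct.unpack_from("<H", data, offset)
        offset += 2
        end = min(offset + idlist_size, len(data))   # never trust the declared size
        while offset + 2 <= end:
            (item_size,) = struct.unpack_from("<H", data, offset)
            if item_size == 0:                        # TerminalID closes the list
                break
            if item_size < 2 or offset + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[offset + 2 : offset + item_size])  # size field excluded
            offset += item_size
    return link_flags, items


def suspicious_targets(items: List[bytes]) -> List[str]:
    """Heuristic: ItemIDs whose text (UTF-16LE or 8-bit) names a .dll."""
    hits: List[str] = []
    for payload in items:
        for text in (payload.decode("utf-16-le", errors="ignore"),
                     payload.decode("latin-1")):
            cleaned = "".join(ch for ch in text if ch.isprintable())
            if ".dll" in cleaned.lower():
                hits.append(cleaned)
                break
    return hits


def scan(data: bytes) -> Dict[str, object]:
    """Parse one shortcut and summarise what a responder cares about."""
    flags, items = parse_lnk(data)
    return {
        "has_idlist": bool(flags & HAS_LINK_TARGET_ID_LIST),
        "items": len(items),
        "dll_hits": suspicious_targets(items),
    }


def build_lnk(item_payloads: List[bytes]) -> bytes:
    """Constructed test fixture: a minimal Shell Link carrying only an IDList."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes/times/sizes zeroed
    idlist = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


# Constructed samples: an ordinary shortcut and one whose target names a library.
BENIGN = build_lnk(["C:\\Windows\\notepad.exe".encode("utf-16-le")])
SUSPECT = build_lnk(["\\\\fileserver\\share\\loader.dll".encode("utf-16-le")])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan(sample))
```

Run it over every *.lnk collected from the drive and review the `dll_hits` list by hand; the parser deliberately raises on a truncated or oversized IDList rather than guessing, since malformed shortcuts are themselves worth noting.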

While the idea that the trojan was made for espionage is currently just an educated guess, it goes without saying that worms that use the USB propagation vector would be well suited for reaching systems which might be air-gapped or otherwise well isolated.

The DoD found this out all too well in late 2008.
USB Flash Drive Network Weaponization
http://www.darkreading.com/blog/archives/2008/12/usb_flash_drive.html

DoD Preparing To Lift USB Ban
http://www.darkreading.com/insiderthreat/security/storage/showArticle.jhtml?articleID=220100601

Wednesday, July 14, 2010

Phantom Eye Hydrogen-powered Spy Plane Unveiled

Via BBC -

Boeing has unveiled its unmanned hydrogen-powered spy plane which can fly non-stop for up to four days.

The high-altitude plane, called Phantom Eye, will remain aloft at 20,000m (65,000ft), according to the company.

The demonstrator will be shipped to Nasa's Dryden Flight Research Center in California later this summer to prepare for its first flight in early 2011.

Boeing says the aircraft could eventually carry out "persistent intelligence and surveillance".

It is a product of the company's secretive Phantom Works research and development arm.

Boeing says the aircraft is capable of long endurance flights because of its "lighter" and "more powerful" hydrogen fuel system.

"We flew Condor [the company's previous reconnaissance drone] for 60 hours in 1989 on regular jet fuel, and that was the maximum," said Chris Haddox from Boeing Phantom Works. "Now we're talking 96 hours."

[...]

"It isn't built for stealth - it's built for endurance," Mr Haddox told BBC News.

The UK Ministry of Defence (MoD) has an ongoing interest in long-endurance high-altitude planes for surveillance and is considering several different technologies, including solar power, to meet the requirements of what it refers to as its "Scavenger project".

Ex-MI6 Officer Admits Attempt to Sell Secrets

Via The Register UK -

A former MI6 officer faces jail after he pleaded guilty this morning to two breaches of the Official Secrets Act.

Mr Justice Bean told Daniel Houghton, of Hoxton, that a prison sentence was inevitable, PA reports.

In an apparent plea deal, Houghton denied a third charge, of theft, which was accepted by the prosecution.

The 25-year-old, who holds joint British-Dutch nationality and a computer science degree, was arrested leaving a central London hotel in March, carrying a briefcase that contained £900,000 cash. He had just met undercover MI5 officers, who he believed had bought British secrets on behalf of a foreign government.

Prosecutors disclosed in a previous hearing that MI5 counter-espionage investigators acted on a tip-off from Dutch authorities, whom he had approached asking for £2m.

He had left MI6 after less than two years, apparently with Top Secret papers, and a laptop hard drive and memory sticks stuffed with highly classified information. It was ten months between his departure from the service and the climax of the operation to catch him.

Houghton pleaded guilty today to disclosing details of intelligence-gathering techniques, and disclosing two lists of British intelligence personnel. The theft charge, effectively abandoned today, accused him of stealing files from MI5.

The apparent bargain means details of how Houghton was able to leave MI6 with a cache of printed and electronic Top Secret material - which remained undetected until Dutch authorities alerted MI5 - will remain a worrying mystery. He will be sentenced on 3 September.

Tuesday, July 13, 2010

Thousands of Laptops Stolen During Nine-hour Heist

Via Yahoo News! (AP) -

Thousands of laptops have been stolen from the Florida office of a private contractor for the U.S. military's Special Operations Command.

Surveillance cameras caught up to seven people loading the computers into two trucks for nine hours.

U.S. Special Operations Command coordinates the activities of elite units from the Army, Navy, Air Force and Marines. A spokeswoman said Tuesday that none of the stolen laptops contained military information or software.

The Virginia-based company iGov was awarded a $450 million contract earlier this year to supply mobile technology services linking special operations troops worldwide. A company executive says iGov is cooperating with authorities and the March 6 break-in at its Tampa facility remains under investigation.

Twelfth Person Detained in Investigation of Russian Spy Ring

Via WashingtonPost.com -

Federal authorities have detained a 12th person in their investigation of a Russian spy ring, and he is expected to be deported to Russia as early as Tuesday, two U.S. law enforcement officials said.

The man, a Russian citizen in his early-to-mid 20s, entered the United States in October and was living in the western part of the country, officials said. He is being held on immigration violations because there was insufficient evidence to charge him with a crime and has agreed to be sent back to Russia, they said.

"He was just in the early stages, had just set up shop," said one senior federal law enforcement official, who spoke on condition of anonymity because the information has not been made public. The official added that the Russian was monitored by the FBI almost immediately after his arrival and that he "obtained absolutely no information."

[...]

Senior federal officials indicated last week that the case had effectively shut down the ring, which was run by the headquarters of Russian foreign intelligence, known as "Moscow Center." But law enforcement officials said Tuesday that the 12th man arrested was not part of the same ring and had no direct ties to the other spies, though his name came up in the broader investigation of their activities.

[...]

It was unclear when the 12th man, whose name was not released, was detained, though one official said he was in custody by last week. He was apparently not part of the spy swap because unlike the other 10 agents, he was not charged with a crime, and there was no indication Tuesday that his pending deportation would be part of an additional swap or agreement with Russia. The man would have been charged criminally if there had been evidence, officials said.

One official said the 12th man had obtained a job in the United States and was "just doing the things he needed to do to establish cover."

--------------------------------

Not surprisingly, the Guardian UK is reporting that Russia is interrogating the 10 deported sleeper agents at a secret facility. Russian intelligence officers are using various tests (including lie detectors) to establish whether there was a traitor in the SVR who had betrayed the agents.

Monday, July 12, 2010

Two Venezuelans Face Up To 11 Years In Prison For Twittering

Via The Firewall Blog (Forbes.com) -

Hugo Chavez seems to like Twitter as a mouthpiece for power. Since joining the service last April, he's sent 522 messages, sometimes dozens a day, all apparently from his BlackBerry.

But he's not such a fan of uncensored microblogging from the masses. Last week two Venezuelans, a 35-year old woman and a 41-year old man, were charged with making statements on Twitter critical of Venezuela's banking system and face up to 11 years in prison, according to Reporters Without Borders. Fifteen more Internet users may face similar charges in the coming days.

The two defendants are accused of violating a 2001 law prohibiting spreading false rumors about or attempting to destabilize the nation's banks, a loaded topic in the midst of wider financial troubles in the country. “Ladies and Gentlemen, don’t say you weren’t warned... Pull out today... I’m telling you, there are just a few days left,” Luis Acosta Oxford wrote late last month, for instance.

But the threat of a decade of imprisonment for 140 characters of investment advice goes beyond any financial fears, says Lucie Morillon, head of the Internet desk at Reporters Without Borders (RSF). "We see this arrest and the fact that these individuals face 11 years in jail as not just an unfortunate incident, but a way to intimidate other users who would use Twitter as a platform to criticize the government and its decisions."

[...]

Twitter and other microblogging services are facing a crackdown worldwide, as net-repressive governments have seen the tools used for dissent or political discussion. Iran and China have long blocked the service and its clones, and Saudi Arabia recently banned the microblogging accounts of two activists in the country, according to RSF.

But the censorship is especially ironic given Chavez's own newfound love of twittering and using the Internet in general as a political platform, says Morillon. "We’d like to see him let others exercise the same freedoms he has," she says.

The War That We Don’t Recognize Is The War We Lose

Via GreyLogic -

Unlike the United States, the European Union and other Western nations, Russian and Chinese military writers generally do not use the term “Cyber Warfare”, preferring “Information Warfare” or “Informatized Warfare” instead. This is a significant difference; understanding it may better inform those who are still struggling to fit the round peg of Cyber Warfare into the square hole of the Western way of war.

The People’s Republic of China considers the United States a technologically superior adversary, and is simultaneously dependent upon U.S. consumers and the support of U.S.-based multi-national corporations. What is the appropriate military strategy for a nation that finds itself in such a position?

“Therefore the skillful leader subdues the enemy’s troops without any fighting; he captures their cities without laying siege to them; he overthrows their kingdom without lengthy operations in the field.” (Sun Tzu, 500 BC)

Lab Tests: Why Consumer Reports Can't Recommend the iPhone 4

Via consumerreports.org (Electronic Blog) -

It's official. Consumer Reports' engineers have just completed testing the iPhone 4, and have confirmed that there is a problem with its reception. When your finger or hand touches a spot on the phone's lower left side—an easy thing, especially for lefties—the signal can significantly degrade enough to cause you to lose your connection altogether if you're in an area with a weak signal. Due to this problem, we can't recommend the iPhone 4.

[...]

Our findings call into question the recent claim by Apple that the iPhone 4's signal-strength issues were largely an optical illusion caused by faulty software that "mistakenly displays 2 more bars than it should for a given signal strength."

The tests also indicate that AT&T's network might not be the primary suspect in the iPhone 4's much-reported signal woes.

[...]

The signal problem is the reason that we did not cite the iPhone 4 as a "recommended" model, even though its score in our other tests placed it atop the latest Ratings of smart phones that were released today.

The iPhone scored high, in part because it sports the sharpest display and best video camera we've seen on any phone, and even outshines its high-scoring predecessors with improved battery life and such new features as a front-facing camera for video chats and a built-in gyroscope that turns the phone into a super-responsive game controller.

But Apple needs to come up with a permanent—and free—fix for the antenna problem before we can recommend the iPhone 4.


------------------------------

Apple needs to put the brake on the PR train and really decide if it wants to continue down its current path - the path of half-truths and treating their own customers like children.

Apple may believe that giving free bumper cases away to fix a fatal design flaw is "appeasing customers", but I call it doing the right thing and treating your phone customers with respect.

Let's remember, this isn't an iPod...it's a phone. In the end, it isn't a very good phone if it doesn't work when holding it in a natural way.

Should Apple give out free Bumper Cases?

We asked our readers what they thought, and a staggering 97% of you agreed that Apple should hand out free Bumper Cases to all iPhone 4 customers.

Metasploit Framework 3.4.1 Released

http://mail.metasploit.com/pipermail/framework/2010-July/006569.html

The Metasploit Project is proud to announce the release of the Metasploit Framework version 3.4.1. As always, you can get it from our downloads page for Windows, Linux or as an OS-independent tarball. This release sees the first official non-Windows Meterpreter payload, in PHP as discussed last month (http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html).

Rest assured that more is in store for Meterpreter on other platforms. A new extension called Railgun is now integrated into Meterpreter courtesy of Patrick HVE, giving you scriptable access to Windows APIs and an unprecedented amount of control over post-exploitation. For those of you wishing to contribute to the framework, a new file called HACKING has been introduced that lays out a few guidelines for making it easier.

This release has 16 new exploits, 22 new auxiliary modules and 11 new Meterpreter scripts for your pwning enjoyment. For more in-depth information about this release, see the 3.4.1 release notes at
https://www.metasploit.com/redmine/projects/framework/wiki/Release_Notes_341

- The Metasploit Team

Iran's Global Terrorist Reach

Via CT Blog (by Dr. Walid Phares) -

The United States became painfully aware of the threat posed by global jihadism after the terror attacks of September 11, 2001. Until that day, Iranian-backed terrorist networks, such as Hezbollah, were responsible for killing more American citizens than al-Qaeda. In the years since, the balance has been gradually tilting back towards Iran. In the words of former U.S. Deputy Secretary of State Richard Armitage, al-Qaeda may be the 'B' team of international terrorism, but Hezbollah is the 'A' team. Indeed, Iran's Khomeinists began their war on the U.S. and other democracies years before Osama bin Laden began his jihad.

[...]

Because it cannot project much conventional military power, Iran threatens the United States, Israel and other democracies by unconventional means. Through the use of its terrorist surrogates—such as Hezbollah—Tehran's reach extends around the world.

[...]

Hezbollah was an Iranian project designed to export its revolution globally and it fast became the single most dangerous terrorist network. Since the 1979 revolution, the ayatollahs have invited radical Shia clerics from Lebanon to Iran for theological training. They also recruited militants, including Imad Mughniyeh, who became the central figure in the terror nexus for decades. The Iranian Revolutionary Guard Corps (Pasdaran) established its first bases in the northern Bekaa valley in 1980. From there, it connected with "Islamic Amal," an offshoot of the Amal Movement, and with radical religious scholars who studied at the holy cities of Qom in Iran and Najaf in Iraq.

[...]

From a U.S. counterterrorism perspective, the threats posed by Iran, Hezbollah, and its global terrorist network are considerable. But the addition of nuclear weapons into this global network of Khomeinists may well prove as dangerous if not more so than nuclear weapons in the hands of al-Qaeda.

Al-Shabaab Claims Responsibility for Uganda Bombings

Via CNN -

A Somali Islamist militant group, Al-Shabaab, issued a direct claim of responsibility Monday for three bombings in Uganda that left at least 74 people dead.

"The best of men have promised and they have delivered," said the statement obtained by CNN. "Blessed and exalted among men -- taking full responsibility."

An Al-Shabaab leader said in a separate website posting Monday that Uganda would be targeted for retribution over the "massacres" perpetrated against Somalis.

"My message to the Ugandan and Burundian nations is that you will be the target for our retribution to the massacres perpetrated against the Somali men, women and children in Mogadishu by your forces," said an Arabic statement from Sheikh Abu Al Zubeir, identified as "the Emir of Al-Shabaab in Somalia." The statement was posted on an al Qaeda-affiliated website which previously has carried statements and videos from Al-Shabaab.

[...]

The three explosions ripped through two venues where crowds were watching the World Cup final match on Sunday.

At least 71 people were hospitalized, police spokeswoman Judith Nabakooba said.

"If you want to fight, why don't you attack soldiers or military installations instead of fighting innocent people watching football?" said President Yoweri Museveni, who on Monday visited a rugby sports center where two of the blasts occurred Sunday.

The casualties included one American death, the U.S. Embassy said. The American killed was Nate Henn, according to an organization that works with children in Uganda.

Skype's Encryption Procedure Partly Exposed

Via H-Online.com -

Developer Sean O'Neill, famous in cryptographic circles for designing the EnRUPT hash algorithm, has released an open source Skype library that emulates the modified version of the RC4 encryption algorithm used by Skype. Skype chose to modify key generation for the stream cipher to make its product incompatible with other IM clients and ensure that it remained a closed system. However, initial analysis suggests that O'Neill's publication does not mean that Skype's encryption can be considered 'cracked'. Further study will be needed to determine whether key expansion and initialisation vector generation are secure.

Because Skype has not released details of its encryption procedures, for years researchers have been trying and failing to reverse engineer the company's encryption. What is clear is that Skype uses a variety of encryption procedures. AES-256 is used to communicate with Skype's login server, SMS/event server and search servers. Supernodes and clients use the modified version of RC4 for the actual communication.

No further information is currently available – O'Neill's website, on which he announced his breakthrough, is currently offline. Even the Skype Library RC4 v1.108 download is currently offline. O'Neill has promised further details, but not until December, when he intends to present his findings at the Chaos Communication Congress in Berlin (27C3).

Until then, interested users can examine the code and use it for test purposes. Commercial usage is currently permissible only after consultation with O'Neill.

Secunia 1H2010 Report: Apple Ranks First in Surging Security Bug Count

Via The Register UK -

The number of vulnerabilities in the first half of 2010 was close to the number recorded in the whole of 2009, security notification firm Secunia reports.

Apple ranks first, ahead of runner-up Oracle, and Microsoft in the number of security bugs found in all their products in 1H 2010. During the first six months of 2010, Secunia logged 380 vulnerabilities within the top-50 most prevalent packages on typical end-user PCs, or 89 per cent of the figure for the entire year of 2009.


----------------------------------------------

In the end, Secunia is continuing to ring the bell on the need for better patching and vulnerability management, by all involved parties (software makers, home users & enterprise software customers).

Secunia Half Year Report 2010
http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf

"Further, the report shows an alarming development in 3rd party program vulnerabilities, representing an increasing threat to both users and business, which, however, continues to be greatly ignored. This trend is supported by the fact that users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring 3rd party programs, and finding the actions to secure these too complex and time-consuming. Ultimately this leads to incomplete patch levels of the 3rd party programs, representing rewarding and effective targets for criminals."

As far as Apple ranking first in bug count goes, I think this is yet more proof that Apple isn't "Highly Secure by Design", but "More Safe by Limited Global Percentage".

Safe != Secure

Impromptu Freestyle Nerdcore Rap - int80 vs Dr. RAID at REcon 2010



impromptu freestyle -- int80 vs Dr. RAID rapping, backed by The Gulf Stream & VJ MA at Petit Campus in Montreal for the Recon 2010 party. Sorry for shakycam, it gets better until I ran out of space on my phone.

http://dualcoremusic.com/nerdcore/
http://recon.cx/2010/party.html

Saturday, July 10, 2010

Special Look: Apple's FaceTime Call Process

Joshua Wright over @ the Packetstan blog has put up a nice three piece series on the Apple FaceTime process (ports, protocols, auth, SIP, etc).

Special Look: Face Time (part 1: Introduction)
Special Look: Face Time (part 2: SIP and Data Streams)

Special Look: Face Time (part 3: Call Connection Initialization)

Music: Amplicon - Let Go of the Release
---------------------------------

http://www.myspace.com/amplicon

In science, amplicons are pieces of DNA formed as the products of natural or artificial amplification events (e.g. PCR, LCR).

Friday, July 9, 2010

Internet Filter Rules Under Review in Australia

Via BBC -

The Australian government is conducting an independent review of websites due to be blocked by its controversial internet filter.

The country's Communications Minister, Stephen Conroy, said the review was needed to see if the scheme "reflects current community standards".

The project has attracted widespread criticism over what is perceived by some as government censorship.

Parliament has yet to vote on making filtering a legal requirement.

Mr Conroy said the review would look at what makes up content that currently falls under a rating, unique to Australia, called "refused classification" (RC).

[...]

Geordie Guy, vice chairman of the online liberties and rights watchdog Electronic Frontiers, told BBC News that the filtering was tied in with a rating that does not exist anywhere else in the world.

"We're the only country to have a wacky category; this is the stuff that they intend to block," he said.

"Although video games are rated Mature Audience 15+, the associated websites are 18s so all these websites would be blocked."

A previous consultation into whether video games should be able to get an R18+ rating found that out of almost 60,000 votes, nearly 98.2 percent of Australians were in favour.

"They said they would have a look at that [video games] and that's all we've heard," said Mr Guy.

"Whenever there is a consultation, if the government doesn't get the answer they want, they either have another consultation or put it on the back burner.

"Given that the goalposts on the filtering keep on moving - and the issue of who is going to pay for the costs - the earliest we could see the filtering bill go in front of the Australian parliament is September; but it could be towards the end of next year," he added.

Patch Tuesday: Microsoft Preparing Four Security Bulletins for Next Week

Via eWeek.com -

Microsoft plans to release four security bulletins July 13 for Patch Tuesday, including one to cover the security hole discovered by Google engineer Tavis Ormandy.

Two of the four bulletins cover Windows, while the others are related to Microsoft Office. All told, the company plans to fix five different vulnerabilities in its products.

The bug reported in June by Ormandy affects the Windows Help and Support Center function in Windows XP and Windows Server 2003.

Ormandy's finding has been controversial because he only gave Microsoft five days to provide a patch before going public, though his actions have been defended by some. The vulnerability has since come under attack.

Also being fixed is a vulnerability in the cdd.dll (Canonical Display Driver) that the company first warned about in May. The cdd.dll is used by desktop composition to blend GDI and DirectX drawing.

"The good news is that with the release of these four bulletins next week Microsoft will take care of the two recent security advisories listed below and address the Help Center, Windows XP and Server 2003 vulnerabilities that have been under attack now for a few weeks," said Don Leatham, senior director of solutions and strategy at Lumension Security.

July also marks the end of Microsoft support for Windows 2000 and Windows XP SP2, and the company is urging customers to upgrade to supported versions of the operating system.

----------------------------------

More info on the coming fixes here, here and here.

NSA: 'Perfect Citizen' is a Research Program

Via ComputerWorld.com -

The U.S. National Security Agency confirmed the existence of a controversial program aimed at protecting the country's critical infrastructure Thursday, but disputed claims that the program would monitor network traffic on critical infrastructure networks.

The program, called Perfect Citizen, was first disclosed Thursday in a Wall Street Journal article that said the NSA "would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity."

Raytheon won the US$100 million contract for the first phase of Perfect Citizen, which is funded by the Comprehensive National Cybersecurity Initiative, the Journal reported.

In a statement released late Thursday, the NSA confirmed that Perfect Citizen exists. But the spy agency called the newspaper's description "inaccurate," saying that the program is "purely a vulnerabilities-assessment and capabilities-development contract."

"This is a research and engineering effort," the NSA said. "There is no monitoring activity involved, and no sensors are employed in this endeavor."

"This contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA's mission of defending the nation," the NSA said. "Any suggestions that there are illegal or invasive domestic activities associated with this contracted effort are simply not true."

Raytheon declined to comment.


--------------------------------------

According to the WSJ article...

"The overall purpose of the [program] is our Government...feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security," said one internal Raytheon email, the text of which was seen by The Wall Street Journal. "Perfect Citizen is Big Brother."

The Pirate Bay Hacked By SQLi, User Information Exposed

Via Net-Security.org -

It's one problem after another for the (in)famous file-sharing Web site.

Dogged by the music and movie industry, its founders are defending themselves and their creation in the court of law and the site is in danger of getting its domain seized by the US Government.

But this latest development could prove even more damaging to the site - and its users. A group of Argentinian hackers (or, as they call themselves, security researchers) have discovered multiple SQL injection vulnerabilities that allowed them to access the site's administration panel and, through it, information regarding its members.

Usernames, e-mail and IP addresses, the number and name of torrents uploaded by users, and other data could be viewed, modified or deleted by the group, although they claim that they did not alter or delete any of it. As they told Brian Krebs, their goal was to show to the users that their information is not adequately protected.

They admit that they have thought about how much this information would be worth to all those anti-piracy companies and associations that are set on bringing The Pirate Bay down and on persecuting everyone who uses the site, but they claim that they are not trying to sell the information to them or to anyone else.

Krebs received confirmation of the hack when he shared his TPB username with Russo, and Russo reciprocated by sending him the matching e-mail address and a hash of the password.

On Tarmac in Vienna, U.S. and Russia Swap Prisoners

Via NYTimes.com -

In a seeming flashback to the cold war, Russian and American officials traded prisoners in the bright sunlight on the tarmac of a Vienna airport on Friday, bringing to a quick end an episode that had threatened to disrupt relations between the two countries.

Planes carrying 10 convicted Russian sleeper agents and 4 men accused by Moscow of spying for the West swooped into Vienna, once a hub of clandestine East-West maneuvering, and the men and women were transferred, according to an American official. The planes soon took off again, presumably heading back to Russia and the United States in a coda fitting of an espionage novel.

Live television from Vienna showed an American Vision Airlines jet believed to be carrying the Russian agents deported from the United States parked only a matter of yards from the Russian plane, identified by The Associated Press as belonging to Moscow’s Emergencies Ministry. Then, more than an hour later, the Russian-flagged plane took off into clear blue skies, and the American airplane departed shortly after.

[...]

The 10 sleeper agents had pleaded guilty to conspiracy before a federal judge in Manhattan after revealing their true identities. All 10 were sentenced to time served and ordered deported.

[...]

“The agreement we reached today provides a successful resolution for the United States and its interests,” Attorney General Eric H. Holder Jr. said in a statement.

Within hours of the New York court hearing, the Kremlin announced that President Dmitri A. Medvedev had signed pardons for the four men Russia considered spies after each of them signed statements admitting guilt.

The Kremlin identified them as Igor V. Sutyagin, an arms control researcher held for 11 years; Sergei Skripal, a colonel in Russia’s military intelligence service sentenced in 2006 to 13 years for spying for Britain; Mr. Zaporozhsky, a former agent with Russia’s Foreign Intelligence Service who has served 7 years of an 18-year sentence; and Gennadi Vasilenko, a former K.G.B. major who was arrested in 1998 for contacts with a C.I.A. officer but eventually released only to be arrested again in 2005 and later convicted on illegal weapons charges.

In a statement, the Russian Foreign Ministry attributed the agreement to the warming trend between Washington and Moscow.

“This action was carried out in the overall context of improved Russian-American relations,” the statement said. “This agreement gives reason to hope that the course agreed upon by Russia and the United States will be accordingly realized in practice and that attempts to derail the course will not succeed.”

[...]

Administration officials who insisted on the condition of anonymity to discuss the delicate decision would not say who initially proposed a swap but added that they considered it a fruitful idea because they saw “no significant national security benefits from their continued incarceration,” as one put it. Some of the four Russians to be freed are in ill health, the official added.

Another American official, who was not authorized to speak about the case, said officials of the intelligence agencies were the channel for most of the negotiations, particularly Leon E. Panetta, the director of the C.I.A., and Mikhail Y. Fradkov, director of the S.V.R., Russia’s foreign intelligence agency.

The official said the American side decided “we could trade these agents — who really had nothing to tell us that we didn’t already know — for people who had never stopped fighting for their freedom in Russia.”

Thursday, July 8, 2010

NYC Subway Terror Plot Had Global Reach

Via WSJ.com -

Federal prosecutors charged a senior al-Qaeda leader Wednesday with helping to mastermind last year's attempted bombing of New York City's subway and said the effort was part of a larger plot that included a failed terrorist attempt in the U.K.

Three suspected al-Qaeda members were arrested in Europe Thursday morning in what Norwegian and U.S. officials said was a bombing plot linked to the New York and U.K. plans.

In an indictment unveiled in federal court in Brooklyn Wednesday, prosecutors said 34-year-old Adnan el Shukrijumah, described as a leader of an al-Qaeda program dedicated to terrorist attacks in the U.S. and other Western countries, "recruited and directed" three U.S. citizens to carry out suicide bombings in Manhattan in September 2009.

The indictment also charged Abid Naseer and Tariq ur Rehman, who were previously arrested by authorities in the U.K. as part of a raid in relation to suspected terrorist activity there. Prosecutors said the two cases were "directly related." The charges underscored "the global nature of the terrorist threat we face," said David Kris, assistant attorney general for national security.

On Wednesday, U.K. police again arrested Mr. Naseer, who is 24 years old and of Pakistani descent, in Middlesbrough, in the northeast of England, according to a police spokesman. Mr. Rehman isn't in custody and is believed to be in Pakistan. The last known lawyers for Messrs. Rehman and Naseer couldn't immediately be reached for comment.

A day later, three men were arrested on suspicion of "preparing terror activities," the Norwegian Police Security Service said. Two of the men were arrested in Norway and one in Germany, said Janne Kristiansen, the head of Police Security Service. She said one of the men was a 39-year-old Norwegian of Uighur origin, who had lived in Norway since 1999. The other suspects were a 37-year-old Iraqi and a 31-year-old citizen of Uzbekistan, both of whom have permanent residency permits in Norway. The three had been under surveillance for more than a year.

Officials told the Associated Press that the men were attempting to make portable but powerful peroxide bombs, but it wasn't clear whether they had selected a target for the attacks. The officials, who spoke on condition of anonymity because they weren't authorized to discuss the case, said they believe the plan was organized by Salah al-Somali, al-Qaeda's former chief of external operations who was in charge of plotting attacks world-wide but is believed to have been killed in a CIA drone airstrike last year.

U.S. prosecutors, meanwhile, said the New York and U.K. plots were directly linked by a man identified in court documents as "Ahmad," who was also charged on Wednesday, though he wasn't in custody and prosecutors said his identity was unknown. Prosecutors said Ahmad transported Najibullah Zazi, an Afghan native who worked as an airport shuttle driver in Colorado, and two others to Waziristan, Pakistan, so they could receive training. Mr. Shukrijumah recruited them at a camp there, prosecutors said.

Lawyer Says Swap With Russia Is Expected Soon

Via NYTimes.com -

The lawyer for an imprisoned Russian scientist, Igor V. Sutyagin, said on Thursday that she expected him to be freed by the end of the day, probably through a prisoner exchange in Britain, but that his departure would take place under conditions of complete secrecy.

[...]

The lawyer, Anna Stavitskaya, said that Mr. Sutyagin had verbally agreed to an exchange during a meeting with Russian officials who he believed were from Russia’s Foreign Intelligence Service, or S.V.R., and that Americans had also been present at the meeting.

[...]

“If he is free, the United States could be thanked for one thing, for saving a person,” she said. “I am thankful to the United States, if it was the United States that included him on the list. If at last he is freed — not in the way we wanted, because we wanted him to restore his good name, but it is difficult to do it given our judicial system — at least he will be freed in this way,” she said. “If he leaves today, it will happen quietly.”

Mr. Sutyagin’s mother, Svetlana Y. Sutyagina, said that the scientist was allowed a meeting with his wife and daughters at the prison last night at 7 o’clock, and that she expected to hear from him next from Vienna or Britain. There has been no new information Thursday, she said.

[...]

It was not clear who, other than Mr. Sutyagin, might be considered for a potential prisoner swap. Ernst Chyorny, executive secretary of the public committee in Defense of Scientists in Moscow, said Mr. Sutyagin had been shown a list of names but could only recall one — Sergei Skripal, a colonel in Russian military intelligence who was sentenced in 2006 to 13 years for spying for Britain.

Citing Russian intelligence sources, Kommersant newspaper identified two additional candidates for exchange: Aleksandr Zaporozhsky, a former S.V.R. agent who has served 7 of an 18-year sentence for espionage; and Aleksandr Sypachev, who was sentenced to eight years in 2002 for spying for the C.I.A.

[...]

An exchange would have some advantages for the Obama administration, avoiding costly trials that could be an irritant for months or years in American-Russian relations. But the White House might be reluctant to give up the spy suspects, who were the targets of a decade-long F.B.I. investigation, without getting prisoners that the United States valued in return.

[...]

The reports of a pending exchange, like the spy ring itself, seemed to have the accouterments of cold war espionage without the high stakes for national security. The Russian spy suspects were described by American officials as using high-tech methods but acquiring no real secrets. A swap — in Vienna, a favorite rendezvous for 20th-century spies — would serve as a colorful final chapter for the espionage-novel plot.

No American accused of spying is known to be in Russian custody. But Mr. Sutyagin, who is serving a 14-year term, is one of a number of Russian scientists imprisoned after being accused of revealing secrets to the West.