Saturday, December 31, 2011

FAA Plans to Propose Small Drone Rules in January 2012

Via LA Times -

Drone aircraft, best known for their role in hunting and destroying terrorist hide-outs in Afghanistan, may soon be coming to the skies near you.

Police agencies want drones for air support to spot runaway criminals. Utility companies believe they can help monitor oil, gas and water pipelines. Farmers think drones could aid in spraying their crops with pesticides.

"It's going to happen," said Dan Elwell, vice president of civil aviation at the Aerospace Industries Assn. "Now it's about figuring out how to safely assimilate the technology into national airspace."

That's the job of the Federal Aviation Administration, which plans to propose new rules for the use of small drones in January, a first step toward integrating robotic aircraft into the nation's skyways.

The agency has issued 266 active testing permits for civilian drone applications but hasn't permitted drones in national airspace on a wide scale out of concern that the pilotless craft don't have an adequate "detect, sense and avoid" technology to prevent midair collisions.

Other concerns include privacy — imagine a camera-equipped drone buzzing above your backyard pool party — and the creative ways in which criminals and terrorists might use the machines.

[...]

Sheriff's Department Cmdr. Bob Osborne said that there's "no doubt" that the department is interested in using drones. "It's just that the FAA hasn't come up with workable rules that we can harness it. If those roadblocks were down, we'd want to use it."

Drones' low-cost appeal has other industries interested as well.

Farmers in Japan already use small drones to automatically spray their crops with pesticides, and more recently safety inspectors used them at the crippled Fukushima Daiichi nuclear power plant. Archaeologists in Russia are using small drones and their infrared cameras to construct a 3-D model of ancient burial mounds. Officials in Tampa Bay, Fla., want to use them for security surveillance at next year's Republican National Convention.

But the FAA says there are technical issues to be addressed before they're introduced in civil airspace. Among them is how to respond if a communication link is lost with a drone — such as when it falls out of the sky, takes a nose dive into a backyard pool or crashes through someone's roof.

[...]

Drones could also be useful to real estate agents to showcase sprawling properties. Oil and gas companies want to utilize them to keep an eye on their pipelines. Even organizations delivering humanitarian assistance want to use drones.

Thursday, December 29, 2011

Terrorists Struggle To Gain Recruits On The Web

Via NPR -

Terrorist groups seemed to be all over the Web in 2011. There were al-Qaida videos on YouTube, Facebook pages by Islamic militants in Somalia, and webzines – like Inspire magazine – produced by al-Qaida affiliates in Yemen.

If there were an award for the best known terrorist music recording in the past couple of years, it would probably go to the Somali militia group al-Shabab for a YouTube video that extolled the virtues of jihad, or holy war.

The tune became so popular it was actually covered by other aspiring violent jihadis, who added hip-hop beats and rap lyrics.

The Shabab music video caught the attention of U.S. counter-terrorism officials. They saw it as dangerous because it was slick and catchy and in English. The video ignited an effort in Washington to figure out how to counter the use of social media among terrorist groups.

What no one is saying, however, is that the effort to use social media sites like Facebook and YouTube, and even Twitter, hasn't been the recruitment boon that terrorist organizations had been hoping for.

Terrorist groups appear to be still working out the kinks in their new media strategy and concerns about terrorists and social media may be overblown.

"The worry in official Washington has been that kids are going to be attracted by its message and that they are going to spontaneously arise and become terrorists," said Will McCants, an analyst at the Center for Naval Analysis. "But we just haven't seen the numbers to suggest that that's true. Before social media, after social media... it is just a trickle of individuals who get involved in terrorist activities."

McCants says U.S. officials — perhaps because they don't use social media on a regular basis — may see it as a larger menace than it actually is.

[...]

One of the early players in jihadi social media was a radical Islamic organization called Revolution Muslim. Based in New York, the group's founders claimed that the RevMuslim blog received 1,500 hits a day. Its YouTube channel had some 1,000 subscribers. The group was open about its goals to establish Islamic law in the U.S., destroy Israel, and take al-Qaeda's messages to the masses.

Revolution Muslim became like a gateway drug for young men, enabling those who might be just tangentially interested in the global jihad to link up with real jihadists in Pakistan and other places.

[...]

There is one part of government that has learned to exploit the intersection of terrorism and the web: law enforcement.

The New York Police Department and FBI never shut the Revolution Muslim website down because it provided leads on young men who were inclined toward violent extremism. Now law enforcement can go to Facebook to provide the same kind of intelligence.

"I have been very surprised by the number of people who are moving to Facebook who are talking openly about their admiration for al-Qaeda," said CNA's McCants. "This can be a great boon for law enforcement because you can watch the flow of propaganda and you can see who is connecting to whom and if they are getting in the orbit of very dangerous people."

Al-Shabab, the Islamist militia that produced that popular music video, now has a Twitter account with thousands of followers. The joke among terrorism experts? About 99 percent of them are journalists and law enforcement.


--------------------------------------------------------------------------------

https://twitter.com/#!/will_mccants/status/152488334629941248
Just heard some guy in radio promo for NPR segment today. I thought "Why is he speaking so slowly? Holy shit, that's me!"

=)

Wednesday, December 28, 2011

China’s New/Used Aircraft Carrier Ain’t Scary

Via Wired.com (Danger Room) -

When China launched the maiden voyage of its first aircraft carrier in August, it had a lot of eyes on it. Some were from way, way up in the heavens — specifically, DigitalGlobe’s satellites. They provide the clearest pictures yet of China’s much-heralded floating toy, and make it seem less than meets the eye.

Truth be told, the Shi Lang isn’t actually new-new. It’s more like the aircraft carrier equivalent of buying a used car. China purchased the Varyag, a Kuznetsov-class carrier from Ukraine, refurbished it, and set it to sea as Shi Lang, intending to show the world it was a first-class naval power.

And there’s something to that: Very few countries have a full-sized aircraft carrier at all. (The U.S. Navy has 10.) But the Shi Lang isn’t exactly state of the art. It carries mediocre aircraft and accompanies unimpressive ships. And DigitalGlobe’s satellites find that Shi Lang also “appears to lack the P-700 Granit surface-to-surface missiles that were part of the original Kuznetzov designs,” as Stratfor analyst Rodger Baker puts it.

Translation: sure, the Shi Lang is merely supposed to be a training ship, but it’s conspicuous that the first Chinese aircraft carrier can’t defend itself from seaborne threats.

The Shi Lang is probably best thought of as a starter aircraft carrier. Who knows what weaponry its next carrier — the one it’s building, not purchasing — will possess. And it can’t just be one new carrier, Baker says: “It will be years before China has the three hulls needed for minimum ability to keep one on station at all times.”

Stuxnet/Duqu: The Evolution of Drivers

Via SecureList (Kaspersky Lab) -

We have been studying the Duqu Trojan for two months now, exploring how it emerged, where it was distributed and how it operates. Despite the large volume of data obtained (most of which has yet to be published), we still lack the answer to the fundamental question - who is behind Duqu?

In addition, there are other issues, mostly to do with the creation of the Trojan, or rather the platform used to implement Duqu as well as Stuxnet.

In terms of architecture, the platform used to create Duqu and Stuxnet is the same. This is a driver file which loads a main module designed as an encrypted library. At the same time, there is a separate configuration file for the whole malicious complex and an encrypted block in the system registry that defines the location of the module being loaded and name of the process for injection.

This platform can conveniently be called 'Tilded', as its authors are, for some reason, inclined to use file names that start with "~d".

We believe Duqu and Stuxnet were simultaneous projects supported by the same team of developers.

Several other details have been uncovered which suggest there was possibly at least one further spyware module based on the same platform in 2007-2008, and several other programs whose functionality was unclear between 2008 and 2010.

These facts significantly challenge the existing "official" history of Stuxnet. We will try to cover them in this publication, but let us first recap the story so far.

[...]

Conclusion

From the data we have at our disposal, we can say with a fair degree of certainty that the “Tilded” platform was created around the end of 2007 or early 2008 before undergoing its most significant changes in summer/autumn 2010. Those changes were sparked by advances in code and the need to avoid detection by antivirus solutions. There were a number of projects involving programs based on the “Tilded” platform throughout the period 2007-2011. Stuxnet and Duqu are two of them – there could have been others, which for now remain unknown. The platform continues to develop, which can only mean one thing – we’re likely to see more modifications in the future.

US Will Not 'Tolerate' Disruption of Vital Oil Strait Traffic

Via VOA News -

The U.S. military says it will not tolerate disruptions in Strait of Hormuz traffic as Iran has threatened to block oil shipments coming through the waterway.

A spokeswoman for the Bahrain-based U.S. Fifth Fleet said the flow of goods through the strait is "vital to regional and global prosperity." Lieutenant Rebecca Rebarich said Wednesday the U.S. Navy is ready to "counter malevolent actions" to ensure navigation freedom.

Earlier Wednesday, Iran's top naval officer, Admiral Habibollah Sayyari, said closing the Strait of Hormuz would be "very easy" for his forces, though he added no immediate action was "necessary."

Sayyari is the second Iranian official this week to raise the possibility of closing the entrance to the Persian Gulf in response to Western threats to put sanctions on Iran's petroleum exports because of the country's controversial nuclear program.

[...]

Iran's warnings have come as its naval forces continue a 10-day exercise in the strait and nearby waters that began on Saturday.

[...]

European Union ministers have said that a decision on further economic sanctions - including a boycott of Iranian oil - would be made in the coming weeks. The vast majority of Iran's foreign revenue comes from oil exports.

More than one-third of the world's tanker-borne oil supply passes through the Strait of Hormuz. A closure could temporarily cut off some oil supplies and force shippers to use longer, more expensive routes.

It could impact the price of oil worldwide. After an initial spike following the Iranian threats, however, oil futures edged lower on Wednesday.

The Associated Press quoted a Saudi oil ministry official as saying Gulf oil producers would be ready to step in, if necessary, to make up for any losses of Iranian crude.

Tuesday, December 27, 2011

Body Language vs Micro-Expressions

Via Psychology Today's SpyCatcher Blog -

Thoughtful questions often prompt thoughtful analysis and recently a series of questions from a reader regarding "micro-expressions" had such an effect on me. His questions made me stop and think about how the public perceives "micro expressions" and their significance in our overall understanding of body language, and more importantly, their relevance in detecting deception.

By now most people have heard of "micro-expressions" as a result of the show Lie to Me, or because the term has been popularized by the media. In fact, I routinely run into people who say they have taken courses on "micro-expressions" and have been "certified" or who want to become experts on "micro-expressions." (It reminds me of when students first wanted to be "criminal profilers" and then they wanted to be "CSI agents," just like on TV, now I guess it is "micro-expression experts") That's fine I say, but what about the rest of the body? And that is when I hear silence. After all, the rest of the body is transmitting information about thoughts, desires, fears, emotions, and intentions with far more regularity. If someone ventilates their shirt or hides their thumbs while being asked questions, you should know what that means beyond it's hot and they don't know what to do with their hands (it means: issues, discomfort, insecurities) because there may be no "micro-expressions" to help you at all.

[...]

Recommendation

After studying nonverbals for over 40 years, I think it is wiser to understand what all of the body communicates, not just the face, or just "micro-expressions." Especially knowing that the feet are more accurate than the face in revealing sentiments and intentions and that all of our body is constantly transmitting vital information (Navarro 2008).

If you truly want to learn about body language and nonverbal communications and go beyond the tripe usually served on television, give yourself a treat and read Desmond Morris' trilogy on nonverbals (Manwatching, Bodywatching, Peoplewatching). Morris looks at humans with the critical eye of a scientist discovering a new species and explains why we do the things we do. He is an authority without equal when it comes to nonverbal communications and as a zoologist and anthropologist, will open your eyes as no other author or expert can, with perhaps the exception of Charles Darwin, who started it all one day while watching orangutans in the London zoo.

Chinese Confirm Beidou SatNav System is Operational

Via The Register UK -

Chinese officials have confirmed that the country’s Beidou satellite navigation system is operational, albeit mainly in China, and say they plan to have free, global coverage in place by 2020.

At a press conference the China Aerospace Science and Technology Corporation said that Beidou – which translates as Big Dipper - is providing location data and SMS messaging using a network of ten satellites currently in orbit, and another six launches are planned for next year. Once operational, they should cover most of the Asia/Pacific region, and will form the backbone of a global system of over 30 satellites that should be in place by 2020.

Company spokesman Ran Cheng made a formal commitment that the Beidou service would be free to all and said that the Chinese would be working on interoperability with the US GPS system, Russia’s GLONASS and the forthcoming EU Galileo network. An initial version of the interface control documentation has been published online.

[...]

China plans to add many more satellites for a variety of purposes over the coming years, and wants 100 in orbit under the current schedule, according to spokesman Zhao Xiao-chun. Last year China had 19 launches he said, compared to 18 from the US - but behind Russia with 36.

Having its own global positioning system will give Chinese global ambitions a fillip, since the vast bulk of the world currently runs on the US GPS network. Russia has spent billions upgrading and adding to its GLONASS satellite system, initially constructed in the 1980s but which fell into disrepair during the post-Cold War collapse, and this should be operational within a year or so.

The EU has been lagging behind on this front, mainly down to squabbling over funding methods and cost overruns. Its Galileo network should be operational by 2014 – emphasis on the “should” as we were due to have it next year – with plans for global coverage by 2019.

The news of China’s plans will be causing some furrowed brows at the Pentagon. Global positioning is vital for modern warfare and some of the more excitable members of the military have been suggesting that having an alternative system would let China destroy GPS if war ever came, and the US already has plans for satellites to monitor orbital war.

Monday, December 26, 2011

Mexico Captures Drug-Lord's Top Lieutenant

Via CNN -

Mexican army special forces have arrested a top lieutenant for alleged drug kingpin Joaquin "El Chapo" Guzman, the Defense Ministry said Monday.

Troops arrested Felipe Cabrera Sarabia on Friday in "a surgical operation in Culiacan" in the northwestern state of Sinaloa, said Ricardo Trevilla Trejo, a Defense Ministry spokesman.

Cabrera, who was responsible for the activities of the Pacific Cartel in Durango and the southern part of the state of Chihuahua, was detained after fleeing from Durango, Trevilla told reporters.

"The analysis of his behavior permitted (us) to find the building where he was hiding" and Cabrera was taken into custody without violence, Trevilla said. Firearms, computer equipment and other documentation were seized, too, he said.

Cabrera, who appeared Monday in the office of a prosecutor who specializes in organized crime, was responsible for Guzman's security in Durango, the state-run Notimex news agency said.

[...]

Guzman, who is under indictment by U.S. authorities in Chicago, New York and Los Angeles, is described by the U.S. Drug Enforcement Administration as one of "the most powerful drug traffickers in Mexico." In 2004, the U.S. government announced a $5 million reward for information leading to his arrest and conviction.


----------------------------------------------------------------

Joaquin "El Chapo" Guzman heads Mexico's and the world's largest and most powerful drug trafficking organization, the Sinaloa Cartel, named after the Mexican Pacific coast state of Sinaloa where it was initially formed.

How Downed U.S. Drone Helps China

Via The Diplomat (Dec 24, 2011) -

The loss of a U.S. RQ-170 stealth drone over eastern Iran has led to speculation that the Unmanned Aerial Vehicle (UAV) will eventually find its way into Chinese hands. Access to the drone could allow China to use reverse engineering to incorporate key technologies into its own indigenous aerospace systems and to develop countermeasures that would make it harder for U.S. stealth UAVs and aircraft to operate near China. Iran has significant political, military, and financial incentives to provide such access, reversing the usual flow of technology from China to Iran.

Despite the claims of some Iranian officials, Iran lacks the technical capacity to exploit and duplicate the advanced technologies in the RQ-170 on its own. Providing access to China could therefore generate benefits in terms of expanded Iranian access to Chinese military technologies, potential future access to UAV countermeasures, and Chinese diplomatic support in Iran’s confrontation with the West over its nuclear program.

[...]

Access to the RQ-170 would give Chinese engineers the opportunity to study the drone’s sensor systems, control and communication systems, and the materials and design elements that make it stealthy. Access to the drone might further allow engineers to understand how its subsystems are fused together and how it operates as an integrated whole. Even if the Chinese aerospace industry can’t use reverse engineering to produce an indigenous equivalent of the RQ-170, Chinese engineers could probably learn enough from the RQ-170 to develop improved countermeasures and defenses against it and similar systems. China is already devoting considerable attention to improving its air defenses and developing means to defeat U.S. stealth technology, and so access to the RQ-170 would facilitate Chinese efforts to understand how advanced U.S. UAVs operate and to devise new ways to exploit their operational weaknesses.

It’s unclear whether Iranian air defenses or countermeasures played a role in downing the RQ-170. A senior Pentagon official, speaking on condition of anonymity, told the Washington Post that there was a “95 percent chance” that the drone crashed due to technical malfunction. In later statements, U.S. officials flatly denied Iranian claims that a sophisticated cyber attack brought down the RQ-170, but have been less definitive about whether Iran might have used other means like GPS jamming to interfere with the drone’s flight.

But even if the loss of the RQ-170 over Iran was due to a technical malfunction, Chinese access to the drone may eventually help produce countermeasures and improved air defenses that make it harder for the United States to operate stealthy UAVs over hostile territory. Iran would be a prime customer for such systems; a Chinese commitment to sell UAVs and countermeasures might be part of Iran’s price tag for access to the RQ-170.

JASON on Severe Space Weather and the Electric Grid

Via FAS Secrecy News (Dec 20, 2011) -

The U.S. electric power grid is vulnerable to damage from severe electromagnetic solar storms and remedial measures should be taken to reduce that vulnerability, a new study (large pdf) from the JASON scientific advisory panel concluded.

On the other hand, the JASONs said, catastrophic worst-case scenarios advanced by some are not plausible, and they should not serve as a basis for policy making.

Public disclosure of the new JASON study was blocked by the Department of Homeland Security, which sponsored the analysis. But a copy was obtained by Secrecy News.

“Concerns about the vulnerabilities of technical infrastructure to space weather have been growing since the sun entered the early stages of the current sunspot cycle in 2009, increasing prospects for severe solar storms,” the report said.

“We agree that the U.S. electric grid remains vulnerable,” the JASONs concluded. “Mitigation should be undertaken as soon as possible to reduce the vulnerability of the U.S. grid. The cost appears modest compared to just the economic impact of a single storm,” they added.

But the panel declined to endorse a worst-case scenario proposed in 2010 by J. Kappenman (large pdf), who envisioned “the possibility of catastrophic damage to the U.S. electric grid, leaving millions without power for months to years.”

“We are not convinced that the worst case scenario… is plausible. Nor is the analysis it is based on, using proprietary algorithms, suitable for deciding national policy,” the JASON report said.

[...]

Ironically, the Department of Homeland Security, which requested the JASON study, refused to make it publicly available. In a November 20 letter to the Federation of American Scientists, DHS said that no portion of the study would be released under the Freedom of Information Act because it was subject to the “deliberative process privilege.” A copy of the report was obtained independently.

No, China Does Not Have 3,000 Nuclear Weapons

Via FAS Strategic Security Blog (Dec 3, 2011) -

Only the Chinese government knows how many nuclear weapons China has. As in most other nuclear weapon states, the number is a closely held secret. Even so, it is possible to make best estimates of the approximate size that benefit the public debate.

A recent example of how not to make an estimate is the study recently published by the Asia Arms Control Project at Georgetown University. The study (China’s Underground Great Wall: Challenge for Nuclear Arms Control) suggests that China may have as many as 3,000 nuclear weapons.

Although we don’t know exactly how many nuclear weapons China has, we are pretty sure that it doesn’t have 3,000. In fact, the Georgetown University estimate appears to be off by an order of magnitude.

[...]

Conclusions

The Georgetown University study has collected an impressive amount of scattered information from the Internet about Chinese underground facilities. That is obviously interesting in and of itself, but in terms of assessing Chinese nuclear capabilities, it does the public debate a disservice by disseminating exaggerated and poorly analyzed information.

Readers can obviously read into the report what they want, but a quick Google search for news article headlines about the report shows the damage: “China may have 3000 n-warheads;” “China’s nuclear arsenal ‘many times larger’ than previously thought;” “China ‘hiding up to 3,000 nuclear warheads in secret tunnels.” Many people will not remember the details, but they tend to remember the headlines. A misperception will stick in the public consciousness that China has 3,000 nuclear weapons hidden in tunnels.

But China does not have 3,000 nuclear weapons. It has neither produced the fissile material needed to build that many, nor does it have enough delivery vehicles to deliver that many warheads. The Georgetown University study warhead estimate appears to be off by an order of magnitude.

China is in the middle of a significant military modernization and it is important that it is not hyped or exaggerated but analyzed and understood for what is actually happening.

Sunday, December 25, 2011

CFR - The World Next Year: 2012

http://www.cfr.org/us-strategy-and-politics/world-next-year-2012/p26893

In this special edition, CFR.org Editor Robert McMahon and CFR's Director of Studies James Lindsay preview major world events in the coming year.

Saturday, December 24, 2011

Kim Jong-il Son Cleared as Top Military Commander

Via New York Times -

North Korea’s state-run media on Saturday published an entreaty to the country’s new young leader, Kim Jong-un, to become “supreme commander” of the military, signaling that his succession is moving forward unimpeded.

The military’s support is considered crucial to his consolidating control after the death of his father, Kim Jong-il, a week ago, and the commentary is part of the pattern set when Kim Jong-il took power: entreaties are made and then the leader graciously accepts.

[...]

The state-run media’s call for Kim Jong-un to lead the military suggests that, at least for now, he is on pace to take full control of the country. Analysts outside North Korea had long predicted that a regent might rule while Kim Jong-un gained more experience. While he could still be subject to power plays by influential leaders, it appears for now that he will not have to share control publicly.

South Korea and the United States have been worried that a power struggle could lead the North to lash out with some type of military strike to build the new leader’s military credentials. But the announcement that Kim Jong-un will continue his father’s military-first policy raises the same worry.

Analysts have already suggested that he was involved in the planning of two attacks on the South in 2010: the sinking of a warship and the shelling of an island. Fifty South Koreans died in the two attacks. North Korea has denied responsibility for the sinking.

[...]

The military is not the only group of elites that Kim Jong-un must keep in line. On Saturday, the North Korean news media reported that the young Mr. Kim released truckloads of fish to Pyongyang residents, presenting them as a gift from his deceased father. In the centrally controlled country, the only families who can live in the capital are those deemed particularly trustworthy, including families of party members and military officers.

The reports Saturday carried photos of housewives lining up to receive rations of herring and pollock at state-run grocery stores.

-------------------------------------------------------------------

Reuters Exclusive: North Korea's Military to Share Power with Kim's Heir (Dec 21, 2011)
http://www.reuters.com/article/2011/12/21/us-korea-north-exclusive-idUSTRE7BK0FX20111221
North Korea will shift to collective rule from a strongman dictatorship after last week's death of Kim Jong-il, although his untested young son will be at the head of the ruling coterie, a source with close ties to Pyongyang and Beijing said.

The source added that the military, which is trying to develop a nuclear arsenal, has pledged allegiance to the untested Kim Jong-un, who takes over the family dynasty that has ruled North Korea since it was founded after World War Two.

The source declined to be identified but has correctly predicted events in the past, telling Reuters about the North's first nuclear test in 2006 before it took place.

Friday, December 23, 2011

APT: Amnesty International Site Serving Java Rhino Exploit

Via Krebs on Security -

Amnesty International‘s homepage in the United Kingdom is currently serving malware that exploits a recently-patched vulnerability in Java. Security experts say the attack appears to be part of a nefarious scheme to target human rights workers.

The site’s home page has been booby trapped with code that pulls a malicious script from an apparently hacked automobile site in Brazil. The car site serves a malicious Java applet that uses a public exploit to attack a dangerous Java flaw that I’ve warned about several times this past month. The applet in turn retrieves an executable file detected by Sophos antivirus as Trojan Spy-XR, a malware variant first spotted in June 2011.

[...]

This is hardly the first time Amnesty International’s sites have been hacked to serve up malware. The organization’s site was hacked in April 2011 with a drive-by attack. In November 2010, security firm Websense warned Amnesty International’s Hong Kong Web site was hacked and seeded with an exploit that dropped malware using a previously unknown Internet Explorer vulnerability.


--------------------------------------------------------------

Human Rights Group Used to Spy on Activists
The exploit payload possesses properties of targeted malware but is being served by an exploit of a popular, public website. The working theory for this anomaly relates to Amnesty International as a human rights non-governmental organization. To explain, certain countries use zero day exploits and other techniques to gain electronic information about the activities of human rights activists. Of course, a subset of these activists are too smart to click on links in even well-worded spearphishing emails. But what if you compromised a website frequented by these activists (e.g., Amnesty International)? Then your targets come to you. The context-specific damage potential is significant.
-------------------------------------------------------------

In recent weeks, I have become aware of APT actors using the CVE-2011-3544 exploit in targeted attacks. This Amnesty International attack seems to match all the characteristics associated with previous attacks on human rights organizations - many of which were believed to be APT actors as well.

Information Warfare Monitor has been blogging about attacks against human rights organizations for some time...

Flash Malware Leads to Poison Ivy RAT on Human Rights Site (July 2011)

Ongoing Attacks on Human Rights Web sites and the Problem of Attribution (April 2011)

Flash cache exploit debuts in Amnesty attack (April 2011)

Nobel Peace Prize, Amnesty HK and Malware (Nov 2010)

Human Rights and Malware Attacks (Aug 2010)
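The chain Krebs describes has two observable halves: a legitimate homepage that includes a script from an unrelated third-party host, and a second stage that drops a Java applet into the page. The Python scanner below is an added example, not code from Krebs, Amnesty International or any of the posts listed above. It flags off-site script and iframe includes on a page and Java applet/object loaders in the markup a second stage produces. The hostnames (ngo.example, cdn.ngo.example, autos.example.br) and both HTML samples are constructed placeholders, not the real Amnesty or Brazilian car-site addresses.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# MIME types and the plug-in CLSID that hand an <object>/<embed> to the Java runtime.
JAVA_MIME_TYPES = {"application/x-java-applet", "application/x-java-vm",
                   "application/x-java-bean"}
JAVA_PLUGIN_CLSID = "clsid:8ad9c840-044e-11d1-b3e9-00805f499d93"


class DriveByScanner(HTMLParser):
    """Collects (kind, reference) findings while parsing one HTML document."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def _off_site(self, url):
        # Relative URLs have no host and are by definition same-site;
        # protocol-relative "//host/x.js" does carry a host and is checked.
        host = urlparse(url).hostname
        if host is None:
            return False
        host = host.lower()
        return host != self.page_host and not host.endswith("." + self.page_host)

    def handle_starttag(self, tag, attrs):
        # Valueless attributes come through as None; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("script", "iframe") and a.get("src"):
            if self._off_site(a["src"]):
                self.findings.append(("external_" + tag, a["src"]))
        elif tag == "applet":
            self.findings.append(("java_applet", a.get("archive") or a.get("code", "")))
        elif tag in ("object", "embed"):
            is_java = (a.get("type", "").lower() in JAVA_MIME_TYPES
                       or a.get("classid", "").lower() == JAVA_PLUGIN_CLSID)
            if is_java:
                self.findings.append(("java_object", a.get("archive") or a.get("data", "")))


def scan_page(html, page_host):
    """Return the findings for one document served from page_host."""
    scanner = DriveByScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed stage-one page (hypothetical host ngo.example): the site's own
# scripts plus one include that points at an unrelated third-party host.
STAGE_ONE = """<html><head>
<script src="/static/site.js"></script>
<script src="https://cdn.ngo.example/lib.js"></script>
<script type="text/javascript" src="http://autos.example.br/img/ws.js"></script>
</head><body><h1>Campaigns</h1></body></html>"""

# Constructed stage-two markup, as the third-party script would write it into
# the page: a 1x1 applet plus an <object> variant for the Java plug-in.
STAGE_TWO = """<applet code="Main.class" archive="jre.jar" width="1" height="1">
<param name="cfg" value="1">
</applet>
<object type="application/x-java-applet" archive="jre.jar" width="1" height="1">
<param name="code" value="Main.class">
</object>"""

if __name__ == "__main__":
    for host, doc in (("ngo.example", STAGE_ONE), ("autos.example.br", STAGE_TWO)):
        for kind, ref in scan_page(doc, host):
            print(f"{host}: {kind} -> {ref}")
```

Two caveats for real use. An off-site script include is only a lead, not a verdict: analytics and CDN hosts show up the same way, so the finding needs a reputation or allow-list check behind it. And in a live drive-by the applet tag is usually written into the DOM by the second-stage JavaScript rather than present in the static HTML, so the second scan has to run against rendered output (a saved DOM or the fetched second-stage content), not the raw homepage source.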

Thursday, December 22, 2011

Former Pakistan Army Chief Reveals Intelligence Bureau Harbored Bin Laden in Abbottabad

Via The Jamestown Foundation -

In spite of denials by the Pakistani military, evidence is emerging that elements within the Pakistani military harbored Osama bin Laden with the knowledge of former army chief General Pervez Musharraf and possibly current Chief of Army Staff (COAS) General Ashfaq Pervez Kayani. Former Pakistani Army Chief General Ziauddin Butt (a.k.a. General Ziauddin Khawaja) revealed at a conference on Pakistani-U.S. relations in October 2011 that according to his knowledge the then former Director-General of Intelligence Bureau of Pakistan (2004 – 2008), Brigadier Ijaz Shah (Retd.), had kept Osama bin Laden in an Intelligence Bureau safe house in Abbottabad. In the same address, he revealed that the ISI had helped the CIA to track him down and kill on May 1. The revelation remained unreported for some time because some intelligence officers had asked journalists to refrain from publishing General Butt’s remarks. [1] No mention of the charges appeared until right-wing columnist Altaf Hassan Qureshi referred to them in an Urdu-language article that appeared on December 8.

In a subsequent and revealing Urdu-language interview with TV channel Dawn News, General Butt repeated the allegation on December 11, saying he fully believed that “[Brigadier] Ijaz Shah had kept this man [Bin Laden in the Abbottabad compound] with the full knowledge of General Pervez Musharraf… Ijaz Shah was an all-powerful official in the government of General Musharraf.” Asked whether General Kayani knew of this, he first said yes, but later reconsidered: “[Kayani] may have known – I do not know – he might not have known.” The general’s remarks appeared to confirm investigations by this author in May 2011 that showed that the Abbottabad compound where bin Laden was captured and killed was being used by a Pakistani intelligence agency. However, General Butt failed to explain why Bin Laden was not discovered even after Brigadier Shah and General Musharraf had left the government.

General Butt was the first head of the Strategic Plans Division of the Pakistan army and the Director General of Inter-Services Intelligence (ISI) under Nawaz Sharif, Prime Minister of Pakistan from 1990 to 1993, and again from 1997 to 1999. Sharif promoted General Ziauddin Butt to COAS after forcibly retiring General Pervez Musharraf on October 12, 1999, but the army’s top brass revolted against the decision and arrested both Prime Minister Sharif and General Butt while installing Musharraf as the nation’s new chief executive, a post he kept as a chief U.S. ally until resigning in 2008 in the face of an impending impeachment procedure.

Brigadier Shah has been known or is alleged to have been involved in several high profile cases of terrorism. The Brigadier was heading the ISI bureau in Lahore when General Musharraf overthrew Prime Minister Sharif in October 1999. Later, General Musharraf appointed Shah as Home Secretary in Punjab. As an ISI officer he was also the handler for Omar Saeed Sheikh, who was involved in the kidnapping of Wall Street Journal journalist Daniel Pearl in 2002. Omar Saeed Sheikh surrendered to Brigadier Shah who hid him for several weeks before turning him over to authorities. In February 2004, Musharraf appointed Shah as the new Director of the Intelligence Bureau, a post he kept until March 2008 (Daily Times [Lahore] February 26, 2004; Dawn [Karachi] March 18, 2008). The late Pakistani Prime Minister Benazir Bhutto accused Brigadier Shah, among others, of hatching a conspiracy to assassinate her (The Friday Times [Lahore], February 18-24).

Prime Minister Nawaz Sharif and the Pakistani top military brass had serious differences on several issues. One of the most serious of these concerned Pakistan’s relations with Osama bin Laden. However, the disastrous 1999 Kargil conflict in Kashmir overshadowed all of these. General Butt says that Prime Minister Sharif had decided to cooperate with the United States and track down Bin Laden in 1999. According to a senior adviser to the Prime Minister, the general staff ousted Sharif to scuttle the “get-Osama” plan, among other reasons: “The evidence is that the military regime abandoned that plan.” [7] General Butt corroborates this. In his latest interview, he says that Prime Minister Nawaz Sharif had constituted a special task force of 90 American-trained commandos to track down Bin Laden in Afghanistan. If the Sharif government had continued on this course, this force would likely have caught Bin Laden by December 2001, but the plan was aborted by Ziauddin Butt’s successor as ISI general director, Lieutenant General Mahmud Ahmed.

More Sykipot Malware Clues Point To China

Via InformationWeek -

The Sykipot malware used in recent, targeted attacks against defense contractors appears to have been designed, at least in part, to steal information relating to U.S. military drones and unmanned aerial vehicles.

To date, "there have been a lot of different campaigns with different command-and-control servers," said researchers at Alienvault Labs in a blog post. "The modus operandi is simple, they send emails with a malicious attachment or link, sometimes using a zero-day exploit [on] key employees of different organizations."

The Sykipot malware used in recent targeted attacks involved JavaScript-embedded malicious PDF files that were emailed to targets, and which exploited a zero-day Adobe Reader vulnerability that was recently patched.

[...]

The Alienvault researchers found that the related attack campaigns appear to have been running since at least August 2011, although the command-and-control server used was first registered in March 2011.

Again, the drone-information-seeking Sykipot variant is but one of many. Symantec said it's seen "unconfirmed traces" of Sykipot dating as far back as 2006. But the Sykipot family of malware only appeared to become widespread last year, via obfuscated script files that exploited Internet Explorer vulnerabilities to execute arbitrary code.

Interestingly, the Alienvault researchers found that while many of the command-and-control servers involved in Sykipot appear to be based in the United States, it appears that attackers "used well-known public exploits to hack into U.S.-based servers and then [installed] ... software to proxy the connections between the infected systems and the real C&C server."

Most of those C&C servers use a Web server known as Netbox, which is a Windows-based server that allows developers to deploy ASP applications as standalone executables. All told, about 80% of the world's Netbox servers are located in China. Furthermore, the tool's documentation is available solely in Mandarin. That squares with previous research into Sykipot conducted by Symantec, which found that the malware produced Chinese-language error messages.

The Alienvault researchers also cross-referenced which of those Netbox servers were using a digital certificate that was known to have been employed as part of the Sykipot attacks. Ultimately, they matched seven IP addresses, all owned by "China Unicom Beijing province network." Of those, six appeared to point directly to a known Sykipot C&C server.

"Most of the domains used on these campaigns are registered on Xinnet, a Chinese domain registrant," said the researchers. "Also the information [for] the domain owners (names, addresses, etc.) are from China." But they said the ownership information wasn't reliable, since it could easily be faked. Even so, the evidence appears quite strong that whoever is behind Sykipot speaks Chinese, and may be based in China. Of course, whether they're state-backed hackers or freelance operators--perhaps working for businesses--remains unknown.
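The infrastructure pivot the Alienvault researchers describe (filter on the Netbox banner, match the certificate already tied to the campaign, then look at who owns the resulting addresses), written out as an added Python example. This is not the researchers' code. Every record, fingerprint, owner and registrar name in it is constructed, and the IPs are documentation-range addresses. It also reflects the article's two caveats: a US-hosted proxy that presents the same certificate still scores as a hit, and registrant data is carried in the record but deliberately never scored, because it is easily faked.

```python
"""Infrastructure pivot in the manner described above: start from one hard
indicator (a certificate fingerprint already tied to the campaign), find other
hosts presenting it, and use soft indicators (server banner, registrar) only to
rank, never to convict.

Constructed example data: documentation-range IPs, made-up fingerprints,
owners and registrar names. Nothing here is a real indicator.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class HostRecord:
    ip: str
    server_banner: str        # HTTP Server header seen by a scanner
    cert_sha1: str            # fingerprint of the TLS certificate the host serves
    as_owner: str             # network owner from routing data
    registrar: str            # registrar of the domain that resolves here
    registrant_country: str   # self-reported WHOIS field; trivially falsified


# Constructed sample: two C&C hosts, one US-hosted proxy that fronts the same
# certificate, one unrelated Netbox host, one unrelated server.
HOSTS = [
    HostRecord("192.0.2.10", "Netbox Version 2.8 Build 4128", "cafe01", "Constructed ISP North", "registrar-x", "CN"),
    HostRecord("192.0.2.11", "Netbox Version 2.8 Build 4128", "cafe01", "Constructed ISP North", "registrar-x", "CN"),
    HostRecord("192.0.2.12", "Apache/2.2.3 (CentOS)", "cafe01", "Constructed Hosting US", "registrar-y", "US"),
    HostRecord("192.0.2.13", "Netbox Version 2.8 Build 4128", "beef02", "Constructed ISP North", "registrar-x", "CN"),
    HostRecord("198.51.100.5", "nginx/1.0.4", "dead03", "Constructed Cloud EU", "registrar-z", "DE"),
]

KNOWN_BAD_CERT = "cafe01"          # constructed: fingerprint already attributed to the campaign
SUSPECT_REGISTRAR = "registrar-x"  # constructed: stand-in for a registrar recurring in the campaign

# A reused certificate is an artefact the operator controls; a banner or a
# registrar is shared with thousands of legitimate hosts. The weights make a
# hit impossible on soft indicators alone (the threshold equals the hard weight).
WEIGHTS = {"cert_match": 5, "netbox_banner": 1, "suspect_registrar": 1}
HIT_THRESHOLD = WEIGHTS["cert_match"]


def score_host(host, bad_cert=KNOWN_BAD_CERT, registrar=SUSPECT_REGISTRAR):
    """Return (score, reasons) for one host. registrant_country is carried but never scored."""
    reasons = []
    if host.cert_sha1 == bad_cert:
        reasons.append("cert_match")
    if host.server_banner.lower().startswith("netbox"):
        reasons.append("netbox_banner")
    if host.registrar == registrar:
        reasons.append("suspect_registrar")
    return sum(WEIGHTS[r] for r in reasons), reasons


def pivot(hosts, threshold=HIT_THRESHOLD):
    """Return hits sorted strongest first, plus a breakdown of who owns the hit addresses."""
    scored = [(h, *score_host(h)) for h in hosts]
    hits = sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])
    owners = Counter(h.as_owner for h, _, _ in hits)
    return hits, owners


def hit_ips(hosts):
    """Convenience: just the addresses that cleared the threshold, strongest first."""
    return [h.ip for h, _, _ in pivot(hosts)[0]]


if __name__ == "__main__":
    hits, owners = pivot(HOSTS)
    for host, score, reasons in hits:
        print(f"{host.ip:14} score={score} {','.join(reasons)}  owner={host.as_owner}")
    print("owner breakdown:", dict(owners))
```

On the constructed data the two Netbox hosts and the US proxy come out as hits, the proxy on the certificate alone, while the fourth host (Netbox banner and suspect registrar, but a different certificate) stays below the threshold. That ordering is the point: the banner and registrar statistics in the article are corroboration, and the certificate is what actually links hosts to the campaign.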


---------------------------------------------------------------------------------

Are the Sykipot’s authors obsessed with next generation US drones?
http://labs.alienvault.com/labs/index.php/2011/are-the-sykipots-authors-obsessed-with-next-generation-us-drones/

Monday, December 19, 2011

STRATFOR Dispatch: Kim Jong Il's Death and North Korea's Transition

http://www.stratfor.com/analysis/20111219-dispatch-kim-jong-ils-death-and-north-koreas-transition

Vice President of Strategic Analysis Rodger Baker examines the prospects for political stability in North Korea following the death of Kim Jong Il.

Read more: Dispatch: Kim Jong Il's Death and North Korea's Transition | STRATFOR


-----------------------------------------------------------------

Basically, there will be a level of uncertainty & uneasiness for some time...but ensuring a smooth transition is the primary focus of the North Korean elite currently.

Mexico Drug Cartels Kidnap Telecommunication Workers to Build Private Phone Networks

Via NPR (Dec 9th, 2011) -

The Mexican military has recently broken up several secret telecommunications networks that were built and controlled by drug cartels so they could coordinate drug shipments, monitor their rivals and orchestrate attacks on the security forces.

A network that was dismantled just last week provided cartel members with cellphone and radio communications across four northeastern states. The network had coverage along almost 500 miles of the Texas border and extended nearly another 500 miles into Mexico's interior.

Soldiers seized 167 antennas, more than 150 repeaters and thousands of cellphones and radios that operated on the system. Some of the remote antennas and relay stations were powered with solar panels.

In announcing the operation, a spokesman for the Mexican army in Monterrey, Maj. Margarito Mendez Guijon, said the clandestine system allowed organized criminals to communicate throughout all of northeast Mexico.

[...]

Kidnappings Linked To Technical Needs

Stewart says these networks are relatively simple to build and often use commercially available equipment. But the Zetas still needed technicians and engineers to design, construct and maintain their system.

And it appears that they got at least some of this expertise through kidnappings.

Over the past two years, at least 13 cellphone network technicians have been abducted in northeastern Mexico. None of them have returned alive. Two radio communication specialists working for the state-run oil company Pemex disappeared in 2010 and were later found dead. The other 11 remain missing.

In the northeastern state of Coahuila, Blanca Martinez works with a support group for family members of the disappeared. She says in 2009, a group of Nextel technicians who were repairing cell towers in Tamaulipas were abducted from their hotel. Martinez says it wasn't a normal kidnapping.

She says there has never been a ransom demand in any of the cases involving telecommunications workers. Martinez says this is quite unusual in kidnappings. Wives of several missing Nextel workers say they believe their husbands are still being forced to work for the cartels.

APT: The Sykipot Campaign

Via TrendMicro Malware Blog -

Last week reports surfaced about a “zero-day” exploit for Adobe Reader (CVE-2011-2462) that had been actively used in targeted attacks beginning in November. The malicious PDFs were emailed to targets along with text encouraging the target to open the malicious attachment. If opened, the malware known as BKDR_SYKIPOT.B installs onto the target system. The reported targets have been the defense industry and government departments.

Targeted attacks are typically organized into campaigns. Such a campaign commences as a series of attacks against a variety of targets over time – and not isolated “smash and grab” attacks. While information about any particular incident may be less than complete, over time we aim to assemble the various pieces (attack vectors, malware, tools, infrastructure, targeting) to gain a broader understanding of a campaign.

The Sykipot campaign, which has been known by many names over the years, can be traced back to 2007 and possibly 2006. Here, I will focus on a few key incidents, though there have been a variety of attacks consistently over the years.

A similar attack occurred in September 2011 that used a government medical benefits document as lure. This attack also leveraged a zero-day exploit in Adobe Reader (CVE-2010-2883). In March 2010, the malware was used in conjunction with a zero-day exploit of Internet Explorer 6. That’s three zero-day exploits in the last two years.

Another attack was reported in September 2009 that leveraged CVE-2009-3957 using information about a defense conference and the identity of a well-known think-tank as lure. In August 2009, there was another attack targeting government employees leveraging the theme of emergency management and the identity of the Federal Emergency Management Agency (FEMA) as lure. The same command and control (C&C) server used in this attack was also used in a 2008 attack.

Finally, an attack was reported in February 2007 that used malicious Microsoft Excel files (CVE-2007-0671) to drop malware that is functionally similar and most likely the predecessor of BKDR_SYKIPOT.B. The C&C server used in this attack was used in attacks dating back to 2006.

[...]

All of the samples over the years contain a backdoor functionality that allows the attackers to have a remote shell on the compromised computers. While the old versions execute shell commands via cmd.exe, the new ones execute via the winexec API. This provides the attackers with full remote control of the victim.

The Sykipot campaign remains a high priority threat.


-----------------------------------------------------------------------------------------------------

APT Attackers Maximize the Return on Exploit Investment (ROEI)

Given the research time it takes to find a new exploitable vulnerability and then develop a working, reliable exploit for it, it makes sense that attackers want to maximize the return on their exploit 'investment'. Of course, the 'return' for this type of threat actor (APT) is not money but the amount of sensitive data that can be obtained from the targeted companies. In this specific case, attackers were seen using unencrypted PDFs, AESv3-encrypted PDFs and at least two zero-day vulnerabilities in Adobe Reader. The use of AESv3-encrypted PDFs is of particular interest, given that AESv3 was implemented in Reader for developer purposes and is not yet widely used or an accepted standard.

Sunday, December 18, 2011

North Korean Leader Kim Jong Il Dies

Via Bloomberg -

The following is a reformatted version of an e-mailed statement released today by the official Korean Central News Agency announcing the death of North Korean dictator Kim Jong Il.

“Kim Jong Il, general secretary of the Workers’ Party of Korea, chairman of the DPRK National Defence Commission and supreme commander of the Korean People’s Army, passed away from a great mental and physical strain at 08:30 December 17, 2011, on train during a field guidance tour.

“The WPK Central Committee and Central Military Commission, DPRK National Defence Commission, Presidium of the Supreme People’s Assembly and Cabinet released a notice on Saturday informing the WPK members, servicepersons and all other people of his passing away.”


-------------------------------------------------------------------

Kim Jong-un Poised to Extend his Family's Dynasty
http://www.telegraph.co.uk/news/worldnews/asia/northkorea/8964914/Kim-Jong-un-poised-to-extend-his-familys-dynasty.html

Saturday, December 17, 2011

CFR - The World Next Week: December 15, 2011

http://www.cfr.org/us-strategy-and-politics/world-next-week-december-15-2011/p26810

CFR's Director of Studies James M. Lindsay and CFR.org Editor Robert McMahon preview major world events in the week ahead. In this week's podcast: the Arab Spring's one year anniversary is marked; the U.S. Senate must pass a funding bill or face a government shutdown; and the Mercosur summit convenes in Uruguay.

-------------------------------------------

Best Quote = "What's Basketball?...I had totally forgotten we had professional basketball in this country."

Friday, December 16, 2011

Adobe Kills Two Actively Exploited Bugs in Reader

Via The Register UK -

Adobe has released updates for its Reader and Acrobat applications that fix two vulnerabilities that attackers were exploiting to seize control of Windows-based machines.

Version 9.4.6 of the programs fix two memory-corruption bugs that Adobe says are “being actively exploited in limited, targeted attacks in the wild” against machines running Windows. The same bugs are present in Mac and Unix versions of the applications, but there are no reports of machines running them being exploited. The bugs are also present in Reader X for Windows, but a security sandbox, which Adobe added last year to minimize the damage that results from code flaws, prevents the attacks from working.

As a result, those versions will be updated next month, during a regularly scheduled patch release.

Adobe warned of the attacks earlier this month in an advisory that credited military contractor Lockheed Martin and the Defense Security Information Exchange. A day later, researchers from antivirus provider Symantec warned that email-born attacks exploiting the flaw to install the Backdoor.Sykipot were detected as early as November 1. The vulnerability in the U3D, or Universal 3D, file format is identified as CVE-2011-2462.

On Friday, Adobe said a second vulnerability – in an RPC, or remote procedure call, component – was also under attack. It's identified as CVE-2011-4369. Adobe representatives provided no other details of the vulnerability, except to say they are “only aware of one instance” of it being used.


-------------------------------------------

APSB11-30: Security Updates Available for Adobe Reader and Acrobat 9.x for Windows
http://www.adobe.com/support/security/bulletins/apsb11-30.html

Tuesday, December 13, 2011

Key US Lawmaker: Iran Did Not Shoot Down RQ-170 Drone

Via Google (AP) -

A key US lawmaker on Tuesday denied Iran's claims of having brought down a US drone, saying "technical" problems pulled the state-of-the-art unmanned aircraft from the sky and into Tehran's hands.

"I will say without hesitation that this is not something that anyone had anything to do with coming down with, other than a technical problem," said US House Intelligence Committee Chairman Mike Rogers, a Republican.

"There was a technical problem that was our problem, nobody else's problem. I think there's a lot of PR (public relations) going on," he said at The Foreign Policy Initiative think tank's 2011 forum.

[...]

Iran has vowed to reverse engineer the drone but has given contradictory accounts of how the aircraft went down on December 4. Tehran initially said it shot down the drone, but later claimed the Iranian military managed to hack into the plane's flight controls.

Rogers said "it's not a good day for the United States" anytime a hostile nation nabs a piece of high-tech intelligence hardware, but played down the potential impact of Tehran dismantling and analyzing the drone.

"The good news is: While they're spending time re-engineering, we will be spending time engineering, and that's the biggest difference," he said.

"They're very proud that they're going to re-engineer this, and I hope they spend five, six, seven, eight years doing that, that would be great, because we'll be long past that" level of technology, said Rogers.

US President Barack Obama acknowledged for the first time Monday that the drone was in Iranian hands, and said the United States has asked Tehran to return the sophisticated aircraft.

"We've asked for it back. We'll see how the Iranians respond," Obama said at a news conference with Iraqi Prime Minister Nuri al-Maliki.

[...]

Obama, however, shed no further light on the plane's mission or why it failed to return to a base in Afghanistan.

"These things are not infallible," said Rogers.

Higgs Boson: ‘Tantalizing Hints’ but No Direct Proof in Particle Search

Via New York Times -

Two teams of scientists sifting debris from high-energy proton collisions in the Large Hadron Collider at CERN, the European Center for Nuclear Research, said Tuesday that they had recorded “tantalizing hints” — but only hints — of a long-sought subatomic particle known as the Higgs boson, whose existence is a key to explaining why there is mass in the universe. It is likely to be another year, however, before they have enough data to say whether the elusive particle really exists, the scientists said.

The putative particle weighs in at about 125 billion electron volts, about 125 times heavier than a proton and 500,000 times heavier than an electron, according to one team of 3,000 physicists, known as Atlas, for the name of their particle detector. The other equally large team, known as C.M.S. — for their detector, the Compact Muon Solenoid — found bumps in their data corresponding to a mass of about 126 billion electron volts.

If the particle does exist at all, it must lie within the range of 115 to 127 billion electron volts, according to the combined measurements. “We cannot conclude anything at this stage,” said Fabiola Gianotti, the Atlas spokeswoman, adding, “Given the outstanding performance of the L.H.C. this year, we will not need to wait long for enough data and can look forward to resolving this puzzle in 2012.”

Over the last 20 years, suspicious bumps that might have been the Higgs have come and gone, and scientists cautioned that the same thing could happen again, but the fact that two rival teams using two different mammoth particle detectors had recorded similar results was considered to be good news. Physicists expect to have enough data to make the final call by the summer.

The Atlas result has a chance of less than one part in 5,000 of being due to a lucky background noise, which is impressive but far short of the standard for a “discovery,” which requires one in 3.5 million odds of being a random fluctuation. Showing off one striking bump in the data, Ms. Gianotti said, “If we are just being lucky, it will take a lot of data to kill it.”


-----------------------------------------------------------------------------

CERN Press Release
http://press.web.cern.ch/press/pressreleases/Releases2011/PR25.11E.html
The main conclusion is that the Standard Model Higgs boson, if it exists, is most likely to have a mass constrained to the range 116-130 GeV by the ATLAS experiment, and 115-127 GeV by CMS. Tantalising hints have been seen by both experiments in this mass region, but these are not yet strong enough to claim a discovery.

Higgs bosons, if they exist, are very short lived and can decay in many different ways. Discovery relies on observing the particles they decay into rather than the Higgs itself. Both ATLAS and CMS have analysed several decay channels, and the experiments see small excesses in the low mass region that has not yet been excluded.

Taken individually, none of these excesses is any more statistically significant than rolling a die and coming up with two sixes in a row. What is interesting is that there are multiple independent measurements pointing to the region of 124 to 126 GeV. It's far too early to say whether ATLAS and CMS have discovered the Higgs boson, but these updated results are generating a lot of interest in the particle physics community.

Monday, December 12, 2011

Mexico's Navy Captures Zetas Leader "El Lucky"

Via Reuters (Dec 12, 2011) -

Mexico's navy captured a leader of the Zetas drug cartel, Raul Fernandez, President Felipe Calderon said on Monday via his Twitter account.

Fernandez, who is also known as "El Lucky" (The Lucky One), had a bounty of 15 million pesos ($1.09 million) on his head, operated in the Gulf state of Veracruz as well as the central state of Puebla and Oaxaca state in the south, Calderon said.

The Zetas, formed at the end of the 1990s by deserters from elite army forces, are believed to have been behind some of the bloodiest crimes against civilians in recent years including the arson attack on a casino in northern Mexico that killed 52 people in August.

Since sending in the army five years ago to crack down on cartel activity, Calderon has made a point of targeting top leaders. With Fernandez's capture, Calderon said the government had accounted for 22 of Mexico's 37 most-wanted drug lords.


-------------------------------------------------

Raúl Lucio Fernandez-Lechuga (alias El Lucky) was a Mexican drug lord of Los Zetas. He was captured on Monday, December 12, 2011. The government of Mexico had listed Fernandez-Lechuga as one of its 37 most-wanted drug lords and offered the equivalent of over $2 million USD for information leading to his capture.

A Never Before Seen Optical Trick Creates Ultra-Secure Cash

Via Fast Company (Technology) -

If all goes as planned, the world's supply of cash will soon be secured with a nano-scale optical defense that is as secure as it is visually impressive. Using arrays of holes no bigger than a virus, scientists at Toronto-based Nanotech Security have created an atoms-thick display that can be read by humans or machines and that shines with the brightness of a typical LED despite using nothing but reflected light.

The technology was inspired by the Blue Morpho butterfly, whose brilliant blue coloration comes not from pigment but the way that tiny holes in its scales reflect light. But the tech, called Nano-Optic Technology for Enhanced Security (NOtES), is different from the Morpho butterfly's wings, and pretty much all other bio-inspired reflective optical technologies, in that it is both extraordinarily thin and functions even in dim light.

NOtES exploits an obscure area of physics to accomplish its bright and sharp display, known as plasmonics. Light waves interact with the array of nano-scale holes on a NOtES display--which are typically 100-200 nanometers in diameter--in a way that creates what are called "surface plasmons." In the words of the company, this means light "[collects] on the films surface and creates higher than expected optical outputs by creating an electromagnetic field, called surface plasmonic resonance."

Exploit Kit Intelligence: Blackhole 1.2.1 & Java

Building on top of the reports by Brian Krebs over at Krebs on Security....

Steven over at the XyliBox blog outlines the recent update to the Blackhole Exploit Kit.
BlackHole 1.2.1:
1. Added Java Rhino exploit [CVE-2011-3544], working silently on all browsers and OS, this increased success rate.
2. Java SMB, Java Skyline, Java Trust removed for no need (Java Rhino covers the whole range of vulnerable JRE from these exploits)
According to just the single instance of Blackhole outlined by Steven, the CVE-2011-3544 exploit was responsible for over 83% of the successful infections made by this specific kit. That is huge!

PDF exploits followed Java with just 11% of the successful hits, very likely due to Adobe's work to harden Adobe Reader X against PDF exploitation.

------------------------------------------------------------------------

CVE-2011-3544: Oracle Java Applet Rhino Script Engine Remote Code Execution
http://schierlm.users.sourceforge.net/CVE-2011-3544.html

------------------------------------------------------------------------

Oracle Java SE Critical Patch Update Advisory - October 2011
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
This Critical Patch Update contains 20 new security fixes for Oracle Java SE - including CVE-2011-3544.
Users are recommended to update to Java 6 Update 29 or Java 7 Update 1 to close the CVE-2011-3544 vulnerability.

Sunday, December 11, 2011

The Covert Intelligence War Against Iran

Via STRATFOR (Security Weekly) -

There has been a lot of talk in the press lately about a “cold war” being waged by the United States, Israel and other U.S. allies against Iran. Such a struggle is certainly taking place, but in order to place recent developments in perspective, it is important to recognize that the covert intelligence war against Iran (and the Iranian response to this war) is clearly not a new phenomenon.

Indeed, STRATFOR has been chronicling this struggle since early 2007. Our coverage has included analyses of events such as the defection to the West of Iranian officials with knowledge of Tehran’s nuclear program; the Iranian seizure of British servicemen in the Shatt al Arab Waterway; the assassination of Iranian nuclear scientists; the use of the Stuxnet worm to cripple Iranian uranium enrichment efforts; and Iranian efforts to arm its proxies and use them as a threat to counteract Western pressure. These proxies are most visible in Iraq and Lebanon, but they also exist in Yemen, Afghanistan, Syria, the Palestinian territories, Saudi Arabia and other Gulf states.

While the covert intelligence war has been under way for many years, the tempo of events that can readily be identified as part of it has been increasing over the past few months. It is important to note that many of these events are the result of hidden processes begun months or even years previously, so while visible events may indeed be increasing, the efforts responsible for many of them began to increase much earlier. What the activities of recent months do tell us is that the covert war between Iran and its enemies will not be diminishing anytime soon. If anything, with the current withdrawal of U.S. troops from Iraq and Iranian nuclear efforts continuing, we likely will see the results of additional covert operations — and evidence of the clandestine activity required to support those operations.

Read more: The Covert Intelligence War Against Iran | STRATFOR


---------------------------------------------------------------------

CFR - Crisis Guide: Iran
http://www.cfr.org/interactives/CG_Iran/index.html#/overview/

Of particular note is the "Analyzing The Options" section.

Saturday, December 10, 2011

This Week at War: Disposable Warfare

Via Foreign Policy (Small Wars) -

This week we learned that a stealthy RQ-170 Sentinel unmanned aerial vehicle (UAV) crashed 140 miles inside Iran with its wreckage recovered by Iranian security forces. Dubbed "the Beast of Kandahar" in 2009 after it appeared at a U.S. airbase there, the RQ-170 flew clandestine missions over Abbottabad, Pakistan, collecting intelligence prior to the May raid that killed Osama bin Laden. According to the Wall Street Journal, U.S. officials considered a covert mission to either recover or destroy the wreckage before Iranian forces were able to reach the crash site, before concluding that the drone's technology likely didn't warrant the risk of another intrusion into Iran.

Rather than slow the march toward the future of drone warfare, this incident only supports the expanded development and deployment of smarter and more capable drones. That means that U.S. officials and commanders will have to live with more such losses of sensitive drone hardware to adversaries.

[...]

The lesson learned from this incident is not to hold back on drone employment but rather to build better drones and to accept the risks that come with their use. Stealthier drones will soon be able to provide continuous observation of suspected targets, gathering information that was not previously available to policymakers, thus reducing some of the guesswork from decision-making. Drones will be able to fly very long missions beyond the physiological endurance of human aircrews. In expansive theaters like the Asia-Pacific region, this capability will reduce U.S. dependence on forward bases currently vulnerable to missile attack. Long-range UAVs on aircraft carriers will allow the Navy to conduct strike operations from much longer ranges and with greater safety to its ships. Finally, long-endurance drones will provide isolated infantry patrols with continuous scouting and fire support.

Next-generation drone development seems to be ahead of schedule. The Navy's combat UAV demonstrator project recently took 16 flights rather than the anticipated 49 flights to reach initial flight test milestones. This rapid advance in robotic aircraft is in stark contrast to the delays experienced by the F-35 Joint Strike Fighter, many caused by software problems in the F-35's manned cockpit. In explaining the Navy UAV's test success, the program manager, in a subtle dig at pilots, said, "we will not have to fly the platform as much as manned systems, which are less predictable."


-----------------------------------------------------

Several other stories on the RQ-170 crash and the possible consequences....

FP: Iran Has America's Super Spy Drone. So What?
http://www.foreignpolicy.com/articles/2011/12/09/iran_has_americas_super_spy_drone_so_what
That one of many drones dedicated to collecting intelligence over Iran has fallen into Iranian hands is also expected given the law of averages. Drones crash at rates higher than manned aircraft for any number of reasons, including human error, incorrect information, network interference, system failure, weather, or being shot down. As a former official warned: "It was never a matter of whether we were going to lose one but when."

US Air Force Times: Iran’s Captured RQ-170: How bad is the damage?
http://www.airforcetimes.com/news/2011/12/defense-iran-captured-rq-170-how-bad-120911/

Aviation Week: Downed UAV Technology Already Dated (Dec 5th)
http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/awx/2011/12/05/awx_12_05_2011_p0-401894.xml&headline=Downed%20UAV%20Technology%20Already%20Dated

Wednesday, December 7, 2011

Analyzing CVE-2011-2462 - Part One

Via 9bplus.com (Brandon Dixon) -

Before I went to bed last night I took a look at uploaded files to PDF X-RAY in hopes that Christmas would come early (CVE-2011-2462 in my reports) and was surprised when I came across a file with /U3D references. I snatched the file off the server, opened up my snapshots to the latest 9.4 build of Adobe and ran the file. Reader crashed, and a new document was successfully opened. That was enough to stay up, so analysis started and can be found below.

Read the full analysis by Brandon @ 9bplus.com

--------------------------------------

Mila Parkour also links to Brandon's analysis and adds additional information over at Contagio.
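As an added defender-side example (not code from Brandon's analysis, PDF X-RAY, or Contagio), here is a small triage script that flags PDFs carrying the /U3D references mentioned above. The post only notes that the file had /U3D references and crashed the 9.4 build; treating a /U3D reference as a triage indicator for CVE-2011-2462 samples is this example's assumption, not a statement from the post. It goes a little beyond a plain string search: PDF name objects may be hex-escaped (/#55#33#44 is the same name as /U3D) and dictionaries may sit inside Flate-compressed object streams, so both cases are handled. The sample PDF fragments are constructed for the demonstration and are not real documents.

```python
import re
import zlib

# Constructed sample PDF fragments (not real documents, not malware), used only
# to exercise the scanner. Each mimics one way a U3D stream can be declared.

# 1. Plain declaration: /Subtype /U3D in a 3D stream dictionary.
SAMPLE_PLAIN = (
    b"%PDF-1.7\n"
    b"4 0 obj\n<< /Type /3D /Subtype /U3D /Length 9 >>\nstream\n"
    b"U3D\x00\x00\x00\x00\x00\x00\nendstream\nendobj\n"
)

# 2. Same declaration with the name hex-escaped, which PDF syntax permits:
#    /#55#33#44 is the same name object as /U3D and must decode to it.
SAMPLE_ESCAPED = (
    b"%PDF-1.7\n"
    b"4 0 obj\n<< /Type /3D /Subtype /#55#33#44 /Length 9 >>\nstream\n"
    b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\nendstream\nendobj\n"
)

# 3. Declaration hidden inside a Flate-compressed object stream (/ObjStm),
#    so it is invisible to a byte search over the raw file.
_INNER = b"4 0 << /Type /3D /Subtype /U3D >>"
_DEFLATED = zlib.compress(_INNER)
SAMPLE_COMPRESSED = (
    b"%PDF-1.7\n9 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_DEFLATED)).encode()
    + b" >>\nstream\n" + _DEFLATED + b"\nendstream\nendobj\n"
)

# 4. Benign document with no 3D content at all.
SAMPLE_BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"

# A PDF name token: '/' followed by regular characters or #xx escapes.
NAME_RE = re.compile(rb"/((?:[^\x00-\x20/<>\[\]()%{}]|#[0-9A-Fa-f]{2})+)")
# Body of every stream ... endstream pair (trailing EOL left in; the inflater ignores it).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so /#55#33#44 compares equal to /U3D."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_names(data: bytes):
    """Yield every decoded name token in a byte buffer."""
    for m in NAME_RE.finditer(data):
        yield decode_name(m.group(1))


def inflated_streams(data: bytes):
    """Yield the decompressed body of every stream that inflates as zlib/Flate data."""
    for m in STREAM_RE.finditer(data):
        inflater = zlib.decompressobj()
        try:
            body = inflater.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (or corrupt): nothing to inflate
        yield body


def triage_u3d(data: bytes) -> dict:
    """Count U3D and 3D name references in the raw bytes and in inflated streams.

    The result is a triage indicator only: a /U3D reference means the file
    carries 3D content that Reader's U3D parser will process, not that the
    file is malicious.
    """
    found = {"u3d": 0, "name_3d": 0, "u3d_in_compressed_stream": 0}

    def tally(names, compressed):
        for name in names:
            if name == b"U3D":
                found["u3d"] += 1
                if compressed:
                    found["u3d_in_compressed_stream"] += 1
            elif name == b"3D":
                found["name_3d"] += 1

    tally(pdf_names(data), compressed=False)
    for body in inflated_streams(data):
        tally(pdf_names(body), compressed=True)
    found["flag"] = found["u3d"] > 0
    return found


if __name__ == "__main__":
    for label, sample in [("plain", SAMPLE_PLAIN), ("escaped", SAMPLE_ESCAPED),
                          ("compressed", SAMPLE_COMPRESSED), ("benign", SAMPLE_BENIGN)]:
        print(label, triage_u3d(sample))
```

The script reads whole files into memory and does not follow /Length or cross-reference tables, so it is a first-pass filter for a sample queue, not a parser; a hit is a reason to open the file in an instrumented sandbox, as the analysis above did, not a verdict.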

Al-Shabab Changes Name to 'Somali Islamic Emirate'

Via barigaafrika.com (Dec 7, 2011) -

A major conference to discuss the future of Al-Shabab which has been ongoing in Baydhabo, Bay Regions [south western Somalia] in the last five days has now been concluded after which a statement was issued.

The conference was attended by clerics from areas under Al-Shabab control as well as senior Al-Shabab officials, among them Sheikh Hasan Dahir Aweys, Shaykh Muqtar Robow and other prominent figures of the extremist group.

Towards the end of the conference, religious clerics attending the conference addressed the gathering in which they all expressed their excitement in the participation of the conference dubbed "the future of Al-Shabab".

The statement issued at the end of the conference comprised seven major points, some of which the Somali public are already quite familiar with, while others are new and are to effect major changes in Al-Shabab.

[...]

The name 'Movement for the Al-Shabab Mujahidin' is to be replaced with 'Somali Islamic Emirate'. It has been said that as from the time of the release of the statement, the official name for the men who used to be known as Al-Shabab will be 'Somali Islamic Emirate'.

Some of the new points in the statement include the formation of a new organization for Somali religious scholars that is to be under Al-Shabab which has been renamed as Islamic Emirate. It is believed that the whole point of this conference was to change Al-Shabab's name given that the rest of the points in the statement are issues which have already been implemented in areas under the group's control.

Mexico: Gadhafi Son Tried to Enter Country Under False Name

Via Google News (AP) -

Mexico said Wednesday that a son of the late Libyan dictator Moammar Gadhafi and three relatives had plotted to sneak into Mexico under false names and take clandestine refuge at a posh Pacific coast resort.

The elaborate plan to bring al-Saadi Gadhafi to Mexico allegedly involved two Mexicans, a Canadian and a Danish suspect, all of whom have been detained, Interior Secretary Alejandro Poire said.

He did not reveal which relatives had planned to accompany Al-Saadi Gadhafi, who is known for his love of professional soccer and run-ins with police in Europe.

The plot was uncovered by Mexican intelligence agents in early September as al-Saadi was fleeing Libya shortly after his father's ouster. He never made it to Mexico, but did reach the Western African country of Niger, where he has been living.

The plotters allegedly jetted into Mexico, opened bank accounts and bought properties meant to be used as safe houses in several parts of the country, including one at a resort on Mexico's Pacific coast.

"The large economic resources which this criminal organization has, or had, allowed them to contract private flights," Poire told a news conference.

Poire said the leader of the plot was a Canadian woman he identified as Cynthia Vanier. He said she had been detained on Nov. 10 and is being held, along with three other suspects, under a form of house arrest on suspicion of using false documents, human smuggling and organized crime.

Poire said Vanier "was the direct contact with the Gadhafi family and the leader of the group, and presumably was the person in charge of the finances of the operation."

The plot also allegedly involved a Mexican woman who lived in the United States, who Poire said served as the liaison to obtain the falsified Mexican identity documents.

A Danish man was "the logistic liaison" for the plan, Poire said. He said the alleged conspirators also traveled to Kosovo "and several Middle Eastern countries."

"The activities of the criminal organization in our country included the falsification of official documents, the opening of bank accounts with false documents (and) the purchase of real estate that was intended, among other things, to serve as a residence for the Gadhafi family at a house located in the zone of the Bahia de Banderas," just north of the resort of Puerto Vallarta, Poire said.

The Mexican officials made no mention of Moammar Gadhafi himself being involved in the plan, and Poire did not say which relatives might have planned to accompany the son to Mexico. The elder Gadhafi was ousted from power in late August and was captured and killed in Libya on Oct. 20.

Symantec: Four-Fold Increase in the Number of Daily Targeted Attacks Since January

Via Symantec Intelligence Blog -

With targeted attacks and advanced persistent threats being very much in the news this year, we thought it would be a good time as the end of the year draws closer to begin our review of targeted attacks and look more closely at what has been described as “advanced persistent threats” or APTs for short. Terms such as APT have been overused and sometimes misused by the media, but APTs are a real threat to some companies and industries.

In November, one in 255 emails was malicious, but approximately one in 8,300 of those were highly targeted. This means that highly targeted attacks, which may be the precursor to an APT, account for approximately one in every two million emails, still a rare incident rate. Targeted malware in general has grown in volume and complexity in recent years, but as it is designed to steal company secrets, it can be very difficult for recipients to recognize, especially when the attacker employs compelling social engineering techniques, as we highlight in this report.

A persistent threat residing inside your company’s network may be the by-product of a successful targeted attack; rather than the targeted email itself containing an APT, it is likely to contain a downloader component for the actual APT. Hence, targeted attacks of this nature can lead to an APT being deployed on your network if you don’t have the right defenses in place.

[...]

Targeted attacks have been around for a number of years now, and when they first surfaced back in 2005, Symantec.cloud would identify and block approximately one such attack in a week. Over the course of the following year, this number rose to one or two per day and over the following years it rose still further to approximately 60 per day in 2010 and 80 per day by the end of the first quarter of 2011. By November 2011, the number of attacks blocked rose to approximately 94 per day, almost four times the number in January.

[...]

The types of organizations being targeted tended to be large, well-known multi-national organizations, and were often within particular industries, including the public sector, defense, energy and pharmaceutical. In more recent years the scope has widened to include almost any organization, including smaller and medium-sized businesses.

[...]

To find out more, the full report can be downloaded here (PDF).

------------------------------------------------------------------------------------

The number of targeted attacks outlined by Symantec is only representative of Symantec E-mail service customers and Symantec.cloud customers; however, two general points can be taken from the data. Targeted attacks are happening on a daily basis, and the range of sectors which experience targeted attacks continues to increase and widen.

Whitepaper - Advanced Persistent Threats: A Symantec Perspective
http://www.symantec.com/content/en/us/enterprise/white_papers/b-advanced_persistent_threats_WP_21215957.en-us.pdf

"An APT is always a targeted attack, but a targeted attack is not necessarily an APT."

Tuesday, December 6, 2011

New Adobe Reader Zeroday Used in Targeted Attacks

Via Adobe Secure Software Engineering Team (ASSET) Blog -

We have just posted Security Advisory APSA11-04 regarding a new vulnerability (CVE-2011-2462) that is currently being exploited in the wild in limited, targeted attacks against Adobe Reader 9.4.6 on Windows. Here is a summary of our approach to address this issue:

  • We are planning to release an out-of-cycle security update for Adobe Reader and Acrobat 9.x for Windows no later than the week of December 12, 2011.
  • Because Adobe Reader X Protected Mode and Adobe Acrobat X Protected View would prevent an exploit targeting this vulnerability from executing, we are planning to address this issue in Adobe Reader and Acrobat X for Windows with the next quarterly security update on January 10, 2012.
  • The risk to Macintosh and UNIX users is significantly lower. We are therefore planning to address this issue in Adobe Reader and Acrobat X and earlier versions for Macintosh as part of the next quarterly update on January 10, 2012. An update to address this issue in Adobe Reader 9.x for UNIX is planned for January 10, 2012.

The reason for addressing this issue quickly for Adobe Reader and Acrobat 9.4.6 for Windows is simple: This is the version and platform currently being targeted. All real-world attack activity, both in this instance and historically, is limited to Adobe Reader on Windows. We have not received any reports to date of malicious PDFs being used to exploit Adobe Reader or Acrobat for Macintosh or UNIX for this CVE (or any other CVE).

[...]

I’d like to take this moment to encourage any remaining users still running Adobe Reader or Acrobat 9.x (or worse, older unsupported versions) to PLEASE upgrade to Adobe Reader or Acrobat X. We put a tremendous amount of work into securing Adobe Reader and Acrobat X, and, to date, there has not been a single piece of malware identified that is effective against a version X install. Help us help you by running the latest version of the software!


------------------------------------------------------

http://www.adobe.com/support/security/advisories/apsa11-04.html

Acknowledgments
Adobe would like to thank Lockheed Martin CIRT and members of the Defense Security Information Exchange for reporting this issue and for working with Adobe to help protect our customers.

Downed RQ-170 Drone Was On CIA Mission

Via CNN's Security Clearance Blog -

A stealth US drone that crashed in Iran last week was part of a Central Intelligence Agency reconnaissance mission which involved both intelligence community and military personnel stationed in Afghanistan, two U.S. officials tell CNN. The officials said they did not believe the mission involved flying the drone directly over Iran because the reconnaissance capability of the RQ-170 drone allows it to gather information from inside Iran while remaining on the Afghanistan side of the border. The officials also for the first time acknowledged to CNN it was an RQ-170 drone that was lost.

When the drone crashed in Iran late last week, the U.S. briefly considered all potential options for retrieving the drone or bombing the wreckage, according to a third official. But those ideas were relatively quickly discarded as impractical, the official said. There was also satellite surveillance over the site which helped confirm the location of the wreckage before the Iranians retrieved it.

All of the officials have direct knowledge of the events, but spoke on the condition of anonymity because of sensitive intelligence matters. CIA officials have declined to comment.

Monday, December 5, 2011

Senior US Official: American RQ-170 Drone in Iranian Hands

Via MSNBC (Dec 5, 2011) -

Iran's military has recovered a super-secret American stealth drone after the unmanned vehicle flew out of control and crashed inside Iran, NBC News reported Monday, citing a senior U.S. official.

According to the official, the RQ-170 drone was flying inside Afghanistan along the Iranian border, when ground commanders "lost control" of the aircraft. It took a "hard turn" into Iran and ultimately crashed, the source said.

Iranian media reported on Sunday that their country's military had shot down a U.S. reconnaissance drone in eastern Iran, but a U.S. official said there was no indication the aircraft had been shot down.


--------------------------------------------------

Lockheed Martin RQ-170 Sentinel (aka Beast of Kandahar)
http://en.wikipedia.org/wiki/Lockheed_Martin_RQ-170_Sentinel
RQ-170 Sentinels have been deployed to Afghanistan, where one was sighted at Kandahar International Airport in late 2007. This sighting, and the Sentinel's secret status at the time, led Bill Sweetman to dub it the "Beast of Kandahar". The UAV being deployed to Afghanistan, despite the Taliban having no radar, has led to speculation that the aircraft is being used to spy on Pakistan or Iran.

On the night of 1/2 May 2011 at least one RQ-170 monitored the area while elements of the United States Naval Special Warfare Development Group launched an assault on the compound which resulted in bin Laden's death.

There have been a number of reports, which the New York Times describes as "unconfirmed", that RQ-170s have operated over Iran during 2011 to spy on the country's missile and nuclear programs.

Operation Northeast: Mexican Military Dismantles Clandestine Radio Networks

Via Valley Central (AP) -

The Mexican army says its troops have dismantled a telecommunications system set up by organized crime in four northern states.

A Defense Department statement Thursday says soldiers confiscated 167 antennas and 166 power supplies that gang members used to communicate among themselves and to monitor military movements.

The operation also netted more than 1,400 radios and 2,600 cellphones in the border states of Tamaulipas, Nuevo Leon and Coahuila and in the state of San Luis Potosi.

The army hasn't said which cartel was affected.

During the summer, Mexico's navy dismantled a communication system used by the Zetas cartel in the Gulf state of Veracruz.

The Zetas have a strong presence in all four of the states involved in the army's operation.


-----------------------------------------------------------------

Official Statement (Spanish)
http://www.sedena.gob.mx/index.php/sala-de-prensa/comunicados-de-prensa-de-los-mandos-territoriales/8104-1-de-diciembre-de-2011-monterrey-nl

Google Translated Version (English)
http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.sedena.gob.mx%2Findex.php%2Fsala-de-prensa%2Fcomunicados-de-prensa-de-los-mandos-territoriales%2F8104-1-de-diciembre-de-2011-monterrey-nl&act=url

-----------------------------------------------------------------

By keeping their communications on infrastructure isolated from public telecommunication networks, such as the mobile operators, the cartels can communicate between members and cells spread across their territory with minimal risk of interception or detection.

Pakistan: Anti-Terror Agreements With U.S. To Be Dropped

Via The Express Tribune (Pakistan) -

Pakistan has decided to scrap all existing anti-terror cooperation agreements with the United States in a development that may not only take the uneasy alliance between the two countries to the point of no return but also impede world efforts at bringing sustainable peace in Afghanistan.

The decision, which was taken after consultations at the top civil and military levels following the Nato airstrikes, is part of a review of political, diplomatic and military ties with the US, officials familiar with the development told The Express Tribune.

This, however, does not mean the government is seeking a complete breakdown in the relationship with the US. Rather, it is aiming to enter a fresh agreement that clearly states in writing Pakistan’s ‘red lines’ and firm assurance from Washington not to violate those in the future, added the officials, who spoke on condition of anonymity because of the sensitivity of the issue.

MITEI: With Changes, The [U.S. Power] Grid Can Take It

Via MIT News -

Over the next two decades, the U.S. electric grid will face unprecedented technological challenges stemming from the growth of distributed and intermittent new energy sources such as solar and wind power, as well as an expected influx of electric and hybrid vehicles that require frequent recharging. But a new MIT study concludes that — as long as some specific policy changes are made — the grid is most likely up to the challenge.

Study co-director Richard Schmalensee, the Howard W. Johnson Professor of Economics and Management at the MIT Sloan School of Management, says the two-year study came about “because a number of us were hearing two sorts of rhetoric” about the U.S. power grid: that it’s on the brink of widespread failure, or that simply installing some new technology could open up wonderful new opportunities.

[...]

The report was commissioned by the MIT Energy Initiative (MITEI) and carried out by a panel of 13 faculty members from MIT and one from Harvard University, along with 10 graduate students and an advisory panel of 19 leaders from academia, industry and government.

While the grid’s performance is adequate today, decisions made now will shape that grid over the next 20 years. The MIT report recommends a series of changes in the regulatory environment to facilitate and exploit technological innovation. Among the report’s specific recommended changes: To enable the grid of the future — one capable of handling intermittent renewables — the United States will need effective and enhanced federal authority over decisions on the routing of new interstate transmission lines. This is especially needed, the report says, in cases where power is produced by solar or wind farms located far from where that power is to be used, requiring long-distance transmission lines to be built across multiple regulatory jurisdictions.

[...]

The MITEI report recommends that the Federal Energy Regulatory Commission (FERC) either be given the authority to make decisions in such cases, or be designated as the “backstop” authority in cases where there are disputes.

The grid would also benefit from a restructuring of the way customers pay for its costs, the study found. Payment for electric distribution, like payment for generation, is currently calculated based on usage. But most of the costs involved are fixed; they don’t depend on usage. This gives utilities incentives to resist distributed generation, such as homeowners installing rooftop solar panels, and gives consumers excessive incentives to install such systems — and thereby to shift their share of fixed network costs to their neighbors. Fixed network costs, the report says, should be recovered primarily through customer charges that don’t depend on electricity consumption.

In addition, while many utilities have begun to install “smart meters” for their customers, most of these are not yet being used to provide feedback to customers that could shift electricity usage to off-peak hours.

[...]

Another area that will require restructuring, the study concluded, is cybersecurity: The more thoroughly the grid is interconnected, and the more smart meters are added to gather data about usage patterns, the greater the risk of security breaches or cyberattacks on the system.

Thursday, December 1, 2011

STRATFOR Above the Tearline: Mexican Cartel Violence In Texas

http://www.stratfor.com/analysis/20111129-above-tearline-mexican-cartel-violence-texas

In this week’s Above the Tearline, we are going to look at an incident that appears to be a Mexican cartel-related murder in Texas.

Last Monday, in the Houston area, several undercover officers from a High Intensity Drug Trafficking Areas Task Force (known as a HIDTA) were following a tractor-trailer from south Texas transporting drugs in an undercover operation. Four suspects ambushed the truck, firing shoulder weapons, shooting and wounding a task force police officer and killing the driver, who media have identified as an undercover government informant.

Read more: Above the Tearline: Mexican Cartel Violence In Texas | STRATFOR

Sunday, November 27, 2011

Phone Hacking Tied to Terrorists

Via NY Times -

Four people in the Philippines hacked into the accounts of AT&T business customers in the United States and diverted money to a group that financed terrorist attacks across Asia, according to police officials in the Philippines.

A statement from the Philippines Criminal Investigation and Detection Group, a law enforcement agency, said three men and one woman had been arrested in raids across the capital, Manila, last week.

According to the agency, the men were working with a group called Jemaah Islamiyah, a terrorist group linked to Al Qaeda and responsible for the 2002 bombings in Bali, which killed 202 people.

The group has been held responsible for several other terrorist attacks in Southeast Asia, mostly in Indonesia but including the Philippines.

If the new accusation holds up, it would point to a troubling connection between hackers and terrorist cells.

The Federal Bureau of Investigation said on Saturday that it was working with the police in the Philippines on the investigation into the telephone hacking effort, which apparently began as early as 2009.

The suspects remotely gained access to the telephone operating systems of an unspecified number of AT&T clients and used them to call telephone numbers that passed on revenues to the suspects.


--------------------------------------------

Jemaah Islamiah (JI) is a Southeast Asian militant Islamic organization dedicated to the establishment of a Daulah Islamiyah (regional Islamic caliphate) in Southeast Asia incorporating Indonesia, Malaysia, the southern Philippines, Singapore and Brunei. JI was added to the United Nations 1267 Committee's list of terrorist organizations linked to al-Qaeda or the Taliban on 25 October 2002 under UN Security Council Resolution 1267.

After the 2002 Bali bombings, the U.S. State Department designated Jemaah Islamiah as a Foreign Terrorist Organization.

Saturday, November 26, 2011

UK Cyber Security Strategy: Protecting & Promoting the UK in a Digital World

http://www.cabinetoffice.gov.uk/sites/default/files/resources/The%20UK%20Cyber%20Security%20Strategy-%20web%20ver.pdf

Executive Summary

The internet is revolutionising our society by driving economic growth and giving people new ways to connect and co-operate with one another. Falling costs mean accessing the internet will become cheaper and easier, allowing more people in the UK and around the world to use it, ‘democratising’ the use of technology and feeding the flow of innovation and productivity. This will drive the expansion of cyberspace further and as it grows, so will the value of using it. Chapter 1 describes the background to the growth of the networked world and the immense social and economic benefits it is unlocking.

As with most change, increasing our reliance on cyberspace brings new opportunities but also new threats. While cyberspace fosters open markets and open societies, this very openness can also make us more vulnerable to those – criminals, hackers, foreign intelligence services – who want to harm us by compromising or damaging our critical data and systems. Chapter 2 describes these threats. The impacts are already being felt and will grow as our reliance on cyberspace grows.

The networks on which we now rely for our daily lives transcend organisational and national boundaries. Events in cyberspace can happen at immense speed, outstripping traditional responses (for example, the exploitation of cyberspace can mean crimes such as fraud can be committed remotely, and on an industrial scale). Although we have ways of managing risks in cyberspace, they do not match this complex and dynamic environment. So we need a new and transformative programme to improve our game domestically, as well as continuing to work with other countries on an international response.

Chapter 3 sets out where we want to end up – with the Government’s vision for UK cyber security in 2015.