Monday, February 28, 2011

Mexico Arrests Two Zetas in US Agent Jaime Zapata Murder

Via BBC -

Mexican authorities have arrested two alleged leaders of the Zetas drug gang in connection with the murder of a US immigration official.

The suspected local head of the Zetas drugs gang in the northern state of Coahuila, Sergio "El Toto" Mora, was arrested by marines in Saltillo.

Federal police meanwhile detained Luis Miguel Rojo in San Luis Potosi, where the attack took place. Another suspected gang member has been accused of killing Agent Jaime Zapata.

Julian Zapata Espinoza, who was arrested last week, told soldiers he and other gunmen opened fire on the agent's car, thinking it belonged to a rival gang, officials said.

Another US Immigrations and Customs (ICE) official, Victor Avila, was injured in the ambush outside the city of San Luis Potosi.

Mr Mora is suspected of running the Zetas' operations in San Luis Potosi. Mr Rojo is alleged to be responsible for handling the gang's finances in the region.

Jaime Zapata, a 32-year-old Texan, was assigned to the Immigration and Customs Enforcement Agency (ICE) human smuggling and trafficking unit.

He had been on attachment to the ICE office within the US embassy in Mexico City.

Sunday, February 27, 2011

Report: South Korea Spied on Indonesia Delegation

Via Google News (AFP) -

Members of South Korea's spy agency broke into a hotel room of a visiting high-level Indonesian delegation to try to steal sensitive information on a possible arms deal, a report said Monday.

A spokesman for the National Intelligence Service (NIS) denied the front-page report in Chosun Ilbo newspaper, but declined to elaborate.

The break-in last week has been previously reported but Chosun was the first newspaper to allege that NIS members carried it out.

The 50-member Indonesian presidential delegation visited last week for talks on economic cooperation, including the possible purchase of South Korea's T-50 Golden Eagle supersonic trainer jet and other weapons systems.

"The NIS agents, for the national interest, were trying to figure out the Indonesian delegation's negotiating strategies," Chosun quoted a senior Seoul official as saying. "Getting caught was an unintended mistake."

The paper said three agents entered the room in the Lotte hotel last Wednesday. It said they left after being disturbed by a delegate while looking at a laptop computer belonging to an aide to Economic Minister Hatta Rajasa.

The incident was reported by police and has caused a buzz in Seoul's diplomatic circles, Chosun said.

A group of NIS officials last Thursday visited the city's Namdaemun police station and took away all evidence including footage from the hotel's CCTV cameras, Munhwa Ilbo newspaper reported.

"They came to the station and took everything... the quality of CCTV footage was very good so it would not have been hard to identify the intruders," said one police officer quoted by Munhwa.


Hat-tip to

Trustwave's Global Security Report 2011

Based on data collected by Trustwave's SpiderLabs, this report includes analysis of investigations of data compromise in 2010, detailed technical information on top vulnerabilities and an actionable global remediation plan. In 2010, the most notable trend was the continued use of existing attack techniques despite the security industry's awareness of these vulnerabilities. The report discusses this trend, defines how companies across the globe are leaving themselves open to data security threats, and offers a top 10 list of strategic and attainable initiatives for all companies.


Very good report, compiled from data of real-world global investigations.

BTW, I hear that can be used to bypass the required e-mail registration. ;)

If the main doesn't work, try one of the alternative domains (e.g.

Saturday, February 26, 2011

BlackHole RAT: New Remote Access Trojan for Mac OS X

Via Naked Security (Sophos Blog) -

It appears there is a new backdoor Trojan in town and it targets users of Mac OS X. As even the malware itself admits, it is not yet finished, but it could be indicative of more underground programmers taking note of Apple's increasing market share.

SophosLabs analyzed the sample we received and determined that it is a variant of a well-known Remote Access Trojan (RAT) for Windows known as darkComet, although the Trojan's creator appears to be keen to call it BlackHole RAT.

The Mac OS X version is very basic and there appears to be a mix of German and English in the user interface. Its functions include:

* Placing text files on the desktop
* Sending a restart, shutdown or sleep command
* Running arbitrary shell commands
* Placing a full screen window with a message that only allows you to click reboot
* Sending URLs to the client to open a website
* Popping up a fake "Administrator Password" window to phish the target


SophosLabs has published protection for our customers as OSX/MusMinim-A. Trojans like this are frequently distributed through pirated software downloads, torrent sites, or anywhere you may download an application expecting to need to install it.


Spike in Apple Targeting
According to data from Cisco IntelliShield, while reported vulnerabilities and updates are on the rise from most major vendors, Apple shows the greatest increase.

“As with most large vendors with a broad product base and many new product and software releases, you’d expect to see a related increase in vulnerabilities,” explains Jeff Shipley, Security Research and Operations manager at Cisco. “In Apple’s case, the difference is that its products are being rapidly adopted by a growing user base, providing an attractive pool of potential targets.”

In other words, Apple reached the “tipping point” at which scammers see potential in shifting their exploits to a new venue.

Friday, February 25, 2011

Tatanga: A New Banking Trojan with Man-in-the-Browser Functions

Via S21sec Blog -

Recently our e-crime unit has detected a new banking trojan, named Tatanga, with Man-in-the-Browser (MitB) functions affecting banks in Spain, the United Kingdom, Germany and Portugal. Like SpyEye, it can perform automatic transactions, retrieving the mules from a server and spoofing the real balance and banking operations of the users. Its detection rate is very low, and the few antivirus engines that do detect it return only a generic result.

The trojan in question is rather sophisticated. It is written in C++ and uses rootkit techniques to conceal its presence, though on occasion its files are visible. The trojan downloads a number of encrypted modules (DLLs), which are decrypted in memory when injected into the browser or other processes, to avoid detection by antivirus software.

Thursday, February 24, 2011

Saudi National Arrested in Texas on Terror Charge

Via -

A Saudi national living in Texas was arrested Wednesday for allegedly researching and acquiring chemicals to make a bomb, authorities said Thursday.

Khalid Ali-M Aldawsari, 20, of Lubbock is accused of researching several possible targets, including the Dallas home of former President George W. Bush, and nuclear power plants and hydroelectric dams.

Aldawsari was arrested in Lubbock on a federal charge of attempted use of a weapon of mass destruction in connection with his alleged purchase of chemicals and equipment necessary to make an improvised explosive device, according to the Justice Department.

Aldawsari is expected to make his initial appearance in federal court in Lubbock on Friday morning, the Department of Justice said.


According to court records, Aldawsari has been researching online how to construct an improvised explosive device, or IED, using several chemicals as ingredients. He has also "acquired or taken a substantial step toward acquiring most of the ingredients and equipment" needed for the bomb.

Authorities said Aldawsari described his desire for violent jihad and martyrdom in blog postings and a personal journal.

Aldawsari conducted research on various targets and e-mailed himself information on these locations and people, the Department of Justice said.


"As alleged in the complaint, Aldawsari purchased ingredients to construct an explosive device and was actively researching potential targets in the United States. Thanks to the efforts of many agents, analysts and prosecutors, this plot was thwarted before it could advance further," said David Kris, assistant attorney general for national security. "This case serves as another reminder of the need for continued vigilance both at home and abroad."


Factbox: Details of Bomb Plot in U.S. by Saudi National
* Khalid Aldawsari was born in Saudi Arabia on April 24, 1990, and came to the United States on a student visa in September 2008. He took English language classes for a year and attended Texas Tech University where he majored in chemical engineering from August 2009 until last month. He then transferred to South Plains College to major in business.

* FBI agents received on February 1 a tip from a chemical supply company, Carolina Biological Supply in North Carolina, after Aldawsari tried to order 10 500-ml bottles of concentrated phenol, a chemical that can be used to make the explosive picric acid. A freight company also called police after he tried to have the chemicals delivered there.

* After receiving the tips, the FBI conducted an authorized review of his e-mail communications and a surreptitious search of his Texas apartment. They discovered he had successfully bought nitric acid and sulfuric acid, other materials to build a bomb, obtained directions on how to turn a cell phone into a remote detonator, and had drawn up lists of potential targets.

* FBI agents also found a journal belonging to Aldawsari in which he said that he had planned to commit an attack inside the United States for years and that he was inspired by al Qaeda leader Osama bin Laden's speeches. He also listed in the journal the steps he needed to take to carry out an attack, including getting fake U.S. documents, renting cars and placing the vehicles with bombs in them at different locations during rush hour.

* The list of targets for his alleged plot included the address in Dallas for former President George W. Bush, 12 reservoirs and dams in California and Colorado, nuclear power plants, New York City and a Dallas night club. He also researched baby accessories like a stroller, diapers and a doll as a possible way to conceal explosives or weapons.

Wednesday, February 23, 2011

80% Of Browsers Have Known Vulnerabilities

Via -

Roughly 80% of browsers today are insecure, owing to their having a known vulnerability either in the browser itself, or due to a vulnerable plug-in, such as an outdated version of Shockwave, Flash, the Java runtime environment, or QuickTime.

That finding comes from research conducted by vulnerability management and security policy compliance vendor Qualys. The results are based on the 200,000 people who, over the past 6 months, used the company's free BrowserCheck tool, which looks for known vulnerabilities in Internet Explorer, Firefox, Chrome, Safari, and Opera browsers, running on Windows, Mac OS X, or Linux machines. About 10% of people who used the tool appeared to be doing so from a corporate network.

Interestingly, more than half of browser vulnerabilities stem from plug-ins. "The number was very high for the plug-ins, higher than I had expected," said Wolfgang Kandek, CTO of Qualys, in an email interview.

The most common insecure browser plug-ins in use are (in order): Java, Adobe Reader, QuickTime, Flash, Shockwave, and Windows Media Player. Many of these plug-ins are widespread -- 97% of computers have the Adobe Flash plug-in installed, and 95% have one for Windows Media Player.

Meanwhile, only about 20% of browsers are insecure due to the native browser application (not counting plug-ins). Kandek said that's testament to browser makers' structured approach to updates, which includes alerting users or simply updating browsers automatically when a new version becomes available.
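The survey above rests on a simple distinction: is a host exposed because the browser itself is behind, or only because one of its plug-ins is? The script below is an added example (not Qualys or BrowserCheck code) that makes that distinction on a small inventory. The host records, the baseline "minimum patched" versions and the percentages it produces are all constructed for illustration; real patch levels come from vendor advisories, not from this table.

```python
"""
Browser and plug-in inventory check, in the spirit of the BrowserCheck-style
survey described above. Added example, not Qualys code: the host records, the
baseline versions and the resulting percentages are constructed.
"""
import re

# Constructed baseline: lowest version treated as patched, per component.
BASELINE = {
    "Firefox": "3.6.13",
    "Chrome": "9.0.597",
    "Java": "6.0.24",
    "Flash": "10.2",
    "Reader": "9.4.2",
}


def parse_version(text):
    """Turn '6.0.24' or '10.2 r154' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_outdated(name, version, baseline=BASELINE):
    """True when the component is in the baseline and older than it.
    Components absent from the baseline are reported as not outdated here; a
    real scanner should treat 'unknown' as its own state rather than as safe."""
    if name not in baseline:
        return False
    return parse_version(version) < parse_version(baseline[name])


def classify_host(host, baseline=BASELINE):
    """Split one host's exposure into the native browser versus its plug-ins."""
    browser_name, browser_version = host["browser"]
    outdated_plugins = sorted(
        name for name, ver in host["plugins"].items() if is_outdated(name, ver, baseline)
    )
    return {
        "native": is_outdated(browser_name, browser_version, baseline),
        "plugins": outdated_plugins,
    }


def summarize(hosts, baseline=BASELINE):
    """Aggregate a fleet into the three figures the survey reports."""
    total = len(hosts)
    insecure = native = plugin = 0
    for host in hosts:
        result = classify_host(host, baseline)
        if result["native"] or result["plugins"]:
            insecure += 1
        if result["native"]:
            native += 1
        if result["plugins"]:
            plugin += 1

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "hosts": total,
        "insecure_pct": pct(insecure),   # any known-outdated component
        "native_pct": pct(native),       # browser itself outdated
        "plugin_pct": pct(plugin),       # at least one plug-in outdated
    }


# Constructed fleet of five hosts (not survey data).
FLEET = [
    {"browser": ("Firefox", "3.6.13"), "plugins": {"Flash": "10.2", "Java": "6.0.24"}},
    {"browser": ("Firefox", "3.6.13"), "plugins": {"Java": "6.0.20"}},
    {"browser": ("Chrome", "8.0.552"), "plugins": {"Flash": "10.2"}},
    {"browser": ("Firefox", "3.5.9"), "plugins": {"Reader": "9.3", "Silverlight": "4.0"}},
    {"browser": ("Chrome", "9.0.597"), "plugins": {}},
]

if __name__ == "__main__":
    for host in FLEET:
        print(host["browser"], classify_host(host))
    print(summarize(FLEET))
```

On the constructed fleet, three of five hosts are exposed, but only one of those three has an outdated browser with fully patched plug-ins; the rest involve a plug-in, which is the shape of the finding the article reports. Note that a component missing from the baseline (Silverlight here) is silently passed, so an inventory tool needs a complete baseline before its "secure" verdict means anything.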

Night Dragon: Exxon, Shell Said to Have Been Hacked Via Chinese Servers

Via Bloomberg (Feb 23, 2011) -

Computer hackers working through Internet servers in China broke into and stole proprietary information from the networks of six U.S. and European energy companies, including Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc, according to one of the companies and investigators who declined to be identified.

McAfee Inc., a cyber-security firm, reported Feb. 10 that such attacks had resulted in the loss of “project-financing information with regard to oil and gas field bids and operations.” In its report, Sacramento-based McAfee, assisted by other cyber-security firms, didn’t identify the energy companies targeted. The attacks, which it dubbed “Night Dragon,” originated “primarily in China” and occurred during the past three years.

The list of companies hit, none of which disclosed the attacks in filings with regulators, also includes Marathon Oil Corp., ConocoPhillips and Baker Hughes Inc., according to the people who worked on or are familiar with the companies’ investigations and asked not to be identified because of the confidential nature of the matter.

Chinese hackers broke into the computer network of Baker Hughes, said Gary Flaharty, spokesman for the Houston-based provider of advanced drilling technology. Baker Hughes concluded the incident didn’t need to be disclosed because it wasn’t material to investors, he said, declining to comment further.

In some of the cases, hackers had undetected access to company networks for more than a year, said Greg Hoglund, chief executive officer of Sacramento-based HBGary Inc., a cyber-security company that investigated some of the security breaches at oil companies. Hoglund, who was cited by McAfee as a contributor to its report, declined to identify his clients.

“Legal information, information on deals and financial information are all things that appear to be getting targeted,” Hoglund said, summing up conclusions his firm made from the types of documents and persons targeted by the hackers. “This is straight up industrial espionage.”

Hackers targeted computerized topographical maps worth “millions of dollars” that show locations of potential oil reserves, said Ed Skoudis, whose company, Washington-based InGuardians Inc., investigated two recent breaches of U.S. oil companies’ networks. He declined to name his clients or the origin of the hackers.


'Night Dragon' sounds very similar to a case highlighted in January 2010 by the Christian Science Monitor:
At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.

The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show.

The companies – Marathon Oil, ExxonMobil, and ConocoPhillips – didn’t realize the full extent of the attacks, which occurred in 2008, until the FBI alerted them that year and in early 2009. Federal officials told the companies proprietary information had been flowing out, including to computers overseas, a source familiar with the attacks says and documents show.

The data included e-mail passwords, messages, and other information tied to executives with access to proprietary exploration and discovery information, the source says.

Tuesday, February 22, 2011

Mobile Zeus Variants Target Windows Mobile, Symbian Phones

Via -

There are two new versions of the Zeus malware making the rounds right now, both of which target popular mobile phone platforms. One of the variants targets Windows Mobile devices, while the other is going after the Symbian platform, and both are intent on silently stealing data from infected devices.

The new mobile Zeus variants surfaced within the last couple of days and are similar to an older mobile version of the venerable malware. The first Zeus mobile variant appeared in September of last year and aimed to trick users into downloading the malware through a warning about the need for a "certificate update."


"The new version of the Symbian ZeuS trojan (detected as Trojan-Spy.SymbOS.Zbot.b) is similar to the previous one: same commands and same functionality. The Windows Mobile version of the ZeuS trojan (detected as Trojan-Spy.WinCE.Zbot.a) has the same functionality and even the same commands. For example, both versions will report to the same C&C cell phone number (British) after a successful infection," Denis Maslennikov, a malware researcher at Kaspersky Lab, wrote in an analysis of the new Zeus variants.

Smartphones are now near the top of the list for attackers looking for the path of least resistance to gathering sensitive user or corporate data. Mobile malware has not really emerged as the major threat that has been predicted since roughly 1999, but malicious smartphone apps and other threats have surfaced to take up the slack.

"The first ZeuS in the Mobile attack showed us that cybercriminals continue to extend their activities into new platforms and target new areas (mTANs in this case). The second Zeus in the Mobile attack proved that cybercriminals are still very far away from stopping their activities. The newly targeted platform only confirms this fact."

Monday, February 21, 2011

Going to Extremes: Why Muslim Fundamentalists May Be Our Best Hope for Stopping Terror

Via -

In 1996, Richard Reid, a petty criminal recently released from prison, found his way to an unassuming mosque in the rough-edged south London neighborhood of Brixton. The majority of worshippers were converts to Islam: some of them ex-convicts who had taken up the faith in prison, some immigrants. Most of the women wore the full niqab and abaya, showing only their eyes in accordance with the mosque's strictly conservative bent.


Although Brixton Mosque was scrupulously anti-violence, Britons began to worry that the mosque had become, in the words of Time magazine, "an ideal hunting ground for terrorist talent spotters." But some of Britain's front-line experts on Islamist radicalism soon came to believe that this cloud hanging over the mosque had a silver lining -- that the same fundamentalist Muslim community that had been a departure point for Britain's most notorious terrorists could be used to persuade other alienated young Muslim men not to make the same decision. "The Brixton Mosque is not a center of violent extremism -- it is a center of resistance to violent extremism," says Robert Lambert, a former counterterrorism operative with London's Metropolitan Police Service.

Nearly a decade after 9/11, this thinking has evolved into one of Britain's most promising counterterrorism strategies -- and perhaps its most controversial. The government is, in effect, betting that the ideology that so many Islamist radicals claim to believe in can be employed to keep them from becoming terrorists in the first place.

The man at the center of this idea is Abdul Haqq Baker, a Londoner who converted to Islam as a young man and served as Brixton Mosque's chairman for 15 years. Born Anthony Baker to Nigerian and Guyanese parents, he adopted a Muslim name when he embraced Salafism, the fundamentalist branch of Sunni Islam preached at the Brixton Mosque. Hard-line mosques like Brixton have often been the last stop before radicalism for people like Moussaoui and Reid. But mosques generally don't know what to do with such young men, especially if they stop short of openly advocating violence. The usual response is to expel them. But once they're out the door, they may be gone for good.

In this dilemma, Baker saw an opportunity. In March 2007, he launched the Strategy to Reach, Empower and Educate Teenagers (STREET), a center near the Brixton Mosque aimed at young Muslims. Operating on a shoestring budget, STREET offers mentoring for thousands of drop-ins and recently released Muslim convicts, helping with schooling, job training, and anti-violence counseling. If a STREET drop-in mentions an al Qaeda propaganda video he has seen, counselors watch it with him, pointing out the fallacies in its interpretation of Islam. STREET's mostly Salafi staff members are credible to their audience because they are like them -- indeed, several were once in their shoes. "If they cannot relate to you," says Baker, "if your lifestyle doesn't resonate, they will not accept anything from you."


This is straight out of what social scientists call group dynamics theory -- it explains not only why people become terrorists, but also why they join gangs or cults. Sageman named the phenomenon after a term the Canadian police had used to label a Montreal group that later turned out to be a terrorist cell: BOG, or "bunch of guys." It is the bunch-of-guys theory of terrorism -- and by building his STREET community, Baker is creating a bunch-of-guys strategy for preventing it.

Mixing fundamentalist Islam and counterterrorism, however, has proved to be controversial with just about everyone. Baker has received threats from Islamist extremists, serious enough that in 2002 he moved his family to Saudi Arabia, where he now lives most of the time. But many in mainstream Britain are also wary. One influential critic is the Quilliam Foundation, a London-based think tank that promotes a liberal, pro-Western Muslim identity. "The Brixton Mosque subscribes to an austere, conservative Saudi brand of Islam. Without that ideology, you can't promote terrorist acts," says Ghaffar Hussain, director of training and consultancy for Quilliam. "It's not enough to say, 'Well, I oppose terrorism, but I still embrace a harsh Islam.'"

Call it the Good Muslim/Bad Muslim debate. Why should the British government give money and support to groups that share much of the ideology and grievances of terrorists? Baker has an answer: A would-be terrorist is unlikely ever to walk into an event sponsored by a group like Quilliam. But he might very well stop by STREET. "We are the ones who have credibility with these young people, and we're the ones addressing their concerns," says Baker.

Baker is far from alone in claiming that his approach is working. "The feedback that we get from offenders and probation officers is that STREET is very successful," says Simon Cornwall, a senior probation officer with the London Probation Trust's Central Extremism Unit. Security officials as far afield as Vancouver and Los Angeles have contacted Baker about the STREET model, with an eye to starting something similar. But as paranoia over Islam has hit new heights in Europe and the United States -- where even the decidedly moderate Park51 community center proposed for Lower Manhattan provoked weeks of outrage -- such projects are certain to be a tough sell. STREET has had to lay off half its staff since the new cost-cutting Conservative-led government took over. With a wholesale review of Britain's anti-terrorism programs under way, Baker says his project will almost certainly lose financing for its drop-in center and remain open only to referrals from agencies such as the probation service.

Western governments may well prefer working only with Muslims who share basic liberal values, teach English and civics, and try to convince angry young men that reports of their oppression are greatly exaggerated. But they will be talking to the wrong men. Grievances aren't the real problem; after all, millions of people who never take up violence are irate over the Iraq war, the Arab-Israeli conflict, Abu Ghraib, Guantánamo, and the banning of full head coverings in France. There are many angry Muslims and very few terrorists. And it may be that you need the first to stop the second.

American Held in Pakistan Shootings Worked With C.I.A.

Via (Feb 21, 2011) -

The American arrested in Pakistan after shooting two men at a crowded traffic stop was part of a covert, C.I.A.-led team collecting intelligence and conducting surveillance on militant groups deep inside the country, according to American government officials.

Working from a safe house in the eastern city of Lahore, the detained American contractor, Raymond A. Davis, a retired Special Forces soldier, carried out scouting and other reconnaissance missions as a security officer for the Central Intelligence Agency case officers and technical experts doing the operations, the officials said.

Mr. Davis’s arrest and detention, which came after what American officials have described as a botched robbery attempt, has inadvertently pulled back the curtain on a web of covert American operations inside Pakistan, part of a secret war run by the C.I.A. It has exacerbated already frayed relations between the American intelligence agency and its Pakistani counterpart, created a political dilemma for the weak, pro-American Pakistani government, and further threatened the stability of the country, which has the world’s fastest growing nuclear arsenal.

Without describing Mr. Davis’s mission or intelligence affiliation, President Obama last week made a public plea for his release. Meanwhile, there have been a flurry of private phone calls to Pakistan from Leon E. Panetta, the C.I.A. director, and Adm. Mike Mullen, chairman of the Joint Chiefs of Staff, all intended to persuade the Pakistanis to release the secret operative. Mr. Davis has worked for years as a C.I.A. contractor, including time at Blackwater Worldwide, the controversial private security firm (now called Xe) that Pakistanis have long viewed as symbolizing a culture of American gun slinging overseas.

The New York Times had agreed to temporarily withhold information about Mr. Davis’s ties to the agency at the request of the Obama administration, which argued that disclosure of his specific job would put his life at risk. Several foreign news organizations have disclosed some aspects of Mr. Davis’s work with the C.I.A.

On Monday, American officials lifted their request to withhold publication. George Little, a C.I.A. spokesman, declined to comment specifically on the Davis matter, but said in a statement: “Our security personnel around the world act in a support role providing security for American officials. They do not conduct foreign intelligence collection or covert operations.”


Several American and Pakistani officials said that the C.I.A. team in Lahore with which Mr. Davis worked was tasked with tracking the movements of various Pakistani militant groups, including Lashkar-e-Taiba, a particularly violent group that Pakistan uses as a proxy force against India but that the United States considers a threat to allied troops in Afghanistan. For the Pakistanis, such spying inside their country is an extremely delicate issue, particularly since Lashkar has longstanding ties to Pakistan’s intelligence service, the Directorate for Inter-Services Intelligence, or ISI.

Still, American and Pakistani officials use Lahore as a base of operations to investigate the militant groups and their madrasas in the surrounding area.

The officials gave various accounts of the makeup of the covert team and of Mr. Davis, who at the time of his arrest was carrying a Glock pistol, a long-range wireless set, a small telescope and a headlamp. An American and a Pakistani official said in interviews that operatives from the Pentagon’s Joint Special Operations Command had been assigned to the group to help with the surveillance missions. Other American officials, however, said that no military personnel were involved with the team.

Special operations troops routinely work with the C.I.A. in Pakistan. Among other things, they helped the agency pinpoint the location of Mullah Abdul Ghani Baradar, the deputy Taliban commander who was arrested in January 2010 in Karachi.

Even before his arrest, Mr. Davis’s C.I.A. affiliation was known to Pakistani authorities, who keep close tabs on the movements of Americans. His visa, presented to the Ministry of Foreign Affairs in late 2009, describes his job as a “regional affairs officer,” a common job description for officials working with the agency.

According to that application, Mr. Davis carried an American diplomatic passport and was listed as “administrative and technical staff,” a category that typically grants diplomatic immunity to its holder.

American officials said that with Pakistan’s government trying to clamp down on the increasing flow of Central Intelligence Agency officers and contractors trying to gain entry to Pakistan, more of these operatives have been granted “cover” as embassy employees and given diplomatic passports.


In a bizarre twist that has further infuriated the Pakistanis, a third man was killed when an unmarked Toyota Land Cruiser, racing to Mr. Davis’s rescue, drove the wrong way down a one-way street and ran over a motorcyclist, killing him. As the Land Cruiser drove “recklessly” back to the consulate, the report said, items fell out of the vehicle, including 100 bullets, a black mask and a piece of cloth with the American flag.

Pakistani officials have demanded that the Americans in the S.U.V. be turned over to local authorities, but American officials say they have already left the country.

Mr. Davis and the other Americans were heavily armed and carried sophisticated equipment, the report said.

The Pakistani Foreign Office, generally considered to work under the guidance of the ISI, has declined to grant Mr. Davis what it calls the “blanket immunity” from prosecution that diplomats enjoy. In a setback for Washington, the Lahore High Court last week gave the Pakistani government until March 14 to decide on the issue of Mr. Davis’s immunity.

Sunday, February 20, 2011

Somalia: Piracy’s Terrorism Nexus Revealed

Via -

First, let me caveat this post that news sources out of Somalia are notoriously unreliable. Anything coming out of Southern Somalia is suspect as al Shabaab owns the media and uses it as their own propaganda arm. There has been OSINT reporting of indirect coordination between al Shabaab and pirates before and much of this nexus has been overstated. But this reporting (and similar recent stories) seems credible and should be a concern to those who still argue that piracy is little more than a nuisance to shipping companies. A 10-20% piece of the total 2010 piracy haul would amount to 20-40 million USD added to al Shabaab’s coffers for 2011 if piracy trends continue unabated.

Shaking down clans, other militant groups, and the general population for revenue is par for Shabaab’s course. With a number of diverse revenue sources, some involving maritime trade, al Shabaab has become the richest of the Al Qaeda affiliates (and yes, they are al Qaeda). Many of AQ’s traditional funding sources have dried up. Yet terrorism remains an economy of force tactic, so a few million distributed between affiliates here and there is sufficient to sustain the global jihadi movement. Chalk up another reason to develop a more aggressive, coherent, and decisive campaign against piracy (and needless to say, al Shabaab).

Canada Hit by Cyberattack

Via (Feb 17, 2011) -

A federal cabinet minister said Thursday that hackers, perhaps from China, compromised computers in two Canadian government departments in early January, leaving bureaucrats with little or no Internet access for nearly two months.

The minister, Stockwell Day, the president of the Treasury Board, told reporters that hackers had infiltrated computers in his department, which supervises the bureaucracy and government operations, as well as in the Department of Finance, which is responsible for the government’s budget and fiscal policy.

“Every indication we have at this point is that our sensors and our cyberprotection systems got the alerts out in time, that the information doors were slammed shut,” Mr. Day said.

He added that the attack, the latest in a series of confirmed assaults on government computer systems, was more directly focused than were previous strikes against Canada.

“It was a significant one — significant that they were going after financial records,” he said.

After the attack was discovered in early January, the government largely isolated computers in the two departments from the Internet. The computers have, for the most part, remained disconnected while security officials searched individual computers for evidence in case of a criminal investigation and to remove the compromising software.


There are concerns that the hackers may have gained advance knowledge of the federal budget, to be released next month. Because Canadian budgets are generally not amended after being presented to Parliament, they are prepared in great secrecy to prevent advance knowledge of their contents from being used for financial gain.

Vic Toews, the minister of public safety, said in an e-mail that “we have no indication that budget security has been compromised.”


According to the CBC and other Canadian news organizations, the attackers adopted the same approach as the one used by a China-based computer espionage ring that stole information from the Indian Defense Ministry. That gang was exposed last year by a team of researchers from the Munk School of Global Affairs at the University of Toronto.

The hackers used a technique that is sometimes known as “executive spear phishing.” First they took control of computers used by senior officials in the affected departments. Once inside, the hackers generated messages that appeared to be from those officials to the departments’ information technology section, which provided the hackers with passwords to various government computer systems.

At the same time, other employees in the departments received e-mails that falsely appeared to come from the senior officials that included Adobe PDF attachments. Once opened, those attachments started hidden programs that hunted for information on the government network to send back to the hackers.

While security scanning software is supposed to catch and block destructive software hidden in attachments, the hackers either developed programs that were unknown to software security companies or found a novel method of hiding their unwanted computer code.

The Canadian news reports said that the government had traced the hackers to an Internet address in China.

Rafal A. Rohozinski, one of the Munk School researchers who documented the earlier Chinese attack, said it should be possible for the Canadian government to determine if the attack originated in China or if the hackers had merely disguised their location by using Chinese servers.

Nevertheless, Mr. Rohozinski said that China was the most likely source of the attack, although that did not necessarily indicate that it was a government-sanctioned action.

“There are more people online in China than anywhere else,” he said. “Most of them are young, so you see a lot of digital promiscuity coming from China.”

Ma Zhaoxu, a spokesman for China’s Foreign Ministry, rejected suggestions of a link to China, Reuters reported. “What you mentioned is purely fictitious and has an ulterior motive,” he said.

Meanwhile, Mr. Rohozinski was skeptical that Canadian government investigators could demonstrate that no information was stolen from the systems. The government adopted a new computer security plan last fall, but he said that very little of the plan had been put in effect, leaving security largely uncoordinated and varying in quality from department to department.

STRATFOR: The Threat of Civil Unrest in Pakistan and the Davis Case

Via STRATFOR (Security Weekly) -

On Feb. 13, the Tehrik-i-Taliban Pakistan (TTP) issued a statement demanding that the government of Pakistan execute U.S. government contractor Raymond Davis or turn him over to the TTP for judgment. Davis, a contract security officer for the CIA, has been in Pakistani custody since a Jan. 27 incident in which he shot two men who reportedly pointed a pistol at him in an apparent robbery attempt.

Pakistani officials have corroborated Davis’ version of events and, according to their preliminary report, Davis appears to have acted in self-defense. From a tactical perspective, the incident appears to have been (in tactical security parlance) a “good shoot,” but the matter has been taken out of the tactical realm and has become mired in transnational politics and Pakistani public sentiment. Whether the shooting was justified or not, Davis has now become a pawn in a larger game being played out between the United States and Pakistan.

When one considers the way similar periods of tension between the Pakistanis and Americans have unfolded in the past, it is not unreasonable to conclude that as this current period plays out, it could have larger consequences for Davis and for American diplomatic facilities and commercial interests in Pakistan. Unless the Pakistani government is willing and able to defuse the situation, the case could indeed provoke violent protests against the United States, and U.S. citizens and businesses in Pakistan should be prepared for this backlash.


As a contract employee assigned to the U.S. Consulate in Lahore, Davis was likely not on the diplomatic list and probably did not enjoy full diplomatic immunity. He was probably considered a member of the administrative or technical staff. Protecting himself during a robbery attempt would not be considered part of his official function in the country, and therefore his actions that day would not be covered under functional immunity. So determining exactly what level of immunity Davis was provided will be critical in this case, and the information provided by the Pakistani Foreign Ministry will have a big impact on the Pakistani judge hearing the arguments.

In all likelihood, Davis was briefed regarding his legal status by his company and by the CIA prior to being assigned to post. He also would have been told that, while he had limited immunity, the U.S. government would do its best to take care of him if some incident occurred. However, it would have been made clear to him that in working as a protective contractor he was running a risk and that if there was an incident on or off duty, he could wind up in trouble. All security contractors working overseas know this and accept the risk as part of the job.


And this is the environment in which the Davis shooting occurred. Even though some Pakistani civilians apparently came forward and reported that they had been robbed at gunpoint by the men Davis shot, other Pakistani groups like the Jamaat-ud-Dawah (JuD) — the successor to the Lashkar-e-Taiba, which was presumably banned by the Pakistani government — have demanded that Davis be hanged. The Jamaat-e-Islami (JeI), an Islamist political party, has also demanded that Davis be hanged and has called for large protests if he is released without a court order. As noted above, TTP spokesman Azam Tarik made a statement demanding that the Pakistani government either hang Davis or hand him over to them. Interest in this issue is not just confined to Islamist groups. There are some right-wing conservative nationalists and even some secular liberals who are asking: “If the United States can give CIA shooter Mir Amal Kansi the death penalty, why can’t Pakistan do the same thing to Davis?”

The result is that the Davis case has aroused much controversy and passion in Pakistan. This not only complicates the position of the Pakistani government but also raises the distinct possibility that there will be civil unrest if Davis is released.


Due to the widespread discontent over the issue of U.S. security contractors in Pakistan, if protests do follow the release of Davis, they can be expected to be similar to the protests that followed the Mohammed cartoon case, i.e., they will cut across ethnic and sectarian lines and present a widespread threat.

Physical security measures such as concrete barriers, standoff distances and security cameras can add to a facility’s defenses against a terrorist attack, but they really do not pose much of an obstacle to an angry mob intent on overrunning a property — especially if local and indigenous security forces are unwilling or unable to intervene in a timely fashion and the mob has the time and latitude to assault the facility for a prolonged period. The protesters can scale barriers and their overwhelming numbers can render most security measures useless. Barriers such as hard-line doors can provide some delay, but they can be breached by assailants who possess tools and time.


Once a mob attacks, there often is little that can be done — especially if the host government either cannot or will not take action to protect the facility being attacked. At that point, the focus should be on preventing injuries and saving lives — without regard to the physical property. In most cases, when a mob attacks a multinational corporation, it is attacking a symbolic target. KFC restaurants, for example, have been frequent targets of attacks in Pakistan because of the company’s association with the United States. In many cases, multinational franchises such as KFC and even some hotels are owned by locals and not Americans, but that does not matter to the mobs, which see nothing but a U.S. symbol.

When an issue such as the Mohammed cartoons, the Bhutto assassination or the release of Raymond Davis spirals into violent protests, the only real precaution that many companies can take is to escape the area and avoid loss of life. The best defense is to use good intelligence in order to learn about the protests in advance, to track them when they occur and then to evacuate personnel before they can be affected by the violence.

U.S. diplomatic facilities and business interests in Pakistan are almost certainly reviewing their contingency plans right now and planning for the worst-case scenario. During such times, vigilance and preparation are vital, as is a constant flow of updated intelligence pertaining to potential demonstrations. Such intelligence can provide time for an evacuation or allow other proactive security measures to be taken. With the current tension between Pakistan and the United States, there might not be much help coming when the next wave of unrest erupts, so keeping ahead of potential protests is critically important.


Reuters - Pause in U.S. Pakistan Strikes Seen Linked to U.S. Prisoner

The United States has halted drone attacks on militants along Pakistan's western border in a development analysts believe is linked to U.S. attempts to secure the release of a jailed U.S. consular employee.

After months of frequent strikes from unmanned U.S. aircraft on militant hideouts in tribal areas on Pakistan's border with Afghanistan, where bloodshed has hit record levels, reports of covert strikes have gone quiet for over three weeks.

Many analysts believe Washington has stopped the attacks to avoid further inflaming anti-American fury in Pakistan just as it pressures a vulnerable Islamabad government to release Raymond Davis, a U.S. consulate employee imprisoned after shooting two Pakistanis last month during what he said was an attempted robbery.

Saturday, February 19, 2011

SpyTunes: Privacy Hole Lets Anyone with Your Email Address Spy on Your iTunes Library

Via Andrew McAfee's Blog -

A little while back I was putting together an iTunes playlist to give to my Mom as a gift, and found myself frustrated by the application’s user interface. It kept telling me that Mom already had one song after another, and refusing to let me complete the gifting process until I removed the duplicate song from the playlist.

After I did this three or four times I gave up, complaining to my girlfriend how clunky the process was. She replied “That’s not the real problem. The real problem is that iTunes is telling you what music someone else has.”

She’s right. I’ve been doing some poking around, and have found that it’s pretty straightforward for one person (let’s call him George Smiley, after John Le Carré’s master spy) to find out what music, video, and apps someone else (like me) has purchased or had gifted to them on iTunes.

Wednesday, February 16, 2011

Lessons to Learn From the HBGary Federal Hack

Via (Naked Security Blog) -

The Anonymous attack on HBGary may have amused some who enjoyed the sight of a security firm left embarrassed and exposed, but it should send a shiver down the spine of any IT administrator responsible for securing their own company.

Because can you honestly put your hand on your heart and say a hack like the one against HBGary couldn't happen at your organisation too?

As Ars Technica explains, a weakness in a third-party CMS product used by HBGary's website allowed Anonymous hackers to steal passwords that employees used to update the webpages.

Unfortunately they were passwords that weren't encrypted strongly enough, and were possible to crack with a rainbow-table based attack. Amongst those exposed were CEO Aaron Barr and COO Ted Vera.

Worse still, it appears that Aaron Barr and Ted Vera were using the same passwords for their Twitter and LinkedIn accounts, and even for an account which administered the entire company's email.

By exploiting software vulnerabilities, poor passwords and even some tried-and-trusted social engineering it was trivial for the hackers to steal the entire company's email and deface its website.


According to Anonymous, here are the details on the rather simple SQLi that was found in HBGary's homepage (in the CMS used to run it).
HBGary Federal's website,, was powered by a content management system (CMS)....Unfortunately for HBGary, this third-party CMS was poorly written. In fact, it had what can only be described as a pretty gaping bug in it. A standard, off-the-shelf CMS would be no panacea in this regard—security flaws crop up in all of them from time to time—but it would have the advantage of many thousands of users and regular bugfixes, resulting in a much lesser chance of extant security flaws.

The custom solution on HBGary's site, alas, appeared to lack this kind of support. And if HBGary conducted any kind of vulnerability assessment of the software—which is, after all, one of the services the company offers—then its assessment overlooked a substantial flaw. The CMS was susceptible to a kind of attack called SQL injection.

The exact URL used to break into was The URL has two parameters named pageNav and page, set to the values 2 and 27, respectively. One or other or both of these was handled incorrectly by the CMS, allowing the hackers to retrieve data from the database that they shouldn't have been able to get.
Given the simple nature of the injection, I would assume even free tools (like Paros Attack Proxy or OWASP Zed Proxy) would have discovered this SQLi flaw.

After the discovery of the SQLi flaw, a series of well-known techniques and hacks (e.g. cracking MD5, re-used passwords, excessive privilege, an unpatched local privilege escalation vulnerability, an informed and targeted SE attack) were used by Anonymous to dig deeper and gather more and more information - which they turned around and used to get still more information (SE attack).

In the end, the author of the Ars Technica article says it best...
So there are clearly two lessons to be learned here. The first is that the standard advice is good advice. If all best practices had been followed then none of this would have happened. Even if the SQL injection error was still present, it wouldn't have caused the cascade of failures that followed.

The second lesson, however, is that the standard advice isn't good enough. Even recognized security experts who should know better won't follow it. What hope does that leave for the rest of us?
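The two failures the article describes, a CMS page lookup that pastes the pageNav and page parameters into its SQL and passwords stored as unsalted MD5, side by side with their hardened forms. This is an added example, not HBGary's CMS or code from the Ars Technica piece; the schema, table and column names, rows, and password values are all constructed for the demo.

```python
"""Added example, not HBGary's CMS nor code from the Ars Technica article:
a page lookup driven by the pageNav/page parameters the article names,
first built from raw request strings (the injectable pattern), then
hardened; and unsalted MD5 password storage beside a salted, slow
derivation. Schema, table and rows are constructed for the demo."""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory CMS table; two of the rows are unpublished."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE pages (id INTEGER, nav INTEGER, title TEXT, published INTEGER);
        INSERT INTO pages VALUES (27, 2, 'Public press page', 1);
        INSERT INTO pages VALUES (28, 2, 'Draft: unreleased advisory', 0);
        INSERT INTO pages VALUES (31, 3, 'Internal staff notes', 0);
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, page_nav: str, page: str) -> List[str]:
    """The flawed pattern: request values are pasted into the SQL text, so
    whatever the caller sends becomes part of the query the engine runs."""
    sql = ("SELECT title FROM pages WHERE published = 1 "
           f"AND nav = {page_nav} AND id = {page}")
    return sorted(row[0] for row in conn.execute(sql))


def lookup_hardened(conn: sqlite3.Connection, page_nav: str, page: str) -> List[str]:
    """Validate both values as integers, reject anything else, and bind them
    as parameters so request data is never interpreted as SQL."""
    try:
        nav_i, page_i = int(page_nav), int(page)
    except ValueError:
        return []
    sql = "SELECT title FROM pages WHERE published = 1 AND nav = ? AND id = ?"
    return sorted(row[0] for row in conn.execute(sql, (nav_i, page_i)))


def hash_password_weak(password: str) -> str:
    """Unsalted MD5: the same password always yields the same digest, so a
    precomputed (rainbow) table cracks every matching account at once."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = 200_000) -> str:
    """Per-user random salt plus a deliberately slow PBKDF2-HMAC-SHA256
    derivation, stored as 'pbkdf2$rounds$salt_hex$digest_hex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and round count; constant-time compare."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    print("hardened, normal request:", lookup_hardened(db, "2", "27"))
    print("string-built, normal request:", lookup_vulnerable(db, "2", "27"))
    # A non-integer value is rejected by the hardened path but becomes SQL
    # in the string-built one, exposing the unpublished rows.
    print("hardened, non-integer page:", lookup_hardened(db, "2", "27 OR 1=1"))
    print("string-built, same value:", lookup_vulnerable(db, "2", "27 OR 1=1"))
    print("MD5 of 'password':", hash_password_weak("password"))
    print("PBKDF2 verifies:", verify_password("password", hash_password("password")))
```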

Tuesday, February 15, 2011

Panel Review Questions FBI Theory in Anthrax Attacks After 9/11

Via ABC News -

It's a case that's been marked by controversy and mystery for nearly a decade: who was responsible for the deadly anthrax-laced letters sent after 9/11?

Today, the National Academy of Science raised more questions.

A review panel said that the FBI overstated the scientific evidence that linked the anthrax flask controlled by Dr. Bruce E. Ivins to the anthrax used in the 2001 attack letters. Dr. Ivins, a researcher at Ft. Detrick, MD., was identified by the FBI as the primary suspect in the case. He maintained his innocence until his suicide in 2008.

The cornerstone of the FBI case against Dr. Ivins was that the anthrax in the flask to which he had access -- labeled RMR-1029 -- had a unique make-up that identified it as the parent material for the anthrax in the attack letters. It took years of research for the FBI to conclude that the anthrax in the letters came from Dr. Ivins' flask, and they cited it as "powerful evidence" against him.

The NAS has reviewed the FBI's scientific work on the anthrax, and today, Dr. David A. Relman, the vice chair of the NAS panel, said, "One cannot arrive at a definitive conclusion about the origins of the anthrax."

The review by the NAS concludes that while the anthrax in the letters was "consistent with" the RMR-1029 flask, that flask was not the "immediate source" of the spores used in the letters. The NAS found that one or more growth steps would have been required to produce the spores used in the letters. The NAS found that "the data did not rule out other possible sources" of the anthrax.

In addition, the NAS found that the anthrax used in letters sent to New York locations -- including ABC News, NBC News and the New York Post -- had different physical properties from the anthrax in letters that killed several postal workers and closed down some Senate offices in Washington, D.C.

The FBI says it did not rely on science alone to close in on Dr. Ivins. Investigators said they also used circumstantial evidence, including late-night lab visits by Ivins and e-mail messages describing his psychological turmoil, to identify him as a suspect.

In response to the NAS review, the FBI issued a statement saying, "The committee…concluded that it is not possible to reach a definitive conclusion about the origins of the B. anthracis in the mailings based on the available scientific evidence alone. The FBI has long maintained that while science played a significant role, it was the totality of the investigative process that determined the outcome of the anthrax case."

The Cyberweapon that Could Take Down the Internet

Via -

A new cyberweapon could take down the entire internet – and there's not much that current defences can do to stop it. So say Max Schuchard at the University of Minnesota in Minneapolis and his colleagues, the masterminds who have created the digital ordnance. But thankfully they have no intention of destroying the net just yet. Instead, they are suggesting improvements to its defences.

Schuchard's new attack pits the structure of the internet against itself. Hundreds of connection points in the net fall offline every minute, but we don't notice because the net routes around them. It can do this because the smaller networks that make up the internet, known as autonomous systems, communicate with each other through routers. When a communication path changes, nearby routers inform their neighbours through a system known as the border gateway protocol (BGP). These routers inform other neighbours in turn, eventually spreading knowledge of the new path throughout the internet.

A previously discovered method of attack, dubbed ZMW – after its three creators Zhang, Mao and Wang, researchers in the US who came up with their version four years ago – disrupts the connection between two routers by interfering with BGP to make it appear that the link is offline. Schuchard and colleagues worked out how to spread this disruption to the entire internet and simulated its effects.

Surgical strike

The attack requires a large botnet – a network of computers infected with software that allows them to be externally controlled: Schuchard reckons 250,000 such machines would be enough to take down the internet. Botnets are often used to perform distributed denial-of-service (DDoS) attacks, which bring web servers down by overloading them with traffic, but this new line of attack is different.

"Normal DDoS is a hammer; this is more of a scalpel," says Schuchard. "If you cut in the wrong places then the attack won't work."


Meltdown not expected

So is internet meltdown now inevitable? Perhaps not. The attack is unlikely to be launched by malicious hackers, because mapping the network to find a target link is a highly technical task, and anyone with a large enough botnet is more likely to be renting it out for a profit.

An alternative scenario would be the nuclear option in a full-blown cyberwar – the last resort in retaliation to other forms of cyberattack. A nation state could pull up the digital drawbridge by adjusting its BGP to disconnect from the internet, just as Egypt did two weeks ago. An agent in another country could then launch the attack, bringing down the internet while preserving the attacking nation's internal network.

Israeli General Claims Stuxnet Attacks as One of his Successes

Via -

The latest results of a Symantec study concentrating on the Stuxnet worm revealed that its developers knew what they were doing - once finished, it took only 12 hours to infect the first target.

The study also concluded that the Stuxnet attacks can be dated back to June 2009 - more than a year prior to it being first discovered by security experts - and that its initial targets were five separate organizations that have a presence in Iran and most of which have been attacked at various points through 2009 and 2010.

Last month, The New York Times ran a story about Stuxnet having been developed by the Americans and the Israelis as a part of a joint project, but it was based on the claims by confidential sources and there was only circumstantial evidence that would corroborate them.

But, it now seems that the information from these sources was correct. The Haaretz - Israel's oldest daily newspaper - reports (via Google Translate) about a surprising video that was played at a party organized for General Gabi Ashkenazi's last day on the job.

The video contained references to the successes he achieved during his stint as chief of staff, and enumerated among them was the Stuxnet worm attack on Iran's uranium enrichment facility at Natanz and the nuclear reactor at Bushehr.

There is always the possibility that this was just a way of magnifying the General's achievements, but it is also possible it is true. As we all know, Israel has never commented on the speculations about its involvement in the attacks.

Sunday, February 13, 2011

Updated W32.Stuxnet Dossier is Available

When we released our paper on Stuxnet by Nicolas Falliere, Liam O Murchu, and Eric Chien in September, we mentioned we’d likely continue to make revisions.

We have two major updates to the paper and some other minor changes throughout. A summary of these updates follows and more detailed information can be found in the paper. Please note that these new details are included in version 1.4 or higher.


According to the revision history....

Version 1.4 (February 11, 2011)
  • New content added to the Infection Statistics, The monitor thread, Sequence C, and Variants sections.
  • Minor edits and updates to Configuration Data Block, Behavior of a PLC infected by sequence A/B, and Other export hooks sections.

REcon 2010 Slides

RECON is a computer security conference being held in Montreal. The conference offers a single track of presentations over the span of three days. REcon 2010 took place on July 9-11, 2010.

Saturday, February 12, 2011

Disabling AOL Lifestream for AIM

If you use AOL Instant Messenger (AIM), it automatically publishes a feed of your chat status at - and it's opt-out, not opt-in. Shame on you AOL.

For more information on Lifestream, check here.

Here is how you opt-out....

Step 1: Go to and sign in using your AIM credentials.

Step 2: In the upper right hand corner, select "Account" -> "Settings".

Step 3: Under "Share updates from this account with", modify the default "Everyone - Public" to "No one - Private".

Thanks to Chris Hanson (@eschaton) for the reminder.

JaZeus: When Zeus Meets Java

Via -

This is the first analysis as far as I know, of a Zeus malware that uses a Java engine to infect a victim system, by using a multi-stage approach. The sample is md5: 92869c9f958b5bfddefc09d6bfc03591. Are you curious to know more about it? If so, please follow me.


Once the code is decrypted it will drop a temporary EXE in the %user_temp% directory.
Would you like to see its content? Sure, you can but you will find only a “normal” EXE, which has nothing malicious…

The point here is that the file actually dropped is not the malicious one. You need to figure out how to obtain such file.

Any ideas? Sure, let’s patch the Java class code in order to let the malicious JAR drop the real malicious EXE for us :]

To do that, you need to drop somewhere on the disk the content of the malicious EXE in memory.


Part 3 : The second EXE

By taking a quick look at the entrypoint of this dropped EXE, we can quickly see that the code is mainly the same as the main EXE.

So there is something wrong, no? Actually no, it is using the same dropping scheme, but this time it will drop a new JAR, like the previous one but with a different data section. A matrioska!


Part 5 : The real Zeus

After retrieving the real executable by using the approach described in the section: “Investigating the JAR”, we will be eventually able to meet Zeus :]

I will not go into the analysis of this sample since it acts like a normal Zeus, which connects to a .ru domain in order to download a config file and to proceed with the usual “divine” stuff.

Feds: Hezbollah Gets Into the Used Car Business

Via (Detroit, Michigan) -

The DEA and the Treasury Department announced Thursday that under provisions of the Patriot Act, the U.S. is barring American financial institutions from doing business with the Lebanese Canadian Bank (LCB). Treasury officials allege that the bank has been laundering narcotics proceeds -- as much as $200 million per month -- on behalf of an international drug ring run by a Lebanese trafficker named Ayman Joumaa. According to officials, a big slice of the drug profits was then funneled back to Hezbollah in Lebanon by Joumaa and nine coconspirators through an African affiliate of LCB.

According to the Treasury, cash from drug sales in Europe, Latin America and the Middle East was first laundered through money exchanges in Lebanon, then wired to U.S. car dealers via LCB. The dealers then shipped cars to West Africa, and the proceeds from the sales of the cars in Africa were sent via an LCB affiliate in The Gambia to Hezbollah in Lebanon. None of the American used car dealers allegedly involved in the transactions were identified.

Treasury officials also said that wire transfers from LCB were sent to U.S. correspondents to pay Asian suppliers of consumer goods. The goods were then shipped to Latin America and sold for local currency.


DEA: Drug Investigations Lead to Treasury 311 Patriot Act Designation Against Lebanese Bank Tied to Hizballah (Feb 10, 2011) -

Facebook, YouTube Aid in Al-Qaeda's Spread, Study Says

Via -

Osama bin Laden's al-Qaeda, which planned and executed the 9/11 terrorist attacks, has morphed into an array of regional terrorist groups that are using the Internet to recruit and train members at home, according to a report released Tuesday.

The 25-page report even coins a term for the disparate groups - AQAM, for "al-Qaeda and Associated Movements." Groups lumped under that acronym include al-Qaeda in the Arabian Peninsula, which claimed responsibility for mailing bombs disguised as printers in cargo packages last year, and Lashkar-e-Taiba, which is believed to have orchestrated the November 2008 terrorist attacks in Mumbai, India.

"What was once a hierarchical organization composed of Osama bin Laden and his close associates has grown to include an array of regional terrorist groups, small cells, and even individuals," according to the report issued by the Center for Strategic and International Studies. Al-Qaeda has been diminished and has lost support, but its message still energizes diverse groups around the globe.

"The emergence of affiliates and nonaffiliated cells and individuals also presents a troubling paradox for the United States and its partners: Despite extensive counterterrorism successes against the group responsible for 9/11, the al-Qaeda 'brand' now resonates with an increasingly diverse (though still narrow) cross-section of Muslims around the world," the report said.

The document specifically cites the Internet as a critical and growing tool for terrorist groups in recruiting, training, and funding individuals to carry out attacks.


The report notes that terrorist operative Anwar al-Awlaki has used the Internet to recruit individuals. "Once an al-Awlaki, or a YouTube video of terrorist violence, helps spark radicalization, e-mail, Facebook, and other forms of online communication can forge links between terrorist operatives and recruits thousands of miles apart," the report said.

Rick (Ozzie) Nelson, director and senior fellow of the CSIS Homeland Security and Counterterrorism Program, said that the U.S. should take into consideration that some of its counterterrorism policies may be fueling anti-American sentiment and inspiring groups or individuals to carry out terrorist acts.

Although the report does not single out specific policies that might be inflaming violent Islamic extremism, a follow-on effort later this year is expected to examine that issue, said Juan Zarate, a CSIS senior adviser who spoke on a panel with Nelson about the report.


CSIS: A Threat Transformed - Al Qaeda and Associated Movements in 2011

Jihadi Encryption: U.K. Case Reveals Terror Tactics

Via (h/t Jihadica) -

A British Airways PLC employee named Rajib Karim allegedly exchanged electronic messages with an al Qaeda cleric in Yemen for more than two years, his activities cloaked by an encrypted fortress he created on a laptop computer and an external hard drive, prosecutors say.

The sophisticated encryption tactics Mr. Karim allegedly used to shield his communications with U.S.-born radical cleric Anwar al-Awlaki—and the small clue he left behind that enabled police forensics teams to defeat them—are center stage in a high-profile trial here in which Mr. Karim is accused of preparing for terrorist acts related to his work at the airline and to his alleged communications with Mr. Awlaki.

The case provides a rare and detailed look at how terror suspects may be able to communicate surreptitiously—and how difficult and laborious it is for law enforcement to crack their codes.

Mr. Karim used layer upon layer of encryption and other techniques to prevent others from being able to read the messages and access other data stored on his computer equipment, prosecutors allege.

The encryption is so complex and layered that "I could give an analogy of Russian dolls," Detective Constable Stephen Ball, the policeman in charge of the computer forensics in Mr. Karim's case, said in court Thursday.

Mr. Karim, a 31-year-old Bangladeshi national, pleaded guilty in November to fund-raising for the purposes of terrorism; possessing documents likely to be of use to a person committing or preparing to commit an act of terrorism; and engaging in conduct for the preparation of terrorist acts, all charges mainly related to his association with a banned Bangladeshi terrorist group.

Mr. Karim, who is in custody, is being tried on four counts of engaging in conduct in preparation of terrorist acts, including providing information about his employer to others for terrorist purposes.


Upon raiding Mr. Karim's apartment police recovered, among other things, a laptop and an external hard drive able to store some 320 gigabytes of data, according to prosecutors. The hard drive held some 35,000 files including messages with Mr. Karim's brother, with Mr. Awlaki—a leader of terror group al Qaeda in the Arabian Peninsula—and with other colleagues, prosecutors say.

Mr. Karim allegedly hid the messages and other data stored on the drive by changing the suffix at the end of the name of key files, which would typically tell a computer what program would be needed to open them up. That included four files labeled "Quran DVD Collection," which appeared to be compressed files because they took the suffix ".rar," which relates to a type of software that reduces the size of a file, according to prosecutors.

Mr. Ball said he noted these files were unusually large, and discovered that they were actually created in a different program, Pretty Good Privacy, which enabled each file to run as a separate, encryption-protected "virtual hard drive." Without the correct password, the files were completely unintelligible.


He sent the files to British intelligence services, which returned them decrypted, or unlocked. Once able to open the files, Mr. Ball testified, he still wasn't able to read most of the messages contained within them: Mr. Karim had enciphered the text, leaving it scrambled and unreadable.

Mr. Karim left police a clue, however. On the external hard drive was a disguised file that looked like it was meant for viewing thumbnail-size photographs—but that actually consisted of text with instructions for using a spreadsheet containing a purpose-built formula to decipher the message, according to Mr. Ball. The spreadsheet also worked in reverse, enciphering messages before sending to another member of the group, Mr. Ball said.

Those instructions helped Mr. Ball decrypt the messages and see that—according to prosecutors' account—Mr. Karim was passing to Mr. Awlaki information about British Airways' computer and security systems that could be vitally important for those wishing to conduct a terrorist attack.

Still, it took many more months for the messages to fully come into focus. There were many spreadsheets on the hard drive, and sometimes numerous versions of each one. Even once unscrambled, prosecutors allege the messages contained false names and other coded words, further obscuring their contents. The names of countries and people, as well as their sex, were changed, and their movements and activity were discussed as if involved in business transactions, prosecutors allege.

As an additional layer of protection, prosecutors say, Mr. Karim and his colleagues didn't exchange their messages as emails, which can be intercepted. They instead uploaded them to public websites that host files, where another member of the group could then download them to his or her own machine.
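The two disguises described above (archive-like ".rar" files that were really PGP virtual disks, and a thumbnail-looking file that was really text) are both caught by the same first-pass forensic check: compare what the extension claims with what the header bytes and the byte entropy actually say. The script below is an added example, not code from the case or from the investigators; the sample files are constructed here, the "Thumbs.db" name is an assumption about what a "thumbnail" file would look like on a Windows drive, and the 7.5 bits-per-byte threshold is a rule of thumb rather than a published value.

```python
import hashlib
import math
from collections import Counter

# Known file signatures for the container types a disguised file might
# claim to be. RAR 1.5-4.x and RAR 5 magic values are public; the OLE
# compound-file signature is what a Windows Thumbs.db starts with.
MAGIC = {
    ".rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    ".db": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted/compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(name: str, data: bytes) -> dict:
    """Compare the extension's implied format with the real header and entropy."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    header_ok = expected is None or any(data.startswith(m) for m in expected)
    ent = shannon_entropy(data)
    if header_ok:
        verdict = "ok"
    elif ent > 7.5:
        verdict = "mismatch/high-entropy"   # no expected header, random-looking: encrypted container?
    else:
        verdict = "mismatch/low-entropy"    # no expected header, structured: disguised text?
    return {"name": name, "header_ok": header_ok, "entropy": round(ent, 2), "verdict": verdict}


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 counter stream)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


# Constructed samples, not evidence from the case:
SAMPLES = {
    # a genuine-looking archive: correct RAR magic followed by a compressed payload
    "holiday_photos.rar": b"Rar!\x1a\x07\x00" + _pseudo_random(4096),
    # claims to be RAR, has no RAR header, and is uniformly random: an encrypted container
    "Quran DVD Collection 1.rar": _pseudo_random(4096),
    # named like a thumbnail cache (assumed name) but is plain text: no OLE header, low entropy
    "Thumbs.db": b"Open sheet1, paste the message into column A, run the formula in B1\n" * 40,
}


def triage_all(samples=SAMPLES) -> dict:
    """Map each sample file name to its verdict."""
    return {name: triage(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{verdict:22} {name}")
```

Run over a real evidence drive, the interesting rows are the mismatches: a high-entropy mismatch is a candidate container to hand to whoever holds the keys, while a low-entropy mismatch is often the operator's own notes, which is exactly where the "clue" in this case came from. Unusual size, which is what tipped off the detective here, is a cheap third signal to add to the same pass.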

Thursday, February 10, 2011

'Night Dragon' Attacks From China Strike Energy Companies

Via -

Chinese hackers working regular business hours shifts stole sensitive intellectual property from energy companies for as long as four years using relatively unsophisticated intrusion methods in an operation dubbed "Night Dragon," according to a new report from security vendor McAfee.

The oil, gas and petrochemical companies targeted were hit with technical attacks on their public-facing Web sites, said Greg Day, McAfee's director of security strategy. The hackers also used persuasive social-engineering techniques to get key executives in Kazakhstan, Taiwan, Greece, and the U.S. to divulge information.

The attacks have been linked to China due to the use of Chinese hacking tools commonly seen on underground hacking forums. Further, the attacks appeared to originate from computers on IP (Internet protocol) addresses in Beijing, between 9 a.m. and 5 p.m. local time there, suggesting that the culprits were regular company employees rather than freelance or unprofessional hackers, McAfee said in its report [PDF].
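The "business hours in Beijing" argument above is a timezone-inference test: take the timestamps of the attacker's activity, shift them into a candidate local timezone, and see how much of the activity lands in a Monday-to-Friday 9-5 window. The script below is an added example of that test, not McAfee's analysis or data; the connection timestamps are constructed, China Standard Time is modelled as a fixed UTC+8 (it has no daylight saving), and US Eastern at UTC-5 is included only as a rival hypothesis to compare against.

```python
from datetime import datetime, timedelta, timezone

# China Standard Time is UTC+8 all year (no DST), so a fixed offset is exact.
# US Eastern in January is UTC-5; it is here purely as a competing hypothesis.
HYPOTHESES = {
    "Beijing (UTC+8)": timezone(timedelta(hours=8)),
    "US Eastern, winter (UTC-5)": timezone(timedelta(hours=-5)),
}

# Constructed sample: UTC timestamps of outbound connections from a compromised
# host to its C&C, as a proxy log might record them. Not data from the report.
SAMPLE_EVENTS_UTC = [
    "2011-01-10T02:15:00Z",  # Mon 10:15 Beijing
    "2011-01-10T05:40:00Z",  # Mon 13:40 Beijing
    "2011-01-11T01:05:00Z",  # Tue 09:05 Beijing
    "2011-01-11T08:50:00Z",  # Tue 16:50 Beijing
    "2011-01-12T03:00:00Z",  # Wed 11:00 Beijing
    "2011-01-13T07:30:00Z",  # Thu 15:30 Beijing
    "2011-01-14T16:00:00Z",  # Sat 00:00 Beijing (weekend)
    "2011-01-15T04:00:00Z",  # Sat 12:00 Beijing (weekend)
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def business_hours_fraction(events_utc, tz, start=9, end=17) -> float:
    """Share of events that fall Mon-Fri in [start, end) local time under tz."""
    hits = 0
    for ts in events_utc:
        local = parse_utc(ts).astimezone(tz)
        if local.weekday() < 5 and start <= local.hour < end:
            hits += 1
    return hits / len(events_utc)


def score_hypotheses(events_utc=SAMPLE_EVENTS_UTC, hypotheses=HYPOTHESES) -> dict:
    """Business-hours fraction for each candidate timezone; higher fits better."""
    return {name: business_hours_fraction(events_utc, tz) for name, tz in hypotheses.items()}


def hour_histogram(events_utc, tz) -> dict:
    """Local hour -> event count; a 9-5 cluster is the pattern McAfee describes."""
    hist = {}
    for ts in events_utc:
        h = parse_utc(ts).astimezone(tz).hour
        hist[h] = hist.get(h, 0) + 1
    return dict(sorted(hist.items()))


if __name__ == "__main__":
    for name, frac in score_hypotheses().items():
        print(f"{name:28} {frac:.0%} of activity in local business hours")
    print(hour_histogram(SAMPLE_EVENTS_UTC, HYPOTHESES["Beijing (UTC+8)"]))
```

Treat the result as weak evidence, not attribution: scheduled tasks and beacon timers produce the same clustering, an operator can deliberately work on a victim's clock, and source IP addresses can belong to a relay rather than the operator. It becomes persuasive only alongside the other artifacts the report leans on (tooling, C&C infrastructure, shared artifacts across victims).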

Although McAfee said a group of hackers likely executed the attacks, it had pinpointed "one individual" located in Heze City in Shandong Province "who has provided the crucial C&C infrastructure to the attackers."

"It is likely this person is aware or has information that can help identify at least some of the individuals, groups, or organizations responsible for these intrusions," McAfee said. Day said it is routine for McAfee to notify law enforcement in such instances.

McAfee's report is just the latest to underscore the continuing efforts of hackers to steal sensitive corporate information. In late 2009, Google said it had seen attacks believed to come from China, which targeted dozens of other multinational companies, called "Operation Aurora."

McAfee did not publicly identify the companies attacked, but Day said some employed McAfee's professional services consultants.

Writing on a company blog, McAfee's CTO George Kurtz said the attackers used "an elaborate mix of hacking techniques" but methods and tools that were "relatively unsophisticated."

But while seemingly downplaying the hackers' methods, McAfee admitted that it had only recently been able to detect the broad pattern.

"Only through recent analysis and the discovery of common artifacts and evidence correlation have we been able to determine that a dedicated effort has been ongoing for at least two years, and likely as many as four," the report said.

Day said that despite penetration testing designed to ensure a company's IT systems are secure, the breadth and complexity of corporate computer systems has made it increasingly difficult to link malicious actions together.

"I don't want to say it's the thing right under the nose that you miss but it's the very reality that things get through due to the depth and scope of the world we have to deal with today," Day said. "We keep seeing all kinds of infiltration because of that challenge."

Starting in November 2009, covert cyberattacks were launched against several global oil, energy, and petrochemical companies. The attackers targeted proprietary operations and project-financing information on oil and gas field bids and operations. This information is highly sensitive and can make or break multibillion dollar deals in this extremely competitive industry.

McAfee has identified the tools, techniques, and network activities used in these attacks, which continue on to this day. These attacks have involved an elaborate mix of hacking techniques including social engineering, spear-phishing, Windows exploits, Active Directory compromises, and the use of remote administration tools (RATs).

While the list above may seem impressive to the layperson, these methods and tools are relatively unsophisticated. The tools simply appear to be standard host administration techniques that utilize administrative credentials. This is largely why they are able to evade detection by standard security software and network policies.


We have also taken a close look at who might be behind these attacks. We have strong evidence suggesting that the attackers were based in China. The tools, techniques, and network activities used in these attacks originate primarily in China. These tools are widely available on the Chinese Web forums and tend to be used extensively by Chinese hacker groups. McAfee has determined identifying features to assist companies with detection and investigation.

McAfee Stinger includes detection for 'Night Dragon' signatures...

Wednesday, February 9, 2011

Taiwan Says General Spied for China

Via -

Taiwan's Defense Ministry said it arrested a military general on suspicion of spying for China in the most high-profile cross-Strait espionage case in decades.

Taiwan government officials and some experts said the case highlights a determined effort by China to infiltrate the island's military despite warming economic and political ties between the two sides.

The Ministry of National Defense confirmed on Wednesday it arrested Maj. Gen. Lo Hsien-che on suspicion of leaking confidential information to Chinese intelligence sources after he was approached by Chinese operatives in 2004 while he worked in Thailand as a military attaché.

Although it remained uncertain just what information Gen. Lo might have leaked, the arrest could complicate further U.S. military sales to Taiwan, according to Chih-cheng Lo, president of the Taiwan Brain Trust, a think-tank that advocates independence for the island, which China claims as its own.

"China has been very aggressive lately in its efforts to penetrate Taiwan's military," Mr. Lo said. "This isn't an isolated case, there are most likely more," he said. "It's likely now we're in a time when the U.S. is thinking about sending F-16 C/D fighters. If Taiwan can't rectify some of these problems, the U.S. may reconsider some of its lines of exchange with Taiwan."

Local media, citing military sources, reported that General Lo had access to secret documents on the Po Sheng program, a system that integrates ground, naval, and air forces with command centers being sold to Taiwan by U.S. contractor Lockheed Martin Corp. as well as classified documents related to the Apache helicopter procurement plan.

But Jung-feng Chang, former deputy of Taiwan's National Security Council, said he doubted the reports. "The U.S. has very strict anti-espionage regulations, and I would be very surprised if Lo were able to get his hands on any critical information," he said.

Veracode: The Top 10 Mobile Application Risks

Via Veracode Blog -

The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent.

Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose operating system. In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps. However, mobile devices are not just small computers. Mobile devices are designed around personal and communication functionality which makes the top mobile applications risks different from the top traditional computing risks.

The Mobile App Top 10 can be used to determine the coverage of a security solution which can protect against these risks. A mobile app security solution can declare its coverage of the Mobile App Top 10 so customers can understand what risks the solution mitigates. Mobile app security solutions can be used in the development of an app, as part of an app store vetting process, for acceptance testing of an app, or for security software running on a mobile device.

Tuesday, February 8, 2011

Adobe Security Bulletins: Shockwave, Flash Player, Reader / Acrobat & Coldfusion


APSB11-01: Security update available for Shockwave Player
Adobe recommends users of Adobe Shockwave Player and earlier versions upgrade to the newest version, available here:
APSB11-02: Security update available for Adobe Flash Player
Adobe recommends all users of Adobe Flash Player and earlier versions upgrade to the newest version by downloading it from the Adobe Flash Player Download Center. Windows users can install the update via the auto-update mechanism within the product when prompted.
APSB11-03: Security updates available for Adobe Reader and Acrobat
Adobe recommends users of Adobe Reader X (10.0) and earlier versions for Windows and Macintosh update to Adobe Reader X (10.0.1), available now. Adobe recommends users of Adobe Acrobat X (10.0) for Windows and Macintosh update to Adobe Acrobat X (10.0.1).
APSB11-04: Security update: Hotfix available for ColdFusion
Adobe recommends affected ColdFusion customers update their installation using the instructions provided in the technote:

New SpyEye Gains Zeus Features – A Detailed Analysis of SpyEye Trojan v1.3

Via RSA Blog -

The RSA Research Lab has analyzed one of the most recent SpyEye v1.3 variants and has determined beyond doubt that the new hybrid Trojan is in fact already active in the wild. RSA’s researchers were able to reverse engineer the code and assert that it does indeed contain an exact code piece that has long been part of the Zeus Trojan’s sophisticated HTML injection mechanism.

Ever since the initial release of the SpyEye Trojan in December 2009, its coder, who goes by two aliases, “Harderman” and “Gribodemon”, has been working incessantly on upgrading his Trojan, harvesting the fruits of his labor by selling it to fraudsters. Harderman has already released numerous SpyEye versions, often adding unique features which were never used in Trojan codes before it.


Looking back to late October 2010, one can appreciate the surprise factor that marked one of the most significant events recorded in cybercrime history to date: a code merger between the most popular commercially sold Trojan kits – Zeus, and its biggest competitor – SpyEye.

Immediately after the news washed through underground forums and security blogs, fraudsters and security professionals alike turned their attention to Harderman’s announcements. The new owner of both Trojans posted information about his upcoming creation, which he dubbed – “one super Trojan”; a merged code uniting both Trojans and his promise of new features to make it bigger and better than ever.


New Remote Process Injection Method Makes SpyEye Harder to Detect

The SpyEye hybrid now has a new injection mechanism; instead of injecting itself into a target process (for example, into an IE process), SpyEye will inject the embedded EXE into a completely different process, using that process’ memory space and resources. SpyEye loads its embedded (core) executable into that “borrowed” process’ memory space, and then creates a remote thread that will actually execute the loaded code from that location.



And so the perpetual Trojan arms race continues. It appears that the more security features are put in place to protect online banking environments, the further Trojan developers will go in their attempts to infiltrate the systems, compromise security, and better hide their activities within infected computers.

Although one may assume that the new SpyEye hybrid, or super-Trojan if you will, is going to be Harderman’s (and cybercrime’s) main focus going forward, security researchers hold different forecasts concerning the subsequent Zeus and SpyEye versions to come. RSA believes that the Zeus Trojan may gradually become a relic of the past. Although the old Zeus may still be the subject of new underground upgrades, it will most likely begin fading away as fraudsters turn to SpyEye – a Trojan code offering both technical support and future upgrades.

Syria Opens Facebook, YouTube for First Time in Five Years

Via -

The Syrian Telecommunications Establishment (STE), Syria's state-owned Internet Service Provider (ISP), asked distributors to remove the firewall that blocks access to Facebook and YouTube. The changes should come into effect at some point today.
Read the full story at The Next Web.


While this is positive news, one must ask - "Now that they are open, how OPEN are they?"

Just because a user can get to a site, doesn't mean they can get to all content on said site - enter DPI and increased stealth censorship.

ZDI Public Disclosure: Microsoft

These vulnerabilities are being published as per the ZDI disclosure changes announced in August of 2010.
  • ZDI-CAN-811 = Microsoft Office Excel 2003 Invalid Object Type Remote Code Execution Vulnerability
  • ZDI-CAN-829 = Microsoft Office Excel Office Art Object Parsing Remote Code Execution Vulnerability
  • ZDI-CAN-904 = Microsoft Office Excel Axis Properties Record Parsing Remote Code Execution Vulnerability
  • ZDI-CAN-798 = Microsoft Excel 2007 Office Drawing Layer Remote Code Execution Vulnerability
  • ZDI-CAN-827 = Microsoft PowerPoint 2007 OfficeArt Atom Remote Code Execution Vulnerability

ZDI Outlined Mitigations

1) Microsoft Office File Block Policy can be used to block the opening of Office 2003 and earlier documents from unknown or untrusted sources and locations. This mitigation could be problematic in environments where 2003 binary files are still used.

2) Use Microsoft Office Isolated Conversion Environment (MOICE) when opening Excel and PowerPoint files in Office 2003 or 2007 (Enable MOICE with Simple "Fix it")

3) Use Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) with Microsoft Excel and Microsoft PowerPoint processes to force utilization of ASLR (only on Windows Vista or Windows 7) and DEP mitigations which could prevent exploitation.

Chechen Rebel Leader Claims Responsibility for Moscow Airport Attack

Via -

Chechen rebel leader Doku Umarov claimed responsibility for last month’s deadly bombing of Moscow's Domodedovo Airport in a video posted online late Monday. The video of Russia’s most-wanted criminal was the second to surface in the past few days, stoking fears of further acts of terrorism by radical Caucasus groups.

Mr. Umarov said in the video that he ordered the Jan. 24 attack on Russia’s largest airport, which killed 36 people and injured 180, and warned that more bombings will follow if Russia does not grant the Caucasus independence.

"You see this special operation carried out by my order ... more special operations will be carried out in the future," Mr. Umarov said in the video, as translated from Russian by the Associated Press.


Umarov is the leader of Caucasus Emirate, a self-proclaimed Islamic state in the North Caucasus that has been labeled a terrorist organization by the United States and Russia. He is wanted in Russia for kidnapping, treason, and homicide, and has taken responsibility for several large-scale terrorist attacks including the Moscow metro bombings last year, which killed 40.


STRATFOR Dispatch: Caucasus Leader Claims Moscow Airport Attack
Doku Umarov has an interest in attaching himself to this attack on Jan. 24. First of all, the attack was fairly successful; it did kill a number of foreigners and Russians, and in one of Moscow's larger airports. Doku Umarov has been weakened considerably since his August 2010 fallout with other militant leaders from the Caucasus. Russian authorities dealt a fairly large blow to Doku Umarov when they caused basically a split within his organization, the Caucasus Emirate. Umarov has a lot to prove to the public. He wants to show that the August 2010 fallout didn't completely incapacitate him, and if he can prove that he actually was the one who ordered the Jan. 24 attack, it would be a pretty strong indication that he wasn't as weak as we thought he was.

However, at STRATFOR we're pretty skeptical of this video. We're not convinced that it necessarily proves that Doku Umarov did order the Jan. 24 attack even though he claims it. First of all, Doku Umarov isn't really known to work with militants from Ingushetia; he himself has more frequently in the past worked with militants from Chechnya and Dagestan. He doesn't necessarily have as close of links to Ingushetia. So the fact that the prime suspect in the Jan. 24 bombing is Ingushetian leads us to become skeptical of the connections between Doku Umarov and the bomber. Additionally, Umarov has made false claims before. Back in 2009 he claimed responsibility for an explosion at a dam in Russia. However, we later learned that the explosion was due to mechanical failure and not terrorist activity. So Umarov does have a reputation for making false claims, so we have to be pretty skeptical of this claim.

Monday, February 7, 2011 - Introducing: Palevo Tracker

Via Blog -

Today we are going to talk about a nasty worm called Palevo.

Palevo (also known as Rimecud, Butterfly bot or Pilleuz) made some big press in 2009 when Panda Security announced the coordinated takedown of a huge botnet that they called Mariposa.

Since then the threat lost its media attention, but what most people don't know is: Palevo is still a big player in the global threat landscape. According to FireEye, in 2010 Palevo was the top malware (# of infections) in the world:


Palevo is a so called bot kit that is being sold in underground forums (like ZeuS) using the name BUtterFly BOT. Therefore there are dozens of different botnets out there run by different criminal groups.


A further problem is the way Palevo communicates with its Command&Control server (C&C): The worm uses UDP and encrypts the data sent to the C&C server on (in most cases) a high port (e.g. 7700 UDP). The reason why Palevo uses UDP is simple: There are a lot of firewalls/appliances out there that are poorly configured and therefore:
  • aren’t logging UDP packets in the Firewall log
  • allow UDP traffic by default
That makes it pretty easy to keep the Palevo C&C traffic hidden even in corporate networks.


To keep it simple I've created Palevo Tracker as a sub-project on AMaDa. This means that the Palevo Tracker blocklist is included in the AMaDa C&C Blocklist.
You can use the blocklist to block Palevo C&C traffic proactively and/or to identify infected clients (e.g. by matching the blocklist against your Firewall logs).
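The last step above, matching the blocklist against firewall logs, is straightforward once the log lines are parsed; the script below is an added example of that and is not the tracker's own tooling. The blocklist entries and the iptables-style log lines are constructed (RFC 5737 documentation addresses stand in for C&C servers and for benign destinations), and the second function is a fallback heuristic for C&C hosts the list does not know yet: internal machines sending UDP to high ports, the pattern this post describes.

```python
import ipaddress
import re

# Constructed blocklist standing in for the AMaDa/Palevo Tracker list; these
# are RFC 5737 documentation addresses, not real C&C servers.
BLOCKLIST = ["203.0.113.0/24", "198.51.100.77"]

# Constructed firewall log lines in an iptables-style format; 192.0.2.x are
# benign stand-ins (a web server and a DNS resolver). The last line shows a
# DROPped flow: the firewall stopped it, but the client still tried.
SAMPLE_LOG = """\
Feb  7 10:01:02 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.45 PROTO=UDP SPT=51212 DPT=7700 LEN=128
Feb  7 10:01:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=192.0.2.80 PROTO=TCP SPT=51213 DPT=443 LEN=60
Feb  7 10:02:11 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.7.8 DST=198.51.100.77 PROTO=UDP SPT=40001 DPT=9912 LEN=96
Feb  7 10:03:40 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.7.9 DST=192.0.2.53 PROTO=UDP SPT=53011 DPT=53 LEN=70
Feb  7 10:04:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=203.0.113.45 PROTO=UDP SPT=51212 DPT=7700 LEN=128
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP|REJECT) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def load_blocklist(entries):
    """Accept single IPs and CIDR ranges; strict=False tolerates host bits set."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def parse_log(text):
    """Yield one dict per parseable log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["spt"] = int(ev["spt"])
            ev["dpt"] = int(ev["dpt"])
            yield ev


def find_infected(log_text=SAMPLE_LOG, blocklist=BLOCKLIST) -> dict:
    """Internal hosts that contacted a listed C&C, with each matching flow.
    DROPped flows count too: the host attempted the connection, so it is infected."""
    nets = load_blocklist(blocklist)
    hits = {}
    for ev in parse_log(log_text):
        dst = ipaddress.ip_address(ev["dst"])
        if any(dst in n for n in nets):
            hits.setdefault(ev["src"], []).append((ev["dst"], ev["proto"], ev["dpt"], ev["action"]))
    return hits


def udp_high_port_talkers(log_text=SAMPLE_LOG, min_port=1024) -> set:
    """Fallback for C&C not yet on the list: internal hosts sending UDP to high
    ports. DNS (53) and other well-known UDP services fall below min_port."""
    return {ev["src"] for ev in parse_log(log_text)
            if ev["proto"] == "UDP" and ev["dpt"] >= min_port}


if __name__ == "__main__":
    for host, flows in find_infected().items():
        print(host, "->", flows)
    print("UDP high-port talkers:", sorted(udp_high_port_talkers()))
```

Two caveats follow directly from the post: a host whose C&C flow was dropped is still infected and still needs cleaning, and if the firewall does not log UDP at all (the very misconfiguration Palevo relies on), an empty result means nothing. Check that UDP is logged before trusting the absence of hits, and expect the high-port heuristic to need an allowlist for legitimate UDP applications (VoIP, VPNs, games) on a real network.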