Saturday, July 30, 2011

Leader of La Linea Gang Arrested in Mexico

Via CNN -

A purported leader of the infamous La Linea criminal organization has been arrested in Mexico, state-run media reported, citing a military leader.

Jose Antonio Acosta Hernandez, known as El Diego, was taken into custody during an operation in Chihuahua, Emilio Zarate Landeros told Notimex on Saturday.

Zarate, who leads troops in Mexico's Quinta Zona Militar or Fifth Military Zone, said the raid had been carefully planned and coordinated.

Video from CNN affiliate XHIJ shows several armed men going into a Chihuahua building to detain Acosta.

La Linea is the armed branch of the Juarez drug cartel, federal police official Ramon Eduardo Pequeno Garcia has previously told CNN.

This group ordered the March 2010 killing of U.S. consulate employee Lesley Enriquez, the same official added. She and her husband, Arthur Redelfs, were gunned down as they left a birthday party in a white SUV.

Authorities have said that Jesus Ernesto Chavez Castillo -- arrested last summer in connection with various deadly shootings in Ciudad Juarez -- got his orders directly from Acosta.

Acosta, whose other alias is Blablazo, himself worked under La Linea leader Emilia Ramirez Castillo, or El Negro, according to the general prosecutor's office of Mexico. A 15 million-peso reward was being offered for information leading to his arrest.

Friday, July 29, 2011

Officials: Iranian was Nuclear Scientist, Not Student as Tehran Claims

Via Washington Post (AP) -

A man shot dead on a Tehran street by motorcycle-riding gunmen last weekend was a scientist involved in suspected Iranian attempts to make nuclear weapons and not a student as officially claimed, a foreign government official and a former U.N. nuclear inspector have told The Associated Press.

The man was shot Saturday by a pair of gunmen firing from motorcycles in an attack similar to recent assassinations of two nuclear scientists that Iran blames on the United States and Israel. State-run media initially identified him as Darioush Rezaei, a physics professor and expert in neutron transport, but backtracked within hours, with officials subsequently naming him as Darioush Rezaeinejad, an electronics student.

An official — from a member nation of the Vienna-based International Atomic Energy Agency — verified that the victim was named Darioush Rezaeinejad, but said he participated in developing high-voltage switches, a key component in setting off the explosions needed to trigger a nuclear warhead. An abstract seen by the AP and bearing the name Darioush Rezaeinejad as a co-author appears to back that claim.

Two other men, both of them nuclear scientists, were killed last year by assassins on motorcycles. While the possibility remained that there may be two Darioush Rezaeinejads, a senior Western diplomat in Vienna said the three assassinations, as well as the “back and forth by the Iranians” on the latest victim’s identity, had sharpened suspicions in his capital of a possible cover-up. He asked for anonymity because he was relaying confidential information.

Thursday, July 28, 2011

EMC and AmCham-China: A Perfect Recipe For A Network Breach

Via Digital Dao (Jeffrey Carr's Blog) -

Here is a classic scenario for how critical technology gets stolen. Take a C-level executive of a company whose focus is high value technology (like Cloud computing) and send him to a country that is spending millions of its currency to acquire that technology (like China) to speak at an event organized by an association that has itself been compromised (like the American Chamber of Commerce in China).

The event I'm writing about is coming up on August 9 in Beijing: USITO/AmCham-China's ICT Breakfast Series: Cloud Meets Big Data

China is heavily investing in Cloud Computing, having set up its own Cloud Valley located in the Beijing Economic Technological Development Area for RMB 500 million.

One of AmCham-China's employees was sending out email messages with malicious attachments in January, 2011. These were not spoofed emails, which means that the entire organization's network had been compromised and probably still is.

The speaker for the event is the CTO of EMC Jeffrey Nick, whose RSA security division suffered a massive breach last March and whose company offers Cloud computing solutions.

This is a textbook case for how executives may be targeted and compromised by a nation state that is interested in their technology. And if this year has taught us anything, it's that everyone is vulnerable - even a top executive at one of the world's largest information security companies.


It is pretty hard to counter his logic on this one....

Hack of South Korean Sites Affects Up to 35 Million Users

Via -

According to a report from Reuters, hackers from China have attacked an internet portal and blogging site operated by South Korea's SK Communications, gaining access to the personal information of up to 35 million users. The news agency says that the cyber attack could be the largest the country has ever experienced.

In a statement, the Korea Communications Commission confirmed that the personal information targeted by the attackers included names, telephone numbers, email addresses and other data from the Nate portal and Cyworld blogging sites run by the SK Telecom subsidiary. An official at the commission told Reuters that the police have started an investigation, but have yet to ask for assistance from Chinese authorities.


Interestingly enough, Microsoft recently outlined the malware threat landscape in the Republic of Korea - characterizing it as one of the most active in the world. Korea has a malware threat landscape that is characterized by a mix of global threats as well as threats that are targeting users in Korea specifically.

To put this active landscape in a broader context, look at McAfee's July 2011 analysis of the March 2011 DDoS attacks against South Korean government and U.S. military websites. McAfee concludes, on circumstantial evidence, that the attacks likely came from North Korea, and the report [PDF] echoes other assessments of North Korea's improving cyber war capabilities.

Wednesday, July 27, 2011

TWR: Advanced Reactor Gets Closer to Reality

Via MIT Technology Review -

Terrapower, a startup funded in part by Nathan Myhrvold and Bill Gates, is moving closer to building a new type of nuclear reactor called a traveling wave reactor that runs on an abundant form of uranium. The company sees it as a possible alternative to fusion reactors, which are also valued for their potential to produce power from a nearly inexhaustible source of fuel.

Work on Terrapower's reactor design began in 2006. Since then, the company has changed its original design to make the reactor look more like a conventional one. The changes would make the reactor easier to engineer and build. The company has also calculated precise dimensions and performance parameters for the reactor. Terrapower expects to begin construction of a 100-megawatt demonstration plant in 2016 and start it up in 2020. It's working with a consortium of national labs, universities, and corporations to overcome the primary technical challenge of the new reactor: developing new materials that can withstand use in the reactor core for decades at a time. It has yet to secure a site for an experimental plant—or the funding to build it.

The reactor is designed to be safer than conventional nuclear reactors because it doesn't require electricity to run cooling systems to prevent a meltdown. But the new reactor doesn't solve what is probably the biggest problem facing nuclear power today: the high cost of building them. John Gilleland, Terrapower's CEO, says the company expects the reactors to cost about as much to build as conventional ones, "but the jury is still not in on that."

Conventional reactors generate heat and electricity as a result of the fission of a rare form of uranium—uranium 235. In a traveling wave reactor, a small amount of uranium 235 is used to start up the reactor. The neutrons the reactor produces then convert the far more abundant uranium 238 into plutonium 239, a fissile material that can generate the heat needed for nuclear power. Uranium 238 is readily available in part because it's a waste product of the enrichment processes used to make conventional nuclear fuel. It may also be affordable in the future to extract uranium 238 from seawater if demand for nuclear fuel is high. Terrapower says there's enough of this fuel to supply the world with power for a million years, even if everyone were to use as much power as people in the United States do.


One challenge with this design is ensuring that the steel cladding that contains the fuel in the fuel rods can survive exposure to decades of radiation. Current materials aren't good enough: for one thing, they start to swell, which would close off the spaces between the fuel rods through which coolant is supposed to flow. To last 40 years, the materials need to be made two to three times more durable, Terrapower says.


Terrapower has also developed designs for a passive cooling system. Like many other advanced reactor designs, Terrapower's uses molten sodium metal as the coolant. Sodium takes much longer to boil than water, which gives plant operators more time to respond to accidents. It would also be possible to use natural convection in the event of a power outage—coolant wouldn't have to be continuously pumped into the reactor, as was the case at Fukushima. One danger of using sodium, however, is that it reacts violently when it's exposed to air or water.

TWRs differ from other kinds of fast-neutron and breeder reactors in their ability to, once started, reach a state whereafter they can achieve very high fuel utilization while using no enriched uranium and no reprocessing, instead burning fuel made from depleted uranium, natural uranium, thorium, spent fuel removed from light water reactors, or some combination of these materials.

Tuesday, July 26, 2011

Analysts Expect Mexican Drug Violence to Continue

Via -

A prediction that one of the most notorious cartels operating on the Texas-Mexico border could soon meet its demise was premature, according to a new report on Mexican cartels. Instead, its authors caution that daily bloodshed may continue unabated.

Though it’s not expected to reach the record highs witnessed in 2010, this year’s death toll in Ciudad Juárez is still expected to be in the thousands as multiple massacres continue as a weekly occurrence. At least 1,230 have been murdered there this year, and about 8,670 since 2008, according to local media reports.

The assessment is part of global intelligence firm STRATFOR’s latest quarterly report on Mexico. In April it forecast that the Juárez cartel — the Vicente Carrillo Fuentes organization that has operated under the family’s direction for decades across from El Paso — might meet its end at the hands of its rival, Joaquin “El Chapo” Guzman’s Sinaloa cartel. The prediction was a result of intelligence stating the Sinaloa outfit was successfully choking off the hometown gang in the city and surrounding areas, squeezing off its eastern and western supply routes.

STRATFOR estimated then that the violence in the border city might escalate as the Juárez cartel sought ways to replenish its lost revenue, mainly through kidnappings, thefts and extortions. The Juárez cartel has proven more resilient, and Juárez has seen a surge in murders after some observers thought the death toll there would subside.

“Though STRATFOR previously reported that the VCF was hemmed in on all sides by the Sinaloa Federation and essentially confined to downtown Ciudad Juárez, STRATFOR sources have recently indicated that this is no longer quite the case,” the report states.


In somewhat related news....

Mexico Arrests 1K In Human Trafficking Raids
Authorities in Ciudad Juarez arrested more than 1,000 people over the weekend in an operation aimed at cracking down on human trafficking, police said. Federal police said raids in two dozen bars, hotels and boarding houses netted arrests of 500 men and 530 women they suspect are connected with human trafficking and sexual exploitation. In addition, 20 female minors were rescued, police said.

And as a reminder of the activity that is happening in US cities right now...
!/STRATFOR/status/95917111058243584
35 LFM [La Familia Michoacana] cartel members arrested in Austin Texas 7/21. Police say Austin used as drug-trafficking hub.

Monday, July 25, 2011

DJ Fenner & Quazzer - I Was Wrong (Dubstep Remix)

An Analysis of Anonymity in the Bitcoin System


Bitcoin is not inherently anonymous. It may be possible to conduct transactions in such a way so as to obscure your identity, but, in many cases, users and their transactions can be identified. We have performed an analysis of anonymity in the Bitcoin system and published our results in a preprint on arXiv.
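The core of how "users and their transactions can be identified" is address linking over the public transaction graph. The block below is an added example, not code from the preprint or from this blog: it implements the multi-input heuristic (every input of one transaction is assumed to be spent by the same owner) with a union-find structure, then propagates any out-of-band label (a forum signature, an exchange deposit address) across the resulting cluster. The transactions and labels are constructed for illustration.

```python
"""Added example: linking Bitcoin addresses with the multi-input heuristic.

Assumption: the heuristic here (all inputs of one transaction share an
owner) is the common one; the preprint's exact method is not on the page.
The transactions and the 'known' label table are constructed samples."""

from collections import defaultdict


class UnionFind:
    """Disjoint-set forest with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions):
    """Group input addresses by the multi-input heuristic.

    transactions: list of {"inputs": [addr, ...], "outputs": [addr, ...]}.
    Returns a sorted list of frozensets, one per inferred owner. Addresses
    that only ever receive are not linked to anything and are left out."""
    uf = UnionFind()
    for tx in transactions:
        inputs = tx["inputs"]
        for addr in inputs:
            uf.find(addr)  # register single-input spends too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    groups = defaultdict(set)
    for addr in uf.parent:
        groups[uf.find(addr)].add(addr)
    return sorted((frozenset(g) for g in groups.values()),
                  key=lambda s: sorted(s))


def deanonymize(transactions, known):
    """known: {address: label} obtained out of band. Every address in the
    same cluster as exactly one labelled address inherits that label; a
    cluster with conflicting labels is left alone (heuristic may be wrong)."""
    labels = {}
    for cluster in cluster_addresses(transactions):
        hits = {known[a] for a in cluster if a in known}
        if len(hits) == 1:
            label = hits.pop()
            for a in cluster:
                labels[a] = label
    return labels


# Constructed sample: A1 and A2 are spent together, then A2 and A3, so
# A1, A2, A3 are one owner; B1 is spent alone; C1 only receives.
SAMPLE_TXS = [
    {"inputs": ["A1", "A2"], "outputs": ["C1", "A3"]},
    {"inputs": ["A2", "A3"], "outputs": ["B1"]},
    {"inputs": ["B1"], "outputs": ["C1"]},
]

if __name__ == "__main__":
    for c in cluster_addresses(SAMPLE_TXS):
        print(sorted(c))
    print(deanonymize(SAMPLE_TXS, {"A1": "alice"}))
```

The conflicting-label guard matters in practice: mixing services and shared wallets violate the heuristic, so one wrong link can merge two real users into a single cluster.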

Report: Iran Resorts to Rip And Replace To Kill Off Stuxnet

Via -

Reports that Iran had recovered from the infection of the Stuxnet worm may have been overblown, as a new report suggests the country is being forced to replace thousands of expensive centrifuges damaged by the worm.

The report from the Web site DEBKAfile cites "intelligence sources" in claiming that Stuxnet was not purged from Iran's nuclear sites and that the country was never able to return its uranium enrichment operation to "normal operation." Instead, the country has said in recent days that it is installing newer and faster centrifuges at its nuclear plants and intends to speed up the uranium enrichment process, according to the country's foreign ministry.

Iran was believed to have 8,700 centrifuges in operation at the country's Natanz facility at the time the Stuxnet worm was released, which is believed to be around June 2009. A recent report from Wired's ThreatLevel blog cites International Atomic Energy Agency (IAEA) officials who inspected the plant in January 2010 as saying up to a quarter of those centrifuges were disabled at that point, just months after the worm was released, and a full six months before it would be publicly identified by researchers at the Belarusian antivirus firm VirusBlokAda.

A report from the Institute for Science and International Security (PDF) dating from February 2011, as well as contemporary news reports at the time, assessed the damage caused to Iran's uranium enrichment program to be limited. DEBKAfile, citing Western intelligence sources, reports that Iran failed to eradicate the worm, which resurfaced and began spreading within the Iranian facilities, prompting the government to replace an estimated 5,000 working centrifuges.


It is definitely within the scope of possibility that Iran would have difficulty eradicating the sophisticated Stuxnet worm. Most corporations have just as much trouble eradicating much less sophisticated malware on a daily basis.

Interesting story if true, but I would advise taking it with a grain of salt at this point.

Friday, July 22, 2011

Apple Laptops Vulnerable To Hack That Kills Or Corrupts Batteries

Via (Firewall Blog) -

Your laptop’s battery is smarter than it looks. And if a hacker like security researcher Charlie Miller gets his digital hands on it, it could become more evil than it appears, too.

At the Black Hat security conference in August, Miller plans to expose and provide a fix for a new breed of attack on Apple laptops that takes advantage of a little-studied weak point in their security: the chips that control their batteries.

Modern laptop batteries contain a microcontroller that monitors the power level of the unit, allowing the operating system and the charger to check on the battery’s charge and respond accordingly. That embedded chip means the lithium ion batteries can know when to stop charging even when the computer is powered off, and can regulate their own heat for safety purposes.

When Miller examined those batteries in several Macbooks, Macbook Pros and Macbook Airs, however, he found a disturbing vulnerability. The batteries’ chips are shipped with default passwords, such that anyone who discovers that password and learns to control the chips’ firmware can potentially hijack them to do anything the hacker wants. That includes permanently ruining batteries at will, and may enable nastier tricks like implanting them with hidden malware that infects the computer no matter how many times software is reinstalled or even potentially causing the batteries to heat up, catch fire or explode. “These batteries just aren’t designed with the idea that people will mess with them,” Miller says. “What I’m showing is that it’s possible to use them to do something really bad.”


Miller says he's received messages from several other researchers asking him not to proceed with the battery work because it could be too dangerous. But Miller has worked to fix the problems he's exposing. At Black Hat he plans to release a tool for Apple users called "Caulkgun" that changes their battery firmware's passwords to a random string, preventing the default password attack he used. Miller also sent Apple and Texas Instruments his research to make them aware of the vulnerability. I contacted Apple for comment but haven't yet heard back from the company.

Implementing Miller’s “Caulkgun” prevents any other hacker from using the vulnerabilities he’s found. But it would also prevent Apple from using the battery’s default passwords to implement their own upgrades and fixes. Those who fear the possibilities of a hijacked chunk of charged chemicals in their laps might want to consider the tradeoff.

Thursday, July 21, 2011

APT: Attack On Pacific Northwest National Lab Started At Public Web Servers

Via Dark Reading (July 20, 2011) -

The cyberattack discovered at Pacific Northwest National Laboratory (PNNL) during the Fourth of July holiday weekend used a combination of a Web server vulnerability and a payload that delivered a zero-day Adobe Flash attack, according to officials at the Department of Energy-contracted facility.

PNNL, a research and development facility operated under contract to the Department of Energy, discovered what it described as a "sophisticated" targeted attack on its systems the Friday before the holiday, compelling the organization to temporarily shut down most of its internal network services, including email, SharePoint, its wireless LAN, voicemail, and Internet access. PNNL also blocked internal traffic while investigating and mitigating the attack. The lab says no classified or sensitive information was accessed in the attack.

Now more details are emerging on just how the attackers got into the Richland, Wash.-based lab, which employs around 4,900 people and handles homeland security analysis and research, as well as smart grid and environmental development.

Jerry Johnson, chief information officer for Pacific Northwest National Laboratory, said in an interview with Dark Reading that the attackers at first infiltrated some of PNNL's public-facing Web servers that contained publicly available information. These servers are considered "low impact" by government security standards, meaning that they require only minimal security under NIST standards.

The attackers exploited an undisclosed bug in the server, and then rigged it with a malicious payload that planted an Adobe Flash zero-day exploit on victims' machines. Johnson declined to elaborate on the Flash bug and exploit.

Another DOE facility, Newport News, Va.-based Thomas Jefferson National Lab, was also hit around the same time frame as PNNL, according to published reports. The attacks have been described as having the earmarks of advanced persistent threat (APT) actors, typically nation-state sponsored and focused on cyberespionage.


Even though the attackers used such a blanketed method of drive-by Web attack, Johnson says it was obvious they were zeroing in on PNNL. They netted non-PNNL workstations in their attack as well, but that wasn't their focus. "There were some workstations compromised by other DOE contractors we had on-site, but they were never exploited. [The attackers] didn’t care about them, only about the ones inside the lab. It was very clear that they knew what they wanted," and that was to target PNNL, he says.

Meanwhile, the more serious part of the breach against PNNL came in a second-wave attack that originated from another laboratory, which has not been identified but sources say was not Jefferson Lab.


Like targeted spear-phishing, this technique appears to be increasingly used by APT actors: compromise a company's public website(s), plant malicious exploits (mostly 0-days) on those pages, and wait for the company's own employees to visit the site, which they are likely to do, thus infecting internal / trusted PCs through the organization's public web presence.

The same technique has been documented in attacks against human rights organizations since 2009, which are also common targets for specific APT actors.
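The defensive counterpart to the technique above is to treat your own public pages as untrusted and diff what the server actually serves against a known-good baseline. The block below is an added example, not PNNL's tooling or anything from the Dark Reading article: it parses served HTML, extracts the references that can deliver active content to a browser (script, iframe, frame, embed, object), and flags anything not in the baseline, anything loaded from an off-site host that is not on an allowlist, and anything that references a Flash movie, which is how a planted exploit page of the kind described would typically appear. The pages, hostnames and allowlist are constructed for the example.

```python
"""Added example: baseline audit of a public web page for planted
exploit references (script/iframe/embed/object pointing off-site).

Assumptions: the site host, the CDN allowlist and both HTML pages below are
constructed; nothing here is taken from the PNNL incident itself."""

import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class RefCollector(HTMLParser):
    """Collect attributes through which a page pulls in active content."""

    WATCHED = {"script": "src", "iframe": "src", "frame": "src",
               "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = self.WATCHED.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value:
            self.refs.append((tag, value))


def collect_refs(html):
    """Return [(tag, url), ...] in document order."""
    p = RefCollector()
    p.feed(html)
    p.close()
    return p.refs


def audit_page(html, site_host, baseline_refs, allowed_hosts=()):
    """Return a list of human-readable findings for one served page.

    site_host:     hostname the page belongs to (same-host loads are fine).
    baseline_refs: set of (tag, url) recorded when the page was known good.
    allowed_hosts: third-party hosts that are expected (CDN, analytics)."""
    findings = []
    for tag, url in collect_refs(html):
        host = urlparse(url).hostname  # None for relative URLs
        if (tag, url) not in baseline_refs:
            findings.append(f"new {tag} reference not in baseline: {url}")
        if host and host != site_host and host not in allowed_hosts:
            findings.append(f"{tag} loads from off-site host {host}: {url}")
        if re.search(r"\.swf(\?|$)", url, re.I):
            findings.append(f"{tag} references a Flash movie: {url}")
    return findings


def page_fingerprint(html):
    """Whitespace-normalised hash, for a cheap 'did anything change'
    poll before running the full audit."""
    body = re.sub(rb"\s+", b" ", html.encode("utf-8")).strip()
    return hashlib.sha256(body).hexdigest()


# Constructed known-good page for a hypothetical site www.example.org.
GOOD_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/jquery.js"></script>
</head><body><h1>Public data</h1></body></html>"""

# The same page after an attacker appended a 1x1 iframe that loads a Flash
# file from an address they control (constructed, documentation range).
TAMPERED_PAGE = GOOD_PAGE.replace(
    "</body>",
    '<iframe src="http://198.51.100.7/x/loader.swf" width="1" height="1">'
    "</iframe></body>")

BASELINE = set(collect_refs(GOOD_PAGE))
ALLOWED = {"cdn.example.net"}

if __name__ == "__main__":
    for name, page in (("good", GOOD_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, page_fingerprint(page)[:16])
        for f in audit_page(page, "www.example.org", BASELINE, ALLOWED):
            print("  ", f)
```

Run it from a host outside the web tier, against the pages as a browser would fetch them, not against the files on disk: an attacker who owns the server can serve different content to the two.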

Wednesday, July 20, 2011

ICSR Insight: AQAP Releases Sixth Edition of Inspire Magazine

Via ICSR -

ICSR Senior Research Fellow, Shiraz Maher, has written a summary and analysis of the sixth edition of Inspire Magazine released by Al-Qaeda in the Arabian Peninsula.


Tuesday, July 19, 2011

FBI: Pakistani Spies Spent Millions Lobbying US

Via (AP) -

For years, the Pakistani spy agency funneled millions of dollars to a Washington non-profit group in a secret effort to influence Congress and the White House, the Justice Department said Tuesday in court documents that are certain to complicate already strained relations between the U.S. and Pakistan.

FBI agents arrested Syed Ghulam Nabi Fai, the executive director of the Kashmiri American Council, on Tuesday morning and charged him with being an unregistered agent of a foreign government. Under the supervision of a senior member of Pakistan's spy agency, Inter-Services Intelligence, Fai worked to influence Congress and develop contacts at the White House and State Department, prosecutors said.

"I believe that Fai has received approximately $500,000 to $700,000 per year from the government of Pakistan," FBI agent Sarah Webb Linden said in documents filed at the federal court in Alexandria, Va.

The Pakistani Embassy in Washington quickly denied any knowledge of such an arrangement.

A second man, Zaheer Ahmad, was also charged. Prosecutors said he recruited people to act as straw donors who would give money that really was coming from the Pakistani government. Ahmad is not under arrest and is in Pakistan, prosecutors said. Both men are U.S. citizens.

A soft-spoken man, Fai is a leading voice in the debate over the future of Kashmir, the mountainous border area that India and Pakistan have fought over for years. He supports the pro-Pakistan viewpoint that Kashmiris should vote on whether to be part of Pakistan or India. India claims the territory as its own.

Prosecutors said the Kashmiri American Council was being run in secret by the Pakistani government. Government officials reviewed Fai's budget and directed him to make campaign donations to Congress, meet with lawmakers and attend political events. The group's phone rang unanswered and a doorman said Tuesday that nobody from the organization had arrived at the office building, a few blocks from the White House in the heart of Washington's lobbying district.

Israr Mirza, the former president of the Pakistani Student Association at George Mason University, recalled hearing Fai speak at a February event his organization hosted on India-Pakistan relations.

"I don't see him as a spy or anything. He's an old gentleman," said Mirza, who has since graduated from George Mason. "He seemed like a very collected guy. He was speaking just to promote peace."

Though the charges are not related to espionage, the arrest adds new strain to the already difficult relationship between the U.S. and Pakistan, which suffered after the U.S. found Osama bin Laden hiding inside Pakistan and killed him without telling the government there.

In Court Papers, U.S. Openly Suggests Pakistan Interested in Thermonuclear Weapon

Via -

The United States in federal court documents offered its first open suggestion that nuclear-armed Pakistan could be seeking to build a thermonuclear weapon, the Pittsburgh Tribune-Review reported.

The Justice Department has charged a Chinese woman living in the United States with illegally exporting high-tech paint coatings that could aid Pakistan's nuclear-weapons development. As the ex-managing director of a Chinese branch of PPG Industries, Xun Wang is accused of shipping the material five years ago in direct disobedience of the Pittsburgh-based company and of nonproliferation guidelines issued by the Commerce Department.

Pakistan holds nuclear arms outside the Nuclear Nonproliferation Treaty and is a known past proliferator of sensitive technology and information through the black-market operation once led by scientist Abdul Qadeer Khan. As such, the United States has placed a number of restrictions on the trade of sensitive goods with the South Asian nation.

The U.S. Justice Department questions in court filings whether the paint-coating shipments could "aid Pakistan in developing thermonuclear weapons," the first instance in which Washington has formally in an open forum raised the issue of Islamabad's potential interest in a hydrogen weapon, according to Hans Kristensen, the Federation of American Scientists' nuclear information project director.

Although Pakistan has carried out nuclear tests using uranium-based weapons, it is not definitively known whether the country is recycling used atomic fuel to build a thermonuclear bomb, he said.

Wang holds permanent residency status in the United States. Before she joined PPG in 2006, the company had exported 290 gallons of the sophisticated coating to Pakistan to be used in building the nation's second atomic energy reactor at the Chashma complex, court filings state.

Chinese firms assisted Pakistan in constructing the first and second reactors at Chashma.

Two different deliveries totaling 360 gallons of epoxy coatings were also sent to Pakistan, while a fourth containing 265 gallons was stopped in Shanghai, records show.

Pakistan needed extra epoxy to complete covering the inside of the reactor. Otherwise, it would have been forced to conduct the costly work of stripping the PPG coating that had already been applied and replacing it with a different product.

Company officials besides Wang are believed to have tried to assist China's atomic work in Pakistan, government documents state.

Atomic analysts think it is highly likely that Islamabad constructed a facility close to the second Chashma reactor that could recycle used atomic fuel into weapon-usable plutonium.

Satellite photographs taken in the last decade reveal building taking place at the site of an unfinished Chashma-area plutonium reprocessing facility that had been abandoned in the 1970s, according to a 2007 analysis by Paul Brannan and David Albright, nuclear experts at the Institute for Science and International Security. As recently as 2006, construction vehicles and materials could be viewed at the site, and pavement had been laid on roads leading up to the unfinished processing plant.

The ISIS analysts speculated that the plutonium facility was close to finished and that China possibly aided Pakistan in the project. If they are correct, the analysts asserted that used nuclear fuel rods from the first and second Chashma energy reactors "would aid Pakistan in developing thermonuclear weapons as well as increasing the size of its nuclear arsenal."

RSA FraudAction News Flash: Trojan Add-On Forces Zombie PCs into Slavery to Mine Bitcoins

Via RSA Blog -

The RSA FraudAction Research Lab recently discovered a novel Trojan feature annexed to SpyEye Trojan variants (v1.03.45) and to Zeus Trojan variants (v2.0.8.9), made to maliciously target the Bitcoin e-currency system. The Trojans are now being used by their operators in a practice designed to leverage the extended botnet in order to mine Bitcoins.

This innovation is not to be confused with the hacking or stealing of the Bitcoin wallet (which is likely also stolen by the Trojan), but rather a way to have the zombie computers on the botnet be part of a joint resource used for mining – and thus earning – Bitcoins.

This blog elaborates on what Bitcoins are, on the technical aspect of this new Trojan module as well on some of the possible implications this may have in the near future.


Recently, Symantec released a write-up on the possibility of mining Bitcoins (BTC) using botnets:

"One of the selling points of the Bitcoin currency is that anyone with a computer can begin to earn Bitcoin blocks by using his or her computer's computational power, along with open source Bitcoin software, to solve a difficult cryptographic proof-of-work problem. This is referred to as Bitcoin mining and, if successful in solving a block, it will lead to a reward of up to 50 Bitcoins per block...Taking this information into account, Bitcoin botnet mining as an attractive and profitable venture for cybercriminals is very questionable. However, with recent spikes in the valuation of Bitcoins reaching as high as $26, it may become more appealing in the future to cybercriminals as another source of illegal earnings from their botnets. As the stability and value of Bitcoin increase, so does the attractiveness of Bitcoin botnet mining."

Looks like the developers of ZeuS and SpyEye are looking to get ahead of the curve.
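To make concrete what the "difficult cryptographic proof-of-work problem" the Symantec quote refers to actually is, and why it is pure CPU time that a botnet can spread across thousands of hosts, here is an added example (not RSA's, Symantec's, or any Trojan's code). It searches a 32-bit nonce until the double SHA-256 of a header falls below a target, and shows that verification is a single hash. The header layout is simplified (a real Bitcoin block header is an 80-byte binary structure; here it is a constructed byte string plus the nonce), and the difficulty is expressed directly as a number of leading zero bits rather than Bitcoin's compact "bits" encoding.

```python
"""Added example: the hash puzzle behind Bitcoin mining.

Assumptions: SAMPLE_HEADER is a constructed stand-in for the real 80-byte
block header, and difficulty is given as leading zero bits instead of the
compact target encoding."""

import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    """Bitcoin's block hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_for_bits(difficulty_bits: int) -> int:
    """The hash, read as a 256-bit integer, must be below this value.
    Each extra required zero bit halves the target and doubles the work."""
    return 1 << (256 - difficulty_bits)


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Brute-force a little-endian 32-bit nonce appended to the header.
    Returns (nonce, attempts) or None if the nonce space is exhausted,
    in which case a real miner changes the header (e.g. the timestamp)."""
    target = target_for_bits(difficulty_bits)
    for nonce in range(max_nonce):
        digest = double_sha256(header + struct.pack("<I", nonce))
        if int.from_bytes(digest, "big") < target:
            return nonce, nonce + 1
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """One hash to check. This producer/verifier asymmetry is the whole
    point: the work is expensive, so stolen CPU time has resale value."""
    digest = double_sha256(header + struct.pack("<I", nonce))
    return int.from_bytes(digest, "big") < target_for_bits(difficulty_bits)


# Constructed header: in a real block these fields are the version,
# previous block hash, merkle root, timestamp and compact target.
SAMPLE_HEADER = b"prev=00..abc merkle=de..f0 time=1311000000 "

if __name__ == "__main__":
    bits = 18
    nonce, attempts = mine(SAMPLE_HEADER, bits)
    print(f"nonce={nonce} found after {attempts} attempts "
          f"(about {2 ** bits} expected on average)")
    print("verifies:", verify(SAMPLE_HEADER, nonce, bits))
```

Expected attempts grow as 2^bits, so doubling the number of compromised machines halves the wall-clock time per block but leaves the total CPU burned unchanged; that is why the economics in the quote hinge on the exchange rate rather than on any cleverness in the malware.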

Internet's Memory Effects Quantified in Computer Study

Via BBC (Science and Environment) -

Computers and the internet are changing the nature of our memory, research in the journal Science suggests.

Psychology experiments showed that people presented with difficult questions began to think of computers.

When participants knew that facts would be available on a computer later, they had poor recall of answers but enhanced recall of where they were stored.

The researchers say the internet acts as a "transactive memory" that we depend upon to remember for us.

Lead author Betsy Sparrow of Columbia University said that transactive memory "is an idea that there are external memory sources - really storage places that exist in other people".

"There are people who are experts in certain things and we allow them to be, [to] make them responsible for certain kinds of information," she explained to BBC News.

Co-author of the paper Daniel Wegner, now at Harvard University, first proposed the transactive memory concept in a book chapter titled Cognitive Interdependence in Close Relationships, finding that long-term couples relied on each other to act as one another's memory banks.

"I really think the internet has become a form of this transactive memory, and I wanted to test it," said Dr Sparrow.


"This suggests that for the things we can find online, we tend to keep it online as far as memory is concerned - we keep it externally stored," Dr Sparrow said.

She explained that the propensity of participants to remember the location of the information, rather than the information itself, is a sign that people are not becoming less able to remember things, but simply organising vast amounts of available information in a more accessible way.

"I don't think Google is making us stupid - we're just changing the way that we're remembering things... If you can find stuff online even while you're walking down the street these days, then the skill to have, the thing to remember, is where to go to find the information. It's just like it would be with people - the skill to have is to remember who to go see about [particular topics]."

Monday, July 18, 2011

Analysis of the JailBreakMe v3 Font Exploit

Two weeks ago, comex released the third version of jailbreakme. Two exploits are used to jailbreak Apple devices by opening a PDF file in the MobileSafari browser: initial code execution is obtained through a vulnerability in the Freetype Type 1 font parser, allowing subsequent exploitation of a kernel vulnerability to disable code signing enforcement, get root privileges and "install" the jailbreak. The same kernel vulnerability is also exploited at each reboot to provide an untethered jailbreak, using the Incomplete Codesign technique to bootstrap the kernel exploit. The two vulnerabilities (and another Freetype vulnerability not used by jailbreakme) were patched with the release of iOS 4.3.4.


The jailbreakers claim to be back in already. By all reports, the latest jailbreak doesn't work for iPad2 users, and it can't be done simply by visiting a website. You need to plug your device in to a computer, in what's called a "tethered" jailbreak, and you need to re-jailbreak it every time you reboot. Nevertheless, Apple's latest security fix has been circumvented already.

Saturday, July 16, 2011

How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History

Via Wired's Threat Level Blog (July 11, 2011) -

It was January 2010, and investigators with the International Atomic Energy Agency had just completed an inspection at the uranium enrichment plant outside Natanz in central Iran, when they realized that something was off within the cascade rooms where thousands of centrifuges were enriching uranium.
Natanz technicians in white lab coats, gloves and blue booties were scurrying in and out of the “clean” cascade rooms, hauling out unwieldy centrifuges one by one, each sheathed in shiny silver cylindrical casings.

Any time workers at the plant decommissioned damaged or otherwise unusable centrifuges, they were required to line them up for IAEA inspection to verify that no radioactive material was being smuggled out in the devices before they were removed. The technicians had been doing so now for more than a month.

Normally Iran replaced up to 10 percent of its centrifuges a year, due to material defects and other issues. With about 8,700 centrifuges installed at Natanz at the time, it would have been normal to decommission about 800 over the course of the year.

But when the IAEA later reviewed footage from surveillance cameras installed outside the cascade rooms to monitor Iran’s enrichment program, they were stunned as they counted the numbers. The workers had been replacing the units at an incredible rate — later estimates would indicate between 1,000 and 2,000 centrifuges were swapped out over a few months.

The question was, why?

Iran wasn’t required to disclose the reason for replacing the centrifuges and, officially, the inspectors had no right to ask. Their mandate was to monitor what happened to nuclear material at the plant, not keep track of equipment failures. But it was clear that something had damaged the centrifuges.

What the inspectors didn’t know was that the answer they were seeking was hidden all around them, buried in the disk space and memory of Natanz’s computers. Months earlier, in June 2009, someone had silently unleashed a sophisticated and destructive digital worm that had been slithering its way through computers in Iran with just one aim — to sabotage the country’s uranium enrichment program and prevent President Mahmoud Ahmadinejad from building a nuclear weapon.

But it would be nearly a year before the inspectors would learn of this. The answer would come only after dozens of computer security researchers around the world would spend months deconstructing what would come to be known as the most complex malware ever written — a piece of software that would ultimately make history as the world’s first real cyberweapon.


Definitely the best write-up on Stuxnet thus far. It is hard to believe that it has been just about a year since its public discovery.

A Malware Anniversary to Remember (by Liam O Murchu)

Backgrounder: Lashkar-e-Taiba (LeT)


The Indian government has often accused the group Lashkar-e-Taiba (LeT) of terrorist attacks, including the November 2008 deadly assault in Mumbai that killed nearly two hundred people and injured more than three hundred. LeT is among several banned Pakistani militant groups that experts say received backing from Pakistan's intelligence agency, the ISI, to fight in Indian-administered Kashmir. Analysts say the group continues to operate freely inside Pakistan under a different name and has now become a global terrorist organization.

Friday, July 15, 2011

Symantec: A Look Inside Targeted Email Attacks

Via Symantec Über Security Response Blog -

The number of targeted attacks has increased dramatically in recent years. Major companies, government agencies, and political organizations alike have reported being the target of attacks. The rule of thumb is that the more sensitive the information an organization handles, the higher the possibility of becoming a victim of such an attack.

Here, we’ll attempt to provide insight on a number of key questions related to targeted attacks, such as where did the malicious email come from, which particular organizations are being targeted, which domains (spoofed or not) sent the email, what kinds of malicious attachments did the emails contain, etc. Our analysis of the data showed that, on average, targeted email attacks are on the rise:


Three out of the top 10 are governmental agencies. Among the remaining seven organizations, four have strong ties to either local or international governmental bodies. Two organizations (in sixth and tenth position) are not under governmental control; however, their business operations are heavily regulated and may be influenced by governmental organizations.

Governmental organizations are obviously targeted for their politically sensitive information. But why target NPOs and private companies? It’s a foot-in-the-door technique. By compromising those companies with strong ties to government agencies, attackers may acquire contact information for government personnel and craft their next attack around that stolen information.

In one particular organization, ranked 7th on our most targeted list, we observed the following:
  • Forty-one people received 10 or more emails, making up 98% of the total attack emails sent to that organization.
  • The remaining 2% of emails were targeted at 13 others, resulting in an average of less than two emails per person.
This clearly indicates that certain individuals are targeted more than others, probably because of their profile or particular status within the organization. In this organization, the President, Vice President, Directors, Managers, and Executive Secretary were all targeted. All of their profiles—including email addresses and job titles—are publicly available, which is most likely how malicious attackers got hold of their information in the first place.

Having said that, targeting the top-ranking personnel in an organization is not a “must” for attackers; often, targets are likely to include P.A.s as well as I.T. staff (who often have administrative rights on the target infrastructure). Once the attacker successfully infects or compromises one machine in the organization, they then have the potential to compromise other machines or devices on the same network. This may enable the attackers to harvest further contact information (belonging to other organizations) along the way, which leads to future attacks against different entities—the attackers just need that initial foot in the door.


In summary:

  • On average, targeted email attacks increased during the two-year period we looked at.
  • The more sensitive the information that an organization handles, the higher the probability of becoming a victim of such an attack.
  • The government/public sector is the most targeted industry.
  • A small percentage of people receive the bulk of the emails.
  • The attachments of choice are .pdf and .doc, making up a combined 67% of all targeted email attachments.
  • Some targeted attacks can be extremely well crafted and quite convincing.
  • Certain organizations and companies make for more attractive targets than others.
  • The people who work for these “higher value targets” need to take extra special care when dealing with emails that contain attachments or links.

Wednesday, July 13, 2011

Microsoft: Mitigating Software Vulnerabilities

This whitepaper describes how exploit mitigation technologies can help reduce or eliminate risk, prevent attacks and minimize operational disruption due to software vulnerabilities. The whitepaper explores the exploit mitigation technologies provided by Microsoft and also provides a business case for the value of these technologies. The concept of an exploit mitigation is then solidified by introducing the fundamental tactics and technologies that are used to break exploitation techniques. This information forms the basis for providing guidance on how software development teams and IT administrators can use these technologies to protect the applications they develop and deploy.

Tuesday, July 12, 2011

Mexico Arrests US-Born Man Linked to Tijuana Drug Cartel

Via VOA News -

Mexican federal police say they have captured a U.S.-born man tied to Mexico's Arellano Felix drug cartel, also known as the Tijuana cartel.

Officials say 33-year-old Armando Villarreal Heredia, known as “El Gordo”, was taken into custody Saturday in the northern Mexican city of Hermosillo, the capital of Sonora state. Authorities have accused the San Diego native of trafficking drugs from Mexico's northern state of Sinaloa into the United States. The U.S. also wants him on federal conspiracy and racketeering charges.

Investigators have linked him to Fernando Sanchez Arellano, a leader in the cartel, which has been weakened in recent years. Sanchez is a nephew of the Arellano Felix brothers for whom the cartel is named. Many of the brothers have either been arrested or killed.


Charges against him include conspiracy, money laundering, drug trafficking and organized crime.


In July 2010, the US Justice Department named the then 32-year-old Armando Villarreal Heredia in a criminal complaint as a participant in a federal racketeering (RICO) conspiracy.

Saturday, July 9, 2011

STS-135: The Last Shuttle Mission

(Image Credit: NASA/Bill Ingalls)

This image of space shuttle Atlantis was taken shortly after the rotating service structure was rolled back at Launch Pad 39A, Thursday, July 7, 2011.


NASA's last-ever Space Shuttle mission is now being carried live on's Mission Control - Live Space Shuttle STS-135 mission audio mixed with ambient & space music.

And be sure to check out NASA TV for live video coverage.

For even more geekness, users of Google Earth can track the shuttle in orbit in real-time!

CERN Launches Open Hardware initiative

Geneva, 7 July 2011. Four months after launching the alpha version, CERN has today issued version 1.1 of the Open Hardware Licence (OHL), a legal framework to facilitate knowledge exchange across the electronic design community.

In the spirit of knowledge and technology dissemination, the CERN OHL was created to govern the use, copying, modification and distribution of hardware design documentation, and the manufacture and distribution of products. Hardware design documentation includes schematic diagrams, designs, circuit or circuit-board layouts, mechanical drawings, flow charts and descriptive texts, as well as other explanatory material.

Version 1.0 of the CERN OHL was published in March 2011 on the Open Hardware Repository (OHR), the creation of electronic designers working in experimental-physics laboratories who felt the need to enable knowledge-exchange across a wide community and in line with the ideals of "open science" being fostered by organizations such as CERN.


"The CERN OHL is an exciting achievement, with the potential of being the lead licence for new hardware projects, like the GNU GPL has been for free software," said Alessandro Rubini, Free Software developer and co-author of "Linux Device Drivers".

"Version 1.1 integrates feedback received from the community in order to follow generally accepted principles of the free and open source movements," said Ayass, "and purports to make the CERN OHL even more easily usable by entities other than CERN".

"By sharing designs openly," said Serrano, "CERN expects to improve the quality of designs through peer review and to guarantee their users - including commercial companies - the freedom to study, modify and manufacture them, leading to better hardware and less duplication of efforts."

"CERN efforts to build an ecosystem for Open Hardware certainly bode well for more Freedom in the digital space," said Carlo Piana, Digital liberties advocate and General Counsel of the Free Software Foundation Europe (FSFE).

Friday, July 8, 2011

Identifying Slow HTTP Attack Vulnerabilities on Web Applications

Via Qualys Security Labs -

Slow HTTP attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an http request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service.

These types of attack are easy to execute because a single machine is able to establish thousands of connections to a server and generate thousands of unfinished HTTP requests in a very short period of time using minimal bandwidth.

Due to implementation differences among various HTTP servers, two main attack vectors exist:
  • Slowloris: Slowing down HTTP headers, making the server wait for the final CRLF, which indicates the end of the headers section; 
  • Slow POST: Slowing down the HTTP message body, making the server wait until all content arrives according to the Content-Length header; or until the final CRLF arrives, if HTTP 1.1 is being used and no Content-Length was declared.
The scary part is that these attacks can just look like requests that are taking a long time, so it's hard to detect and prevent them by using traditional anti-DoS tools.
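Because these attacks look like ordinary requests that happen to take a long time, a per-source view of request duration in the access log is one place the pattern does surface. The following is an added example, not code from the Qualys post or its authors; it assumes Apache's combined LogFormat extended with %D (request duration in microseconds) and a server that answers a stalled header read with a 408, as mod_reqtimeout does; the log lines and the thresholds are constructed for illustration.

```python
"""Flag sources of slow HTTP requests (Slowloris-style header stalls, slow POST
bodies) in an Apache access log.

Assumed log format (combined format plus a trailing %D, in microseconds):
    LogFormat "%h %l %u %t \"%r\" %>s %b %D" timing
Assumed server behaviour: a header read that exceeds the configured timeout is
answered with 408, and the request line is logged as "-" if it never completed.
"""
import re
from collections import defaultdict

# %h %l %u %t "%r" %>s %b %D
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<usec>\d+)$'
)

# Constructed sample: 198.51.100.7 holds connections open for ~40 s without
# finishing its headers (408s) and trickles two POST bodies in over ~35 s;
# 203.0.113.5 is ordinary browsing; 203.0.113.9 is one legitimately long
# download that must not be flagged on its own.
SAMPLE_LOG = """\
198.51.100.7 - - [08/Jul/2011:10:00:41 +0000] "GET / HTTP/1.1" 408 - 40000215
198.51.100.7 - - [08/Jul/2011:10:00:41 +0000] "-" 408 - 40000198
198.51.100.7 - - [08/Jul/2011:10:00:42 +0000] "GET / HTTP/1.1" 408 - 40000340
198.51.100.7 - - [08/Jul/2011:10:00:42 +0000] "-" 408 - 40000077
198.51.100.7 - - [08/Jul/2011:10:00:43 +0000] "GET / HTTP/1.1" 408 - 40000122
198.51.100.7 - - [08/Jul/2011:10:00:43 +0000] "-" 408 - 40000501
198.51.100.7 - - [08/Jul/2011:10:01:05 +0000] "POST /login HTTP/1.1" 200 512 35120044
198.51.100.7 - - [08/Jul/2011:10:01:06 +0000] "POST /login HTTP/1.1" 200 512 35098711
203.0.113.5 - - [08/Jul/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1532 12345
203.0.113.5 - - [08/Jul/2011:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 804 2210
203.0.113.5 - - [08/Jul/2011:10:00:02 +0000] "GET /logo.png HTTP/1.1" 200 20481 5602
203.0.113.9 - - [08/Jul/2011:10:00:30 +0000] "GET /downloads/iso HTTP/1.1" 200 734003200 25400012
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ip": d["ip"],
        "req": d["req"],
        "status": int(d["status"]),
        "bytes": 0 if d["bytes"] == "-" else int(d["bytes"]),
        "usec": int(d["usec"]),
    }


def analyze(log_text, slow_usec=20_000_000, min_slow=5):
    """Group requests by client address and flag sources with many slow requests.

    A request counts as slow when the server spent at least `slow_usec` on it.
    Header stalls show up as 408s (often with no request line) once the header
    timeout fires; slow POSTs may finish with a 200 but still take far longer
    than the application normally needs.  `min_slow` keeps a single large
    download from tripping the rule; tune both values to the site's own traffic.
    """
    per_ip = defaultdict(lambda: {"total": 0, "slow": 0, "timeouts": 0, "incomplete": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["total"] += 1
        if rec["usec"] >= slow_usec:
            stats["slow"] += 1
        if rec["status"] == 408:
            stats["timeouts"] += 1
        if rec["req"] == "-":
            stats["incomplete"] += 1
    return {ip: s for ip, s in per_ip.items() if s["slow"] >= min_slow}


def report(flagged):
    """Render one line per flagged source, worst offender first."""
    lines = []
    for ip, s in sorted(flagged.items(), key=lambda kv: -kv[1]["slow"]):
        lines.append(
            f"{ip}: {s['slow']}/{s['total']} slow requests, "
            f"{s['timeouts']} header timeouts (408), {s['incomplete']} with no request line"
        )
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run against a real log, the thresholds need calibrating against the site's own long-running requests (uploads, large downloads) before the output is treated as anything more than a lead.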

FBI: Employee Passed Chicago Mercantile Exchange Secrets to China

Via -

A 10 year employee of CME Group in Chicago is alleged to have stolen trade secrets and proprietary source code used to run trading systems for the Chicago Mercantile Exchange, according to a criminal complaint filed in U.S. District Court in Illinois.

The complaint, dated June 30, 2011 and signed by FBI Special Agent Joanne Cullinan, alleges that Chunlai Yang, 49, downloaded "thousands of files" containing "source code and proprietary algorithms" used by CME to run its trading systems. The files were downloaded from a company-owned source code repository maintained by CME to Yang's work computer, then copied to removable "thumb" drives. The complaint also cites personal e-mail correspondence between Yang and an official in China that contained proprietary CME information.


Yang was born and educated in China, but received his Ph.D in physics in the U.S and is a naturalized U.S. citizen. He had been working at CME since 2000.


Forensic analysis of his hard drive and active monitoring of his activities suggest that Yang was perusing CME's ClearCase source code repository for sensitive documents, then offloading them to portable media. The evidence against him includes screen captures showing Yang in the act of copying source code files to removable drives from his laptop.

Evidence presented in the complaint, including e-mail messages, suggests that Yang was preparing to leave CME and set up a new company, East China Technology Innovation Park Co. Ltd., in mainland China, with Yang and two other individuals listed as sole directors and shareholders. The purpose of the company, according to e-mail messages obtained by CME, was to increase the trading volume at the Zhangjiagang chemical electronic trading market and build a futures exchange using software provided by Yang's new company.

Thursday, July 7, 2011

Phishers’ World in Your Cell Phone

Via Symantec Uber Security Response Blog -

Technologies in cell phones are advancing day after day, and so phishers are also seeking various means to exploit vulnerable cell phone users. The two key areas in which we can see this trend are, firstly, the increase in phishing against wireless application protocol (WAP) pages, and secondly, the use of compromised domain names that have been registered for mobile devices.

Many legitimate brands have designed their websites for cell phones or WAP pages. The difference between a WAP page and a regular Web page is that the WAP page uses reduced file sizes and minimal graphics. This is done for cell phone compatibility and also to achieve higher browsing speeds while the user is on the move. Symantec has recorded phishing sites spoofing such Web pages and has monitored the trend. In June, social networking and information services brands were observed in these phishing sites. In the example shown below, the phishing page consists of nothing more than a form asking for users’ credentials. (This is a typical design created for cell phones.) When a victim enters the required information, the phishing page is redirected to the WAP page of the legitimate brand. The phishing site in this case was hosted on a free Web hosting site.


The domain names used for websites accessed by mobile devices commonly have a “.mobi” top level domain (TLD). These domain names are compromised and utilized by phishers to host several phishing sites. Over the past six months, about 65 percent of these phishing sites spoofed brands from the banking sector, whereas 19 percent were from the e-commerce sector and the remaining were from the ISP, social networking, and information services sectors.

The primary motive of phishers in these attacks continues to be identity theft. Targeting cell phone users is just part of a new strategy for achieving the same result.


In January 2011, Trusteer, makers of the Rapport security software, gained access to the log files of several web servers that were hosting phishing websites. Analysis of these logs yields some interesting insight:
  1. Mobile users are the first to arrive at the phishing website
  2. Mobile users accessing phishing websites are three times more likely to submit their login info than desktop users
  3. Eight times more iPhone users accessed these phishing websites than Blackberry users
While the data obtained by Trusteer is quite limited in scope, it does seem to reinforce the concern expressed by Symantec above – mobile phone users are as susceptible (likely more susceptible) to phishing as desktop users.

Compound that idea with the current lack of mobile phone security suites in general use (e.g. Anti-virus, Anti-phishing, etc) and you have a massive unprotected userbase which is more likely to act in a dangerous manner when mobile.

Wednesday, July 6, 2011

Canada Officially Lists Pakistan Taliban as Terrorist Organization

Via The Globe and Mail (July 5, 2011) -

The group has claimed responsibility for many suicide attacks in Pakistan and on a CIA base in Afghanistan, as well as the attempted bombing of New York's Times Square in May 2010.

[The Canadian] Public Safety Minister Vic Toews says the threat of terrorism is “real, persistent, and evolving” and that authorities must “remain vigilant in confronting it.”

The minister calls the listing under Canada's Criminal Code an essential part of Canada's efforts to combat terrorism and “keep our communities safe.”

He says the Pakistani Taliban meets the legal threshold, which requires reasonable grounds to believe it has “knowingly participated in or facilitated a terrorist activity or is knowingly acting on behalf of, at the direction of, or in association with such an entity.”

The listing enables authorities to prosecute supporters of terrorism and plays a key role in countering the financing of terrorist activities.

For example, the listing prohibits people in Canada as well as every Canadian abroad from knowingly dealing with assets owned or controlled by the Pakistani Taliban.

It is also an offence to knowingly participate in, contribute to, or facilitate certain activities of a listed entity. Other related offences are set out in the Criminal Code.

The Pakistani Taliban is not directly affiliated with the original Afghan Taliban, which controlled Afghanistan from 1996 to 2001, sheltered al-Qaeda terrorists and supported terrorist training.

Several years ago, Mullah Omar, leader of the Afghan Taliban, asked Tehrik-i-Taliban Pakistan to support the war in Afghanistan.

Pakistani Taliban leaders agreed to put aside their differences to help counter increasing numbers of U.S. troops in Afghanistan. They reaffirmed their allegiance to Mullah Omar and to Osama bin Laden.

The group has almost exclusively targeted elements of the Pakistani state, though its leaders said in April 2010 they would make U.S. cities a “main target” in response to U.S. drone strikes across the Afghan-Pakistan border.


On September 1, 2010 the United States designated the TTP as a Foreign Terrorist Organization (FTO) and identified Hakimullah Mehsud and Wali ur-Rehman as "specially designated global terrorists."

Tuesday, July 5, 2011

Australian Department of Defence - iOS Hardening Configuration Guide

June 2011

This guide is for users and administrators of iOS 4.3.3 or later devices. These devices include the iPod Touch, iPhone and iPad. To use this guide, you should be:

  • familiar with basic networking concepts;
  • an experienced Mac OS X or Windows administrator; and
  • familiar with the Mac OS X or Windows interface.

Parts of this guide refer to features that require the engagement of the technical resources of your telephony carrier, firewall vendor, or Mobile Device Management vendor. While every effort has been made to ensure content involving these third party products is correct at the time of writing, you should always check with these vendors when planning an

Additionally, mention of third party products is not a specific endorsement of that vendor over another; they are mentioned as illustrative examples only.

Some instructions in this guide are complex, and could cause serious effects to the device, your network and your agency’s security posture. These instructions should only be used by experienced administrators, and should be used in conjunction with thorough testing.

Finally, for further clarification or assistance, IT Security Advisors of Australian government agencies can consult the Defence Signals Directorate by email or via the DSD Cyber Hotline on 1300 CYBER1 (1300 292 371).

Al-Shabaab Member Brought to US to Stand Trial

Via -

A member of the al-Shabaab terror group in Somalia was secretly brought to the U.S. early Tuesday to stand trial in federal court, after spending weeks giving the U.S. "valuable intelligence information" about al-Qaeda's operations in both Somalia and Yemen, senior U.S. officials said.

Ahmed Abdulqadir Warsame, a native of Somalia, was arrested April 19 in the Persian Gulf region by the U.S. military and kept on a Navy ship at sea where he was questioned by a team of U.S. interrogators.

"He gave us very valuable intelligence," one official said. The officials declined to say where the arrest took place.

Administration officials said Warsame was in a special position to reveal details about al-Qaeda's operations in both Somalia and Yemen. They describe him as a go-between for the two groups and said he spent the past year in Yemen.

"The information he provided has been used to get a better understanding of what we're up against" involving Al-Qaeda in Yemen, one official said.

The officials said Warsame was questioned for two months before he was given a Miranda warning about his right to remain silent.

"After waiving those rights, he spoke to law enforcement agents for several days," the Justice Department said, and then his cooperation stopped.

Warsame was brought to New York City early Tuesday morning and appeared later in the day before a federal judge in Manhattan to face terrorism charges. He's accused of providing money, weapons, advice and training to the two terrorist groups. He faces a mandatory life sentence if convicted. Nothing in the charges suggests that he had any direct role in specific al-Qaida plots.

"He would teach and demonstrate the making and use of explosives and destructive devices," according to an indictment filed under seal and made public Tuesday.

Many members of Congress have been critical of the Obama administration for bringing terror suspects to the U.S. to stand trial, instead of declaring them enemy combatants and trying them before military commissions. The officials said the decision to bring him to the U.S. to stand trial in a civilian court was unanimous among federal agencies, including the Defense Department.


In January 2009, Al-Qaeda in Yemen (AQY) merged with Al-Qaeda in Saudi Arabia to form Al-Qaeda in the Arabian Peninsula (AQAP).

In late June 2011, it was reported that a U.S. drone aircraft fired on two senior members of al-Shabaab, a militant Somali organization tied to al-Qaeda, allegedly killing at least one midlevel operative and wounding others.

The airstrike makes Somalia at least the sixth country where the United States is using drone aircraft to conduct lethal attacks, joining Afghanistan, Pakistan, Libya, Iraq and Yemen.

Mexico Arrests 'Top Leader of Zetas Drug Gang'

Via BBC News (July 4, 2011) -

Mexican police have arrested a leader of the feared Zetas drug gang, Jesus Enrique Rejon Aguilar. Mr Rejon is alleged to be the third in command of the Zetas, a drug gang formed by former Mexican special forces soldiers.

He is suspected of involvement in various crimes and is being linked to the murder of US immigration agent Jaime Zapata, officials said. But officials gave no specific details of that alleged link.

Mexico's public security ministry said Mr Rejon, known as El Mamito, had been arrested in Atizapan de Zaragoza, in Mexico State, on Sunday "without a shot being fired".

A police officer with him was also detained, and officers recovered weapons, money, various documents and communication equipment.

A ministry statement said Mr Rejon was a founding member of the Zetas and one of the most wanted criminals in the country, sought by both the Mexican and US governments.

The United States has offered a reward of up to five million dollars for information leading to his arrest and possible conviction.

But the BBC's Mexico City correspondent, Julian Miglierini, notes that Mr Rejon did not figure in a list of the top 37 criminals which the Mexican authorities issued two years ago.


Jesús Enrique Rejón Aguilar, a.k.a: El Mamito (Pretty Boy)


Texas Warns US Tourists Against Travel to Nuevo Laredo, Due to Zetas Threat (July 3, 2011)
The authorities in Texas have warned United States citizens not to travel to a Mexican border city over the 4 July holiday weekend because of the threat posed by a major drugs cartel. The Texas Department of Public Safety said in a statement that it had "credible intelligence" that the Zetas cartel was specifically planning to target US citizens in Nuevo Laredo.

The threats, it said, ranged from robberies to extortion and car-theft. "Multiple sources" had tipped it off. "We urge US citizens to avoid travel to Nuevo Laredo this weekend if it can be avoided," said the department's director, Steven McCraw. The department also said the sheriff's office from Webb County, on the other side of the border from Nuevo Laredo, had received similar intelligence.

Monday, July 4, 2011

Al-Qaida's Top-tier Communications Forum Restored After Apparent Hack

It would seem Al-Qaida's top-tier communications forum, al-Shamukh, has been restored. It has been unavailable for just about a week, due to a suspected government-based hack.

Evan Kohlmann, of Flashpoint Global Partners, posted the following tweets (@IntelTweet) today:

Al-Qaida's top-tier communications forum, al-Shamukh, has been restored and is now re-open for registered users following an apparent hack.

A message posted by Shamukh administrators boasted that the forum has been restored "despite the determination and cunning of our enemies."

I would strongly discourage curious readers from searching or accessing these forums, however for those interested in these very serious Jihadi forums, I would suggest checking out Internet-Haganah. This blog monitors and tracks activity on these top forums and has been on my CT related RSS feeds for many years.

Sunday, July 3, 2011

Three U.S. National Labs Attacked on July 1

Via Digital Dao (Jeffery Carr) -

On July 1, 2011, Battelle Memorial Institute suffered a "sophisticated" attack against its network which also impacted Pacific Northwest National Lab and one other lab which wasn't named. Both PNNL and Battelle shut down their email servers and their Internet access as a precaution. As of 0200 03JUL2011, Battelle's website was still down ( while was functioning normally. Oak Ridge National Lab suffered a similar attack on April 11 which involved a spear phishing email with a human resources related theme that exploited a 0-day in the IE browser. Battelle manages several Department of Energy labs including:
  • Brookhaven National Laboratory
  • Idaho National Laboratory
  • National Renewable Energy Laboratory
  • Oak Ridge National Laboratory
  • Pacific Northwest National Laboratory
  • Lawrence Livermore National Laboratory
EMC's RSA SecurID division was compromised in a similar way in early March, 2011 via a spear phishing attack with an HR-related theme. In RSA's case it exploited an Adobe Flash 0-day. While Battelle and its managed national labs are all RSA SecurID customers, there is no publicly available information on the ORNL, PNNL, or Battelle attacks which suggests that the SecurID breach played a role at this time.


It is pretty well known that APT actors like to take advantage of long holiday weekends.

It shouldn't come as a surprise APT actors would target National Labs, as they are heavily involved in classified scientific research - impacting the DoD, DoE, and other agencies. The data would be of significant strategic interest to other nation-states.

Saturday, July 2, 2011

Bin Laden Document Trove Reveals Strain On Al-Qaeda

Via The Washington Post -

Toward the end of his decade in hiding, Osama bin Laden was spending as much time exchanging messages about al-Qaeda’s struggles as he was plotting ways for the terrorist network to reassert its strength.

Over the past year, the al-Qaeda leader fielded e-mails from followers lamenting the toll being taken by CIA drone “explosions” as well as the network’s financial plight, according to U.S. officials who have completed an exhaustive review of the trove of bin Laden files collected at his compound after the May 2 U.S. raid that killed him.

Bin Laden approved the creation of a counterintelligence unit to root out traitors and spies, only to receive a complaint in mid-2010 from the unit’s leader that it was losing the “espionage war” and couldn’t function on its paltry budget.


Analysts at the CIA and other agencies are likely to continue poring over the bin Laden files for years. But the multi-agency task force that was set up to review what officials have described as the largest cache of terrorism records recovered to date finished its job and was disbanded last month.

“We believe the materials will continue to yield new insights on al-Qaeda for years to come,” said a U.S. counterterrorism official familiar with the task force’s work. “But the task force is done.”

The group produced more than 400 intelligence reports in a span of six weeks and prompted public warnings of al-Qaeda plots against trains and other targets. U.S. officials said the findings also triggered a small number of operations overseas, including arrests of suspects who are named or described in e-mails that bin Laden received.

But officials said that the main value of the data is in enabling analysts to construct a more comprehensive portrait of al-Qaeda and that many of the most recent files found on bin Laden’s computers depict an organization beset by mounting problems even as its leader remained singularly focused on delivering a follow-up to the Sept. 11, 2001, strikes.

“The trove makes it clear that bin Laden’s primary goal — you can call it an obsession — was to attack the U.S. homeland,” said a senior U.S. counterterrorism official. “He pushed for this every way he could.”


Bin Laden’s messages were mostly composed on computers, then smuggled out on small disks or thumb drives by couriers, who would then copy the contents into e-mails that could be sent securely to followers — whether they were mere miles from bin Laden’s compound or overseas.

The analytic task force was based at a CIA facility in Northern Virginia. Officials declined to disclose the current location of the more than 15 computers and 100 storage devices recovered from the bin Laden compound, except to say that they are in FBI custody.

Friday, July 1, 2011

Spam Profits Down, Cybercrooks Flock to Targeted Attacks

Via -

A new report from Cisco Systems Inc. analyzing illegal activities from spammers and other online scams suggests that cyber criminals are abandoning large spam runs and indiscriminate attacks in search of higher profits doing targeted hacks.

The findings of the report, released at a press and analyst event on Thursday, suggest a precipitous drop in revenue generated by mass spam- and phishing attacks of the last five years, and a shift to lower volume, but more profitable targeted attacks, according to the report.

Cisco estimated that worldwide revenue from high volume spamming has decreased by more than two thirds since last year, from $1 billion a year ago to just $300 million today. During the same period, revenue from scams and other malicious attacks has quadrupled from $50 million to around $200 million, the company reported.


Targeted attacks are a subset of spam and share many characteristics with mass spam runs, including the use of e-mail messages containing malicious file attachments or Web links. However, targeted attacks rely on extensive planning and research on the likely recipients of the e-mail. Time is taken to craft e-mail messages that seem to be from legitimate sources and directed to the recipient.

Targeted spam runs are far smaller than mass spam runs, but have similar block rates. The key difference is a far higher conversion rate among the few users who end up seeing the targeted e-mails. Fully 70% of those who see a targeted e-mail message opened it, Cisco data suggests, and 50% of those clicked through to the malicious Web page or attachment and were "converted."

The average value per victim, for attackers, can be 40 times that of a mass attack and the profit from a spearphishing campaign can be 10 times that of a high volume spam run, Cisco said.


In the current security landscape and marketing hype, it can be difficult to remember that not every attack is an APT, even if that attack is very well planned and executed and has the objective of obtaining data to facilitate or improve future cybercrime / fraud.

A quote on targeted attacks from McAfee's 2011 Threat Predictions whitepaper (PDF)...
"Not all APT attacks are highly advanced and sophisticated, just as not every highly complex and well-executed targeted attack is an APT."
So why would standard cybercriminals want to improve their attacks? For the same reason anyone wants to improve a process - to do it cheaper and to make it more profitable. The new Cisco report above shows just how profitable a little improvement can be for the bad guys.

So how are they improving? By going for quality over quantity and improving the social engineering aspects of their attacks with better aim - increasing the likelihood that the victim will bite the bait.

In Nov 2010, Return Path Inc. issued a warning to their ESP (Email Service Provider) partners...
Over the course of the past five weeks, spam campaigns have been aimed at the staff members of over 100 ESPs and gambling sites. These targets have received emails typically with content that mentions the staffer by name, and purports to be from a couple, presumably friends or co-workers.

The phish message has been sent numerous times, over several different systems, including using the facility of some ESPs, using online greeting card sites, and by way of a botnet. Sources confirm the list of addresses is very small (less than 3,000 addresses) and aimed 100% at staff responsible for email operations.


This is an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems. Further, the potential consequences should ESP client mailing lists be compromised at this time of the year are unimaginable.

What better way to improve than stealing the customer mailing list for Company X, spending a small amount of time crafting a fake e-mail from Company X and then sending it specifically to their customers, who are already expecting an e-mail from Company X? Brilliant!

It's spear-phishing (or spear-spamming) by group, as opposed to by individual. The attacker could take it one step further, depending on the stolen data obtained, and include each person's first and last name, perhaps even part of their loyalty number.

The better the information obtained before the attack (e.g. intelligence), the more targeted the attack can be...and thus more effective (and profitable). It's simple economics.

iJAVA: JAVA Drive-by On Demand

Via Malware Intelligence -

JAVA is one of the most widely integrated computer technologies in the field of cybercrime because of its status as a "hybrid". This turns the Java platform into a highly exploited vector for the spread of all types of malicious code.

Even modern crimeware includes a battery of exploits created to target vulnerable versions of JAVA through Exploit Packs, and in fact, together with PDF files, exploits for JAVA are those with the highest success rate.

Now, drive-by is one of the most widely used techniques to propagate and automate the process of infection via the web, especially through websites that promise streaming video or use similar visual social engineering strategies. Combining this methodology with JAVA simply results in a Java Drive-by, which is technically the same but uses the JAVA language and resources.


iJAVA is an On Demand generator (Java Drive-by Generator) of Arab origin. Since its first version it has had very good acceptance in the area of cybercrime because it allows, in just a few clicks, creating a simple web page, linking customized malware to that page and automatically uploading the page, for example, to one of the free storage services. A dose of trivial visual social engineering, but unfortunately extremely effective.
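A defender-side check for the kind of page construction described above, added here as an example and not code from Malware Intelligence or from the iJAVA tool: it parses an HTML page (a constructed sample, with placeholder hostnames) for the `<applet>` and `<object>` elements that would load a Java applet, and flags those that pull the JAR from a host other than the page's own or that are sized to be invisible.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
JAVA_TYPES = ("application/x-java-applet", "application/x-java-bean")
# Constructed sample: a "video" lure page that quietly pulls JARs from another host.
SAMPLE_PAGE = """<html><body>
<applet code="Player.class" archive="http://files.example/player.jar" width="1" height="1"></applet>
<object type="application/x-java-applet" width="1" height="1">
  <param name="archive" value="http://files.example/drop.jar">
</object>
<object data="intro.swf" type="application/x-shockwave-flash" width="400" height="300"></object>
</body></html>"""
def _is_tiny(a):  # 1x1 or 0x0 elements are meant to be invisible to the visitor
    return a.get("width") in ("0", "1") and a.get("height") in ("0", "1")

class JavaLoaderScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.loaders = []   # one dict per applet-loading element
        self._obj = None    # attributes of the <object> currently open
    def _record(self, tag, a):
        self.loaders.append({"tag": tag, "archive": a.get("archive", ""), "tiny": _is_tiny(a)})
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "applet":
            self._record(tag, a)
        elif tag == "object":
            self._obj = a
        elif tag == "param" and self._obj is not None and a.get("name", "").lower() == "archive":
            self._obj["archive"] = a.get("value", "")   # Java's <object> form of the JAR URL
    def handle_endtag(self, tag):
        if tag == "object" and self._obj is not None:
            a, self._obj = self._obj, None
            if a.get("type", "").lower() in JAVA_TYPES or "archive" in a:
                self._record(tag, a)

def scan_page(html, page_host):
    """Return one (description, suspicious) pair per applet loader found on the page."""
    scanner = JavaLoaderScanner()
    scanner.feed(html)
    results = []
    for l in scanner.loaders:
        jar_host = urlparse(l["archive"]).hostname or page_host   # relative URL = same host
        reasons = []
        if jar_host != page_host:
            reasons.append("JAR fetched from foreign host " + jar_host)
        if l["tiny"]:
            reasons.append("applet sized to be invisible")
        desc = "<%s> %s: %s" % (l["tag"], l["archive"] or "(no archive)",
                                "; ".join(reasons) or "no indicator")
        results.append((desc, bool(reasons)))
    return results
```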