Wednesday, August 31, 2011

Dutch Site Claims Mozilla, Yahoo, Wordpress, Tor Project All Targets in Diginotar Certificate Theft

Via -

There are more signs that a July compromise of Diginotar, a certificate authority based in the Netherlands, may have been driven by political motives. A Dutch Web site,, reported on Wednesday that digital certificates belonging to Mozilla,, Wordpress and The Tor Project were among dozens reported stolen from Diginotar.

The story, based on information from a confidential source, fills in details about which other firms were among "dozens" that Diginotar and its parent company Vasco have admitted were victims of the break in. It also adds weight to speculation that the hack may have had links to the Iranian regime and may have had, as its goal, the surveillance and identification of political activists and bloggers within the country.

Vasco, Yahoo and The Tor Project didn't immediately respond to requests for comment from Threatpost.

The forged certificates could be used most easily in man in the middle attacks, allowing attackes to carry out very sophisticated spear phishing attacks using Web sites that would appear to be legitimate, said Chris Nutt, a principal consultant at Mandiant Inc. of Alexandria, Virginia.

"We align certificate authority hacks with attacking organizations who are encountering security at target organizations that they wish to work around," he told Threatpost. "These are the same types of people who would be interested in breaching a company like RSA."

In the case of Diginotar, there have been suggestions from the very first that the hack may have been directed by Iran. For one thing, the first reports about man in the middle attacks using forged Google certificates originated in Iran. A subsequent review of Diginotar's Web site found a page that was defaced with the name of an Iranian hacking group.

Attribution for the hack will probably never be determined. However, Nutt said that attacks of this caliber - involving a multi stage attack against sophisticated organizations - are often perpetrated by nation states. "This is consistent with other nation-state sponsored attacks," he said.


Writing on Securelist, the blog of Kaspersky Lab's research group, Kaspersky Lab Expert Roel Schouwenberg said that statements from the company about the extent of the breach don't add up. Among other things, Diginotar claims that the breach was limited to a "few dozen" rogue certificates, while Google has blocked more than 250 of them. The company, Schouwenberg adds, may not actually know how many rogue certificates were generated -either because no logs exist or because they were deleted after the attack was complete.

Assuming that the Diginotar attack has links to Iran's government, it could be an effort by supporters of the regime to monitor political dissidents within the country using compromised Web browsers, blogging software (Wordpress), by snooping on Web mail sessions (Yahoo and Google) or unravelling efforts to mask a user's identity using Tor and other anonymity services.


Nutt said the Diginotar hack, combined with those on RSA and the certificate authority Comodo are bound to prompt some soul searching among security professionals, governments and Internet governance groups.

"This is a serious trend. You're talking about attacking the foundational security mechanisms of the Internet. Two factor authentication and certificates are used everywhere, so this really shakes the confidence of the security mechanisms we have in place today," he said.

Mac OS X Can't Properly Revoke Dodgy Digital Certificates

Via PC World -

A programming glitch in Apple's OS X operating system is making it hard for Mac users to tell their computers not to trust digital certificates, exacerbating an ongoing security problem with a Dutch certificate authority that was recently hacked.

Mac users began reporting problems Tuesday when they tried to revoke digital certificates issued by DigiNotar, a Dutch company whose servers were compromised last month and used to issue fraudulent digital certificates. Mac users revoked the certificates on their computers, but still saw some sites that used those certificates being marked as trustworthy.

Digital certificates are an important part of the way the Internet works, and are essential whenever two computers try to connect using the HTTPS protocol. The problem is that Apple's operating system does not allow users to revoke DigiNotar certificates properly, and marks some websites as trustworthy when it shouldn't.


Most users don't revoke digital certificates themselves; they let the browser makers handle it. Chrome, Firefox and Internet Explorer have all blocked DigiNotar certificates, but Apple hasn't said what it plans to do with its Safari browser. That means that, for now, Mac Safari users will have a hard time solving the problem.

Ryan Sleevi, a software developer who has contributed to Google's Chrome project, noticed the issue too. After poking around the Mac OS X source code, though, he uncovered the cause. Users can revoke a certificate using Keychain, but if they happen to visit a site that uses the more-secure Extended Validation Certificates, the Mac will accept the EV certificate even if it's been issued by a certificate authority marked as untrusted in Keychain.

"When Apple thinks you're looking at an EV Cert, they check things differently," Sleevi said in an interview Wednesday. "They override some of your settings and completely disregard them."


It's troubling that such a basic component of Internet security could have such an obvious flaw on the Mac, several security experts said Wednesday. "In a real-world sense, it probably won't affect a lot of people, but for me it's a little bit troubling that the security advice on what you're supposed to do plain doesn't work," said Jeremiah Grossman, chief technology officer with WhiteHat Security.

Apple, which is often tight-lipped about anything to do with computer security, did not return messages Wednesday seeking comment.


Reason #101 not to use Safari, even on Mac OS X.

I personally use Chrome 13 and Firefox 7 Beta on my MBP. Google has already updated Chrome to deal with the DigiNotar incident. Mozilla has released new release versions of Firefox and will be fixing the issue in the beta versions (7) very soon.

STRATFOR: Reconstructing the Monterrey Arson Attack from Surveillance Footage

STRATFOR Vice President of Intelligence Fred Burton demonstrates how video surveillance footage is used to reconstruct the recent arson attack in Monterrey, Mexico.

Pakistani Government Warns ISPs to Block Encrypted Traffic / VPNs

Via Softpedia -

Pakistan's The Express Tribune reports that the Pakistan Telecommunication Authority (PTA) has sent warning notices to ISPs about the continuous use of encrypted virtual private networks.

"In line with [Monitoring & Reconciliation of International Telephone Traffic] Regulations 2010 and national security, Authority prohibited usage of all such mechanisms including encrypted virtual private networks (EVPNs) which conceal communication to the extent that prohibits monitoring. It is observed that the aforementioned directive has not been followed in true letter and spirit as EVPNs are heavily being used on the Licensees Network," reads a letter received by one ISP.

The new telecom law, which was adopted in July, is meant to make it harder for militants to use secure communications and easier for national security agencies to monitor them. Unfortunately, these regulations affect all Internet users in the country and if the government go as far as to block all forms of encryption, including HTTPS, they might have serious effects.

"The problem is that banning every sort of 'communications concealing' technology online would destroy the very fabric of the internet's law-abiding use. There would be no SSH, no SSL, no TLS, no HTTPS. There would be no Wi-Fi security. Online commerce would implode," writes Sophos security expert Paul Ducklin.

FireEye Advanced Threat Report 1H2011

Via FireEye Blog -

This report [PDF] really illuminates the sophistication of the new breed of cyber-attacks and the success cyber criminals are having penetrating today’s corporate networks. Based on 1H 2011 data, we found a significant gap in today’s enterprise IT defenses. After reviewing hundreds of thousands of infection cases, 99% of enterprises had malicious infections in their network. Plus, 80% of the enterprises facing more than a hundred new infections per week. The bottom line: Today’s existing traditional enterprise IT defenses are not keeping up with highly dynamic, multi-stage attacks that cyber-criminals now use to attack today’s enterprises and federal agencies. We highlight the top infections for 2011, and the (not-so-surprising) fact that attackers continue to rely on customized malicious code toolkits to develop and distribute their threats.


Key findings:
  • 99% of enterprise networks have a security gap despite $20B spent annually on IT security.
  • Successful attacks employ dynamic, “zero-day” malware tactics. 90% of malicious binaries and domains change in just a few hours; 94% within a day.
  • The fastest growing malware categories are Fake-AV programs and Info-stealer executables.
  • The “Top 50” of thousands of malware families generate 80% of successful malware infections.

Drug War Sparks Exodus of Affluent Mexicans

Via Washington Post -

For years, national security experts have warned that Mexico’s drug violence could send a wave of refugees fleeing to the United States. Now, the refugees are arriving — and they are driving BMWs and snapping up half-million-dollar homes.

Tens of thousands of well-off Mexicans have moved north of the border in a quiet exodus over the past few years, according to local officials, border experts and demographers. Unlike the much larger population of illegal immigrants, they are being warmly welcomed.

It goes counter to the conventional wisdom about the Mexican presence in the United States,” San Antonio Mayor Julian Castro said. The influx “is positive, it is entrepreneurial . . . and one of the keys to a very successful growing city like San Antonio.”

Castro estimates that Mexicans own at least 50,000 of the approximately 500,000 homes and apartments in his city of 1.3 million, which has a vibrant Hispanic culture. Many are in gated communities that have sprung up in the city’s sun-baked northern hills.

Affluent Mexicans have long visited the United States for business and shopping. What’s different now is that they are coming to stay, fleeing cartel wars that have left more than 37,000 Mexicans dead in four years, according to U.S. and Mexican officials and analysts. The number of investment visas granted to Mexicans has risen sharply over the past five years.

“It’s a very substantial flow; I would say probably the largest since the 1920s, the last great period of upheaval in Mexico,” said Henry Cisneros, a former mayor of San Antonio who served in President Clinton’s Cabinet. “We have whole areas of San Antonio that are being transformed.”

The size of the new wave is difficult to measure, since some of the new arrivals hold dual citizenship or U.S. work visas or already had American vacation homes. One Mexican think tank, the Security and Civic Culture Observatory, estimated last year that 230,000 people had fled the violence-wracked border city of Juarez, with half going across Mexico’s northern border.

But Aaron Terrazas, a policy analyst at the Washington-based Migration Policy Institute, found in a recent study that most of those fleeing Juarez appeared to be moving to other parts of Chihuahua state, not the United States. Still, Terrazas said he found a noticeable increase in one segment of those actually leaving Chihuahua: “the highly educated.”

Tuesday, August 30, 2011

DigiNotar Says Its CA Infrastructure Was Compromised

Via -

VASCO, the parent company of DigiNotar, says that the fraudulent certificate for Google's domains that the certificate authority issued was just one of many such bogus certificates it handed out in recent months, and blamed the growing scandal on an attack on its CA infrastructure.

In a statement responding to stories detailing the use of the fraudulent--but valid--wildcard certificate DigiNotar issued to an unknown third party for Google domains, VASCO officials said that the company became aware of the attack on its CA infrastructure on July 19, which is nine days after the Google certificate was issued. DigiNotar has stopped issuing certificates for the time being while it tries to figure out what happened.

"On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Once it detected the intrusion, DigiNotar has acted in accordance with all relevant rules and procedures," the statement says.

"At that time, an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. After being notified by Dutch government organization Govcert, DigiNotar took immediate action and revoked the fraudulent certificate."


Dark Reading: Digital Certificate Authority Hacked, Dozens Of Phony Digital Certificates Issued

But security experts say the problem is that if the fake certificates were used for man-in-the-middle attacks, the damage may already have been done. "This press release only has made me more worried about how much this may be just the tip of the iceberg," says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "The cert was only revoked yesterday afternoon EST."

Schouwenberg says DigiNotar's statement raises more questions. "The conducted audit does not inspire any confidence. How did they miss the Google cert? How did they miss the website hacks pointed out by F-Secure?" he says, referring to a F-Secure Mikko Hypponen's post today showing what appears to be evidence of Iranian hackers having broken into DigiNotar's servers, and one page by alleged Turkish hackers back in 2009.

Hyponnen weighed in on DigiNotar's statement as well. "It raises more questions than answers. Diginotar indeed was hacked, on the 19th of July, 2011. The attackers were able to generate several fraudulent certificates, including possibly also EVSSL certificates. But while Diginotar revoked the other rogue certificates, they missed the one issued to Google. Didn't Diginotar think it's a tad weird that Google would suddenly renew their SSL certificate, and decide to do it with a mid-sized Dutch CA, of all places?" Hypponen, chief research officer of F-Secure blogged. "And when Diginotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement discussed above?"


Another problem is that revocation isn't a sure thing. The rogue certs could be used for one-off, targeted attacks, and therefore would be tough to pinpoint, experts say.

"Additionally, there are ways to bypass revocation notices. So currently, we're depending on browser updates to fully protect us," Kaspersky's Schouwenberg says. "The average turnaround time is rather suboptimal. Let's hope Apple will be faster than with the Comodo case."

He says it also appears that not all of the CAs have been revoked, either: A separate DigiNotar CA handles the EV-SSL certs, and Chrome currently appears to be still accepting that CA, he says.

APT: Breaching Defense Contractor Data

Via AviationWeek (August 30, 2011) -

A couple of years back, it was reported that hackers had compromised the Joint Strike Fighter program’s internal information system. The reports were partially correct, but were not denied by the Pentagon because official sources could then state that the JSF program had not suffered extensive data loss. That was because JSF was not the target.

The hack had been aimed at a classified program. Not only could intruders extract data—they could become invisible witnesses to online meetings and technical discussions. After the break was discovered, the program had to be halted and was not restarted until a new—and costly—security system was in place.

Announcing the Defense Department’s new cyberwarfare strategy in July, Deputy Defense Secretary William Lynn noted that “a foreign intelligence agency” had hit a major defense contractor in an exploit discovered in March, and exfiltrated 24,000 files concerning a developmental system. The Pentagon was still reviewing whether the system (which Lynn did not identify) will need to be redesigned. That could be necessary if the compromised information will not only help the intruder develop similar systems, but also methods of attack and defense.

Meanwhile, China’s unveiling of the Chengdu J-20 stealth fighter prototype at the end of 2010 took Western observers by surprise (DTI February, p. 32). Then-Defense Secretary Robert Gates’s prediction in 2009 that China would have no stealth aircraft in 2020 and only a handful in 2025 had started to look optimistic—but was contradicted by U.S. Air Force Vice Chief of Staff Gen. Phillip Breedlove’s Senate testimony in July. China, he said, can close the technology gap faster than expected because of “the way they’re intruding into the nets of our manufacturers and our government.” Breedlove added: “When they say they’re going to build 300 [J-20s] in the next five years, they will build 300 in the next five years.”

China has made rapid progress in other areas. Images appearing on the Internet show that the updated J-10B single-engine fighter probably has an active, electronically scanned array (AESA), in addition to an infrared search-and-track system and updated defensive avionics.

Other pictures show J-11B fighters (bootlegged versions of the Sukhoi family) with Chinese engines, indicating that China is making progress toward overcoming a critical limitation on its fighter industry—dependence on Russian propulsion. And as a J-10B with a domestically developed engine appeared, China announced its intention to supply Pakistan with such aircraft (DTI July/August, p. 8).

These advances are emerging 5-6 years after cybersecurity professionals detected what came to be dubbed the advanced persistent threat, or APT—in other words, reducing the time taken from conceptual design of a military system to prototyping.

The APT was barely mentioned in public until last year (DTI May 2010, p. 16). Even now, few people in industry or government call it what it is—a massive campaign of cybernetwork exploitation (CNE) originating in China.


The direct damage caused to the target is hard to assess. Was a contract lost due to a rival’s inside knowledge, or other factors? In the case of technical data, [Dmitri] Alperovitch [of McAfee] notes, “it may be several years before stolen schematics turn up in a product, but by then it might be too late.” Compromised information could also help a development in ways that are invisible—for example, the ability to pick one of several technical approaches without testing all of them, or avoiding blind-alley concepts.

Cyberespionage, experts note, is different from classic spycraft. Software agents are expendable. The result is that a classic dilemma of intelligence—the risk that acting on it or disseminating it widely will compromise sources and methods—is absent, as are barriers between intelligence operatives and end users. It’s entirely possible to conceive of a defense manufacturer having its own intelligence operation, combining open-source and CNE methods, accepting direct tasking from program leaders.


There are two big issues, Alperovitch says. One is the “sheer scale and magnitude” of the operation, “a wholesale transfer of intellectual property . . . They are using our resources for their R&D.” That, and the ability to compromise bid data, can cause “a direct loss of jobs.” The other is the potential for “escalation from espionage to cybernetwork warfare. The difference between escalation and attack may be a click of a button.”

Fake Facebook Page Targets Pro-Revolution Syrian Users

Via Information Warfare Monitor -

The Information Warfare Monitor (IWM) has uncovered an attempt to use a fake URL and login page to lure Facebook users into providing their login credentials. Given the nature of the content being linked to, this appears to be an attempt to target pro-revolution Syrian Facebook users. The link (hxxp:// attempts to mimic the URL and login page of Facebook, as seen in Figure 1. It has been distributed through multiple Syrian Twitter accounts, which describe the content as a “fascinating video clip showing an attack on Syrian regime”. The use of Twitter accounts to distribute malicious links is a common tactic and has been documented by past Information Warfare Monitor research.

IWM researchers were able to login to this Facebook page using newly created login credentials, at which point we were re-directed to the legitimate Facebook login page. Tweets from August 29, 2011 have added a note explaining “you will be asked to login twice as an extra security measure”. This is likely an attempt to mask the suspicious URL by immediately re-directing to a legitimate one.

The source code of the fake Facebook page contains a description in Arabic which reads “An excellent operation by Khalid brigade that killed 6 Shabiha in the Syrian city Homs.” Shabiha is an Arabic term used by Syrian opposition groups to describe the regime’s militias. This message provides further evidence that this page was indeed set up to target pro-revolution Syrian users.


Previous research of the Information Warfare Monitor has documented activities of the pro-regime Syrian Electronic Army, which included compromising several Facebook pages run by Syrian opposition groups. However, we are not able to determine who is behind this particular attempt to harvest Facebook credentials.

DigiNotar: Attackers Obtain Valid Cert for Google Domains, Vendors Move to Revoke It

Via -

A fraudulent SSL certificate for "*" issued by Dutch certificate authority (CA) DigiNotar, possibly to the Iranian government or its agents, has triggered a wave of updates from software makers to stop applications trusting the CA. The certificate was issued on 10 July to unknown persons in Iran.

Several security experts, such as Moxie Marlinspoke, confirmed that the SSL certificate came from DigiNotar; one pastebin entry detailed the contents of the suspicious certificate, while another called for the "internet death sentence" because the company's "carelessness may have resulted in deaths in Iran". The Electronic Frontier Foundation said in a blog posting that it believes the attacks have been used to intercept searches and private email. It is unknown who the certificate was actually issued to and whether or not any other bogus certificates were issued.

The attack was initially noticed by Google Chrome users because Chrome 13 and later implements certificate pinning which ensures that the browser will only accept certificates for Google from a whitelist of certificate authorities; DigiNotar was not a CA on the whitelist and users of Chrome were alerted that something was amiss with the certificate they were being presented. The certificate was revoked yesterday, 29 August, at 16:59 GMT, but because many browsers do not check for revoked certificates by default, software vendors have had to take action to prevent the continued exploitation of the bogus certificate. It is also currently unknown if any other bogus certificates were issued by DigiNotar, therefore the vendors are opting to block all certificates signed by the CA.

Microsoft has released a security advisory and updates for all supported Windows operating systems – including Vista SP3, Server 2008 SP2 and Windows 7 SP1 – which revoke trust in the CA's root certificate. Windows XP SP3 and Server 2003 SP2 will receive separate updates as these systems do not use the centrally managed Microsoft Certificate Trust List.

Mozilla has announced that it is releasing updates for Firefox (3.6.21, 6.0.1, 7, 8 and 9) and Firefox Mobile (6.0.1, 7, 8 and 9), Thunderbird (3.1.13 and 6.0.1) and SeaMonkey (2.3.2), which will also revoke trust in DigiNotar's root certificate. Mozilla has also released instructions on how to delete the DigiNotar Root CA certificate from Firefox manually.

Google is also disabling DigiNotar's certificate in Chrome "while investigations continue" even though Chrome detected the fraudulent certificate. The Chrome browser was only able to do that for subdomains and if there are other fraudulent certificates for other domains Chrome would be unable to detect the deceit.

This is the second fraudulent certificate incident this year: in March, SSL certificates for, Yahoo, Skype, Microsoft Live and Google were created by an intruder into a Comodo reseller.


Additional Resources:

Based on this photo in THN, the fraudulent certificate was issued on 7/10/2011.

Monday, August 29, 2011

IPv6: Some Chinese Surf Freely, for Now

Via VOA News (August 22, 2011) -

A new web technology being championed by China is allowing a short-term gap in its so-called “Great Firewall,” which blocks Chinese Internet users from sites blacklisted by the government in Beijing. Experts say how the gap is closed could have ramifications for the entire world.


To answer the [IPv4] shortage, China has been a leader in rolling out IPv6. But it’s only available to a small slice of the population, mainly in the big cities and around large universities. At least some of these users seem to be able to surf without blocking or filtering.

“We have been testing IPv6 connectivity to China for the past year, and so far, it seems like the Chinese government is not paying attention to it at all,” said Andrew Lewman, the executive director of the TOR Project, an open network that helps people protect their identity online.


Lewman said the number of people using IPv6 is probably in the “tens of thousands,” but he expects China to start paying attention as soon as those numbers reach a critical mass.

Another reason there’s no IPv6 firewall is the hardware is not plentiful.

“There are just not enough vendors selling the equipment to use on an IPv6 Great Firewall,” Lewman said. “Basically [the Chinese government] just has to say to vendors that there are billions of dollars to be made here.”

Once this happens, things could get very interesting.


Hal Roberts, a fellow at the Berkman Center for Internet & Society at Harvard University and an expert on Internet filtering circumvention and Internet surveillance, said IPv6 could present a double-edged sword.

On one hand, the creation of a nearly infinite number of new IP addresses could be a boon to anonymity, which largely relies on the ability of an anonymous surfer to quickly change IP addresses on the fly to avoid detection.

On the other hand, Roberts said there’s a movement, pushed largely by U.S. law enforcement agencies and the Recording Industry Association of America to build a strong association between hardware and IP addresses.

In other words, since there would be so many IPv6 addresses, it would be possible to hardwire every computer, cell phone or any other type of hardware that connects to the Internet with an IP address, making anonymity virtually impossible.

“That’s a debate that’s still happening,” said Roberts. “We don’t know which way that will go.”

APT: A Geopolitical Problem

Via A Fistful of Dongles (AFoD) Blog -

An important thing to understand when thinking about advanced persistent threat (APT) is that it’s a much bigger problem than any one of us individually as organizations can handle because it's ultimately a geopolitical issue. We're talking about nation-states who are engaging in attacks against the confidentiality of sensitive data that belongs to other nation-states, their industrial base, academic institutions, and non-profit organizations. In other words, China isn't going to stop using cyber attacks as an active tool for its national security and economic development efforts until someone forces them to do so or their government changes radically.

Being targeted by a nation-state actor is a daunting thing to consider. Matt Olney, who is still the reigning champion of the pithy APT definition, wrote, "APT: There are people smarter than you, they have more resources than you, and they are coming for you. Good luck with that." Matt wasn't kidding when he said they have more resources that you. A nation-state has the ability to levee taxes and print money. I don't care what your organization’s profit margins and revenues were last year, they can't compete when it comes to outspending these people. Nation-states can have tremendous resources when it comes to personnel, intelligence gathering, education, and research and development capabilities. Jonathan Abolins made a fine point in response to my last blog post when he stated that if your organization is targeted by a nation-state for cyber attacks, it's almost certainly being targeted by more traditional physical data collection methods. Nation-states have comprehensive intelligence collection strategies where information warfare is just one piece of their strategy.


So what can you do? The first thing you should do is to educate yourself about the nature of the threat so that you can cut through the noise and properly educate your organizational leadership.


You should also maintain at least a working knowledge of the business and geopolitical world around you. Since advanced persistent threat is a nation-state issue, it's important to understand what is happening in the world and how it connects to your daily life as an information security professional. There are resources such as The Wall Street Journal, The Economist, Brookings, Council on Foreign Relations, and Foreign Policy that all have robust and convenient online presences complete with mobile applications.


Eric makes a very serious point, one that is often overlooked in APT discussions. These nation-states are conducting espionage operations (both cyber and physical) for a purpose.

Looking at the world through a geopolitical lens can often lead to insight and deeper understanding of that purpose - this understanding is key to defending against it.

The convergence of global geopolitical and local political realities with cyber-attacks will only increase. Those information security professionals not willing to embrace (or at the very least accept) that truth are desired to fall behind in the fight.

Saturday, August 27, 2011

Senior al Qaeda Leader Reportedly Killed

Via The Long War Journal -

Atiyah Abd al Rahman, a top al Qaeda leader who long served Osama bin Laden, was reportedly killed on Aug. 22 in Waziristan, Pakistan, according to multiple press reports. Both the Associated Press and Reuters cite US officials as saying that Rahman has been killed. Matt Apuzzo of the AP reports that a US official would not confirm how Atiyah had been killed, but the AP story notes that on same day, the CIA launched a drone strike in Waziristan.

US intelligence officials contacted by The Long War Journal would neither confirm nor deny Atiyah's reported death. One senior US intelligence official observed that verifying the deaths of top terrorists is difficult and the US has gotten it wrong in the past. Atiyah himself, the official pointed out, was reportedly killed in 2010. Still, this official said, it is certainly possible that the new reports of Atiyah's demise are accurate.

Al Qaeda typically releases martyrdom statements for its top leaders after they have been killed. No such statement has been released to commemorate Atiyah. But martyrdom statements can also take days and sometimes weeks for al Qaeda to produce. It is possible that al Qaeda simply has not released its commemoration of Atiyah yet.

If Atiyah is dead, then it is another major blow to al Qaeda's central leadership. Documents recovered during the May 2 raid on Osama bin Laden's compound revealed that Atiyah was involved in planning a spectacular terrorist attack against the US. Atiyah and bin Laden wanted the strike to coincide with the 10th anniversary of the Sept. 11, 2001 attacks, according to the Wall Street Journal.

Atiyah has been described as al Qaeda's "operations chief" in some press reports, and his role in plotting terrorist attacks has been repeatedly noted. But according to one senior US intelligence official contacted by The Long War Journal, Atiyah was al Qaeda's "general manager" and also served as Osama bin Laden's "chief of staff."

While Atiyah was involved in plotting attacks, the official said, he was not really the "operational commander." In the nascent plot to attack the US on the 10th anniversary of 9/11, for example, Atiyah would pass messages back and forth between Osama bin Laden and operatives elsewhere, but the tactical details of the plot were left to other al Qaeda commanders.

Atiyah was also given a senior role in managing al Qaeda's finances, the official said. Only the most loyal and trustworthy terrorists would be given such a role.

In July, the US Treasury Department designated as terrorists six members of an al Qaeda network based inside Iran. [See LWJ report, Treasury targets Iran's 'secret deal' with al Qaeda.] One member of the network named in the designation is Atiyah.


After the 9/11 attacks, Atiyah sought refuge inside Iran, along with other senior al Qaeda operatives. By some accounts, the Iranian government held Atiyah under a loose form of house arrest beginning in 2003. The details of the house arrest are murky, however, and other accounts note that the al Qaeda leaders continued to operate.

The Iranians ultimately allowed Atiyah to leave for northern Pakistan, where he assumed a senior leadership position and was reportedly killed.


NYT - C.I.A. Drone Is Said to Kill Al Qaeda’s No. 2
A drone operated by the Central Intelligence Agency killed Al Qaeda’s second-ranking figure in the mountains of Pakistan on Monday, American and Pakistani officials said Saturday, further damaging a terrorism network that appears significantly weakened since the death of Osama bin Laden in May.


American officials described Mr. Rahman’s death as particularly significant as compared with other high-ranking Qaeda operatives who have been killed, because he was one of a new generation of leaders that the network hoped would assume greater control after Bin Laden’s death.


The C.I.A. almost never consults Pakistani officials in advance of a drone strike, and a Pakistani government official said Saturday that the United States had told Pakistan’s government that Mr. Rahman had been the target of the strike only after the spy agency confirmed that he had been killed.

Friday, August 26, 2011

DARPA Releases Video of Failed HTV-2 Flight

Via -

DARPA says it does not know yet what caused the August 11 second flight of its HTV-2 hypersonic glider to end after just 9min, but it's pretty sure it was not the same anomaly that caused the first flight on April 22 last year to end prematurely, also after just 9min.

The agency has released video of the second flight, captured with a handheld camera by a crewmember on the first telemetry-tracking vessel to catch sight of the HTV-2 as it was released from its Minotaur IV booster to begin what was planned as a 30min, Mach 20 flight across the Pacific to splash down off Kwajalein.

DARPA says the second HTV-2 was in stable, controlled Mach 20 flight for 3min before the anomaly -- longer than was achieved by the first vehicle. But the anomalies on both flights occurred in the same phase of flight -- after release from the booster, when the aerodynamic and reaction controls were guiding the vehicle through atmospheric re-entry and into a pull-up maneuver to control speed and altitude for the glide.

The agency says it appears changes made after the first flight were successful. Center of gravity was adjusted, angle of attack reduced and the reaction control system used to augment aerodynamic control flaps. These changes were made to reduce the vehicle's natural roll-yaw coupling, which on the April flight caused the autonomous flight-termination system to activate when roll exceeded limits.

Changes after Flight 1 were designed to reduce the uncertainty regarding when hypersonic flow over the vehicle would transition from laminar to turbulent, increasing drag and changing flight characteristics. They appear to have been successful in that goal, as initial data "indicates that our pre-flight models successfully predicted transition to within 10 seconds of actual transition point," says DARPA.

If it proves out, that better understanding of laminar to turbulent flow -- achieved through the detail investigation that followed the first failure -- may yet prove to be the major product of the HTV-2 program. It may not sound like much, but DARPA says it will provide a better idea of how far a prompt global strike weapon can fly, and how accurate it will be.

Thursday, August 25, 2011

China SignPost: A Smoking Cursor? New Window Opens on China’s Potential Cyberwarfare Development

Amid growing U.S. concerns of ongoing Chinese cyberattacks, attribution remains the most complex issue. At the open source level at least, it has been hard to find a “smoking cursor.” That is, until the broadcast of a recent cyberwarfare program on the military channel of China’s state television network. It appeared to show dated computer screenshots of a Chinese military institute conducting a rudimentary type of cyberattack against a United States-based dissident entity. However modest, ambiguous—and, from China’s perspective, defensive—this is possibly the first direct piece of visual evidence from an official Chinese government source to undermine Beijing’s official claims never to engage in overseas hacking of any kind for government purposes. Clearly, Washington and Beijing have much to discuss candidly here if they are to avoid dangerous strategic tension.


Great analysis of the recent Chinese military documentary program titled "Military Technology: Internet Storm is Coming", which included camera footage of Chinese government systems launching attacks against a U.S. target.

As it turned out, the documentary program was recently removed from the CCTV 7 website. As noted by F-Secure, the removal of the program by the authorities is only likely to increase the controversy.

New Trojan Ice IX Written Over Zeus’ Ruins

Via RSA FraudAction Research Labs -

In May 2011 the RSA Research Lab blogged about the leak of the Zeus Trojan’s source code. Since the most coveted source code was leaked, one of the predictions security researchers were convinced of was that the exposed code would attract the attention of independent code writers who will explore it and write their own offspring versions of the Old Zeus as they saw fit.

That day was not late to come as a new commercial Trojan, initially introduced to cybercriminals in the Russian-speaking underground, was briefly presented to cybercriminals in late April 2011 (v1.0.0). The coder who wrote the new Trojan, and named it “Ice IX” openly declared that he developed his new Trojan based on the Zeus v2 source code, supposedly ‘perfecting’ whatever flawed functions he believed needed revamping or could make his buyers’ lives easier.

The new Trojan possesses improved Zeus capabilities as well as several additional features that did not exist in the original Zeus. Apparently, the feature considered most valuable by Ice IX’s coder is the implementation of a defense mechanism designed to evade Tracker sites, which he managed to implement in version 1.0.5 of the Trojan.

Repeatedly stressed by Ice IX’s coder, his buyers will finally be able to sidestep what has apparently become quite the hurdle for cybercriminals – Zeus and SpyEye trackers. The two main tracker sites are operated by a Swiss-based organization which monitors and reports malicious C&C servers to web users, service providers and law enforcement agencies (ISPs, CERTs and police cyber units).

Ice IX’s coder claims that the evasion mechanism will further allow cybercriminals to host their malware using standard hosting servers (with legitimate service providers), as opposed to having to use cybercrime-themed bulletproof servers. This change is intended to save Ice IX Trojan operators considerable hosting expenses they would otherwise have to pay for hosting on bulletproof infrastructures.


Ice IX, The First Crimeware Based on the Leaked ZeuS Sources

FAIL: Ice IX Boasts of Eluding Tracker Services
Is Ice IX a new threat? Not really. It has the same functionality as ZeuS, but it tries to evade ZeuS Tracker & Co (but royally fails).

Monday, August 22, 2011

Hong Kong Authorities Arrest Man Over Stock Exchange Attack

Via InfoSec Island (August 22, 2011) -

Authorities in Hong Kong have arrested a man on suspicion of conducting a cyber attack against the Hong Kong Exchange (HKEx) nearly two weeks ago.

The man was detained late last week and police seized five computers, several mobile phones, and other items, according to reports.

"He is being investigated under the offence of access to a computer with criminal or dishonest intent," the police spokesman said, adding that the man was being held for questioning.

The attack against HKEx trading system websites had forced the exchange to suspend some trading for half a day.

After a preliminary investigation, the source of the disruption was acknowledged to be a hacker attack that was preventing investors from having access to important corporate announcements used to make trading determinations.

Without access to the important lunch hour announcements, HKEx officials decided to implement an emergency half-day trading contingency.

Officials indicate that critical systems involved in the actual trades themselves were not affected by the attack. Nonetheless, the event was a first for the Hong Kong exchange.

"It was the first time for a suspension due to such a kind of technical problem and one involving so many companies," said Alfred Chan, the chief dealer at Cheer Pearl Investment in Hong Kong.

While the attack is considered to be an unsophisticated operation targeting "low hanging fruit" - vulnerabilities that are common and easily exploited - there should be significant concern that such a major disruption could so easily be undertaken.

The attack demonstrates that financial systems remain highly susceptible to interruptions from cyber attacks.


Background story....

DDoS Attack Forces Hong Kong Exchange Site Offline for Second Day (Aug 12, 2011)

Al Qaeda's Challenge

Via New York Times (Op-Ed by William McCants) -

Osama bin Laden’s long-sought revolutions in the Arab world are finally happening, and the upheaval would seem to give Al Qaeda a rare opportunity to start building the Islamic states it has long sought.

Ideally, these states would not have parliaments (human lawmaking usurps God’s role as lawgiver) and would be hostile to U.S. interests. But so far at least, the revolutions have defied bin Laden’s expectations by empowering not jihadists but Islamist parliamentarians — Muslims who engage in parliamentary politics to increase the influence of Islamic law but who refuse to violently oppose U.S. hegemony in the region.


Good piece on the current movements and it's potential impact on AQ.

Slip-Up in Chinese Military TV Show Reveals More Than Intended

Via The Epoch Times (August 21, 2011) -

A standard, even boring, piece of Chinese military propaganda screened in mid-July included what must have been an unintended but nevertheless damaging revelation: shots from a computer screen showing a Chinese military university is engaged in cyberwarfare against entities in the United States.

The documentary itself was otherwise meant as praise to the wisdom and judgment of Chinese military strategists, and a typical condemnation of the United States as an implacable aggressor in the cyber-realm. But the fleeting shots of an apparent China-based cyber-attack somehow made their way into the final cut.

The screenshots appear as B-roll footage in the documentary for six seconds—between 11:04 and 11:10 minutes—showing custom-built Chinese software apparently launching a cyber-attack against the main website of the Falun Gong spiritual practice, by using a compromised IP address belonging to a United States university.

The screenshots show the name of the software and the Chinese university that built it, the Electrical Engineering University of China's People's Liberation Army—direct evidence that the PLA is involved in coding cyber-attack software directed against a Chinese dissident group.

The software window says "Choose Attack Target." The computer operator selects an IP address from a list—it happens to be—and then selects a target. Encoded in the software are the words "Falun Gong website list," showing that attacking Falun Gong websites was built into the software.

A drop-down list of dozens of Falun Gong websites appears. The computer operator chooses, the main website of the Falun Gong spiritual practice.

The IP address belongs to the University of Alabama in Birmingham (UAB), according to an online trace.


Quite unfortunate to see a budding documentary director’s career take a turn for the worse like that. ;)

Sunday, August 21, 2011

Laser Advances in Nuclear Fuel Stir Terror Fear

Via New York Times -

Scientists have long sought easier ways to make the costly material known as enriched uranium — the fuel of nuclear reactors and bombs, now produced only in giant industrial plants.

One idea, a half-century old, has been to do it with nothing more substantial than lasers and their rays of concentrated light. This futuristic approach has always proved too expensive and difficult for anything but laboratory experimentation.

Until now.

In a little-known effort, General Electric has successfully tested laser enrichment for two years and is seeking federal permission to build a $1 billion plant that would make reactor fuel by the ton.

That might be good news for the nuclear industry. But critics fear that if the work succeeds and the secret gets out, rogue states and terrorists could make bomb fuel in much smaller plants that are difficult to detect.

Iran has already succeeded with laser enrichment in the lab, and nuclear experts worry that G.E.’s accomplishment might inspire Tehran to build a plant easily hidden from the world’s eyes.

Backers of the laser plan call those fears unwarranted and praise the technology as a windfall for a world increasingly leery of fossil fuels that produce greenhouse gases.

But critics want a detailed risk assessment. Recently, they petitioned Washington for a formal evaluation of whether the laser initiative could backfire and speed the global spread of nuclear arms.

“We’re on the verge of a new route to the bomb,” said Frank N. von Hippel, a nuclear physicist who advised President Bill Clinton and now teaches at Princeton. “We should have learned enough by now to do an assessment before we let this kind of thing out.”


Wikipedia: Separation of Isotopes by Laser Excitation (SILEX)

Los Alamos National Lab - Enrichment Separative Capacity for SILEX

Australian DSD - Top 35 Mitigation Strategies

At least 85% of the targeted cyber intrusions that the Defence Signals Directorate (DSD) responded to in 2010 could have been prevented by following the first four mitigation strategies listed in our Top 35 Mitigation Strategies:
  • Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers.
  • Patch operating system vulnerabilities.
  • Minimise the number of users with administrative privileges.
  • Use application whitelisting to help prevent malicious software and other unapproved programs from running.

The Top 35 Mitigation Strategies are ranked in order of overall effectiveness. Rankings are based on DSD’s analysis of reported security incidents and vulnerabilities detected by DSD in testing the security of Australian Government networks.

IBM's New Chips Compute More Like We Do

Via MIT Technology Review -

A microchip with about as much brain power as a garden worm might not seem very impressive, compared with the blindingly fast chips in modern personal computers. But a new microchip made by researchers at IBM represents a landmark. Unlike an ordinary chip, it mimics the functioning of a biological brain—a feat that could open new possibilities in computation.


The IBM researchers have built and tested two demonstration chips that store and process information in a way that mimics a natural nervous system. The company says these early chips could be the building blocks for something much more ambitious: a computer the size of a shoebox that has about half the complexity of a human brain and consumes just one kilowatt of power. This is being developed with $21 million in funding from the Defense Advanced Research Projects Agency, in collaboration with several universities.

The company's researchers and their academic collaborators will present two papers next month at the Custom Integrated Circuits conference in San Jose, California, showing that the chip designs have very low power requirements and work with neural-circuit-mimicking software. In one experiment, a "neural core," as the new chips are called, learns to play Pong; in another, it learns to navigate a car on a simple race track; and in another it learns to recognize images.


So far the IBM team has demonstrated only very basic software on these chips, but they have laid the foundation for running more complex software on simpler computers than has been possible in the past. In 2009, Modha's group ran simulations of a neural network as complex as a cat's brain on a supercomputer. "They cut their teeth on massive simulations," says Michael Arbib, director of the USC Brain Project. "Now they've come up with chips that may make it easier to [run cognitive computing software]—but they haven't proven this yet," he says.

Modha's group started by modeling a system of mouse-like complexity, then worked up to a rat, a cat, and finally a monkey. Each time they had to switch to a more powerful supercomputer. And they were unable to run the simulations in real time, because of the separation between memory and processor that the new chip designs are intended to overcome. The new hardware should run this software faster, using less energy, and in a smaller space. "Our eventual goal is a human-scale cognitive-computing system," Modha says.


Step 1 = Run complex simulations with best-of-breed hardware
Step 2 = Learn lessons from completed simulations > knowledge
Step 3 = Identify hardware limitations & methods to improve process > knowledge
Step 3 = Design & implement knowledge / identified improvements into new hardware
Step 4 = Run [more] complex simulations with [newly designed] best-of-breed hardware
Step 5 = Goto Step 2

Saturday, August 20, 2011

Exploit Pack Intelligence: An Overview of Exploit Packs (Update 13)

Mila Parkour (@snowfl0w) has released her latest update to the Exploit Pack spreadsheet.

It includes the latest exploit intelligence on 53 different packs (in alphabetical order):
  1. Best Pack
  2. Blackhole Exploit 1.0
  3. Blackhole Exploit 1.1
  4. Bleeding Life 2.0
  5. Bleeding Life 3.0
  6. Bomba
  7. CRIMEPACK 2.2.1
  8. CRIMEPACK 2.2.8
  9. CRIMEPACK 3.0
  10. CRIMEPACK 3.1.3
  11. Dloader
  12. EL Fiiesta
  13. Eleonore 1.3.2
  14. Eleonore 1.4.1
  15. Eleonore 1.4.4 Moded
  16. Eleonore 1.6.3a
  17. Eleonore 1.6.4
  18. Eleonore 1.6.5
  19. Fragus 1
  20. Icepack
  21. Impassioned Framework 1.0
  22. Incognito
  23. iPack
  24. JustExploit
  25. Katrin
  26. Merry Christmas Pack
  27. Liberty 1.0.7
  28. Liberty 2.1.0*
  29. LinuQ pack
  30. Lupit
  31. Mpack
  32. Mushroom/unknown
  33. Open Source Exploit (Metapack)
  34. Papka
  35. Phoenix 2.0
  36. Phoenix 2.1
  37. Phoenix 2.2
  38. Phoenix 2.3
  39. Phoenix 2.4
  40. Phoenix 2.5
  41. Phoenix 2.7
  42. Robopak
  43. Salo pack
  44. Sava Pack
  45. SEO Sploit pack
  46. Siberia
  47. T-Iframer
  48. Unique Pack Sploit 2.1
  49. Webattack
  50. Yes Exploit 3.0RC
  51. Zero Pack
  52. Zombie Infection kit
  53. Zopack

Friday, August 19, 2011

Inside an APT Covert Communications Channel

For many years, hackers operating out of China have been attacking a myriad of commercial and government systems here in the US and abroad. The term “APT” or Advanced Persistent Threat has often been used to describe these attackers. While HBGary is primarily a product company selling an enterprise incident response product, the team has been deep into APT analysis for over five years. Most of the analysis work is in direct support of Digital DNA – an automated system for detection of unknown malware and APT intrusions. I presented a technical description of how this attribution works, what is solves and what it doesn’t, at the BlackHat Conference last year. The work is about tracking threat groups – that is, tracking the humans and the human factors behind the digital artifacts we see. There are many hacking groups involved in these intrusions. One such group has often been called “Comment Crew” for their use of HTML comments as a means of command and control. This group has been associated with the recent “Shady RAT” intrusion revealed by McAfee. For this article I am going to give you a technical in-depth tour of how such a group operates.


CyberESI - Trojan.Letsgo Analysis

This is malware captured during an ongoing APT attack which utilized various techniques (i.e. Targeted Spear-phishing, HTML Comment Base64 C2, Encoded Binaries in GIFs, etc.) to bypass standard enterprise perimeter-based security measures (e.g. Proxy/Network Reputation Checking, Proxy AV, Proxy File Type Blocking, Firewalls). This attack also included "interaction with the host" by the attacker.

The CyberESI's blog is full of these types of analysis...another example:

Cyber ESI - The PNG Trojan AcroRD32.exe

Again, this is malware using the techniques outlined above (i.e. HTML Comment Based64 C2, Encoded Binaries in PNGs, etc.). Again, the attacker interactions with the host using basic commandline 'administration' command.

Thursday, August 18, 2011

The Buffer Between Mexican Cartels and the U.S. Government

Via STRATFOR (Security Weekly) -

It is summer in Juarez, and again this year we find the Vicente Carrillo Fuentes organization (VCF), also known as the Juarez cartel, under pressure and making threats. At this time in 2010, La Linea, the VCF’s enforcer arm, detonated a small improvised explosive device (IED) inside a car in Juarez and killed two federal agents, one municipal police officer and an emergency medical technician and wounded nine other people. La Linea threatened to employ a far larger IED (100 kilograms) if the FBI and the U.S. Drug Enforcement Administration (DEA) did not investigate the head of Chihuahua State Police intelligence, whom the VCF claimed was working for the Sinaloa Federation.

La Linea did attempt to employ another IED on Sept. 10, 2010, but this device, which failed to detonate, contained only 16 kilograms of explosives, far less than the 100 kilograms that the group had threatened to use.

Fast-forward a year, and we see the VCF still under unrelenting pressure from the Sinaloa Federation and still making threats. On July 15, the U.S. Consulate in Juarez released a message warning that, according to intelligence it had in hand, a cartel may be targeting the consulate or points of entry into the United States. On July 27, “narcomantas” — banners inscribed with messages from drug cartels — appeared in Juarez and Chihuahua signed by La Linea and including explicit threats against the DEA and employees of the U.S. Consulate in Juarez. Two days after the narcomantas appeared, Jose Antonio “El Diego” Acosta Hernandez, a senior La Linea leader whose name was mentioned in the messages, was arrested by Mexican authorities aided by intelligence from the U.S. government. Acosta is also believed to have been responsible for planning La Linea’s past IED attacks.

As we have discussed in our coverage of the drug war in Mexico, Mexican cartels, including the VCF, clearly possess the capability to construct and employ large vehicle-borne improvised explosive devices (VBIEDs) — truck bombs — and yet they have chosen not to. These groups are not averse to bloodshed, or even outright barbarity, when they believe it is useful. Their decision to abstain from certain activities, such as employing truck bombs or targeting a U.S. Consulate, indicates that there must be compelling strategic reasons for doing so. After all, groups in Lebanon, Pakistan and Iraq have demonstrated that truck bombs are a very effective means of killing perceived enemies and of sending strong messages.

Perhaps the most compelling reason for the Mexican cartels to abstain from such activities is that they do not consider them to be in their best interest. One important part of their calculation is that such activities would remove the main buffer that is currently insulating them from the full force of the U.S. government: the Mexican government.

Read more: The Buffer Between Mexican Cartels and the U.S. Government | STRATFOR

US State Department - Country Reports on Terrorism 2010

Country Reports on Terrorism 2010 is an annual Congressionally mandated report that provides an assessment of trends and events in international terrorism that transpired from January 1 to December 31, 2010. Besides filling a Congressional requirement, this publication aims to enhance the public’s understanding of the international terrorist threat. The report focuses on policy-related assessments, country-by-country breakdowns of foreign government counterterrorism cooperation, and contains chapters on WMD terrorism, State Sponsors of Terrorism, Terrorist Safe Havens, and Foreign Terrorist Organizations.

The report also includes a statistical annex prepared by the National Counterterrorism Center. The statistics show more than 11,500 terrorist attacks occurred in 72 countries during 2010, resulting in more than 13,200 deaths. Although the number of attacks rose by almost 5 percent from the previous year, the number of deaths declined for a third consecutive year, dropping 12 percent from 2009. For the second consecutive year, the largest number of reported attacks occurred in South Asia and the Near East, with more than 75 percent of the world’s attacks and deaths occurring in these regions.

The report can be found on the State Department website at

Personal Security: Anti-Hacking Jammer for Medical Implants

Via MIT Technology Review -

Many medical implants, such as insulin pumps and pacemakers, are equipped with wireless radios that let doctors download data about the patient's condition and adjust the behavior of the implant. But these devices are vulnerable to hackers who can eavesdrop on stored data or even reprogram the implant, causing, for example, a pacemaker to shock a heart unnecessarily. While it may be possible to engineer new, more secure implants, millions of people are walking around with vulnerable devices that can't be replaced without surgery. An anti-hacking device presented this week at the annual SIGCOMM communications conference in Toronto may offer them a solution.

Created by researchers from MIT and the University of Massachusetts, Amherst, the laptop-sized device, called "the shield," emits a jamming signal whenever it detects an unauthorized wireless link being established between an implant and a remote terminal (which can be out of sight and tens of meters away). Although no attack of this kind is known to have occurred , "it's important to solve these kinds of problems before the risk becomes a tenable threat," says Kevin Fu, an associate professor of computer science at UMass and one of the developers of the shield. Fu was Technology Review's Young Innovator of the Year in 2009 for his work in uncovering the previously unsuspected danger that hackers pose to implant wearers.

The key innovation is the new radio design that the shield uses for jamming. "If you just do simple jamming [broadcasting radio noise on a given frequency], then the attacker doesn't get the information, but the doctor doesn't either," says Dina Katabi, another developer of the shield and an associate professor of electrical engineering and computer science at MIT. Instead, the shield allows a jamming signal to be broadcast while it simultaneously receives data signals from the implant and relays them over a secure link. So doctors can still download data and confirm adjustments even while the shield is jamming an attacker.


Blackhat 2011: Diabetic Black Hat Researcher Hacks Insulin Pump
Security researcher Jay Radcliffe set out to find out if proprietary wireless communications could be reverse engineered to manipulate a diabetic's insulin pump and potentially kill the patient. Radcliffe had a very compelling reason to do this research: he is a diabetic.


During his Aug. 4 "Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System" session, Radcliffe discussed how an attacker could intercept wireless signals emitted by medical devices and broadcast a stronger signal to interfere with regular operation. The malicious commands can change the blood-sugar level readout on an insulin pump to misinform the patient of the blood sugar levels or just disable the device. If done repeatedly, the attacker could kill a person because of improper insulin dosages, Radclifee suggested.

Wednesday, August 17, 2011

Biclique Cryptanalysis of the Full AES

Since Rijndael was chosen as the Advanced Encryption Standard, improving upon 7-round attacks on the 128-bit key variant or upon 8-round attacks on the 192/256-bit key variants has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a decade. In this paper we present a novel technique of block cipher cryptanalysis with bicliques, which leads to the following results:
  • The first key recovery attack on the full AES-128 with computational complexity 2126.1.
  • The first key recovery attack on the full AES-192 with computational complexity 2189.7.
  • The first key recovery attack on the full AES-256 with computational complexity 2254.4.
  • Attacks with lower complexity on the reduced-round versions of AES not considered before, including an attack on 8-round AES-128 with complexity 2124.9.
  • Preimage attacks on compression functions based on the full AES versions.
In contrast to most shortcut attacks on AES variants, we do not need to assume any related-keys. Most of our attacks only need a very small part of the codebook and have small memory requirements, and are practically verified to a large extent. As our attacks are of high computational complexity, they do not threaten the practical use of AES in any way.

The biclique cryptanalysis successfully applies to all full versions of AES and compared to brute-force provides an advantage of about a factor 3 to 5, depending on the version. Also, it yields advantages of up to factor 15 for the key recovery of round-reduced AES variants with numbers of rounds higher than those cryptanalyed before.

Bitcoin Mining with Trojan.Badminer

Via Symantec Über Security Response Blog -

Bitcoins have been in the news in recent months and there has been much discussion on them, as part of public discourse. In terms of how bitcoins are being targeted by malware, we’ve seen past attempts by Trojan.Cointbitminer to “mine” bitcoins on compromised computers, using up precious CPU cycles in the process. We’ve even seen other malware groups take a more direct and perhaps easier route by stealing bitcoins instead.

Now we are seeing another new Trojan on the bitcoin mining trail, which we are calling Trojan.Badminer. Instead of packing a pick axe and shovel like previous bitcoin mining Trojans, this makes use of heavy machinery to do its job. That way the flow of bitcoins can be mined much faster than before.

When it comes to mining, Badminer contains functionality to deal with all eventualities. It detects the type of computer that it is running on and then activates the appropriate “machinery” to dig through the hashes to reach the hidden treasures. If it determines the computer has a high-spec graphics card with a fast enough graphics processing unit (GPU), it uses the appropriate packages to leverage the immense processing power of the GPU to literally move through the mountains of hashes to reach the valuable bitcoins. Conversely if a low-spec computer is found, then it will wheel out the basic bitcoin mining tools, which will result in much slower throughput. To perform the mining functions, the Trojan contains both the RPC miner and Phoenix miner programs. The latter can take advantage of the extra power of the GPU for bitcoin mining.


Based on these numbers we can arrive at an earnings potential for some of the graphics cards that we have previously detailed. An AMD Radeon 6750 card is reportedly capable of 167.5 Mhash/s whereas a higher-end card like the AMD Radeon 6990 is capable of 758.82 Mhash/s.

In an ideal situation, we could expect to uncover 13.71 bitcoins with the high-end graphics card example, which in turn would be worth $156.84 per month. Not a huge amount of money in isolation, but when combined with hundreds or thousands of other compromised computers, all generating a few bitcoins each, the numbers begin to add up.


In a previous blog by Peter Coogan, it was surmised that renting a botnet to perform bitcoin mining was not an economically viable idea. The price of renting the botnet versus the CPU-based throughput of the bitcoin mining software did not justify this. With the advent of Trojan.Badminer and common usage of fast graphics cards, it may well begin to make economic sense to rent botnets in order to carry out distributed bitcoin mining and run the process on an industrial scale.

Sunday, August 14, 2011

U.S. Aides Believe China Examined Stealth Copter

Via NY Times -

In the days after the raid that killed Osama bin Laden, Pakistan’s intelligence service probably allowed Chinese military engineers to examine the wreckage of a stealth American helicopter that crashed during the operation, according to American officials and others familiar with the classified intelligence assessments.

Such cooperation with China would be provocative, providing further evidence of the depths of Pakistan’s anger over the Bin Laden raid, which was carried out without Pakistan’s approval. The operation, conducted in early May, also set off an escalating tit-for-tat scuffle between American and Pakistani spies.

American spy agencies have concluded that it is likely that Chinese engineers — at the invitation of Pakistani intelligence operatives — took detailed photographs of the severed tail of the Black Hawk helicopter equipped with classified technology designed to elude radar, the officials said. The members of the Navy Seals team who conducted the raid had tried to destroy the helicopter after it crashed at Bin Laden’s compound in Abbottabad, but the tail section of the aircraft remained largely intact.

American officials cautioned that they did not yet have definitive proof that the Chinese were allowed to visit to Abbottabad. They said that Pakistani officials had denied that they showed the advanced helicopter technology to other foreign governments. One military official said Sunday that Pakistani officials had been directly confronted about the American intelligence.

One person with knowledge of the intelligence assessments said that the American case was based mostly on intercepted conversations in which Pakistani officials discussed inviting the Chinese to the crash site. He characterized intelligence officials as being “certain” that Chinese engineers were able to photograph the helicopter and even walk away with samples of the wreckage. The tail has been shipped back to the United States, according to American officials.


Noah Shachtman notes in Wired's Danger Room Blog the design principles for stealth (low radar / noise signatures) helicopters are pretty widely known. The possibility that China acquired a sample of the physical skin of the helicopter is of most concern - as it could boost China in their own stealth technology development projects.

Friday, August 12, 2011

Trojaned Update Blamed in Massive South Korean Attack

Via The Register UK -

A devastating attack that exposed the personal information of 35 million South Koreans was perpetrated after hackers breached the security of popular software provider ESTsoft and planted malicious code on one of its update servers, it was widely reported Thursday.

Attackers with Chinese IP addresses uploaded malware to a server used to update ESTsoft's ALZip compression application, South Korean news outlets said. The upgrades eventually caused the compromise of 62 PCs at SK Communications that used the program. Attackers then tapped the machines to steal the names, user IDs, hashed passwords, birthdates, genders, telephone numbers, and street and email addresses contained in a database connected to the same network.

It was South Korea's biggest theft of personal information ever. With about 49 million people living in South Korea, the breach is believed to have affected the majority of the nation's population.

After hijacking the SK Communication PCs with the fake ALZip update, the attackers used the machines to access databases containing user information for the telecom's Cyworld social networking website and the Nate web portal. The publications cited investigators from Korea's National Police Agency.


South Korea Government Plans to Scrap Online Real-name System

The South Korea government will push ahead with plans to scrap the current real-name system for Internet users in the wake of the country's worst online security breach, local media reported Thursday.

The Ministry of Public Administration and Security is set to report to ruling party lawmakers about comprehensive measures to protect personal information online, including abolishing the real- name registration system, Yonhap news agency said.

The real-name system, introduced in 2007, requires people to use their real names and resident registration numbers when making online postings on websites with more than 100,000 visitors per day.


For user not familiar with the original story...

Hack of South Korean Sites Affects Up to 35 Million Users

DDoS Attack Forces Hong Kong Exchange Site Offline for Second Day

Via -

Trading on Hong Kong’s stock market, Hong Kong Exchanges & Clearing, remains suspended today following a "coordinated and sustained" distributed denial of service attack on one of the exchange’s websites Wednesday. Several companies, including HSBC, China Power International and Cathay Pacific found their shares unavailable late Wednesday following the attack according to a report from BBC.

A Web site usually used for company announcements was forced offline in the attack on Wednesday. The attacks continued on Thursday, despite efforts to filter malicious traffic. A subsequent investigation by the Exchange's Information Technology team and outside security experts identified an attack stemming from a botnet located outside Hong Kong and intended to "intentionally interrupt the operation of the HKExnews website."

The Exchange did not give any indication of who the hackers are or what their motive is.


Security experts have warned that the financial services sector and, in particular, stock exchanges are vulnerable to hacking and are of interest to both criminal groups and state based actors who wish to use access for illicit profit, promote local firms or sow chaos - possibly as a prelude to a larger kinetic or cyber attack.


HKEx News Release: Further Information about the Organised Attack on the HKExnews Website and Mitigation Measures


This is freaking awesome....but freaking awesome in a scary bad way.

The DDoS isn't actually affecting the trading platform, it is hitting an Internet-facing website used to release (i.e make public) announcements from corporations. I believe, these announcements have to be public for the stock to trade per legal requirements - meaning nothing can trade until public has access.

Therefore, the HKEx is looking to expand their publication of these announcements via newspapers, e-mail and even other on-line portals.

At its core, this is a DDoS aimed at the business logic of the HKEx platform.

Weather the attackers knew that killing the publication website would stop trading is unknown. But I think we have to assume they did.

Thursday, August 11, 2011

DARPA: Hypersonic Glider Lost over Pacific

Via -

USA Today is reporting that DARPA lost contact with its unmanned Falcon Hypersonic Technology Vehicle-2 during a test flight launched earlier today.

The Falcon is an unmanned craft that uses a rocket booster to accelerate before gliding at hypersonic speeds of up to Mach 22 (or about 13,000 mph) through the Earth’s atmosphere. The goal of the project is to eventually enable the US military to strike anywhere in the world in less than an hour.

The Falcon launched from Vandenberg Air Force Base and successfully separated from the booster and entered the mission’s glide phase when telemetry was lost.

DARPA released no further details.


Very unfortunate. This is a pretty serious setback to the development of global nonnuclear strike capability, which will be critical in the [long-term] future of the DoD.

Let's hope this isn't the end of the hypersonic jet/strike research.

Continued Targeted Attacks Against Personal Gmail Accounts

Via Contagio Dump Blog (Mila Parkour) -

I am posting this only to highlight the fact that once compromises happen and are covered in the news, they do not disappear and attackers don't give up or stop. They continue their business as usual. Here is a small update to the post dated Feb 17, 2011 Targeted attacks against personal accounts of military, government employees and associates. This post was mentioned a few times in the news thanks to Google mention in their blogpost in June 2011.

I received a phishing email sample indicating that the attackers described in the above post continue their efforts with a very slight modifications to the original themes and I must note that this incident is even more simple than the previous one. I don't know if any accounts were compromised this time, I hope the public disclosure of the previous attacks along with the notifications on Forward rules and two-factor authentication in Gmail helped prevent most if not all compromises.

P.S. Google are aware of this, there is not much they can do to prevent these from coming in but I am sure they are trying. If you are concerned about your account safety, please use two-factor authentication and change your passwords often.


Excellent detailed update by Mila on the ongoing personal web-based e-mail attacks.

As Mila outlines, these attackers have purpose. While the media has moved on the the next "big story", these [persistent] attackers continue their targeted hacking campaign...grinding away to fulfill their objectives.

China Launches First Aircraft Carrier on Maiden Sea Trial

Via Reuters -

China launched its first aircraft carrier for a maiden run on Wednesday, a step likely to boost patriotic pride at home and jitters abroad about Beijing's naval ambitions.


The carrier "left its shipyard in Dalian Port in northeast Liaoning province on Wednesday morning to start its first sea trial," said the official Xinhua news agency, describing the trip as a tentative test run for the unfinished ship.

The aircraft carrier, which is about 300 meters (984 feet) long, plowed through fog and sounded its horn three times as it left the dock, Xinhua said on its military news microblog.


Retired Chinese navy Rear Admiral Yin Zhuo told state-run television that his country intended to build an air carrier group, but the task would be long and difficult.

"As for forming a carrier group, I think that will take at least ten years," he told a Chinese television broadcast on the carrier launch.


Last month, China confirmed that it was refitting the old, unfinished Soviet carrier hull bought from Ukraine's government, and sources told Reuters it was also building two of its own carriers.

"China has had a longstanding fascination with the national prestige attached to aircraft carriers, and this first sea trial may be seen as a crucial step toward the goal of achieving great naval power status," said Chengxin Pan, an expert on China at Deakin University in Australia.

If Beijing is serious about having a viable carrier strike group, however, it will need three carriers, Ashley Townshend at the Lowy Institute for International Policy in Sydney told Reuters in an interview before the debut of the vessel.

China would also have to develop support ships and aircraft for any carrier group, Townshend said.

In China's neighborhood, India and Thailand already have aircraft carriers, and Australia has ordered two multi-purpose carriers. The United States operates 11 carriers.

Before the launch, a Pentagon spokesman played down the likelihood of any immediate leaps from China's carrier program. U.S. experts on the Chinese navy agreed.

"A newly-wed couple wants a 'starter home', a new great power wants a 'starter carrier'," Andrew Erickson of the U.S. Naval War College and Gabriel Collins, a security analyst, wrote in a note about the carrier launch (

"China's 'starter carrier' is of very limited military utility, and will primarily serve to confer prestige on a rising great power, to help the military master basic procedures, and to project a bit of power," they wrote.


STRATFOR: Dispatch: China's First Aircraft Carrier (April 2011)
Carrier operations are not something that’s easy to do, it’s going to take a very long time for the Chinese to be able to work through the various technicalities of this. It’s also not something they’re going to be able to learn from other people. The Russians haven’t done carrier operations a very long time and United States is certainly not going to be training them. So this is going to be years before the Chinese really have the coordination to be able to move large carrier battle groups anywhere. And that assumes also that China builds more carriers. A single carrier gives you almost no capability. It’s got to be in port, it’s got to be in for refit, it can only go to one location. Until they have about three carriers, they really don’t even have the opportunity to maintain a single carrier on station at any given point in time.

This is really more about politics rather than about military capabilities at this moment. Certainly, the Chinese will use this to learn, to train, to be able to develop new capabilities. But it’s about giving the sense that China has emerged, that China really is no longer just a second-tier country, but economically, politically and militarily, China is one of the big boys now.

Pentagon’s Mach 20 Missile Ready for Ultimate Test

Via (Threat Level) -

The Pentagon has been working for nearly a decade on an audacious plan to strike anywhere on the planet in less than an hour. Thursday could prove to be the do-or-die moment for that plan.

At approximately 7 a.m. PDT, a three-stage Minotaur IV Lite rocket is scheduled to lift off from Vandenberg Air Force Base in California. It will puncture the atmosphere, and then release an experimental aircraft. That aircraft, known as the Falcon Hypersonic Technology Vehicle 2, will then come hurtling back to Earth at nearly 20 times the speed of sound, splashing down near the Kwajalein Atoll in the Pacific Ocean, approximately 4,100 miles away. Total flight time: about 30 minutes.


The stakes are huge for the upcoming flight. Darpa has no plans to build a third vehicle. And, unless this test goes well, it’s unlikely that the Air Force or any other branch of the military will pick up on the agency’s work.

“More than 20 land, air, sea and space test assets” will be collecting data during the flight, Darpa contends. All that information will inform “future hypersonic flight vehicle performance, ultimately leading toward the capability of reaching anywhere in the world in under an hour.”

UN: Al-Shabab Weakened, Fragmented

Via VOA News -

The U.N.'s top diplomat for Somalia said Wednesday that there are significant improvements in the security situation in Mogadishu after the surprise withdrawal on Saturday by al-Shabab insurgents from the city. Augustine Mahiga said the fighters have been weakened by national and African Union forces, and that they have split up as they pull back from the Somali capital.

Ambassador Mahiga told reporters via a teleconference from Mogadishu that al-Shabab's so-called tactical retreat has fragmented the fighters into three groups.

"One column going southwards, another going westwards, and another going northwards - and they are still on the move," said Mahiga. "This already weakens their consolidated strength."

Mahiga said the Islamist militants are also being starved of financial support from individual benefactors, mainly in the Middle East and Arabian Gulf region. They also have lost vital revenue from the Bakaara market, which is the economic hub of the capital and had been under the insurgent's control until last week.

The U.N. envoy also credited Security Council sanctions targeting al-Shabab for taking a toll on their military and economic strength.

Mahiga said the territorial gains by the Transitional Federal Government forces, with support from African Union troops, known as AMISOM, translate to about 95 percent of the capital no longer in insurgent hands.

Earlier Wednesday, Mahiga briefed the U.N. Security Council via teleconference, saying that the improved security situation means the United Nations will be able to expand its presence in the country sooner than expected.

"We originally had anticipated that Mogadishu would be stabilized within roughly a year, but we are now revising our planning to focus on the immediate," added Mahiga. "We are now actively planning for an expanded U.N. presence inside Somalia, rather than a 'light footprint' we had envisaged."


Support UNICEF: Crisis in the Horn of Africa

Russia's Top Court Upholds Sentence for U.S. Spy Ring 'Traitor'

Via RIA Novosti (Russia) -

Russia's Supreme Court on Tuesday upheld the 25-year sentence handed down in absentia to Foreign Intelligence Service colonel Alexander Poteyev, who had betrayed a U.S. spy ring in 2010.

A Moscow military district court found 59-year-old Poteyev guilty of high treason in June.

Poteyev, who was recruited by the CIA in the 1990s, fled to the United States with his family shortly before the arrest of the sleeper agents was made public.

The Supreme Court's military board hearings were held in a closed session, as were those of the Moscow military district court.

The ten Russian nationals were arrested by U.S. law enforcement on June 27, 2010 on suspicion of being part of an espionage ring spying for Russia. They were quickly tried and flown out of the United States in an exchange for four people convicted of spying in Russia for the West.

Prime Minister Vladimir Putin, a 16-year veteran of the KGB service, said last year that "traitors" always "end up badly, taking to drink or drugs, or in a gutter."

However Putin refused to say whether Russia was planning to take revenge, saying secret services lived by their own laws and it was up to them to resolve these issues.


May 2011: FSB charges Russian who betrayed U.S. spy ring
Ten Russians, including media star Anna Chapman, were arrested in the United States in June 2010 on suspicion of espionage. They plead guilty to conspiring to act as unregistered foreign agents and were returned to Russia in exchange for four men accused by the Kremlin of spying for Britain's MI6 and the CIA.


Poteyev fled to the United States with his family shortly before the arrest of the sleeper agents was made public. His case will be heard in absentia.