Monday, October 31, 2011

Operation Ghost Stories: FBI Releases Russian Spy Ring Papers, Video

Via Fox News -

The FBI on Monday released surveillance tapes, photos and hundreds of pages of documents that shed new light on operation "Ghost Stories," the bureau's investigation of a ring of Russian sleeper agents that ended after more than a decade in the biggest spy swap since the Cold War.

Called illegals because they took civilian jobs instead of operating inside Russian embassies and military missions, the spies, including New York real estate agent Anna Chapman, mostly settled into quiet lives in middle-class neighborhoods.

Their long-range assignment from Moscow: burrow deep into U.S. society and cultivate contacts with academics, entrepreneurs and government policymakers on subjects from defense to finance.

The heavily-edited files provide a glimpse into the intensive surveillance the deep cover agents were under, in some cases for almost a decade, showing the middle-class spies with their children, shopping or in one case attending a graduation ceremony.

The code name Ghost Stories appears to refer to the ring's efforts to blend invisibly into the fabric of American society. An FBI spokesman said the decision to release the material on Halloween was coincidental.


The U.S. swapped the 10 deep cover agents for four Russians imprisoned for spying for the West at a remote corner of a Vienna airport on July 9, in a scene reminiscent of the carefully-choreographed exchange of spies at Berlin's Glienicke Bridge during the Cold War.

While freed Soviet spies typically kept a low profile after their return to Moscow, Chapman became a lingerie model, corporate spokeswoman and television personality. Donald Heathfield, whose real name is Andrey Bezrukov, lists himself as an adviser to the president of a major Russian oil company on his LinkedIn account. President Dmitry Medvedev awarded all 10 of the freed deep-cover operatives Russia's highest honors at a Kremlin ceremony.


FBI: Operation Ghost Stories - Inside the Russian Spy Case
The arrests of 10 Russian spies last year provided a chilling reminder that espionage on U.S. soil did not disappear when the Cold War ended. The highly publicized case also offered a rare glimpse into the sensitive world of counterintelligence and the FBI’s efforts to safeguard the nation from those who would steal our vital secrets.

Our case against the Russian Foreign Intelligence Service (SVR) operatives—dubbed Operation Ghost Stories—went on for more than a decade. Today we are releasing dozens of still images, surveillance video clips, and documents related to the investigation as part of a Freedom of Information Act request.

Libya's Prime Minister Confirms Presence of Chemical Weapons

Via Fox News (Oct 30, 2011) -

Libya's interim prime minister has confirmed the presence of chemical weapons in Libya and says foreign inspectors would arrive later this week to deal with the issue.

Prime Minister Mahmoud Jibril said Sunday that Libya has no interest in keeping such weapons.

Last week, Ian Martin, the top U.N. envoy to Libya, told the U.N. Security Council that undeclared chemical weapons sites have been located in Libya.

Jibril did not provide any details about the chemical weapons.

In August, Fox News interviewed Rep. Mike Rogers, R.-Mich., who said he saw a chemical weapon stockpile in the country during a 2004 trip. At the time, he said the U.S. was concerned about "thousands of pounds of very active mustard gas."

He also said there is some sarin gas that is unaccounted for.

A Russian-drafted U.N. resolution, to be voted on this week, calls on Libyan authorities to destroy stockpiles of chemical weapons in coordination with international authorities.

In February, the U.S. State Department told reporters that some chemical weapons remained in the country and the U.S. government was encouraging the Libyans to secure the sites.

Read more:

Sunday, October 30, 2011

CSIS Report: Canada Spy Agency Warned Gov Weeks Before Crippling Cyber Attack

Via The Globe and Mail (Canada) -

Canada's spy agency warned the government that federal departments were under assault from rogue hackers just weeks before an attack crippled key computers.

A newly released intelligence assessment, prepared last November, sounded a security alarm about malicious, targeted emails disguised as legitimate messages — the very kind that shut down networks two months later.

“The systems and networks used by various Canadian government departments have been attacked directly or indirectly,” says the Canadian Security Intelligence Service report.

A declassified copy of the top secret intelligence assessment, Cyberattacks on Canadian Government Departments: An Overview, was obtained by The Canadian Press under the Access to Information Act.

Extensive portions of the Nov. 4, 2010, report — including what are likely direct references to foreign suspects — have been excised due to ongoing sensitivity of the material.

“Canada has been engaged in detecting, monitoring and mitigating a series of ongoing and evolving ... cyberattacks directed against the computer systems and networks used by Canadian government departments,” says the CSIS document.


Employee Internet access at the Treasury Board and Finance departments — whose systems are shared — was cut off in January after what officials called “an unauthorized attempt” to break into the networks.

A routine evaluation of both departments last year revealed they had not been following all of the government's information technology security requirements.

Records previously released under the access law show government employees in a number of departments were advised last January of attempts to break into their systems, only days before one of the attempts succeeded.

The CSIS assessment notes the “tools and techniques used in these attacks are in a constant state of development and incorporate new computer-related technologies and Internet-related capabilities.”


In its annual public report last June, the spy service said cyberattacks launched through the Internet were the fastest growing form of espionage.

Attackers target computer systems in search of technology, intellectual property, military strategy and commercial or weapons-related information, the annual report said.

Why a Cybersecurity Treaty Is a Pipe Dream

Via Council on Foreign Relations (Op-Ed for CNN) -

With companies and governments seemingly incapable of defending themselves from sophisticated cyber attacks and infiltration, there is almost universal belief that any durable cybersecurity solution must be transnational. The hacker – a government, a lone individual, a non-state group – stealing valuable intellectual property or exploring infrastructure control systems could be sitting in Romania, China, or Nigeria, and the assault could transit networks across several continents. Calls are therefore growing for a global treaty to help protect against cyber threats.

As a step in that direction, the British government is convening next week the London Conference on Cyberspace to promote new norms of cybersecurity and the free flow of information via digital networks. International diplomacy like this among states and private stakeholders is important and will bring needed attention to these issues. But the London summit is also likely to expose major fault lines, not consensus, on the hardest and most significant problems. The idea of ultimately negotiating a worldwide, comprehensive cybersecurity treaty is a pipe dream.

Read more: Why a Cybersecurity Treaty Is a Pipe Dream

Saturday, October 29, 2011

Anonymous Threatens to Expose Zeta Cartel's Secrets

Via Houston Chronicle (Oct 28, 2011) -

An international group of online hackers is warning a Mexican drug cartel to release one of its members, kidnapped from a street protest, or it will publish the identities and addresses of the syndicate's associates, from corrupt police to taxi drivers, as well as reveal the syndicates' businesses.

The vow is a bizarre cyber twist to Mexico's ongoing drug war, as a group that has no guns is squaring off against the Zetas, a cartel blamed for thousands of deaths as well as introducing beheadings and other frightening brutality.


He also implies that the group will expose mainstream journalists who are somehow in cahoots with the Zetas by writing negative articles about the military, the country's biggest fist in the drug war.

"We demand his release," says the Anonymous spokesman, who is wearing a mask like the one worn by the shadowy revolutionary character in the movie V for Vendetta, which came out in 2006. "If anything happens to him, you sons of (expletive) will always remember this upcoming November 5."

The person reportedly kidnapped is not named, and the video does not share information about the kidnapping other than that it occurred in the Mexican state of Veracruz during a street protest.

Anonymous draws its roots from an online forum dedicated to bringing sensitive government documents and other material to light.

If Anonymous can make good on its threats to publish names, it will "most certainly" lead to more deaths and could leave bloggers and others open to reprisal attacks by the cartel, contends Stratfor, an Austin-based global intelligence company.

"In this viral world on the Internet, it shows how much damage could be done with just one statement on the Web," said Fred Burton of Stratfor, which published a report Friday that probes the implications of the cartel drawing the activists' ire.

Mike Vigil, the retired head of international operations for the Drug Enforcement Administration, said the Zetas must take Anonymous seriously.

"It is a gutsy move," Vigil said. "By publishing the names, they identify them to rivals, and trust me, they will go after them."

The Nitro Attacks: Stealing Secrets from the Chemical Industry


This document discusses a recent targeted attack campaign directed primarily at private companies involved in the research, development, and manufacture of chemicals and advanced materials. The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks. As the pattern of chemical industry targets emerged, we internally codenamed the attack campaign Nitro.

The attack wave started in late July 2011 and continued into mid-September 2011. However, artifacts of the attack wave such as Command and Control (C&C) servers are also used as early as April 2011 and against targets outside the chemical industry. The purpose of the attacks appears to be industrial espionage, collecting intellectual property for competitive advantage.


The attackers have changed their targets over time. From late April to early May, the attackers focused on human rights related NGOs. They then moved on to the motor industry in late May. From June until mid-July no activity was detected. At this point, the current attack campaign against the chemical industry began. This particular attack has lasted much longer than previous attacks, spanning two and a half months.

A total of 29 companies in the chemical sector were confirmed to be targeted in this attack wave and another 19 in various other sectors, primarily the defense sector, were seen to be affected as well. These 48 companies are the minimum number of companies targeted and likely other companies were also targeted. In a recent two week period, 101 unique IP addresses contacted a command and control server with traffic consistent with an infected machine. These IPs represented 52 different unique Internet Service Providers or organizations in 20 countries.

Companies affected include:

  • Multiple Fortune 100 companies involved in research and development of chemical compounds and advanced materials.
  • Companies that develop advanced materials primarily for military vehicles.
  • Companies involved in developing manufacturing infrastructure for the chemical and advanced materials industry.



The attacks were traced back to a computer system that was a virtual private server (VPS) located in the United States. However, the system was owned by a 20-something male located in the Hebei region in China. We internally have given him the pseudonym of Covert Grove based on a literal translation of his name. He attended a vocational school for a short period of time specializing in network security and has limited work experience, most recently maintaining multiple network domains of the vocational school.

Covert Grove claimed to have the U.S.-based VPS for the sole purpose of using the VPS to log into the QQ instant message system, a popular instant messaging system in China. By owning a VPS, he would have a static IP address. He claims this was the sole purpose of the VPS. And by having a static IP address, he could use a feature provided by QQ to restrict login access to particular IP addresses. The VPS cost was RMB200 (US$32) a month. While possible, with an expense of RMB200 a month for such protection and the usage of a U.S.-based VPS, the scenario seems suspicious. We were unable to recover any evidence the VPS was used by any other authorized or unauthorized users. Further, when prompted regarding hacking skills, Covert Grove immediately provided a contact that would perform ‘hacking for hire’. Whether this contact is merely an alias or a different individual has not been determined.

We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role. Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.


Here is a little gem (missed by many) in Symantec's Nitro Attacks Report....

Page 3:
"Figure 2 shows the country of origin of the organizations targeted by these attacks. While the US and UK again figure highly here, overall the geographical spread is different. This means that the infected computers are rarely located within the organizations’ headquarters or country of origin."
In attempting to explain this, Symantec misses one another option: attackers like to target people that share their native language - making for easier social engineering attacks.

Friday, October 28, 2011

Android Orphans: Visualizing a Sad History of Support

The announcement that Nexus One users won’t be getting upgraded to Android 4.0 Ice Cream Sandwich led some to justifiably question Google’s support of their devices. I look at it a little differently: Nexus One owners are lucky. I’ve been researching the history of OS updates on Android phones and Nexus One users have fared much, much better than most Android buyers.

I went back and found every Android phone shipped in the United States1 up through the middle of last year. I then tracked down every update that was released for each device - be it a major OS upgrade or a minor support patch - as well as prices and release & discontinuation dates. I compared these dates & versions to the currently shipping version of Android at the time. The resulting picture isn’t pretty - well, not for Android users....


This is one case where Apple's full vertical market control of their phone product is a positive.

Carriers have never been good about applying OS patches on mobile phones. It was less important when each carrier had a different OS, but as they increasingly converge toward Android...the bad guys are watching the number of mobile devices that can be exploited with one attack plan increasing in front of them very quickly - all thanks to the carriers themselves.

STRATFOR: Dissecting a Mexican Cartel Bombing in Monterrey

Via STRATFOR (Security Weekly) -

Early Oct. 20, a small sedan apparently filled with cartel gunmen rapidly pulled in front of a military vehicle, drawing the military patrol into a car chase in downtown Monterrey, Mexico. After a brief pursuit, the vehicle carrying the cartel gunmen turned at an intersection. As the military vehicle slowed to negotiate the turn, an improvised explosive device (IED) concealed in a parked car at the intersection detonated. The incident appears to have been intended to lure the military patrol into a designated attack zone. While the ambush did not kill any soldiers, it did cause them to break off their chase.

Though this IED ambush is interesting in itself for a number of reasons, we would like to use it as a lens to explore a deeper topic, namely, how STRATFOR analyzes a tactical incident like this.

Read more: Dissecting a Mexican Cartel Bombing in Monterrey | STRATFOR


STRATFOR Dispatch: Implications of a Mexican Drug Lord's Capture
Vice President of Tactical Intelligence Scott Stewart discusses the arrest of Rafael Cardenas Vela and what it means for the Gulf Cartel and for security in Mexico’s northeast.

Thursday, October 27, 2011

U.S. Drone Base in Ethi­o­pia is Operational

Via Washington Post -

The Air Force has been secretly flying armed Reaper drones on counterterrorism missions from a remote civilian airport in southern Ethi­o­pia as part of a rapidly expanding U.S.-led proxy war against an al-Qaeda affiliate in East Africa, U.S. military officials said.

The Air Force has invested millions of dollars to upgrade an airfield in Arba Minch, Ethi­o­pia, where it has built a small annex to house a fleet of drones that can be equipped with Hellfire missiles and satellite-guided bombs. The Reapers began flying missions earlier this year over neighboring Somalia, where the United States and its allies in the region have been targeting al-Shabab, a militant Islamist group connected to al-Qaeda.


The Washington Post reported last month that the Obama administration is building a constellation of secret drone bases in the Arabian Peninsula and the Horn of Africa, including one site in Ethi­o­pia. The location of the Ethio­pian base and the fact that it became operational this year, however, have not been previously disclosed. Some bases in the region also have been used to carry out operations against the al-Qaeda affiliate in Yemen.

The Air Force confirmed Thursday that drone operations are underway at the Arba Minch airport. Master Sgt. James Fisher, a spokesman for the 17th Air Force, which oversees operations in Africa, said that an unspecified number of Air Force personnel ­are working at the Ethio­pian airfield “to provide operation and technical support for our security assistance programs.”

The Arba Minch airport expansion is still in progress but the Air Force deployed the Reapers there earlier this year, Fisher said. He said the drone flights “will continue as long as the government of Ethi­o­pia welcomes our cooperation on these varied security programs.”

China's Internet Users Targeted in Online Rumour Probes

Via BBC -

China is intensifying restrictions on internet use after official reports revealed that three people have been "punished for spreading false rumours" online.

Authorities say they are carrying out inquiries into other suspected cases.

The news comes just over a week after Communist Party leaders agreed a list of "cultural development guidelines".

They include increased controls over social media and penalties for those spreading "harmful information".

The Xinhua news agency quotes regulators as saying that efforts will be stepped up "to stop rumours and punish individuals and websites spreading rumours".

It says a university student was detained after being accused of posting a fake news story about a man killing eight village chiefs in the south-western province of Yunnan.

It goes on to report that a website editor was issued with a warning after publishing a story about an air force fighter crash without confirming the facts.

And it says that a Shanghai resident was held in police custody for 15 days after accusations he had posted a falsified income tax document online.

The agency says China has 485 million registered web users.

"We have seen a tightening of control under the Hu Jintao government," said Sarah McDowall, Asia-Pacific regional manager at IHS Global Insight.

"Officials are particularly worried by the rise in popular protests and will have observed the fall of Gaddafi last week. With China facing a leadership change next year, the government feels it cannot soften its stance."

SecureWorks: Duqu Trojan Questions and Answers

The Dell SecureWorks Counter Threat UnitSM (CTU) research team has been analyzing an emerging malware threat identified as the Duqu trojan. This Trojan horse has received a great deal of attention because it is similar to the infamous Stuxnet worm of 2010. This report includes answers to questions about this threat. CTU researchers have put countermeasures in place to detect Duqu C2 traffic, and they continue to monitor for new Duqu samples and update protections as needed.

Chinese Military Suspected in Hacker Attacks on U.S. Satellites

Via Bloomberg BusinessWeek -

Computer hackers, possibly from the Chinese military, interfered with two U.S. government satellites four times in 2007 and 2008 through a ground station in Norway, according to a congressional commission.

The intrusions on the satellites, used for earth climate and terrain observation, underscore the potential danger posed by hackers, according to excerpts from the final draft of the annual report by the U.S.-China Economic and Security Review Commission. The report is scheduled to be released next month.

“Such interference poses numerous potential threats, particularly if achieved against satellites with more sensitive functions,” according to the draft. “Access to a satellite‘s controls could allow an attacker to damage or destroy the satellite. An attacker could also deny or degrade as well as forge or otherwise manipulate the satellite’s transmission.”

A Landsat-7 earth observation satellite system experienced 12 or more minutes of interference in October 2007 and July 2008, according to the report.

Hackers interfered with a Terra AM-1 earth observation satellite twice, for two minutes in June 2008 and nine minutes in October that year, the draft says, citing a closed-door U.S. Air Force briefing.

The draft report doesn’t elaborate on the nature of the hackers’ interference with the satellites.


Hackers Targeted U.S. Government Satellites

Wednesday, October 26, 2011

Google Funded Project Confirms Vast Potential for Geothermal Energy

Via Forbes -

When people talk about alternative energy, they typically discuss the potential of wind and solar projects. Don’t get me wrong – there’s a vast potential in those technologies. But often left out of the discussion is the vast potential for geothermal energy – using the natural heat under the Earth’s surface to produce electricity. Harnessing that energy is one of the cleanest, sustainable ways to produce electricity, and it also has the benefit of being more space efficient than, say, a wind farm.

Of course, like any natural resource, the question becomes – where best to build geothermal plants? To answer that question, researchers at Southern Methodist University, funded by, compiled data from over 35,000 sites to build a complete picture of geothermal potential in the United States. Their findings? There is a vast potential for geothermal energy that can be tapped with technology existing today. You can check out the mapping for yourself on Google Earth by going here and downloading the info.

How much energy? you ask. Well, the researchers based their estimates on what current technology is able to extract – not any hypothetical future advances. Even so, it turns out that there is three million megawatts of potential geothermal energy below the surface of the United States. That’s ten times the energy of every coal plant in the United States online today.

That’s an enormous potential for much cleaner energy than what we use today.

Mitsubishi Heavy Industries Admits Hackers May Have Snatched Secrets

Via Computerworld (Oct 25, 2011) -

Japan's largest defense contractor backpedaled yesterday, saying it's possible some secrets had been stolen by hackers who broke into the company's network and planted malware in August. The acknowledgement came several weeks after Mitsubishi Heavy Industries, confirming that scores of its servers and PCs had been infected, denied any information had been pilfered.

Previously, a U.S.-based Mitsubishi Heavy spokesman had said that although attackers had uncovered company IP (Internet Protocol) addresses, the attack "was caught at an early stage." But yesterday the company changed its tune, saying that more investigation had revealed a possible loss of information.

"The company recently confirmed unintended transferring of some information on the company's products and technologies between servers within the company," said Mitsubishi Heavy in a statement. "Based on the finding, the company investigated the incident further and recognized the possibility of some data leakage from the server in question."

The company declined to confirm that any diversion of data related to defense or nuclear technologies took place. Mitsubishi Heavy's admission came on the same day that the Japanese newspaper Asahi Shimbun cited unnamed sources who said data on company-built fighter jets, helicopters and nuclear power plants had apparently been stolen during the attack.

Tuesday, October 25, 2011

McAfee Says Duqu No Threat To Utilities

Via CRN -

Security vendor McAfee has told utilities that the Duqu malware posed no threat, a concern raised by its similarities to the Stuxnet worm that attacked industrial control systems in Iran’s nuclear facility last year.

In a conference call Monday, David Hatchell, utilities account manager for McAfee, said there was “nothing to worry about at this point.”

“It (Duqu) is not targeting industrial control systems that we know of, and it’s not targeting any energy (companies) as far as we know,” Hatchell said.


“We can clearly see that this is used for espionage,” Peter Szor, senior director of research at McAfee Labs, said during the conference call. Very different industries have been targeted, including a hotel chain. While there was no confirmation from Iran, military industries in the country also could have been targeted. “Basically the goal of the malware is speculation at this point,” he said.


Szor said the company believes the drivers for Duqu were compiled in November 2010. The keylogger portion of Duqu, which records keyboard strokes, was compiled three months earlier. Szor believes earlier variants of Duqu may have been used to steal data in preparation for the Stuxnet attack. “That’s why I think personally that Duqu was a bit earlier than Stuxnet,” he said.

Variations of Duqu have been confirmed in England, Iran and the U.S., with reports of the Trojan in Austria, Hungary and Indonesia, McAfee said. Similarities to Stuxnet include the same malware-hiding rootkit, use of a stolen certificate authority from Taiwan to enable installation and a set timeframe for operation. Duqu was timed to delete itself after 36 days and the certificate was stolen from C-Media Electronics, according to McAfee.


McAfee Labs: Duqu – Threat Research and Analysis

Hackers Likely Have Japanese Warplane, Nuclear Data

Via InformationWeek -

Hackers targeting Japan's defense industry likely obtained sensitive information relating to military warplanes, missiles, as well as design and safety information for nuclear power plants.

On Monday, sources close to the Japanese defense ministry said that while data relating to confidential national security matters didn't appear to have been breached, sensitive information had been stolen, reported the Japan Times.


Earlier this month, both Mitsubishi Heavy and Kawasaki Heavy Industries suffered attacks after hackers stole email addresses for senior executives at defense contractors, reported the Daily Yomiuri. The email addresses were stolen earlier this year from the Society of Japanese Aerospace Companies (SJAC), an industry association that counts numerous Japanese aeronautics, space, and defense-related import businesses as members and partners.

The recent attack against Mitsubishi Heavy and Kawasaki Heavy Industries followed attacks against numerous Japanese defense contractors over the summer. They came to light when Mitsubishi Heavy filed a complaint to Tokyo police in September, saying that its website had been breached by an attack that targeted 45 company servers, resulting in 38 computers in 11 locations being infected with more than 50 different types of viruses.

Those viruses apparently enabled the attackers to steal data from Mitsubishi Heavy relating to warplanes, nuclear plants, as well as Japan's Type 80 ASM-1 missile, which can be used against ships. Notably, the locations infected by the viruses included the Kobe and Nagasaki shipyards, which build submarines and destroyers, as well a facility in Nagoya that's building a guided missile system, reported Asahi Shimbun.

Meanwhile, in the most recent attack--involving SJAC--the attacker used the industry association as a stepping stone to the defense contractors. "The hacker targeted the industry association, which has inadequate security. We assume the hacker attempted to use it to spread computer viruses throughout the nation's defense industry," a senior Japanese police official told the Daily Yomiuri. Similar attacks were launched against Kawasaki Heavy Industries, and the attacker appeared to have stolen at least some of that company's emails.

But police said that before breaching SJAC, the attacker first exploited a PC at an international telephone service company located in Tokyo. The attacker used that PC to send an email--presumably with a malicious attachment--to someone at SJAC. The malicious attachment was opened, and a PC at SJAC compromised. From there, the attacker used the PC to access an internal server containing the names and email addresses for senior executives at Japanese defense contractors.

Next, the attacker sent one or more emails from the exploited PC at SJAC, supposedly from an SJAC executive, to defense contractors. In the case of Kawasaki Heavy Industries, the email subject line read, "Prior distribution of documents," and the message included a malicious file attachment titled "Comments on lump sum procurement." Interestingly, the email's subject line and contents were virtually identical to a message that the executive had sent, just 10 hours prior.

Japan's defense contractors aren't the only institutions being targeted by attackers. On Tuesday, Asahi Shimbun reported that a Trojan application sent as an email attachment to Japanese legislators had enabled attackers to spy on lawmakers for at least a month. Once the Trojan application had infected a targeted PC, it downloaded malware from a server in China, enabling the attackers to steal usernames and passwords.


Sophos: Japanese Parliament Hit By Cyber Attack

STRATFOR: Mexican Cartel Smuggling Routes


Linux 'Tsunami' Backdoor Ported to Target OS X Systems

Via ESET Blog -

We’ve just come across an IRC controlled backdoor that is enables the infected machine to become a bot for Distributed Denial of Service attacks. The interesting part about it is that it’s a Mach-O binary – targeting Mac OS X.

ESET’s research team compared this to samples in our malware collection and discovered that this code is derived from something we’ve seen before. It is actually an OS X port of the Linux family of backdoors that we have been detecting since 2002 as Linux/Tsunami.

The analyzed sample contains a hardcoded list of IRC servers and channel that it attempts to connect to. This client then listens and interprets commands from the channel.


In addition to enabling DDoS attacks, the backdoor can enable a remote user to download files, such as additional malware or updates to the Tsunami code. The malware can also execute shell commands, giving it the ability to essentially take control of the affected machine.

In terms of functionality, the Mac variant of the backdoor is similar to its older Linux brother, with only the IRC server, channel and password changed and the greatest difference being that it’s a 64-bit Mach-O binary instead of an ELF binary.

Monday, October 24, 2011

Tunisia's Voters Go to the Polls in Arab Spring's First Election

Via The Guardian UK -

People queue to vote as candidates from 110 political parties and scores of independents bid to join Tunisia's new 217-seat government. Turnout in the first free election in Tunisian history was thought to have been high. The Islamist An-Nahda party is expected to win the biggest share of the vote.


CFR: Tunisia at the Crossroads

"In many ways, the election process may be just as important as the results. A free and fair election would be a first in Tunisia, and strong voter turnout will signal public support for the transition process. As long as voting proceeds without significant irregularities, the international community should applaud the elections as a significant step toward democracy."

Sunday, October 23, 2011

SpyEye Changes Phone Numbers to Hijack Out of Band SMS Security

Via Trusteer Blog (Oct 5, 2011) -

The Trusteer research team recently uncovered a stealth new attack carried out by the SpyEye Trojan that circumvents mobile SMS (short message service) security measures implemented by many banks. Using code we captured while protecting a Rapport user, we discovered a two-step web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm the transactions without the user’s knowledge.


Out-of-Band is not a Panacea

This latest SpyEye configuration demonstrates that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof. Using a combination of MITB (man in the browser injection) technology and social engineering, fraudsters are not only able to bypass OOBA but also buy themselves more time since the transactions have been verified and fly under the radar of fraud detection systems. The only way to defeat this new attack once a computer has been infected with SpyEye is using endpoint security that blocks MITB techniques. Without a layered approach to security, even the most sophisticated OOBA schemes can be made irrelevant under the right circumstances.

Suspected Russian Spy Couple Arrested in Germany

Via New York Post -

A married couple were arrested in Germany accused of spying for Russia's foreign intelligence service for more than 20 years.

German federal police arrested the two suspected spies in Marburg, central Germany, and Balingen, southwestern Germany, last Tuesday, German magazine Der Spiegel reported Saturday.

Police, who believe the alleged spies had been working in Germany since the KGB was still in operation, reportedly walked in on the woman while she was listening to encoded radio transmissions. Both suspects deny the allegations.

Authorities began investigating the couple after the FBI busted a Russian spy ring in the US last year.


According to a rough translation of the original Der Spiegel article, the couple are suspected SVR 'illegals', just like the spy ring busted by the FBI in June 2010.,1518,793325,00.html (German)

Friday, October 21, 2011

STRATFOR: Reflections on the Iranian Assassination Plot

Via STRATFOR (Security Weekly) -

On Oct. 11, the U.S. Department of Justice announced that two men had been charged in New York with taking part in a plot directed by the Iranian Quds Force to kill Saudi Arabia’s ambassador to the United States, Adel al-Jubeir, on U.S. soil.

Manssor Arbabsiar and Gholam Shakuri face numerous charges, including conspiracy to use a weapon of mass destruction (explosives), conspiracy to commit an act of terrorism transcending national borders and conspiracy to murder a foreign official. Arbabsiar, who was arrested Sept. 29 at John F. Kennedy International Airport in New York, is a U.S. citizen with both Iranian and U.S. passports. Shakuri, who remains at large, allegedly is a senior officer in Iran’s Quds Force, a special unit of the Islamic Revolutionary Guard Corps (IRGC) believed to promote military and terrorist activities abroad.

Between May and July, Arbabsiar, who lives in the United States, allegedly traveled several times to Mexico, where he met with a U.S. Drug Enforcement Administration (DEA) confidential informant who was posing as an associate of the Mexican Los Zetas cartel. The criminal complaint charges that Arbabsiar attempted to hire the DEA source and his purported accomplices to kill the ambassador. Arbabsiar’s Iranian contacts allegedly wired two separate payments totaling $100,000 in August into an FBI-controlled bank account in the United States, with Shakuri’s approval, as a down payment to the DEA source for the killing (the agreed-upon total price was $1.5 million).

Much has been written about the Arbabsiar case, both by those who believe the U.S. government’s case is valid and by those who doubt the facts laid out in the criminal complaint. However, as we have watched this case unfold, along with the media coverage surrounding it, it has occurred to us that there are two aspects of the case that we think merit more discussion. The first is that, as history has shown, it is not unusual for Iran to employ unconventional assassins in plots inside the United States. Second, while the DEA informant was reportedly posing as a member of Los Zetas, we do not believe the case proves any sort of increase in the terrorist threat emanating from the United States’ southern border.

Read more: Reflections on the Iranian Assassination Plot | STRATFOR


While many foreign policy and terrorism experts look at the recent alleged Iranian plot with skepticism, STRATFOR outlines similarities between the recent plot and previous Iranian assassination plots in both the US and Europe.

ETA Declares Peace. Is Spain Ready to Believe It?

Via (World) -

The words Spaniards have waited 43 years to hear finally came on Thursday evening. In a video sent to a handful of media outlets, three masked figures wearing the typical beret of the Basque country appeared on screen and declared, "ETA has decided to bring its armed activity to a definitive cessation." And with that, the separatist violence that has plagued Spain for more than four decades — and left 829 people dead — appeared to end.

It was, in many ways, a death foretold. In the past several years, ETA, which was formed in 1959 to fight for an independent Basque homeland and committed its first attack in 1968, has grown progressively weaker, while the demands for peace have only increased, spreading even to the group's historical allies. But the news still left Spaniards debating the reasons for the declaration and, perhaps more significantly for the peace process, wondering if they could trust it.

It's no surprise that this happened," says Ignacio Sánchez-Cuenca, political scientist at Madrid's Juan March Institute and author of several books about ETA. "I'm simplifying here, but you can see two basic causes: the fact that as ETA has diminished, it has been easier for the police to control, while at the same time, the support for a political solution among the Basque nationalist left has grown."

Cooperation between Spanish, French, and Portuguese authorities has decimated ETA's leadership in recent years, leaving the band with what experts estimate are only 50 active members. Seven hundred convicted members of the separatist group are currently serving prison sentences, and ETA has staged no attacks since March 2010, and none on Spanish soil since June 2009.

For security expert Ignacio Cosidó, member of parliament for the opposition Popular Party, those efforts explain why ETA has said it is abandoning violence. "The declaration is due above all to the efficiency of police and security forces," he says. "ETA finds itself so weak that it really had no other choice."

Read more:,8599,2097522,00.html


ETA or Euskadi Ta Askatasuna ("Basque Homeland and Freedom") is an armed Basque nationalist and separatist organization. The group was founded in 1959 and has since evolved from a group promoting traditional Basque culture to a paramilitary group with the goal of gaining independence for the Greater Basque Country. ETA is the main organisation of the Basque National Liberation Movement and is the most important participant in the Basque conflict. ETA declared ceasefires in 1989, 1996, 1998 and 2006, but subsequently broke them. However, on 5 September 2010, ETA declared a new ceasefire that is still in force — moreover, on 20 October 2011 ETA announced a "definitive cessation of its armed activity".

The European Union and the United States list ETA as a terrorist organization in their relevant watch lists. The United Kingdom lists ETA as a terrorist group under the Terrorism Act 2000. The Canadian Parliament listed ETA as a terrorist organization in 2003.

Symantec: Duqu Status Update #1

Via Symantec Security Response Blog -

As mentioned in our previous blog, W32.Duqu was first brought to our attention by a research lab who had been investigating a targeted attack on another organization. This research was conducted by the Laboratory of Cryptography and System Security (CrySyS) in the Department of Telecommunications, Budapest University of Technology and Economics. CrySyS identified the infection and observed its similarity to W32.Stuxnet. They stated that no data was leaked as part of this attack.

We are grateful to CrySyS—sharing their findings allowed us to identify further attacks taking place. We have now determined that the originally targeted organization was one of a limited number of targets which include those in the industrial infrastructure industry. CrySyS has issued a statement regarding their analysis here:

The latest version of our white paper includes new information, such as details on further components we observed being downloaded onto a compromised machine. We will continue to provide updates to our white paper as further information comes to light.

Thursday, October 20, 2011

School of Economic Warfare: Spies like them

Via Canadian Business -

Most business schools offer a variety of specialities, from marketing and accounting to corporate finance. But there is a school in Europe with an MBA program in what faculty members call “defence against the dark arts.” The institution in question is well-known to its stated enemies—greedy corporate executives who attempt to dominate the business world via evil means—but is nearly invisible to the general public. Tucked away in the bowels of Paris, down a side street near where Napoleon once studied the finer points of waging war, its entrance is an unmarked storefront. Window blinds are typically drawn to keep out prying eyes. As a result, most people on the street tend to stroll by without ever gaining awareness of the powerful forces being taught inside.

Don’t be fooled by the reference to fighting dark arts. This isn’t a graduate program offered by Harry Potter’s beloved Hogwarts. The institution out to conquer evil in this case is the deadly serious École de Guerre Économique, known in English circles as the School of Economic Warfare, where students are equipped with a unique and controversial set of skills that school founders insist are required to successfully lead modern corporations on the battlefield of capitalism, 24 hours a day, seven days a week.

When most people talk about industrial espionage in the West, the finger wagging is typically aimed at China and Russia. In emerging markets, more than a few people insist that Uncle Sam somehow manages aggressively to deploy the CIA to steal trade secrets for select U.S. corporations without raising a legal peep from other American companies. But what those concerned talk about when not tossing accusations at China or the United States is France—an aggressive collector of industrial intelligence since the mid-1700s, when the British naively invited French operatives to inspect their mines, smelters and foundries. The British Board of Longitude even foolishly let French operatives examine John Harrison’s revolutionary marine clocks.

Intelligence experts around the world warn the business community not to underestimate the French. But faculty members at the School of Economic Warfare have little time for corporate Boy Scouts. They’re more concerned with warning executives not to underestimate the risks associated with always playing fair. “All is fair in love, war and business” isn’t the school’s official motto, but it fits the bill, insists faculty member Jean-François Bianchi, a specialist in information engineering who teaches courses on the theory and strategy of influence and counter-influence.


Furthermore, as pointed out by Richard Bejtlich, chief security officer with Mandiant, an information security company based in Washington, D.C., playing defence all the time can be “a losing strategy in more than just hockey.”


Bejtlich says most unethical acts of corporate espionage are still conducted by governments, or state organs, working on behalf of national champions. But he thinks more and more companies are being tempted to cross the line. And the security expert sees a growing desire to fight back in a far more aggressive manner. Whenever Bejtlich deals with a company that has been attacked, he says executives always want to know, “What can we do to get back at these guys?” Those conversations, he adds, never go anywhere because lawyers quickly get involved. “You will be hard-pressed to find any company with a legal department that allows them to do anything more than defend themselves,” he says.


The School of Economic Warfare—which charges tuition of between €10,000 and €15,000 per year (depending on support from an employer)—was clearly founded to help French companies get a leg up on the competition. But it is open to students from around the world, although some nationalities can be blacklisted if the school suspects an untrustworthy government behind the application. It offers a one-year program that requires about 800 hours of study and exercises, aimed at the same audience that would undertake a traditional MBA. There is also a part-time program for working professionals, which requires about 350 hours a year. The school attracts students from all sectors, but the student body is typically weighted toward hyper-competitive industries such as energy, auto making and finance.

Wednesday, October 19, 2011

Flashback Trojan Now Disabling Mac XProtect

Via -

Mac-based malware is still a relatively rare occurrence when compared to the flood of malicious programs aimed at Windows. But, it appears that the attackers who are creating the more recent Mac malware either have experience writing Windows-based malware or are simply paying close attention to what's been working for Windows malware for all of these years. The latest evidence of this being the discovery that the Flashback Mac Trojan has the ability to overwrite the Mac's built-in antimalware component and prevent it from updating.


Now, researchers have found that a recently discovered piece of Mac malware known as the Flashback Trojan is using a similar technique to hamper the XProtect antimalware system that's included in newer versions of OS X. Once resident on a newly infected Mac, the Flashback malware will decrypt a specific XProtect file and then decrypt the path of the XProtectUpdater binary, according to an analysis by researchers at F-Secure. The next step is for Flashback to unload the XProtectUpdater daemon and then overwrite certain components.

"The action described above wipes out certain files, thus, preventing XProtect from automatically receiving future updates," the analysis says.


For some reason, Apple is failing to learn the lessons of the last 10+ years. They only need to look back of how malware started out and then dominated the Windows world.

Apple has been increasing their use of anti-expoitation mitigations (i.e. ASLR, sandboxing) in each verison of OS X released, but as long the malware authors contiune to see a positive cost benefit in attacking OS X, they will contiune to go after Mac users.

I use Sophos' free home edition (at home of course) and haven't had any issues wth it on MBP.

Sophos Anti-Virus for Mac Home Edition (It's Free)

Tuesday, October 18, 2011

GTISC: Cybersecurity Threats to Pick Up Steam in 2012

Via Scientific American -

This year has had its share of cybersecurity bombshells. Cybersecurity vendor McAfee revealed widespread theft of government data over the past five years. Now the hacker group Anonymous has threatened to take down the New York Stock Exchange's computers .

Expect more of the same in 2012, maybe even worse. So says a new report (pdf) from the Georgia Tech Information Security Center.

So-called search poisoning will emerge. That's where a cyber attacker inserts a virus or spyware into your search results.

Beware of Mobile Web-based attacks as well. Mobile phones have always been relatively insecure. Now that so many people use them to surf the Web and store sensitive data, they've become a prime target for hackers.

The Georgia Tech report also cautions against the use of hijacked computers, called botnets, to steal personal information from your online accounts and then sell that info to marketers.

Your best defense is common sense. Update your passwords and antivirus software regularly. And play it safe when surfing the Web from your phone. Stick with app stores and other sites you know and trust.


GTISC: Emerging Cyber Threats Report 2012

Analysis: Duqu Targets Certificate Authorities

Via -

With virus researchers scrambling to decode a new piece of malware that is based on the code of the Stuxnet worm, an analyst at McAfee is speculating that the new worm, Duqu, may have been created to target certificate authorities.

Writing on McAfee's research blog, Guilherme Venere and Peter Szor say that an analysis of the Duqu code by McAfee experts suggests that the worm was created "for espionage and targeted attacks against sites such as Certificate Authorities (CAs)." The McAfee analysis, if accurate, is the first to explicitly mention the type of organization that the Duqu worm targeted, and would suggest that those behind the worm intended to use it as a precursor to subsequent, targeted attacks.

Certificate authorities have been prominent targets of hackers in recent months.


McAfee said that the Duqu worm has been identified in "professional, targeted attacks" against CAs in parts of Europe, the Middle East, Asia and Africa. The researchers speculate that a digital certificate belonging to the firm C-Media, based in Taipei, was not stolen, but forged by a compromised CA.

The McAfee analysis fills in some details omitted from a longer analysis released by Symantec Corp on Tuesday. That research declined to name the kind of firm targeted by the worm, but provided a detailed analysis of the Duqu code, which bears a close resemblance to Stuxnet, with shared code used for the injection attack and several encryption keys and techniques that were used in Stuxnet.

Like Symantec's report, the analysis from McAfee says that it knows of only a few infections linked to Duqu, and says the worm doesn't appear to be designed to attack industrial control systems, as Stuxnet was.

Java Updates and the BEAST

Oracle Java SE Critical Patch Update Advisory - October 2011

Oracle released JRE 6 Update 29 and Java 7 Update 1 today. Along with fixing six very serious vulnerabilities (CVSS 10.0), these updates include a fix for CVE-2011-3389 as well.

Beyond the fact that some of those CVSS 10.0 vulnerabilities will end up in exploit kits quickly, the CVE-2011-3389 fix addresses the Same Origin Policy (SOP) bypass used by Rizzo/Duong in their chosen plain text attack on SSL/TLS 1.0, also known as "BEAST".

Of couse, this fix by Oracle does not totally fix weakness in the SSL/TLS 1.0 protocol...therefore it is important for the security industry to keep pushing toward wider adoption of TLS v1.1+.

W32.Duqu: The Precursor to the Next Stuxnet

Via Symantec Security Response Blog -

On October 14, 2011, a research lab with strong international connections alerted us to a sample that appeared to be very similar to Stuxnet. They named the threat "Duqu" [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided us with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet, which we were able to confirm. Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.

The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. The attackers were searching for assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered, and in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.


Duqu shares a great deal of code with Stuxnet; however, the payload is completely different. Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities. The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks.

You can find additional details in our paper here. The research lab that originally found the sample has allowed us to share their initial report as an appendix. We expect to make further updates over the coming days.

Key points:
  • Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
  • The executables are designed to capture information such as keystrokes and system information.
  • Current analysis shows no code related to industrial control systems, exploits, or self-replication.
  • The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
  • The exfiltrated data may be used to enable a future Stuxnet-like attack.


Whitepaper - W32.Duqu: The Precursor to the Next Stuxnet

W32.Duqu - Summary

Monday, October 17, 2011

U.S. Debated Cyberwarfare in Attack Plan on Libya

Via NY Times -

Just before the American-led strikes against Libya in March, the Obama administration intensely debated whether to open the mission with a new kind of warfare: a cyberoffensive to disrupt and even disable the Qaddafi government’s air-defense system, which threatened allied warplanes.

While the exact techniques under consideration remain classified, the goal would have been to break through the firewalls of the Libyan government’s computer networks to sever military communications links and prevent the early-warning radars from gathering information and relaying it to missile batteries aiming at NATO warplanes.

But administration officials and even some military officers balked, fearing that it might set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own, and questioning whether the attack could be mounted on such short notice. They were also unable to resolve whether the president had the power to proceed with such an attack without informing Congress.

In the end, American officials rejected cyberwarfare and used conventional aircraft, cruise missiles and drones to strike the Libyan air-defense missiles and radars used by Col. Muammar el-Qaddafi’s government.

This previously undisclosed debate among a small circle of advisers demonstrates that cyberoffensives are a growing form of warfare. The question the United States faces is whether and when to cross the threshold into overt cyberattacks.


“We don’t want to be the ones who break the glass on this new kind of warfare,” said James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies, where he specializes in technology and national security.

That reluctance peaked during planning for the opening salvos of the Libya mission, and it was repeated on a smaller scale several weeks later, when military planners suggested a far narrower computer-network attack to prevent Pakistani radars from spotting helicopters carrying Navy Seal commandos on the raid that killed Osama bin Laden on May 2.

Again, officials decided against it. Instead, specially modified, radar-evading Black Hawk helicopters ferried the strike team, and a still-secret stealthy surveillance drone was deployed.

“These cybercapabilities are still like the Ferrari that you keep in the garage and only take out for the big race and not just for a run around town, unless nothing else can get you there,” said one Obama administration official briefed on the discussions.

The debate about a potential cyberattack against Libya was described by more than a half-dozen officials, who spoke on the condition of anonymity because they were not authorized to discuss the classified planning.

In the days ahead of the American-led airstrikes to take down Libya’s integrated air-defense system, a more serious debate considered the military effectiveness — and potential legal complications — of using cyberattacks to blind Libyan radars and missiles.

“They were seriously considered because they could cripple Libya’s air defense and lower the risk to pilots, but it just didn’t pan out,” said a senior Defense Department official.

After a discussion described as thorough and never vituperative, the cyberwarfare proposals were rejected before they reached the senior political levels of the White House.

Police Find Matching Modus Operandi in Mitsubishi Heavy, Kawasaki Heavy Cases

Via Daily Yomiuri Online (Japan) -

Police increasingly believe the same hacker was responsible for the recent cyber-attacks on Mitsubishi Heavy Industries Ltd. and Kawasaki Heavy Industries Ltd.

A computer virus found in the attack on Kawasaki Heavy Industries, which was sent by e-mail through a computer at the Society of Japanese Aerospace Companies (SJAC), forced infected personal computers to access a Web site in the United States, sources close to the issue said Saturday. Police have found that infected PCs at Mitsubishi Heavy Industries were made to access the same Web site.

The police suspect the hacker used the U.S. site as a so-called springboard, via which the attacker manipulated computer terminals from the outside. Springboards refer to PCs and computer servers used as communication relay points by cyber-attackers to prevent their originating port from being identified.


According to the sources, Kawasaki Heavy Industries received e-mails whose senders posed as SJAC officials and member company employees at least three times from June to August. Police analyzed viruses hidden in the e-mails and found they contained programs that force infected PCs to access Web sites and exchange data.

The police discovered the Web site involved in this case had an Internet protocol address registered in California.

The virus confirmed to have been used in the attacks against Mitsubishi Heavy Industries performed the same function. In addition to the California-registered site, infected computers had communicated with Web sites in Japan and other countries including China and India.

The U.S. site was likely to have been infected with viruses and manipulated by someone from the outside, investigators said.

The Web site in question appears to have been closed as early as mid-September, when the cyber-attacks on Mitsubishi Heavy Industries came to light.

Information security experts said hackers use such contacts with outside Web sites to have viruses placed in targeted companies' servers send information or to instruct the viruses to reproduce themselves.

Attackers usually abandon such sites once they achieve their goals or their attacks are discovered, the experts said.

The police suspect the person who attacked Mitsubishi Heavy Industries and Kawasaki Heavy Industries used the U.S. Web site to steal information from the companies and then transmitted it to other Web sites.

"In the past, unrelated hacker groups have coincidentally used the same servers as springboards," said Norihiko Maeda, a researcher at Kaspersky Lab Japan, a manufacturer of antiviral software. "Usually, hackers use different springboards for individual attacks, so the same server is rarely used by two or more criminal groups."

"[However, because the police investigation revealed that] the same attacker likely targeted the two companies, it's become clearer that the attacker aimed to steal Japanese defense secrets. Authorities must quickly investigate communication records and other data from the springboards," he said.

Sunday, October 16, 2011

Secure Android Kernel Could Make for 'Classified' Smart Phones

Via GCN -

A research team from Google, George Mason University and the National Security Agency have developed a hardened kernel for the Android 3.0 operating system that could solve the problem of using smart phones in military operations and emergency response.

The kernel, which is in the final stages of certification testing, opens the way for the Army to begin issuing smart phones or tablet-type wireless devices to troops in combat operations.

The White House also is interested because the hardened kernel could help fulfill a government plan to create a secure national wireless network for first responders, Michael McCarthy, operations director of the Army’s Brigade Modernization Command’s Mission Command Complex, said at the AUSA Annual Meeting and Exposition in Washington on Oct. 10. McCarthy also heads the service’s Connecting Soldiers to Digital Applications (CSDA) program, the lead organization involved in selecting handheld wireless technologies for military use.


There were delays in getting the operating system accredited until NSA came forward several months ago and offered to expedite the approval process, McCarthy said. The new effort kicked off with a series of meetings with CSDA program personnel and representatives from NSA and the National Institute of Standards and Technology.

The Android kernel is now being tested for a Federal Information Processing Standard 140-2 certification, which is expected by mid-October. “That’s the first level of security that we’ve got to get before we start moving onto being able to ultimately do secret [communications],” he said.


After the testing is complete, it is just a matter of filling out the certification paperwork, McCarthy said. “That is a game-changer for the security business because it then sets the conditions so that in the second quarter [late March 2012] they can do the certification of the Secure Sockets Layer, which then gives us the ability to operate at the classified levels,” he said.

In addition to the Army’s plans to provide troops with smart phones, the Obama administration was attracted to the technology to support two of its initiatives. One is an effort by the White House Communications Office to move the executive branch from BlackBerry devices to Android-based phones. The reason is because Android devices with the new kernel can be secured at a higher clearance level than BlackBerry devices, McCarthy said.


One of the concerns behind the government’s drive is that the radio communications networks used by federal, state and local response agencies are not very secure. This is a special concern for law enforcement and emergency response organizations’ operational channels, which could be subject to interception, spoofing and jamming. “They’re looking at replacing radio with a smart phone,” he said.

U.S. Sending More Contractors to Secure Libya’s Weapons Stockpile

Via NY Times -

The State Department is sending dozens of American contractors to Libya to help that country’s fledgling efforts to track down and destroy heat-seeking antiaircraft missiles looted from government stockpiles that could be used against civilian airliners.

The contractors, weapons and explosives specialists, are part of a growing $30 million American program to secure Libya’s conventional weapons arsenal, which was ransacked during the fall of the government of Col. Muammar el-Qaddafi.

American and other Western officials are especially concerned that as weapons slip from state custody, they can be easily sold through black markets to other countries, fueling regional wars or arming terrorist groups. Analysts are particularly worried about the dispersal of the SA-7, an early-generation, shoulder-fired missile in the same family as the more widely known Stinger.

“We are very concerned about the threat that’s posed,” Andrew Shapiro, the assistant secretary of state for political-military affairs, told reporters on Friday after meetings in Brussels.

Mr. Shapiro said he had no estimate as to how many of the roughly 20,000 shoulder-fired antiaircraft missiles that had been in Libya were unaccounted for since the fall of Colonel Qaddafi, but added, “In the wrong hands these systems could pose a potential threat to civil aviation.”

The State Department so far has sent 14 unarmed civilian contractors, many with military experience, to be part of teams led by Libya’s Transitional National Council, according to David I. McKeeby, a department spokesman. Mr. McKeeby said that an additional two to three dozen contractors would join the effort over the coming weeks.

The teams have surveyed and secured 20 of the former government’s 36 known ammunition depots, encompassing several hundred bunkers at each site, and have destroyed or disabled hundreds of the shoulder-fired missiles, he said. The deployment of the American contractors was reported on Friday by The Washington Post.


FAS: Man-Portable Air Defense System (MANPADS) Proliferation

Saturday, October 15, 2011

Piracy: Prepare to Repel Boarders

Via The Economist -

SomaliS pirates can be persistent. They have attacked the Maersk Alabama, a container ship owned by an American subsidiary of Denmark’s Maersk Line, no fewer than five times, most recently in May. In the first attack, in 2009, the captain was held hostage until the US Navy rescued him. Then Maersk put private armed guards on the ship. Since then, it has successfully repelled all boarders.

Maersk says it is only arming a few ships plying the pirate-infested waters off East Africa. But the practice is spreading rapidly among shipping firms despite the cost, which can run to $100,000 per voyage for a four-man team. That is because the number of attacks, off Somalia and elsewhere, has kept growing despite the strengthening of naval patrols (see chart). The European Union’s NAVFOR task-force, NATO warships and other navies patrol the waters off Somalia, but this has only pushed the pirates out into the open ocean, extending their attack zone towards India’s coast and as far south as Mozambique’s. This has forced the shipping industry, its insurers, and the national and international authorities that oversee them to accept that private armed guards are a necessity.


Until February the International Chamber of Shipping (ICS), which represents the world’s merchant shipowners, opposed the use of armed guards—even as some members were discreetly hiring them. Since the chamber changed its line, the number of owners tooling up has accelerated. Now, says Simon Bennett, its spokesman, perhaps 20% of all ships passing through the risky parts of the Indian Ocean have armed guards aboard—typically retired marines or the like.

In recruiting armed security men, some shipowners have defied the laws of the countries where their vessels are registered. But governments, unable to provide the naval cover the shipowners want, are one by one legalising the practice. Spain, one of the earliest to let its fishing-boats carry armed guards, said on September 27th that they would now be allowed to use machineguns and other heavy weapons against the pirates’ AK-47s.

Some countries, such as America and Denmark, have introduced licensing schemes for owners who want to arm their ships. Britain is among those still considering legalisation, and Greece’s shipping industry is pressing its government to do likewise. The UN’s International Maritime Organisation (IMO), while still not endorsing the practice, last month asked Somalia’s neighbours to let armed merchant ships call at their ports. The ICS says it understands Egypt is to lift its ban on armed merchant ships’ passage through the Suez canal. But the Indian government is still said to disapprove of armed merchant ships calling at its ports: their guards either have to go elsewhere or dump their weapons overboard.


There do not yet seem to have been any claims, or lawsuits, over the use of armed ship guards, says Tom Heinan of International Registries (which runs the Marshall Islands’ shipping register). But shipowners using them could face legal action in various places: their own country, the flag state of their ship, the home countries of injured crewmen, and so on. All the more reason to ensure that the guards are competent and well-insured.

Speedy Neutrino Mystery Likely Solved, Relativity Safe After All

Via (Syfy Network) -

Those weird faster-than-light neutrinos that CERN thought they saw last month may have just gotten slowed down to a speed that'll keep them from completely destroying physics as we know it. In an ironic twist, the very theory that these neutrinos would have disproved may explain exactly what happened.

Back in September, physicists ran an experiment where they sent bunches of neutrinos from Switzerland to Italy and measured how long the particles took to make the trip. Over 15,000 experiments, the neutrinos consistently arrived about 60 nanoseconds early, which means 60 nanoseconds faster than the speed of light. Einstein's special theory of relativity says this should be impossible: nothing can travel faster than light.

The fact that the experiment gave the same result so many times suggested that one of two things was true: either the neutrinos really were speeding past light itself and heralding a new era of physics, or there was some fundamental flaw with the experiment, which was much more likely. It's now looking as though the faster-than-light result was a fundamental flaw, and appropriately enough, it's a flaw that actually helps to reinforce relativity rather than question it.


Faster-than-Light Neutrino Puzzle Claimed Solved by Special Relativity

Friday, October 14, 2011

Austin's Power: The Texas Capital Is A Model For Clean Power Adoption

Via Fast Company -

How do you get people to use renewable energy when it’s more expensive than fossil-fueled power?

For answers to that question, you might want to look at places with high adoption rates for renewables. Austin, for instance.

This month, Texas’s capital became the largest municipality in the country to use only renewable energy. That's 100% of all of its energy. All the city’s public buildings, including its airport and water treatment plants, are now powered using wind from West Texas. In the last nine years, Austin Energy, the city’s publicly-owned utility, has produced more renewable energy than any in the country. And, the city is well on the way to sourcing 35% of all energy from renewables by 2020.

And yet Austin's consumers sometimes pay 15 to 25% more for electricity under the utility’s Greenchoice program than other customers. And the city government has paid $9 million a year extra to make the switch (from a total of bill of about $28 million). How come they’re willing to pay such a premium?

Well, not everyone has been that willing. Some voters and businesses have decried the move, saying it adds to living costs at a time when people can't afford expensive choices.

But Ed Clark, a spokesperson for Austin Energy, points to a long history of green activity, and the city’s high number of tech companies as supportive. “Austin has a tremendous emphasis on quality of life. There is not a single significant polluting industry in this entire community,” he says.


Read more of the story @ Fast Compnay

Thursday, October 13, 2011

US Air Force: Flying Operations of Remotely Piloted Aircraft Unaffected by Malware

To correct recent reporting, the malware detected on stand-alone systems on Creech Air Force Base, Nev., in September, has not affected Remotely Piloted Aircraft operations.

On 15 September, 24th AF first detected and subsequently notified Creech AFB regarding the malware on their portable hard drives approved for transferring information between systems. It was detected and isolated by the 24th Air Force using standard tools and processes for monitoring and protecting Air Force computer systems and networks. The Air Force then began a forensic process to track the origin of the malware and clean the infected systems.

The malware was detected on a stand-alone mission support network using a Windows-based operating system. The malware in question is a credential stealer, not a keylogger, found routinely on computer networks and is considered more of a nuisance than an operational threat. It is not designed to transmit data or video, nor is it designed to corrupt data, files or programs on the infected computer. Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach.

The infected computers were part of the ground control system that supports RPA operations. The ground system is separate from the flight control system Air Force pilots use to fly the aircraft remotely; the ability of the RPA pilots to safely fly these aircraft remained secure throughout the incident.

"It's standard policy not to discuss the operational status of our forces," said Colonel Kathleen Cook, spokesperson for Air Force Space Command. "However, we felt it important to declassify portions of the information associated with this event to ensure the public understands that the detected and quarantined virus posed no threat to our operational mission and that control of our remotely piloted aircraft was never in question."

"We continue to strengthen our cyber defenses, using the latest anti-virus software and other methods to protect Air Force resources and assure our ability to execute Air Force missions. Continued education and training of all users will also help reduce the threat of malware to Department of Defense systems."


Some of the recent reporting, they were looking to correct....

New Mac Trojan Variant is VMware-Aware

Via Virus Bulletin -

Researchers at F-Secure have found a variant of the 'Flashback' trojan for Mac (a fake Adobe Flash Player update) that is capable of detecting whether it is run in a virtual environment.

Virtualization is a technique commonly used by malware researchers as it allows them to run the malware in a safe environment. To frustrate researchers and to avoid detection, malware authors regularly build in anti-virtualization techniques: the malware tries to detect whether it is running in a virtual environment and does not run if this is the case, thus hiding its malicious activity.

While such techniques are commonly seen in Windows malware, Mac malware using anti-virtualization techniques had not hitherto been seen. This is yet another example that shows that Mac malware is not only becoming more prevalent but also more advanced.

More at F-Secure's blog here.


While anti-virutalization is nothing new for Windows malware, it is a new development for Mac malware....and thus resembles an evolution in the complexity and the feature set of Mac malware.

Similar to Android malware research recently conducted by Symantec, we should expect malware authors to continue to incorporate features from the Windows malware world into the Mac malware world. They will continue to explore the capabilities of this emerging malware ecosystem, especially if the revenue-per-infection ratio improves.

STRATFOR: Increased Cartel Violence in Mexico City

Vice President of Intelligence Fred Burton examines two recent violent incidents in Mexico City that could indicate a tactical shift in cartel strategy.

Top Zetas Drug Cartel Leader Accused in Deadly Casino Attack Arrested

Via CNN -

A top Zetas drug cartel leader -- who allegedly ordered the attack and arson at a casino that killed 52 -- has been captured, Mexican defense officials said Thursday.

Carlos Oliva Castillo, alias "La rana," or frog, was arrested Wednesday at a safehouse without a single shot being fired, the country's Ministry of Defense said.

Possibly the No. 3 man in the criminal organization, Oliva Castillo allegedly oversaw criminal operations for the cartel in three Mexican states. He was captured in Saltillo, Mexico.

Though he was arrested without incident, the cartel tried to distract troops by attacking security forces in different parts of the city, the defense ministry said.

The Zetas' rescue ploy failed.

According to officials, Oliva Castillo was "the principal manager" of the ruthless Zetas in the states of Coahuila, Nuevo Leon and Tamaulipas. He was also described as a confidant of Zetas boss Heriberto Lazcano Lazcano.

Oliva Castilo began working for the Zetas in 2005 in Tamaulipas, the defense ministry said, and rose through the ranks quickly. By 2009 he was in charge of the cartel's finances in Nuevo Leon, before taking charge of all operations in that state, the ministry said. This year he assumed a wider role, the ministry said.

The three northeastern states that Oliva Castillo allegedly oversaw are some of the Zetas' strongest-held territory. Authorities say that much of the violence registered in these states is the result of the Zetas fighting rival groups such as the Gulf cartel and Sinaloa cartel, for access to lucrative smuggling routes.

But the Zetas -- especially in their strongholds -- have branched out from drug trafficking and into extortion of businesses, kidnappings, and human smuggling.


This follows last week's arrest of Jose Alberto Loera Rodriguez, nicknamed "el Voltaje," (the Jock).

Wednesday, October 12, 2011

Operation Hackerazzi: Scarlett Johansson Hacker Used ‘Publicly Available Data' To Target Celebrities

Via International Business Times (Entertainment & Stars) -

The FBI held a press conference Wednesday announcing the arrest of Christopher Chaney, a 35-year-old Jacksonville, Fla., man arrested on hacking and wiretapping charges in connection with the Scarlett Johansson nude photo scandal in September.

The arrest was the result of an investigation dubbed "Operation Hackerazzi."

The press conference doubled as something of a public safety seminar, with FBI officials warning celebrities and mortals alike how easy it is for hackers to get access to private, personal information and turn it around for profit or gain.

One FBI official called technology hacking "a disturbing and rising trend," adding that "celebrity information is highly marketable."

The FBI also posted a visual aid titled "The Anatomy of a Hack," which explained the steps a hacker takes to infiltrate personal accounts. Among these steps are using open source information to reset passwords, breaching an account and changing the password, communicating with contacts in the account holder's address book, and using the contact list to harvest new targets.

Cheney allegedly "mined through publicly available data" to figure out passwords and security information on his targets.

An FBI spokesperson insisted that Chaney's was a singular arrest, but added that the FBI is following other leads.

According to The Associated Press, Chaney began hacking into Google, Apple and Yahoo email accounts November and December, then used the forwarding feature to ensure that every email received was sent, "virtually instantaneously," to an email account he controlled, according to an indictment handed by a federal grand jury in Los Angeles.

Chaney allegedly used the hacker names "trainreqsuckswhat," ''anonygrrl" and "jaxjaguars911".


FBI: Florida Man Arrested in “Operation Hackerazzi” for Targeting Celebrities with Computer Intrusion, Wiretapping, and Identity Theft

US: Treasury Designates Iranian Commercial Airline Linked to Iran's Support for Terrorism

The U.S. Department of the Treasury announced today the designation of Iranian commercial airline Mahan Air pursuant to Executive Order (E.O.) 13224 for providing financial, material and technological support to the Islamic Revolutionary Guard Corps-Qods Force (IRGC-QF). Based in Tehran, Mahan Air provides transportation, funds transfers and personnel travel services to the IRGC-QF.

“Mahan Air’s close coordination with the IRGC-QF – secretly ferrying operatives, weapons and funds on its flights – reveals yet another facet of the IRGC’s extensive infiltration of Iran’s commercial sector to facilitate its support for terrorism,” said Under Secretary for Terrorism and Financial Intelligence David S. Cohen. “Following the revelation about the IRGC-QF’s use of the international financial system to fund its murder-for-hire plot, today’s action highlights further the undeniable risks of doing business with Iran.”

Mahan Air provided travel services to IRGC-QF personnel flown to and from Iran and Syria for military training. Mahan Air also facilitated the covert travel of suspected IRGC-QF officers into and out of Iraq by bypassing normal security procedures and not including information on flight manifests to eliminate records of the IRGC-QF travel.

Mahan Air crews have facilitated IRGC-QF arms shipments. Funds were also transferred via Mahan Air for the procurement of controlled goods by the IRGC-QF.

In addition to the reasons for which Mahan Air is being designated today, Mahan Air also provides transportation services to Hizballah, a Lebanon-based designated Foreign Terrorist Organization. Mahan Air has transported personnel, weapons and goods on behalf of Hizballah and omitted from Mahan Air cargo manifests secret weapons shipments bound for Hizballah.

As a result of today’s action, U.S. persons are prohibited from engaging in commercial or financial transactions with Mahan Air and any assets it may hold under U.S. jurisdiction are frozen.

Identifying Information:

Entity: Mahan Air
AKA: Mahan Travel Company
Address: Mahan Air Tower, 21st Floor, Azadeghan Street, Karaj Highway, P.O. Box 14515-411, Tehran, Iran
Alt. Address: Mahan Air Tower, Azadegan St., Karaj Highway, Tehran 1481655761, Iran P.O. Box 411-14515

CFR: Backgrounder - Iran's Revolutionary Guards (IRGC)


Iran's Revolutionary Guard Corps (IRGC) was founded in the aftermath of the 1979 Islamic Revolution to defend the regime against internal and external threats, but has since expanded far beyond its original mandate. Today, the Guards has evolved into a socio-military-political-economic force with influence reaching deep into Iran's power structure. The Guards' involvement in politics has grown to unprecedented levels since 2004, when IRGC veterans won at least 16 percent of the 290 seats. Analysts say the organization, with its control of strategic industries, commercial services, and black-market enterprises, has evolved into one of the country's most influential domestic institutions.

Crackdowns on protestors in the wake of the disputed June 2009 presidential elections have brought new scrutiny of the Guards' role. Some analysts believe IRGC influence in the political arena amounts to the irreversible militarization of Iran's government (NYT). Others, like Abbas Milani, director of Iranian studies at Stanford University, suggest the Guards' power has grown to exceed (New Republic) that of Supreme Leader Ayatollah Khamenei, who legally has final say on all state matters. But Frederic Wehrey, an adjunct senior policy analyst at the RAND Corporation and the co-author of a study on the IRGC, notes that the Revolutionary Guard is far from a cohesive unit of likeminded conservatives. Instead, he says, it's a heavily factionalized institution with a mix of political aspirants unlikely to turn on their masters.


International Adventurism

Military analysts say the Guards began deploying fighters (NPR) abroad during the Iran-Iraq War of 1980 to 1988, "export[ing] the ideals of the revolution throughout the Middle East." The Quds Force, a paramilitary arm of the Revolutionary Guard with less than a thousand people, emerged as the de facto external-affairs branch during the expansion. Its mandate was to conduct foreign policy missions--beginning with Iraq's Kurdish region--and forge relationships with Shiite and Kurdish groups. A Quds unit was deployed to Lebanon in 1982, where it helped in the genesis of Hezbollah. Another unit was sent to Bosnia to back Bosnian Muslims in their civil war in the early and mid-1990s. Some experts say the Quds Force has shipped weapons to Lebanon-based Hezbollah, Gaza-based Hamas, and Palestinian Islamic Jihad, and is also supplying munitions to the Taliban in Afghanistan and Shiite militias in Iraq. In the wake of anti-government protests throughout the Middle East in 2011, the United States and the European Union accused the Quds Force of providing equipment and support to help the Syrian regime suppress revolts in Syria. In October 2011, Washington accused the Quds Force of plotting the assassination of the Saudi ambassador (NYT) to the United States, and plotting to bomb the Israeli Embassy in Washington and the Saudi and Israeli Embassies in Argentina. Tehran denied the accusations.

The Guards' alleged involvement in Iraq has been a particular point of contention between Washington and Tehran. Former President Bush accused Iran in February 2007 of providing roadside bombs to "networks inside Iraq." A month later, coalition forces captured Ali Musa Daqduq, a Lebanese-born member of Hezbollah operating in Iraq, and Pentagon officials said Daqduq was working with the Quds Force to train Iraqi extremists in logistics, firearms, and explosives. General David Petraeus, then the top U.S. commander in Iraq, told lawmakers in September 2007 that the Quds Force was aiding militias in Iraq to "serve its interests and fight a proxy war" with coalition forces. And in a September 2007 interview with military reporters, former Multi-National Force-Iraq spokesman Major General Kevin J. Bergner said six operatives with Quds Force links had been arrested in 2007. Despite repeated Iranian denials, U.S. congressional leaders in late 2007 designated the Guards as a foreign terrorist organization, cutting off Iranian companies and individuals from the U.S. financial system.

Yet, not everyone is convinced Iran's role in Iraq is as direct as U.S. officials suggest, or its pursuit of nuclear technology is as clear-cut, as this Backgrounder explains. Likewise, some experts see the Guards' role in Afghanistan as exaggerated. While U.S. military officials have accused Iran of supplying the Afghan Taliban with weapons, CFR International Affairs Fellow George Gavrilis says there is a lack of evidence to support the charges. "Iran has a vested interest in a stable, well-governed Afghanistan," Gavrilis writes, "an interest that it has protected since the fall of the Taliban."