Sunday, November 27, 2011

Phone Hacking Tied to Terrorists

Via NY Times -

Four people in the Philippines hacked into the accounts of AT&T business customers in the United States and diverted money to a group that financed terrorist attacks across Asia, according to police officials in the Philippines.

A statement from the Philippines Criminal Investigation and Detection Group, a law enforcement agency, said three men and one woman had been arrested in raids across the capital, Manila, last week.

According to the agency, the men were working with a group called Jemaah Islamiyah, a terrorist group linked to Al Qaeda and responsible for the 2002 bombings in Bali, which killed 202 people.

The group has been held responsible for several other terrorist attacks in Southeast Asia, mostly in Indonesia but including the Philippines.

If the new accusation holds up, it would point to a troubling connection between hackers and terrorist cells.

The Federal Bureau of Investigation said on Saturday that it was working with the police in the Philippines on the investigation into the telephone hacking effort, which apparently began as early as 2009.

The suspects remotely gained access to the telephone operating systems of an unspecified number of AT&T clients and used them to call telephone numbers that passed on revenues to the suspects.


Jemaah Islamiah (JI) is a Southeast Asian militant Islamic organization dedicated to the establishment of a Daulah Islamiyah (regional Islamic caliphate) in Southeast Asia incorporating Indonesia, Malaysia, the southern Philippines, Singapore and Brunei. JI was added to the United Nations 1267 Committee's list of terrorist organizations linked to al-Qaeda or the Taliban on 25 October 2002 under UN Security Council Resolution 1267.

After the 2002 Bali bombings, the U.S. State Department designated Jemaah Islamiah as a Foreign Terrorist Organization.

Saturday, November 26, 2011

UK Cyber Security Strategy: Protecting & Promoting the UK in a Digital World

Executive Summary

The internet is revolutionising our society by driving economic growth and giving people new ways to connect and co-operate with one another. Falling costs mean accessing the internet will become cheaper and easier, allowing more people in the UK and around the world to use it, ‘democratising’ the use of technology and feeding the flow of innovation and productivity. This will drive the expansion of cyberspace further and as it grows, so will the value of using it. Chapter 1 describes the background to the growth of the networked world and the immense social and economic benefits it is unlocking.

As with most change, increasing our reliance on cyberspace brings new opportunities but also new threats. While cyberspace fosters open markets and open societies, this very openness can also make us more vulnerable to those – criminals, hackers, foreign intelligence services – who want to harm us by compromising or damaging our critical data and systems. Chapter 2 describes these threats. The impacts are already being felt and will grow as our reliance on cyberspace grows.

The networks on which we now rely for our daily lives transcend organisational and national boundaries. Events in cyberspace can happen at immense speed, outstripping traditional responses (for example, the exploitation of cyberspace can mean crimes such as fraud can be committed remotely, and on an industrial scale). Although we have ways of managing risks in cyberspace, they do not match this complex and dynamic environment. So we need a new and transformative programme to improve our game domestically, as well as continuing to work with other countries on an international response.

Chapter 3 sets out where we want to end up – with the Government’s vision for UK cyber security in 2015.

NASA's Mars Science Laboratory Launched with New Curiosity Rover


NASA has launched its next Mars rover, kicking off a long-awaited mission to investigate whether the Red Planet could ever have hosted microbial life. The car-size Curiosity rover blasted off atop its Atlas 5 rocket at 10:02 a.m. ET Saturday, streaking into a cloudy sky above Cape Canaveral Air Force Station here. The huge robot's next stop is Mars, though the 354-million-mile (570-million-kilometer) journey will take eight and a half months.

Joy Crisp a deputy project scientist for the rover at NASA's Jet Propulsion Laboratory in Pasadena, Calif., called the liftoff "spectacular." "This feels great," she said as she watched the rocket lift off from Cape Canaveral.


NASA Mars Science Laboratory (MSL) Homepage
Signal Acquired: Mars Science Laboratory Makes First Contact
Sat, 26 Nov 2011 11:00:43 AM EST

A signal from NASA's Mars Science Laboratory spacecraft, including the new Curiosity rover, has been received by officials on the ground. The spacecraft is flying free and headed for Mars after separation from the United Launch Alliance Atlas V rocket that started it on its journey to the Red Planet. Liftoff was on time at 10:02 a.m. EST from Space Launch Complex 41 on Cape Canaveral Air Force Station in Florida.

Video: MSL Launch

Video: MSL Separation & Heading Toward Mars


You can even follow the Mars Curiosity Rover on Twitter - @MarsCuriosity

Thursday, November 24, 2011

TEDxBrussels: Mikko H. Hypponen - Defending the Net

"Privacy is implied. Privacy is not up for discussion. This is not a question between privacy against security. It is a question of freedom against control. And while we might trust our governments, right now, right here in 2011. Any rights we give away will be given away for good. And do we we blindly trust any future government, a government we might have 50 years from now. And these are the questions that we have to worry about for the next 50 years."
-Mikko H. Hypponen

Ai Weiwei - 'Shame on Me',1518,799302,00.html

The Chinese artist Ai Weiwei speaks about the changes in his life since the end of his detention in June and shows himself moved and surprised by a new culture of protest in his country.


Ai Weiwei is a Chinese contemporary artist. Ai collaborated with Swiss architects Herzog & de Meuron as the artistic consultant on the Beijing National Stadium (Bird's Nest) for the 2008 Olympics. As political activist, he has been highly and openly critical of the Chinese Government's stance on democracy and human rights. He has investigated government corruption and cover-ups, in particular the Sichuan schools corruption scandal following the collapse of so-called "tofu-skin schools" in the 2008 Sichuan earthquake.

Such an awesome interview by Der Spiegel.

Wednesday, November 23, 2011

NCIX: Foreign Spies Stealing US Economic Secrets in Cyberspace

Executive Summary

Foreign economic collection and industrial espionage against the United States represent significant and growing threats to the nation’s prosperity and security. Cyberspace—where most business activity and development of new ideas now takes place—amplifies these threats by making it possible for malicious actors, whether they are corrupted insiders or foreign intelligence services (FIS), to quickly steal and transfer massive quantities of data while remaining anonymous and hard to detect.


Pervasive Threat from Adversaries and Partners

Sensitive US economic information and technology are targeted by the intelligence services, private sector companies, academic and research institutions, and citizens of dozens of countries.
  • Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the IC cannot confirm who was responsible.
  • Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.
  • Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence (HUMINT) tactics. Some of these states have advanced cyber capabilities.


Because the United States is a leader in the development of new technologies and a central player in global financial and trade networks, foreign attempts to collect US technological and economic information will continue at a high level and will represent a growing and persistent threat to US economic security. The nature of the cyber threat will evolve with continuing technological advances in the global information environment.
  • Over the next several years, the proliferation of portable devices that connect to the Internet and other networks will continue to create new opportunities for malicious actors to conduct espionage. The trend in both commercial and government organizations toward the pooling of information processing and storage will present even greater challenges to preserving the security and integrity of sensitive information.
  • The US workforce will experience a cultural shift that places greater value on access to information and less emphasis on privacy or data protection. At the same time, deepening globalization of economic activities will make national boundaries less of a deterrent to economic espionage than ever.

We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.

The relative threat to sensitive US economic information and technologies from a number of countries may change in response to international economic and political developments. One or more fast-growing regional powers may judge that changes in its economic and political interests merit the risk of aggressive cyber and other espionage against US technologies and economic information.

Monday, November 21, 2011

ZeroAccess Rootkit Launched by Signed Installers

Via McAfee Labs -

Digital certificates and certificate authorities have been much in the news recently. Attacks–such as those used by Stuxnet, Duqu, and other malware–involving stolen certificates show an increasingly worrisome new security trend.

Certificate authorities have been targeted several times in the recent past with some success. There is a large chunk of known malware signed by apparently legitimate companies that appear to have authored malware, adware, and/or potentially unwanted programs. As a matter of fact, a very significant percentage of recent malware executables (as high as 5 percent) purport to be, or are, signed with some sort of certificate. Even in the case of mobile malware, signed executables have appeared because issuers have failed to see the malware in the files before approving them. This attention to certificates by malware authors seems to validate that they are indeed the “keys to the kingdom.”

A few days ago, we first saw a new attack that turned out to be variants of the infamous ZeroAccess rootkit, launched by digitally signed installers and uninstallers.


ZeroAccess is known to be very difficult to remove from system. It has a variety of techniques to fight against antivirus and security products, and can do so generically. Previously, we discussed how the rootkit can generically kill AV and security products, using user mode APC calls from kernel mode. This attack is very serious, and successful against most targets.

This version of ZeroAccess uses another neat trick to also generically target certain security products. Once ZeroAccess is loaded, it prevents the execution of several security products by mimicking a load error.


Several installers and uninstallers have been observed, with variants of ZeroAccess. Those that we are aware of can be cleaned with the free McAfee Labs tool RootkitRemover, which is available for download.


Free ZeroAccess removal tool from McAfee Labs, RootkitRemover, available at

Saturday, November 19, 2011

Underworld - Born Slippy (Dubstep Remix) by Filth-Er

"Born Slippy" is a single by Underworld originally released in 1995, which has never appeared on an album by the group.

This dubstep remix is by Filth-Er, based out of Romania.

Friday, November 18, 2011

China's Great Firewall Tests Mysterious Scans On Encrypted Connections

Via Forbes (Andy Greenberg) -

In the cat-and-mouse game between Chinese censors and Internet users, the government seems to be testing a new mousetrap–one that may be designed to detect and block tunnels through its Great Firewall even when the data in those tunnels is aimed at a little-known computer and obscured by encryption.

In recent months, administrators of services with encrypted connections designed to allow users secure remote access say they’ve seen strange activity coming from China: When a user from within the country attempts to reach a server abroad, a string of seemingly random data hits the destination computer before he or she can connect, sometimes followed by that user’s communication being mysteriously dropped.

The anti-censorship and anonymity service Tor, for instance, has found that many of its “bridge nodes”–privately-placed servers around the world designed to connect users to the rest of Tor’s public network of traffic re-routing computers–have become inaccessible to Chinese users within hours or even minutes of being set up, according to Andrew Lewman, the project’s executive director. Users have told him that other censorship circumvention services like Ultrasurf and Freegate have seen similar problems, he says. “Someone will try to connect, then there’s a weird scan, and the bridge stops working,” says Lewman. “We see weird things all the time, but this is a semi-consistent weird thing, and it’s only coming from China.”

Lewman believes that China’s internet service providers may be testing a new system that, rather than merely block IP addresses or certain Web pages, attempts to identify censorship circumvention tools by preceding a user’s connection to an encrypted service with a probe designed to reveal something about what sort of service the user is accessing. “It’s like if I tell my wife I’m going bowling with my friends, and she calls the bowling alley ahead of time to see if that’s what I’m really doing,” says Lewman. “It’s verifying that you’re asking for what you seem to be asking for.”

But so far, Lewman says Tor’s developers haven’t determined how that probe is able to see what’s an encrypted connection to a Tor server and what’s merely a connection to an encrypted banking or ecommerce site, which in theory should both look to a snooping government like indecipherably scrambled web traffic. The Chinese government after all, wouldn’t be likely to block all encrypted connections, such as corporate VPNs, Lewman points out. “If Foxconn were disconnected from Apple, that would be big problem,” he says.

In the mean time, only a small fraction of Tor’s Chinese users are experiencing the issue, implying that it may be just a subset of Chinese broadband providers experimenting with the new tool, says Lewman.

APT: Norway's Critical Infrastructure Target of Ongoing Phishing Campaign

Via -

Norwegian news agencies report that several top companies have been targeted in an ongoing phishing campaign and could be one of the largest cases of data theft in the country.

Few details have been released so far but online 'Views and News from Norway' reports that 'National security unit NSM (Nasjonal sikkerhetsmyndighet) and police intelligence unit PST (Politiets sikkerhetstjeneste) believe the goal of the computer spies is to gather information on secret contracts, industrial drawings, user names and passwords' according to their source the newspaper 'Aftenposten'.

Top executives in organizations at the heart of Norway's critical infrastructure are said to have been targeted in a long running phishing attack. Malicious programs that locate and extract senstive information are thought to have entered computer systems by tricking key employees into clicking on attachments to emails sent by the data spies in a sophisticated and ongoing campaign.

None of the companies in the attacks have been named and investigations are continuing into the latest attack that happened earlier this month.


From the AP:
Data from Norway's oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country's history, security officials said Thursday.

Industrial secrets from companies were stolen and "sent out digitally from the country," the Norwegian National Security Authority said, though it did not name any companies or institutions that were targeted.

At least 10 different attacks, mostly aimed at the oil, gas, energy and defense industries, were discovered in the past year, but the agency said it has to assume the number is much higher because many victims have yet to realize that their computers have been hacked.


The agency said in a statement that this type of data-theft was "cost-efficient" for foreign intelligence services and that "espionage over the Internet is cheap, provides good results and is low-risk." Veire would not elaborate, but said it was not clear who was behind the attacks.

The attacks often occurred when companies were negotiating large contracts, the agency said.

Related blog entries...

May 23, 2011 - Targeted Attack: Norway Army Says Faced Cyber Attack After Libya Bombing

Thursday, November 17, 2011

U.S.-China Economic and Security Review Commission Annual Report 2011

On behalf of the U.S.-China Economic and Security Review Commission, we are pleased to transmit the Commission’s 2011 Annual Report to the Congress—the ninth major Report presented to Congress by the Commission—pursuant to Public Law 106–398 (October 30, 2000), as amended by Public Law No. 109–108 (November 22, 2005). This report responds to the mandate for the Commission "to monitor, investigate, and report to Congress on the national security implications of the bilateral trade and economic relationship between the United States and the People’s Republic of China." In this Report, the Commission reached a broad and bipartisan consensus; it approved the Report unanimously, with all 12 members voting to approve and submit it.


The "Computer Network Exploitation" section starting on Page 182 discusses the RSA SecurID attack, Operation Shady RAT, Night Dragon, and Targeted Gmail attacks. Here is a little gem from the top of Page 183....
The perpetrators then used information about the compromised RSA security product in order to target a number of the firm’s customers, including at least three prominent entities within the U.S. defense industrial base. Those intrusions and intrusion attempts, according to some reports, also originated in China and appeared to be state sponsored.

Pentagon: Cyber Offense Part of U.S. Strategy

Via Washington Post -

The Pentagon is prepared to launch cyberattacks in response to hostile actions that threaten the government, military or U.S. economy, according to a new policy document submitted to Congress this week.

The report, obtained by The Washington Post, is the most detailed document so far from the government on its emerging cyberwarfare program, and it warns that adversaries attempting cyberattacks against the United States “would be taking a grave risk.”


The report is more explicit than the Pentagon’s cyberstrategy released in July, which focused on the importance of deterring attacks by building defenses that would “deny” adversaries the benefits of success. In the latest report, the Pentagon states directly that it “has the capability to conduct offensive operations in cyberspace to defend our nation, allies and interests.”

When defense-based deterrence fails to stop a hostile act, the report says, the Pentagon “maintains, and is further developing, the ability to respond militarily in cyberspace and in other domains.”

James E. Cartwright, the recently retired vice chairman of the Joint Chiefs of Staff, said the report “is a good start at documenting how the U.S. will both defend our interests in this vital domain and deter those who would threaten those interests.” Cartwright had publicly stated in July that a strategy dominated by defense would fail.

In May, the White House released an international cyberstrategy declaring that the United States reserves the right to use all necessary means — diplomatic, military and economic — to defend the nation against hostile acts in cyberspace. But it said that the United States will “exhaust all options prior to using force whenever we can” in response to a hostile act in cyberspace.

This week’s report was issued in response to a congressional requirement to answer key cyberwarfare policy questions by March 1, 2011. There was no explanation in the report for why it was months overdue.


DoD Cyberspace Policy Report: A Report to Congress Pursuant to the National Defense Authorization Act for Fiscal Year 2011, Section 934 (Nov 2011)

Tuesday, November 15, 2011

Stolen Malaysian Government Certificate Signed Malware

Via H-Online -

A governmental digital certificate has been used to sign malware. According to a report by F-Secure, the certificate was used to sign a piece of malware which has been spread through malicious PDF files, dropped after an Acrobat Reader 8 exploit had taken place. It has been signed by "" – is the Malaysian Agricultural Research and Development Institute. To steal a certificate capable of signing, an attacker would need not just the certificate but also a passphrase; this could have been stolen by use of a key-logger.

The Malaysian authorities told F-Secure that the certificate had been stolen "quite some time ago"; it was valid from 29 September 2009 to 29 September 2011 and has therefore now expired, removing the advantage gained by the malware in being digitally signed in the first place – unsigned applications produce a warning when the user downloads them from the web, but valid signed applications do not. However, it is still very rare to find malware signed with a key that officially belongs to a government.


With the growth of code-signing technologies and requirements in modern operating system (e.g. Windows 7 64-bit), it is likely that the use of stolen or fraudulent certificates to sign malware will increase.

CCSS Forum - Digital Certificates Used by Malware

Hat-tip to @diocyde for the CCSS Forum link.

APT: Anatomy of a Zero Day Attack

Pacific Northwest National Laboratory (PNNL) CIO, Jerry Johnson, provides some lessons learned from the attacks on his organization in July -- a highly publicized attack on an organization that provides cyber security services for the Dept. of Energy.


It is a long interview, but it is very insightful into these types of ongoing APT attacks.

STRATFOR Dispatch: Countering Iran in the Covert World

Director of Analysis Reva Bhalla examines how a recent chain of Iran-related events sheds light on the geopolitical environment in which Iran’s adversaries are operating.

Read more: Dispatch: Countering Iran in the Covert World | STRATFOR

Monday, November 14, 2011

McAfee Labs: Duqu - Consolidated Threat Report

McAfee Labs Consolidated Threat Reports bring together all the verified and corroborated intelligence on highly relevant and publically critical threats and events. Our researchers and engineers continually monitor the global threat landscape and provide relevant data to both our direct customers and to the public at large. We do this to assist in risk assessment and mitigation, as well as to “serve the greater good” as we cooperate and conduct research with other agencies and communities. Our Consolidated Threat Reports combine all the up-to-the-minute information from various sources (Global Threat Intelligence, blog entries, podcasts, whitepapers, presentations, and more.)

Sunday, November 13, 2011

Iran Says Has Detected Duqu Computer Virus


Iran said on Sunday it had detected the Duqu computer virus that experts say is based on Stuxnet, the so-called "cyber-weapon" discovered last year and believed to be aimed at sabotaging the Islamic Republic's nuclear sites.

The head of Iran's civil defense organization told the official IRNA news agency that computers at all main sites at risk were being checked and that Iran had developed software to combat the virus.

"We are in the initial phase of fighting the Duqu virus," Gholamreza Jalali, was quoted as saying. "The final report which says which organizations the virus has spread to and what its impacts are has not been completed yet.

"All the organizations and centers that could be susceptible to being contaminated are being controlled," he said.

News of Duqu surfaced in October when security software maker Symantec Corp said it had found a mysterious virus that contained code similar to Stuxnet.

While Stuxnet was aimed at crippling industrial control systems and may have destroyed some of the centrifuges Iran uses to enrich uranium, experts say Duqu appeared designed to gather data to make it easier to launch future cyber attacks.


Iran said in April it had been targeted by a second computer virus which it identified as "Stars." It was not immediately clear if Stars and Duqu were related but Jalali described Duqu as the third virus to hit Iran.

Tehran said Stuxnet had not inflicted serious damage before it was detected and blamed the United States and Israel for the virus which appeared to be aimed at crippling the nuclear program they say is aimed at making atomic weapons, a charge Iran denies.

The International Atomic Energy Agency issued a report last week that contained what it called credible evidence pointing to military dimensions to Iran's atomic activities, fueling demands in Washington and Europe for further sanctions.

Beyond Nuclear: North Korea’s Other Weapons Threat

Via The Diplomat (Nov. 12, 2011) -

North Korea’s latent nuclear weapons program is rightfully the main point of concern for its neighbors and the international community. But far less publicized is Pyongyang’s ongoing efforts to build upon its capabilities to produce and maintain chemical and biological weapons (CBW).

North Korea’s expansion of these programs is no secret to intelligence agencies around the world, and there are a number of reports detailing sites across the country dedicated to the production of CBW. The question, though how, is has Pyongyang been able to circumvent the international CBW regime so easily?

On the question of chemical weapons, this problem is easier to understand – North Korea isn’t a state party to the Chemical Weapons Convention (CWC) and has never been subject to inspections of its chemical industry facilities or sites believed associated with its CW program. Regardless, there’s little debate about the existence of the North’s CW program, with intelligence assessments from Russia, Britain, the United States and South Korea all indicating that Pyongyang continues to produce CW stocks.

Much less clear is the scope of the CW program and its level of advancement. Most assessments concur that the North has produced all of the main chemical agents such as nerve (including VX gas), blood, blister and choking agents. There’s less certainty regarding the amount of chemical agents stockpiled by the regime, although estimates range from 1,000 to 5,000 tons. However, even if the North’s program is at the low end of estimates, its capacity is bolstered by the fact that its military has a variety of sophisticated delivery vehicles for CW attacks including missiles, artillery and airborne bombs.

While Pyongyang publicly denies the need for transparency on its CW program, its production of biological weapons is muddied and concealed by weak international non-proliferation standards. Unlike the Organization for the Prohibition of Chemical Weapons (OPCW), which has robust verification standards, the Biological Weapons Convention (BWC) is plagued by the failure of its members to agree on a universal verification mechanism that would adequately ensure that all state parties are held to account for their treaty commitments.


The CBW threat emanating from Pyongyang isn’t limited to the Korean Peninsula either. North Korea is widely known for its horizontal proliferation of WMD and related materials to autocratic regimes around the world, such as Syria and Burma. There’s also the terrifying possibility that the government may – or already has – traded chemical or biological agents and suitable delivery vehicles to terrorist groups, which could weaponize them to use in an asymmetric attack. The improved ability of intelligence agencies around the world to determine weapons forensics would in theory deter such an illicit transfer, but it can’t be guaranteed – especially with a desperate leadership starved of cash.


Seoul’s new biodefense strategy has three central prongs. The first relies on detection, and has been supported by the government’s planned implementation of scanning technology at ports of entry that will be able to detect ten separate disease threats. The second pillar focuses on deterrence, which is based on South Korea’s continued investment in its hard power resources, such as medium and long range surface-to-air missiles. The final ingredient is the much needed investment in protecting South Koreans in the event of a biological attack through the development and stockpiling of vaccines.

South Korea’s CBW policy seems to be focused primarily on containment, which is of course entirely rational. However, it’s lacking a driver that can morph the North’s calculus away from producing and maintaining CBW. Beginning a serious dialogue on CBW with North Korea is necessary, and could facilitate an opening for a smoother resumption to the stalled Six Party Talks on the regime’s nuclear weapons program.

Still, Seoul must be cautious – Kim Jong-il’s regime has displayed its insincerity and belligerence on several previous occasions when such talks resumed. Attempting to include CBW in the Six Party Talks would be counterproductive and would give Pyongyang more avenues to stall and launch salvos against Korea and the United States. Instead, South Korea should dangle the CBW carrot to its neighbor and hope for dialogue, while at the same time maintaining its three-pronged strategy to keep the pressure on.

Friday, November 11, 2011

Report: FTC Nears Deal with Facebook For Opt-In Privacy Changes

Via -

The deal will settle an FTC case alleging privacy violations on the social network by forcing users to opt in to any changes to default privacy settings, according to a report in the Wall Street Journal.

The FTC inquiry dates back more than two years, and followed changes to the default privacy settings that pushed some formerly private user information into the public domain, the Wall Street Journal reported. Despite efforts to quell controversy over its privacy policies since then, the company has repeatedly ired consumer advocates and some members of Congress since then. In September, Facebook pushed out changes to its 800 million members that made it easier to share information with their Facebook network and made it easier for applications that run on the platform to track and share users activities, as well.

Following the change, users noticed that the company was collecting data not only when users were logged on, but also when they were visiting other sites online, by way of a Facebook plug-in that continued to operate even when there was no active Facebook session. Congressmen Ed Markey (D-MA) and Joe Barton (R-TX), co-Chairs of the Congressional Bi-Partisan Privacy Caucus, sent a letter in September to the FTC to investigate the company's use of tracking cookies.

The exact terms of the rumored settlement aren't known, but reports suggest it would go a long way towards ending those kinds of practices. For one, Facebook would submit to independent privacy audits for 20 years settlement and to get user consent before making retroactive policy changes to its privacy. The agreement will not require users to expressly agree to all changes and feature additions on the site.


Opt-in = good (for changes that might negatively impact your privacy level on FB).
Opt-in = bad (for changes that would improve user security, e.g. Default SSL Enabling).

Thursday, November 10, 2011

Music: The Troublemakers - Get Misunderstood


Quality lounge from Supperclub presents Vol. 3 - La Salle Neige.

The Rising Threat from Nigeria's Boko Haram Militant Group

Via STRATFOR (Security Weekly) -

The U.S. Embassy in Abuja, Nigeria, issued a warning Nov. 5 indicating it had received intelligence that the Nigerian militant group Boko Haram may have been planning to bomb several targets in the Nigerian capital during the Muslim holiday of Eid al-Adha, also known as Eid al-Kabir, celebrated Nov. 6-8. The warning specifically mentioned the Hilton, Nicon Luxury and Sheraton hotels as potential targets.

The warning came in the wake of a string of bombings and armed attacks Nov. 4 in the cities of Maiduguri, Damaturu and Potiskum, all of which are located in Nigeria’s northeast. An attack also occurred in the north-central Nigerian city of Kaduna. The sites targeted in the wave of attacks included a military base in Maiduguri and the anti-terrorism court building in Damaturu. Militants reportedly attacked these two sites with suicide vehicle-borne improvised explosive devices (VBIEDs). The Nigerian Red Cross reported that more than 100 people were killed in the attacks, while some media reports claimed the death toll was at least 150.

According to AFP, a spokesman for Boko Haram claimed responsibility for the attacks Nov. 5 and threatened more attacks targeting the Nigerian government until “security forces stop persecuting our members and vulnerable civilians.” On Nov. 7, a Boko Haram spokesman claimed that his group employed only two suicide operatives in the attacks and not 12 as reported by some media outlets.

Though Eid al-Kabir passed without attacks on Western hotels in Abuja, a deeper examination of Boko Haram is called for, with a specific focus on its rapidly evolving tactical capabilities.

Read more: The Rising Threat from Nigeria's Boko Haram Militant Group | STRATFOR


CFR Backgrounder: Boko Haram

Boko Haram, an Islamist religious sect, has targeted Nigeria's police, rival clerics, politicians, and public institutions with increasing violence since 2009.

Deloitte: Cyber Intelligence - Tech Trends 2011

In 2010, security and privacy graduated from IT department concerns. C-suites and boardrooms took notice of highly visible incidents, ranging from malware-infected motherboards from top-tier PC manufacturers, to information theft from a leading cloud provider, to the manipulation of the underlying routing tables of the internet redirecting traffic to Chinese networks. At the same time, the regulatory environment around sensitive data protection has become more rigorous, diverse and complex. Organizations are aware of the shifting threat profile and are working to deal with technical barriers as well as sophisticated criminal elements. Incidents are increasingly originating in the trust vector – due to inadvertent employee behavior via the sites they visit, the posts they access on social media sites or even the devices they bring with them to the workplace. A “protect-the-perimeter and respond-when-attacked” mentality is no longer sufficient.

Yet the vast majority of businesses in 2011 have only limited capabilities to detect and react to point-in-time breaches. Vulnerabilities are understood based on past events – not based on emerging cyber threats or on the actual risk profile of the organization.

Cyber intelligence represents a vastly more sophisticated and full set of threat management tactics, providing tools to move to a more proactive "over the horizon" threat awareness posture. Cyber analytics looks to detect patterns across systems, networks, physical security logs and external cyber-threat intelligence analysis to predict future attacks. Cyber forensics is moving beyond root-cause analysis to include tracking of where attacks came from and detailed tracing of what they were doing after the infiltration. Cyber logistics adopts an outside-in view of security, protecting against compromises in the value chain – from upstream suppliers to personnel sourcing. Powerful tools can allow advanced incident response, triaging “how” and “from where” attacks originated. And cyber security remains a key component – creating identity, access and control frameworks to safeguard assets, while embedding enforcement policies and procedures throughout the organization.

In 2011, security incidents remain nearly unavoidable. By building cyber intelligence capabilities, the impact of incidents can be contained, the source of threats understood and learnings codified into controls that can help prevent future incidents. But beyond developing broader disciplines, organizations must embrace security and privacy as foundational to their business. Cyber intelligence efforts need to be championed by the C-suite, funded as a strategic priority and empowered to become part of the operational genome of the company.

Wednesday, November 9, 2011

Your Questions: Kenya's Campaign Against Al-Shabab

Via Voice of America (VOA) News -

Kenya sent troops into Somalia last month in pursuit of al-Shabab, which it blames for a series of cross-border kidnappings. Since then, Kenya has faced the threat (and reality) of retaliation, confusion has emerged over which countries are supporting the military operation, and Eritrea has come under suspicion of arming al-Shabab. Most recently, Kenya said it is moving in on key militant areas in Somalia.

VOA's East Africa correspondent Gabe Joselow answered your questions about Kenya's pursuit of al-Shabab in a live Q&A Wednesday (Video).

Operation Ghost Click - International Cyber Ring That Infected Millions of Computers Dismantled

Six Estonian nationals have been arrested and charged with running a sophisticated Internet fraud ring that infected millions of computers worldwide with a virus and enabled the thieves to manipulate the multi-billion-dollar Internet advertising industry. Users of infected machines were unaware that their computers had been compromised—or that the malicious software rendered their machines vulnerable to a host of other viruses.

Details of the two-year FBI investigation called Operation Ghost Click were announced today in New York when a federal indictment was unsealed. Officials also described their efforts to make sure infected users’ Internet access would not be disrupted as a result of the operation.

The indictment, said Janice Fedarcyk, assistant director in charge of our New York office, “describes an intricate international conspiracy conceived and carried out by sophisticated criminals.” She added, “The harm inflicted by the defendants was not merely a matter of reaping illegitimate income.”

Beginning in 2007, the cyber ring used a class of malware called DNSChanger to infect approximately 4 million computers in more than 100 countries. There were about 500,000 infections in the U.S., including computers belonging to individuals, businesses, and government agencies such as NASA. The thieves were able to manipulate Internet advertising to generate at least $14 million in illicit fees. In some cases, the malware had the additional effect of preventing users’ anti-virus software and operating systems from updating, thereby exposing infected machines to even more malicious software.

“They were organized and operating as a traditional business but profiting illegally as the result of the malware,” said one of our cyber agents who worked the case. “There was a level of complexity here that we haven’t seen before.”


The six cyber criminals were taken into custody yesterday in Estonia by local authorities, and the U.S. will seek to extradite them. In conjunction with the arrests, U.S. authorities seized computers and rogue DNS servers at various locations. As part of a federal court order, the rogue DNS servers have been replaced with legitimate servers in the hopes that users who were infected will not have their Internet access disrupted.

It is important to note that the replacement servers will not remove the DNSChanger malware—or other viruses it may have facilitated—from infected computers. Users who believe their computers may be infected should contact a computer professional. They can also find additional information in the links on this page, including how to register as a victim of the DNSChanger malware.


Trend Micro: Esthost Taken Down – Biggest Cybercriminal Takedown in History

On November 8, a long-living botnet of more than 4,000,000 bots was taken down by the FBI and Estonian police in cooperation with Trend Micro and a number of other industry partners. Two data centers in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline. At the same time the Estonian police arrested several members in Tartu, Estonia.

Open Source Duqu Analysis Tool Sharing Update

Via NSS Labs -

Last Friday, NSS researchers announced their findings on Duqu on a blog post We also pointed to our open source tool that we've shared with the security research community. Since posting, the tool has been viewed over 18,000 times and 45 different forks have been created from the github repository in the few days it has been up.

We've set out to make a positive contribution to the community by giving code because we felt that taking action would yield the most positive results and would help others take action as well.

Today, CrySyS labs has released a great toolkit to detect duqu It is open source and has compiled binaries ready for usage. They are taking action by helping the community and kudos to them for their contributions to detection for the community.


CrySyS Duqu Detector Toolkit

We developed a detector toolkit that combines simple detection techniques to find Duqu infections on a computer or in a whole network. The toolkit contains signature and heuristics based methods and it is able to find traces of infections where components of the malware are already removed from the system.

The intention behind the tools is to find different types of anomalies (e.g., suspicious files) and known indicators of the presence of Duqu on the analyzed computer. As other anomaly detection tools, it is possible that it generates false positives. Therefore, professional personnel is needed to elaborate the resulting log files of the tool and decide about further steps.

Tuesday, November 8, 2011

U.N. Report Cites Secret Nuclear Research by Iran

Via Washington Post -

The United Nation’s nuclear watchdog said Tuesday it has “serious concerns” that Iran is secretly working toward building a nuclear bomb, citing documents pointing to extensive and possibly ongoing research by Iranian scientists on mastering the technology needed for atomic weapons.

The International Atomic Energy Agency cited “credible” intelligence--provided by 10 countries and extensively vetted over many months--that directly contradicts Iran’s claims that its nuclear intentions are entirely peaceful.

“The information indicates that Iran has carried out activities relevant to the development of a nuclear device,” the IAEA said in report prepared for the U.N. agency’s 35-nation board of directors.

It said Iran’s nuclear research appears to have been conducted through 2003 under a formal, structured program that addressed technical challenges such as warhead design and testing of nuclear detonators. While much of the research was halted that year by order of the country’s top leaders, “some activities may still be ongoing,” the report said.

Iran dismissed the allegations as a politically driven attempt to further isolate the Islamic republic, and said the documents cited by U.N. officials were forgeries.

While the IAEA has previously confronted Iran over alleged weapons research, the agency took the unusual step of releasing a 14-page dossier that describes in sometimes minute detail how Iranian scientists pursued highly specific information, skills and materials used in nuclear warhead design. The dossier was drawn form more 1,000 pages of Iranian documents and reports that were judged by U.N. inspectors to be “sufficiently comprehensive and complex . . . that it is not likely to have been the result of forgery or fabrication,” the report said.

The documents enabled the IAEA to reconstruct what the report describes as a secret command structure overseeing work in technical areas ranging from uranium-metal fabrication to designing an underground chamber where tests could be conducted. Iran appears to have procured parts and critical technical help from weapons experts from other countries, the report said.


IAEA: Implementation of the NPT Safeguards Agreement and relevant provisions of Security Council resolutions in the Islamic Republic of Iran (Nov 8, 2011)


CFR: IAEA Iran Report Decoded

Sunday, November 6, 2011

Microsoft Malware Protection Center Threat Report - Poison Ivy

This Microsoft® Malware Protection Center (MMPC) Threat Report provides an overview of the Win32/Poison (Poison Ivy) family of malware. The Report examines the background and functionality of Poison Ivy, and provides telemetry data and analysis. This Report also discusses how Poison Ivy is detected and removed by Microsoft antimalware products and services.


Poison Ivy has been identified in a number of APT attacks against corporations (e.g RSA and Chemical Industry Nitro Attacks) and human right organizations. ZXShell is another favorite backdoor.

In one case study, outlined by Mandiant in 2010, they found 10 different Poison Ivy variants (along with other malware, including some custom) on an attack of a smaller enterprise (2000 systems) - all attributed to a single APT group. (Case Study starts on Page 44)

Saturday, November 5, 2011

Operation Odysseus: Leader Dies in Colombian Military Operation

Via CNN -

The leader of Colombia's main leftist rebel group -- the Revolutionary Armed Forces of Colombia -- died in a military operation in the country's southwest, President Juan Manuel Santos said Saturday.

"I confirm the death of Alfonso Cano. The No. 1 of FARC is dead," Santos said. "This is the most overwhelming blow given to the FARC in all of Colombia's history."

The military operation that took place Friday in the state of Cauca also killed Cano's communications chief, a female friend and members of his security team, Defense Minister Juan Carlos Pinzon told reporters. Cano's chief of security was captured.

"The death of Alfonso Cano is the most important historical mark of our military forces and our national police in our fight against the FARC organization," Pinzon said. "He was part of the organization for over 33 years. He was their ideologue, their political figure and most importantly, he was a despised terrorist ready to act in a radical way ..."

Cano, an alias for Guillermo Leon Saenz, took over the FARC's top spot in March 2008 after an apparent heart attack killed the former leader, Manuel Marulanda.


STRATFOR Dispatch: FARC Leader Killed in Colombia

The Revolutionary Armed Forces of Colombia (FARC or FRAC-EP) is a Marxist–Leninist revolutionary guerrilla organization based in Colombia which is involved in the ongoing Colombian armed conflict. FARC is a violent non-state actor (VNSA), described as a terrorist group by the Colombian government, the United States Department of State, the Canadian government, the Chilean government, the New Zealand Government, and the European Union.

FARC receives most of its funding—which has been estimated to average some $300 million per year—from taxation of the illegal drug trade, ransom kidnappings, bank robberies, and extortion of large landholders, multinational corporations, and agribusiness. Human Rights Watch estimates that the FARC has the majority of child combatants in Colombia, estimating that approximately one quarter of the guerrillas are under 18 years of age.

NSS Labs: Duqu Analysis & Detection Tool

NSS engineers have developed a scanning tool that can be used to detect all DuQu drivers installed on a system. This tool was developed in the hopes that additional drivers can be discovered to allow us to learn more about the functionality, capabilities and ultimate purpose of DuQu.

Based on layout of the drivers discovered so far, the NSS tool is capable of detecting 100% of drivers with zero false positives. Because it is using advanced pattern recognition techniques, it is also capable of detecting new drivers as they are discovered. Two new drivers were discovered after the tool was completed, and both were detected by the NSS tool with no updates required.

Thursday, November 3, 2011

In Report, U.S. Accuses China, Russia of Cyber Espionage

Via Threatpost -

In its most blunt statement to date, the U.S. government accused both China and Russia of conducting far flung cyber espionage campaigns against U.S. and other Western firms in an effort to promote domestic interests.

The report, "Foreign Spies Stealing US Economic Secrets in Cyberspace" was prepared by the Office of the National Counterintelligence Executive. It found that cyber espionage on the part of China and Russia - and even from U.S. allies - is a "pervasive threat" to U.S. interests that surpasses even the threat posed by traditional forms of spying.


"We judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace," the report says.

Foreign governments engaged in cyber espionage are interested in a wide range of information, including information and communications technologies, information on the location of scarce natural resources that can benefit foreign firms, as well as military and civilian technologies.

The report, part of an annual assessment of foreign economic data collection and industrial espionage, accumulates the work of a slew of military branches as well as the FBI, Department of Energy, State Department, and intelligence agencies like the NSA and CIA. It is a departure from earlier reports in that it focuses on cyber espionage. The advent of the Internet and digital technology has made it easy for foreign entities to collect enormous quantities of data quickly and with little risk, the report concludes.

While foreign entities use malicious software and Web- and network based attacks to gain a foothold on sensitive networks, cyber is by no means the only vector used. Foreign governments have been known to use Requests for Information (RFI), solicitation of marketing, conferences and joint research projects to gather information.



Wednesday, November 2, 2011

Supercomputers Used to Analyze Stockpile-to-Target Sequence in Nuclear Weapons

Via Washington Post -

A group of nuclear weapons designers and scientists at the Lawrence Livermore National Laboratory conducted a what-if experiment several years ago, deploying supercomputers to simulate what happens to a nuclear weapon from the moment it leaves storage to the point when it hits a target.

They methodically worked down a checklist of all the possible conditions that could affect the B-83 strategic nuclear bomb, the most powerful and one of the most modern weapons in the U.S. arsenal, officials said. The scientists and designers examined how temperature, altitude, vibration and other factors would affect the bomb in what is called the stockpile-to-target sequenceSuch checks typically have been carried out by taking bombs and warheads apart; scrutinizing them using chemistry, physics, mathematics, materials science and other disciplines; and examining data from earlier nuclear explosive tests. This time, however, the scientists and designers relied entirely on supercomputer modeling, running huge amounts of code.

Then came a surprise. The computer simulations showed that at a certain point from stockpile to target, the weapon would “fail catastrophically,” according to Bruce T. Goodwin, principal associate director at Livermore for weapons programs. Such a failure would mean that the weapon would not produce the explosive yield expected by the military — either none at all, or something quite different than required to properly hit the target.

“So we went in and thoroughly investigated that, and determined that the way the weapon is handled by the military had to be changed, or you would be susceptible to having the weapons fail catastrophically when, God forbid, they should ever be used,” Goodwin said. He added that the fault occurred in the “real dynamics of the vehicle” — a term describing the weapon’s trajectory and behavior — and could not have been revealed by underground explosive testing or by examining the components.

Following the discovery and a multi-year effort, the B-83 bombs and the military’s handling procedures for the weapons have been fixed, officials said.

Tuesday, November 1, 2011

Duqu: Status Updates Including Installer with Zero-Day Exploit Found

Via Symantec Security Response Blog -

The group that initially discovered the original Duqu binaries, CrySyS, has since located an installer for the Duqu threat. Thus far, no-one had been able to recover the installer for the threat and therefore no-one had any idea how Duqu was initially infecting systems. Fortunately, an installer has recently been recovered due to the great work done by the team at CrySyS.

The installer file is a Microsoft Word document (.doc) that exploits a previously unknown kernel vulnerability that allows code execution. We contacted Microsoft regarding the vulnerability and they're working diligently towards issuing a patch and advisory. When the file is opened, malicious code executes and installs the main Duqu binaries.


The Word document was crafted in such a way as to definitively target the intended receiving organization. Furthermore, the shell-code ensured that Duqu would only be installed during an eight-day window in August. Please note that this installer is the only installer to have been recovered at the time of writing—the attackers may have used other methods of infection in different organizations. Unfortunately, no robust workarounds exist at this time other than following best practices, such as avoiding documents from unknown parties and utilizing alternative software. Fortunately, most security vendors already detect and block the main Duqu files, thereby preventing the attack.

Once Duqu is able to get a foothold in an organization through the zero-day exploit, the attackers can command it to spread to other computers. In one organization, evidence was found that showed the attackers commanding Duqu to spread across SMB shares. Interestingly though, some of the newly infected computers did not have the ability to connect to the Internet and thereby the command-and-control (C&C) server. The Duqu configuration files on these computers were instead configured not to communicate directly with the C&C server, but to use a file-sharing C&C protocol with another compromised computer that had the ability to connect to the C&C server. Consequently, Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies.

While the number of confirmed Duqu infections is still limited, using the above techniques we have seen Duqu spread across several countries. At the time of writing, Duqu infections have been confirmed in six possible organizations in eight countries.

The confirmed six possible organizations and their countries of presence include:
  • Organization A - France, Netherlands, Switzerland, Ukraine
  • Organization B - India
  • Organization C - Iran
  • Organization D - Iran
  • Organization E - Sudan
  • Organization F - Vietnam

Note that some organizations are only traceable back to an ISP and therefore all six may not be separate organizations. Furthermore, due to grouping by IP addresses, we cannot definitively identify the organizations.

Other security vendors have reported infections in the following countries:
  • Austria
  • Hungary
  • Indonesia
  • United Kingdom
  • Iran - infections different from those observed by Symantec


You can find our updated whitepaper (version 1.3) here. In addition to further technical details we have added a 'Diagnostics' appendix for system administrators, which contains Duqu traces that may indicate an infection.

Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage


A political figure in Hong Kong continuously receives spear-phishing emails that encourage clicking on shortcuts or opening attachments with file extensions, such as .pdf, .doc(x), .xls(x), .chm, and so on. He suspects that such emails were actively sent from seemingly known parties during the pre- and postelection periods. The emails and samples were sent to us for investigation, and two nearly identical samples were chosen for the case study. These malwares appear to be the first Advanced Persistent Threat (APT) incident to undergo detailed study in Hong Kong. APT is defined by MANDIANT as a cyber attack launched by a group of sophisticated, determined, and coordinated attackers who systematically compromise the network of a specific target or entity for a prolonged period. The malware performs the following functions similar to those of “Operation Shady RAT”, it attempts to hide itself from known anti-virus programs, downloads and executes additional binaries, enumerates all file information in the hard disk, gathers email and instant messaging passwords from victims, collects screen captures, establishes outbound encrypted HTTP connections, sends all gathered intelligence to a Command and Control, and deletes all temporary files of the collected information from the victims’ machine after uploading. The forensic findings lead us to believe that APT is a real threat in Hong Kong.

Frankie Li, Anthony Lai, DDL
Valkyrie-X Security Research Group