Monday, January 31, 2011

Egypt: Al Jazeera English on YouTube

http://www.youtube.com/aljazeeraenglish

Al Jazeera English can be watched live here. Sadly, Adobe Flash crashes VERY often, to the extent that the page needs to be reloaded.

------------------------------------------------------------------------------------------------------------------------------

STRATFOR Dispatch: Regime Change in Egypt and a Radicalizing Region
http://www.stratfor.com/analysis/20110131-dispatch-regime-change-egypt-and-radicalizing-region
The instability in Egypt comes at a time when the region is already in the throes of shifts. But contrary to popular fears, the region is not necessarily headed toward an Iranian-led radicalization. Instead, a new and still emerging complex situation is something that the United States, the region and the rest of the world will have to deal with.

Egypt is in a situation of flux, and it is really too early to say what will be the outcome of all the unrest and instability. There are all sorts of options. One option, one likelihood, is that the current regime rejiggers itself, reinvents itself, sends Mubarak a continuation of the old order. Another option is that there are elections and some form of coalition government emerges, and that’s where it gets tricky because the Muslim Brotherhood, the country’s largest and oldest Islamist movement, is the single largest organized political force. In any such scenario the Brotherhood is expected to play a large part, and that raises a whole lot of fears in the region and around the world about what will be the outlook, the policy outlook, of Cairo in that situation.
------------------------------------------------------------------------------------------------------------------------------

CFR: Egypt's Need for Presidential Change
http://www.cfr.org/publication/23958/egypts_need_for_presidential_change.html

------------------------------------------------------------------------------------------------------------------------------

Twitter: Speak To Tweet
http://twitter.com/speak2tweet
This evening, a jointly-made product by Google and Twitter has allowed Egyptians to tweet...using their voices. In light of the Internet blackout, the service allows Egyptians to call an international number from any phone and leave a message for the world.

Click the link in each tweet to hear a voice tweet from folks inside Egypt. Call +16504194196 or +390662207294 or +97316199855 to leave a tweet and hear tweets.
------------------------------------------------------------------------------------------------------------------------------

Global Voices: Egypt
http://globalvoicesonline.org/-/world/middle-east-north-africa/egypt/

Saturday, January 29, 2011

How Facebook Ships Code

Via FrameThink Blog -

I’m fascinated by the way Facebook operates. It’s a very unique environment, not easily replicated (nor would their system work for all companies, even if they tried). These are notes gathered from talking with many friends at Facebook about how the company develops and releases software.

STRATFOR Agenda: With George Friedman on Egypt

http://www.stratfor.com/analysis/20110128-agenda-george-friedman-egypt

For more than 30 years, the geopolitics of the Middle East has been built on the American-Egyptian-Israeli relationship. STRATFOR founder Dr. George Friedman contemplates current events in Egypt and the prospect of the end of an era.

------------------------------------------------------------------------------------------------------------------

Red Alert: Hamas and the Muslim Brotherhood
http://www.stratfor.com/analysis/20110129-red-alert-hamas-and-muslim-brotherhood

The following is a report from a STRATFOR source in Hamas. Hamas, which formed in Gaza as an outgrowth of the Egyptian Muslim Brotherhood (MB), has an interest in exaggerating its role and coordination with the MB in this crisis. The following information has not been confirmed. Nonetheless, there is a great deal of concern building in Israel and the United States in particular over the role of the MB in the demonstrations and whether a political opening will be made for the Islamist organization in Egypt.
The Egyptian police are no longer patrolling the Rafah border crossing into Gaza. Hamas armed men are entering into Egypt and are closely collaborating with the MB. The MB has fully engaged itself in the demonstrations, and they are unsatisfied with the dismissal of the Cabinet. They are insisting on a new Cabinet that does not include members of the ruling National Democratic Party.

Security forces in plainclothes are engaged in destroying public property in order to give the impression that many protesters represent a public menace. The MB is meanwhile forming people’s committees to protect public property and also to coordinate demonstrators’ activities, including supplying them with food, beverages and first aid.

Friday, January 28, 2011

Microsoft Warns of MHTML Bug in Windows

Via Threatpost.com -

Microsoft is warning its users about a dangerous flaw in the way that Windows handles certain MHTML operations, which could allow an attacker to run code on vulnerable machines. The bug affects all of the current versions of Windows, from XP up through Windows 7 and Windows Server 2008.

Microsoft issued an advisory about the MHTML vulnerability, which has been discussed among security researchers in recent days. There is some exploit code available for the bug, as well. In addition to the advisory, Microsoft has released a FixIt tool, which helps mitigate attacks against the vulnerability in Windows.


---------------------------------------------------------------------------------------------

SRD: More information about the MHTML Script Injection vulnerability
http://blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability.aspx

Wednesday, January 26, 2011

Hawaii Man Sentenced for Providing Defense Information to People’s Republic of China

Via infozine.com -

Noshir S. Gowadia, 66, of Maui, Hawaii, was sentenced late yesterday to 32 years in prison for communicating classified national defense information to the People’s Republic of China (PRC), illegally exporting military technical data, as well as money laundering, filing false tax returns and other offenses.

The sentence, handed down by Chief U.S. District Judge Susan Oki Mollway in the District of Hawaii, was announced by David Kris, Assistant Attorney General for National Security, and Florence T. Nakakuni, U.S. Attorney for the District of Hawaii.

On Aug. 9, 2010, following six days of deliberation after a trial spanning nearly four months in Honolulu, a federal jury found Gowadia guilty of five criminal offenses relating to his design for the PRC of a low-signature cruise missile exhaust system capable of rendering a PRC cruise missile resistant to detection by infrared missiles.

The jury also convicted Gowadia in three counts of illegally communicating classified information regarding lock-on range for infrared missiles against the U.S. B-2 bomber to persons not authorized to receive such information. The B-2 bomber is one of America’s most critical defense assets, capable of utilizing its stealth characteristics to penetrate enemy airspace and deliver precision guided weapons on multiple targets. Gowadia was also convicted of unlawfully exporting classified information about the B-2, illegally retaining information related to U.S. national defense at his home, money laundering and filing false tax returns for the years 2001 and 2002.

Facebook Beefs Up Security With Full-Time HTTPS & Social Captchas

Via techcrunch.com -

Facebook is introducing two new measures to beef up security: expanding HTTPS connections as an all-the-time option and using social captchas to authenticate users who have lost passwords. Let’s take these one at a time.

HTTPS is a secure connection (more secure than plain-vanilla HTTP connections), and Facebook already uses HTTPS for when you log into an outside site through Facebook Connect and send your passwords back to Facebook. But now you will have the option to set HTTPs as the default connection for everything you do on Facebook itself.

[...]

Some app developers will need to use a new “Secure Canvas URL” so that their apps can also be accessed over HTTPS.

The social captcha feature is pretty clever. It will replace regular captchas (those slightly warped letters you are asked to re-enter to prove you are human) with a picture of one of your friends. You will need to identify the person to authenticate yourself when you are trying to retrieve a lost password or Facebook detects suspicious login activity on your account. You do know what all your “friends” look like, don’t you?


---------------------------------------------------------------------------------

Overall, I think this is a very positive step, but one of my friends said it best - "a security feature that has to be enabled will never be used by the masses. A for effort, but C for implementation."

Long story short, he is correct. When security is opt-in, people are less likely to do it, for various reasons.

Hopefully this is just the first step.

Google rolled out SSL to Gmail users in the same way. First it was an option, then it become default.

Let's hope Facebook will follow suit...and just in case that isn't in their roadmap, the security community should applaud this change, but continue to push for more.

Sunday, January 23, 2011

Black Hat DC 2011 - Papers & Slides

The Black Hat Conference is a computer security conference that brings together a variety of people interested in information security. Black Hat DC is an event dedicated to the Federal Agencies in Washington, D.C.

http://www.blackhat.com/html/bh-dc-11/bh-dc-11-archives.html

Friday, January 21, 2011

Organized Crime in Central America - The Rot Spreads

Via The Economist -

Battlefields aside, the countries known as “the northern triangle” of the Central American isthmus form what is now the most violent region on earth. El Salvador, Guatemala and Honduras, along with Jamaica and Venezuela, suffer the world’s highest murder rates (see map). The first two are bloodier now than they were during their civil wars in the 1980s.

Organised crime is now the main cause of the bloodshed. Central America forms a bridge between Colombia, the world’s biggest cocaine producer, and Mexico, which is the staging post for the world’s biggest market for the drug—the United States. As pressure has mounted on the mobs, first in Colombia and now in Mexico, Central America has attracted more traffic. Ten years ago it had fewer cocaine seizures than either Mexico or the Caribbean; by 2008 it accounted for three times more than both combined. Over the same period the murder rate rose across the region, doubling in some countries.

“Central America is entering an extraordinarily critical phase” in which its peace and security are threatened by “the onslaught of the drug-trafficking organisations”, an official from the International Narcotics Control Board, a United Nations agency, warned this month.

Much of the blame lies with the arrival of the Mexican mafias, mainly the Zetas and the Sinaloa “cartel”. The assassination of Honduras’s top anti-drugs official in 2009 seems to have been a Sinaloa hit. Zeta training-camps and recruitment banners have sprung up in Guatemala. The Mexican mobs are also contracting out their work, taking advantage of Central America’s competitive narco-labour market. They recruit trained hitmen from the pool of soldiers laid off by several countries’ armies, slashed since the end of the civil wars 20 years ago. Guatemala has cut its army’s nominal strength by two-thirds since 1996. Now former members of its notorious Kaibiles special forces are said to have close links with the Zetas, themselves a former Mexican special-forces unit.

[...]

Most Central American governments are ill-equipped to tackle the mayhem. The countries of the “northern triangle” are among the poorest in the Americas, with income per head of around $2,700, less than a third that of Mexico. The $2.1 billion of drugs, arms and cash recovered in Guatemala during the first six months of last year was equivalent to 5% of the country’s GDP. Yet despite its poverty, Central America receives little outside help: of the $1.6 billion so far allocated under the Mérida Initiative, a United States drug-fighting programme for Mexico and Central America, Mexico received 84%.

[...]

Though Central America offers a new base for Mexican traffickers, it could yet be their undoing. Mexico’s cartels, now the most powerful in Latin America, began as runners for the Colombians and were paid in product. They promptly seized control of distribution in the United States, and turned the Colombians into mere suppliers. The maras of Central America, which have close ties to inner-city gangs in el norte, could yet pull off the same trick. Roy David Urtecho, Honduras’s attorney-general, recently warned that the maras were seeking “to establish themselves as legitimate traffickers instead of street-level thugs”. The battleground in the war on drugs may be about to shift again.

The Sound of a Credit Card

Via ESET Threat Blog -

A recent article at Thinq.co.uk describes how an attack against Android-based phones might be able to capture your credit card information even when you speak it into the phone. The interesting thing about this proof of concept is not that the application can capture voice details, but rather that it uses a second application to transmit the captured information.

Google designed Android so that certain communications were limited between applications, but the researchers found a way around that. Instead of directly sending the information from one program to another, they use a clever form of Morse code. Morse code was probably the first widely accepted binary form of communications. Dots and dashes are no different than ones and zeros. One application changes something like the screen brightness and another reads the screen brightness. Let’s say that full illumination is a dot, and anything less is a dash. By making minor modifications in how bright the screen is a lot of data can be transferred between programs without the user probably noticing it.

It will be interesting to see if this attack can be used against other smart phones as well.

Thursday, January 20, 2011

Chinese Espionage and French Trade Secrets

Via STRATFOR (Security Weekly) -

Paris prosecutor Jean-Claude Marin on Jan. 14 began an inquiry into allegations of commercial espionage carried out against French carmaker Renault. The allegations first became public when Renault suspended three of its employees on Jan. 3 after an internal investigation that began in August 2010. Within days, citing an anonymous French government source, Reuters reported that French intelligence services were looking into the possibility that China played a role in the Renault espionage case. While the French government refused to officially confirm this accusation, speculation has run wild that Chinese state-sponsored spies were stealing electric-vehicle technology from Renault.

The Chinese are well-known perpetrators of industrial espionage and have been caught before in France, but the details that have emerged so far about the Renault operation differ from the usual Chinese method of operation. And much has been learned about this MO just in the last two years across the Atlantic, where the United States has been increasingly aggressive in investigating and prosecuting cases of Chinese espionage. If Chinese intelligence services were indeed responsible for espionage at Renault it would be one of only a few known cases involving non-Chinese nationals and would have involved the largest amount of money since the case of the legendary Larry Wu-Tai Chin, China’s most successful spy.

[...]

China takes a mosaic approach to intelligence, which is a wholly different paradigm than that of the West. Instead of recruiting a few high-level sources, the Chinese recruit as many low-level operatives as possible who are charged with vacuuming up all available open-source information and compiling and analyzing the innumerable bits of intelligence to assemble a complete picture. This method fits well with Chinese demographics, which are characterized by countless thousands of capable and industrious people working overseas as well as thousands more analyzing various pieces of the mosaic back home.

[...]

The new Renault case, however, is very different from most Chinese espionage cases. First, it involved recruiting three French nationals with no ethnic ties to China, rather than first-generation Chinese. Second, the alleged payments to two of three Renault employees were much larger than Chinese agents usually receive, even those who are not ethnic Chinese. The one notable exception is the case of Larry Chin, who is believed to have received more than $1 million in the 30 years he spied for China as a translator for U.S. intelligence services. Renault executives would also be paid as much or more in salaries than what was found in these bank accounts, though we don’t know if more money was transferred in and out of the accounts. This may not be unprecedented, however; STRATFOR sources have reported being offered many millions of dollars to work for the Chinese government.

Another problem is the alleged use of a Chinese state-owned company to funnel payments to the Renault executives. Using a company traceable not only to China but to the government itself is a huge error in tradecraft. This is not likely a mistake that the Chinese intelligence services would make. In Chin’s case, all payments were made in cash and were exchanged in careful meetings outside the United States, in places where there was no surveillance.

Thus, STRATFOR doubts that the Renault theft was perpetrated by the Chinese. The leak suggesting otherwise was likely an assumption based on China’s frequent involvement in industrial espionage. Still, it could be a sign of new methods in Chinese spycraft.

[...]

There is little indication that the Chinese have switched from the high-quantity, low-quality mosaic intelligence method, and cyber-espionage activities such as hacking Google demonstrate that the mosaic method is only growing. The Internet allows China to recruit from its large base of capable computer users to find valuable information in the national interest. It provides even more opportunities to vacuum up information for intelligence analysis. Indeed, cyber-espionage is being used as another form of “insurance,” a way to ensure that the information collected by the intelligence services from other sources is accurate.

If China is responsible for the Renault penetration, the case would represent a change in the Chinese espionage MO, one aiming at a higher level and willing to spend more money, even though most of the cases prosecuted in the United States pointed to a continuation of the mosaic paradigm. Nevertheless, counterintelligence officers are likely watching carefully for higher-level recruits, fearing that others like Chin and Shriver may have remained undetected for years. These cases may be an indication of new resources made available to Western counterintelligence agencies and not new efforts by the Chinese.

One thing is certain: Chinese espionage activities will continue apace in 2011, and it will be interesting to see what targets are picked.

Advanced Persistent Threat (APT) Defeated by Marketure

Via Securosis Blog -

Officials today revealed that the "Advanced Persistent Threat" (APT) has been completely defeated by vendor marketure, analyst/pundit tweets, and PowerPoint presentations.

"APT is dead. Totally gone. The term APT is meaningless now" revealed a senior official under the condition of anonymity, as he was not authorized to discuss the issue with the press -- as if anyone believes that anymore.

"Advanced Persistent Threat" was a term coined by members of the military, intelligence, and defense industries to define a series of ongoing attacks originating from state and non-state actors primarily located in China, first against military targets, and later against manufacturing and other industries of interest. It referred to specific threat actors, rather than a general type of advanced attacks. Revealed through major breaches at Google and reports from Lockheed-Martin, APT quickly entered the Official Industry Spin Machine and was misused to irrelevance.

[...]

Self-proclaimed independent security pundit Rob Robson stated, "The APT isn't dead until I say it is. I will continue to use APT in my presentations and press quotes until I stop getting invited to RSA parties".

When asked in an unrelated press conference whether this means China is no longer hacking foreign governments and enterprises, Cybergeneral Johnson replied, "We have seen no decrease in activity." Johnson continued, "If anything, we've seen even more successful breaches due to agencies and companies believing the latest security product they purchased will stop the APT. We are still in the middle of a long-term international conflict with a complex political dynamic that could materially affect our military and economic capabilities in the future. I don't think a new firewall will help".


----------------------------------------------------------------------------------------------------------

Man, am I glad that is over... ;)

Chinese Malware Takes Aim at the Cloud-based AV

Via Microsoft MMPC Blog -

The Microsoft Malware Protection Center has been tracking a recent threat that attacks cloud-based antivirus technology provided by popular major antivirus software vendors in China. The malware is named Win32/Bohu (TrojanDropper:Win32/Bohu.A).

The Bohu malware is native to the China region. Bohu attracts user installation by social engineering techniques, for example, using attractive file names and dropping a fake video player named “Bohu high-definition video player”. The more interesting part of Bohu is that the malware blocks cloud-based services now commonly featured in major Chinese antivirus products. Specifically, Bohu uses a number of different techniques in order to attempt to thwart Cloud-based AV technologies.

[...]

Cloud-based virus detection generally works by the client sending important threat data to the server for backend analysis, and subsequently acquiring further detection and removal instructions. The process can take seconds to minutes, and is designed to remove malware not handled by the traditional on-the-box signature approach.

Bohu tries to sever the communication between cloud client and server, and constantly modifies the file content of its components, in order to evade detection by cloud-based scanning. Bohu is part of the first wave of malware that specifically targets cloud-based antivirus technology.
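To make the client side of the scheme above concrete, here is an added Python sketch (written for this post; not code from Microsoft, the MMPC or any real antivirus product) of a scanner that checks on-the-box signatures first, asks a cloud backend for anything unknown, and, crucially, treats a dead cloud channel as "unknown, alert" rather than "clean". The transports, sample files, signature entries and the three-failure threshold are all constructed for the example.

```python
"""Cloud-assisted verdict lookup that fails loud when the cloud channel is cut.
Added illustration of the client side of the scheme described above; not code
from Microsoft or any real product. Transports and samples are constructed."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample "files" for the example.
SAMPLE_CLEAN = b"just a text file, nothing to see here"
SAMPLE_LOCAL_SIG = b"constructed sample matched by an on-the-box signature"
SAMPLE_CLOUD_ONLY = b"constructed sample known only to the backend"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Traditional on-the-box signature store: sha256 -> family name (constructed).
LOCAL_SIGNATURES = {sha256_hex(SAMPLE_LOCAL_SIG): "Constructed.LocalSig"}

# What the backend knows (constructed). A real backend analyses far more than a hash.
CLOUD_KNOWLEDGE = {sha256_hex(SAMPLE_CLOUD_ONLY): "Constructed.CloudOnly"}


def make_cloud_transport(knowledge):
    """A working cloud endpoint: sha256 in, verdict dict out."""
    def transport(digest):
        if digest in knowledge:
            return {"verdict": "malicious", "family": knowledge[digest]}
        return {"verdict": "clean"}
    return transport


def severed_transport(digest):
    """Models the channel after something on the host has cut it."""
    raise ConnectionError("connection reset while contacting cloud backend")


@dataclass
class ScanResult:
    sha256: str
    verdict: str           # "clean", "malicious" or "unknown"
    source: str            # "local", "cloud" or "none"
    alerts: list = field(default_factory=list)


class CloudAssistedScanner:
    # Consecutive failures before the client assumes the channel is being blocked.
    SEVERED_THRESHOLD = 3

    def __init__(self, transport, local_signatures):
        self.transport = transport
        self.local = dict(local_signatures)
        self.consecutive_failures = 0

    def scan(self, data: bytes) -> ScanResult:
        digest = sha256_hex(data)
        # 1. Local signatures first: no network needed, answers instantly.
        if digest in self.local:
            return ScanResult(digest, "malicious", "local")
        # 2. Ask the backend; a dead channel must never be mistaken for "clean".
        try:
            reply = self.transport(digest)
        except (ConnectionError, TimeoutError, OSError) as exc:
            self.consecutive_failures += 1
            alerts = [f"cloud lookup failed: {exc}"]
            if self.consecutive_failures >= self.SEVERED_THRESHOLD:
                alerts.append("cloud channel unreachable repeatedly; "
                              "possible tampering, escalate to full local scan")
            return ScanResult(digest, "unknown", "none", alerts)
        self.consecutive_failures = 0
        verdict = reply.get("verdict", "unknown")
        if verdict == "malicious":
            # 3. Cache the backend's answer so the next hit is answered locally.
            self.local[digest] = reply.get("family", "Cloud.Detected")
        return ScanResult(digest, verdict, "cloud")


if __name__ == "__main__":
    healthy = CloudAssistedScanner(make_cloud_transport(CLOUD_KNOWLEDGE), LOCAL_SIGNATURES)
    print(healthy.scan(SAMPLE_CLOUD_ONLY))
    cut = CloudAssistedScanner(severed_transport, LOCAL_SIGNATURES)
    for _ in range(3):
        print(cut.scan(SAMPLE_CLOUD_ONLY))
```

Two design choices map directly onto the two Bohu tricks the post describes. Against a severed channel, the scanner returns `unknown` with an alert and escalates after repeated failures instead of silently passing the file. Against components whose content keeps changing, a pure hash lookup (as here) is exactly what fails, which is why the "important threat data" a real client sends to the backend has to be richer than a file hash.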

Wednesday, January 19, 2011

OECD Study: An Actual Pure Cyberwar is Improbable

Via H-Online.com -

Conducted on behalf of the Organisation for Economic Co-operation and Development (OECD), a study has found that a cyberwar conducted solely via the internet between states is very improbable. The authors believe that most crucial systems are simply too well protected. While attacks on systems such as the one involving Stuxnet can be successful, they have to be carefully targeted and limited – and the effects have to be calculated exactly.

The study finds that the term "cyberwar" is now "overhyped" as it is used for all kinds of things, including activities that used to fall under the category of espionage or sabotage. Indeed, Denial of Service (DoS) attacks related to WikiLeaks have also been called cyberwar even though they only constituted blockades.

Conducted by the University of Oxford and the London School of Economics, the study explains that cyberwar is properly understood as targeted attacks on critical infrastructures in combination with conventional attacks. And the best protection from such attacks is careful system design and setup.

The authors do, however, believe that it would be hard to take a purely military approach in protecting systems. After all, the targets are generally found in the private sector: transport, energy and water supply, and financial markets. Furthermore, the threat of counterattacks will hardly scare off attackers because it is generally hard to know who the attackers are.

Tuesday, January 18, 2011

China CERT: We Missed Report On SCADA Hole

Via Threatpost.com -

China's Computer Emergency Response Team (CERT) admitted that it missed a September e-mail message from a researcher at NSS Labs that pointed out a critical vulnerability in a commonly used SCADA (Supervisory Control And Data Acquisition) software package. The lapse resulted in a gap of almost four months before the hole was patched.

Threatpost first wrote about the heap overflow in software produced by Wellintech on Monday, after researcher Dillon Beresford wrote that his efforts to inform the company about the hole - one of many he has uncovered in Chinese SCADA packages - had hit a wall. In an unsigned e-mail to Threatpost.com, the Chinese CERT said the organization missed Beresford's September e-mail identifying the remotely exploitable hole, and only became aware of the vulnerability in the Kingview Version 6.5.3 in late November, after a senior member of the vulnerability analysis team at U.S. CERT contacted the organization.

"After tracing back all email history based on the content of the report, we found that the email from Dillon Beresford on Sep.28 had been missed by the duty staff," the e-mail reads. Apparently, the Chinese CERT (CNCERT) is struggling to stay on top of the volume of e-mail reports it is receiving. "Our public incident report email box receives thousands of emails everyday. It's a big pity, as well as a mistake that our duty staff have not notice such an important email," CNCERT acknowledged.

The acknowledgement suggests that China's main clearinghouse for information on software security issues may be experiencing growing pains. According to a timeline provided by CNCERT, after learning of the hole from U.S. CERT member Art Manion in late November, CNCERT verified the hole and notified the vendor, Wellintech, of the hole. The company verified its existence as well, and provided a report on it to the China National Vulnerability Database (CNVD), according to protocol. CNCERT and the CNVD worked with the company towards a patch. That patch was completed and published on December 15, according to the timeline, but no notice of that was sent back to CNVD, and CNCERT appears to have been unaware that it was issued.

The organization has since coordinated with Wellintech and issued an official notice of the hole on Thursday.

F-Secure Wrap-up on Case Stuxnet

Stuxnet means cyber sabotage is here. Mikko Hyppönen, Chief Research Officer at F-Secure, says Stuxnet is probably the most significant malware of the decade.

Sunday, January 16, 2011

Internet 2010 in Numbers

Via Pingdom.com -

How many websites were added? How many emails were sent? How many Internet users were there? This post will answer all of those questions and many, many more. If it’s stats you want, you’ve come to the right place.

We used a wide variety of sources from around the Web to put this post together. You can find the full list of source references at the bottom of the post if you’re interested. We here at Pingdom also did some additional calculations to get you even more numbers to chew on.

[...]

Websites

  • 255 million – The number of websites as of December 2010.
  • 21.4 million – Added websites in 2010.
Web servers
  • 39.1% – Growth in the number of Apache websites in 2010.
  • 15.3% – Growth in the number of IIS websites in 2010.
  • 4.1% – Growth in the number of nginx websites in 2010.
  • 5.8% – Growth in the number of Google GWS websites in 2010.
  • 55.7% – Growth in the number of Lighttpd websites in 2010.
[...]

Internet users
  • 1.97 billion – Internet users worldwide (June 2010).
  • 14% – Increase in Internet users since the previous year.
  • 825.1 million – Internet users in Asia.
  • 475.1 million – Internet users in Europe.
  • 266.2 million – Internet users in North America.
  • 204.7 million – Internet users in Latin America / Caribbean.
  • 110.9 million – Internet users in Africa.
  • 63.2 million – Internet users in the Middle East.
  • 21.3 million – Internet users in Oceania / Australia.
Social media
  • 152 million – The number of blogs on the Internet (as tracked by BlogPulse).
  • 25 billion – Number of sent tweets on Twitter in 2010
  • 100 million – New accounts added on Twitter in 2010
  • 175 million – People on Twitter as of September 2010
  • 7.7 million – People following @ladygaga (Lady Gaga, Twitter’s most followed user).
  • 600 million – People on Facebook at the end of 2010.
  • 250 million – New people on Facebook in 2010.
  • 30 billion – Pieces of content (links, notes, photos, etc.) shared on Facebook per month.
  • 70% – Share of Facebook’s user base located outside the United States.
  • 20 million – The number of Facebook apps installed each day.

---------------------------------------------------------------------------------------------------------

Internet 2009 in Numbers (Jan 23, 2010)
http://djtechnocrat.blogspot.com/2010/01/internet-2009-in-numbers.html

Friday, January 14, 2011

Secret Service Study Probes Psyche of U.S. Assassins

Via Wired.com (Wired Science) -

With public speculation mounting about what motivated a 22-year-old man to attempt to kill a congresswoman, a little-known study by the Secret Service suggests the truth may be frighteningly mundane.

The study of U.S. assassinations over the last 60 years debunks some key myths about the miscreants behind the attacks. The Exceptional Case Study Project, completed in 1999, covers all 83 people who killed or attempted to kill a public figure in the United States from 1949 to 1996.

“We approached a number of people, many in prison,” says forensic psychologist Robert Fein, who co-directed the study with Bryan Vossekuil of the Secret Service. “We said you’re an expert on this rare kind of behavior. We’re trying to aid prevention of this kind of attack. We’d welcome your perspectives.”

The First Combined Zeus/SpyEye Toolkit

Via McAfee Blog -

In our recent 2011 Threats Predictions report, McAfee Labs predicted that the recent merger of Zeus with SpyEye would produce more sophisticated bots due to improvements in bypassing security mechanisms and law enforcement monitoring. Both Zeus and SpyEye were prevalent and dangerous malware separately; the combination of their functionality certainly takes this threat to a new level.

Here we are just in mid-January and it seems that the first version of this toolkit has arrived on the black market, which means we can expect to see the malware it produces shortly. This version, v1.4.1, seems to have been published on January 11th, 2011:

[...]

Functionality updates include:
1. Brute force password guessing
2. Jabber Notification
3. VNC module
4. Auto-spreading
5. Auto-update
6. Unique Stub Generator for FUD and evasion
7. New Screenshot System

Price:
$300 without VNC and FF Inject
$800 all inclusive.

Thursday, January 13, 2011

STRATFOR Dispatch: 2011 Annual Forecast

Vice President of Strategic Intelligence Rodger Baker previews STRATFOR’s in-depth 2011 Annual Forecast by focusing on China, Russia and the United States.

http://www.stratfor.com?video_uuid=gtk0z970&v=gtk0z970&aid=574455

Wednesday, January 12, 2011

Disgruntled TSA Data Analyst Sentenced for Sabotage Attempt

Via The Register UK -

A former data analyst for the Transportation Security Administration was sentenced to two years in prison for planting code in a terrorist screening database server after he was told his position was going to be eliminated.

Douglas James Duchak, 46, received the sentence on Tuesday after admitting he planted the sabotage code in the terrorist screening database on October 23, 2009, eight days after supervisors told him his position would be terminated at the end of the month. The code was set to disable the TSA's system for vetting individuals given access to sensitive information and secure areas of airports on November 3 of that year by overwriting a crucial computer file.

The employee of government contractor InfoZen, who had 25 years of experience in information systems, tried to cover his tracks by logging on to the workstation of an employee who was assuming Duchak's responsibilities. Using the fellow employee's credentials, Duchak copied the code onto the employee's machine.

Video surveillance in the secure area of the TSA's Colorado Springs Operations Center captured Duchak planting the code after hours. A subsequent investigation caught the code before it could disrupt operations. The TSA spent $85,539 responding to the offense.

In October, Duchak pleaded guilty to one count of intentionally trying to damage a protected computer, a charge that carries a maximum penalty of up to 10 years in prison and a $250,000 fine. He was also ordered to pay restitution of $60,587 for repairs to the TSA system. He will be required to undergo mental health treatment.

NASA: Thunderstorms Make Antimatter

Via NASA Science News (Jan 11, 2011) -

Scientists using NASA's Fermi Gamma-ray Space Telescope have detected beams of antimatter produced above thunderstorms on Earth, a phenomenon never seen before.

Scientists think the antimatter particles were formed inside thunderstorms in a terrestrial gamma-ray flash (TGF) associated with lightning. It is estimated that about 500 TGFs occur daily worldwide, but most go undetected.

"These signals are the first direct evidence that thunderstorms make antimatter particle beams," said Michael Briggs, a member of Fermi's Gamma-ray Burst Monitor (GBM) team at the University of Alabama in Huntsville (UAH). He presented the findings Monday, during a news briefing at the American Astronomical Society meeting in Seattle.

Fermi is designed to monitor gamma rays, the highest energy form of light. When antimatter striking Fermi collides with a particle of normal matter, both particles immediately are annihilated and transformed into gamma rays. The GBM has detected gamma rays with energies of 511,000 electron volts, a signal indicating an electron has met its antimatter counterpart, a positron.

Although Fermi's GBM is designed to observe high-energy events in the universe, it's also providing valuable insights into this strange phenomenon. The GBM constantly monitors the entire celestial sky above and the Earth below. The GBM team has identified 130 TGFs since Fermi's launch in 2008.

[...]

Scientists long have suspected TGFs arise from the strong electric fields near the tops of thunderstorms. Under the right conditions, they say, the field becomes strong enough that it drives an upward avalanche of electrons. Reaching speeds nearly as fast as light, the high-energy electrons give off gamma rays when they're deflected by air molecules. Normally, these gamma rays are detected as a TGF.

But the cascading electrons produce so many gamma rays that they blast electrons and positrons clear out of the atmosphere. This happens when the gamma-ray energy transforms into a pair of particles: an electron and a positron. It's these particles that reach Fermi's orbit.

The detection of positrons shows many high-energy particles are being ejected from the atmosphere. In fact, scientists now think that all TGFs emit electron/positron beams. A paper on the findings has been accepted for publication in Geophysical Research Letters.

"The Fermi results put us a step closer to understanding how TGFs work," said Steven Cummer at Duke University. "We still have to figure out what is special about these storms and the precise role lightning plays in the process."

Sunday, January 9, 2011

Music: War of the Worlds (Dubstep Mix)

A dubstep mix by erwtenpeller retelling Jeff Wayne's musical version of War of the Worlds, sampling the original narratives by Richard Burton, Phil Lynott and David Essex.

Full MP3 (86.9 MB / 192 bit rate)
http://student-kmt.hku.nl/~niels7/files/Musica/erwtenpeller_WaroftheWorlds.mp3

CHAPTER 1: The Arrival
1. Starkey - Drip (Creative Space)
2. Actraiser - Treasures Of The Deep (Unreleased)
3. Quantum Soul - Babylon I keep down (Z Audio)
4. Sykotic - Sykotic Stomp (Unreleased)
5. Distance - Fallen (Planet Mu)

CHAPTER 2: Massacre of Mankind
6. Bullet Bill - Within Range (Unreleased)
7. LeBelgeElectrod - Three Pitting of Syringe (www.electrobel.be)
8. Substep Infrabass - Voices from God (Bass Punch Records)
9. Rakoon - Cloacking Device (Bass Punch Records)
10. 16 bit - PCP (Urban Essential Records)
11. LeBelgeElectrod - Because they don't exist (www.electrobel.be)

CHAPTER 3: The Earth belonged to the martians
12. Distance - Loosen My Grip (Planet Mu)
13. Reso - Holograms (Pitch Black)
14. Black Sun Empire - Cold Crysis (Shadows of the Empire)
15. Netrik - Slime Factory (Unreleased)
16. Distance - Ska (Planet Mu)
17. Suspect & DoomTrooper - Feral Child (Prime Audio)
18. Genetic Krew - Stone (Bass Punch Records)

CHAPTER 4: Brave New World
19. Distance - Skeleton Grin (Planet Mu)
20. LeBelgeElectrod - Life is a Wobble Bass (www.electrobel.be)
21. Suspicious Stench - I am what I am (Suspicious Stench)
22. Bar 9 - Pussyhole (Juno Records)
23. Caspa - I beat my robot (subsoldiers)
24. Disonata - Alpha & The Omega (Unreleased)
25. rdubz - Danger (Bass Punch Records)

Saturday, January 8, 2011

Project Lightning: Building NIPRNet's DMZ

Via DefenseSystems.com (Jan 7, 2011) -

The Defense Information Systems Agency (DISA) has created a "demilitarized zone" for unclassified applications to help manage access between the public internet and Unclassified but Sensitive IP Router Network (NIPRNet), according to Dave Mihelcic, DISA's CTO.

The DMZ also protects against cyberattacks, he said. In the case of a cyber attack, the DMZ would allow increased security while still leaving critical servers open to the internet as necessary.

DISA has taken a leadership role to lock down military cybersecurity, and the DMZ is one of two programs that are emerging as key components to maintaining the security of DOD’s most sensitive data, officials have said.

“We have to share information safely,” said Richard Hale, DISA chief information assurance executive. “If we break sharing, we’ve broken a lot of things…but we still have to keep things secret.” Hale and Mihelcic spoke as part of a DISA panel at a luncheon held in Arlington, Va., and sponsored by the DC chapter of AFCEA.

The DMZ is “a collection of services to secure both inbound and outbound traffic, and control what is exposed and what isn’t,” Mihelcic said.

According to Hale, the DMZ concept – which he said will be re-named "Project Lightning" because “DMZ is the worst name possible” – emerged from combatant commanders’ need to take mission risks without putting other commands and leaders at risk.

“This will let us improve sharing; no more one-size-fits-all NIPRNet, and no one-size-fits-all reactions to problems on NIPRNet,” Hale said. He said the design and network restructure plans for Project Lightning/DISA DMZ have been agreed upon and will take about two years to roll out across all DOD networks.

Videos: 27th Chaos Communication Congress (27C3)

This year’s Chaos Communication Congress was held from Monday December 27 to Thursday December 30, 2010 in Berlin, Germany.

----------------------------------------

Audio & Video
http://mirror.fem-net.de/CCC/27C3/

Geinimi Trojan Technical Teardown

http://blog.mylookout.com/_media/Geinimi_Trojan_Teardown.pdf

Introduction

Geinimi is a Trojan affecting Android devices that has come to Lookout’s attention as emerging through third-party application sources (markets and app-sharing forums), primarily in China. Geinimi is noteworthy as it represents a reasonable jump in capabilities and sophistication over existing Android malware observed to date. The word Geinimi (Ghay-knee-mē) is derived from the name of the first repackaged application it was discovered in. Geinimi is Mandarin Chinese for “give you rice”, essentially slang for “give you money”. The Trojan was originally injected using the package “com.geinimi” but as it spread, subsequent variants took on an obfuscated package scheme.

In this document, we outline how the Trojan starts, what obfuscation is employed, how the command and control system works, and what commands we are able to observe in action. To simplify the discussion, we will focus primarily on an infected sample of a game called “Monkey Jump 2”:

File: MonkeyJump2.apk
Md5: e0106a0f1e687834ad3c91e599ace1be
Sha1: 179e1c69ceaf2a98fdca1817a3f3f1fa28236b13
Geinimi SDK: 10.7

[...]

Conclusion

Geinimi is certainly not the first piece of mobile malware to exhibit many of its traits. It does, however, represent a significant jump in sophistication and capabilities from its predecessors on the Android platform. It represents the first piece of Android malware to employ a bytecode obfuscator and internal encryption to obfuscate its purpose. It is the first case of Android malware grafted onto a legitimate application and, though the most sophisticated Spyware applications have come close, Geinimi is accepting the broadest array of commands from a server under the control of an unknown party that we have seen to date.

There has been much speculation as to the intent of Geinimi. It could be nothing more than a Trojan advertising platform with overbearing promotional hooks by our standards. At the extreme, the array of capabilities under 3rd party control could amount to an attempt to build a botnet. These are widely different assessments that rely on knowing the intent of Geinimi’s authors, a perspective that we don’t have available to analyze. What is clear, however, is that Geinimi is something that nobody in their right mind wants installed on their mobile device.
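The teardown's two practical take-aways for a defender are the published hashes of the infected sample and the fact that the Trojan was grafted onto a legitimate application. The following triage helper is an added example, not code from Lookout's report: it fingerprints a file against the MD5/SHA1 quoted above and diffs a suspect APK's zip entries against the known-good original, reporting added, removed and changed entries and whether the signature block differs (a repackaged APK has to be re-signed by whoever modified it, because they do not hold the publisher's signing key). The two in-memory APKs, their entry names and their contents are constructed for the demonstration and do not reproduce the real sample.

```python
import hashlib
import io
import zipfile
from typing import Dict, Tuple

# Hashes published in the Lookout teardown for the infected Monkey Jump 2 sample.
KNOWN_BAD = {
    "md5": {"e0106a0f1e687834ad3c91e599ace1be"},
    "sha1": {"179e1c69ceaf2a98fdca1817a3f3f1fa28236b13"},
}


def fingerprint(data: bytes) -> Dict[str, str]:
    """MD5 and SHA1 of a file, the form in which indicator lists are usually published."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def is_known_sample(data: bytes) -> bool:
    """True if either hash of the file matches a published indicator."""
    fp = fingerprint(data)
    return fp["md5"] in KNOWN_BAD["md5"] or fp["sha1"] in KNOWN_BAD["sha1"]


def entries(apk: bytes) -> Dict[str, Tuple[int, int]]:
    """Map every zip entry in an APK to (uncompressed size, CRC32) without extracting it."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {info.filename: (info.file_size, info.CRC) for info in zf.infolist()}


def is_signature_block(name: str) -> bool:
    """Signature blocks of a v1-signed APK live under META-INF/ with a key-type suffix."""
    return name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC"))


def diff_apk(original: bytes, suspect: bytes) -> Dict[str, object]:
    """Compare a suspect APK with the known-good original it claims to be.

    Repackaging shows up as a changed classes.dex or manifest, extra entries carrying
    the injected code's data, and a signature block that no longer matches the publisher's.
    """
    base, sus = entries(original), entries(suspect)
    added = sorted(set(sus) - set(base))
    changed = sorted(n for n in base.keys() & sus.keys() if base[n] != sus[n])
    return {
        "added": added,
        "removed": sorted(set(base) - set(sus)),
        "changed": changed,
        "resigned": any(is_signature_block(n) for n in added + changed),
    }


def build_apk(files: Dict[str, bytes]) -> bytes:
    """Build a minimal zip in memory; used here only to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for the legitimate game as shipped by its publisher.
ORIGINAL = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'/>",
    "classes.dex": b"dex\n035\x00original game code",
    "res/drawable/icon.png": b"\x89PNG constructed icon bytes",
    "META-INF/CERT.RSA": b"publisher-signature",
})

# Constructed stand-in for a repackaged copy: manifest and dex modified, a data file
# added, and the whole package re-signed with a different key.
REPACKAGED = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.game'><extra-permissions/></manifest>",
    "classes.dex": b"dex\n035\x00original game code plus grafted classes",
    "res/drawable/icon.png": b"\x89PNG constructed icon bytes",
    "assets/config.dat": b"constructed opaque settings blob",
    "META-INF/CERT.RSA": b"modifier-signature",
})

if __name__ == "__main__":
    print("known sample:", is_known_sample(REPACKAGED))
    for key, value in diff_apk(ORIGINAL, REPACKAGED).items():
        print(f"{key}: {value}")
```

On a real device the original would be the APK pulled from the official market for the same package name and version; any change to classes.dex or the manifest combined with a different signer is the repackaging signature the teardown describes, regardless of how the injected package names are obfuscated.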

Microsoft: Assessing the Risk of Public Vulnerabilities

Via Microsoft's SRD Blog (Security Research & Defense) -

At Microsoft, as at most large software vendors, we are likely to have publicly known issues under investigation at any given time. This is what we do on the Security Research & Defense team. Recently we’ve seen confusion from folks trying to make sense of some of the current public issues. To help clear that up, we offer this table of information to help customers make a risk assessment for their particular environment. Note that applying the Microsoft-recommended workaround for any issue in the table removes the risk posed by the issue entirely.

-----------------------------------------------------------------------------------------------------------------

Kudos to Microsoft for putting the list together.

According to the table presented by the SRD team, Microsoft is tracking five public vulnerabilities... but eEye shows six open Microsoft vulnerabilities in their Zero-Day tracker.

It would seem the SRD is focusing on the remotely exploitable issues, which is understandable. But locally exploitable (i.e. privilege escalation) issues should not be overlooked, as their use by malware has been seen and is only expected to increase in the future.

The vulnerabilities missing from the Microsoft SRD list?
Microsoft Windows Fax Services Cover Page Memory Corruption
http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2010/20101227
Microsoft Windows RtlQueryRegistryValues Local Privilege Escalation
http://www.eeye.com/Resources/Security-Center/Research/Zero-Day-Tracker/2010/20101124
Of course, the list over at eEye isn't totally complete either. It is lacking the WMI Administrative Tools ActiveX control vulnerability...
http://www.kb.cert.org/vuls/id/725596

Wednesday, January 5, 2011

Pakistan Releases Top Al Qaeda-linked Terrorist Leader

Via The Long War Journal (Jan 4, 2011) -

A senior Pakistani terrorist linked to al Qaeda and the country's intelligence service has been released from "protective custody."

Qari Saifullah Akhtar, the leader of the Harkat-ul-Jihad-al-Islami (HUJI, or the Movement of Islamic Holy War), was released in early December after being taken into protective custody in August 2010. HUJI is closely linked to al Qaeda and the Taliban. Ilyas Kashmiri, the operational commander for HUJI, also serves as al Qaeda's military commander and is a senior leader on al Qaeda's external operations council. HUJI is also supported by Pakistan's military and the Inter-Services Intelligence Directorate.

Akhtar's release was first reported in The News on Dec. 28, 2010. US intelligence officials contacted by The Long War Journal said that they believe the report is accurate.

Pakistani intelligence officials took Akhtar into custody in August after he was supposedly wounded in a US Predator strike in North Waziristan, The News reported.

[...]

A US intelligence official told The Long War Journal that it is thought that Akhtar was not arrested, but "placed in protective custody so he can be treated for his injuries and debriefed."

Akhtar was placed into custody at the same time that five Americans who were recruited by the HUJI leader were convicted in a Pakistani court of attempting to join al Qaeda to carry out attacks for the terror network. The five Americans were recruited by Akhtar via the Internet and traveled to Pakistan in November 2009. They were arrested by police in Sargodha before they could travel to North Waziristan to join al Qaeda. [See LWJ report, Top al Qaeda leader linked to 5 Americans on trial in Pakistan.]

Another US intelligence official said that the timing of Akhtar's detention and the conviction of the five American jihadis was "no coincidence."

"Pakistan's ISI often brings in its top assets when the heat is turned up; they are placed in safehouses to avoid being targeted, or to get them out of the limelight," the official told The Long War Journal.

"This has happened in the recent past, with LeT [Lashkar-e-Taiba] emir Hafiz Saeed and JeM [Jaish-e-Mohammed] emir Masood Azhar after Mumbai in 2008," the official said, referring to the deadly terror assault on the Indian city of Mumbai that killed more than 170 people.

Both Saeed and Azhar were identified by the Indian government as being involved in the Mumbai attacks. Both were placed under house arrest and freed months later by the Pakistani government.

Dubai Assassination of Al-Mabhouh Followed Failed Attempt by Same Team

Via Wired.com (Threat Level) -

The successful assassination of a high-ranking member of Hamas early last year in Dubai followed an unsuccessful attempt by the same hit team two months earlier, according to a magazine story out this month.

The elite team suspected of orchestrating the kill tried to poison Mahmoud al-Mabhouh in November 2009 in Dubai, according to GQ magazine. The unknown toxin, possibly slipped into a drink or placed on fixtures in a hotel room, left al-Mabhouh mysteriously ill but not fatally so. Al-Mabhouh recovered from the illness without knowing he’d been poisoned, only to be killed by the same team about two months later on Jan. 19, 2010.

The article, written by Ronen Bergman, an Israeli investigative journalist and author, leaves no question that Israel’s Mossad intelligence agency was behind the attack. The agency’s code name for al-Mabhouh was Plasma Screen.

Most of the details in the article have been previously reported, but the piece does add some new information.

Israeli spies, for example, had been monitoring al-Mabhouh’s e-mail and online activities via a Trojan horse planted on his computer, and therefore knew when he’d be arriving in Dubai, according to Bergman. They did not, however, know which hotel he’d be staying at, which forced the well-prepared hit squad to improvise a bit.

Surveillance teams staked out every hotel their target was known to have stayed at during previous visits to Dubai, and another team waited at the airport and followed him to the Al Bustan Rotana Hotel, where he ended up taking a room. As previously disclosed, in order to kill al-Mabhouh, who was reportedly in Dubai to arrange shipments of weapons to Hamas, the team reprogrammed the electronic lock on his hotel room door while he was out for a four-hour meeting.

[...]

But most important, Bergman writes, they failed to anticipate the meticulous and efficient way Dubai authorities would piece together hundreds of hours of surveillance camera footage to identify more than two dozen suspects and track their movements throughout Dubai over many months.

“The laughable attempts of the Mossad operatives to disguise their appearance made for good television coverage, but the more fundamental errors committed by the team had less to do with cloak-and-dagger disguises than with a kind of arrogance that seems to have pervaded the planning and execution of the mission,” he writes.

Their activities were tracked in part through transactions on prepaid debit cards, which made connecting them to each other fairly easy. Several of the team members used the same type of card issued through MetaBank in Iowa. The payroll-style cards were issued by the U.S.-based company Payoneer, whose CEO, Yuval Tal, is an Israeli-American businessman and a former Israeli Special Forces commando.

[...]

Although none of the operatives has been captured or identified by a real name, most members of the team suspected of masterminding the attack belong to a secretive Mossad unit known as Caesarea, Bergman writes.

Caesarea, also known as Kidon, reportedly consists of only about 30 members. According to Bergman, they’re trained in a separate facility from other Mossad operatives to protect their identities and are “forbidden from ever using their real names, even in private conversations.”

“If the Mossad is the temple of Israel’s intelligence community,” a longtime member of Caesarea told Bergman, “then Caesarea is its holy of holies.”

“Holy of holies” refers to the inner sanctum where the tablets containing the Ten Commandments were said to have been stored in the ancient Jewish Temple in Jerusalem.

[...]

But the mistakes made by the Dubai hit team — such as using forged passports from Britain and other Western countries to enter Dubai — brought political repercussions to Israel. Last March, Britain expelled an Israeli diplomat over the passport fiasco. [Meir] Dagan [head of the Mossad] was replaced last month by Tamir Pardo, the Mossad’s deputy director for the last three years.

He reportedly opposed the use of forged British, Irish and Australian passports for the assassination, but his protests were ignored by Dagan.

Although Israel has never acknowledged or denied responsibility for the assassination, Pardo reportedly planned to apologize in private to British authorities for the hit team’s use of British passports and intended to promise that Israeli agents would never use fake British documents again.

Tuesday, January 4, 2011

Operation eMule: DHS Goes After Vietnamese Hackers, Identity Thieves

Via Computerworld.com -

The U.S. Department of Homeland Security is cracking down on an international criminal ring, based in Vietnam, that is thought to have stolen hundreds of millions of dollars from online merchants using hacking and identity theft.

Last month, agents from the DHS's Immigration and Customs Enforcement (ICE) investigations unit raided the home of two Vietnamese exchange students at Minnesota's Winona State University, seizing documents and computer equipment.

According to an affidavit filed in support of the search warrant in this case, the students, Tram Vo and Khoi Van, made more than $1.2 million selling software, video games and Apple gift cards on eBay, and then shipping buyers products that they'd purchased with stolen credit card numbers.

The scam that Vo and Van are accused of has become a big problem for U.S. merchants, according to the affidavit, which was unsealed last week.

[...]

The law enforcement operation, run out of ICE's Cyber Crimes Center in Washington, D.C., has been investigating the Vietnamese crime ring since Sept. 2009 in an action called Operation eMule, according to the affidavit, which is signed by DHS Special Agent Daniel Schwarz. "The criminal ring makes online purchases from e-commerce merchants using stolen credit card information and then utilizes an elaborate network of mules based in the United States," he wrote. The criminals get stolen credit or bank card numbers by hacking PCs or databases. In some cases, they simply buy the stolen personal information from underground online marketplaces.

The criminals involved in this operation get their orders via a secured Web site that is available only to "vetted members," Schwartz said. The money at play in this criminal enterprise is "estimated to exceed hundreds of millions of dollars," he said.

ICE and the Computer Crimes Center did not respond to calls Monday. PayPal and eBay were unable to comment immediately.

Iranian Nuclear Scientist 'Tortured on Suspicion of Revealing State Secrets'

Via The Guardian UK -

An Iranian nuclear scientist who claimed to have been abducted by the CIA and who returned to a hero's welcome in Tehran last July, has since been imprisoned and tortured on suspicion of giving away state secrets, according to an opposition website.

Iranbriefing.net - run by a US-based group which normally reports on political prisoners and the activities of Iran's revolutionary guard - said the scientist, Shahram Amiri, had been interrogated intensively for three months in Tehran and then spent two months in solitary confinement, where his treatment had left him hospitalised for a week.

The Tehran authorities would not confirm or deny the account.

Amiri has not been seen in public in the six months since his much-publicised homecoming from America, where he claimed to have been held against his will. State media portrayed him at the time as a daring patriot who had escaped from his alleged CIA captors with critical information about US covert operations against Iran.

US officials, surprised by Amiri's unexpected return to Iran, insisted he had gone to the US willingly. There was concern in US intelligence circles however that his original "defection" in Saudi Arabia in 2009 could have been a trap to embarrass the CIA and trick its officials into revealing how much the US knows about the Iranian nuclear programme.

The evidence is contradictory. During his time in the US, he appeared to have made three videos - one saying he had decided to continue his studies in the US, another saying he was being held captive and a third claiming to be on the run from the CIA. He then presented himself to the Iranian interest section at the Pakistani embassy in Washington, asking to go home.

Independent but unverified reports from inside Iran said Amiri's family had been stripped of their passports and placed under close scrutiny after the scientist went missing on his pilgrimage to Mecca.

Western observers said that his disappearance from public view since last summer strengthened their view that he had been forced to return by threats to his relatives.

DOD Report Says Spying Focused on Naval Technology

Via Threatpost.com -

The U.S. Department of Defense in a new report covering espionage for 2009 said that attempts by foreign spies to obtain classified or restricted U.S. technology increased and that foreign governments are focusing their spying efforts on naval and marine technology that could provide the foundation for a next generation "blue water" navy.

The revelation comes in the 2010 edition of "Targeting U.S. Technologies: A Trend Analysis of Reporting from Defense Industry," (PDF) an annual publication by the Defense Security Services (DSS), part of the U.S. Department of Defense. The report concludes that Internet based spying and targeted attacks from what the report refers to as "entities" from "East Asia and the Pacific region" continued to be a major problem for the U.S. military and military contractors.

However, foreign entities interested in acquiring classified or restricted technology didn't limit themselves to remote, Internet based attacks. For the fourth year in a row, DSS reported an increase in inquiries about business partnerships and R&D agreements. While some of those may be due to increased commercial links between the U.S. and nations seeking classified technology, the DSS concluded that many of those inquiries were linked to efforts to obtain sensitive technology. In fact, commercial spying far outweighed more traditional types of government-to-government espionage when it came to the acquisition of sensitive technology, the DSS report concludes. Front companies, foreign visits and public venues where technology was on display all provided opportunities for nations to circumvent U.S. export control and collect information and technology inconspicuously, the report says.

"This represents, in part, an apparent shift on the part of foreign governments to mask officially-sponsored collection efforts as seemingly less alerting inquiries," the report says.

Many of the conclusions of the latest report, which summarizes reports of suspicious activity collected during the 2009 fiscal year, echo those of previous reports. Information systems technology was of particular interest, especially technology related to modeling and simulation software that can be used in military modernization programs.

Monday, January 3, 2011

Accidental Leak Reveals Chinese Hackers Have IE Zero-Day

Via DarkReading.com -

A renowned Google researcher who this week released a new free fuzzer that so far has found around 100 vulnerabilities in all browsers says Chinese hackers appear to have gotten their hands on one of the same bugs he discovered with the tool.

Google's Michal Zalewski unleashed the so-called cross_fuzz tool on New Year's Day and announced the fuzzer to date uncovered more than 100 vulnerabilities, many of them exploitable, in all browsers.

In a bizarre twist, Zalewski says an accidental leak of the address of the fuzzer prior to its release helped reveal some unexpected intelligence, namely that "third parties in China" apparently also know about an unpatched and exploitable bug he found in IE with the fuzzer. It all started when one of cross_fuzz's developers, who was working on crashes in the open-source WebKit browser engine used in Chrome and Safari, inadvertently leaked the address of the fuzzer in one of the crash traces that was uploaded. That got the fuzzer's directory, as well as the IE test results from the fuzzer, indexed by GoogleBot, he says.

Zalewski says he was able to confirm afterward that there were no downloads or discoveries of the tool. But on Dec. 30, he says, an IP address in China queried keywords included in one of the indexed cross_fuzz files, specifically two DLL functions, BreakAASpecial and BreakCircularMemoryReferences, associated with and unique to the zero-day IE flaw he found with the fuzzer.

"The person had no apparent knowledge of cross_fuzz itself, poked around the directory for a while, and downloaded all the accessible files; suggesting this not being an agent one of the notified vendors, but also being a security-minded visitor," Zalewski explained in his blog post. "The pattern is very strongly indicative of an independent discovery of the same fault condition in MSIE by unrelated means; other explanations for this pair of consecutive searches seem extremely unlikely."


------------------------------------------------------------------------------------------------------------------------

Announcing cross_fuzz, a potential 0-day in circulation, and more
http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html

Cross_fuzz tool - http://lcamtuf.coredump.cx/cross_fuzz/
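The pattern Zalewski read out of his access logs (a search-engine referer carrying identifiers that only appear in an unpublished file, followed by the same visitor walking and downloading the whole directory) is something any site owner can look for once a private directory has been accidentally indexed. The following is an added example, not code from the cross_fuzz project or the DarkReading article: it parses Apache combined-format log lines, pulls the query words out of search-engine referers, and flags source addresses that arrived via a query containing a watched identifier and then fetched several files under the watched directory. The log lines, the example.org host, the file names under /cross_fuzz/ and the RFC 5737 documentation addresses are constructed; the two function names are the ones quoted in the article.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set
from urllib.parse import parse_qs, urlparse

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referers from these engines carry the visitor's query in the URL.
SEARCH_HOSTS = ("google.", "bing.", "yahoo.", "baidu.")
QUERY_PARAMS = ("q", "p", "wd")

# Identifiers that only occur in files which were never meant to be public (from the article).
SENSITIVE_TERMS = {"breakaaspecial", "breakcircularmemoryreferences"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def search_terms(referer: str) -> Set[str]:
    """Lower-cased query words if the referer is a search-engine results page, else empty."""
    if not referer or referer == "-":
        return set()
    url = urlparse(referer)
    if not any(host in url.netloc for host in SEARCH_HOSTS):
        return set()
    words: Set[str] = set()
    for key in QUERY_PARAMS:
        for value in parse_qs(url.query).get(key, []):
            words.update(w.lower() for w in value.split())
    return words


def analyze(lines: Iterable[str], watched_dir: str = "/cross_fuzz/", min_files: int = 3) -> Dict[str, dict]:
    """Per source IP that touched watched_dir: query words seen, sensitive ones among them,
    number of distinct paths fetched, and whether the sensitive-query-then-enumerate pattern held."""
    per_ip = defaultdict(lambda: {"terms": set(), "sensitive": set(), "files": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(watched_dir):
            continue
        entry = per_ip[rec["ip"]]
        entry["files"].add(rec["path"])
        terms = search_terms(rec["referer"])
        entry["terms"] |= terms
        entry["sensitive"] |= terms & SENSITIVE_TERMS
    return {
        ip: {
            "search_terms": sorted(e["terms"]),
            "sensitive_hits": sorted(e["sensitive"]),
            "files": len(e["files"]),
            "flagged": bool(e["sensitive"]) and len(e["files"]) >= min_files,
        }
        for ip, e in per_ip.items()
    }


# Constructed log excerpt: one visitor arrives via a query for the two function names and
# then walks the directory; another arrives via a harmless query; a third never touches it.
SAMPLE_LOG = """
203.0.113.7 - - [30/Dec/2010:10:01:12 +0000] "GET /cross_fuzz/msie_crash.txt HTTP/1.1" 200 5120 "http://www.google.com/search?q=BreakAASpecial+BreakCircularMemoryReferences" "Mozilla/5.0"
203.0.113.7 - - [30/Dec/2010:10:01:40 +0000] "GET /cross_fuzz/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Dec/2010:10:02:05 +0000] "GET /cross_fuzz/cross_fuzz.html HTTP/1.1" 200 9000 "http://example.org/cross_fuzz/" "Mozilla/5.0"
203.0.113.7 - - [30/Dec/2010:10:02:09 +0000] "GET /cross_fuzz/known_crashes.txt HTTP/1.1" 200 300 "http://example.org/cross_fuzz/" "Mozilla/5.0"
198.51.100.20 - - [30/Dec/2010:11:15:00 +0000] "GET /cross_fuzz/ HTTP/1.1" 200 2048 "http://www.google.com/search?q=cross_fuzz" "Mozilla/5.0"
192.0.2.9 - - [30/Dec/2010:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "curl/7.21"
"""

if __name__ == "__main__":
    for ip, report in analyze(SAMPLE_LOG.strip().splitlines()).items():
        print(ip, report)
```

The sensitive-term list is the part to tailor: it should hold strings that exist only in the files you did not intend to publish, so a hit proves the visitor already knew about the content rather than having stumbled on the directory listing.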

Report Strengthens Suspicions That Stuxnet Sabotaged Iran’s Nuclear Plant

Via Wired.com (Threat Level) -

A new report appears to add fuel to suspicions that the Stuxnet superworm was responsible for sabotaging centrifuges at a uranium-enrichment plant in Iran.

The report, released Thursday by the Institute for Science and International Security, or ISIS, indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran’s Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart.

The frequencies of the Natanz rotors were apparently not a secret and were disclosed to ISIS in mid-2008 — the earliest samples of Stuxnet code found so far date back to June 2009, a year after ISIS learned about the frequencies. They were disclosed to ISIS by "an official from a government that closely tracks Iran’s centrifuge program."

The unnamed government official told ISIS that the nominal frequency for the IR-1 centrifuges at Natanz was 1,064 Hz, but that Iran kept the actual frequency of the centrifuges lower to reduce breakage. According to another source, Iran often ran its centrifuges at 1,007 Hz.

The information would have been gold to someone looking to sabotage the centrifuges since, as ISIS notes, it provided both confirmation that Iran’s centrifuges were prone to an unusual amount of breakage and that they were subject to breakage at a specific frequency of rotation.

[...]

It’s known that Iran decommissioned and replaced about a thousand IR-1 centrifuges at its Natanz plant between November 2009 and February 2010. It’s not known if this was due to Stuxnet or due to a manufacturing defect or some other cause, but the ISIS report increases plausibility that Stuxnet could have played a role in their demise.

[...]

According to an examination of Stuxnet by security firm Symantec, once the code infects a system, it searches for the presence of two kinds of frequency converters made by the Iranian firm Fararo Paya and the Finnish company Vacon, making it clear that the code has a precise target in its sights. Once it finds itself on the targeted system, depending on how many frequency converters from each company are present on that system, Stuxnet undertakes two courses of action to alter the speed of rotors being controlled by the converters. In one of these courses of action, Stuxnet begins with a nominal frequency of 1,064 Hz — which matches the known nominal frequency at Natanz but is above the 1,007 Hz at which Natanz is said to operate — then reduces the frequency for a short while before returning it back to 1,064 Hz.

In another attack sequence, Stuxnet instructs the speed to increase to 1,410 Hz, which is "very close to the maximum speed the spinning aluminum IR-1 rotor can withstand mechanically," according to the ISIS report, which was written by ISIS president David Albright and colleagues.

"The rotor tube of the IR-1 centrifuge is made from high-strength aluminum and has a maximum tangential speed of about 440-450 meters per second, or 1,400-1,432 Hz, respectively," according to ISIS. "As a result, if the frequency of the rotor increased to 1,410 Hz, the rotor would likely fly apart when the tangential speed of the rotor reached that level."

[...]

ISIS notes that the Stuxnet commands don’t guarantee destruction of centrifuges. The length of the frequency changes may be designed simply to disrupt operations at the plant without breaking rotors outright, and the plant could conceivably have secondary control systems in place to protect centrifuges and that are not affected by Stuxnet’s malicious commands.
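The ISIS figures can be checked with the rim-speed relation v = 2πrf, and the same numbers define the kind of independent setpoint envelope the report has in mind when it mentions secondary protection systems that Stuxnet's commands do not reach. The following is an added example, not code from the ISIS report or from Symantec's analysis: it derives the rotor radius implied by 440-450 m/s at 1,400-1,432 Hz, confirms where a 1,410 Hz command lands relative to that limit, and scans a sequence of commanded frequencies for excursions outside a safe envelope or abrupt steps. The setpoint sequence, the 900 Hz floor and the 200 Hz step limit are constructed parameters; the 1,007, 1,064, 1,410 and 1,400-1,432 Hz values and the speed figures are the ones quoted in the article.

```python
import math
from typing import Dict, List, Union

Alert = Dict[str, Union[int, float, str]]


def tangential_speed(radius_m: float, hz: float) -> float:
    """Rim (tangential) speed in m/s of a rotor of radius radius_m spinning at hz rev/s."""
    return 2.0 * math.pi * radius_m * hz


def rotor_radius(speed_m_s: float, hz: float) -> float:
    """Radius in metres implied by a rim speed reached at a given rotation frequency."""
    return speed_m_s / (2.0 * math.pi * hz)


def check_setpoints(setpoints: List[float], min_hz: float, max_hz: float, max_step: float) -> List[Alert]:
    """Flag commanded frequencies outside [min_hz, max_hz] and jumps larger than max_step.

    This is the kind of plain envelope check a secondary protection system can apply to
    the commanded speed independently of the controller that issues it.
    """
    alerts: List[Alert] = []
    prev = None
    for i, hz in enumerate(setpoints):
        if hz > max_hz:
            alerts.append({"index": i, "hz": hz, "reason": "above_max"})
        elif hz < min_hz:
            alerts.append({"index": i, "hz": hz, "reason": "below_min"})
        if prev is not None and abs(hz - prev) > max_step:
            alerts.append({"index": i, "hz": hz, "reason": "large_step"})
        prev = hz
    return alerts


# Figures quoted from the ISIS report: 440-450 m/s corresponds to 1,400-1,432 Hz.
IR1_RIM_SPEED_M_S = (440.0, 450.0)
IR1_BREAKUP_HZ = (1400.0, 1432.0)
# Both end points give the same radius, about 0.050 m, i.e. a rotor roughly 100 mm across.
IR1_RADIUS_M = rotor_radius(IR1_RIM_SPEED_M_S[0], IR1_BREAKUP_HZ[0])

# Constructed sequence of commanded frequencies (Hz): the 1,007 and 1,064 values from the
# article, a spike to 1,410 as in the report's second attack sequence, and a constructed
# dip to 500 standing in for the "reduce the frequency for a short while" behaviour.
SAMPLE_SETPOINTS = [1007, 1007, 1064, 1410, 1064, 1007, 500, 1007]


def demo() -> List[Alert]:
    """Print the derived figures and return the envelope alerts for the sample sequence."""
    v = tangential_speed(IR1_RADIUS_M, 1410.0)
    print(f"implied rotor radius: {IR1_RADIUS_M * 1000:.1f} mm; rim speed at 1410 Hz: {v:.0f} m/s")
    return check_setpoints(SAMPLE_SETPOINTS, min_hz=900.0, max_hz=1400.0, max_step=200.0)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

With the implied radius, a 1,410 Hz command puts the rim at about 443 m/s, inside the 440-450 m/s band the report gives as the mechanical limit, which is the arithmetic behind the "would likely fly apart" statement. The envelope check flags both the spike and the dip as well as every abrupt step between them, which is why such a check has to live outside the controller Stuxnet was rewriting.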

There are still a lot of unanswered questions about both Stuxnet and the Natanz facility.

[...]

If Stuxnet was indeed aimed at Natanz, and if its goal was to quickly destroy all of the centrifuges at Natanz, ISIS notes that it failed at this task.

"But if the goal was to destroy a more-limited number of centrifuges and set back Iran’s progress in operating the FEP, while making detection difficult, it may have succeeded, at least temporarily," according to the report.

The authors close their report with a warning to governments that using tools like Stuxnet "could open the door to future national security risks or adversely and unintentionally affect U.S. allies."

"Countries hostile to the United States may feel justified in launching their own attacks against U.S. facilities, perhaps even using a modified Stuxnet code," they write. "Such an attack could shut down large portions of national power grids or other critical infrastructure using malware designed to target critical components inside a major system, causing a national emergency."
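As an added example (not code from the Wired article or the ISIS report), the following Python script turns the figures quoted above into a simple plant-side sanity check: it derives the rotor radius implied by ISIS's speed/frequency pairs, converts any frequency-converter setpoint into a tangential rotor speed, and flags setpoints that either leave an assumed ±10 % operating band around the nominal frequency or reach the mechanical limit. The setpoint log and the reduced-frequency value in it are constructed for illustration.

```python
import math

# Figures quoted from the ISIS report in the excerpt above.
ISIS_SPEED_LIMIT_MPS = (440.0, 450.0)  # max tangential speed of an IR-1 rotor
ISIS_FREQ_LIMIT_HZ = (1400.0, 1432.0)  # the same limits as rotor frequency
NATANZ_NOMINAL_HZ = 1064.0             # nominal frequency reported for Natanz
NATANZ_OPERATING_HZ = 1007.0           # frequency Natanz is said to run at
STUXNET_OVERSPEED_HZ = 1410.0          # setpoint in one Stuxnet attack sequence
NORMAL_BAND = 0.10  # assumed: +/-10 % of nominal counts as a normal setpoint

def implied_rotor_radius_m(speed_mps, freq_hz):
    """Radius implied by a (tangential speed, frequency) pair: v = 2*pi*r*f."""
    return speed_mps / (2 * math.pi * freq_hz)

# Both ISIS data points imply the same radius (about 5 cm); that consistency
# is what lets us convert any setpoint into a rotor speed.
ROTOR_RADIUS_M = implied_rotor_radius_m(ISIS_SPEED_LIMIT_MPS[0], ISIS_FREQ_LIMIT_HZ[0])

def tangential_speed_mps(freq_hz, radius_m=ROTOR_RADIUS_M):
    """Rotor tangential speed (m/s) at a given rotation frequency."""
    return 2 * math.pi * radius_m * freq_hz

def classify_setpoint(freq_hz, nominal_hz=NATANZ_NOMINAL_HZ):
    """Label one frequency-converter setpoint from a defender's point of view."""
    if freq_hz >= ISIS_FREQ_LIMIT_HZ[0]:
        return "destructive"  # at or beyond the rotor's mechanical limit
    if abs(freq_hz - nominal_hz) > NORMAL_BAND * nominal_hz:
        return "anomalous"    # legal for the drive, not a plausible operating point
    return "normal"

def flag_setpoints(log):
    """Return (time, Hz, label, m/s) for every log entry that is not 'normal'."""
    flagged = []
    for t, hz in log:
        label = classify_setpoint(hz)
        if label != "normal":
            flagged.append((t, hz, label, round(tangential_speed_mps(hz), 1)))
    return flagged

# Constructed setpoint log modelled on the sequence the article describes:
# steady operation, nominal, a short dip (value constructed; the article
# gives no figure), back to nominal, then the overspeed command.
SAMPLE_LOG = [("10:00:00", NATANZ_OPERATING_HZ), ("10:05:00", NATANZ_NOMINAL_HZ),
              ("10:05:15", 800.0), ("10:06:00", NATANZ_NOMINAL_HZ),
              ("10:30:00", STUXNET_OVERSPEED_HZ)]

if __name__ == "__main__":
    for entry in flag_setpoints(SAMPLE_LOG):
        print(entry)
```

The two flagged entries are the dip and the 1,410 Hz command; the latter maps to roughly 443 m/s, inside the 440-450 m/s range ISIS gives as the rotor's mechanical limit.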

Saturday, January 1, 2011

ICSR Insight: New English-Language al-Qaeda Explosives Manual Released Online

Via ICSR (Dec 31, 2010) -

In the last few days, English-language jihadist forums have released a significant new book entitled The Explosives Course. Published in 2010 by al-Qaeda’s Global Islamic Media Front (GIMF) and apparently compiled by former students of the now deceased al-Qaeda explosives expert Abu Khabab al-Misri (also known as Midhat Mursi al-Sayid Umar), it is among the most comprehensive and sophisticated manuals of its kind. The introduction claims that “this is the first book from a series of books aimed on this subject”, noting that further editions and updates will be forthcoming.

Targeting English-speaking audiences, it capitalises on the rise of ‘homegrown’ extremism in the US and Britain. This manual is widely available within online extremist networks and seeks to arm potential self-starters and ‘lone-wolves’ with the knowledge they often lack on creating viable explosive devices, in particular those living in the West who are motivated to act but unable to join terrorist training camps abroad. Following a recent rise in incidents of attempted attacks by US nationals on American soil, the US Attorney General Eric Holder claimed earlier this month that the threat of ‘homegrown’ terror “keeps me up at night”. He also warned that “the threat is real, the threat is different, the threat is constant.”

For ICSR's full analysis and the front page of The Explosives Course, please click below.

The story is also covered in today's Daily Telegraph; please click here for the full report.

ICSR Insight - New AQ Explosives Manual

The Explosives Course Front Page


---------------------------------------------------------------------------------------------------------------------------

According to the Telegraph UK...
Al-Masri, who had a $5 million bounty on his head, was killed by a missile from an unmanned US drone in July 2008 but he had left behind a number of Arabic training manuals that have been widely used by al-Qaeda students.

However the latest version of the manual, as an English translation, marks a new departure for the terrorist group.

The book says that it is the first of a series and adds: “Though we have successfully performed these experiments and came up with new developments, the work of compiling these – more detailed editions of the book – are being delayed. Thus we decided to publish this work as a raw edition.”

[...]

The manual is the first detailed guidance produced in English by al-Qaeda “central” based in Pakistan (aka AQ Core) and follows some more basic instructions called “How to make a bomb in the kitchen of your mom” produced by al-Qaeda in the Arabian Peninsula as part of an English-language online magazine.

India, Pakistan Exchange Nuclear Installations Lists

Via The Hindu (India) -

India and Pakistan on Saturday exchanged lists of their nuclear installations and facilities as per Article-II of the Agreement on Prohibition of Attacks against Nuclear Installations and Facilities between them.

According to this Agreement – signed on December 31, 1988 – they have to exchange the lists at the start of every calendar year. The exchange of lists through diplomatic channels took place in New Delhi and Islamabad simultaneously, factoring in the time difference.

This is the 20th consecutive exchange of such lists after the Agreement came into force on January 27, 1991. The first exchange took place on January 1, 1992.

Pakistan also handed over to the Indian High Commission in Islamabad the list of Indian prisoners in Pakistani jails.

This list was given as per the Agreement on Consular Access signed on May 21, 2008. The lists of prisoners have to be exchanged on January 1 and July 1 every year as per the agreement.


---------------------------------------------------------------------------------------------------------------------------

According to Dawn.com (Pakistan)...
The agreement is known as one of the best Confidence Building Measures between the two sides that has continued to remain effective despite the status of their ties.

[...]

The agreement defines “nuclear installation or facility” as a facility including nuclear power and research reactors, fuel fabrication, uranium enrichment, isotopes separation and reprocessing facilities.