Wednesday, June 29, 2011

Hacker Attack Allegedly Cripples Al-Qaida Web Communications

Via MSNBC.com -

Computer hackers shut down al-Qaida's ability to communicate its messages to the world through the Internet, interrupting the group's flow of videos and communiqués, according to a terrorism expert.

"Al-Qaida's online communications have been temporarily crippled, and it does not have a single trusted distribution channel available on the Internet," said Evan Kohlmann, of Flashpoint Global Partners, which monitors the group's communications.

The attack was carried out within the past few days by unknown hackers targeting al-Qaida's Internet communications systems. It was "well coordinated and involved the use of an unusual cocktail of relatively sophisticated techniques," Kohlmann said.

"My guess is that it will take them at least several days more to repair the damage and get their network up and functioning again," he said.

A year ago, al-Qaida's Internet communications suffered a similar hacker attack.

[...]

Kohlmann said the latest incident "once again appears to bear the telltale fingerprints of government-sponsored hackers."


--------------------------------------------------------------------------------------------------------

Here are several of Evan's previous tweets outlining the alleged attacks...

http://twitter.com/#!/IntelTweet/status/85468524537057280
Hackers have hijacked the primary web domain used by the top-tier "Shamukh" chat forum, which disseminates propaganda on behalf of Al-Qaida.
27 Jun
http://twitter.com/#!/IntelTweet/status/85488197286637568
The ongoing hacking attack on the top-tier "Shamukh" jihadi web forum has dramatically escalated, with the entire website now unavailable.
27 Jun
http://twitter.com/#!/IntelTweet/status/86132506423853056
Even with the return of Atahadi and Ansar al-Muj, the ongoing jihadi web blackout is by now the most significant such event since June '10.
29 Jun
http://twitter.com/#!/IntelTweet/status/86133041696751616
At the present time, Al-Qaida has been left without a trusted operational channel on the Internet for distributing its media and propaganda.
29 Jun

Pwnie Awards 2011 - Nominations Open

http://pwnies.com/

It is time to open the nominations for the Pwnie Awards 2011. We invite all members of the security community to look back at the past year and nominate all great bugs, lame vendors, amazing research and of course, songs. The full list of award categories and the submission form can be found at the nominations page.

We will accept nominations until July 20th, after which the top five nominees in each category will be announced on this website. The winners will be determined by a vote of the Pwnie Award judges shortly before the award ceremony.

The Pwnie Awards ceremony will take place during the BlackHat USA reception on August 3, 2011, starting at 6:15pm. The Pwnie Award organizers thank BlackHat for their generous sponsorship.

Symantec: A Window Into Mobile Device Security

http://www.symantec.com/content/en/us/about/media/pdfs/symc_mobile_device_security_june2011.pdf

Executive Summary

The mass-adoption of both consumer and managed mobile devices in the enterprise has increased employee productivity but has also exposed the enterprise to new security risks. The latest mobile platforms were designed with security in mind—both teams of engineers attempted to build security features directly into the operating system to limit attacks from the outset. However, as the paper discusses, while these security provisions raise the bar, they may be insufficient to protect the enterprise assets that regularly find their way onto devices. Finally, complicating the security picture is the fact that virtually all of today’s mobile devices operate in an ecosystem, much of it not controlled by the enterprise—they connect and synchronize out-of-the-box with third-party cloud services and computers whose security posture is potentially unknown and outside of the enterprise’s control.

[...]

Summary of iOS Security


Overall, Symantec considers iOS’s security model to be well designed and thus far it has proven largely resistant to attack. To summarize:

  • iOS’s encryption system provides strong protection of emails and email attachments, and enables device wipe, but thus far has provided less protection against a physical device compromise by a determined attacker.
  • iOS’s provenance approach ensures that Apple vets every single publicly available app. While this vetting approach is not foolproof, and almost certainly can be circumvented by a determined attacker, it has thus far proved a deterrent against malware attacks, data loss attacks, data integrity attacks, and denial of service attacks.
  • iOS’s isolation model totally prevents traditional types of computer viruses and worms, and limits the data that spyware can access. It also limits most network-based attacks, such as buffer overflows, from taking control of the device. However, it does not necessarily prevent all classes of data loss attacks, resource abuse attacks, or data integrity attacks.
  • iOS’s permission model ensures that apps can’t obtain the device’s location, send SMS messages, or initiate phone calls without the owner’s permission.
  • None of iOS’s protection technologies address social engineering attacks such as phishing or spam.
[...]

Summary of Android’s Security

Overall, while we believe the Android security model is a major improvement over the models used by traditional desktop and server-based operating systems, it has two major drawbacks. First, its provenance system enables attackers to anonymously create and distribute malware. Second, its permission system, while extremely powerful, ultimately relies upon the user to make important security decisions. Unfortunately, most users are not technically capable of making such decisions and this has already led to social engineering attacks. To summarize:
  • Android’s provenance approach ensures that only digitally signed applications may be installed on Android devices. However, attackers can use anonymous digital certificates to sign their threats and distribute them across the Internet without any certification by Google. Attackers can also easily “trojanize” or inject malicious code into legitimate applications and then easily redistribute them across the Internet, signing them with a new, anonymous certificate. On the plus side, Google does require application authors wishing to distribute their apps via the official Android App Marketplace to pay a fee and register with Google (sharing the developer’s digital signature with Google). As with Apple’s registration approach, this should act as a deterrent to less organized attackers.
  • Android’s default isolation policy effectively isolates apps from each other and from most of the device’s systems including the Android operating system kernel, with several notable exceptions (apps can read all data on the SD card unfettered).
  • Android’s permission model ensures that apps are isolated from virtually every major device system unless they explicitly request access to those systems. Unfortunately, Android ultimately relies upon the user to decide whether or not to grant permissions to an app, leaving Android open to social engineering attacks. Most users are unequipped to make such security decisions, leaving them open to malware and all of the secondary attacks (for example DDoS attacks, Data Loss attacks) that malware can launch.
  • Android recently began offering built-in encryption in Android 3.0. However, earlier versions of Android (running on virtually all mobile phones in the field), contain no encryption capability, instead relying upon isolation and permissions to safeguard data. Thus, a simple jailbreak of an Android phone or theft of the device’s SD card can lead to a significant amount of data loss.
  • As with iOS, Android has no mechanism to prevent social engineering attacks such as phishing attacks or other (off-device) Web-based trickery.

Hackers Steal Info on Military, Defense Personnel

Via ComputerWorld -

Email addresses and names of subscribers to DefenseNews, a highly-regarded website that covers national and international military and defense news, were accessed by hackers and presumed stolen, Gannett announced yesterday. DefenseNews' subscribers include active and retired military personnel, defense contractors and others in both the U.S. and other countries' defense establishments.

"We discovered that the attacker gained unauthorized access to files containing information of some of our users," said Gannett Government Media, an arm of the media chain that publishes not only DefenseNews, but also the Military Times and Federal Times sites, as well as a number of military-specific magazines and journals, ranging from the Army Times to the Intelligence, Surveillance and Reconnaissance Journal.

In a message posted to its site Monday, Gannett acknowledged that the accessed information included first and last names, email addresses, account passwords, and duty status branch of service for military personnel.

One security expert said it was possible the attack against DefenseNews and the other sites Gannett operates was targeted, perhaps by state-backed hackers. "It's hard to know if this was just part of the general ransacking of sites, or an attempt to obtain valuable information for spear-phishing," said Anup Ghosh, the founder and CEO of Web security firm Invincea. Ghosh said it's likely the attack was deliberately after the names and email addresses of people in the defense industry and military.

"This is a pretty selective group," Ghosh said of the DefenseNews account holders, "and would be restricted in scope to the military-industrial [establishment]. It would be very attractive from a nation-state point of view."

Monday, June 27, 2011

2011 CWE/SANS Top 25 Most Dangerous Software Errors

http://cwe.mitre.org/top25/index.html

Introduction

The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors and MITRE's Common Weakness Enumeration (CWE). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.

The 2011 Top 25 makes improvements to the 2010 list, but the spirit and goals remain the same. This year's Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence, importance, and likelihood of exploit. It uses the Common Weakness Scoring System (CWSS) to score and rank the final results. The Top 25 list covers a small set of the most effective "Monster Mitigations," which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the hundreds of weaknesses that are documented by CWE.

Sunday, June 26, 2011

Chinese Minister Was Caught in a 'Honeytrap'

Via Telegraph UK -

When Jin Renqing stepped down in August 2007, it was for 'personal reasons' according to the Chinese government. Now, it appears that Mr Jin was caught in a 'honeytrap' operation by a woman employed by Taiwan's intelligence agency to discover sensitive secrets.

At the time, there was speculation in the Hong Kong media that Mr Jin had resigned after he was found to have been unknowingly sharing a mistress with other senior Chinese officials. But the confidential cable from the US government claims that the then 63-year-old and the other officials were victims of a 'honeytrap', in which a seductive young woman is used to compromise a man with access to secret information of interest to a rival state.

"The woman was introduced to these men as 'someone working with a Chinese military intelligence department'. However, investigators now believe that she is a Taiwan intelligence operative," said the cable, which was released by WikiLeaks earlier this month. 'Honeytraps', which are also known as 'Honeypots', are as old as espionage itself, and have long been a staple of both intelligence agencies and Hollywood spy films.

While the KGB and former East German security services were especially adept at using 'honeytraps', ironically it is now China's spies who have enthusiastically adopted the technique.

In 2008, an aide to then Prime Minister Gordon Brown had his Blackberry stolen by a Chinese woman he met in a Shanghai nightclub.

A year later, a leaked MI5 report distributed to hundreds of UK companies warned of the dangers posed by charming young Chinese women in search of commercial secrets who approach British businessmen travelling in China.


------------------------------------------------------------------------------------------

Reminds me of one of the stickers on my refrigerator ....
http://www.flickr.com/photos/9teen87/5227974324/
"Beware of inquisitive women as well as prying men".

Saturday, June 25, 2011

The Triple Agent

Via Newsweek -

On Dec. 30, 2009, seven CIA operatives were killed at a U.S. base in Khost, Afghanistan, when a Jordanian double agent who claimed to have cracked Al Qaeda’s inner circle proved instead to be a suicide bomber—in other words, a triple agent.

The attack, the deadliest for the CIA in 25 years, was unlike any in the agency’s history. Over the decades, a multitude of CIA informants had lied, defrauded, betrayed, stolen money, or skipped town. But none had sought to lure his handlers into a trap with the aim of killing them, along with himself.

A 2010 internal CIA review identified a chain of failures that allowed 32-year-old physician Humam al-Balawi to gain access to the highly secure CIA base, breezing through checkpoints without a search until he came face to face with a large gathering of CIA officers anxious to meet him. Balawi had promised to deliver Ayman al-Zawahiri, deputy to Al Qaeda’s leader, Osama bin Laden. (Last week, in the wake of bin Laden’s death, Zawahiri emerged as the terrorist group’s new leader, though he was already in essence its operational commander.)

Balawi had backed his intelligence claims with evidence so electrifying that even President Obama had been briefed in advance. But the Jordanian was not what he seemed.

The warning signs, painfully obvious in hindsight, would be obscured by two singular forces that collided at Khost on that late-December day. One was the mind of Balawi, a man who flitted precariously between opposing camps. The other was the eagerness of war-weary intelligence operatives who saw a mirage and desperately wanted it to be real.


------------------------------------------------------------------------

Excerpted from the forthcoming The Triple Agent by Joby Warrick.

China Opens String of Spy Schools

Via Telegraph UK -

Last week, China opened its eighth National Intelligence College on the campus of Hunan University in the central city of Changsha. Since January, similar training schools have opened inside universities in Beijing, Shanghai, Xian, Qingdao and Harbin.

The move comes amid growing worries in the West at the scale and breadth of Chinese intelligence-gathering, with MI5 saying that the Chinese government "represents one of the most significant espionage threats to the UK".

In February, China allegedly managed to penetrate the Foreign Office's internal communications network.

Until now, however, the bulk of Chinese foreign espionage is thought to have been conducted primarily by academics and students who are sent to the host countries only for a short period of time.

The new schools aim to transform and modernise the Chinese intelligence services, producing spies who are trained in the latest methods of data collection and analysis. Each school will recruit around 30 to 50 carefully-selected existing undergraduates each year.

The move echoes similar efforts by Western intelligence agencies, including MI5, to improve their analytical capabilities and use of technology.

The United States has a similar project, named the National Security Education Program, that was set up in the wake of the first Gulf war in order to boost language and culture training for US spies.

The Chinese programme began in 2008 with the founding of the first Intelligence College at Nanjing university. A second school was set up in the southern province of Guangdong at the end of last year, and the programme has now been dramatically accelerated.

"The establishment of an Intelligence college at Fudan is in response to the urgent need for special skills to conduct intelligence work in the modern era," said a spokesman for Shanghai's Fudan university.

"The college will use Fudan's existing computer science, law, management, journalism and sociology resources and then carry out special intelligence training," he added.

Syria's President Gives OK to Pro-Gov Cyber Attackers?

Via Committee to Protect Journalists (CPJ.org) -

On Monday [June 20, 2011], Syrian President Bashar al-Assad gave his third public address on the vast unrest that has roiled his nation. Reporters described him as nervous. He, the reporters, or perhaps both, may have been thinking about the significance of speech No. 3. Both Tunisia's Zine El Abidine Ben Ali and Egypt's Hosni Mubarak were overthrown shortly after they delivered their third addresses on tumult in their countries. My interest, however, was on a sentence buried near the end of his address. Here's the official translation:
The army consists of the brothers of every Syrian citizen, and the army always stands for honour and dignity. Young people have an important role to play at this stage, because they have proven themselves to be an active power. There is the electronic army which has been a real army in virtual reality. There were those who took part in the blood donation campaign, and other initiatives. I met a number of youth delegations from different sections of society and found that Syrian youth enjoy a high sense of patriotism, and this is self-evident because they belong to this country.
Those bolded italics include a direct reference to the Syrian Electronic Army, a pro-government hacking group. On Twitter, the group thanked al-Assad for the mention, and went on to say on its Facebook page:
Our message to the news agencies and reporters: If you have a shortage of professionals to report the correct news ... the hordes of the Syrian Electronic Army will not be forgiving with you.
The statement sits next to a screenshot of the army's most frequent and mildest tactic: encouraging followers to saturate online forums with pro-Assad commentary. The group has taken such actions on American and French politicians' sites, as well as news sites such as that of the BBC.

But the army also claims responsibility for more invasive attacks, including defacing websites by exploiting security holes. Their attacks appear aimed more at the lower-hanging fruit of unsecured sites rather than those who write critically about Syrian affairs: Past targets have included local town councils in England, Israeli pizza shops, and Australian window sellers.

Nonetheless, to my knowledge this is the first time a head of state has explicitly approved of such actions. Governments are usually careful to distance themselves from nationalistic hacking groups, even if they tacitly permit it through lack of law enforcement. By mentioning the Electronic Army, al-Assad is signaling his support of computer sabotage and vigilante censorship in the name of his country. At least, that is how his online supporters are likely to interpret his words.


------------------------------------------------------------

Check out this great article by Information Warfare Monitor for background....

The Emergence of Open and Organized Pro-Government Cyber Attacks in the Middle East: The Case of the Syrian Electronic Army

Wednesday, June 22, 2011

Apple’s “Censoring” Patent Just a Sign of Things to Come

Via EFF Deeplinks -

Apple has been much maligned in the press recently for filing a patent application covering a camera system with infrared technology that could, among other things, allow the recording functionality to be shut off by a third party. For example, in its application, Apple shows how the technology could be used to "prevent illegal image capturing" at a rock concert.

[...]

To be clear, we should not fear this one patent application, but rather the larger technology that may be captured by governments and implemented in widespread standards that could have serious consequences, for example, by shutting down citizens’ ability to capture and disseminate video. The technology in this patent just may be a harbinger of that, and—for that reason—we will continue to watch it closely.

Friday, June 17, 2011

Analysis: Who Might Be Behind Attempted IMF Data Hacking?

Via Reuters (June 13, 2011) -

A national government is the most likely culprit in an apparent cyber attack on the International Monetary Fund, say experts, given the complexity of the assault and its targeting of the organization's secrets.

With the IMF leadership up for grabs as it mulls Eurozone bailouts and global financial reform, there is no shortage of states who might like to read its mail.

Any confirmation of a country's involvement would become a major diplomatic incident.

"For what we can tell, the aim ... appears to be to gather intelligence rather than cause disruption," said John Bassett, a former senior official at Britain's signals intelligence agency GCHQ and now a senior fellow at the Royal United Services Institute.

"The intrusion appears to be sophisticated and well executed at an operational level (suggesting) that it originates from or is sponsored by a state."

For many, China topped the list of suspects. Chinese hackers have been suspected of being behind several recent data theft attempts including one aimed at breaching the security of Google's Gmail on accounts belonging to activists, US officials and others. Beijing angrily denies any government link.

But experts say almost every sophisticated state indulges in electronic snooping, whilst independent hackers potentially working for militant groups or even banks or investment funds could also be in the frame.

Philip Blank, an expert on security, risk and fraud at San Francisco-based Javelin Strategy and Research said the IMF "would be an extraordinarily attractive target." Other financial industry insiders agreed.

"Given how central the IMF is at the moment, there are plenty of people who would like to know what it is thinking," said one London-based currency markets veteran, asking not to be named because of the sensitivity of the issue.

"They range from the world's largest reserve holders -- which are the key emerging economies like China -- to brokerages and funds to the Eurozone governments themselves."

Access to IMF files might give a hacker access to not only details of its own policy thoughts and internal debates but also those of other major powers, he said.

[...]


Larry Wortzel, a commissioner on the congressionally created U.S.-China Economic and Security Review Commission, said he suspected Chinese authorities had sought to pierce IMF networks to get inside information before meetings in Beijing last week with French Finance Minister Christine Lagarde, the frontrunner to replace Strauss-Kahn.

The bipartisan commission has accused Chinese hackers of infiltrating both the US and other international computer systems to gain information for commercial and strategic gain.

"You don't have to be Inspector Clouseau to figure this out," Wortzel, a retired U.S. Army colonel who served two tours as a military attache in China, said in a telephone interview, referring to the fictional French police detective. Wortzel said he did not have any forensic information to back his speculation. "To me, this is just practical common sense."

[...]

But Alexander Klimburg, a cyber security expert at the Austrian Institute for International affairs, said the source of the attacks could just as likely be from Russia.

Some security experts say both Moscow and Beijing in particular deliberately turn a blind eye to the activities of hackers in their territory providing they only attack foreign targets outside their borders.

Such hackers are believed to occasionally carry out work on behalf of governments as well as trading information for cash.

During the brief 2008 war between Georgia and Russia over breakaway South Ossetia, attacks disabled and took offline websites in all the countries involved.

Global coordination was key to countering the attacks, Klimburg said.

"This is potentially a great opportunity to launch a "communal" investigation into an attack on a "communal" institution," he said. "If the fingers can be pointed, they should be pointed. The only way to stop such attacks is "naming and shaming" and in this case... there is a clear global interest at stake."

Exploit for MS11-50 Vulnerability in the Wild

Via Symantec Über Security Response Blog -

Symantec Security Response has confirmed that the Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Vulnerability (CVE-2011-1255) is being exploited in the wild. The vulnerability affects Internet Explorer versions 6, 7, and 8; however, the exploit we have acquired seems to only affect version 8. Microsoft has already released patches as part of the MS Tuesday release on June 14, so Symantec advises all users to install the patch. So far, we have only seen limited attacks taking advantage of this vulnerability and believe that the exploit is only being carried out in targeted attacks at present.

We have been able to confirm the existence of one such attack that involves a compromised website hosting content for a neighborhood restaurant. It appears that a duplicate of the top page of the website was either hacked to include a hidden iframe tag linking to an exploit page or was prepared from scratch; if the exploit runs successfully, the included shellcode downloads an encrypted malicious file from the same site. Interestingly, a link to cnzz.com, which is a site that offers statistical analysis, is included in the page, perhaps to provide the attackers with an idea of how the attack is progressing. The downloaded malware then contacts 323332.3322.org using the HTTP protocol and awaits further commands. 3322.org provides a type of dynamic DNS service and is known to be used for various malicious purposes, so it may not be a bad idea to block access to this domain and, if needed, whitelist the subdomains that you may need access to. It's likely that the attacker sends emails to targets with a link to the website with the intent to steal confidential information, which is a common method used in targeted attacks.

To protect themselves from attack, users should apply the latest patch for this vulnerability. They should also keep all other software on their computer up to date as well, including security software. Users should also be cautious when receiving emails with attachments and links they receive from both known and unknown sources.


------------------------------------------------------------------------

Threat Mitigation - Apply MS11-050
The vulnerability outlined above was patched in Microsoft's Security Bulletin MS11-050 - Cumulative Security Update for Internet Explorer (2530548)
http://www.microsoft.com/technet/security/Bulletin/MS11-050.mspx
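The mitigation Symantec suggests above (block the 3322.org dynamic DNS parent domain, whitelist only the subdomains you actually need, and watch for the 323332.3322.org command-and-control host) is straightforward to turn into a log check. The following is an added example, not code from Symantec or from this post: it triages a constructed sample of BIND-style DNS query-log lines. The whitelist entry, the client addresses and the log layout are assumptions made up for the example; the two domain names come from the report.

```python
"""Flag DNS lookups under a blocked dynamic-DNS parent domain, honouring a whitelist.

Added example (not Symantec's code). The parent domain and C2 host are taken
from the report above; everything else (log format, clients, whitelist) is a
constructed assumption.
"""
import re
from typing import List, NamedTuple, Set

BLOCKED_PARENT = "3322.org"               # dynamic-DNS provider named in the report
KNOWN_C2 = {"323332.3322.org"}            # command-and-control host named in the report
WHITELIST = {"legit-service.3322.org"}    # hypothetical subdomain the organisation still needs

# BIND-style query log line (assumed layout for the sample below)
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

# Constructed sample log lines; none of these were captured from a real network.
SAMPLE_LOG = """\
17-Jun-2011 09:12:01.115 client 10.0.5.23#51234: query: www.example.com IN A
17-Jun-2011 09:12:03.402 client 10.0.5.23#51240: query: 323332.3322.org IN A
17-Jun-2011 09:12:05.019 client 10.0.5.41#49211: query: legit-service.3322.org IN A
17-Jun-2011 09:12:07.771 client 10.0.5.77#50002: query: update.3322.org. IN A
17-Jun-2011 09:12:09.330 client 10.0.5.23#51244: query: evil3322.org IN A
"""


class Finding(NamedTuple):
    ts: str
    src: str
    qname: str
    verdict: str   # "known-c2", "blocked-parent" or "whitelisted"


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot of a fully qualified form."""
    return name.lower().rstrip(".")


def domain_under(qname: str, parent: str) -> bool:
    """True for the parent itself and any subdomain of it.

    The comparison includes the separating dot, so a look-alike such as
    'evil3322.org' does not match '3322.org'.
    """
    q, p = normalize(qname), normalize(parent)
    return q == p or q.endswith("." + p)


def triage_dns_log(text: str) -> List[Finding]:
    """Return one Finding per query that falls under the blocked parent domain."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not domain_under(m["qname"], BLOCKED_PARENT):
            continue
        qname = normalize(m["qname"])
        # A known C2 host wins over the whitelist: an allow-list entry must never
        # silence a lookup of the host the report names as the controller.
        if qname in KNOWN_C2:
            verdict = "known-c2"
        elif qname in WHITELIST:
            verdict = "whitelisted"
        else:
            verdict = "blocked-parent"
        findings.append(Finding(m["ts"], m["src"], qname, verdict))
    return findings


def clients_to_investigate(findings: List[Finding]) -> Set[str]:
    """Source addresses that resolved anything under the parent that was not whitelisted."""
    return {f.src for f in findings if f.verdict != "whitelisted"}


if __name__ == "__main__":
    results = triage_dns_log(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts}  {f.src:<12} {f.qname:<28} {f.verdict}")
    print("investigate:", sorted(clients_to_investigate(results)))
```

Run against a real BIND query log the same pattern applies unchanged; a proxy log only needs a different LOG_RE. The suffix check in domain_under is the part worth copying: matching on a bare substring would both miss the trailing-dot form and produce false positives on look-alike registrations.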

Thursday, June 16, 2011

Jihadi Forum Watchers Beat Wires to Zawahri Story

Via The Atlantic Wire -

In the wee hours of Thursday morning, the news broke that al-Qaeda had officially tapped Ayman al-Zawahri, Osama bin Laden's former second-in-command, as its next leader. But how did the news break? It turns out that terrorism experts who monitor jihadi forums managed to beat the super-fast wire services to the story.

Here's how it all went down. At around 2 am EST, Aaron Zelin, who runs the website Jihadology, tweeted that al-Qaeda's General Command had announced its new leader, linking to a statement on the Islamist website Ansar al-Mujahideen (Followers of the Holy Warriors, pictured above). He told The Atlantic Wire that he was randomly checking Ansar's Arabic forum when he came across the statement, which had just been posted. Zelin, who is currently in an Arabic immersion program at Middlebury College, isn't allowed to speak English, so he tweeted the news in Arabic and sent the link via instant message to Daveed Gartenstein-Ross, the director of the Center for the Study of Terrorist Radicalization, for distribution to the wider world. Gartenstein-Ross swiftly did just that in between observations about his dissertation and rioting Vancouver Canucks fans. After seeing Gartenstein-Ross's tweet, Leah Farrall, who runs the blog All Things Counter Terrorism, quickly observed, "Reason number one thousand why you should always read AQ primary materials. Succession of al-Zawahiri as amir."

Minutes later, the analysts transitioned to fact-checking mode. J.M. Berger, who runs the site IntelWire, asked about the document's authenticity and Farrall noticed that the properties data on the file announcing the promotion was created on May 21 and modified on June 14, with six revisions, though she decided to "leave it to those with funkier toys to have a look around the data." Berger concluded that since Ansar was running the statement as a banner headline, it's "either authentic or a whole new class of forgery," adding that since many people expected al-Zawahri to succeed bin Laden, the probability that people would spend time and effort on a forgery was low. Within the hour, Al Arabiya television was reporting the news, which was picked up in a Reuters "FLASH" and soon covered by hundreds of other sources. Al Arabiya and Reuters, of course, may have also spotted the statement on jihadi forums this morning and simply been delayed in publishing the news by internal verification requirements. But the genesis of the story gives us another example, in the wake of the 'Gay Girl in Damascus' hoax, of how collaborative fact-checking and news breaking can work on Twitter.


--------------------------------------------------

Awesomeness. Nice work gentlemen and lady ;)

Wednesday, June 15, 2011

TrustDefender Labs - Torpig: Back to The Future

http://www2.trustdefender.com/labs/2011/06/Torpig%20-%20Back%20to%20the%20Future%20-%20TrustDefender%20indepth%20report%20-%20June%202011%20-%20final.pdf

Executive Summary

We have seen many different examples of how improvements in the security landscape have forced the bad guys to change tactics and achieve their results via different, potentially less useful, methods.

A prime example is the introduction of UAC in Windows 7 together with the default user not running as administrator. This poses a tricky question for malware developers: Do I ask for elevation (UAC) and risk that users get suspicious, or do I do whatever I can without administration privileges?

Well the answer has been given. We’ve analysed Zeus before and Zeus will not bring up the UAC and will only infect the currently logged in user.

In this TrustDefender Labs report we look at a new strain of the notorious Torpig Trojan that gained massive publicity in 2008 when it was distributed together with the Mebroot / MBR virus. In this report we look at a new variant that will do an impressive amount of things completely without administrator privileges.

On a positive note, the lack of privileges restricts the trojan’s ability to hide itself deep in the system and makes it much easier to detect and remove.


--------------------------------------------------------------------

As Windows 7 and the practice of running as a non-administrator become more standard, malware will most likely adapt in three ways:

  • Some malware will simply run without admin privileges. Per-user malware is not as dangerous as privileged malware (it cannot load a kernel-mode rootkit or a driver-based keylogger, for example), but it can still hook the user's browser, log keystrokes from user mode, and acquire and exfiltrate any data the user can read. This is already happening, as noted in SecureWorks' March 2010 report on Zeus and in the Torpig report above.
  • Other malware will exploit local privilege escalation (EoP) vulnerabilities in Windows 7 to get around UAC and acquire administrative privileges on its own. Since this can only happen after the malware is already running on the system, it requires chaining two or three vulnerabilities (one for initial code execution, one or more for elevation), which is still fairly rare. It works even when the user is only a standard user, and it has already been seen in a couple of cases: in 2008, F-Secure observed a worm using a public EoP vulnerability to gain admin rights and install a rootkit, and in 2010 Stuxnet used a local privilege escalation zero-day to gain admin privileges on Windows 7 and Server 2008.
  • Protected Administrators on Windows 7 (accounts in the Administrators group that run with a filtered token under UAC) may even see malware trying to talk the user into self-elevating through social engineering. Once the user approves the elevation prompt, the malware has full run of the system, kernel included. Foreseeing this, Microsoft shows the UAC prompt on the "Secure Desktop", which keeps other processes from spoofing the prompt or injecting clicks into it. Note that this protects only the prompt itself; it cannot protect a user who decides to click "Yes".

Adobe Patches Flash Player 0-Day Used in Targeted Attacks

http://www.adobe.com/support/security/bulletins/apsb11-18.html

A critical vulnerability has been identified in Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.23 and earlier versions for Android. This memory corruption vulnerability (CVE-2011-2110) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages.

Adobe recommends users of Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.26, available now. Adobe expects to make available an update for Adobe Flash Player 10.3.185.23 and earlier versions for Android before the end of the week of June 13, 2011.

Note: This issue does not affect the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.3) and earlier 10.x and 9.x versions for Windows and Macintosh operating systems.


------------------------------------------------------------------------------------------

Extremely Poor AV Detection on New Adobe Flash 0-Day - 2/41 (4.9%)
http://www.virustotal.com/file-scan/report.html?id=8d592113d251be2f3d2a96c53373df1b5c1d23e00397d295b60d809208ad3ab5-1308109907

Threat Mitigation - Verify Your Flash Player Version
To verify the version of Adobe Flash Player installed on your system, open Adobe's About Flash Player page. Check that the number in the "Version Information" box matches the latest version listed for your browser and operating system in the table on that page. If it doesn't, install the latest version. If you use multiple browsers, perform the check in each browser you have installed: the ActiveX control used by Internet Explorer and the plug-in used by other browsers are separate installs and are patched separately.

Pakistan Arrests C.I.A. Informants in Bin Laden Raid

Via NY Times -

Pakistan’s detention of five C.I.A. informants, including a Pakistani Army major who officials said copied the license plates of cars visiting Bin Laden’s compound in Abbottabad, Pakistan, in the weeks before the raid, is the latest evidence of the fractured relationship between the United States and Pakistan. It comes at a time when the Obama administration is seeking Pakistan’s support in brokering an endgame in the war in neighboring Afghanistan.

At a closed briefing last week, members of the Senate Intelligence Committee asked Michael J. Morell, the deputy C.I.A. director, to rate Pakistan’s cooperation with the United States on counterterrorism operations, on a scale of 1 to 10.

“Three,” Mr. Morell replied, according to officials familiar with the exchange.

The fate of the C.I.A. informants arrested in Pakistan is unclear, but American officials said that the C.I.A. director, Leon E. Panetta, raised the issue when he travelled to Islamabad last week to meet with Pakistani military and intelligence officers.

Some in Washington see the arrests as illustrative of the disconnect between Pakistani and American priorities at a time when they are supposed to be allies in the fight against Al Qaeda — instead of hunting down the support network that allowed Bin Laden to live comfortably for years, the Pakistani authorities are arresting those who assisted in the raid that killed the world’s most wanted man.

The Bin Laden raid and more recent attacks by militants in Pakistan have been blows to the country’s military, a revered institution in the country. Some officials and outside experts said the military is mired in its worst crisis of confidence in decades.

American officials cautioned that Mr. Morell’s comments about Pakistani support were a snapshot of the current relationship, and did not represent the administration’s overall assessment.

“We have a strong relationship with our Pakistani counterparts and work through issues when they arise,” said Marie E. Harf, a C.I.A. spokeswoman. “Director Panetta had productive meetings last week in Islamabad. It’s a crucial partnership, and we will continue to work together in the fight against Al Qaeda and other terrorist groups who threaten our country and theirs.”


----------------------------------------------------------------------------------

Why Has Pakistan Targeted Informants Who Helped Track Bin Laden?
http://www.time.com/time/world/article/0,8599,2077838,00.html
The move against the informants appears to be an attempt to stand up to what the ISI sees as American unilateralism and, in particular, an unauthorized expansion of the CIA's footprint in Pakistan.

Tuesday, June 14, 2011

Better 'Protected Mode' Support in Adobe Reader X (10.1)

According to the release notes for the just-released Adobe Reader X (10.1), this version adds support for "Protected Mode" in cases where Reader is hosted on Citrix / Terminal Services and in cases where PDFs are embedded in Office documents (OLE). Good news indeed!

This should let users of those configurations turn on "Protected Mode", Reader's sandbox, which is a great defense-in-depth measure: it does not remove Reader's vulnerabilities, but it limits what an exploit for one of them can do to the rest of the system.

See Page 5....
http://kb2.adobe.com/cps/837/cpsid_83708/attachments/Acrobat_Reader_ReleaseNote_10.1.pdf

Assessing the Risk of Microsoft's June Security Updates

Terminology - Microsoft releases "bulletins", each of which contains fixes or patches for one or more vulnerabilities. It isn't uncommon to see a single bulletin (e.g. MS11-050) called a "patch", but it is important to remember that, most of the time, a single bulletin addresses many vulnerabilities, each with its own CVE and its own ratings.

----------------------------------------------------------------------------

This month, nine bulletins were rated critical, which is exactly the number outlined in the advance notification.

However, the exploitability index was recently split into two separate numbers:
  • Exploitability Index for Latest Software Release (e.g. Windows 7 and Server 2008 R2)
  • Exploitability Index for Older Software Releases (e.g. Windows XP)

According to today’s bulletin summary, CVE-2011-1262 (part of MS11-050) has an exploitability index of “2” (inconsistent exploit code likely) on the latest operating systems and “1” (consistent exploit code likely) on the older ones. Newer operating systems have more mitigation layers (DEP on by default, ASLR, UAC, etc.), so the same bug is harder to exploit reliably there than on an older release. The summary table lists these details for every vulnerability in every bulletin.

The table on Microsoft's Security Research & Defense (SRD) blog, on the other hand, combines the individual vulnerability data and lists, for each bulletin as a whole, the “max” severity rating and the "max" exploitability rating, which means the lowest index number, since 1 is the most exploitable.

Given all of this, I would say the numbers in the SRD table are the safest route when assessing the risk: they reflect the worst case across every vulnerability in the bulletin.
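To make the roll-up concrete, here is an added Python example (mine, not Microsoft's or the SRD blog's code) that takes per-CVE rows and produces the per-bulletin worst-case ratings the SRD table shows, then orders bulletins for patching depending on which index applies to your fleet. The only real row is CVE-2011-1262 with the values quoted above; the other rows, their severities and the bulletin name EXAMPLE-B are constructed placeholders.

```python
"""Added example: roll per-vulnerability ratings up into the per-bulletin
worst-case ratings the SRD table shows. 'Worst' means the most severe
severity and the LOWEST exploitability index (1 = consistent exploit code
likely, 2 = inconsistent exploit code likely, 3 = functioning exploit code
unlikely). None means no index was assigned for that release."""

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
EI_LABEL = {1: "consistent exploit code likely",
            2: "inconsistent exploit code likely",
            3: "functioning exploit code unlikely"}

# The first row is the real CVE quoted above. Every other row, and the
# bulletin name EXAMPLE-B, is a constructed placeholder for illustration.
ROWS = [
    {"bulletin": "MS11-050",  "cve": "CVE-2011-1262", "severity": "Critical",  "ei_latest": 2,    "ei_older": 1},
    {"bulletin": "MS11-050",  "cve": "placeholder-1", "severity": "Important", "ei_latest": 3,    "ei_older": 3},
    {"bulletin": "EXAMPLE-B", "cve": "placeholder-2", "severity": "Important", "ei_latest": 3,    "ei_older": 2},
    {"bulletin": "EXAMPLE-B", "cve": "placeholder-3", "severity": "Moderate",  "ei_latest": None, "ei_older": None},
]


def worst_severity(a, b):
    """The more severe of two severity labels (lower rank number is worse)."""
    if a is None:
        return b
    if b is None:
        return a
    return a if SEVERITY_RANK[a] <= SEVERITY_RANK[b] else b


def worst_index(a, b):
    """Lower index is more exploitable; an unassigned index never wins."""
    vals = [x for x in (a, b) if x is not None]
    return min(vals) if vals else None


def summarize(rows):
    """Per-bulletin roll-up: CVE count, max severity, max exploitability per index."""
    out = {}
    for r in rows:
        s = out.setdefault(r["bulletin"],
                           {"cves": 0, "max_severity": None, "ei_latest": None, "ei_older": None})
        s["cves"] += 1
        s["max_severity"] = worst_severity(s["max_severity"], r["severity"])
        s["ei_latest"] = worst_index(s["ei_latest"], r["ei_latest"])
        s["ei_older"] = worst_index(s["ei_older"], r["ei_older"])
    return out


def triage_order(summary, fleet="mixed"):
    """Bulletin names, most urgent first. fleet='latest' uses only the Latest
    Software index, 'older' only the Older Software index, 'mixed' the worse of
    the two (the SRD approach). Ties break on severity, then name."""
    def key(item):
        name, s = item
        if fleet == "latest":
            ei = s["ei_latest"]
        elif fleet == "older":
            ei = s["ei_older"]
        else:
            ei = worst_index(s["ei_latest"], s["ei_older"])
        return (ei if ei is not None else 99, SEVERITY_RANK[s["max_severity"]], name)
    return [name for name, _ in sorted(summary.items(), key=key)]


if __name__ == "__main__":
    summary = summarize(ROWS)
    for name, s in summary.items():
        print(name, s["cves"], "CVEs,", s["max_severity"],
              "| EI latest/older:", s["ei_latest"], "/", s["ei_older"],
              "(", EI_LABEL.get(s["ei_older"], "n/a"), ")")
    print("mixed fleet:", triage_order(summary))
    print("Windows 7 only:", triage_order(summary, fleet="latest"))
```

The point of the two `fleet` modes is the one made above: a CVE rated 2 on Windows 7 and 1 on XP is a "1" for any organisation that still has XP on the network, so the mixed (worst-of-both) ordering is the safe default.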

Monday, June 13, 2011

US Blocks Ship Suspected of Carrying North Korean Arms

Via VOA News -

A senior U.S. official says the Navy intercepted a ship suspected of carrying banned weapons technology from North Korea to Burma and forced it to return home. U.S. officials say they received support from the Association of Southeast Asian Nations, including Burma, in putting pressure on Pyongyang to halt the ship.

The USS McCampbell, a Navy destroyer, intercepted the M/V Light in international waters on May 26, as it made its way from North Korea to Burma. The ship carries the Belize flag, and authorities in Belize had given permission for it to be boarded.

But the North Korean crew refused to be boarded, and after a few days of military confrontation and diplomatic pressure, turned toward home.

Gary Samore is the White House special assistant on arms control and weapons of mass destruction. He said in Seoul Monday that the ship came under suspicion because it has been involved in weapons exports to Burma and the Middle East in the past.

[...]

He says the United States met with its partners in the Association of Southeast Asian Nations, and "made the case" that the ship might be violating U.N. sanctions against North Korea and there were grounds for it to be inspected if it visited ASEAN ports. He said the ASEAN nations indicated their willingness to comply with the U.N. resolutions.

"The Burmese said in the meeting I was in that they would respect and honor their obligations under [U.N. Security Council Resolution] 1874. They never committed to doing inspections, but they said they would honor 1874," said Samore.

Security Council Resolution 1874 and an earlier one, 1718, bar North Korea from engaging in the arms trade. 1874 was imposed in 2009 after North Korea conducted its second nuclear-weapons test.

[...]

Washington also has been concerned with Burma's growing military contacts with North Korea. The two countries in recent years have resumed ties, which were severed after North Korean agents planted a bomb in Rangoon in 1983 that killed several visiting South Korean Cabinet members.

There have been numerous reports in the past two years that Burma's military aims to obtain sophisticated weaponry, including nuclear bombs. There has been no official confirmation of those reports.

The United States, like many developed nations, has imposed sanctions on Burma's leadership for human rights abuses.

APT: International Monetary Fund Reportedly Hacked

Via H-Online -

Although no statement has been released on the web site of the International Monetary Fund (IMF), it has been reported by the New York Times and Bloomberg that the IMF has been the victim of a "large and serious" cyber attack. The full extent of the attack has not been revealed, but it has been said that the attackers were able to plant software on a computer within the IMF which enabled them to have some level of external access to its network. The software may well have been planted as a result of a targeted spear phishing attack; the IMF’s chief information officer, Jonathan Palmer, sent out an email warning employees of “increased phishing activity”. The World Bank took the problem seriously and, as a precaution, severed the network connection that allows the two organisations to share data.

According to the Bloomberg report, the attack appears to have been mounted by a foreign government, although no specific country was named. The same report quoted an unnamed source as stating that the IMF lost a "large quantity" of data which included emails and other documents. Some of the information held by the IMF is highly sensitive, much of it dealing with countries suffering financial difficulties and the negotiations in which they are involved. Very large sums of money are involved in these negotiations, around £56 billion last year in emergency loans.


------------------------------------------------------------------------

What Defines an APT?
McAfee Labs summarized it well in their 2011 Threat Predictions whitepaper (PDF). The generally accepted definition of an APT is one that describes a targeted cyber espionage or cyber sabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than a pure financial/criminal reason or political protest. Not all APT attacks are highly advanced and sophisticated, just as not every highly complex and well-executed targeted attack is an APT. The motive of the adversary, not the level of sophistication or impact, is the primary differentiator of an APT attack from a cybercriminal or hacktivist one.

Suspected APT Attacks Against Other Finance Organizations
Other finance-related bodies, such as the French Ministry of Finance and the Canadian Finance Department and Treasury Board, have also been the victims of intrusions this year.

French Ministry of Finance
In December 2010, the French Ministry of Finance detected an attack that appeared to target documents related to the G20 summit and the French G20 presidency. According to McAfee, over 150 computers in the ministry were infiltrated through targeted spear-phishing e-mails carrying malicious attachments.

Canadian Finance Department and Treasury Board
A federal cabinet minister reported that hackers, perhaps from China, compromised computers in two Canadian government departments in early January 2011. According to the CBC and other Canadian news organizations, a technique sometimes known as “executive spear phishing” was used, in which the attackers pose as senior officials; at the same time, other employees in the departments received e-mails that falsely appeared to come from those senior officials and carried malicious Adobe PDF attachments. Reports indicate the attackers were targeting financial records.

Nissan LEAF Cars Leak Speed, Position, Destination to RSS Feeds

Via H-Online -

A developer has found that the in-car electronics on the Nissan LEAF all-electric car leaks telemetry information to RSS feeds. The in-car electronics, CARWINGS, allows drivers to access their own selected RSS feeds which are then read to them.

But when Casey Halverson added his own feeds to the system, he found that his Apache server logs held more than just a request for the RSS data. The GET request for the RSS feed also included his latitude, longitude, speed, direction, and destination latitude and longitude.

"All of these lovely values are being provided to any third party RSS provider you configure" writes Halverson; there are no warnings that this information is being sent and it is not possible to disable it. The information is only provided when the RSS feed is requested, so it cannot be used as a vehicle tracker but it does offer real-time snapshots. The IP address shown for the request appears to belong to Hitachi Automotive Systems in Japan, which may indicate that the RSS request is being proxied by a Nissan data center; whether this will make the problem easier to fix is unclear.

Halverson has created a demonstration RSS feed for LEAF drivers which will read back the details that are being leaked. He has also created a "less evil" RSS feed which will give weather information for the car's current location. The issue is a good demonstration of the next generation of privacy problems.


---------------------------------------------------------------------

I think Nissan has some serious explaining to do...

Time to pull that Privacy officer out of HR / Marketing and get him/her into the engineering side of the house too ;)

Friday, June 10, 2011

Microsoft's Ten Immutable Laws of Security (v2.0)

http://blogs.technet.com/b/msrc/archive/2011/06/09/june-advance-notification-service-and-10-immutable-laws-revisited.aspx

Ten years ago, Microsoft penned the “Ten Immutable Laws of Security,” which debuted on TechNet. It was written before the rise of – among other technologies and trends – cloud computing, social networking, widespread smartphone adoption, and Windows XP, to name but a few landmarks along the way. Did a decade of change mutate the Immutables? How can understanding the Laws lead to smarter security for everyone from corporations to home users? We invite you to read “Ten Immutable Laws of Security 2.0” and see for yourself.

-----------------------------------------------------------------------

The 10 Immutable Laws

  • Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
  • Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
  • Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
  • Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
  • Law #5: Weak passwords trump strong security.
  • Law #6: A computer is only as secure as the administrator is trustworthy.
  • Law #7: Encrypted data is only as secure as its decryption key.
  • Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
  • Law #9: Absolute anonymity isn't practically achievable, online or offline.
  • Law #10: Technology is not a panacea.

Thursday, June 9, 2011

Bin Laden Documents Sharpen US Aim

Via Yahoo! News (AP) -

The U.S. is tracking possible new terror targets and stepping up surveillance of operatives previously considered minor al-Qaida figures after digging through the mountain of correspondence seized from Osama bin Laden's hideout, officials say. The trove of material is filling in blanks on how al-Qaida operatives work, think and fit in the organization, they say.

The new information is the result of five weeks of round-the-clock work by a CIA-led team of data analysts, cyber experts and translators who are 95 percent finished decrypting and translating the years of material and expect to complete the effort by mid-June, two U.S. officials say.


Al-Qaida operatives worldwide are feeling the heat, with at least two of them altering their travel plans in recent weeks in apparent alarm that they might become the targets of another U.S. raid, one official said.

[...]

There is nothing in the bin Laden files so far to indicate an imminent attack, three officials said. The U.S. has increased its vigilance regarding some of the targets bin Laden suggests to his operatives, from smaller U.S. cities to mass transport systems, to U.S. embassies abroad and even oil tankers in the Persian Gulf.

A law enforcement official briefed on the process said investigators have been analyzing raw digital data found on multiple hard drives and flash drives, and that some of it consists of sequences of numbers. Investigators were trying to discern potential bank account or phone numbers that might point to al-Qaida contacts in the United States or elsewhere, or codes that could produce other leads, said the official, who was not authorized to publicly discuss the analysis and spoke on condition of anonymity.


--------------------------------------------------------------------------------------

On June 8, 2011, Al-Qaida's As-Sahab Media Foundation released a new recorded message from Dr. Ayman al-Zawahiri, al-Qaida's longtime No. 2 and presumed operational head, mourning the death of Usama Bin Laden.

Flashpoint Partners has the full translation here [PDF].

Some Top Android Apps Put Data at Risk w/ Insecure Password Storage

via WSJ.com (Digits Blog) -

You’d think the spate of Internet security breaches this spring would have companies on their toes. But when it comes to wireless apps, some are still making rookie mistakes. Computer security firm viaForensics has found the applications for top Internet companies LinkedIn Corp., Netflix, Inc., Foursquare and Square, Inc. stored various forms of users’ personal data in plain text on a mobile device, putting sensitive information at risk to computer criminals.

The Android applications of LinkedIn, Netflix and Foursquare stored user names and passwords in unencrypted form on their Google-powered devices. Storing that data in plain text violates a commonly accepted best practice in computer security. Since many people tend to use the same usernames and passwords across any number of sites, the failing could help hackers penetrate other accounts.

ViaForensics also found the iPhone version of Square’s mobile payments app exposed a user’s transaction amount history and the most recent digital signature of a person who signed an electronic receipt on the app. A hacker would need skill and luck to exploit the vulnerabilities, either via physical access to a person’s phone or through malicious software that is installed on the device, scenarios that could open bigger security risks than those created by the password problem alone.

Still, the opening is a concern. “Data should not be stored on a phone,” said Andrew Hoog, chief investigative officer of viaForensics, which is based in Chicago. If data is stored on a phone, he said, it should be encrypted.


----------------------------------------------------------------------

Earlier this year, OWASP announced a new "Mobile Security Project" with a new Mobile Top 10 Risks list (currently in draft). This “Top 10” initiative is intended to help organizations determine how best to apply development and security resources to protect their mobile applications and data. Insecure storage of sensitive data on the device, exactly what viaForensics found here, is the first risk (M1) in that list.

Mobile Code Security: Guide to Improving the Security of Your Mobile Application
http://www.veracode.com/security/mobile-code-security

Wednesday, June 8, 2011

EFF: How to Disable Facebook's Facial Recognition Feature & Control Photo Tagging



EFF shows you three ways to delete your facial fingerprint data from Facebook and shows you a privacy setting that lets you ensure that you are the only person who can see tags identifying you in photographs.

-----------------------------------------------------

As always Facebook would "love" for everyone to share everything with the world (and with them), therefore this new feature is enabled by default (aka opt-out).

Privacy advocates, security professionals [i.e. those paid to be paranoid] and European regulators greatly prefer features that are disabled by default (aka opt-in).

Tuesday, June 7, 2011

Java SE Critical Patch Update - June 2011

http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 17 new security fixes across Java SE products.

---------------------------------------------------------

The updated version is Java SE/JRE 6 Update 26.

Verify Your Java Version (if enabled in your browser)
http://java.com/en/download/installed.jsp?detect=jre&try=1

You can update your Java by using the automatic update feature in the "Update" tab of the Java Control Panel in Windows.

Hackers Exploit Flash Bug in New Attacks Against Gmail Users

Via CSO Online -

Adobe today confirmed that the Flash Player bug it patched Sunday is being used to steal login credentials of Google's Gmail users.

The vulnerability was patched yesterday in an "out-of-band," or emergency update. The fix was the second in less than four weeks for Flash, and the fifth this year. A weekend patch is very unusual for Adobe.

"We have reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message," said Adobe spokeswoman Wiebke Lips in response to questions today. "The reports we received indicate that the current attacks are targeting Gmail specifically. However, we cannot assume that other Web mail providers may not be targeted as well."

According to Adobe's advisory, the Flash vulnerability is a cross-site scripting bug.

Cross-site scripting flaws are often used by identity thieves to hijack usernames and passwords from vulnerable browsers. In this case, browsers themselves are not targeted; rather, attackers are exploiting the Flash Player browser plug-in, which virtually every user has installed.

Adobe said that Google reported the Flash Player flaw to its security team.

Targeted attacks that try to steal account information are commonplace, but they've been prominent in the news since last Wednesday, when Google accused Chinese hackers of targeting senior U.S. government officials and others in a long-running campaign to pilfer Gmail usernames and passwords.

China has denied Google's allegations. The Federal Bureau of Investigation (FBI) is looking into Google's charges.


--------------------------------------------------------------------------

Adobe recommends users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.22 (10.3.181.23 for ActiveX / IE).

Verify Your Flash Player Version
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
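The two Flash version checks on this page (the June 14 post on APSB11-18 above and this one on APSB11-13) both come down to comparing the installed build against the fixed build for the right plug-in type. The following added Python example (not Adobe's code) does that with the fixed versions quoted in the two bulletins on this page. It assumes, as those bulletins do, that Android builds are the 10.3.185.x line and desktop builds the 10.3.181.x line; the Android fix for APSB11-18 had not shipped when that bulletin was written, so it is recorded as not available. The per-browser inventory in the main block is constructed.

```python
"""Added example: is the installed Flash Player build at or above the fixed
build for its platform and plug-in type? Fixed builds are those quoted in
APSB11-13 and APSB11-18 on this page; None means no fix was available yet.
Branch-aware: a plain numeric compare would call the Android 10.3.185.x line
'newer' than the 10.3.181.26 desktop fix, which is the wrong answer."""

FIXED_BUILDS = {
    "APSB11-13": {"plugin": "10.3.181.22", "activex": "10.3.181.23"},
    "APSB11-18": {"plugin": "10.3.181.26", "activex": "10.3.181.26", "android": None},
}

# Assumption taken from the bulletins: desktop builds are 10.3.181.x, Android builds 10.3.185.x.
ANDROID_BRANCH = (10, 3, 185)


def parse_version(text):
    """'10.3.181.23' -> (10, 3, 181, 23); rejects anything that is not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected Flash version string: %r" % text)
    return tuple(int(p) for p in parts)


def naive_is_patched(installed, fixed):
    """Plain tuple compare. Wrong across branches: 10.3.185.23 (Android) looks
    newer than 10.3.181.26 (desktop fix) but belongs to a different build train."""
    return parse_version(installed) >= parse_version(fixed)


def status(installed, kind, bulletin):
    """kind: 'plugin' (NPAPI: Firefox, Safari, Chrome), 'activex' (Internet Explorer)
    or 'android'. Returns 'patched', 'vulnerable' or 'vulnerable (no fix released yet)'."""
    v = parse_version(installed)
    is_android_build = v[:3] == ANDROID_BRANCH
    if (kind == "android") != is_android_build:
        raise ValueError("build %s does not match plug-in type %s" % (installed, kind))
    fixed_for = FIXED_BUILDS[bulletin]
    if kind not in fixed_for:
        raise KeyError("%s gives no fixed build for %s in the excerpt on this page" % (bulletin, kind))
    fixed = fixed_for[kind]
    if fixed is None:
        return "vulnerable (no fix released yet)"
    return "patched" if v >= parse_version(fixed) else "vulnerable"


def check_browsers(installed_by_browser, bulletin):
    """Per-browser results: each browser family carries its own Flash install,
    so one machine can be patched in Firefox and still vulnerable in IE."""
    return {name: status(ver, kind, bulletin)
            for name, (kind, ver) in installed_by_browser.items()}


if __name__ == "__main__":
    # Constructed inventory for one workstation, as read from each browser's About Flash Player page.
    inventory = {"Internet Explorer": ("activex", "10.3.181.23"),
                 "Firefox": ("plugin", "10.3.181.22")}
    for bulletin in FIXED_BUILDS:
        print(bulletin, check_browsers(inventory, bulletin))
    print("naive compare says Android 10.3.185.23 is patched:",
          naive_is_patched("10.3.185.23", "10.3.181.26"))
```

The constructed workstation is fully patched against APSB11-13 and fully vulnerable to APSB11-18 nine days later, which is the usual state of affairs with out-of-band Flash fixes and why the check is worth scripting rather than eyeballing.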

China's View Is More Important Than Yours

Via Tao Security (Richard Bejtlich) -

In my post Review of Dragon Bytes Posted I wrote the following to summarize analysis of Chinese thoughts on cyberwar, as translated from original Chinese publications:
The Chinese military sees Western culture, particularly American culture, as an assault on China, saying "the West uses a system of values (democracy, freedom, human rights, etc.) in a long-term attack on socialist countries...

Marxist theory opposes peaceful evolution, which... is the basic Western tactic for subverting socialist countries" (pp 102-3). They believe the US is conducting psychological warfare operations against socialism and consider culture as a "frontier" that has extended beyond American shores into the Chinese mainland.

The Chinese therefore consider control of information to be paramount, since they do not trust their population to "correctly" interpret American messaging (hence the "Great Firewall of China"). In this sense, China may consider the US as the aggressor in an ongoing cyberwar.
[...]

As you can see, the Chinese think an information war is already being waged. The US started it, and the US continues it (in the Chinese view) as demonstrated by turbulence in the Middle East.

China's view is more important than yours, because China is acting on its view while too many in the West and the US in particular argue about whether or not a cyberwar is happening. The Chinese believe cyberwar is ongoing, and that the US started it. From what I can tell, the Chinese intend to win it.


----------------------------------------------------------

Such good insight from the new CSO @ Mandiant.

Monday, June 6, 2011

Protective Intelligence Lessons from an Ambush in Mexico

Via STRATFOR (Security Weekly) -

On the afternoon of May 27, a convoy transporting a large number of heavily armed gunmen was ambushed on Mexican Highway 15 near Ruiz, Nayarit state, on Mexico’s Pacific coast. When authorities responded they found 28 dead gunmen and another four wounded, one of whom would later die, bringing the death toll to 29. This is a significant number of dead for one incident, even in Mexico.

According to Nayarit state Attorney General Oscar Herrera Lopez, the gunmen ambushed were members of Los Zetas, a Mexican drug cartel. Herrera noted that most of the victims were from Mexico’s Gulf coast, but there were also some Guatemalans mixed into the group, including one of the wounded survivors. While Los Zetas are predominately based on the Gulf coast, they have been working to provide armed support to allied groups, such as the Cartel Pacifico Sur (CPS), a faction of the former Beltran Leyva Organization that is currently battling the Sinaloa Federation and other cartels for control of the lucrative smuggling routes along the Pacific coast. In much the same way, Sinaloa is working with the Gulf cartel to go after Los Zetas in Mexico’s northeast while protecting and expanding its home turf. If the victims in the Ruiz ambush were Zetas, then the Sinaloa Federation was likely the organization that planned and executed this very successful ambush.

Photos from the scene show that the purported Zetas convoy consisted of several pickup trucks and sport utility vehicles (two of which were armored). The front right wheel on one of the armored vehicles, a Ford Expedition, had been completely blown off. With no evidence of a crater in the road indicating that the damage had been caused by a mine or improvised explosive device (IED), it would appear that the vehicle was struck and disabled by a well-placed shot from something like a rocket-propelled grenade (RPG) or M72 LAW rocket, both of which have been seen in cartel arsenals. Photos also show at least one heavy-duty cattle-style truck with an open cargo compartment that appears to have been used as a troop transport. Many of the victims died in the vehicles they were traveling in, including a large group in the back of the cattle truck, indicating that they did not have time to react and dismount before being killed.

[...]

Most of the victims were wearing matching uniforms (what appear to be the current U.S. Marine Corps camouflage pattern) and black boots. Many also wore matching black ballistic vests and what appear to be U.S.-style Kevlar helmets painted black. From the photos, it appears that the victims were carrying a variety of AR-15-variant rifles. Despite the thousands of spent shell casings recovered from the scene, authorities reportedly found only six rifles and one pistol. This would seem to indicate that the ambush team swept the site and grabbed most of the weapons that may have been carried by the victims.

A convoy of this size could have been dispatched by Los Zetas and CPS on a military raid into hostile Sinaloa territory, but there is also a possibility that the gunmen were guarding a significant shipment of CPS narcotics passing through hostile territory. If that was the case, the reason for the ambush may have been not only to kill the gunmen but also to steal a large shipment, which would hurt the CPS and could be resold by Sinaloa for a substantial profit.

Whether the objective of the ambush was simply to trap and kill a Zetas military team conducting a raid or to steal a high-value load of narcotics, a look at this incident from a protective intelligence point of view provides many lessons for security professionals operating in Mexico and elsewhere.

Read more: Protective Intelligence Lessons from an Ambush in Mexico | STRATFOR


---------------------------------------------------------------------------------------------------------

Recent examples of both huge weapon caches and armored vehicles seized by the Mexican Army:

Mexican Military Finds Huge Weapons Cache (June 4, 2011)
http://www.voanews.com/english/news/americas/Mexican-Military-Finds-Huge-Weapons-Cache-123155388.html
Authorities said they found more than 150 rifles and shotguns, 92,000 rounds of ammunition, four mortar shells, two rocket-propelled grenades and assorted other weaponry. The cache was found at a ranch near the industrial city Monclova in the northern state Coahuila that borders the United States. They believe the cache belonged to the Zetas cartel, which has been battling the Sinaloa cartel and other drug gangs for control of Coahuila.

Army Seizes Armored Vehicles in Northern Mexico (June 6, 2011)
http://www.laht.com/article.asp?ArticleId=396419&CategoryId=14091
Two armored trucks, known as “monsters,” outfitted with 2.5-centimeter (one-inch) steel plates, two other partially completed trucks and 23 tractor-trailers awaiting modification were found in the garage. The vehicles, which are used for patrols and smuggling drugs into the United States, have air conditioning, armored diesel engines and steel plates to protect occupants, the 4th Military Region said. The armored trucks, which can only be taken out with 20 mm anti-tank grenades, are being used in the war between the Gulf cartel and Los Zetas for control of the border region, the army said.

Sunday, June 5, 2011

Absolute Sownage: A Concise History of Recent Sony Hacks

http://attrition.org/security/rants/sony_aka_sownage.html

Over the last two months, the multi-national Sony Corporation has come under a wide range of attacks from an even wider range of attackers. The backstory about what event prompted who to attack and why will make a mediocre made-for-TV movie someday. This article is not going to cover the brief history of hacks; readers can find details elsewhere. Instead, the following only serves to create an accurate and comprehensive timeline regarding the recent breaches, a Cliffs Notes summary for easy reference.

------------------------------------

Good concise list of recent attacks against Sony. They have been happening so quickly lately that it has been hard to keep them separate sometimes.

Flash Player Patch Fixes Zero-Day Flaw

Via krebsonsecurity.com -

Adobe released an emergency security update today to fix a vulnerability that the company warned is being actively exploited in targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

The vulnerability, a cross-site scripting bug that could be used to take actions on a user’s behalf on any Web site or Webmail provider, exists in Flash Player version 10.3.181.16 and earlier for Windows, Macintosh, Linux and Solaris. Adobe recommends users update to version 10.3.181.22 (on Internet Explorer, the latest, patched version is 10.3.181.23). To find out what version of Flash you have, go here.


----------------------------------------------------------------------------------------

APSB11-13: Security Update Available for Adobe Flash Player
http://www.adobe.com/support/security/bulletins/apsb11-13.html
This universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

Ilyas Kashmiri: Drone Strike Kills Top Pakistani Terrorist

Via VOA News -

On Saturday, Pakistani intelligence sources said that senior al-Qaida leader Ilyas Kashmiri died along with eight other militants in an attack on a location in South Waziristan.

Kashmiri's own militant group, Harakat-ul-Jihad al-Islami, or HUJI, confirmed his death in a fax to news organizations, saying Kashmiri was "martyred" Friday.

The United States had designated Kashmiri a "Specially Designated Global Terrorist" and offered a $5 million reward for information leading to his capture.

Intelligence officials regarded Kashmiri as one of the most dangerous and highly trained terrorist operatives. Pakistani officials suspected him of masterminding last month's attack on a naval base in Karachi, in which a handful of militants held off Pakistani forces for about 17 hours.

Officials have also tied Kashmiri to the 2008 Mumbai terror attacks that killed 166 people. The U.S. blames Kashmiri's group for the March 2006 bombing of the U.S. consulate in Karachi that killed four people and wounded 48 others. A U.S. grand jury indicted Kashmiri in 2010 in connection with a plot to attack a Danish newspaper.


---------------------------------------------------------------

FYI, the Specially Designated Global Terrorist (SDGT) designation has been superseded by the similar Specially Designated Nationals (SDN) list, published by the US Treasury's Office of Foreign Assets Control (OFAC). Muhammad/Mohammad Ilyas Kashmiri is listed in the full OFAC SDN list on page 233, near the bottom of the first column.

LWJ: Top al Qaeda Leader Ilyas Kashmiri Killed in US Predator Strike
http://www.longwarjournal.org/archives/2011/06/top_al_qaeda_leader_2.php
Kashmiri is said to be one of nine members of the al Qaeda-linked Harkat-ul Jihad Islami, or HUJI, who were killed in yesterday's Predator airstrike that leveled a compound in the Wana area of South Waziristan.

Strike two: Ilyas Kashmiri dead – again
http://tribune.com.pk/story/182727/strike-two-ilyas-kashmiri-dead--again/
“The strike took place in the Karikot area on the outskirts of Wana, the main town in South Waziristan, before midnight on Friday,” local sources said. “Some ‘guests’ were sitting in an apple orchard when a loud explosion took place.”

An intelligence official in Peshawar endorsed this version.

“Kashmiri was having tea with his men in the orchard when the strike took place. All nine militants, all of them from Punjab, were killed in the attack,” he told The Express Tribune.

[...]

Kashmiri and other militants were meeting an Afghan Taliban who worked in liaison with the Tehreek-i-Taliban Pakistan (TTP) when the drone missile struck, he added.

Aftermath Footage of Ilyas Kashmiri's Drone Attack Site
http://tribune.com.pk/multimedia/videos/182884/

Saturday, June 4, 2011

Lockheed Says Hacker Used Stolen SecurID Data

Via New York Times (June 3, 2011) -

Lockheed Martin said Friday that it had proof that hackers breached its network two weeks ago partly by using data stolen from a vendor that supplies coded security tokens to tens of millions of computer users.

Lockheed’s finding confirmed the fears of security experts about the safety of the SecurID tokens and heightened concerns that other companies or government agencies could be vulnerable to hacking attacks.

The tokens, which are used to protect remote access to computer networks, are sold by the RSA Security Division of the EMC Corporation. RSA officials said Friday that they accepted Lockheed’s findings and were working with customers to offset the risks through other measures.

RSA disclosed in March that hackers had stolen data that could compromise a company’s SecurID system in a broader attack, and the breach of Lockheed, the nation’s largest defense contractor, is the first time that is known to have occurred.

A rash of prominent breaches has brought new attention to an increase in the frequency and sophistication of computer hacking. Google said this week that it believed an effort to steal hundreds of Gmail passwords for accounts of prominent people, including senior American government officials, had originated in China.

The Pentagon, which has long been concerned about efforts by China and Russia to obtain military secrets, announced separately that it would soon view serious computer attacks from foreign nations as acts of war that could result in a military response.

RSA officials noted that Lockheed said it planned to continue using the SecurID tokens, and they said they believed other customers would as well. But security experts said RSA’s reputation had most likely been seriously damaged, and many of its 25,000 customers, including Fortune 500 companies and government agencies around the world, could face difficult decisions about what to do next.

RSA’s prospects for holding on to some of those customers “certainly seems bleak,” said Harry Sverdlove, the chief technology officer at Bit9, a firm that provides other types of security products and does not compete with RSA.

He and other experts said RSA might need to reprogram many of its security tokens or create an upgraded version to rebuild confidence in its systems.

In response to questions on Friday, Lockheed said in an e-mail that its computer experts had concluded that the breach at RSA in March was “a direct contributing factor” in the attack on its network. Government and industry officials said the hackers had used some of the RSA data and other techniques to piece together the coded password of a Lockheed contractor who had access to Lockheed’s system.

Lockheed, which makes fighter planes, spy satellites and other confidential equipment, said it had detected the attack quickly and blocked it before any important data was compromised.


--------------------------------------------------------------

Impressive timeframe. This means the attackers weaponized the stolen data from RSA very very quickly and used it to target high-value target(s).

The stolen RSA data (leading to cloned tokens) could have been used as an initial attack vector or as an alternative entry method to maintain persistence....or both (my guess).

While APT should be categorized as such based more on the motives and objectives of the attackers [and less on techniques used], this shows the actors have the capability to push beyond standard exploitation techniques to achieve their objectives.

This is industrial / military espionage.

Friday, June 3, 2011

China's Blue Army: When Nations Harness Hacktivists for Information Warfare

Via ZDNet Zero Day Blog (Dancho Danchev) -

China has recently announced the existence of the Blue Army, a government sponsored cyber warfare unit similar to those launched by the U.S, the United Kingdom, Australia and Israel.

Although the majority of the cyber warfare units have been established for defensive purposes, it’s the offensive cyber capabilities that are worth discussing in the context of establishing a borderline for offensive cyber operations. The methodology used in offensive cyber warfare operations is fairly simple - if you’re attacking us, we reserve the right to strike back at you.

[...]

It’s been a decade since the release of the Chinese “Unconventional warfare” book, and a lot has changed from a conceptual perspective. From the shift from symmetric to asymmetric concepts, to the unrestricted warfare military doctrines currently being implemented, the Chinese have proven that they’re not just able to keep up with the developing environment, but to dominate it with new concepts in cyberspace.

What constitutes unrestricted warfare in the cyberspace realm, really? Basically, it’s the reliance on civilians for executing government sponsored or government tolerated cyber operations, the so called people’s information warfare concept. The concept is fairly simple. Instead of establishing a dedicated cyber warfare unit, a country such as China is actively harnessing the potential of its hacktivist community for executing military operations and activities across the Web.

[...]

The Chinese underground and hacktivist community is developed well enough to manage the tasks of a fully operational cyber warfare unit, because it relies on the people not on the department.

MI6 Attacks Al-Qaeda in 'Operation Cupcake'

Via telegraph.co.uk -

The cyber-warfare operation was launched by MI6 and GCHQ in an attempt to disrupt efforts by al-Qaeda in the Arabian Peninsula to recruit “lone-wolf” terrorists with a new English-language magazine, the Daily Telegraph understands.

When followers tried to download the 67-page colour magazine, instead of instructions about how to “Make a bomb in the Kitchen of your Mom” by “The AQ Chef” they were greeted with garbled computer code.

The code, which had been inserted into the original magazine by the British intelligence hackers, was actually a web page of recipes for “The Best Cupcakes in America” published by the Ellen DeGeneres chat show.

[...]

By contrast, the original magazine featured a recipe showing how to make a lethal pipe bomb using sugar, match heads and a miniature lightbulb, attached to a timer.

The cyber attack also removed articles by Osama bin Laden, his deputy Ayman al-Zawahiri and a piece called “What to expect in Jihad.”

British and US intelligence planned separate attacks after learning that the magazine was about to be issued in June last year.

They have both developed a variety of cyber-weapons such as computer viruses, to use against both enemy states and terrorists.

A Pentagon operation, backed by Gen Keith Alexander, the head of US Cyber Command, was blocked by the CIA which argued that it would expose sources and methods and disrupt an important source of intelligence, according to a report in America.

However, the Daily Telegraph understands an operation was launched from Britain instead.

Al-Qaeda was able to reissue the magazine two weeks later and has gone on to produce four further editions but one source said British intelligence was continuing to target online outlets publishing the magazine because it is viewed as such a powerful propaganda tool.

The magazine is produced by the radical preacher Anwar al-Awlaki, one of the leaders of AQAP who has lived in Britain and the US, and his associate Samir Khan from North Carolina.

Both men, who are thought to be in Yemen, have associated with radicals connected to Rajib Karim, a British resident jailed for 30 years in March for plotting to smuggle a bomb onto a trans-Atlantic aircraft.

At the time Inspire was launched, US government officials said “the packaging of this magazine may be slick, but the contents are as vile as the authors.”

Bruce Riedel, a former CIA analyst, said it was “clearly intended for the aspiring jihadist in the US or UK who may be the next Fort Hood murderer or Times Square bomber.”


-------------------------------------------------------------------------------------

The takedown question is one of the biggest when it comes to counter-radicalization operations in cyberspace. The enemy exposes themselves (both physically and virtually) to publish...is the benefit of the takedown worth losing the self-exposure?

Replacing the content is a nice middle ground ;)

However, the reverse is true as well....we expose ourselves to conduct the operation (mostly virtually)... does the benefit outweigh our own exposure?

These questions are tough to answer in many cases.

Gmail Hackers Phished Victims for Months

Via Threatpost.com -

An independent security researcher who was among the first to investigate a large scale phishing attack aimed at U.S. government and military personnel says that attackers controlled victim accounts for months and repeatedly phished victims during that time.

Mila Parkour, a Washington, D.C.-based independent researcher, says that victims of the account takeovers were repeatedly phished over almost a year by attackers believed to be located in China. Parkour said in an instant message conversation with Threatpost on Thursday that the group or individuals responsible for the attack controlled those accounts for more than a year and repeatedly targeted both the legitimate account owner and his or her associates during that time.

Victims of the attack included government and military personnel in the U.S. and Asian nations, as well as human rights activists and journalists in China and elsewhere, Google said on Wednesday.

Parkour is an IT administrator who lives in Washington D.C. She does malware research in her free time. Her blog, Contagiodump, was credited by Google with bringing the spear phishing e-mails to light. Parkour told Threatpost that she "collects samples from victims and other researchers" then posts them on the blog for sharing and analysis. She posted on the spear phishing e-mails in February not because they were unusual, but because of the sensitive nature of who they targeted.

According to Parkour, the attackers used spoofed e-mail addresses and information harvested from the victims' accounts to engage in "mini conversations" with their victims.

"They used personal knowledge for some phishes...they were very persistent and invasive," she said, tailoring the spoofed sender address to the recipient based on knowledge gleaned from the compromised accounts.

Among other things, the attackers continued to try to harvest other online credentials from victims - user names and passwords - using the same technique they used, successfully, to gain access to, and control over, the users' Gmail accounts.

[...]

Google said in a blog post on Wednesday that it had disrupted the campaign, which it traced to Jinan, China. The campaign affected hundreds of Gmail users, using malware and phishing attacks to harvest user login credentials. The campaign appears to have been designed to monitor the content of users' email correspondence.

Parkour said she felt that Google did a good job unraveling the scheme and finding other victims of it. "It looks like they exhausted all the leads and found out as much as they could to address it before going public," she said.


-------------------------------------------------------------------------------

Thursday, June 2, 2011

Some Insight into Apple's Anti-Virus Signatures

Via SANS ISC Diary -

Now with Apple pushing out its first daily update to combat the latest MacDefender variant, it's a good time to take a closer look at "XProtect", the Snow Leopard Anti Malware engine (or to use the Apple euphemism: "safe download list").

OS X heavily relies on XML files for configuration. These "plist" files are easy to read. The same is true for the XProtect configuration, which includes the currently valid signatures.


---------------------------------------------------------------

Nice and quick look into Apple's Anti-Malware XProtect feature (officially called File Quarantine) of OS X.

Apple to Malware Authors: Tag, you're It!

Via NakedSecurity.com (Sophos) -

Last night the malware authors behind the Mac Guard fake anti-virus changed their methods again to bypass the updates Apple released yesterday afternoon to protect OS X Snow Leopard users. Apple fired back shortly after 2 p.m. Pacific Daylight Time today with a new update to XProtect. Computers that have Apple update 2011-003 for Snow Leopard now check for updates every 24 hours.

As the cat-and-mouse game continues it will be interesting to see how the attackers proceed. The major change to bypass Apple's detection yesterday was to use a small downloader program to do the initial infection, then have that program retrieve the actual malware payload.

This approach may be successful as it will be easier for the malware authors to continually make small changes to the downloader program to evade detection while leaving the fake anti-virus program largely unchanged.

Why is this important? Apple's XProtect is not a full anti-virus product with on-access scanning. XProtect only scans files that are marked by browsers and other tools as having been downloaded from the internet.

If the bad guys can continually mutate the download, XProtect will not detect it and will not scan the files downloaded by this retrieval program. Additionally, XProtect is a very rudimentary signature-based scanner that cannot handle sophisticated generic update definitions.


---------------------------------------------------------------------------

These criminals behind the FakeAV scams are rapidly adapting in order to protect a real revenue stream, therefore it is highly unlikely they will walk away without a serious fight.

Apple is allowing itself to be pulled into a cat-and-mouse game of malicious whack-a-mole. A game which highlights the well-known weakness of pure signature-based detection. This is a lesson AV companies learned long long ago.

Apple's XProtect isn't up for the battle and in short order, updates every 24 hours won't be enough....a full-time scanning solution will be needed - enter on-access AV on Apple.
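To make concrete both the SANS note that XProtect's signatures live in a readable plist and the Sophos point that XProtect only scans quarantine-flagged downloads with exact byte patterns, here is an added model of that check (constructed example, not Apple's code or the blog's). The plist layout imitates the XProtect.plist structure (a Description plus a Matches array of hex Patterns); the signature, file contents and quarantine attributes are all invented.

```python
"""Constructed model of Snow Leopard XProtect matching.  Not Apple's code;
the plist layout, the signature and every file below are made up here."""
import plistlib

# Constructed XProtect-style signature list.  A Pattern is a hex string
# compared byte-for-byte against the file; here it is just "MACDEFE".
XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<array>
  <dict>
    <key>Description</key><string>OSX.MacDefender.A</string>
    <key>Matches</key>
    <array>
      <dict>
        <key>MatchType</key><string>Match</string>
        <key>Pattern</key><string>4D414344454645</string>
      </dict>
    </array>
  </dict>
</array>
</plist>
"""

# Extended attribute that browsers set on downloads; XProtect keys off it.
QUARANTINE_XATTR = "com.apple.quarantine"


def load_signatures(plist_bytes):
    """Parse the plist into a list of (description, [pattern bytes, ...])."""
    sigs = []
    for entry in plistlib.loads(plist_bytes):
        patterns = [bytes.fromhex(m["Pattern"])
                    for m in entry.get("Matches", [])
                    if m.get("MatchType") == "Match"]
        sigs.append((entry["Description"], patterns))
    return sigs


def match_file(data, signatures):
    """Return the first signature name whose patterns all occur in data."""
    for description, patterns in signatures:
        if patterns and all(p in data for p in patterns):
            return description
    return None


def xprotect_scan(file_name, data, xattrs, signatures):
    """XProtect-style decision: only quarantine-flagged files are scanned."""
    if QUARANTINE_XATTR not in xattrs.get(file_name, {}):
        return "not scanned (no quarantine flag)"
    hit = match_file(data, signatures)
    return f"blocked: {hit}" if hit else "allowed"


def demo():
    """Three constructed files showing the gap the Sophos article describes."""
    sigs = load_signatures(XPROTECT_PLIST)
    files = {
        # Flagged download carrying the signed bytes: caught.
        "MacDefender.zip": b"PK..MACDEFE..installer",
        # Flagged download whose bytes were changed: signature misses it.
        "MacGuard-downloader.zip": b"PK..MACGUARD..fetch",
        # Payload fetched by that downloader: never flagged, never scanned.
        "payload.bin": b"..MACDEFE..real-fakeav",
    }
    xattrs = {name: {QUARANTINE_XATTR: "0001;4de12345;Safari;"}
              for name in files if name != "payload.bin"}
    return {name: xprotect_scan(name, data, xattrs, sigs)
            for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:25} {verdict}")
```

The downloader-then-payload split is exactly why a quarantine-gated, exact-pattern scanner misses the second stage; an on-access scanner, as the commentary above argues, would see it.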

Wednesday, June 1, 2011

Apple Adds Daily Malware Updates to OS X, Attackers Adapt Quickly

Via Threatpost.com -

Apple on Tuesday shipped the promised update to help remove the MacDefender malware, and in a surprise move, also added functionality to Mac OS X that will now check for new malware definitions daily.

The move by Apple to add daily malware checks is a significant shift in the way that the company handles malware and potential infections of its customers. Until now, Apple has handled such incidents on a case by case basis and pushed OS changes when it needed to address a new problem. But now the company has essentially included an auto-updating anti-malware system with OS X.

The security update that Apple released Tuesday performs several specific tasks. It adds a new definition to the existing anti-malware checks in OS X, and also will automatically remove any instances of the MacDefender malware that it finds on the machine. But most significantly, security update 2011-003 adds the automatic daily checks for new malware signatures.


----------------------------------------------------------------------------

Apple's move to add daily update ability to its anti-malware XProtect List means it will be better suited to react to future variants of Apple malware.

However, there are now reports that the criminals adapted within hours and are now pushing out a new MacDefender FakeAV variant which bypasses the original signature protection from Apple.

The next move is on Apple - will it allow it to be pulled into a game of whack-a-mole with monetized crimeware or will it finally suggest all users install AV?