Friday, September 30, 2011

Yemen: Fingerprints Confirmed Identities of Awlaki and Khan

Via Los Angeles Times -

U.S. operatives on the ground in Yemen used fingerprint analysis to confirm that a joint CIA-military drone strike Friday killed American militants Anwar Awlaki and Samir Khan, according to a U.S. government official briefed on the operation.

“It was good to see the Yemen government actually allow us to go in,” the official said on the condition of anonymity because he was not authorized to speak on the record. “Allowing us to go on the property and get fingerprint analysis was a nice gesture of cooperation by the Yemeni government.”

Information about Awlaki’s location came from the interrogation of an operative of Al Qaeda in the Arabian Peninsula held in Yemeni custody. Samir Khan was not targeted in the strike, but fingerprint analysis after the fact confirmed he was killed as well, said the official.

“Samir Khan was a bonus. It was a twofer,” said Rep. Mike McCaul (R-Texas), who serves on the House Committee on Homeland Security. “It’s a pretty good hit.”

Mohammed Albasha, spokesman for the Yemeni Embassy in Washington, confirmed that Yemeni intelligence recently located Awlaki at a hideout in the town of Khashef, near the border with Saudi Arabia.

Awlaki was riding in a convoy of vehicles when the airstrike hit the motorcade, killing him, Khan and two other Al Qaeda in the Arabian Peninsula operatives, Albasha said in an email.


------------------------------------------------------------------------

Foreign Policy: Gone But Not Forgotten
The apparent killing of Yemeni-American cleric Anwar al-Awlaki by a U.S. drone on Friday, Sept. 30, is not the end of this unique figure, perhaps one of the most misunderstood men in the annals of terrorism. Many questions remain about his exact role within al Qaeda, in particular his status within al Qaeda in the Arabian Peninsula (AQAP). But even the most hyped descriptions of Awlaki's "operational" capabilities pale in comparison with the force of his personality. Ultimately, his legacy will not be a litany of bombs exploded and airplanes hijacked, but of hearts and minds moved to hate.

Organized Cybercrime: Nefarious Sophistication Featuring Zeus V2.1.0.10

Via RSA FraudAction Research Labs -

The RSA Research Lab investigates and monitors a large number of malicious cybercrime servers operating in the wild. One of the Lab’s most significant findings was kept under wraps as the Research team investigated its server-side and the general background of the gang standing behind this clandestine control central.

What our researchers discovered was nothing less than the robust mercenary workings of a virtual heist machine, one that has been operational on an ongoing basis, militating and robbing financial data from hundreds of thousands of infected users all over the world. The tool of choice—Zeus v2.1.0.10, the most advanced variant of Zeus to date. The end result: endless logs of compromised financial data and untold numbers of wire-fraud transactions.


---------------------------------------------------------------------

Lower in sophistication level (but still very dangerous) are the variants built from the leaked Zeus v2.0.9.8 code...

http://www.trustdefender.com/zeus-trojan-update-new-variants-based-on-leaked-zeus-source-code.html
When the source code of the Zeus Trojan (v2.0.9.8) leaked to the public in April this year, it was clear that this would have serious implications for the security industry. This in-depth report looks at three of the most recent variants in detail...

Thursday, September 29, 2011

Happy National Coffee Day!


---------------------------------

On National Coffee Day, Thursday, September 29th at 9PM ET/PT, CNBC presents “The Coffee Addiction,” a CNBC Original reported by Correspondent Scott Wapner. The documentary captures the extraordinary journey from coffee bean to coffee cup as Wapner takes viewers from the jungles of Peru to the frenzied commodity trading pit of lower Manhattan, to the Seattle headquarters of Starbucks, and finally, to the local coffeehouses across the country where a new breed of baristas fuels a national passion.

Wednesday, September 28, 2011

Cutting Through the Lone-Wolf Hype

Via STRATFOR (Security Weekly) -

Lone wolf. The mere mention of the phrase invokes a sense of fear and dread. It conjures up images of an unknown, malicious plotter working alone and silently to perpetrate an unpredictable, undetectable and unstoppable act of terror. This one phrase combines the persistent fear of terrorism in modern society with the primal fear of the unknown.

The phrase has been used a lot lately. Anyone who has been paying attention to the American press over the past few weeks has been bombarded with a steady stream of statements regarding lone-wolf militants. While many of these statements, such as those from President Barack Obama, Vice President Joseph Biden and Department of Homeland Security Director Janet Napolitano, were made in the days leading up to the 10th anniversary of the 9/11 attacks, they did not stop when the threats surrounding the anniversary proved to be unfounded and the date passed without incident. Indeed, on Sept. 14, the Director of the National Counterterrorism Center, Matthew Olsen, told CNN that one of the things that concerned him most was “finding that next lone-wolf terrorist before he strikes.”

Now, the focus on lone operatives and small independent cells is well founded. We have seen the jihadist threat devolve from one based primarily on the hierarchical al Qaeda core organization to a threat emanating from a broader array of grassroots actors operating alone or in small groups. Indeed, at present, there is a far greater likelihood of a successful jihadist attack being conducted in the West by a lone-wolf attacker or small cell inspired by al Qaeda than by a member of the al Qaeda core or one of the franchise groups. But the lone-wolf threat can be generated by a broad array of ideologies, not just jihadism. A recent reminder of this was the July 22 attack in Oslo, Norway, conducted by lone wolf Anders Breivik.

The lone-wolf threat is nothing new, but it has received a great deal of press coverage in recent months, and with that press coverage has come a certain degree of hype based on the threat’s mystique. However, when one looks closely at the history of solitary terrorists, it becomes apparent that there is a significant gap between lone-wolf theory and lone-wolf practice. An examination of this gap is very helpful in placing the lone-wolf threat in the proper context.

Read more: Cutting Through the Lone-Wolf Hype | STRATFOR

Exploit Kit Intelligence: Five Software Packages = 90%+ Of The Problem

Via CSIS -

When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash. This is revealed by a survey conducted by CSIS Security Group A/S.

Basis of the Study
CSIS has over a period of almost three months actively collected real time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.

[...]

Most Vulnerable Programs
On the basis of the total statistical data of this study it is documented that the following products are frequently abused by malware in order to infect Windows machines: Java JRE, Adobe Reader / Acrobat, Adobe Flash and Microsoft Internet Explorer.

[...]

Vulnerabilities Abused
Among the vulnerabilities we have observed abused by the monitored exploit kits, we find:
  • CVE-2010-1885 - Microsoft Help & Support HCP
  • CVE-2010-1423 - Java Deployment Toolkit insufficient argument validation
  • CVE-2010-0886 - Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
  • CVE-2010-0842 - Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
  • CVE-2010-0840 - Java trusted Methods Chaining Remote Code Execution Vulnerability
  • CVE-2009-1671 - Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
  • CVE-2009-0927 - Adobe Reader Collab GetIcon
  • CVE-2008-2992 - Adobe Reader util.printf
  • CVE-2008-0655 - Adobe Reader CollectEmailInfo
  • CVE-2006-0003 - IE MDAC
  • CVE-2006-4704 - Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
  • CVE-2004-0549 - IE ShowModalDialog method and modifying the location to execute code

The Reason Why Patching is Essential!
The conclusion of this study is that as much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages.


-------------------------------------------------------------------------

Great research by CSIS.

This builds on the body of knowledge presented by various researchers (e.g. Dan Guido & Mila Parkour), which suggests corporations should focus on the top 5 or 6 products at the desktop level as an effective method of combating exploit kits - at least in their current state.

The exploit kit authors will adapt their attacking method (i.e. technique, vulnerabilities used), as needed, to maintain levels of high infection rates. Therefore, we must adapt as well. This is only the beginning.

Tuesday, September 27, 2011

Operation b79: Targeting the Kelihos Botnet

Via Official Microsoft Blog -

Building on the recent successes of the Rustock (Operation b107) and Waledac (Operation b49) botnet takedowns, I’m pleased to announce that Microsoft has taken down the Kelihos botnet in an operation codenamed “Operation b79” using similar legal and technical measures that resulted in our previous successful botnet takedowns.

Kelihos, also known by some as “Waledac 2.0” given its suspected ties to the first botnet Microsoft took down, is not as massive as the Rustock spambot. However, this takedown represents a significant advance in Microsoft’s fight against botnets nonetheless. This takedown will be the first time Microsoft has named a defendant in one of its civil cases involving a botnet and as of approximately 8:15 a.m. Central Europe time on Sept. 26th, the defendants were personally notified of the action.

The Kelihos takedown is intended to send a strong message to those behind botnets that it’s unwise for them to simply try to update their code and rebuild a botnet once we’ve dismantled it. When Microsoft takes a botnet down, we intend to keep it down – and we will continue to take action to protect our customers and platforms and hold botherders accountable for their actions.

In the complaint, Microsoft alleges that Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22 own the domain cz.cc and used cz.cc to register other subdomains, such as lewgdooi.cz.cc, that were used to operate and control the Kelihos botnet. Our investigation showed that while some of the defendant’s subdomains may be legitimate, many were being used for questionable purposes with links to a variety of disreputable online activities.

[...]

On Sept. 22nd, Microsoft filed for an ex parte temporary restraining order from the U.S. District Court for the Eastern District of Virginia against Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22.

[...]

Naming defendants in this case marks a big step forward for Microsoft in making good on its commitment to aggressively protect its platform and customers against abuse from whomever and wherever it may originate. Naming these defendants also helps expose how cybercrime is enabled when domain providers and other cyber infrastructure providers fail to know their customers. Without a domain infrastructure like the one allegedly hosted by Mr. Piatti and his company, botnet operators and other purveyors of scams and malware would find it much harder to operate anonymously and out of sight. By taking down the botnet infrastructure, we hope that this will help deter and raise the cost of committing cybercrime.


-----------------------------------------------------------

http://www.pcworld.idg.com.au/article/402219/striking_domain_provider_microsoft_kills_off_botnet
Reached Tuesday, Piatti was unable to comment for this story. "I would be glad to give you my side of the story, but I feel that I should hire a lawyer first," he said in an email.

Monday, September 26, 2011

STRATFOR Dispatch: UAV Strikes Against al Shabaab

http://www.stratfor.com/analysis/20110926-dispatch-uav-strikes-against-al-shabaab

Analyst Mark Schroeder discusses the latest strategy to neutralize the transnational elements of al Shabaab by conducting unmanned aerial vehicle strikes against suspected terrorist training camps.

-----------------------------------------------

Noteworthy clip:
What is also interesting to note is that there are not strikes going on against other factions of the Somali jihadist network, such as those led by Mukhtar Robow in the Bay and Bakool regions of Somalia or the other known group called Hizbul Islam, led by Sheikh Hassan Dahir Aweys in the greater Mogadishu area. These two factions are not being targeted. So clearly there are efforts to neutralize the most threatening terrorist elements of al Shabaab, but on the other hand to reach out more to or accommodate nationalist factions.

Whitepaper: The "Lurid" Downloader (APT)

http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/12802_trend_micro_lurid_whitepaper.pdf

ABSTRACT

This report investigates a campaign of targeted malware attacks that has successfully compromised 1465 computers in 61 different countries. Based on the project path embedded in the malware, we have named this specific campaign “Lurid Downloader” although the malware is typically known as “Enfal”. The majority of the victims are located in Russia and other members of the Commonwealth of Independent States (CIS). We were able to identify 47 victims that include numerous government ministries and diplomatic missions along with space-related government agencies, companies and research institutions in Russia and other members of the CIS along with a smaller amount of similar entities in Europe.

The threat actors behind “Lurid Downloader” launched 301 malware campaigns targeting entities in specific countries or geographic regions and tracked the success of each campaign by embedding a unique identifier in each instance of malware and associating it with specific victims. While some campaigns resulted in numerous victims, others were very specific and targeted resulting in only one or two victims. While previous Enfal activity has been typically associated with threat actors in China, it remains unclear who is behind the Lurid Downloader attacks.

Sunday, September 25, 2011

Russian Space Systems Hacked in Lurid Attack

Via ZDNet (UK) -

Over a thousand systems in the Commonwealth of Independent States (CIS) were hacked in a search for documents, spreadsheets and archive files, the security company said on Friday. Organisations in 60 other countries, including Vietnam, India and Mongolia, were also targeted.

The hackers have compromised Russian central government computers, diplomatic missions and space-related government agencies in the attack. The main Russian institution associated with space research is the Russian Federal Space Agency.

"This has all the hallmarks of espionage-related activity, given the concentration of targets," Trend Micro solutions architect Rik Ferguson told ZDNet UK. "We are liaising with companies directly and talking to local computer emergency response teams."

The cyberattack is being referred to as the 'Lurid DownLoader' attack, after the malware used. Overall, it has compromised 1,465 unique hosts in 61 different countries, Trend Micro said in a blog post.

The Russian computer emergency response team (RU-CERT) said it was aware of the Trend Micro report, but had not received any other information from the security company.

"Next week I'll ask colleagues in law enforcement to look at this," RU-CERT deputy head Mikhail Ganev told ZDNet UK. "If government systems have been attacked, it's the duty of law enforcement to look at it."

-----------------------------------------------------------------------

In addition to the Lurid APT attack, Trend Micro also recently outlined ongoing attacks on several defense companies in Japan, Israel, India and the USA. It is unknown if this attack outlined by Trend Micro is connected to the attacks made public by Mitsubishi Heavy Industries (MHI). Trend Micro is a Japanese company.

Geographical User Base vs. APT Discussion and Disclosure Cases

It is interesting to see more and more AV vendors discussing in public about APT-type attacks. Each vendor has a unique install base, which is different than any other vendor. One vendor may have a huge install base in a geographical area where the others have very few. This install base (thus visibility into geographical areas) will naturally impact the type of attacks it can discover or discuss.

Saturday, September 24, 2011

Dubstep Dancing



How do you dance to dubstep? Here is your answer....

Friday, September 23, 2011

LURID: Attribution Isn’t Easy

Via Trend Micro Malware Labs -

Determining who is ultimately behind targeted attacks is difficult as it requires a combination of technical and contextual analysis and the ability to connect disparate pieces of information together over a period of time. Moreover, any one researcher typically does not necessarily have all these pieces of information and must interpret the available evidence. Too often, the determination of attribution is based solely on easily spoofed evidence such as IP addresses and domain name registrations. This post provides a follow up to the post we published yesterday. It presents some background information on the LURID attacks and the relationship with previous Enfal attacks in order to provide some context to this case.

Interestingly, while previous Enfal attacks have been attributed to China, in this case, the IP addresses of the command-and-control (C&C) servers were located in the United States and the United Kingdom. However, the registration information of the domain names used indicates that the owners are in China. In either case, this information is not difficult to manipulate. Neither of these two artifacts taken on their own is sufficient to determine attribution.

The History of Enfal

The history of this malware combined with the nature of some of the targeted victims do provide some clues. The malware used in the “Lurid Downloader” attacks is commonly known as “Enfal” and it has been used in targeted attacks as far back as 2006. In 2008, Maarten Van Horenbeeck documented a series of targeted malware attacks that made use of the Enfal Trojan to target governmental organizations, nongovernmental organizations (NGOs), as well as defense contractors and U.S. government employees.

In 2009 and 2010, researchers from the University of Toronto published reports on two cyber espionage networks known as “GhostNet” and “ShadowNet” that included malware and command and control infrastructure connected with the Enfal Trojan. Additionally, the domain names used by Enfal as C&C servers are, according to U.S. diplomatic cables leaked to WikiLeaks, linked to a series of attacks known as “Byzantine Hades.” According to these leaked cables, the activity of this set of threat actors has been ongoing since 2002 and there are subsets of this activity known as “Byzantine Anchor,” “Byzantine Candor,” and “Byzantine Foothold.”

Notably, other than the use of Enfal itself, there appear to be several distinct sets of C&C infrastructure in use, and the relationship among those operating these separate infrastructures remains unclear.

[...]

The use of Enfal, the malware family to which Lurid Downloader belongs, has been historically linked with threat actors in China. In this case, the attack vector (a malicious email and attached malicious file) that we were able to analyze was related to the Tibetan community, which many believe indicates an association with China. However, Chinese entities were also victims of Lurid Downloader.

We have a forthcoming report which will outline the background and context of the attacks alongside a thorough technical analysis but will not attribute these attacks to any particular entity. We cannot emphasize enough that it remains unclear who exactly is behind the Lurid Downloader attacks.

Attribution isn’t easy.

Thursday, September 22, 2011

Trend Micro Exposes LURID APT

Via TrendMicro Malware Labs Blog -

Trend Micro has discovered an ongoing series of targeted attacks, known as “LURID,” that have successfully compromised 1465 computers in 61 different countries. We have been able to identify 47 victims including diplomatic missions, government ministries, space-related government agencies and other companies and research institutions.

The countries most impacted by this attack are Russia, Kazakhstan and Vietnam, along with numerous other countries – mainly in the CIS (Commonwealth of Independent States – or former Soviet Union).

This particular campaign comprised over 300 malicious, targeted attacks, monitored by the attackers using a unique identifier embedded in the associated malware. Our analysis of the campaigns reveals that attackers targeted communities in specific geographic locations as well as campaigns that targeted specific victims. In total, the attackers used a command and control network of 15 domain names associated with the attackers and 10 active IP addresses to maintain persistent control over the 1465 victims.

The “Lurid Downloader,” often referred to as “Enfal,” is a well-known malware family but it is not a publicly available toolkit that can be purchased by aspiring cybercriminals. This malware family has in the past been used to target both the U.S. government and non-governmental organizations (NGO’s). However, there appear to be no direct links between this particular network and the previous ones.

More and more frequently, targeted malware attacks such as these are being described as Advanced Persistent Threats. A target receives an email message that encourages him or her to open an attached file. The files sent by the attackers contain malicious code that exploits vulnerabilities in popular software programs such as Adobe Reader (e.g. .PDFs) and Microsoft Office (e.g. .DOCs). The payload of these exploits is malware that is silently executed on the target’s computer. This allows the attackers to take control of the computer and obtain data. The attackers may then move laterally throughout the target’s network and are often able to maintain control over compromised computers for extended periods of time. Ultimately, the attacks locate and exfiltrate sensitive information from the victim’s network.

[...]

As is frequently the case, it is difficult to ascertain who is behind this series of attacks because it is easy to manipulate artifacts, e.g. IP addresses and domain name registration, in order to mislead researchers into believing that a particular entity is responsible.

Although our research didn’t reveal precisely which data was being targeted, we were able to determine that, in some cases, the attackers attempted to steal specific documents and spreadsheets.

Through the exposure of the “Lurid” network, we aim to enable a better understanding of the extent and frequency of such attacks as well as the challenges that targeted malware attacks pose for traditional defenses. Defensive strategies can be dramatically improved by understanding how targeted malware attacks work as well as trends in the tools, tactics and procedures of the threat actors behind such attacks. By effectively using threat intelligence derived from external and internal sources combined with security tools that empower human analysts, organizations are better positioned to detect and mitigate such targeted attacks.

-----------------------------------------------------------------------

http://www.theregister.co.uk/2011/09/22/russia_cyberespionage_attack/
Rik Ferguson, director of security research & communication EMEA at Trend Micro, told El Reg that some of the affected sites used Trend Micro's technology, which helped detect the attack. Subsequent detective work led researchers back to two command and control servers, hosted by different ISPs (one in the US and one in the UK). Beyond saying the attack was likely to be motivated by cyberespionage, rather than profit, Ferguson was reluctant to speculate on who might be behind the attack or their motives.

Wednesday, September 21, 2011

Security Update Available for Adobe Flash Player (APSB11-26)

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.7 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.186.6 and earlier versions for Android. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that one of these vulnerabilities (CVE-2011-2444) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message. This universal cross-site scripting issue could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website.

http://www.adobe.com/support/security/bulletins/apsb11-26.html

----------------------------------------------------------------------------

Based on the limited information provided by Adobe above, I suspect this new vulnerability (CVE-2011-2444) was used in a new series of targeted web e-mail (Gmail) attacks – just as was the case with the last Flash Universal XSS detected and patched out-of-band by Adobe in June 2011. Note in the Adobe advisory that CVE-2011-2444 is credited to Google. Coincidence?

According to Google, that June 2011 campaign against Gmail, appeared to originate from Jinan, China and affected what seem to be the personal Gmail accounts of hundreds of users including, among others, senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.

In the same June timeframe, TrendMicro noted that in addition to Gmail, Hotmail and Yahoo! Mail were also targeted. While the attacks appear to have been conducted separately, they have some significant similarities.

Report: US Building Drone Bases in Africa, Arabian Peninsula

Via VOA News -

The United States is reported to be expanding a secret drone program in east Africa and the Arabian peninsula in order to gather intelligence and strike al-Qaida-linked militants in Somalia and Yemen.

Citing U.S. defense officials, The Washington Post reported that the U.S. is building a new military installation to host the unmanned aircraft in Ethiopia, where drones can more easily attack members of the militant group al-Shabab that is fighting for control of neighboring Somalia.

The report also said the U.S. has re-opened a drone base in the Seychelles, an island nation in the Indian Ocean, where a small fleet of "hunter-killer" drones resumed operations this month after a test mission determined that aircraft based there could patrol Somalia.

In addition, the report said the Central Intelligence Agency is building a secret airstrip somewhere in the Arabian subcontinent in order to carry out drone missions against al-Qaida in the Arabian Peninsula. U.S. officials say the group, based in Yemen, is al-Qaida's most active branch, and is responsible for several attempted attacks on U.S. targets.

The U.S. is reported to have already flown drones over Somalia and Yemen from installations in Djibouti.

[...]

Earlier this month, the commander of U.S. military operations in Africa said three African-based terrorist groups were working together to threaten U.S. interests in the region. General Carter Ham said al-Shabab, Algeria-based Al-Qaida in the Islamic Maghreb, and Boko Haram in Nigeria have said they intend to share training and operations in order to target Westerners, specifically Americans.

Adobe Announces Emergency Patch for Flash Player

Via H-Online.com -

Adobe has announced an emergency patch that is scheduled to be released some time later today (Wednesday 21 September). The update will address several previously unknown critical holes in Flash Player. The new version is also designed to close a universal cross-site scripting (XSS) hole that Adobe says is already being actively exploited. The company's security blog doesn't provide any further details.

----------------------------------------------------------------------

Nation-State Attackers Are Adobe's Biggest Worry
https://threatpost.com/en_us/blogs/nation-state-attackers-are-adobes-biggest-worry-092011
It's no secret that attackers have made Adobe's products key targets for the last couple of years, routinely going after bugs in Reader, Flash and Acrobat in targeted attacks and widespread campaigns alike. But it's not just the rank-and-file bad guys who are making Adobe a priority; it's more often nation-states, the company's top security official said.

[...]

"In the last eighteen months, the only zero days found in our software have been found by what Dave Aitel would call carrier-class adversaries," Arkin said in his keynote speech at the United Security Summit here Tuesday. "These are the groups that have enough money to build an aircraft carrier. Those are our adversaries."

[...]

Perhaps the most famous example of this kind of targeted attack is the one that hit RSA Security earlier this year.

[...]

"We have lots of friends in the places where people get attacked a lot and I don't think that RSA was the only target in that campaign," he said.

Chinese Characters Found in Japanese Mitsubishi Cyberattack

Via Daily Yomiuri Online (Japan) -

Chinese language was found in one of the viruses used in the recent cyber-attacks on Mitsubishi Heavy Industries (MHI), Ltd., it was learned Tuesday.

A total of 83 servers and personal computers of the machinery maker have been infected with viruses in the cyber-attacks, which originated outside the company.

On a screen for an attacker to remotely control the infected PCs, simplified Chinese characters used in China were employed, sources said.

As the possible involvement of a person or people with deep knowledge of Chinese language is suspected, the Metropolitan Police Department now considers it an international espionage case. The MPD is investigating the case as a violation of the Law on the Prohibition of Unauthorized Computer Access, among other charges.

The viruses confirmed to have infected the MHI servers and PCs included a Trojan horse virus, which allowed senders to gain access to infected PCs. The sender can then transmit information from the infected machine to their computer.

According to the sources, an information security firm that copied and analyzed the virus discovered the simplified Chinese characters on screens used by the senders.

The Chinese characters include those for "automatic" (meaning automatic access), "catch" for the function to remotely control infected PCs, and two Chinese characters that mean "video" or "image," the sources explained.

As it would be very difficult for those who do not understand the Chinese language to control the virus, the MPD suspects involvement of a person or people well-versed in Chinese.

Regarding spear attacks, which target specific people or companies to steal information from them, the MPD analyzed 29 such e-mails reported between January and June. Of those, 14 had viruses forcing the infected PCs to access servers in China.

However, a security specialist warned it is still not possible to conclude that China was involved in the attacks.

"The perpetrator or perpetrators may intentionally use Chinese to disguise the attacks as Chinese," said Prof. Motohiro Tsuchiya, an expert on information politics.

"However, the number of cyber-attacks from China targeting classified information has reportedly been increasing and the United States is also on alert. It is important for attacked companies to disclose the facts of attacks and share their experiences to allow others to share risk information," he said.

------------------------------------------------------

As one would expect, Chinese government officials are denying any knowledge of or role in the attacks which targeted MHI.

Tuesday, September 20, 2011

Testing Web Servers for Slow HTTP Attacks

Via Qualys Security Labs -

Following the release of the slowhttptest tool, I ran benchmark tests of some popular Web servers. My testing shows that all of the observed Web servers (and probably others) are vulnerable to slow http attacks in their default configurations. Reports generated by the slowhttptest tool illustrate the differences in how the various Web servers handle slow http attacks.

[...]

Final Thoughts

Software configuration is all about tradeoffs, and it is normal to sacrifice one aspect for another. We see from the test results above that all default configuration files of the Web servers tested are sacrificing protection against slow HTTP DoS attacks in exchange for better handling of connections that are legitimately slow.


Because a lot of people are not aware of slow http attacks, they will tend to trust the default configuration files distributed with the Web servers. It would be great if the vendors creating distribution packages for Web servers would pay attention to handling and minimizing the impact of slow attacks, as much as the Web servers’ configuration allows it. Meanwhile, if you are running a Web server, be careful and always test your setup before relying on it for production use.
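The tradeoff the Qualys post describes comes down to one setting: how long a server will wait for a client to finish sending its request headers. The following is an added example, not code from Qualys or from the slowhttptest tool. It is a toy listener that enforces a header-read deadline, plus a single-connection self-check against a server you run on localhost, which is the "always test your setup" advice from the post made concrete. All hosts, ports and timeout values below are constructed for the example; the class and function names are my own.

```python
import socket
import threading
import time

HEADER_END = b"\r\n\r\n"   # blank line that terminates an HTTP header block


class HeaderTimeoutServer:
    """Minimal TCP listener (constructed for this example, not a real web
    server) that refuses to keep a connection open indefinitely while the
    client dribbles out request headers.  A connection that has not sent
    the terminating blank line within `header_timeout` seconds is closed
    without a response.  Default web server configs typically leave this
    deadline off or set it generously, which is what the post measured."""

    def __init__(self, header_timeout, host="127.0.0.1", port=0):
        self.header_timeout = header_timeout
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: let the OS pick one
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.timed_out = 0                    # stalled connections dropped so far
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        self.sock.settimeout(0.1)             # wake periodically to check _stop
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        deadline = time.monotonic() + self.header_timeout
        buf = b""
        try:
            while HEADER_END not in buf:
                remaining = deadline - time.monotonic()
                if remaining <= 0:            # deadline passed: drop the connection
                    self.timed_out += 1
                    return
                conn.settimeout(remaining)    # never block past the deadline
                try:
                    chunk = conn.recv(4096)
                except socket.timeout:
                    self.timed_out += 1
                    return
                if not chunk:                 # client hung up first
                    return
                buf += chunk
                if len(buf) > 8192:           # oversized header block: refuse too
                    return
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n"
                         b"Connection: close\r\n\r\nok")
        finally:
            conn.close()

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def complete_request(port):
    """Send a well-formed request and report whether a 200 came back."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
        c.settimeout(2.0)
        resp = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            resp += chunk
        return resp.startswith(b"HTTP/1.1 200")


def check_header_deadline(port, wait):
    """Self-check for a server YOU operate: open one connection, send an
    incomplete header block, idle for `wait` seconds and report whether the
    server closed it.  True means a header deadline is in effect; False means
    the server was still waiting on the stalled connection when we gave up."""
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n")   # no terminating blank line
        c.settimeout(wait)
        try:
            data = c.recv(1)
        except socket.timeout:
            return False                      # still open: no deadline enforced
        except ConnectionResetError:
            return True                       # server reset the stalled connection
        return data == b""                    # EOF: server dropped it


if __name__ == "__main__":
    strict = HeaderTimeoutServer(header_timeout=0.5)
    print("normal request served:", complete_request(strict.port))
    print("stalled connection dropped:", check_header_deadline(strict.port, wait=3.0))
    strict.close()
```

In production the same knob is `RequestReadTimeout` from Apache's mod_reqtimeout and `client_header_timeout` in nginx; the point of the self-check is that you verify the value actually in effect on your own server rather than trusting the packaged default.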

7 Lessons: Surviving A Zero-Day Attack

Via Information Week -

When Pacific Northwest National Laboratory detected a cyber attack--actually two of them--against its tech infrastructure in July, the lab acted quickly to root out the exploits and secure its network. PNNL then did something few other cyber attack victims have been willing to do. It decided to talk openly about what happened.

The lab's CIO, Jerry Johnson, last week provided a detailed accounting of the cyber attacks. Speaking at the IW500 Conference in Dana Point, Calif., Johnson described how intruders took advantage of a vulnerability in one of the lab's public-facing web servers to plant a "drive-by" exploit on the PCs of site visitors, lab employees among them. For weeks, the hackers then surreptitiously scouted PNNL's network from the compromised workstations.

Simultaneously, a spear-phishing attack hit one of the lab's major business partners, with which it shared network resources. This second group of hackers was able to obtain a privileged account and compromise a root domain controller that was shared by the lab and its partner. When the intruders tried to recreate and elevate account privileges, this action triggered an alarm, alerting the lab's cybersecurity team.

Within hours, the lab made the decision to disconnect its network in order to sever the hackers' communications paths and contain any further damage.

[...]

Johnson agreed to talk about it as a way of helping other organizations bolster their defenses. For that, he deserves a tremendous amount of credit. Secrecy is the norm in the wake of a cyber attack, but openness will lead to better preparedness.

----------------------------------------------------------

In case you need some background on the attack...
http://djtechnocrat.blogspot.com/search?q=PNNL

As Johnson outlines, the attackers didn't put all their eggs in one basket.

The attacker planted zero-day exploits on their public web servers (in hopes of catching some visiting employees) while simultaneously conducting spear-phishing attacks against business partners with network access to PNNL.

Japan, US Defense Industries Among Targeted Entities in Latest Attack

Via TrendMicro Malware Blog -

Trend Micro has uncovered a campaign of targeted attacks that have successfully compromised defense industry companies in Japan, Israel, India and the USA. We have been able to identify eight victims of this attack and are in the process of notifying them. In total, the attackers compromised 32 computers; however, there were multiple compromises at several locations. This network has been active since July 2011 and is continuing to send out malicious documents in an attempt to compromise additional targets.

We have analyzed a sample that connects to the same command-and-control (C&C) server in this targeted attack. We also analyzed the second stage malware used by the attackers that was built specifically for one of the targeted companies as well as a remote access Trojan (RAT) used by the attackers.

[...]

While this network has managed to compromise a relatively small number of victims, there is a high concentration of defense industry companies among the victims. Moreover, the fact that specific malware components are created for specific victims indicates a level of intentionality among the attackers.


--------------------------------------------------------------------------------------------

This investigation of an APT attack by TrendMicro may or may not be related to the recent reports of a suspected APT attack against Mitsubishi Heavy Industries (MHI) - Japan’s primary defense contractor.

The attack sequence outlined by TrendMicro seems to follow the common narrative of an APT attack in its initial stages....

  1. E-mails with malicious attachments (PDF), exploiting a vuln in specific versions of Adobe Flash and Reader, are sent to and opened by targeted victims.
  2. Dropped malware connects to C&C, sends some system info, then awaits commands.
  3. Attackers command the malware to report back network information (local IP, subnet) and file names in specified directories.
  4. Attackers use the foothold malware to download custom DLLs onto the compromised hosts of only certain target companies.
  5. Attackers issue commands for the compromised computer to download tools which allow for lateral movement across the network using valid credentials (pass-the-hash tools).
  6. Once on the network, attackers drop a Remote Access Tool/Trojan (RAT) onto the compromised system to allow real-time control of it.

Gang Used 3D Printers for ATM Skimmers

Via Krebs on Security -

An ATM skimmer gang stole more than $400,000 using skimming devices built with the help of high-tech 3D printers, federal prosecutors say.

[...]

In June, a federal court indicted four men from South Texas (PDF) who authorities say had reinvested the profits from skimming scams to purchase a 3D printer. According to statements by the U.S. Secret Service, the gang’s leader, Jason Lall of Houston, was sent to prison for ATM fraud in 2009. Lall was instrumental in obtaining skimming devices, and the gang soon found themselves needing to procure their own skimmers. The trouble is, skimmer kits aren’t cheap: They range from $2,000 to more than $10,000 per kit.

Secret Service agents said in court records that on May 4, 2011, their undercover informer engaged in a secretly taped discussion with the ring’s members about a strategy for obtaining new skimmers. John Paz of Houston, one of the defendants, was allegedly the techie who built the skimming devices using a 3-D printer that the suspects purchased together. The Secret Service allege they have Paz on tape explaining the purchase of the expensive printer.

[...]

The government alleges Paz also was the guy who encoded the stolen card data onto counterfeit cards. The feds say Albert Richard of Missouri City, Texas prepared ATMs at numerous banks where the skimming devices were installed, by covering the ATM cameras or spray-painting over them, and by acting as a lookout.

A fourth defendant, John Griffin, is alleged to have used the counterfeit cards to withdraw funds at different ATMs around Texas. Prosecutors allege the group stole more than $400,000 between Aug. 2009 and June 2011. Prior to their arrest this summer, the gang started making decent money but they split the profits between them. Federal prosecutors say the men stole $57,808.14 in the month of April 2011 alone (yes, that’s an odd amount to have come out of ATMs, but I digress).

The court documents don’t say how much the men spent on the 3D printer, nor do they include pictures of the fraud devices. The Secret Service declined to offer more details, citing an ongoing investigation. But i.materialize’s Franky De Schouwer said a high quality 3D printer can be had for between $10,000 and $20,000.

Sunday, September 18, 2011

NRO's Newly Declassified GAMBIT and HEXAGON Programs

Via MSNBC -

Twenty-five years after their top-secret, Cold War-era missions ended, two clandestine American satellite programs were declassified Saturday, with the agency unveiling three of the United States' most closely guarded assets: the KH-7 GAMBIT, the KH-8 GAMBIT 3 and the KH-9 HEXAGON spy satellites.

The vintage National Reconnaissance Office (nro.gov) satellites were displayed to the public Saturday in a one-day-only exhibit here at the Smithsonian National Air & Space Museum's Udvar-Hazy Center at Dulles Airport, VA. The three spacecraft are the centerpiece of the NRO's invitation-only 50th Anniversary Gala celebration held at the center later that evening.


---------------------------------------------------------------------------------------------------------

NRO: GAMBIT and HEXAGON Programs
http://www.nro.gov/foia/declass/GAMBHEX.html

NRO: Declassified GAMBIT and HEXAGON Videos
http://www.nro.gov/foia/declass/GAMBHEX%20Videos.html

NRO: HEXAGON (KH-9) Fact Sheet
http://www.nro.gov/history/csnr/gambhex/Hex_fact_sheet.pdf

----------------------------------------------------------------------------------------------------------

After a late night on Friday and mid-morning breakfast with friends, I quickly made it over to Smithsonian National Air & Space Museum's Udvar-Hazy Center at Dulles Airport, Va at about 2:30pm. Luckily, the tent containing the KH-9 HEXAGON was still open and accessible in the parking lot.

The "HEXAGON - Sentinel of Liberty" video (link above) was playing in one corner of the tent on a big LCD TV. People seemed to get a kick out of the redacted photos and at least one cut which had redacted sound - most likely protecting the still classified program name of a re-entry vehicle. A good overview of the KH-9 HEXAGON satellite (and the various contractors used) is shown starting at 19:35 and the redacted program name (re-entry vehicle) is at 22:50. The HEXAGON's mapping camera is discussed at 30:30, where William P. Durbin states that the camera produced "coverage of high-mapping quality" of ~98% of the Eurasian land mass, 75% to 80% of Africa, and large southern portions of South America during the lifetime of the system.

Since I was rushing, I did not have time to run home and grab my nice camera, so I had to use my phone....

Thursday, September 15, 2011

The Evolution of a Pakistani Militant Network

Via STRATFOR (Security Weekly) -

For many years now, STRATFOR has been carefully following the evolution of “Lashkar-e-Taiba” (LeT), the name of a Pakistan-based jihadist group that was formed in 1990 and existed until about 2001, when it was officially abolished. In subsequent years, however, several major attacks were attributed to LeT, including the November 2008 coordinated assault in Mumbai, India. Two years before that attack we wrote that the group, or at least its remnant networks, were nebulous but still dangerous. This nebulous nature was highlighted in November 2008 when the “Deccan Mujahideen,” a previously unknown group, claimed responsibility for the Mumbai attacks.

While the most famous leaders of the LeT networks, Hafiz Mohammad Saeed and Zaki-ur Rehman Lakhvi, are under house arrest and in jail awaiting trial, respectively, LeT still poses a significant threat. It’s a threat that comes not so much from LeT as a single jihadist force but LeT as a concept, a banner under which various groups and individuals can gather, coordinate and successfully conduct attacks.

Such is the ongoing evolution of the jihadist movement. And as this movement becomes more diffuse, it is important to look at brand-name jihadist groups like LeT, al Qaeda, the Haqqani network and Tehrik-e-Taliban Pakistan as loosely affiliated networks more than monolithic entities. With a debate under way between and within these groups over who to target and with major disruptions of their operations by various military and security forces, the need for these groups to work together in order to carry out sensational attacks has become clear. The result is a new, ad hoc template for jihadist operations that is not easily defined and even harder for government leaders to explain to their constituents and reporters to explain to their readers.

Thus, brand names like Lashkar-e-Taiba (which means Army of the Pure) will continue to be used in public discourse while the planning and execution of high-profile attacks grows ever more complex. While the threat posed by these networks to the West and to India may not be strategic, the possibility of disparate though well-trained militants working together and even with organized-crime elements does suggest a continuing tactical threat that is worth examining in more detail.

Read more: The Evolution of a Pakistani Militant Network

Al Qaeda Figure Reported Killed in Pakistan

Via CNN -

U.S. officials reported the death of an al Qaeda figure identified as the terrorist network's chief of operations in Pakistan, the latest in what they called a series of significant blows to the terrorist network.

Abu Hafs al-Shahri helped coordinate anti-American plots in the region and worked closely with Pakistani Taliban operatives to carry out attacks there, a U.S. official, speaking on condition of anonymity, told CNN Thursday. His cause of death was not disclosed, but the United States frequently uses armed aerial drones to target al Qaeda operatives inside Pakistan.

Al-Shahri was seen as a possible successor to al Qaeda's second-in-command, Atiyah Abdul Rahman, who was killed in late August, the U.S. official said. Little else was immediately known about him.

A senior Obama administration official said al-Shahri was killed earlier this week in northwest Pakistan. Pakistani intelligence officials reported Sunday [the tenth anniversary of 9/11] that a suspected drone strike in the tribal district of north Waziristan, near the rugged border with Afghanistan, had killed three people, but the targets of the strike were not immediately known.

It's the latest in a series of losses among the top ranks of the terrorist network since the U.S. commando raid that killed its founder, Osama bin Laden, in May.


--------------------------------------------------------------

According to the Dawn.com (Pakistan)...
[Al-Shahri] also served as the militant group’s coordinator with the main Pakistani Taliban group, known as the TTP, according to the official.

Microsoft's Binary Planting Clean-Up Mission

Via ACROS Security -

Since our presentation of COM server-based binary planting exploits at the Hack in the Box conference in May this year, Microsoft has introduced a number of relevant changes to Windows and Internet Explorer.

[...]

Conclusion

Microsoft is clearly putting an effort into removing binary planting bugs from their code and introducing mitigations that help block various binary planting attack vectors. While we know there's still a lot of cleaning up to do in their binary planting closet, our research-oriented minds remain challenged to find new ways of exploiting these critical bugs and bypassing new and old countermeasures. In the end, it was our research that got the ball rolling and it would be a missed opportunity for everyone's security if we didn't leverage the current momentum and keep researching.


----------------------------------------------------------------------

Secunia's Windows Applications Insecure Library Loading List
http://secunia.com/advisories/windows_insecure_library_loading/

According to that list, Microsoft seems to be making good progress. Adobe and other vendors seem to be moving a bit slower on addressing these DLL loading vulnerabilities.

Iran Blocks Tor; Tor Releases Same-day Fix

Via Tor Project -

Yesterday morning (in our timezones — that evening, in Iran), Iran added a filter rule to their border routers that recognized Tor traffic and blocked it. Thanks to help from a variety of friends around the world, we quickly discovered how they were blocking it and released a new version of Tor that isn't blocked. Fortunately, the fix is on the relay side: that means once enough relays and bridges upgrade, the many tens of thousands of Tor users in Iran will resume being able to reach the Tor network, without needing to change their software.

[...]

There are plenty of interesting discussion points from the research angle around how this arms race should be played. We're working on medium term and longer term solutions, but in the short term, there are other ways to filter Tor traffic like the one Iran used. Should we fix them all preemptively, meaning the next time they block us it will be through some more complex mechanism that's harder to figure out? Or should we leave things as they are, knowing there will be more blocking events but also knowing that we can solve them easily? Given that their last blocking attempt was in January 2011, I think it's smartest to collect some more data points first.

Wednesday, September 14, 2011

Mexican Navy Smashes Zetas Cartel Communications Network

Via BBC -

The navy said it seized mobile radio transmitters and encryption equipment that the gang was using to coordinate its criminal activities.

At least 80 suspects have been arrested over the past month.

Founded by former army commandos, the Zetas are considered one of Mexico's most violent cartels.

Last month, the gang was blamed for an arson attack on a casino in the northern city of Monterrey which killed 52 people.

The Mexican navy said the operation against the Zetas in Veracruz was carried out by marine special forces after months of work by naval intelligence officers.

It said the gang had installed secure radio communications systems in at least 10 towns in Veracruz.

The network was being used to coordinate drug trafficking, kidnap, extortion and murder across much of the state.

The equipment seized included high-powered transmitters, computers, radio scanners, encryption devices and solar power cells.

The immediate result of the operation was the disruption of the Zetas' "chain of command and tactical coordination" in Veracruz, navy spokesman Jose Luis Vergara said.


--------------------------------------------------------------------------

Borderland Beat has several videos showing the seized equipment.

Tuesday, September 13, 2011

RSA: APT Summit Findings

http://www.rsa.com/innovation/docs/APT_findings.pdf

On July 13 and 14, 2011, RSA and TechAmerica hosted an Advanced Persistent Threats Summit in Washington, D.C. The Summit brought together senior leaders from government and business to address both the impact of APTs and strategies for defense and mitigation. During the Summit, detailed perspectives on protecting against today’s most menacing information security threats surfaced. These findings, which are highlighted below, will be expanded upon in an in-depth report, scheduled to be published in the coming months.

------------------------------------------------------------------------------

For those with some APT knowledge, there isn't too much in this report that is a surprise. It will be interesting to see what is in the in-depth report.

Kudos to RSA for putting the closed-door summit together and making the information available to the community - even if it was only after being inducted into “the club” by an APT attack themselves.

APT: State-Sponsored Spies Collaborate with Crimeware Gang

Via The Register UK -

Hackers sponsored by the Chinese government and other nations are collaborating with profit-driven malware gangs to infiltrate corporate networks storing government secrets and other sensitive data, researchers say.

In many ways, the relationship between state-sponsored actors and organized crime groups that target online bank accounts resembles the kind of mutually benefiting alliances found in nature every day. Just as human intestines create the ideal environment for certain types of bacteria – and in turn receive crucial nutrients and digestive assistance – crimeware operators often cooperate with government-backed spies perpetrating the kinds of APTs, or advanced persistent threats, that have pillaged Google, RSA Security, and other US companies.

To the potential benefit of state-sponsored hackers, profit-driven malware gangs frequently have control of large numbers of infected machines belonging to government contractors and Fortune 500 companies. Because most of the machines never conduct business online, they may not represent much of an asset to the criminal gangs, which often allow the infected machines to sit dormant for months or years.

The same machines, however, can be a goldmine to spies hoping to plant APTs that steal weapons blueprints or other sensitive government data from adversaries. So rather than build an exploit from scratch, the APT actors can simply use botnets controlled by the attackers to access an infected machine on a sensitive network the spies want to infiltrate.

"Almost always, it's cheaper for them to do the latter," said Darien Kindlund, a senior staff scientist at FireEye, a network security firm. "What this means is there's an actually symbiotic relationship here."

In exchange for access to already-infected machines inside government contractors, state-sponsored actors often give malware gangs attack code that exploits previously unknown flaws in Microsoft's Internet Explorer and other widely used applications. As these zero-day vulnerabilities become known to people defending government contractor networks, the exploits quickly lose their value to APT actors. The same code, however, often has plenty of currency among gangs preying on smaller businesses and mom-and-pop end users.

[...]

In exchange for passing along malware hand-me-downs that are no longer needed, Kindlund said, APT groups get access to botnets operated by the criminal malware operators. For support, he cited a recently presented research from computer scientist Stefan Savage of the University of California at San Diego, and articles such as this one from security journalist Brian Krebs.

[...]

He went on to say the cooperation between the groups is so common that brokers now exist to help make trades more efficient.


-------------------------------------------------------------------

I have heard security professionals discuss this threat over the past few years...at Defcon, at bars....but the time is coming, we will need to start discussing it with management.

That ZeuS might just be a ZeuS, but the possibility exists that the humans controlling it aren't looking for online banking information.

SPITMO: First SpyEye Attack on Android Mobile Platform Now in the Wild

Via Net-Security.org -

The first SpyEye variant, called SPITMO, has been spotted attacking Android devices in the wild. According to Amit Klein, Trusteer’s chief technology officer, the threat posed by DroidOS/Spitmo has escalated the danger of SpyEye now that this malicious software has been able to shift its delivery and infection methods.

“We always said it was just a matter of time before the true potential of Spitmo was realized," says Klein. "When it first emerged [for the Symbian OS] back in April, F-Secure reported in its blog that it was targeting European banks. The trojan injected fields into a bank's webpage asking the customer to input his mobile phone number and the IMEI of the phone. The fraudster then needed to follow a cumbersome three stage sequence - get the IMEI number; generate a certificate; then release an updated installer. This process could take up to three days."

“We couldn’t believe fraudsters would go to that much effort just to steal a couple of SMSs - and it appears we were right," he says. "Information gathered by Trusteer's Intelligence Centre has discovered a new far more intuitive, and modern, approach of SPITMO for Android now active in the wild.”

[...]

Once the Trojan has successfully installed [on the Android device], all incoming SMS messages are intercepted and transferred to the attacker’s Command and Control server. A code snippet is run when an SMS is received, creating a string, which will later be appended as a query string to a GET HTTP request, to be sent to the attacker's drop zone.

[...]

What makes all of this so scary is that the application is not visible on the device’s dashboard, making it virtually undetectable, so users are not aware of its presence and will struggle to get rid of it.


-----------------------------------------------------------------------------------------------

Readers should keep in mind that these Spitmo (SpyEye in the Mobile) and Zitmo (ZeuS in the Mobile) attacks are not purely mobile OS level attacks; they are really blended malware attacks.

Spitmo & Zitmo: Attack Begins on the Desktop, But Increasingly Has Mobile Components

In the Spitmo case outlined by Trusteer above, the attack begins when the victim's PC is infected with this new variant of SpyEye. Once the victim visits their online banking website (on their PC), the malware injects a "new" security measure message into the website, which advises the user to download an Android application that is "mandatory in order to use its online banking service." The new measure pretends to be an Android application that protects the phone’s SMS messages from being intercepted and will protect the user against fraud.

The Zitmo attack outlined by Fortinet in September 2010 follows a similar pattern. The attack begins when the victim's PC is infected with this variant of ZeuS. It injects a message into the user's browser upon visiting the online banking website, asking for the user's phone number and phone model. Based on that info, it sends an SMS with a link to the appropriate version of the malicious package (a Symbian package for Symbian phones, a BlackBerry Jar for BlackBerry phones, etc).

Threat Mitigation Recommendations

With this deeper understanding of the Spitmo/Zitmo attacks, it is clear desktop based protection is still critically important to mitigate these blended desktop/mobile malware attacks. As always, a multi-layered security system on the desktop is recommended to ensure a high level of protection. However, it is likely the mobile components of these blended attacks will grow more advanced (and perhaps more independent) as the mobile devices themselves grow more powerful and mobile banking becomes more common.

Monday, September 12, 2011

A New and Improved Moore's Law

Via MIT Technology Review -

Researchers have, for the first time, shown that the energy efficiency of computers doubles roughly every 18 months.

The conclusion, backed up by six decades of data, mirrors Moore's law, the observation from Intel founder Gordon Moore that computer processing power doubles about every 18 months. But the power-consumption trend might have even greater relevance than Moore's law as battery-powered devices—phones, tablets, and sensors—proliferate.

"The idea is that at a fixed computing load, the amount of battery you need will fall by a factor of two every year and a half," says Jonathan Koomey, consulting professor of civil and environmental engineering at Stanford University and lead author of the study. More mobile computing and sensing applications become possible, Koomey says, as energy efficiency continues its steady improvement.

The research, conducted in collaboration with Intel and Microsoft, examined peak power consumption of electronic computing devices since the construction of the Electronic Numerical Integrator and Computer (ENIAC) in 1956. The first general purpose computer, the ENIAC was used to calculate artillery firing tables for the U.S. Army, and it could perform a few hundred calculations per second. It used vacuum tubes rather than transistors, took up 1,800 square feet, and consumed 150 kilowatts of power.

Even before the advent of discrete transistors, Koomey says, energy efficiency doubled every 18 months. "This is a fundamental characteristic of information technology that uses electrons for switching," he says. "It's not just a function of the components on a chip."

[...]

In July, Koomey released a report that showed, among other findings, that the electricity used in data centers worldwide increased by about 56 percent from 2005 to 2010—a much lower rate than the doubling that was observed from 2000 to 2005.

While better energy efficiency played a part in this change, the total electricity used in data centers was less than the forecast for 2010 in part because fewer new servers were installed than expected due to technologies such as virtualization, which allowed existing systems to run more programs simultaneously. Koomey notes that data center computers rarely run at peak power. Most computers are, in fact, "terribly underutilized," he says.

[...]

"Everyone's familiar with Moore's law and the remarkable improvements in the power of computers, and that's obviously important," says Erik Brynjolfsson, professor of the Sloan School of Management at MIT. But people are paying more attention to the battery life of their electronics as well as how fast they can run. "I think that's more and more the dimension that matters to consumers," Brynjolfsson says. "And in a sense, 'Koomey's law,' this trend of power consumption, is beginning to eclipse Moore's law for what matters to consumers in a lot of applications."

To Koomey, the most interesting aspect of the trend is thinking about the possibilities for computing. The theoretical limits are still so far away, he says. In 1985, the physicist Richard Feynman analyzed the electricity needs for computers and estimated that efficiency could theoretically improve by a factor of 100 billion before it hit a limit, excluding new technologies such as quantum computing. Since then, efficiency improvements have been about 40,000. "There's so far to go," says Koomey. "It's only limited by our cleverness, not the physics."

DEFCON 19 - Presentations

https://www.defcon.org/html/links/dc-archives/dc-19-archive.html

Normally I put a small description of the conference here, but ultimately if you don't know what Defcon is...you most likely don't care to see these presentations ;)

Fighting Targeted Malware: Why Signatures, Behaviour Blocking and White-listing are Not Enough

http://afitc.gunter.af.mil/2011Presentations/SeminarSessions/Symantec%20-%20Fighting%20Targeted%20Malware.pdf

I believe the presentation makes several good points, once you look beyond the "Hey! Check out Symantec's new reputation push" propaganda...

  • Malware authors have switched tactics...
    • From: a mass distribution of relatively few threats (e.g. Storm)
    • To: a micro distribution model (e.g. the average Vundo variant is pushed to only 18 Symantec users).

This micro distribution model leads to low prevalence of malware (even more so for advanced targeted malware), which causes problems with standard blacklist / whitelist / signature-based and even reputation-based protection solutions.

Sunday, September 11, 2011

5 Coolest Features of One World Trade Center

http://dsc.discovery.com/tv/the-rising/ground-zero-info/5-coolest-features-wtc.html

In the wake of the wreckage that occurred on Sept. 11, 2001, there's been much talk of reconstruction — both emotional and physical. Now, solid, visual evidence of that reconstruction is beginning to rise like a phoenix from Ground Zero at New York City's southern tip. When completed, One World Trade Center (One WTC) will stand as North America's tallest building — a glass and steel symbol of resiliency, as well as scientific and architectural triumph.

One World Trade Center faced a few challenges along the way. Not only did the $3.1 billion-dollar structure need to be attractive, it had to be the most secure office building ever constructed. In addition, because One World Trade Center is part of the larger reconstruction effort taking place on the grounds of the former Twin Towers, the coordination with other onsite projects presented a logistics nightmare — especially since commuter trains run through the center of the construction at ground zero day and night.

The plans for Ground Zero are finalized, and from them a skyscraper is emerging that will dazzle the eyes and perhaps knock your socks off. Take a tour of One WTC with us and check out some of the coolest features from one of the most-watched construction projects in history.


------------------------------------------------------------------------

The technology, the materials, the security and the beauty of the building are just utterly amazing.

STRATFOR Dispatch: Somalia's Transitional Federal Government and al Shabaab

http://www.stratfor.com/analysis/20110907-dispatch-somalias-transitional-federal-government-and-al-shabaab

Analyst Mark Schroeder examines the limited governing ability of Somalia’s Transitional Federal Government even though the African Union Peacekeeping Mission is providing robust security against al Shabaab in Mogadishu.

-------------------------------------------------------------------

Beyond the current status of the TFG, Mark outlines the three main factions that make up the collective al Shabaab...
The three main groups or factions that once contributed to al Shabaab are really separate entities right now. The leader of the transnationalist faction of al Shabaab, an individual named Godane Abu Zubayr, continues to espouse jihadist rhetoric in calling for a continued fight against the TFG. The two other main factions that comprise al Shabaab: one is led by Mukhtar Robow Abu Mansur; the other by Sheikh Hassan Dahir Aweys. Aweys’ faction is more commonly known as Hezbollah Islam.

Each of these two groups has pulled back to its respective home area. For Robow, that is around the city of Baidoa in the Bay and Bakool regions. For Aweys, it is in Afgoye in the greater Mogadishu area or Banadir region. Those groups, while they are still making public appearances and public statements and carrying out occasional defensive-oriented clashes, are not really taking any fight whatsoever to the TFG.

Saturday, September 10, 2011

GlobalSign Says Web Server Was Hacked, But No Signs of CA Breach

Via Threatpost.com -

GlobalSign has found evidence that its main Web server was compromised recently, but has not discovered any indications that its certificate authority infrastructure was hacked, contrary to claims by the attacker responsible for the DigiNotar CA hack.

The company, which is one of the larger CAs in the world, has been investigating claims by the Comodohacker that he has penetrated the GlobalSign CA infrastructure. It has retained Fox-IT, the same company that did the forensics of DigiNotar's systems in the wake of its attack, and GlobalSign has suspended its issuance of digital certificates until at least Monday while it finishes the investigation.

However, the company said on Friday that it had not found any direct evidence of a breach of its certificate authority systems.

"Today we found evidence of a breach to the web server hosting the www website. The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website. At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely. The investigation and high threat approach to returning services to normal continues," the GlobalSign statement said.

[...]

GlobalSign has said that it plans to bring some of its CA services back online on Monday. The fact that no evidence of a breach has been found so far clearly doesn't rule out the possibility that the attacker did indeed compromise the GlobalSign CA, but just means that the investigation hasn't turned up concrete evidence of an intrusion.

Friday, September 9, 2011

China Fears ‘Toxic’ Rumours

Via The Diplomat -

No governments have ever succeeded in banning rumours. But that hasn’t stopped many from trying. The latest to do so is Beijing. Irked by what it deems as malicious rumours spread through the Internet, and microblogs in particular, the Chinese government has recently announced a crackdown on the so-called ‘toxic’ Internet rumours.

The immediate triggers of China’s latest crackdown were most likely related to the outpouring of public outrage on the Internet over the crash of two high-speed trains in late July, and to the role played by the Internet in mobilizing the protest by residents of Dalian that forced the local government to promise to relocate a (truly) toxic petrochemical complex.

But the Chinese authorities also seem to have good reason to attempt the impossible – the advent of the Internet and microblogs has now greatly amplified the impact of rumours. On occasion, rumours have led to tragedies and riots. In one incident that occurred in the early hours of February 10 this year, for instance, rumours that a chemical plant in Xiangshui county in Jiangsu Province was about to explode sent more than ten thousand local residents into a panicked flight. Four people died and many were injured in the resulting traffic accidents.

Based on previous records of rumour-suppression, China’s latest crackdown doesn’t look promising. The reason isn’t that Beijing lacks the muscle or resolve – Chinese censors are hardworking servants of the state and can be counted on to devise ingenious measures to combat rumours. But fighting rumours in the Chinese social and political contexts requires much more than relentless censorship. First and foremost, Chinese leaders worried about the harmful effects of rumours must understand that the influence of rumours is directly and positively correlated with the lack of press freedom and the decline of government credibility. In other words, in a society ruled by an authoritarian regime that tolerates little freedom of the press, but which has an incentive structure that encourages its officials to fabricate critical data (such as GDP growth, inflation, and housing prices) and cover up accidents and communicable diseases, rumours are bound to flourish.

Indeed, when we compare how rumours fare in autocracies and democracies, the difference is huge. To be sure, rumours are concocted and spread in all societies. But those ruled by autocratic elites are far more vulnerable to their impact because these societies have no independent and free press that enjoys public confidence and can quickly discredit rumours through their fact-based reporting. In democracies, rumours can seldom cause mass panic or riots because a free press quickly acts as an antidote.

So a long-term and more effective measure to contain the harm of rumours in China is to allow greater press freedom. Sadly, that doesn’t seem to be in the cards.

DigiNotar Debacle: Apple Certificate Trust Policy Update

http://support.apple.com/kb/HT4920

Security Update 2011-005
Certificate Trust Policy

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1

Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.


-----------------------------------------------------------------

After remaining silent for more than a week, Apple has finally released an update for OS X to deal with the DigiNotar hack fallout. Now what about iOS??

Wednesday, September 7, 2011

HUJI Claims Bombing at Delhi High Court

Via The Long War Journal -

A Pakistan-based terrorist group that is closely linked to al Qaeda has claimed credit for a bombing today that killed 11 people and wounded scores more at a security checkpoint outside the Delhi High Court.

A bomb planted in a briefcase was detonated at a queue where lawyers and other visitors obtain security passes. Police said that 11 people have been killed so far and 76 more were wounded, some critically. The blast left a "deep crater" in the ground.

The Harkat-ul-Jihad-al-Islami, or HUJI, said it detonated the bomb to force India to repeal the death sentence of Afzal Guru, who has been placed on death row for the December 2001 terror assault on the Indian Parliament that killed six policemen, a civilian, and five members of the assault team. The Pakistan-based Lashkar-e-Taiba and Jaish-e-Mohammad carried out the 2001 attack in Delhi.

HUJI sent an email to Indian news agencies immediately after the attack to claim it.

"We owe the responsibility of todays blasts at high court delhi..... our demand is that Afzal Guru's death sentence should be repealede immediately else we would target major high courts & THE SUPREME COURT OF... [sic]," the email read, according to the Hindustan Times.

HUJI is an al Qaeda-linked group that operates in Pakistan, India, Afghanistan, and Bangladesh. The US designated HUJI as a terrorist entity in 2010, and its leader, Ilyas Kashmiri, was also added to the list of global terrorists.

Kashmiri has also been linked to Pakistan's Inter-Services Intelligence directorate, which has viewed him as an asset due to his prowess in fighting the Indians in Jammu and Kashmir.

The US believes Kashmiri was killed in a Predator airstrike in South Waziristan on June 3. But questions have emerged about Kashmiri's death, as the martyrdom statement is suspect and a photo of Kashmiri's purported corpse was actually that of a Lashkar-e-Taiba operative who was killed during the terror assault on Mumbai in November 2008. Indian intelligence officials now believe that Kashmiri faked his death in an attempt to dodge the Predators and the US special operations forces who entered Pakistan to kill bin Laden.

[For more information on problems with reports of Kashmiri's death, see LWJ report, Questions emerge over HUJI's statement on al Qaeda leader Ilyas Kashmiri's death, and Threat Matrix reports, Is Ilyas Kashmiri really dead? and Kashmiri faked death: Indian intelligence.]


------------------------------------------------------------------------------

Wikipedia - Harkat-ul-Jihad-al-Islami (HuJI)
http://en.wikipedia.org/wiki/Harkat-ul-Jihad_al-Islami
On August 6, 2010 the United States and the United Nations designated Harakat-ul Jihad al-Islami as a foreign terror group and blacklisted its commander Ilyas Kashmiri. State Department counterterrorism coordinator Daniel Benjamin asserted that the actions taken demonstrated the global community's resolve to counter the group's threat. "The linkages between HUJI and Al-Qaeda are clear, and today's designations convey the operational relationship between these organizations," Benjamin said.

MANPADS: Surface-to-Air Missiles Looted from Tripoli Arms Warehouse

Via CNN -

A potent stash of Russian-made surface-to-air missiles is missing from a huge Tripoli weapons warehouse amid reports of weapons looting across war-torn Libya.

They are Grinch SA-24 shoulder-launched missiles, also known as Igla-S missiles, the equivalent of U.S.-made Stinger missiles.

A CNN team and Human Rights Watch found dozens of empty crates marked with packing lists and inventory numbers that identified the items as Igla-S surface-to-air missiles.

[...]

Grinch SA-24s are designed to target front-line aircraft, helicopters, cruise missiles and drones. They can shoot down a plane flying as high as 11,000 feet and can travel 19,000 feet straight out.

Fighters aligned with the National Transitional Council and others swiped armaments from the storage facility, witnesses told Human Rights Watch. The warehouse is located near a base of the Khamis Brigade, a special forces unit in Gadhafi's military, in the southeastern part of the capital.

The warehouse contains mortars and artillery rounds, but there are empty crates for those items as well. There are also empty boxes for another surface-to-air missile, the SA-7.

Peter Bouckaert, Human Rights Watch emergencies director, told CNN he has seen the same pattern in armories looted elsewhere in Libya, noting that "in every city we arrive, the first thing to disappear are the surface-to-air missiles."

There was no immediate comment from NTC officials.

The lack of security at the weapons site raises concerns about stability in post-Gadhafi Libya and whether the new NTC leadership is doing enough to stop the weapons from getting into the wrong hands.

A NATO official, who asked to not be named because he was not authorized to speak publicly on the matter, said 575 surface-to-air missiles, radar systems and sites or storage facilities were hit by NATO airstrikes and either damaged or destroyed between March 31 and Saturday. He didn't elaborate on the specifics about the targets.

Gen. Carter Ham, chief of U.S. Africa Command, has said he's concerned about the proliferation of weapons, most notably the shoulder-fired surface-to-air missiles. He said there were about 20,000 in Libya when the international operation began earlier this year and many of them have not been accounted for.

"That's going to be a concern for some period of time," he said in April.


-------------------------------------------------------------------------------

According to a Bloomberg report...
There is evidence that a small number of Soviet-made SA-7 anti-aircraft missiles from Qaddafi’s arsenal have reached the black market in Mali, where al-Qaeda in the Islamic Maghreb (AQIM) is active, according to two U.S. government officials not authorized to speak on the record.

Tuesday, September 6, 2011

9/11: How The Twin Towers Were Built

The 110-storey landmarks that dominated the Manhattan skyline for nearly 30 years were reduced to rubble in the 9/11 suicide attacks of 2001. Thousands of people in the World Trade Center, and on the planes that crashed into them, lost their lives.

Designed by architect Minoru Yamasaki, the giant towers were conceived as part of an urban renewal project for Lower Manhattan - and when completed in the early 1970s, for a short time at least, were the world's tallest buildings.

Now - a decade since they were lost, and with new construction on the site well-advanced - take a look back at the life of New York's twin towers.

http://www.bbc.co.uk/news/magazine-14634600 (7 min video)

Microsoft Revokes Trust in Five DigiNotar Root Certs

Via Threatpost.com -

The fallout from the DigiNotar compromise continued on Tuesday, as Microsoft said it has now revoked its trust of all five of the certificate authority's root certificates. The update that makes this change is being pushed out to users on all supported versions of Windows.

The move by Microsoft effectively makes any certificate that has been issued by DigiNotar untrusted by Internet Explorer and other Windows applications. Any IE user who visits a site that presents a DigiNotar-issued certificate as proof of identity will get an error message telling him that the certificate isn't trusted. Microsoft's change applies to these root certificates from DigiNotar:
  • DigiNotar Root CA
  • DigiNotar Root CA G2
  • DigiNotar PKIoverheid CA Overheid
  • DigiNotar PKIoverheid CA Organisatie – G2
  • DigiNotar PKIoverheid CA Overheid en Bedrijven
The software giant said that it has continued to investigate the DigiNotar attack and work with other certificate authorities and software vendors as they all look for viable solutions to what has become a huge problem. Also on Tuesday, responding to claims by the hacker who has taken credit for the DigiNotar attack that he also has compromised several other high-level CAs, GlobalSign, one of the CAs mentioned, said it is aware of the claim and is looking into it.

The company posted a message on its corporate Twitter feed, saying: "We are aware of the Comodo hacker BLOG that claims access to a number of major CAs including GlobalSign. We are taking this claim seriously and are investigating."
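The Apple and Microsoft updates above both work by refusing the named DigiNotar roots and anything chained to them. The following script is an added example (not Apple's, Microsoft's or DigiNotar's code) that applies the same rule to a certificate chain in the dict shape Python's `ssl` module uses, and audits the local default trust store for the five roots; the intermediate and leaf names in the sample chains are constructed placeholders.

```python
import ssl

# The five roots Microsoft revoked trust in (the fourth is spelled with an en dash in the advisory)
DISTRUSTED_ROOT_CNS = frozenset({
    "DigiNotar Root CA",
    "DigiNotar Root CA G2",
    "DigiNotar PKIoverheid CA Overheid",
    "DigiNotar PKIoverheid CA Organisatie \u2013 G2",
    "DigiNotar PKIoverheid CA Overheid en Bedrijven",
})

def _normalise(cn):
    """Fold en dashes and whitespace so name matching is not defeated by punctuation variants."""
    return None if cn is None else " ".join(cn.replace("\u2013", "-").split())

_DISTRUSTED = frozenset(_normalise(cn) for cn in DISTRUSTED_ROOT_CNS)

def common_name(name):
    """Pull commonName out of the nested RDN tuples that ssl getpeercert()/get_ca_certs() return."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def is_distrusted(cert):
    """Untrusted if the cert *is* one of the roots or was *issued by* one of them (Microsoft's policy)."""
    subject_cn = _normalise(common_name(cert.get("subject", ())))
    issuer_cn = _normalise(common_name(cert.get("issuer", ())))
    return subject_cn in _DISTRUSTED or issuer_cn in _DISTRUSTED

def distrusted_in_chain(chain):
    """Subject CNs in a leaf-to-root chain that must be treated as untrusted (empty means chain is clean)."""
    return [common_name(c["subject"]) for c in chain if is_distrusted(c)]

def audit_local_store(ctx=None):
    """DigiNotar roots still loaded in the default trust store; expected to be empty on a patched system."""
    ctx = ctx or ssl.create_default_context()
    return [common_name(c["subject"]) for c in ctx.get_ca_certs() if is_distrusted(c)]

def _name(cn):
    """Build the RDN tuple shape the ssl module uses for a single commonName."""
    return ((("commonName", cn),),)

# Constructed chain modelled on the rogue *.google.com certificate chaining up to a DigiNotar root
ROGUE_CHAIN = [
    {"subject": _name("*.google.com"), "issuer": _name("DigiNotar Intermediate CA (constructed)")},
    {"subject": _name("DigiNotar Intermediate CA (constructed)"), "issuer": _name("DigiNotar Root CA")},
    {"subject": _name("DigiNotar Root CA"), "issuer": _name("DigiNotar Root CA")},
]

# Constructed chain from an unrelated CA, for contrast
CLEAN_CHAIN = [
    {"subject": _name("www.example.com"), "issuer": _name("Example Issuing CA (constructed)")},
    {"subject": _name("Example Issuing CA (constructed)"), "issuer": _name("Example Root CA (constructed)")},
]

if __name__ == "__main__":
    print("rogue chain flags:", distrusted_in_chain(ROGUE_CHAIN))
    print("clean chain flags:", distrusted_in_chain(CLEAN_CHAIN))
    print("local store still trusts:", audit_local_store())
```

Note that on Linux `get_ca_certs()` only lists roots loaded from a bundle file, not a capath directory, so an empty result there is not proof the roots are absent.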


-------------------------------------------------------------------------------------------------

MSRC: Microsoft updates Security Advisory 2607712
https://blogs.technet.com/b/msrc/archive/2011/09/06/microsoft-updates-security-advisory-2607712.aspx

Microsoft Security Advisory (2607712)
Fraudulent Digital Certificates Could Allow Spoofing
http://www.microsoft.com/technet/security/advisory/2607712.mspx

Monday, September 5, 2011

Operation Black Tulip Report: DigiNotar Certificate Authority Breach

http://www.rijksoverheid.nl/ministeries/bzk/documenten-en-publicaties/rapporten/2011/09/05/diginotar-public-report-version-1.html

Background

The company DigiNotar B.V. provides digital certificate services; it hosts a number of Certificate Authorities (CAs). Certificates issued include default SSL certificates, Qualified Certificates and 'PKIoverheid' (Government accredited) certificates.

On the evening of Monday August 29th it became public knowledge that a rogue *.google.com certificate was presented to a number of Internet users in Iran. This false certificate had been issued by DigiNotar B.V. and was revoked that same evening.

On the morning of the following Tuesday, Fox-IT was contacted and asked to investigate the breach and report its findings before the end of the week.

Fox-IT assembled a team and started the investigation immediately. The investigation team includes forensic IT experts, cybercrime investigators, malware analysts and a security expert with PKI experience. The team was headed by CEO J.R. Prins directly.

It was communicated and understood from the outset that Fox-IT wouldn't be able to complete an in-depth investigation of the incident within this limited timeframe. This is due to the complexity of the PKI environment and the uncommon nature of the breach.

Rather, due to the urgency of this matter, Fox-IT agreed to prepare an interim report at the end of the week with its preliminary findings, which would be published.


-------------------------------------------------------------------------------------

Diginotar Investigation:
Visualisation of OCSP requests for the rogue *.google.com certificate by Fox-IT
http://www.youtube.com/watch?v=wZsWoSxxwVY

-------------------------------------------------------------------------------------

Here are a couple of statements in the report that catch my eye:

  • Page 8 - "On August 4th the number of requests rose quickly until the certificate was revoked on August 29th at 19:09. Around 300.000 unique requesting IPs to google.com have been identified. Of these IPs >99% originated from Iran."
  • Page 9 - "In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011."
  • Page 9 - "The list of domains and the fact that 99% of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran."
  • Page 9 - "The most critical servers contain malicious software that can normally be detected by anti-virus software."
  • Page 9 - "The software installed on the public web servers was outdated and not patched. No antivirus protection was present on the investigated servers."
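The page 8 finding (request volume rising from August 4th, ~300.000 unique requesting IPs) comes from counting distinct OCSP clients per day for the rogue certificate's serial, which is what the Fox-IT visualisation linked above plots. The script below is an added example, not Fox-IT's code: the responder log line format, the serial and the client addresses are all constructed, and it shows how that daily unique-client series and the first day of a sharp rise would be derived from such a log.

```python
from collections import defaultdict
import re

# Constructed responder log line: "<YYYY-MM-DD> <client_ip> ocsp serial=<hex>" (not DigiNotar's real format)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ocsp serial=(?P<serial>[0-9A-Fa-f]+)$"
)

# Placeholder serial: the page does not give the rogue certificate's serial number
ROGUE_SERIAL = "0CAFE"

# Constructed sample using RFC 5737 documentation addresses; the last line is deliberately malformed
SAMPLE_LOG = """\
2011-08-03 203.0.113.5 ocsp serial=ABCD
2011-08-04 203.0.113.5 ocsp serial=0cafe
2011-08-04 203.0.113.9 ocsp serial=0CAFE
2011-08-04 203.0.113.9 ocsp serial=0CAFE
2011-08-05 203.0.113.5 ocsp serial=0CAFE
2011-08-05 198.51.100.1 ocsp serial=0CAFE
2011-08-05 198.51.100.2 ocsp serial=0CAFE
2011-08-05 198.51.100.3 ocsp serial=0CAFE
this line is not a valid record
"""

def clients_per_day(log_text, serial):
    """Map each day to the set of distinct client IPs that asked about `serial`.

    Repeated requests from one address count once; lines that do not parse are skipped,
    and the serial comparison is case-insensitive because responders log hex inconsistently.
    """
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match and match["serial"].upper() == serial.upper():
            per_day[match["date"]].add(match["ip"])
    return dict(sorted(per_day.items()))

def daily_counts(log_text, serial):
    """The series the visualisation plots: number of unique clients per day."""
    return {day: len(ips) for day, ips in clients_per_day(log_text, serial).items()}

def unique_clients(log_text, serial):
    """Distinct addresses over the whole period (the report's 'unique requesting IPs' figure)."""
    return len(set().union(*clients_per_day(log_text, serial).values()))

def first_spike(counts, factor=2.0):
    """First day whose unique-client count is at least `factor` times the previous day's, or None."""
    previous = None
    for day, count in counts.items():
        if previous is not None and previous > 0 and count >= factor * previous:
            return day
        previous = count
    return None

if __name__ == "__main__":
    series = daily_counts(SAMPLE_LOG, ROGUE_SERIAL)
    print("unique clients per day:", series)
    print("unique clients overall:", unique_clients(SAMPLE_LOG, ROGUE_SERIAL))
    print("first spike on:", first_spike(series))
```

Geolocating the addresses (the >99% Iran figure) needs an external IP-to-country dataset and is left out so the script runs offline.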