Tuesday, January 31, 2012

China-Based Hackers Target Law Firms to Grab Secret Deal Data

Via BusinessWeek -

China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on offices on Toronto’s Bay Street, home of the Canadian law firms handling the deal.

Over a few months beginning in September 2010, the hackers rifled one secure computer network after the next, eventually hitting seven different law firms as well as Canada’s Finance Ministry and the Treasury Board, according to Daniel Tobok, president of Toronto-based Digital Wyzdom. His cyber security company was hired by the law firms to assist in the probe.

The investigation linked the intrusions to a Chinese effort to scuttle the takeover of Potash Corp. of Saskatchewan Inc. by BHP Billiton Ltd. as part of the global competition for natural resources, Tobok said. Such stolen data can be worth tens of millions of dollars and give the party who possesses it an unfair advantage in deal negotiations, he said.

Though the deal eventually fell apart for unrelated reasons, the incident illustrates the vulnerability of law firms. They are increasingly threatened with a loss of client business if they can’t show improved security as such attacks continue to escalate.

Stephen Surdu, vice president of professional services at Mandiant Corp., a cybersecurity firm that tracks industrial espionage, compared the risk of hacking in the mergers and acquisition arena to gambling.

“You’re playing poker, and there’s a mirror over the other guy’s shoulder,” Surdu said.


“As financial institutions in New York City and the world become stronger, a hacker can hit a law firm and it’s a much, much easier quarry,” said Mary Galligan, head of the cyber division in the New York City office of the U.S. Federal Bureau of Investigation.

Galligan’s unit convened a meeting with the top 200 law firms in New York City last November to deal with the rising number of law firm intrusions. Over snacks in a large meeting room, the FBI issued a warning to the lawyers: Hackers see attorneys as a back door to the valuable data of their corporate clients.

Monday, January 30, 2012

Attackers Moving Zeus Servers to Former Soviet Union TLD

Via Threatpost -

The groups of attackers that employ the Zeus toolkit for their scams and malware campaigns have long used sites in the .ru Russian TLD as homes for their botnet controllers. Security researchers and law enforcement agencies have had a difficult time making headway in getting these domains taken down, but now it seems that some changes in the way that the Russian organization in charge of the .ru domain is enforcing rules for fraudulent domains is forcing attackers to move to a long-forgotten TLD owned by the former Soviet Union.

Botherders tend not to be too picky about where they locate their command-and-control servers. Any domain and hosting provider that will leave them alone typically fits the bill. For the past few years, that description has fit many domains in the Russian TLD, as well as many others in smaller Eastern European countries that haven't dedicated a lot of resources to rooting out these C&C servers. Security researchers have known for a long time where the C&C servers are and have been exposing them online, and the attackers will change the location of those servers frequently in response to takedowns or other actions.

Now it appears that some of the Zeus attack crews are moving away from the .ru TLD altogether and migrating to the .su TLD, which was the property of the former Soviet Union. According to statistics on the Zeus Tracker site, three of the Zeus C&C servers with the longest uptimes are currently running on .su domains. Also, two of the C&Cs with the most files online are on .su domains.


Since the demise of the Soviet Union, the .su TLD has remained active and companies and organizations located in countried that were part of the Soviet Union are allowed to register domains using that TLD. But, because the Soviet Union no longer exists and there are a relatively small number of sites on the TLD, it has gone unnoticed. Attackers have shown a remarkable ability to find obscure TLDs and infest them with malware-serving domains or C&C servers in a short period of time, and the .su TLD is now having its moment in the sun.

Saturday, January 28, 2012

Lookout: Our Take on the ‘Apperhand’ SDK (aka ‘Android.Counterclank’)

Via Lookout Mobile Security Blog -

Today, news came out that claimed a particular family of malware, termed ‘Android.Counterclank’, had infected 5 million users. We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK is an aggressive form of ad network and should be taken seriously.

This isn’t malware.
The average Android user probably doesn’t want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behavior. In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar.

Malware is defined as software that is designed to engage in malicious behavior on a device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud.

Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network – not malware.

We’re researching ad networks closely.
We spend a significant amount of time looking not just at mobile apps, but also at SDKs that are commonly integrated into apps. We’ve recently been focusing heavily on the capabilities of various mobile advertising SDKs. We believe that ad networks are important for the overall mobile ecosystem; however, some advertising networks go beyond the commonly accepted behavior of ad networks with more aggressive tactics.

This particular ad network SDK, com.apperhand, bears similarities to one previously distributed in a number of apps in June of 2011 as the “ChoopCheec platform” or “Plankton”.


We’re continuing our investigation.
At this point, it appears that what we’re seeing is an example of an ad network that pushes the lines of privacy. Over the past few months we have been closely tracking this, and we are seeing a trend of this type of behavior. While this is not malware, we do think that consumers should take it seriously, and we’re actively working on a solution to help users understand whether applications have potentially undesirable behavior such as this while not creating unnecessary worry.

How Pakistan Helps the U.S. Drone Campaign

Via Reuters (Jan 22, 2012) -

The death of a senior al Qaeda leader in a U.S. drone strike in Pakistan's tribal badlands, the first strike in almost two months, signaled that the U.S.-Pakistan intelligence partnership is still in operation despite political tensions.

The Jan 10 strike -- and its follow-up two days later -- were joint operations, a Pakistani security source based in the tribal areas told Reuters.

They made use of Pakistani "spotters" on the ground and demonstrated a level of coordination that both sides have sought to downplay since tensions erupted in January 2011 with the killing of two Pakistanis by a CIA contractor in Lahore.

"Our working relationship is a bit different from our political relationship," the source told Reuters, requesting anonymity. "It's more productive."

U.S. and Pakistani sources told Reuters that the target of the Jan 10 attack was Aslam Awan, a Pakistani national from Abbottabad, the town where Osama bin Laden was killed last May by a U.S. commando team.


The Pakistani source, who helped target Awan, could not confirm that he was killed, but the U.S. official said he was. European officials said Awan had spent time in London and had ties to British extremists before returning to Pakistan.

The source, who says he runs a network of spotters primarily in North and South Waziristan, described for the first time how U.S.-Pakistani cooperation on strikes works, with his Pakistani agents keeping close tabs on suspected militants and building a pattern of their movements and associations.

"We run a network of human intelligence sources," he said. "Separately, we monitor their cell and satellite phones.

"Thirdly, we run joint monitoring operations with our U.S. and UK friends," he added, noting that cooperation with British intelligence was also extensive.

Pakistani and U.S. intelligence officers, using their own sources, hash out a joint "priority of targets lists" in regular face-to-face meetings, he said.

"Al Qaeda is our top priority," he said.

He declined to say where the meetings take place.

Once a target is identified and "marked," his network coordinates with drone operators on the U.S. side. He said the United States bases drones outside Kabul, likely at Bagram airfield about 25 miles north of the capital.

From spotting to firing a missile "hardly takes about two to three hours," he said.

It was impossible to verify the source's claims and American experts, who decline to discuss the drone program, say the Pakistanis' cooperation has been less helpful in the past.

U.S. officials have complained that when information on drone strikes was shared with the Pakistanis beforehand, the targets were often tipped off, allowing them to escape.

Friday, January 27, 2012

USS Ponce Being Refit to Become a "Mothership" in Middle East

Via Washington Post (Jan 27, 2012) -

The Pentagon is rushing to send a large floating base for commando teams to the Middle East as tensions rise with Iran, al-Qaeda in Yemen and Somali pirates, among other threats.

In response to requests from the U.S. Central Command, which oversees military operations in the Middle East, the Navy is converting an aging warship it had planned to decommission into a makeshift staging base for the commandos. Unofficially dubbed a “mothership,” the floating base could accommodate smaller high-speed boats and helicopters commonly used by Navy SEALs, procurement documents show.

Special Operations Forces are a key part of the Obama administration's strategy to make the military leaner and more agile as the Pentagon confronts at least $487 billion in spending cuts over the next decade.

Lt. Cmdr. Mike Kafka, a spokesman for the Navy’s Fleet Forces Command, declined to elaborate on the floating base’s purpose or to say where, exactly, it will be deployed in the Middle East. Other Navy officials acknowledged that they were moving with unusual haste to complete the conversion and send the mothership to the region by early summer.

Navy documents indicate that it could be headed to the Persian Gulf, where Iran has threatened to block the Strait of Hormuz, a crucial shipping route for much of the world’s oil supply. A market survey proposal from the Military Sealift Command, dated Dec. 22 and posted online, states that the floating base needed to be delivered to the Persian Gulf.

Other contract documents do not specify a location but say the mothership would be used to “support mine countermeasure” missions. Defense officials have said that if Iran did attempt to close the Strait of Hormuz, it would rely on mines to obstruct the waterway.


It's funny, as the term "mothership" is commonly found on his blog in terms of Somali pirates...

Thursday, January 26, 2012

Insight into Sykipot Operations

Via Symantec Security Response Blog -

The Sykipot campaign has been persistent in the past few months targeting various industries, the majority of which belong to the defense industry. Each campaign is marked with a unique identifier comprised of a few letters followed by a date hard-coded within the Sykipot Trojan itself.In some cases the keyword preceding the numbers is the sub-domain's folder name on the Web server being used.


These campaign markers allow the attackers to correlate different attacks on different organizations and industries.

The attackers also left additional clues allowing us to gain insight into what appears to be a staging server that is used prior to the delivery of new binaries to targeted users. In addition, we were able to confirm that the server was also used as a command and control (C&C) server for a period of time as well. The server is based in the Beijing region of China and was running on one of the largest ISPs in China. Furthermore, on one occasion one of the attackers connected from the Zhejiang province. The server has hosted over a hundred malicious files from the past couple of months, many of which were used in Sykipot campaigns.


The Sykipot attackers have a long running history of attacks against multiple industries. Based on these insights, the attackers are familiar with the Chinese language and are using computer resources in China. They are clearly a group of attackers who are constantly modifying their creation to utilize new vulnerabilities and to evade security products and we expect that they will continue their attacks in the future.

NASA: NPP's 'Blue Marble'


A 'Blue Marble' image of the Earth taken from the Visible Infrared Imager Radiometer Suite (VIIRS) instrument aboard NASA's most recently launched Earth-observing satellite - Suomi NPP. This composite image uses a number of swaths of the Earth's surface taken on January 4, 2012. The NPOESS Preparatory Project (NPP) satellite was renamed 'Suomi NPP' on January 24, 2012 to honor the late Verner E. Suomi of the University of Wisconsin.

The high-resolution version can be found here.

Wednesday, January 25, 2012

N. Korea Suspected of Trying to Hack into Seoul University

Via Yonhap News Agency (Jan 17, 2012) -

North Korea is suspected of masterminding last year's attempt to hack into the e-mail accounts of a Seoul university's graduate school alumni, school officials said Tuesday.

The Graduate School of Information Security at Korea University said it has conducted a joint investigation with intelligence authorities to track the origins of the hacking attempt, upon learning that an e-mail carrying malicious codes was sent to some of its graduates via its internal e-mail accounts last November.

"The e-mail was found to have been sent from a server based in Taiwan often used by North Korea," a school official said, declining to be identified.

"But no damage has been reported, as our graduates who received the e-mail never opened the file attached, and the codes did not work well from the first place," he added.

U.S. Military Raid in Somalia Frees Dane, American

Via USA Today -

The Navy Seals that rescued two aide workers in Somalia were not dealing with al-Qaeda-linked militant groups but pirate-gangs that have been terrorizing the region kidnapping people and holding them for ransoms.

The raid under cover of darkness on Wednesday freed American Jessica Buchanan and Poul Hagen Thisted, a Dane, who were "on their way to be reunited with their families," the Danish Refugee Council said Wednesday.

President Obama authorized the mission by SEAL Team 6, the same unit that was behind the operation in Pakistan last May that killed Osama bin Laden.

One official who spoke on the condition he would remain anonymous told the Associated Press that the team parachuted into the area before moving on foot to the target. Nine kidnappers were killed. The raid happened near the Somali town of Adado.

The SEAL raid shows the the United States is "more willing to confront pirates than it has in the past," says Derek Reveron, a professor at the Naval War College.

It also suggests a growing willingness to use its special operations forces, which is riskier than drone strikes.

"Clearly it was a good target of opportunity," Reveron says. "But it also strikes me as pretty significant, parachuting SEALs into Somalia."

As large ships at sea have increased their defenses against pirate attacks, gangs have looked for other money making opportunities like land-based kidnappings.

It is not clear what impact the raid will have on piracy in the region.

But the number of successful pirate hijackings on shipping has dropped dramatically in 2011 in the Horn of Africa region. The number of successful pirate attacks fell to 24 last year, from 45 in 2010, according to NATO.

Monday, January 23, 2012

Music: The Roots "Sleep"


Undun is the eleventh studio album by American hip hop band The Roots, released December 2, 2011, on Def Jam Recordings.

Star Wars Uncut - Episode IV: A New Hope (Director's Cut)


Finally, the crowd-sourced project has been stitched together and put online for your streaming pleasure. The "Director's Cut" is a feature-length film that contains hand-picked scenes from the entire StarWarsUncut.com collection.

SWU has been featured in documentaries, news features and conferences around the world for its unique appeal. In 2010 we won a Primetime Emmy for Outstanding Creative Achievement In Interactive Media.

We can't thank everyone enough for making this such a special project.

Thursday, January 19, 2012

A Hezbollah Threat in Thailand?

Via STRATFOR (Security Weekly) -

On Jan. 12, Thai authorities arrested a man they say was a member of the Lebanon-based Shiite militant group Hezbollah who was plotting an attack in Bangkok. In uncovering the plot, Thai police cite cooperation with the United States and Israel going back to December 2011. Bangkok is indeed a target-rich environment with a history of terrorist attacks, but today Hezbollah and other militant and criminal groups rely on the city as more of a business hub than anything else. If Hezbollah or some other transnational militant group were to carry out an attack in the city, it would have to be for a compelling reason that outweighed the costs.


While there are certainly plenty of U.S., Jewish and Israeli targets in Thailand in general and Bangkok in particular, other officials have given different accounts of the alleged plot that add more nuance. According to National Police Chief Priewpan Damapong, Hussein insisted that the materials seized were not intended for attacks in Thailand but were going to be transported to a yet-to-be-named third country (a Stratfor source has cited the Philippines as a logical destination). He also allegedly told authorities that, although he was a member of Hezbollah, he was not a member of the group's militant arm. A Hezbollah official in Beirut, Ghaleb Abu Zainab, told the Lebanese Broadcasting Corp. that Hussein was not a Hezbollah member, while Stratfor sources have told us that he was. Our sources also have confirmed Hussein's reported confession to police that he was on the business side of things -- likely involved in procurement and logistics -- rather than the militant side, which involves such things as bombmaking or operational planning. As a Swedish passport holder, Hussein would have much more access to business connections, so it makes sense that Hezbollah would want to compartmentalize his skills.


Thus, Hezbollah's profile and set of interests support Hussein's reported claims that the bombmaking materials that police found were being moved out of the country and were not intended for use in Bangkok or other tourist locations in Thailand.


Just as Bangkok is an attractive business hub in Southeast Asia for legitimate businessmen, it is also an attractive hub for illicit businessmen. In 2008, Thai police arrested Russian arms smuggler Viktor Bout after agents from the U.S. Drug Enforcement Administration, posing as members of the Revolutionary Armed Forces of Colombia guerrilla group trying to negotiate a deal to buy weapons, incriminated Bout during a meeting in Bangkok. It appears that Hussein's role in this case would have been an administrative one similar to Bout's: sourcing the fertilizer, finding a place to stockpile it and concealing it in innocent-looking fan boxes. This would not make him any less guilty of assisting a militant group, but it would deflate the theory that Hezbollah was plotting to use this material in an immediate attack in Bangkok.

This is not to say that Hezbollah or some other militant group will not conduct an attack in Bangkok in the future. But it would take a lot to convince group leaders that the financial pain of an attack in the city would be worth the ideological gain. And the recent alleged plot should remind investigators and policymakers to remember the financial bottom line as well as the ideological bottom line when assessing future terrorist threats.

Wednesday, January 18, 2012

Stop the Internet Blacklist Legislation

This is primarily for my visitors in the United States...but serves as a good example of how NOT to write Internet legislation for my international visitors. Let's keep it open and free folks.


The Internet blacklist legislation—known as PROTECT IP Act (PIPA) in the Senate and Stop Online Piracy Act (SOPA) in the House—invites Internet security risks, threatens online speech, and hampers innovation on the Web. Urge your members of Congress to reject this Internet blacklist campaign in both its forms! Read More

Sunday, January 15, 2012

Comprehensive Experimental Analyses of Automotive Attack Surfaces



Modern automobiles are pervasively computerized, and hence potentially vulnerable to attack. However, while previous research has shown that the internal networks within some modern cars are insecure, the associated threat model —requiring prior physical access— has justifiably been viewed as unrealistic. Thus, it remains an open question if automobiles can also be susceptible to remote compromise. Our work seeks to put this question to rest by systematically analyzing the external attack surface of a modern automobile. We discover that remote exploitation is feasible via a broad range of attack vectors (including mechanics tools, CD players, Bluetooth and cellular radio), and further, that wireless communications channels allow long distance vehicle control, location tracking, in-cabin audio exfiltration and theft. Finally, we discuss the structural characteristics of the automotive ecosystem that give rise to such problems and highlight the practical challenges in mitigating them.


To be clear, for every vulnerability we demonstrate, we are able to obtain complete control over the vehicle’s systems. We did not explore weaker attacks.

Saturday, January 14, 2012

False Flag

Via Foreign Policy -

Buried deep in the archives of America's intelligence services are a series of memos, written during the last years of President George W. Bush's administration, that describe how Israeli Mossad officers recruited operatives belonging to the terrorist group Jundallah by passing themselves off as American agents. According to two U.S. intelligence officials, the Israelis, flush with American dollars and toting U.S. passports, posed as CIA officers in recruiting Jundallah operatives -- what is commonly referred to as a "false flag" operation.

The memos, as described by the sources, one of whom has read them and another who is intimately familiar with the case, investigated and debunked reports from 2007 and 2008 accusing the CIA, at the direction of the White House, of covertly supporting Jundallah -- a Pakistan-based Sunni extremist organization. Jundallah, according to the U.S. government and published reports, is responsible for assassinating Iranian government officials and killing Iranian women and children.

But while the memos show that the United States had barred even the most incidental contact with Jundallah, according to both intelligence officers, the same was not true for Israel's Mossad. The memos also detail CIA field reports saying that Israel's recruiting activities occurred under the nose of U.S. intelligence officers, most notably in London, the capital of one of Israel's ostensible allies, where Mossad officers posing as CIA operatives met with Jundallah officials.

The officials did not know whether the Israeli program to recruit and use Jundallah is ongoing. Nevertheless, they were stunned by the brazenness of the Mossad's efforts.

"It's amazing what the Israelis thought they could get away with," the intelligence officer said. "Their recruitment activities were nearly in the open. They apparently didn't give a damn what we thought.

Interviews with six currently serving or recently retired intelligence officers over the last 18 months have helped to fill in the blanks of the Israeli false-flag operation. In addition to the two currently serving U.S. intelligence officers, the existence of the Israeli false-flag operation was confirmed to me by four retired intelligence officers who have served in the CIA or have monitored Israeli intelligence operations from senior positions inside the U.S. government.

The CIA and the White House were both asked for comment on this story. By the time this story went to press, they had not responded. The Israeli intelligence services -- the Mossad -- were also contacted, in writing and by telephone, but failed to respond. As a policy, Israel does not confirm or deny its involvement in intelligence operations.


According to one retired CIA officer, information about the false-flag operation was reported up the U.S. intelligence chain of command. It reached CIA Director of Operations Stephen Kappes, his deputy Michael Sulick, and the head of the Counterintelligence Center. All three of these officials are now retired. The Counterintelligence Center, according to its website, is tasked with investigating "threats posed by foreign intelligence services."

The report then made its way to the White House, according to the currently serving U.S. intelligence officer. The officer said that Bush "went absolutely ballistic" when briefed on its contents.

"The report sparked White House concerns that Israel's program was putting Americans at risk," the intelligence officer told me. "There's no question that the U.S. has cooperated with Israel in intelligence-gathering operations against the Iranians, but this was different. No matter what anyone thinks, we're not in the business of assassinating Iranian officials or killing Iranian civilians."


The debate over Jundallah was resolved only after Bush left office when, within his first weeks as president, Barack Obama drastically scaled back joint U.S.-Israel intelligence programs targeting Iran, according to multiple serving and retired officers.

The decision was controversial inside the CIA, where officials were forced to shut down "some key intelligence-gathering operations," a recently retired CIA officer confirmed. This action was followed in November 2010 by the State Department's addition of Jundallah to its list of foreign terrorist organizations -- a decision that one former CIA officer called "an absolute no-brainer."

Since Obama's initial order, U.S. intelligence services have received clearance to cooperate with Israel on a number of classified intelligence-gathering operations focused on Iran's nuclear program, according to a currently serving officer. These operations are highly technical in nature and do not involve covert actions targeting Iran's infrastructure or political or military leadership.

"We don't do bang and boom," a recently retired intelligence officer said. "And we don't do political assassinations."


Bombing Kills Iranian Nuclear Scientist
In response, the White House said it "had absolutely nothing to do'' with the blast that killed Roshan. White House spokesman Tommy Vietor said the U.S. strongly condemns the attack and all acts of violence.

In a joint press conference in Washington with the Qatari foreign minister, Hillary Clinton again denied U.S. involvement.

"I want to categorically deny any United States involvement in any kind of act of violence inside Iran," said Clinton.

Jundallah (Soldiers of God)

Thursday, January 12, 2012

APT Malware Attacks Smart Cards Used by DIB & Governments

Via NY Times (Bits Blog) -

Chinese hackers have deployed a new cyber weapon that is aimed at the Defense Department, the Department of Homeland Security, the State Department and potentially a number of other United States government agencies and businesses, security researchers say.

Researchers at AlienVault, a Campbell, Calif., security company, said on Thursday that they had uncovered a new variant of some malicious software called Sykipot that targets smart cards used by government employees to access restricted servers and networks. Traces of Sykipot malware have been found in cyberattacks dating back to 2006, but AlienVault’s researchers say this is the first time Sykipot has compromised smart cards.

The government uses smart cards to supplement employee passwords, which have proven easy to crack. By cracking smart cards, hackers eliminate the final hurdle between themselves and some of the government’s most sensitive information. Mandiant, a security firm, first outlined smart card weaknesses in a January 2011 report and said it had investigated several attacks in which hackers used smart cards to crack into companies. The latest Sykipot strain offers a look at how hackers are compromising smart cards and indicates who they are after.

Researchers say this strain specifically targets smart card readers that run ActivClient, a program made by ActivIdentity, an identity authentication company based in Fremont, Calif. ActivIdentity’s smart cards are used by employees at the Defense Department, Department of Homeland Security, Coast Guard, Social Security Administration, Treasury Department and other government agencies, along with businesses including Monsanto, BNP Paribas and Air France.


Exactly what Sykipot’s architects have stolen is still not known. But given ActivIdentity’s client list of defense agencies, security researchers say, it is now clear who the target is.


Mandiant M-Trends "When Prevention Fails" - Jan 2011
http://www.security.nl/files/M-trends2.pdf (Full Report)

It was this M-Trends paper (commonly called M-Trends 2) that first highlighted Smartcard Proxy Malware – Page 7-9.

At the time Mandiant suggested using hardware RSA tokens as a way of minimizing risk.
There are several ways to reduce the likelihood an attacker would be able to compromise hardware-based tokens. Removing smart cards when not in use is the easiest way to mitigate risks, however moving to other hardware based technologies such as RSA Tokens with time-based sync of passwords is an effective way to thwart this threat.

However, just two months later (March 2011), the RSA SecurID breach became public – rendering the advice moot.

Wednesday, January 11, 2012

Adversaries of Iran Said to Be Stepping Up Covert Actions

Via NY Times -

As arguments flare in Israel and the United States about a possible military strike to set back Iran’s nuclear program, an accelerating covert campaign of assassinations, bombings, cyberattacks and defections appears intended to make that debate irrelevant, according to current and former American officials and specialists on Iran.

The campaign, which experts believe is being carried out mainly by Israel, apparently claimed its latest victim on Wednesday when a bomb killed a 32-year-old nuclear scientist in Tehran’s morning rush hour.

The scientist, Mostafa Ahmadi Roshan, was a department supervisor at the Natanz uranium enrichment plant, a participant in what Western leaders believe is Iran’s halting but determined progress toward a nuclear weapon. He was at least the fifth scientist with nuclear connections to be murdered since 2007; a sixth scientist, Fereydoon Abbasi, survived a 2010 attack and was put in charge of Iran’s Atomic Energy Organization.

Iranian officials immediately blamed both Israel and the United States for the latest death, which came less than two months after a suspicious explosion at an Iranian missile base that killed a top general and 16 other people. While American officials deny a role in lethal activities, the United States is believed to engage in other covert efforts against the Iranian nuclear program.

The assassination drew an unusually strong condemnation from the White House and the State Department, which disavowed any American complicity. The statements by the United States appeared to reflect serious concern about the growing number of lethal attacks, which some experts believe could backfire by undercutting future negotiations and prompting Iran to redouble what the West suspects is a quest for a nuclear capacity.

“The United States had absolutely nothing to do with this,” said Tommy Vietor, a spokesman for the National Security Council. Secretary of State Hillary Rodham Clinton appeared to expand the denial beyond Wednesday’s killing, “categorically” denying “any United States involvement in any kind of act of violence inside Iran.”

“We believe that there has to be an understanding between Iran, its neighbors and the international community that finds a way forward for it to end its provocative behavior, end its search for nuclear weapons and rejoin the international community,” Mrs. Clinton said.

The Israeli military spokesman, Brig. Gen. Yoav Mordechai, writing on Facebook about the attack, said, “I don’t know who took revenge on the Iranian scientist, but I am definitely not shedding a tear,” Israeli media reported.

Tuesday, January 10, 2012

FBI: 'Gameover' Malware Targets Bank Accounts Via Phishing E-Mails


Cyber criminals have found yet another way to steal your hard-earned money: a recent phishing scheme involves spam e-mails—purportedly from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC)—that can infect recipients’ computers with malware and allow access to their bank accounts.

The malware is appropriately called “Gameover” because once it’s on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it’s definitely “game over.”

Gameover is a newer variant of the Zeus malware, which was created several years ago and specifically targeted banking information.


Created several days ago? Mmmmm, maybe this specific DDoS variant, but Gameover has been out for a while.

Oct 10, 2011: ZeuS Gets More Sophisticated Using P2P Techniques
You should watch out for the following strings in your web proxy logs, which are being used as dropzone for this ZeuS version (using HTTP POST):


Since I’ve started to track this ZeuS campaign, I’ve collected more than 270 unique config files.
Nov 2011: DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists

Jan 4, 2012: ZeuS – P2P+DGA Variant – Mapping Out and Understanding The Threat
In the autumn of 2011 we observed new malware infections, which looked similar to Zeus....In the new version of the Trojan, the authors focus on eliminating the weakest link – a centralized system of information distribution.

Monday, January 9, 2012

Florida Resident Charged with Plotting to Bomb Locations in Tampa

Via FBI Press Release (Tampa Division) -

A 25-year-old resident of Pinellas Park, Fla., has been charged in connection with an alleged plot to attack locations in Tampa with a vehicle bomb, assault rifle, and other explosives, announced Robert E. O’Neill, U.S. Attorney for the Middle District of Florida; Lisa Monaco, Assistant Attorney General for National Security; and Steven E. Ibison, Special Agent in Charge of the FBI Tampa Division.

Sami Osmakac, a naturalized U.S. citizen who was born in the former Yugoslavia (Kosovo), was arrested Saturday night. He is charged in a criminal complaint in the Middle District of Florida with one count of attempted use of a weapon of mass destruction (explosives) and is scheduled to make his initial appearance today at 2:00 p.m. EST, in federal court, before U.S. Magistrate Judge Anthony Porcelli, in Tampa. If convicted, Osmakac faces a maximum sentence of life in prison and a $250,000 fine.

The arrest of Osmakac was the culmination of an undercover operation during which Osmakac was closely monitored by law enforcement officials for several months. The explosives and firearms that he allegedly sought and attempted to use were rendered inoperable by law enforcement and posed no threat to the public.


According to the complaint affidavit, in Sept. 2011, the FBI received information from a confidential human source (CHS) indicating that Osmakac had asked for al Qaeda flags. In November 2011, Osmakac and the CHS discussed and identified potential targets, in Tampa, where Osmakac intended on carrying out violent attacks. Osmakac allegedly asked the CHS for help in obtaining firearms and explosives for the attacks. The CHS indicated that he/she knew someone who might be able to provide firearms and explosives and introduced Osmakac to an undercover FBI employee.


On Jan. 7, 2012, FBI agents arrested Osmakac after he took possession of the explosive devices and firearms that had been rendered inoperable by law enforcement. The complaint alleges that, shortly prior to his arrest, Osmakac made a video of himself explaining his motives for carrying out the planned violent attack.

This investigation is being conducted by the FBI Tampa Division and the Tampa Joint Terrorism Task Force. It is being prosecuted by Assistant U.S. Attorney Sara Sweeney from the U.S. Attorney’s Office for the Middle District of Florida, with assistance from Trial Attorney Clem McGovern of the Counterterrorism Section in the Department of Justice’s National Security Division.

Iran Starts Uranium Enrichment Underground

Via VOA News -

Diplomats in Vienna say Iran has started uranium enrichment at a facility where the material can be upgraded quickly for potential use in a nuclear bomb.

The diplomats close to the international monitoring of nuclear programs said Monday that Iranian centrifuges were refining uranium to a purity of 20 percent at the underground Fordo complex near the Shi'ite holy city of Qom. The report increases international concerns that Iran is developing an atomic weapons program. Iran says its nuclear ambitions are peaceful.

The Fordo complex is located beneath a mountain and is better protected from potential air strikes by nations opposed to the Iranian nuclear program. Iran said previously it was preparing to move its highest-grade enrichment work to Fordo from an above-ground complex in the central city of Natanz.

Iran says its nuclear program is designed only to generate electricity and material for medical research. Most of the work at the Natanz facility has involved refining uranium to a relatively low purity of 3.5 percent. Enrichment to the 20-percent level at the Fordo complex could reduce the time needed for Iran to further refine the material to the 90-percent purity required for nuclear weapons.


In a television interview broadcast Sunday, U.S. Defense Secretary Leon Panetta said Iran's nuclear program has not progressed to the stage of building a nuclear bomb. But he warned Iranian leaders that if they take such a step, the United States will stop them.

Panetta said Washington will continue what he called a "responsible" approach of putting diplomatic and economic pressure on Iran to abstain from developing nuclear weapons. He also advised Israel not to take unilateral action against Iran, saying a "better approach" is to "work together" with the United States on the issue.


On Monday IAEA spokesperson Gill Tudor said in a statement tha the agency could "confirm that Iran has started the production of uranium enriched up to 20%".

She added that "all nuclear material in the facility remains under the agency's containment and surveillance".

Friday, January 6, 2012

U.S. Rescues Iranian Ship Held by Pirates

Via CBS News -

A U.S. Navy destroyer has rescued an Iranian fishing boat that had been commandeered by suspected pirates just days after Tehran warned the U.S. to keep its warships out of the Persian Gulf.

American forces flying off the guided-missile destroyer USS Kidd responded to a distress call from the Iranian vessel, the Al Molai, which had been held captive for more than 40 days, the U.S. Navy said Friday. The Kidd was sailing in the Arabian Sea, after leaving the Persian Gulf, when it came to the sailors' aid.

A U.S. Navy team boarded the ship Thursday and detained 15 suspected Somali pirates. They had been holding the 13-member Iranian crew hostage and were using the boat as a "mother ship" for pirating operations in the Persian Gulf.

U.S. Defense Secretary Leon Panetta commented on the rescue in an interview scheduled to air Sunday on CBS' "Face the Nation."

"It's what we do. And it's what we do in that part of the world. We get a distress call, as we did in this case, even though it came from an Iranian ship. When the pirates went after them, we respond to those calls," Panetta said. "We did what we have to do in that situation. I think it just sends an important message to the world that the United States is going to abide by international rules and international order, and that's exactly what we did here."

In the same interview, Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, said the suspected pirates surrendered without incident.

"I think in the face of the overwhelming combat power that was presented the pirates made the right decision," he said.

Amid escalating tensions with Tehran, the Obama administration reveled in delivering the news.

"This is an incredible story. This is a great story," State Department spokeswoman Victoria Nuland said, explaining that the very same American ships the Islamic republic protested for recently traveling through the Strait of Hormuz were responsible for the Iranian vessel's recovery.

"They were obviously very grateful to be rescued from these pirates," Nuland said.


Iran welcomes U.S. rescue of Iranian fishermen
A spokesman for Iran's Foreign Ministry, Ramin Mehmanparast, had positive words about the rescue when he spoke Saturday to the Arabic news network Al-Alam.

"Rescuing Iranian sailors by the U.S. was a humanitarian act and we welcome such acts," he said. "The Iranian Navy also engages in such rescue operations. It is the responsibility of all nations to rescue nationals from other countries from pirates."