Japan's Reliance on U.S. Spy Satellites and Early Warning Missile Systems

July 31, 2006
With China breathing down Japan's neck, and North Korea crying for attention by actively experimenting with symmetric and asymmetric warfare capabilities, Japan's need for better reconnaissance, and for reducing its dependence on others' imagery, has been in the execution stage for years, as "Reliance on U.S. intelligence on missile launch shows need for improvement" points out :

"The two spy satellites currently in operation are both polar orbiters circling the globe at altitudes of 400 to 600 kilometers. If the fourth, a SAR satellite, is launched in 2007 as planned, it will complete the four-satellite reconnaissance system, and the country will be able to monitor any point on Earth at least once a day, officials said. It will therefore become possible for Japan to monitor day-to-day changes in North Korean missile-launching sites. The problem, however, is if the system will be effective at the moment of a missile launch, which would depend on the weather and positions of the satellites at the time, officials said on condition of anonymity. In stark contrast with Japan, the United States has orbited more than 100 satellites, at least 15 of which are reportedly for intelligence-gathering purposes, they said. As experts put it, the U.S. satellites can identify objects as small as 8 to 9 centimeters in size if weather conditions are ideal. The United States has five early-warning satellites, including one for backup purposes, keeping watch over North Korea around the clock, they said."

They're definitely using open source IMINT on North Korea as well, or requesting detailed imagery on demand from commercial providers, while further developing their early warning systems. Go through an article on Japan's Information Gathering Satellites Imagery Intelligence in case you're interested in their past efforts in this direction. However, I feel it's their neighbors' cyber warfare capabilities they should also be worried about.

Image courtesy of Northrop Grumman.

DVD of the Weekend - Path to War

July 30, 2006
As I've been busy catching up with way too many things to list, I'd better finalize my creative efforts and provide you with the results as they appear during the week. Meanwhile, current events being constantly streamed and brainwashed from every TV channel you try to watch -- remember how in 1984 only the party leaders had the privilege to turn off their 24/7 propaganda streams? Feel empowered nowadays -- made me think about how today's situation somewhat resembles the one filmed in Path to War, especially the partisan warfare activities. You can never win a partisan war; what you'll end up with is your ego and nose bleeding, and your heroic wings sort of broken. Feeling, or positioning yourself, for powerful PSYOPS while destroying a country's infrastructure to eradicate the partisan fighters is one of my favorite moments in the movie, especially when they realized how they'd managed to destroy 140% of Vietnam's infrastructure and were still losing the war.

Even worse, having the power and diplomatic influence to make a change, while playing the bureaucrat to win time as someone else is about to take care of your dirty laundry, is such a bad example for the rest of the democratic world, yet a convenient one.

Great post at DefenseTech on autonomous warfare: destroy the oil resources to limit the movement of suppliers, and have a dozen grannies move them on bicycles or take it personally; destroy a bridge, and see a wooden one built within a day or two. Every war is an act of terrorism by itself, where the term "acceptable levels of casualties" constantly jumps from the military to the political dictionary.

Previous DVDs of the Weekend and related comments:
DVD of the Weekend - The Lone Gunmen
DVD of the Weekend - The Outer Limits - Sex And Science Fiction Collection
DVD of the Weekend - War Games
DVD of the Weekend - The Immortals
DVD of the Weekend - Lawnmower man - Beyond Cyberspace

The Beauty of the Surrealistic Spam Art

July 27, 2006
Given that spam represents over 50% of the world's email traffic, to some it obviously represents a huge sample to draw sadness or anger out of, and of course, to visualize the findings. One man's spam is Alex Dragulescu's art :

"He doesn't use Photoshop but simply writes code to create computer art. For the Spam Plants, he parsed the data within junk e-mail--including subject lines, headers and footers--to detect relationships between that data. Then he visually represents those relationships. For example, the program draws on the numeric address of an e-mail sender and matches those numbers to a color chart, from 0 to 225. It needs three numbers to define a color, such as teal, so the program breaks down the IP address to three numbers so it can determine the color of the plant. The time a message is sent also plays a role. If it's sent in the early morning, the plant is smaller, or the time might stunt the plant's ability to grow, Dragulescu said. The size of the message might determine how bushy the plant is. Certain keywords, such as "Nigerian," might trigger more branches. But Dragulescu did not inject any irony. Messages about Viagra do not grow taller, for example."

I feel that now every spammer can pretend to be a stylish art admirer, with his historical spamming performance hanging on the wall, or perhaps it's my surrealistic black humor.
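Since the article only sketches the mapping, here is an added example (my code, not Dragulescu's) of the header parsing behind such a piece: it pulls the relay address out of the Received: headers, turns the first three octets into a colour triple, and derives size, bushiness and branch count from the Date: header, the message size and keyword hits. The sample message, the keyword list, the 0..255 colour chart (the article says 0 to 225), the use of the first three octets and the size scales are all my assumptions.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample spam (not a real capture); the relay IP is from a documentation range.
SAMPLE_SPAM = """\
Received: from mail.example.net ([203.0.113.45]) by mx.example.org; Tue, 25 Jul 2006 04:12:33 +0000
From: "Account Dept" <dept@example.net>
To: victim@example.org
Subject: Urgent: Nigerian transfer needs your attention
Date: Tue, 25 Jul 2006 04:12:33 +0000

Dear friend, I need your assistance to move funds...
"""

KEYWORDS = ("nigerian", "urgent", "transfer")   # assumed branch-triggering words
COLOUR_MAX = 255                                 # assumed chart range; the article says 0 to 225

def sender_ip(msg):
    """First IPv4 literal in the Received: chain (assumption: the last relay before our MX)."""
    for received in msg.get_all("Received", []):
        m = re.search(r"(\d{1,3}(?:\.\d{1,3}){3})", received)
        if m:
            return m.group(1)
    return None

def ip_to_colour(ip):
    """Three numbers for one colour: the first three octets, clamped to the chart (assumed mapping)."""
    octets = [int(o) for o in ip.split(".")]
    return tuple(min(o, COLOUR_MAX) for o in octets[:3])

def plant_features(raw):
    """Reduce one message to the visual parameters the article describes."""
    msg = email.message_from_string(raw, policy=policy.default)
    sent = parsedate_to_datetime(msg["Date"])
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = f"{msg['Subject'] or ''} {body}".lower()
    return {
        "colour": ip_to_colour(sender_ip(msg)),
        "size": 0.5 if sent.hour < 6 else 1.0,        # early-morning mail grows a smaller plant
        "bushiness": len(raw) // 100,                 # one unit per 100 bytes of message (assumed scale)
        "branches": sum(text.count(k) for k in KEYWORDS),
    }

if __name__ == "__main__":
    print(plant_features(SAMPLE_SPAM))
```

The same parse is what a spam filter does before scoring, which is the author's real point: the relay IP, the send hour and the keyword hits are features either way, only the output differs.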

Related posts on spam and visualization :
Fighting Internet's email junk through licensing
An Over-performing Spammer
Consolidation, or Startups Popping out Like Mushrooms?
Dealing with Spam - The O'Reilly.com Way

Visualization, Intelligence and the Starlight project
Visualization in the Security and New Media world

Splitting a Botnet's Bandwidth Capacity

July 26, 2006
Metaphorically speaking, I always say that the masses of end users' bandwidth are reaching that of a mid-size ISP, while the lack of incentives or plain simple awareness is resulting in today's easily assembled botnets. Freaky perspective, but that's the trade-off I perceive out of the major economic boost given by the improved connectivity France Telecom is about to offer to its customers in 2007/2008 - Fiber at Home with 2.5Gbit/s download and 1.2Gbit/s upload. As it looks, a single end user is going to be worth a hundred of today's infected ones in the near future.

More on malware.

Latest Report on Click Fraud

July 25, 2006
Google does have countless features, and it's not even considering stopping rolling out new ones, but the secret to its huge market capitalization and revenue stream remains its advertising model, fully utilizing the Long Tail concept. Therefore, click fraud remains the key issue to deal with if they want to continue beating Wall Street's expectations. Last week Google released a commissioned report evaluating their anti click fraud methods; here's an excerpt on the four lines of defense :

"Google has built the following four 'lines of defense' for detecting invalid clicks: pre-filtering, online filtering, automated offline detection and manual offline detection, in that order. Google deploys different detection methods in each of these stages: the rule-based and anomaly-based approaches in the pre-filtering and the filtering stages, the combination of all the three approaches in the automated offline detection stage, and the anomaly-based approach in the offline manual inspection stage. This deployment of different methods in different stages gives Google an opportunity to detect invalid clicks using alternative techniques and thus increases their chances of detecting more invalid clicks in one of these stages, preferably proactively in the early stages."
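To make the staged design concrete, here is an added example (my code, not Google's, which the report does not disclose): a constructed click log pushed through a rule-based pre-filter, a stateful duplicate filter, and an offline anomaly pass whose output is the queue a human would inspect. The user-agent denylist, the 60-second duplicate window and the z-score cut-off are assumptions; the log is constructed so that one slow clicker passes every per-click rule and is only caught statistically.

```python
import statistics
from collections import defaultdict

# Constructed click log, not real traffic: (time_s, ip, ad_id, user_agent).
CLICKS = [
    (0, "198.51.100.7", "ad42", "Mozilla/5.0"),
    (1, "198.51.100.7", "ad42", "Mozilla/5.0"),     # repeat inside the duplicate window
    (2, "198.51.100.7", "ad42", "Mozilla/5.0"),     # repeat inside the duplicate window
    (5, "203.0.113.9", "ad42", "curl/7.15.1"),      # scripted client, a rule catches it
]
for i in range(1, 21):                               # twenty ordinary visitors, one or two spaced clicks each
    CLICKS.append((1000 + 200 * i, f"192.0.2.{i}", "ad42", "Mozilla/5.0"))
    if i % 2:
        CLICKS.append((1100 + 200 * i, f"192.0.2.{i}", "ad42", "Mozilla/5.0"))
CLICKS += [(10_000 + 120 * i, "203.0.113.50", "ad42", "Mozilla/5.0") for i in range(40)]  # slow clicker

BOT_AGENTS = ("curl", "wget", "python-urllib")   # assumed denylist
DUP_WINDOW_S = 60                                # assumed double-click window
Z_THRESHOLD = 3.0                                # assumed anomaly cut-off

def pre_filter(clicks):
    """Line 1, rule-based and stateless: drop clicks from known automation user agents."""
    return [c for c in clicks if not any(bot in c[3].lower() for bot in BOT_AGENTS)]

def online_filter(clicks):
    """Line 2, rule-based and stateful: drop repeat clicks on one ad from one IP inside the window."""
    last_billed, kept = {}, []
    for t, ip, ad, ua in sorted(clicks):
        if (ip, ad) in last_billed and t - last_billed[(ip, ad)] <= DUP_WINDOW_S:
            continue
        last_billed[(ip, ad)] = t
        kept.append((t, ip, ad, ua))
    return kept

def offline_anomaly(clicks):
    """Line 3, anomaly-based: IPs whose click count is a statistical outlier against all the others."""
    per_ip = defaultdict(int)
    for _, ip, _, _ in clicks:
        per_ip[ip] += 1
    counts = list(per_ip.values())
    if len(counts) < 2 or statistics.pstdev(counts) == 0:
        return {}
    mean, sd = statistics.mean(counts), statistics.pstdev(counts)
    return {ip: round((n - mean) / sd, 2) for ip, n in per_ip.items() if (n - mean) / sd > Z_THRESHOLD}

def run_pipeline(clicks):
    """Line 4 is the human: what comes out of line 3 is a review queue, not an automatic refund."""
    after_rules = pre_filter(clicks)
    after_dedup = online_filter(after_rules)
    review_queue = offline_anomaly(after_dedup)
    return {
        "dropped_by_rules": len(clicks) - len(after_rules),
        "dropped_as_duplicates": len(after_rules) - len(after_dedup),
        "manual_review_queue": review_queue,
        "billable_pending_review": sum(1 for c in after_dedup if c[1] not in review_queue),
    }

if __name__ == "__main__":
    print(run_pipeline(CLICKS))
```

The ordering matters: the cheap rules run first and keep the expensive statistics from being skewed by obvious junk, while anything the rules miss still leaves a trace in the per-IP distribution. A fraudster who spreads clicks across many addresses defeats this particular z-score, which is why the report talks about combining all three approaches offline rather than relying on one.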

Despite Eric Schmidt's comments on click fraud as a "self correcting" issue, Mark Cuban takes another perspective, one I find very relevant. The key remains the balance between Google's technologies and its efforts to build awareness of the problem; very informative report. Pay-per-click is a powerful model forwarding the responsibility for eventual transactions to the advertiser's value-added proposition, as compared to a pay-per-action model. I doubt Google would have ever reached a stock split debate in its history if it were using one.

Moreover, with the growing interest in a pay-per-call model and the rise in voice phishing, the trend becomes a hot one to keep an eye on in the near future.

An Intergalactic Security Statement

July 24, 2006
Hell of a comment on the Malware Search Engine. Hackers crack secret Google malware search codes :

"Hidden malware search capabilities within Google which were reserved for antivirus and security research firms just weeks ago have been cracked by hackers, according to security industry sources. The key to finding malware in Google lies in having the signature for the specific malware program, according to researchers from enterprise IT security firm Secure Computing. However, the company reported that these previously hidden search capabilities have recently fallen into the hands of hackers. Why bother creating a new virus, worm or Trojan when you can simply find one and download it using Google? said Paul Henry, vice president of strategic accounts at Secure Computing. Unskilled hackers can use this previously unknown capability of Google to download malware and release it on the internet in targeted attacks as if they wrote it themselves."

Bothering to create a new piece of malware and ensuring its payload gets regularly updated to avoid AV detection is perhaps the more logical need, compared to doing reconnaissance for known malware through Google. Looking for the signature means the piece of malware has already been detected somehow, somewhere, namely it's useless even to a script kiddie, as I doubt one would do a favor to another by increasing the size of someone else's botnet. What you can actually use it for is looking for packed binary patterns, or known functions, and drawing up better conclusions.

I really hope Secure Computing is more into harnessing the brand and product portfolio power of CipherTrust than into the dangers of known malware, not that there aren't exceptions of course!

Space wisdom courtesy of Doctor Fun.

Searching for Source Code Security Vulnerabilities

July 21, 2006
While Google was quick enough to censor the colourful Malware Search logo -- colourful branding -- here's another recently started initiative, Bugle, a Google based source code bug finder :

"Bugle is a collection of search queries which can help to identify software security bugs in source code available on the web. The list at the moment is rather small (you get the idea though), hopefully people will start sending more queries. Source code review is not a straightforward operation, using the list you will get pinpoints and not definite results."

It could easily help you spot source code containing common bugs without needing a scientific model to predict vulnerabilities, but you should also consider the powerful source code search engine Koders, which is currently indexing 225,816,744 lines of code and provides you with the option to segment your queries by programming language.
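Bugle's queries are essentially greps over indexed source, so here is an added example (my code, not Bugle's query list) that runs the same idea locally: a handful of loose regexes, applied per language over two constructed files, returning pinpoints for review. The rules and the snippets are my own; the last PHP hit is escaped correctly and still gets flagged, which is exactly the "pinpoints, not definite results" caveat.

```python
import re

# Constructed snippets (not code from any project) in the two languages such queries target most.
SAMPLES = {
    "login.c": """\
#include <stdio.h>
#include <string.h>
int check(char *user) {
    char buf[64];
    strcpy(buf, user);              /* unbounded copy of caller-controlled data */
    sprintf(buf, "user=%s", user);  /* unbounded format into a fixed buffer */
    return strncmp(buf, "user=admin", 10) == 0;
}
""",
    "page.php": """\
<?php
$id = $_GET['id'];
$r = mysql_query("SELECT * FROM posts WHERE id = " . $id);
include($_GET['page'] . '.php');
echo htmlspecialchars($_GET['q']);
?>
""",
}

# Each rule is (language, regex, why). Deliberately loose: they find candidates, not vulnerabilities.
RULES = [
    ("c", r"\b(strcpy|strcat|gets|sprintf|vsprintf)\s*\(", "unbounded string function"),
    ("c", r"\bsystem\s*\(", "shell command execution"),
    ("php", r"\$_(GET|POST|REQUEST|COOKIE)\b", "user input read"),
    ("php", r"\b(mysql_query|eval|include|require|include_once|require_once)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)",
     "user input reaches a sink on the same line"),
    ("php", r"\bmysql_query\s*\(.*\.\s*\$", "string-concatenated SQL"),
]

def language_of(filename):
    return {"c": "c", "h": "c", "php": "php"}.get(filename.rsplit(".", 1)[-1])

def pinpoint(files):
    """Return (file, line_no, why, line) for every rule that fires, in file and line order."""
    hits = []
    for name, source in files.items():
        lang = language_of(name)
        for no, line in enumerate(source.splitlines(), 1):
            for rule_lang, pattern, why in RULES:
                if rule_lang == lang and re.search(pattern, line):
                    hits.append((name, no, why, line.strip()))
    return hits

if __name__ == "__main__":
    for name, no, why, line in pinpoint(SAMPLES):
        print(f"{name}:{no}: {why}: {line}")
```

Line-local regexes cannot see that `$id` on line 3 of page.php came from `$_GET` on line 2, nor that line 5 is harmless; a reviewer has to follow the data from the pinpoint, which is the "source code review is not a straightforward operation" part.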

Related resources:
SecureProgramming.com - latest update January, 2005, useful links though
An overview of common programming security vulnerabilities and possible solutions
Insecure Programming by example
Top 7 PHP Security Blunders

Detailed Penetration Testing Framework

July 21, 2006
This framework is simply amazing, as it takes you through the entire process of penetration testing step by step, with references to the tools necessary to conduct a test -- wish experience were a commodity as well. Best practices are prone to evolve the way experience does, so consider adding some of your own know-how, and going through Fyodor's Top 100 Network Security Tools list in case you're looking for improved efficiency. It's not about the quality and diversity of the tools, but about the quality of the approach; still, the framework is a nice one to begin with.

Photo courtesy of IBM, featuring ethical hacker Nick Simicich. You may also find Secure DVD, a collection of the 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery), handy.

Anti Virus Signatures Update - It Could Wait

July 21, 2006
It's a common myth that all AV vendors exchange the malware they come across among themselves, whereas that's obviously not always the case. Even so, you'd better achieve a higher state of security by ensuring your PC or network is protected from the majority of known malware threats. Trouble is, the average end user, whose Internet connection speed is reaching that of an average ISP (metaphor), doesn't seem to bother, because of the following concerns :

- it could wait
- it takes decades to update
- it would influence their superman's productivity
- where's the update button by the way?

From the press release of a commissioned survey :

"Harris Interactive® fielded the online survey among a nationwide sample of 2,079 U.S. adult computer users 18 years of age or older. The survey reveals that: Despite 55 percent being very confident or confident in the protection offered by the antivirus program on their computer, 42 percent have been affected by malware. A surprising 65 percent have postponed updating their virus protection. Of these adults, their top reasons for not updating are:

It was too disruptive to what they were doing on the computer - 38%
They thought it was something that could wait - 32%
They thought it would take too long - 27%
They weren’t sure how to update the antivirus program - 14%"

These very same end users are among the key factors in the successful assembling of botnets these days. If you secure the entire population, you'll end up with a secure sample itself, but the novice user's lack of incentives is ruining the whole effect -- and driving the DDoS protection tools market segment, of course. I also wonder how Gartner managed to estimate Panda Software's revenues and market share, given that, compared to the rest of the publicly traded companies, it's free from the burden of having stakeholders breathing down its neck?

Failures in Detection courtesy of VirusTotal.

When Financial and Information Security Risks are Supposed to Intersect

July 21, 2006
Interesting security event at Morgan Stanley's NYC headquarters related to insider abuse, mostly interesting because the clients' list and the fees charged weren't even copied onto any removable media, but forwarded to the consultant's private email account :

"A former consultant to Morgan Stanley has been arrested and charged with stealing an electronic list of hedge funds and the rates the investment bank charges them. The hedge funds are clients in the company's prime brokerage business. According to court documents, Chilowitz is accused of sending a copy of the firm's administrative client list and its client rate list for the prime brokerage business in February from Morgan Stanley's offices in New York to his personal e-mail account at his home in Virginia."

I once said that nothing's impossible, the impossible just takes a little while, but given who Morgan Stanley is when it comes to risk management and assessment, let's not say risk engineering -- psst, paying $15M in order not to pay $1.5B is such a sound investment -- they should have never allowed this type of info to leave over the Web.

Meanwhile, the WSJ is reporting that Employers Increasingly Firing Staffers for E-mail Violations :

"The news comes from the 2006 Workplace E-Mail, Instant Messaging and Blog survey from the American Management Association and the ePolicy Institute, according to the Journal. The survey found that more than a quarter of the employers queried had fired an employee for violating company e-mail policy, up 9 percent from the 17 percent of employers who let employees go for similar violations in 2001, the Journal reports. On top of this finding, the survey also said that 2 percent of respondents had fired workers for instant-message correspondences that weren’t appropriate, and another 2 percent of employers said they’d fired a staffer for posting distasteful content on a Web log—or blog—be it their professional or personal page, according to the Journal."

Security policies are not the panacea of security, they are the basics, so consider developing one and monitoring its effectiveness. My advice: think twice before feeling like a smart ass for exploiting your interns next time, and yes, fingerprint your most valuable IP assets as well.
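As an added illustration of that last piece of advice (my code, not anything Morgan Stanley runs), here is the usual fingerprinting approach: hash every five-word window of the protected document once, then score outbound mail by how many of those windows it carries. The rate list, the three messages, the shingle size and the 20% hold threshold are constructed assumptions; the one-row leak shows what the threshold trades away.

```python
import hashlib
import re

# Constructed stand-in for a protected client rate list; every name and number is invented.
PROTECTED_DOC = """\
Prime Brokerage Client Rate List - Confidential
Alpha Fund LP, financing spread 45 bps, stock loan fee 0.35 pct
Beta Capital LLC, financing spread 40 bps, stock loan fee 0.30 pct
Gamma Partners, financing spread 55 bps, stock loan fee 0.50 pct
Delta Advisors, financing spread 38 bps, stock loan fee 0.28 pct
"""

SHINGLE_WORDS = 5        # assumed window size; shorter windows catch more and false-alarm more
HOLD_THRESHOLD = 0.2     # assumed policy: hold mail carrying a fifth or more of a protected document

def tokens(text):
    """Lower-case word tokens; punctuation and layout are dropped so a pasted copy still matches."""
    return re.findall(r"[a-z0-9.]+", text.lower())

def shingles(text, k=SHINGLE_WORDS):
    """Truncated SHA-256 of every k-word window; the set is the document's fingerprint."""
    words = tokens(text)
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(words) - k + 1)}

PROTECTED_FINGERPRINT = shingles(PROTECTED_DOC)   # computed once and stored; the gateway never needs the document

def overlap(message_body, fingerprint=PROTECTED_FINGERPRINT):
    """Share of the protected document's windows present in the outbound message."""
    return len(shingles(message_body) & fingerprint) / len(fingerprint) if fingerprint else 0.0

def should_hold(message_body, threshold=HOLD_THRESHOLD):
    return overlap(message_body) >= threshold

# Constructed outbound messages.
EXFIL = "Sending this to my home account for the weekend.\n\n" + PROTECTED_DOC.replace("Confidential", "")
BENIGN = "Hi, can we discuss the financing spread for the new client next week? The rate list needs a refresh."
ONE_ROW = "FYI: Gamma Partners, financing spread 55 bps, stock loan fee 0.50 pct"

if __name__ == "__main__":
    for label, body in (("exfil", EXFIL), ("benign", BENIGN), ("one row", ONE_ROW)):
        print(f"{label}: overlap={overlap(body):.2f} hold={should_hold(body)}")
```

The whole-document copy scores around 0.9 even with the header edited, ordinary mail about the same clients scores zero, and a single leaked row sits below the 20% line; lowering the threshold to catch it also means holding every quoted sentence, which is the tuning the policy has to make explicit.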

Budget Allocation Myopia and Prioritizing Your Expenditures

July 21, 2006
Top management's empowerment - the dream of every CSO or IT manager responsible for allocating the infosec budget and requesting future increases. The biggest downside of your current or future empowerment is how easy it is to get lost in budget allocation myopia instead of actually prioritizing your expenditures. According to Gartner, security is all about the percentage of budget allocation :

"Organizations that have reached a high level of IT security practice maturity can safely reduce spending to between 3% and 4% of the IT budget by 2008, according to research firm Gartner Inc. By contrast, organizations that are inefficient or have historically under invested in security may spend upwards of 8% of their IT budget on security. This means that many organizations will still be investing aggressively for the next few years. Rich Mogull, research vice president and conference chair of the Gartner IT Security Summit which starts in Sydney Tuesday, said that there are now solutions to most information security problems. It's just a matter of implementing the technology efficiently and effectively so resources can be focused on new threats," Mogull said. While information security has become a highly specialized branch of IT, commodity security functions are often being returned to IT operations. Organizations that are still impacted by everyday, routine threats must ramp up and become more mature in their approach."

I find this a wrong emphasis on higher spending as the cornerstone of "better security", and even if it is so, who's your benchmark at the bottom line? In a previous in-depth post on Valuing Security and Prioritizing Your Expenditures, I discussed the currently hard-to-implement ROSI model, and pointed out the following key points on data security breaches and security investments :

- on the majority of occasions companies are taking an outdated approach towards security, that is still living in the perimeter based security solutions world

- companies and data brokers/aggregators are often reluctant to report security breaches even when they have the legal obligation to, either because the breach still hasn't been detected, or because of a lack of awareness of what constitutes a breach worth reporting

- the flawed approaches towards quantifying the costs related to Cybercrime are resulting in overhyped statements in direct contradiction with security spending

- companies still believe in the myth that spending more on security, means better security, but that's not always the case

- given the flood of marketing and the never ending "media echo" effect, decision makers often find themselves living with current trends, not with the emerging ones, which is what they should pay attention to

There's also a rather simplistic explanation on the effect of industry convergence :

"Mogull also said that functional convergence in security products is occurring. For example, host firewalls, antivirus, antispam, and basic host intrusion prevention are combining into single, desktop agents. In the future, this will make security less complex, he said."

Wish the analyst had reached the stage of weighing the potential TCO increase against the beneficial diversification of appliances/products, a trade-off that naturally depends on the perspective, of course. Meanwhile, here's an article on how NOT to "sell security" to your CEO; they tend to understand the basics of ROI, it's just the RO(S)I they want to scientifically apply -- compliance is perhaps your best friend these days. It's not about the percentage of spending, but about what you're actually spending on, and when.

Go through a previous post on information security market trends to consider, and try to stay on top of security, not in line with it.

Open Source North Korean IMINT Reloaded

July 20, 2006
Continuing the latest coverage on North Korea, and the Travel Without Moving series, yesterday I came across an ongoing initiative on Google-Earthing the North Korean Military, pointing out that :

"In fact, there are several military and intelligence employees, some retired and some active, who turn the defense job into a hobby, helping to point out and explain foreign military curiosities at the very civilian level of Google Earth. One current imagery analyst explained that, though he never divulges classified information, he often ‘identifies naval vessels at’ bases that ordinary Google Earth explorers have stumbled upon. Also, maps from sites such as Globalsecurity.org are overlaid onto the framework of Google Earth. Like an army of ants, the nearly 550,000-strong Google Earth community has voraciously explored the North Korean military installations, including : Musadan-ri/No-Dong missile test site, Pipa Got naval base, Cho Do naval base"

Given the powerful driving force and the size of the Google Earth community, it could definitely save taxpayers' dollars, but high-resolution and timely imagery still remains a critical issue here. Open Source IMINT is gaining scale and I'm sure someone's watching the trend as well.

Related resources and posts :
GEOINT
Reconnaissance
The "threat" by Google Earth has just vanished in the air
Suri Pluma - a satellite image processing tool and visualizer
Security quotes : a FSB (successor to the KGB) analyst on Google Earth

Satellite Reconnaissance of the Future (1998)
Military Reconnaissance Satellites (IMINT)
Military Intelligence Satellites
North Korea Sightseeing
Shedding light on North Korea (330+ placemarks)

Malware Search Engine

July 17, 2006
While it seems that it takes a publicly traded Internet filtering company to come up with quite some creativity, it always comes back to the community to break through the FUD and release a PoC Malware Search Engine.

The concept is great, excluding the dark web (closed behind authentication, and basic crawler blocking approaches), but what bothers me besides all the fuss is that it's a signature based approach taking advantage of Google's most recent crawl of the Web. 0day malware naturally remains undetected, while it's a great way to sum up the percentage of infections with known malware on different domains/hosts, given you know what and where to look for. It's not the binary nature of malware that deserves the emphasis, but today's malware source released under a GPL license, an issue I stated as a key factor for the future growth of malware at the beginning of 2006. I also came across an article pointing out the same problem :
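The complaint above, and the one in the Intergalactic Security Statement post about what such a search is actually good for, both come down to what an exact-byte signature does and does not see. Here is an added example (my code, standing in for neither Google's index nor any AV engine) over constructed byte strings that play the role of PE files: an exact signature hits the known sample, a one-byte change in the signed region loses it while the download-and-execute import names still show, and a packed sample shows nothing but its packer marker. Sample bytes, the signature, the import list and the packer marker are all assumptions.

```python
import hashlib

# Constructed byte strings standing in for PE files; none of this is real malware.
KNOWN_BOT = (b"MZ\x90\x00" + b"\x00" * 8
             + b"\x55\x8b\xec\x83\xec\x10"                             # a function prologue, part of the signature
             + b"InternetOpenA\x00URLDownloadToFileA\x00WinExec\x00"  # download-and-execute import names
             + b"irc.example.net\x00#cmd\x00")
# "new version": one byte of stack reservation changed, C&C host swapped, same behaviour
VARIANT = (KNOWN_BOT.replace(b"\x83\xec\x10", b"\x83\xec\x20")
                    .replace(b"irc.example.net", b"bot.example.org"))
# same family run through a packer: only the packer's section names are visible in the file
PACKED = b"MZ\x90\x00" + b"\x00" * 8 + b"UPX0\x00UPX1\x00" + bytes(range(256))
BENIGN = b"MZ\x90\x00" + b"\x00" * 8 + b"GetModuleHandleA\x00MessageBoxA\x00hello world\x00"

# Assumed detection content, one item per technique the post mentions.
SIGNATURES = {"ExampleBot.A": b"\x55\x8b\xec\x83\xec\x10InternetOpenA"}     # exact bytes
SUSPICIOUS_IMPORTS = (b"InternetOpenA", b"URLDownloadToFileA", b"WinExec")  # known functions
PACKER_MARKERS = {b"UPX0": "UPX"}                                          # packed binary pattern

def sha1(sample):
    return hashlib.sha1(sample).hexdigest()

def match_signature(sample):
    return [name for name, pattern in SIGNATURES.items() if pattern in sample]

def import_score(sample):
    return sum(1 for api in SUSPICIOUS_IMPORTS if api in sample)

def packer(sample):
    return next((name for marker, name in PACKER_MARKERS.items() if marker in sample), None)

def triage(sample):
    """One verdict per technique, side by side, so the gaps between them are visible."""
    return {
        "hash": sha1(sample),
        "signature": match_signature(sample),
        "suspicious_imports": import_score(sample),
        "packer": packer(sample),
    }

def search_index(index):
    """Triage a crawl-style mapping of URL -> bytes and keep only the hits; the search-engine use case."""
    return {url: v for url, v in ((u, triage(b)) for u, b in index.items())
            if v["signature"] or v["suspicious_imports"] >= 2 or v["packer"]}

CRAWL = {  # constructed index
    "http://example.com/dl/bot.exe": KNOWN_BOT,
    "http://example.org/new/bot2.exe": VARIANT,
    "http://example.net/pk/bot.exe": PACKED,
    "http://example.com/tools/hello.exe": BENIGN,
}

if __name__ == "__main__":
    for url, verdict in search_index(CRAWL).items():
        print(url, verdict)
```

The hash and the exact signature are the only two of the three that name a family, and both die on the first recompile; the import trio and the packer marker survive it but only say "worth a look", which is the difference between an index of known samples and a detection.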

"Open tools and techniques have found favor among an unlikely community. Malware writers are using open-source ideas and tools to share malicious code, collaborate, and wreak online mayhem, the security firm McAfee said in a report issued Monday. Cyber criminals are making available source code with documentation so that it can be easily modified using popular open-source project management tools like Content Versioning System (CVS), thus giving malware creation a high degree of efficiency, said McAfee’s Global Threat Report for 2006."

To keep the discussion going until I release a summary of what I've been coming across for quite a while -- tons of bot source code available on the public Web, barely any binaries -- go through previous posts related to this diverse topic as well.

UPDATE : eWeek has a nice article on the topic

Malware
Malware trends - Q1, 2006
What are botnet herds up to?
Why relying on virus signatures simply doesn't work anymore?
Skype to control botnets?!
The War against botnets and DDoS attacks
Master of the Infected Puppets
One bite only, at least so far!
Look who's gonna cash for evaluating the maliciousness of the Web
The anti virus industry's panacea - a virus recovery button
No Anti Virus Software, No E-banking For You
The Current State of Web Application Worms
Web Application Email Harvesting Worm
Unknowingly Becoming a Child Porn King
Real-Time PC Zombie Statistics
Malicious Web Crawling

Agobot configuration interface courtesy of Hakin9's "Robot Wars – How Botnets Work".

Weaponizing Space and the Emerging Space Warfare Arms Race

July 16, 2006
Satellite jamming, hijacking, space SIGINT, and space kill vehicles are just the tip of the iceberg in the ongoing weaponization of space. In previous posts "Who needs nuclear weapons anymore?", "EMP warfare - Electronic Domination in Reverse", and "Is a Space Warfare arms race really coming?" I expressed my opinion on the current and emerging efforts to install and experiment with space weapons, and mostly emphasized the major problem - the arms race fear itself. What's also worth mentioning is how the original anti-missile defense system, Star Wars, transformed from a defensive to an offensive tool for warfare. SFAM at CyberpunkReview.com made a good comment :

"Weaponizing space when there really isn't any competitor is a really bad idea. Truly though, the issue that obfuscates things is the US military's change from a threat-based acquisition system (where weapon systems were acquired to combat specific and verifiable threats) to a capability-based acquisition system is the problem. The switch to a capability-based system, being divorced from threats (since the Wall fell, most of the threats did as well), can find justification for new weapon systems even if there isn't a verifiable enemy or even a proven, irreplaceable need in warfare for the technology. Case in point - nobody is challenging the US for air supremacy, yet we have massively expensive acquisitions underway for the F-22 (which should have been killed in 1991) and the F-35 (Joint Strike Fighter)."

Just came across a great initiative aiming to act as a facilitator for debating the problem. SpaceDebate.org aims to :

"expand the debate on the weaponization of space through a collaborative wiki-like tool for structured debate on a topic. You can learn more by taking the quick tour, reading the about page, or browsing our frequently asked questions. You can also jump into the debate by browsing our argument list or one of the positions"

I feel there's a more serious problem we should be discussing for the time being, compared to the world's super powers waging wars in space, and it's called Near Earth Object protection -- there's even a distributed client for tracking the hazard posed by NEOs. For instance, consider the following alternatives for combating the real threat in space - the universe itself :

"There’s been no shortage of ideas how to fend off unfriendly fire from the cosmos: laser beams, space tugboats, gravity tractor, and solar sails for example, as well as using powerful anti-NEO bombs, conventional as well as nuclear. Ailor, also Director of The Aerospace Corporation’s Center for Orbital and Reentry Debris Studies, told SPACE.com that creative ways to deflect Earth-harming NEOs are far from being exhausted. People have put a lot of concepts on the table over time, Ailor said. Now we’re beginning to try and develop an organized way of looking at those things and finding out which ones are really viable in the short-term, medium-term, and what technologies do we need to protect and develop for the long-term as well."

I've always thought the human race is an experiment of a super intelligent race trying to figure out how long it's gonna take us to self-destroy our kind. In case you're interested in the current situation on space warfare, you can also go through the Space Security 2006 book (111 pages), and previous editions as well. An excerpt from the executive summary :

"A growing number of states, led by China, Russia, the US, and key European states, increasingly emphasize the use of space systems to support national security. Dependence on these systems has led several states to view space assets as critical national security infrastructure. US military space doctrine has also begun to focus on the need for “counterspace operations” to prevent adversaries from accessing space. Building on existing trends, in 2005 actors that included the EU, India, Israel, and Japan placed more emphasis on the national security applications of space. Israel and Japan introduced plans to boost surveillance capabilities from space. India’s Air Force urged the government to set up a Strategic Aerospace Command to better develop military space capabilities."

Don't look for enemies where there still aren't any, but deal with the real space threat. Camouflage, Concealment, and Deception (CC&D) techniques table courtesy of FAS's "Threats to United States Space Capabilities".

Related resources:
Space
SPAWAR

Scientifically Predicting Software Vulnerabilities

July 16, 2006
I recently came across research on "Modeling the Vulnerability Discovery Process" discussing :

"A few models for the vulnerability discovery process have just been published recently. Such models will allow effective resource allocation for patch development and are also needed for evaluating the risk of vulnerability exploitation. Here we examine these models for the vulnerability discovery process. The models are examined both analytically and using actual data on vulnerabilities discovered in three widely-used systems. The applicability of the proposed models and significance of the parameters involved are discussed. The limitations of the proposed models are examined and major research challenges are identified."

A handy summary of the report emphasizes how :

"The Alhazmi-Malaiya Logistic model has already seen success in its predictions:

-- In 2005, it predicted the number of vulnerabilities discovered in Windows XP would grow rapidly. It has indeed grown from 88 in January 2005 to 173 by the latest count, making the vulnerability density of XP comparable to that of earlier version of Windows.

-- The model predicted that very few new vulnerabilities will be found in Red Hat Linux 6.2, and the number has stayed unchanged at 117.

-- It predicted that the number of vulnerabilities of Windows 2000 will eventually range from 294 to 410. At that time of the prediction, the number was 172; it now is 250, and vulnerabilities are still being found."
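The summary quotes the predictions but not the model, so here is an added example (my code, not the authors') of the AML logistic form as I recall it from the paper, Ω(t) = B / (B·C·e^(-A·B·t) + 1), with B the total number of vulnerabilities that will eventually be found and k = A·B used as the rate parameter below. The monthly counts are generated from known parameters and rounded, then refitted by a coarse grid search; a real history would come from the product's advisories. The parameter ranges searched are assumptions.

```python
import math

def aml(t, B, k, C):
    """Cumulative vulnerabilities found by time t under the AML logistic model; k = A*B in the paper's notation."""
    return B / (B * C * math.exp(-k * t) + 1)

def inflection_month(B, k, C):
    """Time at which the count reaches B/2 and discovery stops accelerating: solve B*C*exp(-k t) = 1."""
    return math.log(B * C) / k

def months_to_fraction(B, k, C, frac=0.9):
    """Solve aml(t) = frac*B: when will that share of the eventual total have been found?"""
    return math.log(frac * B * C / (1 - frac)) / k

# Constructed history: integer monthly counts generated from known parameters, standing in for
# a product's advisory record. B=350 vulnerabilities in total, k=0.175 per month, C=0.05.
TRUE_B, TRUE_K, TRUE_C = 350, 0.175, 0.05
OBSERVED = [(t, round(aml(t, TRUE_B, TRUE_K, TRUE_C))) for t in range(25)]

def fit(observed):
    """Coarse least-squares grid search over (B, k, C); the ranges are assumptions for this example."""
    best = None
    for B in range(200, 501, 10):
        for ki in range(2, 21):            # k from 0.05 to 0.50 in steps of 0.025
            k = ki * 0.025
            for ci in range(1, 21):        # C from 0.01 to 0.20
                C = ci * 0.01
                sse = sum((aml(t, B, k, C) - n) ** 2 for t, n in observed)
                if best is None or sse < best[0]:
                    best = (sse, B, k, C)
    sse, B, k, C = best
    return {"B": B, "k": round(k, 3), "C": round(C, 2), "sse": round(sse, 2)}

if __name__ == "__main__":
    est = fit(OBSERVED)
    print("fitted", est, "from", len(OBSERVED), "months of data")
    print("half of B reached at month %.1f" % inflection_month(est["B"], est["k"], est["C"]))
    print("90%% of B reached at month %.1f" % months_to_fraction(est["B"], est["k"], est["C"]))
```

The inflection point, where the count reaches B/2, sits at t = ln(B·C)/k, about 16 months in this constructed series, so a fit on the first year has barely seen the curve bend and its estimate of B is correspondingly loose; that is the kind of uncertainty behind a range like the 294 to 410 quoted above for Windows 2000.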

Remember the U.S. DHS's $1.24M bug hunt funding that came up with a single X11 vulnerability? Money well spent for sure.

HD Moore, who's obviously getting efficient, the potential of contests and futures market models, and my speculation that "every day there's a new 0day in the wild" all ruin the effect of any model. Assuming no external factors influence the process, and the rest remain static -- while they rarely do -- it's a great initiative; still, it's more of a scientific shot in the dark, given the great deal of uncertainties and the decentralized model of discovering, reporting, using and abusing vulnerabilities. If historical performance matters and can act as a key indicator for predicting the future, I wonder whether Macs' lack of vulnerabilities would continue to generate hype; it's more of a "lack of incentives to find some" type of issue. Today's vibrant vulnerability research intrigue is indeed capable of ruining any model.

I also came across a great point:

"After the first week of flaws were released, one online miscreant from Russia shot off an e-mail to Moore, complaining that he had outed a vulnerability the Russian had been exploiting, Moore said.
"The black hats don't like the fact that this is public because they have been using these bugs," Moore said. "By dumping out the bugs on the community, I'm clearing the air and letting the good guys know what others are doing.""

From my point of view, the existence and usefulness of Metasploit is precisely the same type of dilemma as whether citizens should be allowed to carry guns for self-protection or blindly rely on 500 police officers for 500,000 people. Hopefully, with initiatives like the Month of Browser Bugs, we will break through the "yet another 0day, where's my patch, dude?" type of security issue. At the bottom line, that's a single, efficient security researcher who's definitely building more awareness of what the corporate trolls are ignoring for the sake of their product portfolio diversification.

It's also interesting to mention the emerging underground "0bay" model for selling 0day vulnerabilities:

"Cyber crooks are not hesitant to make such open declarations of illicit intent because of the anonymity offered by the Internet. Some have had the gall to try and peddle their information on popular online auction sites such as eBay. Last December eBay pulled an ad that was selling vulnerability information about Microsoft's spreadsheet program Excel. That was a bold, if foolhardy, move on the part of the seller, because eBay is hardly black market at all, said Ross Armstrong, senior analyst at technology consultancy firm Info-Tech Research Ltd. in London, Ont."

and its corporate form, which Sergio Hernando was kind enough to point me to. The VulnDisco Pack Professional:

- contains more than 80 exploits
- each month about 5-10 new exploits are made available in the form of updates
- VulnDisco Pack Professional licenses are not limited to a number of seats

and you can actually see an OpenLDAP 0day exploit in action for yourself.

Metasploit image courtesy of Metasploit's blog.

Related resources and posts:
Vulnerabilities
0day
Was the WMF vulnerability purchased for $4000?!
0bay - how realistic is the market for security vulnerabilities?
Where's my 0day, please?
Delaying Yesterday's "0day" Security Vulnerability
Shaping the Market for Security Vulnerabilities Through Exploit Derivatives
Getting paid for getting hacked

North Korea's Cyber Warfare Unit 121

July 16, 2006
In a previous post, "Who's Who in Cyber Warfare", I commented on a very informative piece of research on the topic and pointed out that:

"Technology as the next Revolution in Military Affairs (RMA) was an inevitable development; what's important to keep in mind is knowing who's up to what, what the foundations of their military thinking are, as well as who's copying attitudes from whom. Having the capacity to wage offensive and defensive cyber warfare is getting more important; still, military thinkers of certain countries find network-centric warfare or a total renovation of C4I communications to be the panacea when dealing with their about-to-get-scrapped conventional weaponry systems. Convergence represents countless opportunities for waging cyber warfare, offensive as well, as I doubt there is a country that isn't working on defensive projects."

Recently, there's been some movement from North Korea's cyber warfare Unit 121, one that:

"North Korea set up about eight years ago with some 1,000 personnel, said the intelligence official, who declined to be named because it was the agency's policy to remain anonymous. The North's operation, called unit 121, "has hacked into the South Korean and U.S. Defense Department" and has caused much damage in the South, the official said without elaborating."

According to numerous articles on recent "anomalies" in unclassified U.S. State Department systems, these might actually have to do with the unit's own actions; quite a momentum to take advantage of, isn't it? Any country's interest in establishing cyber war forces shouldn't come as a surprise to anyone. But while North Korea is trying to offset its military weakness through asymmetric and cyber warfare approaches, given its outdated conventional weaponry, I feel the real beast to worry about is China, which is sneakily hiding behind its currently strategic economic position. As the latest report, "Military Power of the People's Republic of China 2006", points out:

"The People’s Liberation Army (PLA) has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks."

Taiwan is reasonably taking note of China's past cyber warfare actions and has recently held its first cyber war game simulating an attack from China:

"The drill, part of the island's annual major war game Hankuang No. 22, was held Wednesday and Thursday to intercept, block and counter a possible Chinese cyber attack on Taiwan's major computer network to paralyze the island's intranet operation, the Central News Agency quoted an unnamed defence source as saying."

Let's not forget the use and abuse of island-hopping points (compromised intermediary hosts used to stage an attack from a third country) fueling further tensions in key regions, and the abuse of the momentum itself; physically locating a network device in the future IPv6 address space is of key interest to all parties.

War room courtesy of Northrop Grumman.

Related resources:
Information Warfare
Cyber Warfare

Spreading Psychological Imagination Streams

July 14, 2006
I wish I could reference all the copywriting materials I've ever written and been commissioned for, but I'd rather we play a "word creativity" game. There's no better personal benchmark for keeping yourself in good shape, and most importantly for indirectly summarizing what's going on in my head at a particular moment, than coming up with random, instant sentences out of key words I come across while reading an article. Enjoy, and remember a key word is worth a thousand sentences!

Wordlist :
- Breed
- Cupidity
- Intermediaries
- Powerhouse
- Quadrupled
- Commodities
- Proliferation
- Liquidity
- Licensing
- The arms race
- Competitiveness

Outcome :
- The boom of the Web, and the now experienced dotcom industry, has generated a whole new breed of wannabe entrepreneurs

- From some people's point of view, cupidity is just profit-maximization

- Among Dell's most important strategic objectives were to cut the intermediaries, thereby lowering the final price of a PC and stealing market share. Trouble is, hardware turned into a commodity these days

- AOL, the Internet's powerhouse from the early days of the Web itself, got the necessary attention from both Microsoft and Google due to the highly competitive atmosphere the rivals created. Eyeballs converted into revenue sources

- Since the standardization of advertising creative, online ad revenues have quadrupled

- Commodity markets are the true nirvana when it comes to betting and the potential to gain enormous returns in a short period of time

- The proliferation of false statements by the Senator has resulted in a decline in our sales due to privacy concerns

- Achieving liquidity should be issue number one for a less capital goods intensive organization

- Licensing not only cuts R&D costs, it also provides a company with the ability to gain competitive advantage, and improve its value-added proposition next to its rivals' ones

- The arms race in patents and brands registering across the world, has resulted in a great deal of still unused, and in beta mode of testing technologies and names

- The competitiveness in the Business Services market segment that IBM was seeking is among the main reasons for the sale of the company's entire PC division, today's Lenovo

An analysis of hard cover security ads from the most popular business magazines will follow at the beginning of the week. Actual shots, the messages themselves and detailed recommendations are to be included as well. Information security and business always tend to intersect, excluding one is like ignoring the other.

India's Espionage Leaks

July 10, 2006
You may find this brief overview of past leaks in Indian security informative:

- "Defence Research and Development Organisation (DRDO) hard drive theft. The hard drives were stolen from the offices of the Scientific Analyses Group (SAG) and the Institute for System Studies and Analyses (ISSA) inside the DRDO complex. The SAG is responsible for cryptography. In other words, all codes and cyphers to ensure communication security for the defence forces have an SAG stamp. The ISSA, on the other hand, analyses competing weapons systems for induction into the armed forces."

- "Rabinder Singh. It is said there was a question mark over his reliability since the early 1990s when he began an operation for the collection of intelligence about US government activities in South Asia through a sister of his, who was employed in a sensitive US agency with links to the CIA."

- "Rattan Sehgal. The IB's counter-intelligence division reportedly found that a woman CIA officer posted in the US embassy was in contact with government servants and others on a mobile telephone, allegedly registered in the name of their boss, the suspect IB officer."

- "KV Unnikrishnan. During those jaunts in Singapore, compromising photographs of the stewardess and her lover were taken. These photographs and other documents were recovered by mid ’86 and it was learnt that Unnikrishnan was working for the CIA."

- "Larkins Brothers. The Larkins’ interrogations led to the arrest of Singh and it was found that Jockey and Bud were CIA operatives."

- "Samba Spy Case. By 1974, he began working for its army's Field Intelligence Unit at Sialkot on a regular basis. In the June of 1975, Dass was arrested on suspicion of espionage but by then he had persuaded some of his colleagues (including a certain Aya Singh) to become accomplices."

Understanding the past means predicting, or at least constructively speculating on, the future. Insider leaks due to HUMINT recruitment may seem to have vanished given the increasing number of IT-dependent infrastructures and the insecurities their connectivity brings, with SIGINT taking over from HUMINT espionage. While modern spy gadgets remain trendy, this very same connectivity has resulted in various hacktivism tensions in the past, namely the India vs. Pakistan cyberwar and, of course, MilW0rm's infamous speculation on breaching India's Bhabha Atomic Research Centre using U.S. military servers as island-hopping points.

Office surveillance graph courtesy of BugSweeps.

South Korea's View on China's Media Control and Censorship

July 10, 2006
Got bored of China's Internet censorship efforts and its interest in controlling mobile communications as well? I haven't, and I doubt I ever will, given that China is among the many countries on the world map actively restricting access to information and, of course, controlling the way it reaches the final audience, if it does at all.

A recent article in The Korea Times makes some very good points on the cons of censoring the reporting of "sudden events" and of the total centralization typical of a (modern) communist government. It emphasises how:

"Beijing's approach is fundamentally flawed. The news media is a positive force in society. A free press is necessary to keep the government on its toes, especially when the government itself is not accountable to the public. Restricting the press will result in a public that is kept in the dark and in local governments whose excesses will no longer be subject to scrutiny.

Beijing should understand that many of today's problems stem from abusive local officials. Premier Wen Jiabao acknowledged at a press conference in March that some local governments have infringed upon the legitimate rights and interests of the people, and social conflicts have subsequently occurred.

In this struggle between victimized farmers and avaricious officials, the press—and the central government—are on the same side. Muzzling the press will only deprive the victims of a powerful champion while enabling grasping officials to line their pockets without fear of being exposed. Surely, this cannot be what the Chinese government wants."

In case of a "sudden event", I feel they'd rather buy time than keep it quiet; then again, I guess ruling one of the largest nations in the world while trying to maintain stability (FDI matters, folks) is a daunting task, but one that doesn't necessarily have to do with ignoring the situation. Government accountability and possible changes in voting attitudes in China don't exist, mainly because there isn't any other party but THE party, so historical (under)performance doesn't count at all.

In comparison, whereas Chinese citizens suffer from a lack of information or blocked access to it, in the U.S. there's a controversial debate going on about over-performing investigative journalists revealing details thought to be sensitive to national security, and about the overall availability of potentially sensitive information to the general public. The problem isn't the "leak", as leaking is common practice, but the publicity it got in the post-9/11, privacy-preserving society, or at least one trying to be. It doesn't really matter that the FOIA turned forty; "redacting" is often mistaken for censorship, somewhere between the lines of personal and sensitive information.

At the bottom line: transparency of government practices with the help of media watchdogs, a government incapable of knowing the exact state of a situation by itself, or the notion of too much publicly available information in today's OSINT world; it's up to you to decide. Just don't rule, run a business, or blog by excluding the middle, or sooner or later you'll face it in one way or another.

Security Research Reference Coverage

July 09, 2006
I've recently started getting more requests to participate in, or guide to a certain extent, student theses and various other research papers. There's nothing more pleasant than exchanging points of view; "don't preach, but teach, and question everything" is what I have in mind. So I've decided to share some publications featuring my previous papers, and by the way, I'm very near to releasing two research papers on hot topics that emerged during 2006, so stay tuned!

Online Media
- Quoted in an article by Arthur G. Insana for ImediaConnection.com back in 2004, discussing the various threats posed by trojan horses. Trouble is, I'm no longer affiliated with the company. Respect the individual!
- Quoted in an article by Bill Brenner on the "Storm Worm" and social engineering when it comes to malware in general
- My paper on the future trends of malware got Slashdotted
- Security.nl covered the International Exploits Shop in an article
- Yet another article at Security.nl this time regarding my future trends of malware paper.
- Marc Olanié at Reseaux-Telecoms.net has been writing lots of articles regarding my research that are worth going through:
- Microsoft, concepteur de virus
- Des truands, des failles, du business...
- Danchev sur l'Achat de failles
- Bientôt, le virus et l'attaque DoS on demand
- Encore et toujours F-Secure/Kaspersky...
- Clusif : le rapport criminalité 2005, chantages et escroqueries
- Le Cyber-Jihad fait trembler l'Amérique
- La vie secrète du phishing : 20/20 en éco et géographie
- Symantec : Boulevard du crime... et au delà

Research Papers/Academic
- Future of Malicious Code references my future trends of malware paper. Here's the French version
- Entwurf eines Künstlichen Immunsystems zur Netzwerküberwachung auf Basis eines Multi-Agenten-Systems references my future trends of malware paper
- Limiting Vulnerability Exposure through effective Patch Management: Threat Mitigation Through Vulnerability Remediation references my best practices on security policies
- Developing a Security Policy references my paper on security policies
- Policy Review references my paper on security policies

- Hu Xiaodong, “Security Centre for an Enterprise thesis”, CS Department, Stockholm’s University, references Building and Implementing a Successful Information Security Policy

- Jinqiao Yu, "TRINETR: An Intrusion Detection Alert Management and Analysis System dissertation", College of Engineering and Mineral Resources at West Virginia University, references Building and Implementing a Successful Information Security Policy

- Philippe Farges and Annick Tremblet, "Project on Trojans", Department of Computer Science Linkoping Institute of Technology, Sweden, references The Complete Windows Trojan Paper
- Fausi Qattan & Fredrik Thernelius, "Deficiencies in Current Software Protection Mechanisms and Alternatives for Securing Computer Integrity", Department of Computer and Systems Sciences, Stockholm University - Royal Institute of Technology, references The Complete Windows Trojan Paper
- Computer Knowledge, "Virus Tutorial" references The Complete Windows Trojan Paper
- Reyes, Juan Carlos, "Una Aproximación Teórica a la Prevención del Factor Humano en la Seguridad Informatica", references Reducing "Human Factor" Mistakes
- Rezan Fisli, "Secure Corporate Communications Over VPN-Based WANs", references Building and Implementing a Successful Information Security Policy
- Vo Khac Thanh, "An IT security policy framework", Asian Institute of Technology SAT : School of Advanced Technologies, references Building and Implementing a Successful Information Security Policy
- Rohmadi Hidayat, "Deteksi Trojan Dan Penanganannya", references The Complete Windows Trojan Paper
- Robert J. Kaufman III, "Susceptibilities Policy Review (Top-Down Methodology) Lesson 7 PPT", The University of Texas at San Antonio, College of Business, references Building and Implementing a Successful Information Security Policy
- "Trends of Spyware, Viruses and Exploits", references Malware - it's getting worse
- Steven M. Michnick, "Information Security Framework for Small and Medium Sized Businesses", references Passwords - Common Attacks and Possible Solutions
- Samer Catalan, "Trojan Horses", RWTH Aachen University, references The Complete Windows Trojan Paper
- Stephen M. Specht and Ruby B. Lee, "Distributed Denial of Service: Taxonomies of Attacks, Tools, and Countermeasures", Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, International Workshop on Security in Parallel and Distributed Systems, references The Complete Windows Trojan Paper

- Delwyn Lee, Adam Marks, David Bell, “Student Residence Secure Solutions Analysis of ResNet Security”, references Building and Implementing a Successful Information Security Policy

- Clarissa L. Evans Brown, “A Policy to prevent outsider attacks on the local network”, GSEC Practical Assignment, references Building and Implementing a Successful Information Security Policy

- Hatim Ali Badr, “Online home users Defense in Depth”, GIAC Practical Assignment, references The Complete Windows Trojan Paper

- Tim Strong, “PestPatrol in a Corporate Environment: A Case Study in Information Security” – GIAC Practical Assignment, references The Complete Windows Trojan Paper's Future of Trojans section

- Sorcha Canavan, "An Information Policy Development Guide for Large Companies" – GSEC, Practical Assignment, references Building and Implementing a Successful Information Security Policy

- Gregory R. Panakkal, “Advanced Survival Techniques in Malware”, Cochin University of Science and Technology, references The Complete Windows Trojan Paper

- Michael D. Thacker, "Effective Security Policy Management” – Virus Bulletin 2005 Conference, references Building and Implementing a Successful Information Security Policy

- My paper regarding security policies has been discussed in a network security course at the George Mason University

- University of Melbourne’s Network Security Course teaches on my security policies publication

- University of Houston are giving assignments on my security policies publication

- Tim Lackorzynski, "Future Trends of Malware PPT", Fakultät Informatik, Technische Universität Dresden, Proseminar Dependable Systems is discussing my "Malware - Future Trends" research
- Widener University has included my "Steganography and Cyber Terrorism Communications" in its forensics course reading materials