Sunday, January 07, 2007

Foreign Intelligence Services and U.S. Technology Espionage

Talking about globalization: like it or not, whether you perceive it as a threat to national security or as a key economic benefit, it's happening and you cannot stop it. Nothing else will add more long-term value to a business or a military force than innovation, and when it comes to the U.S. military's self-efficiency in R&D, it's pretty evident they've managed to achieve the balance and still dictate the rhythm.

The methods used are nothing new :

"The report says that foreign spies use a wide variety of techniques, ranging from setting up front companies that make phony business proposals to hacking computers containing information on lasers, missiles and other systems. But the most popular methods of attempting to obtain information was a simple “informational request” (34.2%) and attempts to purchase the information (32.2%). Attempts were also made using personal relationships, searching the Internet, making contacts at conferences and seminars, cultural exchanges."

What's new is the actual report in question - "Technology Collection Trends in the U.S. Defense Industry". OSINT is also an important factor in gathering trends, and so is corporate espionage through old-fashioned malware approaches or direct intrusions. It's great that the report considers how easy these are to execute, as well as the possible network vulnerabilities at the contractors :

"DSS also anticipates an increase in suspicious internet activity against cleared defense contractors. The potential gain from even one successful computer intrusion makes it an attractive, relatively low-risk, option for any country seeking access to sensitive information stored on U.S. computer networks. The risk to sensitive information on U.S. computer systems will increase as more countries develop capabilities to exploit those systems."

Then again, what's produced by the U.S. but cannot be obtained from there will be obtained from other, much more insecure third-party purchasers -- how did Hezbollah get hold of night vision gear? Or even worse, by obtaining the leftovers from a battle for further clues.

The bottom line question - is the threat of illegal transfer of U.S. technology higher than that of the indirect leakage from U.S.-educated students taking their IQ back home, while feeling offended by their inability to make an impact were they a U.S. citizen?

Thursday, January 04, 2007

Technical Analysis of the Skype Trojan

During December yet another trojan started making the rounds, this time dubbed the Skype trojan -- SEO conspiracy. Was the trojan exploiting a zero day vulnerability in the Skype protocol? Absolutely not. It was basically using Skype's messaging service as a propagation vector, so the gullible end user in a Christmas mood still had to interact with the malware by clicking on the link. And with end user interaction required, the possibilities for major outbreaks were very limited. Perhaps the only development worth mentioning is the malware author's use of commercial anti-cracking software -- NTKrnl Secure Suite -- to make the unpacking harder, or at least theoretically increase the time needed to do so compared to using publicly obtainable, and much more easily detectable, packers.

Two days ago, Nicolas Brulez from Websense Security Labs released a technical analysis of the trojan itself, and here's your proof for the logical possibilities of specific copy'n'paste malware modules :

"The main protection scheme I faced was the copy pasted from my Honeynet Scan of The month 33 Challenge. The breakpoint detection was 100% identical, even the numbers I had generated randomly. More importantly, the technique I had written based on SEH + cpuid/rdtsc was also copied. The only difference was that they used the EDX register to compare the timing.

Copy pasting protection code without even changing it a little, provides no security at all and allowed me to unpack it even quicker. (gotta love looking at code you wrote 2 years ago)

It apparently included some other tricks, that made it a little harder to unpack, and the file looked like it was corrupted at some point. In order to debug it and comment my disassembly in a readable way, I opted to use a userland debugger, and thus had to write a little shellcode for injection into the packed malware. Basically, it entailed abusing Windows Exception Handling (using a hook), to get past every check. After that, one could attach his favorite userland debugger to the malware and eventually find the Original Entry Point. Although the imports rebuilding for this protector isn't hard at all, it wasn't mandatory in this executable as it only imported one function: ExitProcess"

And while the average malware coder is using commercial tools to make his releases harder to analyze, the almighty jihadist is still living in the Hacker Defender world.
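The SEH + cpuid/rdtsc timing check mentioned in the quoted analysis leaves a recognizable footprint in code: two RDTSC reads a short distance apart. The following is an added example, not code from this post or from the Websense analysis, of a byte-level triage scan for that footprint; the function names, the 64-byte window and the sample bytes are constructed assumptions.

```python
"""Triage scan for RDTSC-based timing checks in raw x86 code bytes."""
from __future__ import annotations

RDTSC = b"\x0f\x31"  # read time-stamp counter into EDX:EAX
CPUID = b"\x0f\xa2"  # serializing instruction often issued before RDTSC

# Constructed sample, not taken from any real binary:
# nop; cpuid; rdtsc; mov ecx,eax; nop; nop; rdtsc; sub eax,ecx;
# cmp eax,0x1000; ja +2; ret
SAMPLE = bytes.fromhex("90 0fa2 0f31 89c1 9090 0f31 29c8 3d00100000 7702 c3")


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs in data."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def timing_check_candidates(data: bytes, window: int = 64) -> list[dict]:
    """Pair each RDTSC with the next RDTSC at most `window` bytes later.

    Two counter reads with code in between is the shape of an
    "elapsed cycles" measurement. A raw byte scan also matches operand
    bytes, so hits are candidates to confirm in a disassembler.
    """
    rdtsc = find_all(data, RDTSC)
    cpuid = find_all(data, CPUID)
    out = []
    for first, second in zip(rdtsc, rdtsc[1:]):
        gap = second - first
        # gap == 2 means back-to-back reads with nothing measured between them
        if 2 < gap <= window:
            out.append({
                "first": first,
                "second": second,
                "gap": gap,
                # CPUID within 8 bytes before the first read
                "cpuid_before": any(first - 8 <= c < first for c in cpuid),
            })
    return out


if __name__ == "__main__":
    for hit in timing_check_candidates(SAMPLE):
        print(hit)
```

Run it over the unpacking stub or a memory dump rather than the packed file body, since packed sections hide the opcodes until they are decoded.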

Were you Tracking Santa's Location?

As usual, NORAD were, but there's one minor issue to keep in mind and that's how during the Christmas and New Year holidays Santa Claus is the most successfully targeted victim of identity theft. Hopefully they were tracking the real Santa through the real Rudolph as the weakest link :

"The satellites have infrared sensors, meaning they can detect heat. When a rocket or missile is launched, a tremendous amount of heat is produced - enough for the satellites to detect. Rudolph's nose gives off an infrared signature similar to a missile launch. The satellites can detect Rudolph's bright red nose with practically no problem. With so many years of experience, NORAD has become good at tracking aircraft entering North America, detecting worldwide missile launches and tracking the progress of Santa, thanks to Rudolph."

All rest is a commodity but attitude.

Tuesday, December 19, 2006

Phishing Domains Hosting Multiple Phishing Sites

Well, well, well. What have we got here? A couple of interesting domains hosting phishing sites of multiple banks for you to take a look at, or at the cached versions to be precise. What's worth mentioning is the rise of phishing sites using the much more easily and anonymously registered .biz, .info and .name domains. However, the first part of these is related to 211.137.13.131 :

baldwindy.name
leqwas.biz
noosfo.biz
rsytarai.biz, another one

Multiple hosting:
201.195.156.13
lugers.biz
loreta.biz
tuker.info

Now, try searching the entire .biz space for "Bank Austria Creditanstalt". The good news is that even the average anti-phishing toolbar is capable of detecting these. The bad news is that customers aren't currently using such toolbars as much as they should. And with phishing toolkits lowering the entry barriers in this space by making it easy for wannabe phishers to "make an impact", we've got an efficient problem to deal with.

Google and Yahoo's Shareholders Against Censorship

Collective bargaining tends to achieve the necessary echo effect :

"The New York City Pension Fund wants shareholders to force Google and Yahoo to refuse Internet censorship requests by governments. The fund, which owns nearly $280 million worth of Google shares and $110 million in Yahoo shares, filed resolutions for shareholders at the two Internet companies to vote on at the next shareholder meetings. The resolution states that U.S.-based technology companies 'that operate in countries controlled by authoritarian governments have an obligation to comply with the principles of the United Nations Declaration of Human Rights.'"

Go, go, go, shareholders. So that by the time censorship ends where it's most aggressive for the time being, we can feel proud of ourselves living in a World 2.0, a world in which we all have universal access to the collective wisdom of everyone. Wait, that used to be part of both Google's and Yahoo's mission statements once. From another perspective, the companies themselves have their hands tied by the overall Western world's revenue generation greed, and outsourcing inspirations in China's booming economy. But pretending it isn't happening is like ignoring the existence of the thought police these days.

Monday, December 18, 2006

Le Cyber Jihad

It's very nice to see that Marc Olanié is still keeping track of my articles. Here are several more worth Babelfishing.