Wednesday, May 16, 2007

Sampling Jihadists' IPs

Great idea, as a matter of fact:

"The following is based on an analysis of 4,593 IP addresses (1,452 unique IP addresses). The IPs were acquired from 19 of the more prominent of the Salafist/Jihadist forums, including both Arabic and non-Arabic forums, from 01 January through 30 April of this year."

When reading the per-country stats, do not exclude the logical possibility of IP cloaking while browsing these forums, nor the small number of intelligence and lone-gunman info warriors gathering OSINT data from them. In another, much more in-depth analysis on mapping the online jihad, the authors point out the emerging internationalization of jihad as well:

"The near exclusive use of the Arabic language in these significant jihadi websites likely accounts for the concentration of activity in the Middle East and North Africa. But with a reach to more than 40 countries, the virtual community within these ten influential sites assumes a global significance. The international jihadi movement's use of the internet to fuel the exchange of ideological expansion and its corresponding influx of support will increase the vulnerability of many countries to the appeal of extremism."

At least these organizations don't rely on setting up fake jihadist communities to come up with the sample data, but know exactly where to look.

Monday, May 14, 2007

Mind Mapping Web 2.0 Threats

An informative, and sure to be expanded, mind map presenting various Web 2.0 threats, courtesy of Mike Daw, who by the way neatly integrated the anti-virus detection results into the web backdoors compilation I commented on in a previous post. Here are two more mind maps, of Firefox security related tools and of the threats faced by mobile devices. A related post on the "wormability" of web application insecurities, for everyone thinking about flash worms.

XSS The Planet

Yet another initiative proving that major sites suffer from XSS vulnerabilities in exactly the same fashion e-banking sites do. Perhaps the most interesting point regarding the list is that it dates from 2005 and some of the sites still remain vulnerable, but why is that? Lack of internal incentive programs to deal with the problem? Not getting the necessary attention given the rise of the lost-laptop-with-unencrypted-data issue? A lack of common sense is the best explanation for me. Consider the perspective: it's like utilizing quantum encryption to protect the confidentiality of your data while remaining vulnerable to wardriving attacks capable of obtaining the data in a pre-encryption stage, even on the fly. The encrypted-data myopia is on the rise, and it's the result of yet another "stolen laptop" news article emphasizing the current trend while ignoring the emerging one, namely that a mobile workforce's improved productivity is proportional to the insecurities that come from storing sensitive data in a less controlled external environment. There's no point in implementing state-of-the-art technology when you haven't taken care of the basics, such as the ones so easy to exploit that even a script kiddie can become the next Pentagon hacker by bruteforcing passwords on an unclassified system. And yes, trivial XSS ones too.

Currently active URLs on the list are the following:
Nortel.com
Federal Deposit Insurance Corporation
JC Penney
SonyStyle.com
D-Link.com
Poetry.com

Friday, May 11, 2007

Big Brother Awards 2007

I always liked the idea of emphasizing the big picture when it comes to the worst privacy invaders on a worldwide basis, compared to that of a particular country only. They are all interconnected to a certain extent, united under the umbrella of the "common good", which as a matter of fact won a golden boot in this year's Big Brother International Awards:

"PI's 'Big Brother Awards' have been running for nearly ten years, with events run in eighteen countries around the world. Government institutions and companies have been named and shamed as privacy invaders in a variety of countries and contexts. This year was the first time that Privacy International ran an international event to identify the greatest invaders around the world. The event was hosted by 'the pope', as presented by Simon Davies in full regalia. Previous hosts include 'Dr. Evil' and 'The Queen of England'."

Here are the winners in their categories:

Most invasive company - Choicepoint
Data aggregators centralizing too much personal data in a single place make it vulnerable even to Pringles-can hacking attacks. Next year I'm sure Google's purchase of DoubleClick will get more attention.

Worst Public Official - Stewart Baker
The way Microsoft and open source look awkward in the same sentence is the very same way democracy looks awkward next to Russia.

Most Heinous Government - The United Kingdom
Fully agree here. Twisting the common good is very marketable.

Most Appalling Project or Technology - The International Civil Aviation Organization

I think the CCTV industry should have won here; the rest are bureaucrats whose closed-door propositions later face the public outcry over how not to implement them. Anyway, supply meets the demand for surveillance.

Lifetime Menace Award - The 'Common Good'
The main reason for the existence of today's intrusive surveillance technologies is the idea of the common good. We spy on you to protect you, we take away your civil liberties to protect you, and CCTV after CCTV you end up in a situation that can best be seen in the U.K.

Related posts:
The Future of Privacy = don't over-empower the watchers!
Security vs Privacy or what's left from it
The Cell-phone Industry and Privacy Advocates VS Cell Phone Tracking
Afterlife Data Privacy

Thursday, May 10, 2007

Defeating Virtual Keyboards

To deal with the threat of keyloggers -- or to buy time during the process of implementing two-factor authentication and one-time passwords in everything -- e-banking providers started introducing virtual keyboards as a pragmatic solution to the threat. Malicious attackers are anything but old-fashioned, and this is a great example that insecurities are only a matter of perspective. For the e-banking providers who were aware that a static virtual keyboard would be much easier to defeat, randomized character placement came into play, and so attackers adapted, first by recording video sessions of the login process, and now by turning each mouse click into a screenshot to come up with the account data, as in a PoC on Defeating Citibank Virtual Keyboard:

"Citibank Virtual Keyboard is a security enhancement for protecting from the key loggers. Using this virtual keyboard user can enter Card no and IPIN using mouse. This keyboard will display keys in random position in a virtual keyboard on the screen where it makes a little difficult for password capture. This only gives confidence for end user from key loggers not from other methods. Local attacker can use Win32 APIs to capture using screen shot method and obtain sensitive information including Credit Card/Debit Card (Suvidha Account), IPIN and misuse it."

From a malicious economies-of-scale perspective, these rather amateur techniques mean a lack of efficiency compared to advanced tools such as the Nuclear Grabber, which I intend to cover in depth in a future post from the Malicious Wild West series.
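As an added illustration (not code from this post or from the PoC it cites), the toy simulation below models the threat the post describes: randomizing the on-screen layout per session or per click blinds an observer that records only click coordinates, but does nothing against one that captures what is drawn on screen at each click. The PIN, layouts and both observer models are constructed for the example; no screen capture or Win32 call is involved.

```python
import random

DIGITS = "0123456789"


def new_layout(rng):
    """Shuffle which digit is drawn in each of the ten on-screen key slots."""
    layout = list(DIGITS)
    rng.shuffle(layout)
    return layout


def enter_pin(pin, seed=0, reshuffle_each_click=True):
    """Simulate a user clicking a PIN on the randomized virtual keyboard.

    Returns one (slot_clicked, layout_visible_at_click) pair per digit: all
    that a local observer could see on screen at the moment of each click.
    """
    rng = random.Random(seed)  # seeded only so the simulation is repeatable
    layout = new_layout(rng)
    events = []
    for digit in pin:
        events.append((layout.index(digit), list(layout)))
        if reshuffle_each_click:
            layout = new_layout(rng)
    return events


def coordinate_logger(events):
    """Observer 1: records only where the mouse was clicked (slot numbers)."""
    return [slot for slot, _ in events]


def positions_to_pin(slots, assumed_layout):
    """What observer 1 can reconstruct, given a layout it must assume or has
    captured once; correct only if that layout was really on screen."""
    return "".join(assumed_layout[s] for s in slots)


def screen_at_click_logger(events):
    """Observer 2: a screenshot at every click, reading the digit drawn under
    the cursor. Randomizing the layout does nothing against this model."""
    return "".join(layout[slot] for slot, layout in events)


if __name__ == "__main__":
    ev = enter_pin("4917", seed=7)
    print("clicks only, default 0-9 layout assumed:",
          positions_to_pin(coordinate_logger(ev), list(DIGITS)))
    print("screenshot at each click:", screen_at_click_logger(ev))
```

Running it shows the coordinate-only observer recovering a wrong PIN unless its assumed layout happens to match, while the per-click screenshot observer recovers the PIN every time.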

International Cryptography Regulations Map

Regulations on importing, exporting and using encryption vary greatly across the world. Bert-Jaap Koops came up with some informative maps highlighting the big picture:

"This is a graphic summary of the pertaining cryptography laws and regulations worldwide as outlined in the most recent version of my Crypto Law Survey. It shows the import controls, export controls, and domestic controls, according to the information available to me. Consult the corresponding entry in the Crypto Law Survey for the contents of the pertaining regulation in a particular country."

And here's a related post on a bureaucratic utopia, another one on bureaucracy vs reality when it comes to security, as well as famous cases related to criminals using encryption.