London Car Bombs and Internet Forums

richard m. smith wrote on funsec:

subject: tracking down the london bombers via an ip address

was london bomb plot heralded on web?

internet forum comment from night before: “london shall be bombed”

hours before london explosives technicians dismantled a large car bomb in the heart of the british capital’s tourist-rich theater district, a message appeared on one of the most widely used jihadist internet forums, saying: “today i say: rejoice, by allah, london shall be bombed.”

cbs news found the posting, which went on for nearly 300 words, on the “al hesbah” chat room. it was left by a person who goes by the name abu osama al-hazeen, who appears regularly on the forum. the comment was posted on the forum, according to time stamp, at 08:09 a.m. british time on june 28 — about 17 hours before the bomb was found early on june 29.

al hesbah is frequently used by international sunni militant groups, including al qaeda and the taliban, to post propaganda videos and messages in their fight against the west.

there was no way for cbs news to independently confirm any connection between the posting made thursday night and the car bomb found friday.

al-hazeen’s message begins: “in the name of god, the most compassionate, the most merciful. is britain longing for al qaeda’s bombings?”

al-hazeen decries the recent knighthood of controversial author salman rushdie as a blow felt by all british muslims. “this ‘honoring’ came at a crucial time, a time when the whole nation is reeling from the crusaders attacks on all muslim lands,” he said, in an apparent reference to the british role in iraq.

this is of course, scary and interesting, but i’d like to concentrate on the subject line of richard’s message:
tracking down the london bombers via an ip address

the more important thing to note here, is the fact these cyber terrorism forums have a real connection to real terrorism, rather than how they may be used to try and track the bad guys down (although that is of course, interesting).

it may be stating the obvious, and these forums are likely already tracked: i am unsure if this article will hurt plausible current surveilance efforts, but i am sure stating the obvious about this connection between the real and virtual worlds when it comes to terrorism, is important.

gadi evron,


IPv6, C&C (not botnets, coffee and cats)

So, someone sent this to NANOG:
An IPv6 address for new cars in 3 years?

From: Rich Emmings
Date: Thu Jun 28 17:47:46 2007

Mark IV systems has a spec for OTTO. Mark IV makes automatic
toll collection and related systems O(Not to mention other
automotive products)

The system spec’s show support for IPv6 and SNMPv3. Notably
absent was IPv4 as far as I could tell. No notes on if the IPv6
would be used for Firmware updates or live data collection.
802.1p radio is the spec’d LLP. O/S is VxWorks.

The expectation is for 100% of new cars to have OTTO around

Topicality: Looks like someone, somewhere intends to be live
with IPv6 in 3-5 years.
Off Topic: The privacy and security ramifications boggle the

Which I didn’t read.

Then, this thread happened:

> – — “Suresh Ramasubramanian” wrote:
> >On 6/29/07, Rich Emmings wrote:
> >>
> >> Topicality: Looks like someone, somewhere intends to be live with
> >> IPv6
> >> in 3-5 years. Off Topic: The privacy and security ramifications
> >> boggle
> >> the mind….
> >>
> >
> >Fully mobile, high speed botnets?
> *bing*

That last bing was from Paul Ferguson, our Fergie.
If I was drinking coffee, I’d have dropped it!

Other followups included Chris Morrow’s:
> I can’t help it:
> “If a bot-car is headed north on I-75 at 73 miles per hour for 3 hours
> and a bot-truck is headed west on I-90 at 67 miles per hour, how long
> until they are 129 miles apart?”

And Steve Bellovin’s:
Hmm — I was going to say 127.1 miles apart, but that’s not a v6
address… 1918 miles apart?


CPU vulnerabilities, the future is here?

On funsec, Richard M. Smith send this in after spotting it on /.

Critical update for Intel Core CPUs is out
Have Intel processor? Download the fix right now
By Theo Valich: Tuesday 26 June 2007, 07:26

A COUPLE OF WEEKS ago, we heard that Dell was dealing with a certain situation considering Intel dual-core MCW and quad-core KC marchitecture, and that the company was releasing urgent BIOS and microcode versions for its line up.

We learned that the affected CPUs are the Core 2 Duo E4000/E6000, Core 2 Quad Q6600, Core 2 Xtreme QX6800, QX6700 and QX6800.

In the mobile world, people with the Core 2 Duo T5000 and T7000 need to visit Microsoft’s site, while the server guys will want to use motherboard BIOSes if they do not rely on Microsoft Windows operating systems.

A microcode reliability update is available that improves the reliability of systems that use Intel processors


CFP: ISOI III (a DA workshop)

cfp: isoi iii (a da workshop)


cfp information and current speakers below.

isoi 3 (internet security operations and intelligence) will be held in
washington dc this august the 27th, 28th.

this time around the folks at us-cert (department of homeland security -
dhs) are hosting. sunbelt software is running the after-party dinner.

we only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:

if you haven’t rsvp’d yet, please do so soon. although we have 240 seats, we are running out of space.

a web page for isoi 3 can be found at:

27th, 28th august, 2007
washington dc -
aed conference center:

registration via is mandatory, no cost attached to attending. check if you apply for a seat in our web page.


this is the official cfp for isoi 3. main subjects include: fastflux, fraud, ddos, botnets. other subjects relating to internet security operations are also welcome.

some of our current speakers as you can see below lecture on anything from estonia’s “war” to current web 2.0 threats in-the-wild.

please email as soon as possible to submit a proposal. i will gather them and give them to our committee (jeff moss) for review.

current speakers (before committee decision)

roger thompson (exp labs
- google adwords .. .the dangers of dealing with the russian mafia

barry raveendran greene (cisco)
- what you should be asking me as a routing vendor

john lacour (mark monitor)
- vulnerabilities used to hack sites for phishing
- using xss to track phishers

dan hubbard (websense)
- mpack and honeyjax (web 2.0 honeypots)

april lorenzen
- fastflux: operational update

william salusky (aol)
- the spammer evolves – migration to webmail

hillar aarelaid (estonian cert)
- incident response during the recent attack

Sun Shine (beyond security)
- strategic lessons from the estonian “first internet war”

jose nazarijo (arbor)
- botnet statistics from the estonian attack

andrew fried (treasury department)
- phishing and the irs – new methods

danny mcpherson (arbor)
- tba


RSS Spam

a friend just sent me this link. take a look.

newsgator online. indeed, it’s usually a smart strategy for keeping track of your company, products and identity in the blogosphere.

except when nude japanese nurses sneak into the picture

gadi evron,


Month of Random Months

From full-disclosure’s Month of Random Hashes (MoRH):

Dear list,

You asked for it, and we delivered! Due to the increased demand
for more “Month of” projects, and the growing popularity of posting
hashes to this list, we proudly present… THE MONTH OF RANDOM

Every day for the next month we will be providing a list of not
one… not two… not three… not four… not five… not six…
not seven… not eight… not nine… not ten… not eleven… not
twelve… not thirteen… not fourteen… not fifteen… not
sixteen… not seventeen… not eighteen… not nineteen… not
twenty… not twenty-one… not twenty -two… not twenty-three…
not twenty-four… not twenty-five… not twenty-six… not twenty-
seven… not twenty-eight… not twenty-nine… not thirty… not
thirty-one… not thirty-two… not thirty-three… not thirty-
four… not thirty-five… not thirty-six… not thirty-seven…
not thirty-eight… not thirty-nine… not forty… not forty-
one… not forty-two… not forty-three… not forty-four… not
forty-five… not forty-six… not forty-seven… not forty-
eight… not forty-nine… not fifty… not fifty-one… not fifty-
two… not fifty-three… not fifty-four… not fifty-five… not
fifty-six… not fifty-seven… not fifty-eight… not fifty-
nine… not sixty… not sixty-one… not sixty-two… not sixty-
three… not sixty-four… not sixty-five… not sixty-six… not
sixty-seven… not sixty-eight… not sixty-nine… not seventy…
not seventy-one… not seventy-two… not seventy-three… not
seventy-four… not seventy-five… not seventy-six… not seventy-
seven… not seventy-eight… not seventy-nine… not eighty… not
eighty-one… not eighty-two… not eighty-three… not eighty-
four… not eighty-five… not eighty-six… not eighty-seven…
not eighty-eight… not eighty-nine… not ninety… not ninety-
one… not ninety-two… not ninety-three… not ninety-four… not
ninety-five… not ninety-six… not ninety-seven… not ninety-

not even ninety-nine…


To make the project even more successful, this number (100) only
represents the number of random strings that hashes are generated
for, and not the total number of hashes we provide daily! You will
receive an md5sum, sha1sum, and sha256sum of all 100 random strings
every day.

That is THREE HUNDRED hashes. In your mailbox. Free. Every day.

Stay tuned for more details!

And another post on a newly invented term by Michael Silk:


you shall use it when hacking your way into something.

“i just hackcessed the mainframe”

kittens can use it in the form of “i’m in ur server because i
hackcessed my wai in”

and so on.

i’d post a hash of myself posting this message, to prove i’m the one
that posted it, but you know, it’s hardly worth it.

This message brought to you by MoNST* in the spirit of MoAPI**

68 65 6c 6c 6f 20 74 6f 20 79 6f 75 2c
20 68 65 78 20 64 65 63 6f 64 65 72 2e

* month of new security terms
** month of annoying project ideas


Macchiavelli and havesting targeted data for spam

for a long time now i’ve been getting spam email, much like everyone else. for a couple of years now, i’ve also been getting subject lines that at first, although not always, made me look at the spam for a fraction of a second.

these subject lines would mention issues i care about, such as security. the f-up would be the viagra that would sometimes follow in the same subject line.

very recently i spoke on a mailing list about macchiavelli. today i got a spam with macchiavelli in the subject line (regular spam body, same subject mistake).

spammers are smarter. the smarter they are the more annoying they become, because “they just don’t get it”.

gadi evron,


YouTube security video on YouTube :)

From funsec:

“For phun I posted a video of a piece of malcode using YouTube onto
Youtube…Lets see how many people that confuses.

Our blog post…


What is your favorite Capture the Flag?

I just became aware of this one at the US Military Academy, tested by the NSA:

Which is quite intresting. Defcon’s CfP resulted in much more interesting papers, though. Which are your favorites?


More Soloway documents online (Search warrant application) (Schmutz affidavit) (Reyes affidavit)

Original post:


The attacks on Estonia by Russians (or Russia?)

people have been wondering why i’ve been keeping quiet on this issue, especially since i was right there helping out.

a lot of people had information to share and emotions to get out of the way. also, it was really not my place reply on this – with all the work done by the estonians, my contributions were secondary. mr. alexander harrowell discussed this with me off mailing lists, and our discussions are public on his blog. information from bill woodcock on nanog was also sound.

as to what actually happened over there, more information should become available soon and i will send it here. i keep getting stuck when trying to write the post-mortem and attack/defense analysis as i keep hitting a stone wall i did not expect: strategy. suggestions for the future is also a part of that document, so i will speed it up with a more down-to-earth technical analysis (which is what i promised cert-ee).

in the past i’ve been able to consider information warfare as a part of a larger strategy, utilizing it as a weapon. i was able to think of impact and tools, not to mention (mostly) disconnected attacks and defenses.

i keep seeing strategy for the use in information warfare battles as i write this document on what happened in estonia, and i believe i need more time to explore this against my previous take on the issue, as well as take a look at some classics such as clausewitz, as posh as
it may sound.


gadi evron,


“Where is Waldo?”, or “Security by Origami”

This is an interesting excersize in security:

A friend of mine gave me a riddle this morning regarding “Where’s Waldo?”. The riddle is as follows:

You and a friend play “Where’s Waldo?”. You solve the puzzle before your friend, and you want to prove to your friend you solved the puzzle, without giving him any hints. How do you do this?

Zero knowledge? Geographic descriptions? Riddles? Hashes?
How do you let your friend know that you solved it, without helping out? What is your solution to this problem? Be creative and leave comments.

Math not required (please) but allowed (if you must). :)

For solutions and cool ideas, visit this blog post. There’s some other cool stuff on that blog.


Soloway: Another spammer bites the dust

A big victory against spam. From the article:

A notorious spammer once sued by Microsoft was arrested in Seattle this morning, a week after a federal grand jury indicted him under seal for allegedly illegal — and prolific — spamming.

Links from a friend:

Indictment & USDOJ press announcement here:

Early press accounts:

Update post and more documents:


Targeted or not targeted?

many of us have been having discussions and arguments over if the recent bbb phishing attacks are targeted or not.

thinking on this, i believe the better equivalent which may solve our terminology disagreements on if these bbb phishing emails were targeted or not would be “targeted spam” as a tried concept. we can assume, although in some cases incorrectly, that spam is bulk.

usually, spam goes to “lists” of addresses, harvested. sometimes it is targeted to a certain audience. but there are other types of lists, not just of addresses and interests.

it is possible to buy lists of addresses of people who attended rsa and visited booths, for example. or any other number of trade-shows. it is possible to harvest linkedin, etc.

my take is that this attack is targeted in the sense that it goes to certain individual types only, but is quite mundane and bulk in the type.

we need terms for individual/close-to attacks and attacks by targeting an audience, still in bulk.

gadi evron,


In memory of Michael Lowery

it is not every day that a member of our community passes away, especially not in such a fashion.

i feel very badly, and hope the family gets through this without unnecessary difficulties on top of what they already have to face. :(

“i’m sorry” doesn’t really cut it and i feel uncomfortable saying it. i am honoured to quote this blog post by randy abrams of eset, michael’s co-worker and friend, instead:

not your typical security blog

sometimes you just have to take a step back and appreciate what really matters. security is important. the problems we face are enormous and can cost a lot of money to deal with – even more if not dealt with correctly. but for all that, there is something much more valuable – our friends.

we at eset mourn the loss of one of our friends who passed away on memorial day weekend. mike lowery was our training manager. a highly talented and skilled individual, mike possessed a smile and heart that warmed all – he was the consummate professional and friend.

the measure of our loss is equal to the blessings we received in knowing and working with mike.

as we continue our work at eset we will all endeavor to honor his memory by making eset the best company we possibly can. great work, great fun, and great kindness are the attributes to which we at eset can best aspire in order to honor the memory of our dear friend.

randy abrams
friend of michael lowery

Sun Shine.


WMD in Second Life

hi guys and gals, how are you all doing? :)

i’ve always been a fan of virtual worlds (although for my own life’s sake, i don’t participate in them). this time around it’s about what some refer to as a wmd, and i like it.

funny how history repeats itself and he couldn’t control his “virus”. :)

gadi evron,