June 2007

London Car Bombs and Internet Forums

Richard M. Smith wrote on funsec:

Subject: Tracking down the London bombers via an IP address

Was London Bomb Plot Heralded On Web?

Internet Forum Comment From Night Before: “London Shall Be Bombed”

Hours before London explosives technicians dismantled a large car bomb in the heart of the British capital’s tourist-rich theater district, a message appeared on one of the most widely used jihadist Internet forums, saying: “Today I say: Rejoice, by Allah, London shall be bombed.”

CBS News found the posting, which went on for nearly 300 words, on the “al Hesbah” chat room. It was left by a person who goes by the name Abu Osama al-Hazeen, who appears regularly on the forum. The comment was posted on the forum, according to time stamp, at 08:09 a.m. British time on June 28 — about 17 hours before the bomb was found early on June 29.

al Hesbah is frequently used by international Sunni militant groups, including al Qaeda and the Taliban, to post propaganda videos and messages in their fight against the West.

There was no way for CBS News to independently confirm any connection between the posting made Thursday night and the car bomb found Friday.

al-Hazeen’s message begins: “In the name of God, the most compassionate, the most merciful. Is Britain longing for al Qaeda’s bombings?”

al-Hazeen decries the recent knighthood of controversial author Salman Rushdie as a blow felt by all British Muslims. “This ‘honoring’ came at a crucial time, a time when the whole nation is reeling from the Crusaders’ attacks on all Muslim lands,” he said, in an apparent reference to the British role in Iraq.

This is, of course, scary and interesting, but I’d like to concentrate on the subject line of Richard’s message:
Tracking down the London bombers via an IP address

The more important thing to note here is the fact that these cyber terrorism forums have a real connection to real terrorism, rather than how they may be used to try and track the bad guys down (although that is, of course, interesting).

It may be stating the obvious, and these forums are likely already tracked. I am unsure whether this article will hurt plausible current surveillance efforts, but I am sure that stating the obvious about this connection between the real and virtual worlds, when it comes to terrorism, is important.

Gadi Evron,
ge@beyondsecurity.com.

IPv6, C&C (not botnets, coffee and cats)

So, someone sent this to NANOG:
An IPv6 address for new cars in 3 years?

From: Rich Emmings
Date: Thu Jun 28 17:47:46 2007

Mark IV systems has a spec for OTTO. Mark IV makes automatic
toll collection and related systems (not to mention other
automotive products).

The system spec’s show support for IPv6 and SNMPv3. Notably
absent was IPv4 as far as I could tell. No notes on if the IPv6
would be used for Firmware updates or live data collection.
802.1p radio is the spec’d LLP. O/S is VxWorks.

The expectation is for 100% of new cars to have OTTO around
2010.

http://www.ivhs.com/pdf/FactSheet_OTTO_FactSheet1_101105.pdf

Topicality: Looks like someone, somewhere intends to be live
with IPv6 in 3-5 years.
Off Topic: The privacy and security ramifications boggle the
mind….

Which I didn’t read.

Then, this thread happened:

> “Suresh Ramasubramanian” wrote:
>
> >On 6/29/07, Rich Emmings wrote:
> >>
> >> Topicality: Looks like someone, somewhere intends to be live with
> >> IPv6
> >> in 3-5 years. Off Topic: The privacy and security ramifications
> >> boggle
> >> the mind….
> >>
> >
> >Fully mobile, high speed botnets?
>
> *bing*

That last bing was from Paul Ferguson, our Fergie.
If I was drinking coffee, I’d have dropped it!

Other followups included Chris Morrow’s:
> I can’t help it:
>
> “If a bot-car is headed north on I-75 at 73 miles per hour for 3 hours
> and a bot-truck is headed west on I-90 at 67 miles per hour, how long
> until they are 129 miles apart?”

And Steve Bellovin’s:
> Hmm — I was going to say 127.1 miles apart, but that’s not a v6
> address… 1918 miles apart?

PDF spam

Lately I have been getting more and more PDF-based spam; the PDF itself appears to be just a cover for the normal image spam. The idea, I believe, is that PDF attachments are not inspected by most spam filtering agents, and are not treated by spam filtering as a “score giver” (i.e. something that makes the email look more spammish than others).

BTW: At first glance I thought it was malware or an exploit that uses PDF as its carrying bag, but after a day’s work of investigating, and probing the file with various (non-standard) PDF readers, I concluded that it had nothing to do with malware or an exploit :) Kudos to me 😛
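A filter-side check for exactly this trick, as an added example that is not from the original post: it scores a PDF attachment that draws images but carries no font and no text block the way image spam is scored, and also flags embedded script actions, the kind of thing the post’s author probed the file for. The two PDFs are constructed samples, and the weights are assumed.

```python
import re

# Constructed sample (not a real spam attachment): one page whose only content is
# an image XObject drawn full-page, the shape of PDF-wrapped image spam. JPEG data elided.
IMAGE_ONLY_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 600 /Height 400 /Filter /DCTDecode /Length 0 >> stream
endstream endobj
5 0 obj << /Length 31 >> stream
q 600 0 0 400 0 0 cm /Im0 Do Q
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: one page of real text drawn with a font.
TEXT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R >> endobj
4 0 obj << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> endobj
5 0 obj << /Length 47 >> stream
BT /F1 24 Tf 72 700 Td (Quarterly report) Tj ET
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

def pdf_features(data: bytes) -> dict:
    """Count image XObjects, fonts, text blocks and script actions by scanning raw bytes.
    Caveat: objects packed into compressed object streams (PDF 1.5+) must be inflated first."""
    return {
        "images": len(re.findall(rb"/Subtype\s*/Image\b", data)),
        "fonts": len(re.findall(rb"/Type\s*/Font\b", data)),
        "text_blocks": len(re.findall(rb"\bBT\b[\s\S]*?\bET\b", data)),
        "scripts": len(re.findall(rb"/JavaScript\b|/JS\b", data)),
    }

def pdf_spam_score(data: bytes) -> float:
    """Spam-score contribution for a PDF attachment (assumed weights; tune on your corpus)."""
    f = pdf_features(data)
    score = 0.0
    if f["images"] and not f["fonts"] and not f["text_blocks"]:
        score += 2.5  # image-only PDF: treat like classic image spam
    if f["scripts"]:
        score += 1.5  # embedded script actions: worth a closer look, not proof of an exploit
    return score
```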

CPU vulnerabilities, the future is here?

On funsec, Richard M. Smith sent this in after spotting it on /.

http://www.theinquirer.net/default.aspx?article=40567

Critical update for Intel Core CPUs is out
Have Intel processor? Download the fix right now
By Theo Valich: Tuesday 26 June 2007, 07:26

A COUPLE OF WEEKS ago, we heard that Dell was dealing with a certain situation considering Intel dual-core MCW and quad-core KC marchitecture, and that the company was releasing urgent BIOS and microcode versions for its line up.

We learned that the affected CPUs are the Core 2 Duo E4000/E6000, Core 2 Quad Q6600, Core 2 Xtreme QX6800, QX6700 and QX6800.

In the mobile world, people with the Core 2 Duo T5000 and T7000 need to visit Microsoft’s site, while the server guys will want to use motherboard BIOSes if they do not rely on Microsoft Windows operating systems.

http://support.microsoft.com/?kbid=936357

A microcode reliability update is available that improves the reliability of systems that use Intel processors

CFP: ISOI III (a DA workshop)

Introduction
————

CFP information and current speakers below.

ISOI 3 (Internet Security Operations and Intelligence) will be held in
Washington DC this August, the 27th and 28th.

This time around the folks at US-CERT (Department of Homeland Security –
DHS) are hosting. Sunbelt Software is running the after-party dinner.

We only have a partial agenda at this time (see below), but to remind you of what you will see, here are the previous ones:
http://isotf.org/isoi2.html
http://isotf.org/isoi.html

If you haven’t RSVP’d yet, please do so soon. Although we have 240 seats, we are running out of space.

A web page for ISOI 3 can be found at: http://isotf.org/isoi3.html

Details
——-
27th, 28th August, 2007
Washington DC –
AED Conference Center:
http://www.aedconferencecenter.org/main/html/main.html

Registration via contact@isotf.org is mandatory; there is no cost attached to attending. Check on our web page whether you qualify for a seat.

CFP

This is the official CFP for ISOI 3. Main subjects include: fast-flux, fraud, DDoS, botnets. Other subjects relating to Internet security operations are also welcome.

Some of our current speakers, as you can see below, lecture on anything from Estonia’s “war” to current Web 2.0 threats in the wild.

Please email contact@isotf.org as soon as possible to submit a proposal. I will gather them and give them to our committee (Jeff Moss) for review.

Current speakers (before committee decision)
——————————————–

Roger Thompson (Exp Labs)
– Google AdWords: the dangers of dealing with the Russian mafia

Barry Raveendran Greene (Cisco)
– What you should be asking me as a routing vendor

John LaCour (MarkMonitor)
– Vulnerabilities used to hack sites for phishing
– Using XSS to track phishers

Dan Hubbard (Websense)
– MPack and HoneyJax (Web 2.0 honeypots)

April Lorenzen
– Fast-flux: operational update

William Salusky (AOL)
– The spammer evolves – migration to webmail

Hillar Aarelaid (Estonian CERT)
– Incident response during the recent attack

Sun Shine (Beyond Security)
– Strategic lessons from the Estonian “first Internet war”

Jose Nazario (Arbor)
– Botnet statistics from the Estonian attack

Andrew Fried (Treasury Department)
– Phishing and the IRS – new methods

Danny McPherson (Arbor)
– TBA

Burp Proxy open for orders

I’m writing this purely to pass on a message. If you’ve ever used Burp Suite and have a comment about the software, now is the time to let the developers know. If you haven’t tried it yet, give it a go; you won’t regret it.

This is just to let you know that work is underway on the next release of Burp Suite, which should be available later this year. This will be a major upgrade with lots of new features in all of the tools.

At this point, it would be good to hear any other feature requests that you may have, however large or small. Please reply to me directly or join the discussion here:

http://blog.portswigger.net/

and I’ll address as many as I can.

I’d be grateful if you would pass this email on to anyone else in your team who uses Burp Suite.