Category Archives: Security

WMF zero day exploit

Latest report is that the exploit installs if you even download or index an infected WMF file. In other words if you use Google Desktop, which automagically touches your media files, then your system will be trojaned faster than you can say “how convenient”. No known patches are available.

F-secure, as usual, is ahead of the game with a new signature that detects the three variations already in the wild. They also have a pointer to Sunbelt who has a link to BugTraq.

Sparse information so far, but the early responders seem pretty concerned and recommending that WMF be filtered and/or all traffic be blocked to the following sites:

This seems far more serious than a Saudi teen winning a secular talent competition, so let’s hope someone higher-up issues the appropriate fatwa and/or is able to shutdown or block traffic at the carrier level.

Watch, but you can’t vote

Reuters said on Monday that a second telecom company in Saudi Arabia will block SMS messages intended as votes for a TV show:

Saudi religious scholars last May condemned the hugely popular talent show aired by Lebanese channel LBC as a crime against Islam when a young Saudi returned to a hero’s welcome after winning in the Lebanese capital Beirut.

The Saudi Telecommunications Co. (STC) made an announcement last January that it would block the messages, based on a religious decision made the prior year. The only other cell company in the country, a UAE-based consortium called Mobily (Etihad Etisalat), is finally following suit:

“We will definitely lose money, but how much, I don’t know,” [Mobily spokesman] Alghodaini said about the decision. “If we don’t (stop messaging) it would backfire on us and affect our brand.”

So, the carriers have been prohibited from profits related to the show, which does not stop the show or other forms of voting. Moreover, this certainly raises an interesting dilemma since the content of the message itself is not the problem but rather the intent of the sender to participate in a form of communication deemed objectionable to the religious leaders. And that kind of standard makes violations hard to find, let alone block.

MS Messenger 8 is NOT released

Here’s a funny new trend in announcing software to your users. “Microsoft Messenger 8 has not been released”. In fact, you may even want to say “If you see a file called BETA8WEBINSTALL.EXE (or an obvious variation/advertisement) then please ignore.”

Even the old saying “patch early/often” can and will be held against you by the clever worm and virus authors.

Carriers liable for end-point security

NetworkWorld quoted the AT&T CISO, Ed Amoroso:

The past decade has been tough – the security industry has lost its way. At one point we had no security; now there’s too much. This has been the era of security getting worse and worse. Today there’s too much software from vendors that needs to be patched. There are viruses and worms and spam and firewalls…carriers need to be doing security for the endpoints.

The theory is that a central entity can do a better job filtering the data to detect anomalies, and that the end users can not all afford to specialize in security.

But how do we know that AT&T has a security baseline that is consistent with ours as end users? I agree with Ed that the most basic threats should be removed by the carriers (like the centrally-controlled conditioning that removes big spikes and sags from the power lines), but do not see how he can get around that fact that end users will always have vastly different risk models that need individual solutions. Some of us still buy small UPS, some big, and some go with multiple UPS plus generators. That doesn’t mean we don’t think that the power company shouldn’t be liable for outages, it just means we don’t all address the same risks let alone agree to a universal fix.



This red-dot winner seems like a good idea at first glance. It’s a sunbrella/solar-panel. Perfect for beachgoers who need to power those portable air conditioning units or giant portable beer coolers. In fact, this seems like the just the right thing for small villages in the desert that suffer little or no wind, which brings me to my second glance; what happens when the breeze picks up the disc and launches it like a monster frisbee into the monster-truck parked next to the guy with all the muscles? And how do you collapse/store the thing when you don’t want every bird in the harbor to use it for target practice? Ew, messy. Oh, well. At least it looks a lot prettier than the CIA’s new solar and wind energy units, shown below, made by SkyBuilt Power.

The CIA plop and drop

The Gospel of the FSM

Bobby Henderson reveals that he is gainfully employed now. Just don’t ask about his last supper.

Interview with Wired News:

WN: How were you inspired to write The Gospel of the Flying Spaghetti Monster?

Henderson: The book is necessary so that people see how much hard evidence supports the existence of the FSM. You can make a pretty strong argument for His existence. Especially if you use the same sort of reasoning the ID people do: specious reasoning and circular logic. I suspect the mainstream religions will concede after reading it.

I know this might be a stretch for information security related topics, but the FSM brings to mind a need for clear standards to either accomodate a wide-base for interoperability or a narrow set of similarly defined values. If the core value is revealed to be nothing more than “specious reasoning”…well, that just opens the spec up for all sorts of crazy ideas. The Intelligent Design movement clearly had a supreme marketing department, but their engineering and IP controls leave a lot to be desired.

Or as Bobby put it:

I think it’s pretty amazing that these people without scientific backgrounds — or really any education at all — think they have the right to decide the science curriculum. And it blows my mind that they are getting away with it.

You have to admit the guy has balls, meat balls that is.

Ford Motor Breach

Another big “small” breach is announced:

“Ford Motor Co. informed about 70,000 active and former white-collar employees that a computer with company data, including social security numbers, was stolen from a Ford facility.”

These “smaller” breaches (compared to the hundreds of thousands or even millions of records lost by financial institutions, etc.) are especially worrying because of ID Analytics’ statement that the lesser numbers indicate a higher percentage will be used for fraud.

Guidance Software Announces Breach

This is big news about a small breach. The self proclaimed “leader in computer forensics and incident response solutions” discovered a security breach on December 7th, 2005. SecurityFocus reported today that financial information including CVV was lost:

The breach, which took place in November, resulted in the loss of customer names, credit-card numbers and the three-digit card verification values (CVVs), which merchants are not supposed to retain, according to reports.

This is also reported on (strange domain name, eh?):

The attack occurred in November, but wasn’t discovered until Dec. 7, John Colbert, chief executive officer of Guidance, said in an interview Monday. The attack exposed data on thousands of the company’s customers, including 3,800 whose names, addresses and credit card details were exposed, he said.

However, the official Guidance letter clearly states in the first paragraph “Fortunately, the database that was compromised did not contain any of your financial information that could put you at risk of identity theft.”

Of course most of the people (computer forensics and incident response professionals) who recieved this letter must have immediately suspected something was fishy. After all, why would Guidance send out the notice if there was no breach of sensitive data? And then there were those who are already reporting that they are victims of the breach…

Victory comes with consent

Interesting book by General Sir Rupert Smith called “The Utility of Force”.

The Times review says this military expert’s book criticizes US leadership to initiating a war in Iraq without a realistic mission definition. It is a critique that begins with semantics and ends with tactical suggestions.

You cannot blame the leaders, of course, if all they have read is Clausewitz. It will be no surprise therefore that General Smith is wholly dismissive of the US-led “War on Terror . . . intended to deliver a decisive victory over terror according to the leadership who declared it”. This is a notion “without useful meaning, at least in terms of describing the conduct of this confrontation,” says General Smith. “The terrorist is demonstrating a better understanding of the utility of force in serving his political purpose than those who are opposed to him — both political leaders and military establishments.”

The conclusion seems to be that warfare is now failing due to antiquated concepts applied to a changing world.

To take a historical example: machineguns, barbed wire and artillery made horsed cavalry obsolescent by 1915, but before the technological possibility of fast-moving, long-endurance tanks (not much before 1925) there was no alternative to keeping horsed cavalry since without a mobile arm there was no means of exploiting battlefield success. Ironically, General Smith now despairs of the huge numbers of tanks that Western forces possess since they are of limited utility when war is fought principally “amongst the people”. He does not say that swords should be beaten into billhooks, or for that matter into high-tech military instruments: he argues for an understanding that the longer and more complex battle is for the people’s will rather than for the destruction of an opponent’s forces.

Makes perfect sense to me. It reminds me of the development of the Apache gunship to outfight the Soviet helicopters in Afghanistan. The US technology was faster, more maneuverable and had more firepower. When the Soviets no longer were any kind of threat the Apache gunship became an expensive and lonely technology. It was thus re-purposed into new threats that were far more able to defeat it…ironically, the same threats that the Soviet helicopters really faced — Afghan guerrillas with US shoulder-fired rockets.

The bottom line is that in today’s political climate people will not agree to be subdued under impressive military might; they realize more than ever that they have the means and probably even justification to form their own power structures.

It comes down to a polite thank you for assistance removing one form of threat but a no thank you for further interference that is perceived as yet another threat.

Conservative thinkers such as Rumsfeld and Cheney apparently operated under an illusion that big armies win, end of story. Yet victory from violence at a shock and awe level alone does not warrant welcome parades. Sadly historians could have set them straight on this very quickly; it is actually a big army presence that is most likely to be rejected by local populations. A more tangible connection or concept has to accompany the utility of troops.

Battles just don’t work any more. War is now waged not in the field but the street, so victory is possible only with the people’s consent.

The event of being overrun by a top-down organization that is too large and foreign to be representative or responsive does not translate directly to the feeling of liberation.

My Masters Thesis on the liberation of Ethiopia by the British in 1940 to 1943 explored this issue. It was a delicate operation to repatriate a sovereign leader, which has had lasting effect on the security and stability in the Horn of Africa. The UK War Office tried to involve Haile Selassie with their troops as a means to bolster support for the British military offensive and acceptance after occupation. Instead they found Ethiopia still quickly moved to relationships with other nations that had no liberating role and they called for direct control or withdrawal of British forces. The inability of the occupation to generate social and economic successes precipitated political fracture. Groups worked together to pull apart the old regime. A vacuum of power allowed a new harsh unity to be formed by extremists, which further disintegrated notions of unity and the region fell into decades of separatist and guerrilla combat.

History is littered with examples of this liberation-to-loss concept, as the Times explains:

What is so appalling about Iraq is that it was predictable — and indeed it was predicted — from even a nodding acquaintance with history. General Smith cites Bonaparte’s invasion of Spain: the Spanish army collapsed, Madrid fell, but guerrilla warfare put the victory to nought, fatally bleeding the occupation forces. In the Anglo-Boer War, after the initial reverses the British quickly defeated the Boer field forces and occupied their two capitals, but a change of Boer tactics to something not unlike the Spanish guerrilleros’ prolonged the conflict by another two years, and at considerable cost to Britain’s military credibility and international moral standing.

Jamaican resistance to the Spanish is another good study. The US experience with the Philippines after liberation during the Spanish-American War also is worth a look.

eManifests in use in AZ

The US Customs and Border Protection site has announced the “First Electronic Truck Manifest Filed on Southern Border”. I guess to be accurate they should clarify that the manifest is electric, not the truck.

Anyway, I haven’t seen this picked up in any news (perhaps since it has been working for some time on the northern border of the US and isn’t newsworthy) but I figured the announcement must be meaningful to those who monitor the progress of tracking systems, plus it had some interesting language:

The automated manifest provides CBP officers with cargo information prior to a shipment arriving at the gate. Comprehensive data such as information on the driver and passengers; a description of the conveyance and any applicable equipment like a trailer; and details regarding the shipment are included.


There are currently 31 ACE ports in the states of Arizona, Michigan, Minnesota, North Dakota and Washington. The schedule for deployments of ACE to additional ports continues in January, beginning with selected ports in Texas in early 2006.

That is many more than I had been aware of and so I am curious when intra-state borders or even road-side checkpoints will have ACE setup.