
Archive for the ‘news’ Category

I’m a twit

Tuesday, October 12th, 2010

I finally fell for the Twitter hype and have been on Twitter for a few months now. I still do NOT like the 140-byte limit; the world is complex and complex ideas need more than 140 bytes. That being said, I do like the running conversation and the way in which anyone can contribute and respond to anyone, so you can chalk me up as a reluctant convert. You can follow me @angelofsecurity.

stuxnet – effort and payout

Tuesday, October 5th, 2010

There has been a ton of speculation on Stuxnet so far, much of it suggesting that it was created by a state actor. Most people have pointed at the incredible level of effort that went into creating it. However, people are forgetting that other recent malware, including Zeus and Conficker, has also had the title of “most complex ever” bestowed upon it. It seems natural that malware and computer attacks will only continue to get more complex. Complexity alone does not indicate a state actor.

What people aren’t saying (though I have a feeling many sense it intuitively without stating it) is that the lack of monetization, combined with the effort, is what points to a state actor behind the Stuxnet worm. Zeus and Conficker were easily monetized, which explains the effort involved: people (perhaps many people) worked hard to create something that would make them money. If they needed an exploit, one could be purchased in the hope of recouping the cost later. The fact that Stuxnet seems to do something (but we don’t know what), and doesn’t seem to be easy to monetize, certainly suggests a non-criminal motive. Since we haven’t seen many players in this space with significant resources other than criminals and governments, governments become the natural suspect.

As for the target of Stuxnet, Iran has the most infections, but that could very easily be coincidence. So far there is no evidence at all that Iran, or anyone else, was a specific target; we’ve had a simple case of the media continuing to report on each other’s reporting. There are more reasons Iran could have more infections than I can count. Perhaps Iran doesn’t have great antivirus adoption rates. Perhaps the first few infections simply happened to be there. Perhaps this was made by Iranians. Viruses are inherently untargeted, so trying to guess at a target from the geographical distribution of infections is speculative at best. However, since no one has any better theories, the media echo chamber will continue to promote this until people assume it’s true, whether or not it really is.

custom malware and antivirus

Thursday, July 29th, 2010

In the Verizon DBIR report there is an interesting graph on page 26. It shows the percentage of malware infections in which the malware itself was customized. In 2005-2007 the percentage held steady between 21% and 28%. In 2008 it jumped to 59%, and in 2010 it is still high at 54%. Perhaps not surprisingly, even though only half of the malware is customized, that half is responsible for 97% of the stolen records. Presumably non-customized malware and all other methods are responsible for the remaining 3%. Why the huge discrepancy? It’s easy: antivirus. Non-customized malware gets detected; customized malware doesn’t. This goes back to something many people have started to feel in the last few years: antivirus is inherently flawed, and we’re starting to see its flaws. Blacklisting is inherently a losing battle, because there will always be new bad things, and there will always be something you didn’t think of. Whitelisting may seem like a pain at first, but in the long run it’s almost always easier and more effective.
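To make the blacklist-versus-whitelist point concrete, here is an added example (my own illustration, not code from the DBIR or from this post). The “executables” are constructed byte strings, the “customization” is a one-field change to a known dropper, and the hash/signature sets stand in for an AV signature database and an application allowlist; all names are hypothetical.

```python
import hashlib

# Constructed stand-ins for executables (byte strings instead of real files).
KNOWN_GOOD = {
    "payroll.exe": b"MZ\x90\x00 payroll-client build 4.2",
    "browser.exe": b"MZ\x90\x00 web-browser build 11.0",
}
# Off-the-shelf malware that the AV vendor has already seen and signed.
STOCK_MALWARE = b"MZ\x90\x00 dropper; c2=evil.example; key=abcd"
# "Customized" malware: the same dropper with one field changed before deployment.
CUSTOM_MALWARE = STOCK_MALWARE.replace(b"key=abcd", b"key=wxyz")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Blacklist (AV-style): block only what has been seen before,
# by exact hash and by a byte-pattern signature written from the stock sample.
BAD_HASHES = {sha256(STOCK_MALWARE)}
BAD_SIGNATURES = [b"c2=evil.example; key=abcd"]


def blacklist_allows(data: bytes) -> bool:
    """True if a signature-based scanner would let this file run."""
    if sha256(data) in BAD_HASHES:
        return False
    return not any(sig in data for sig in BAD_SIGNATURES)


# Whitelist: run only what has been explicitly approved, identified by hash.
APPROVED_HASHES = {sha256(blob) for blob in KNOWN_GOOD.values()}


def allowlist_allows(data: bytes) -> bool:
    """True if an application allowlist would let this file run."""
    return sha256(data) in APPROVED_HASHES


def compare(samples: dict) -> dict:
    """Map sample name -> (blacklist verdict, allowlist verdict); True means 'allowed'."""
    return {name: (blacklist_allows(d), allowlist_allows(d)) for name, d in samples.items()}


if __name__ == "__main__":
    results = compare({**KNOWN_GOOD, "stock.exe": STOCK_MALWARE, "custom.exe": CUSTOM_MALWARE})
    for name, (bl, al) in results.items():
        print(f"{name:12} blacklist={'allow' if bl else 'block':5}  "
              f"allowlist={'allow' if al else 'block'}")
```

The stock sample is caught both ways; the customized sample sails past the blacklist (neither its hash nor the signature matches any more) but is still blocked by the allowlist, which never had to know about it. The cost shows up on the other side: every legitimate update changes a hash and must be approved, and anything that runs inside an already-approved process (injected code, scripts fed to an approved interpreter) is not covered by a file-hash allowlist.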

Verizon 2010 DBIR report

Wednesday, July 28th, 2010

It’s amazing how quickly something can go from “brand new” to “mandatory reading”, but that’s exactly what the Verizon Data Breach Investigations Report has become in its short existence. The 2010 report has been released. The total number of cases analyzed since the inception of the report is now over 900, and is easily the largest data set to date.

full disclosure for public web apps

Friday, May 21st, 2010

There’s a new full disclosure website in town: http://www.vs-db.info names and shames sites with web application vulnerabilities (SQL injection, XSS, XSRF, CRLF injection, etc.) without providing enough detail to exploit them.

2600 letters

Monday, April 19th, 2010

If you’ve ever read 2600, you know that the letters usually make up a large part of each issue, and reflect a broad range of ideas and opinions. I recently found that 2600 is publishing a book reprinting letters from their last 25 years. Called Dear Hacker, it is scheduled to be published in July. I wonder how many of them will be from teenagers asking the editor how to hack into their high school?

Twitter’s DNS servers hacked

Friday, December 18th, 2009

According to a series of news accounts today, Twitter was either hacked or not hacked, depending on who you listen to. The bottom line seems to be that Twitter’s DNS servers were hijacked. How this was done has not been revealed. Twitter seems to be dodging the brunt of the blame because its provider runs its DNS servers (confirmed by the quick nslookup below). While this may be true, it only affects how Twitter should react internally; the risk to Twitter’s users is exactly the same. If the attackers had wanted to do damage instead of showing off with a “look at me, I’m so cool” page, they would have forwarded users to a phishing page that intercepted authentication credentials. (The implications for Twitter are fairly trivial; imagine the same attack against a bank.)

C:\>nslookup

> set type=ns
> twitter.com
Server:  UnKnown
Address:  x.x.x.x

(root)
primary name server = trafficdns1.ddc.com
responsible mail addr = hostmaster.jettissystems.com
serial  = 2009072301
refresh = 43200 (12 hours)
retry   = 3600 (1 hour)
expire  = 1209600 (14 days)
default TTL = 3600 (1 hour)

Update: more details on the DNS records can be found at SANS’ incident handler diary.
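A DNS hijack like this one changes the answers a domain’s delegation returns, so the practical check is to compare the NS records you get back against the set you expect. Below is an added example (my own code, not Twitter’s, its provider’s, or anything from the SANS diary) that decodes a DNS response, including RFC 1035 name compression, extracts the IN NS records and flags any deviation from an expected set. The response bytes are constructed by hand, the name-server names (ns1/ns2.example.net, hijack.example.org) are hypothetical, and the expected-NS table is an assumption a monitoring job would fill in from the registrar.

```python
import struct

# Constructed DNS response to "twitter.com NS?" with two IN NS answers.
# The second answer's RDATA uses a compression pointer (0xC02D) back to the
# "example.net" suffix inside the first answer. Server names are hypothetical.
NS_RESPONSE = (
    b"\x12\x34"                # transaction ID
    b"\x81\x80"                # flags: response, RD+RA, RCODE 0
    b"\x00\x01\x00\x02"        # QDCOUNT=1, ANCOUNT=2
    b"\x00\x00\x00\x00"        # NSCOUNT=0, ARCOUNT=0
    b"\x07twitter\x03com\x00"  # QNAME
    b"\x00\x02\x00\x01"        # QTYPE=NS, QCLASS=IN
    # answer 1: twitter.com 3600 IN NS ns1.example.net
    b"\xc0\x0c\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x11"
    b"\x03ns1\x07example\x03net\x00"
    # answer 2: twitter.com 3600 IN NS ns2.example.net (suffix via pointer)
    b"\xc0\x0c\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x06"
    b"\x03ns2\xc0\x2d"
)

# The same reply after a hijack: answer 2 now delegates to an attacker's host.
HIJACKED_RESPONSE = (
    NS_RESPONSE[:68]                     # everything up to answer 2's RDLENGTH
    + b"\x00\x14" + b"\x06hijack\x07example\x03org\x00"
)

# Assumed "known good" delegation, as recorded from the registrar (hypothetical).
EXPECTED_NS = {"twitter.com": {"ns1.example.net", "ns2.example.net"}}


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:             # compression pointer (RFC 1035 §4.1.4)
            if end is None:
                end = off + 2             # the field ends after the first pointer
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), (end if end is not None else off)


def parse_ns_records(msg: bytes):
    """Return [(owner, nameserver)] for every IN NS record in the answer section."""
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    if flags & 0x0200:
        raise ValueError("truncated response; retry over TCP")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                   # skip the question section
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2 and rclass == 1:    # NS, IN
            ns, _ = read_name(msg, off)
            records.append((owner.lower(), ns.lower()))
        off += rdlen
    return records


def check_delegation(msg: bytes, expected=EXPECTED_NS):
    """Return [(zone, unexpected servers, missing servers)]; empty list means all good."""
    seen = {}
    for owner, ns in parse_ns_records(msg):
        seen.setdefault(owner, set()).add(ns)
    alerts = []
    for zone, want in expected.items():
        got = seen.get(zone, set())
        if got != want:
            alerts.append((zone, sorted(got - want), sorted(want - got)))
    return alerts


if __name__ == "__main__":
    print("normal:  ", check_delegation(NS_RESPONSE))
    print("hijacked:", check_delegation(HIJACKED_RESPONSE))
```

In a real monitoring job the response would come from a direct query to the parent zone’s servers (the .com servers in this case) rather than from a caching resolver, because a resolver keeps serving the old delegation until the TTL expires and may hide the change for an hour or more; a second check against the registrar’s own record of the delegation catches the case where the hijack was done at the registrar rather than on the name servers.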

You forgot the encryption

Thursday, December 17th, 2009

Apparently the drones that the US has been using in Iraq and Afghanistan have not encrypted their video feeds, and Pentagon officials have revealed that insurgents have been eavesdropping on the video transmissions. According to the WSJ:

Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.

U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds.

Think that’s astounding? Wait till you see this:

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.

They’ve known about this for nearly two decades and haven’t done anything? C’mon guys – encryption isn’t exactly a new technology. As for assuming that insurgents wouldn’t know how to take advantage of the flaw, don’t even get me started. You should never underestimate your adversary, especially in war. In the modern information age knowledge is easy to come by, so assuming any large group of people will not have certain knowledge is a perilous assumption.

Blackberry surveillance

Thursday, July 16th, 2009

It should never surprise anyone that a government wants to occasionally watch its citizens for law enforcement purposes. The methods of surveillance change with time and technology of course, and it appears that the United Arab Emirates has just crossed a new threshold: using spyware to spy on people’s BlackBerries. Etisalat, one of the region’s major telecom providers, pushed out a new patch, claiming it was to improve performance. It turns out the patch included spyware which, once activated, would report all activity performed on the BlackBerry back to a central server. Due to a programming glitch, the “patch” also ran down the BlackBerry’s battery at an alarming rate, which bothered many users. After a few days of silence, Etisalat issued a statement that must set records for government non-denial denials, claiming only that “a conflict in the settings in some BlackBerry devices has led to a slight technical fault while upgrading the software of these devices.” The users and the local media of course know better.

l0phtcrack is back

Thursday, May 28th, 2009

This is the best news I’ve heard this week. L0phtcrack, the original Windows password cracker, is back. L0phtcrack was originally developed by an independent group of hackers known as L0pht. Through a series of mergers and buyouts it ended up owned by Symantec, which unceremoniously dropped the product because it didn’t fit into Symantec’s line of offerings. Although old versions and cracks could be found on the internet, it’s good to see the tool back with new features. You can get it from http://www.l0phtcrack.com.

 