Blog: 2007 Archives

The Nugache Worm/Botnet

I’ve already written about the Storm worm, and how it represents a new generation of worm/botnets. And Scott Berinato has written an excellent article about the Gozi worm, another new-generation worm/botnet.

This article is about yet another new-generation worm/botnet: Nugache. Dave Dittrich thinks this is the most advanced worm/botnet yet:

But this new piece of malware, which came to be known as Nugache, was a game-changer. With no C&C server to target, bots capable of sending encrypted packets and the possibility of any peer on the network suddenly becoming the de facto leader of the botnet, Nugache, Dittrich knew, would be virtually impossible to stop.

[…]

Nugache, and its more famous cousin, the Storm Trojan, are not simply the next step in the evolution of malware. They represent a major step forward in both the quality of software that malware authors are producing and in the sophistication of their tactics. Although they’re often referred to as worms, Storm and Nugache are actually Trojans. The Storm creator, for example, sends out millions of spam messages on a semi-regular basis, each containing a link to content on some remote server, normally disguised in a fake pitch for a penny stock, Viagra or relief for victims of a recent natural disaster. When a user clicks on the link, the attacker’s server installs the Storm Trojan on the user’s PC and it’s off and running.

Various worms, viruses, bots and Trojans over the years have had one or two of the features that Storm, Nugache, Rbot and other such programs possess, but none has approached the breadth and depth of their feature sets. Rbot, for example, has more than 100 features that users can choose from when compiling the bot. This means that two different bots compiled from an identical source could have nearly identical feature sets, yet look completely different to an antivirus engine.

[…]

As scary as Storm and Nugache are, the scarier thing is that they represent just the tip of the iceberg. Experts say that there are several malware groups out there right now that are writing custom Trojans, rootkits and attack toolkits to the specifications of their customers. The customers are in turn using the malware not to build worldwide botnets a la Storm, but to attack small slices of a certain industry, such as financial services or health care.

Rizo, a variant of the venerable Rbot, is the poster child for this kind of attack. A Trojan in the style of Nugache and Storm, Rizo has been modified a number of times to meet the requirements of various different attack scenarios. Within the course of a few weeks, different versions of Rizo were used to attack customers of several different banks in South America. Once installed on a user’s PC, it monitors Internet activity and gathers login credentials for online banking sites, which it then sends back to the attacker. It’s standard behavior for these kinds of Trojans, but the amount of specificity and customization involved in the code and the ways in which the author changed it over time are what have researchers worried.

[…]

“I’m pretty sure that there are tactics being shared between the Nugache and Storm authors,” Dittrich said. “There’s a direct lineage from Sdbot to Rbot to Mytob to Bancos. These guys can just sell the Web front-end to these things and the customers can pick their options and then just hit go.”

See also: “Command and control structures in malware: From Handler/Agent to P2P,” by Dave Dittrich and Sven Dietrich, USENIX ;login:, vol. 32, no. 6, December 2007, and “Analysis of the Storm and Nugache Trojans: P2P is here,” Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich, USENIX ;login:, vol. 32, no. 6, December 2007. The second link is available to USENIX members only, unfortunately.

Posted on December 31, 2007 at 7:19 AM. 23 Comments

New Lithium Battery Rules for U.S. Airplanes

Starting in 2008, there are new rules for bringing lithium batteries on airplanes:

The following quantity limits apply to both your spare and installed batteries. The limits are expressed in grams of “equivalent lithium content.” 8 grams of equivalent lithium content is approximately 100 watt-hours. 25 grams is approximately 300 watt-hours:

  • Under the new rules, you can bring batteries with up to 8-gram equivalent lithium content. All lithium ion batteries in cell phones are below 8 gram equivalent lithium content. Nearly all laptop computers also are below this quantity threshold.
  • You can also bring up to two spare batteries with an aggregate equivalent lithium content of up to 25 grams, in addition to any batteries that fall below the 8-gram threshold. Examples of two types of lithium ion batteries with equivalent lithium content over 8 grams but below 25 are shown below.
  • For a lithium metal battery, whether installed in a device or carried as a spare, the limit on lithium content is 2 grams of lithium metal per battery.
  • Almost all consumer-type lithium metal batteries are below 2 grams of lithium metal. But if you are unsure, contact the manufacturer!

Near as I can tell, this affects pretty much no one except audio/visual professionals. And the TSA isn’t saying whether this is a safety issue or a security issue. They aren’t giving any reason. But those of you who paid close attention to the Second Movie-Plot Threat Contest know of the dangers:

Terrorist camouflages bombs as college textbooks, with detonators hidden in the lithium-ion batteries of various electronics. The terrorist nonchalantly wanders up by the cockpit with his armed textbook and detonates it right after the seat belt sign goes off, but while the plane is still over an inhabited area. Thousands die, with most of the casualties on the ground.

Chat about the ban on FlyerTalk. Does any other country have any similar restrictions?

EDITED TO ADD (12/28): It’s not a TSA rule; it’s an FAA rule.

The FAA has found that current systems for putting out aircraft cargo fires could not suppress a fire if a shipment of non-rechargeable batteries ignited during flight, the release said.

Here’s the actual rule; it’s the DOT that published it. Lithium batteries have been banned as cargo for a long time now. This is the DC-8 fire that led to the ban.

Posted on December 28, 2007 at 3:05 PM. 55 Comments

Security of Adult Websites Compromised

This article claims that the software that runs the back end of either 35% or 80%–95% of adult websites (depending on which part of the article you read) has been compromised, and that the adult industry is hushing this up. Like many of these sorts of stories, there’s no evidence that the bad guys have the personal information database. The vulnerability only means that they could have it.

Does anyone know about this?

Slashdot thread.

Posted on December 28, 2007 at 7:54 AM. 19 Comments

Picasso Stolen from Brazilian Museum

A professional job:

The thieves used a hydraulic car jack to pry their way past the pull-down metal gate that protects the museum’s front entrance. Then, they smashed through two glass doors, probably using a crowbar, to get to the paintings on the second floor, police said.

The fundamental problem with securing fine art is that it’s so extraordinarily valuable; museums simply can’t afford the security required.

Local media reports estimated their value at around $100 million, but Cosomano and other curators said it is difficult to put a price on them because the paintings had not gone to auction.

“The prices paid for such works would be incalculable, enough to give you vertigo,” said curator Miriam Alzuri of the Bellas Artes Museum of Bilbao, Spain.

We basically rely on the fact that fine art can’t be resold, because everyone knows it’s stolen. But if someone wants the painting and is willing to hang it in a secret room somewhere in his estate, that doesn’t hold.

“Everything indicates they were sent to do it by some wealthy art lover for his own collection—someone who, although wealthy, was not rich enough to buy the paintings,” Moura added.

Posted on December 27, 2007 at 1:41 PM. 44 Comments

Airport Security Study

Surprising nobody, a new study concludes that airport security isn’t helping:

A team at the Harvard School of Public Health could not find any studies showing whether the time-consuming process of X-raying carry-on luggage prevents hijackings or attacks.

They also found no evidence to suggest that making passengers take off their shoes and confiscating small items prevented any incidents.

[…]

The researchers said it would be interesting to apply medical standards to airport security. Screening programs for illnesses like cancer are usually not broadly instituted unless they have been shown to work.

Note the defense by the TSA:

“Even without clear evidence of the accuracy of testing, the Transportation Security Administration defended its measures by reporting that more than 13 million prohibited items were intercepted in one year,” the researchers added. “Most of these illegal items were lighters.”

This is where the TSA has it completely backwards. The goal isn’t to confiscate prohibited items. The goal is to prevent terrorism on airplanes. When the TSA confiscates millions of lighters from innocent people, that’s a security failure. The TSA is reacting to non-threats. The TSA is reacting to false alarms. Now you can argue that this level of false alarms is necessary to make people safer, but it’s certainly not evidence that people are safer.

For example, does anyone think that the TSA’s vigilance regarding pies is anything other than a joke?

Here’s the actual paper from the British Medical Journal:

Of course, we are not proposing that money spent on unconfirmed but politically comforting efforts to identify and seize water bottles and skin moisturisers should be diverted to research on cancer or malaria vaccines. But what would the National Screening Committee recommend on airport screening? Like mammography in the 1980s, or prostate specific antigen testing and computer tomography for detecting lung cancer more recently, we would like to open airport security screening to public and academic debate. Rigorously evaluating the current system is just the first step to building a future airport security programme that is more user friendly and cost effective, and that ultimately protects passengers from realistic threats.

I talked about airport security at length with Kip Hawley, the head of the TSA, here.

Posted on December 27, 2007 at 6:28 AM. 62 Comments

"Tiger Team" Reality TV Show

On Court TV:

This vérité action series follows Tiger Team, a group of elite professionals hired to infiltrate major business and corporate interests with the objective of exposing weaknesses in the world’s most sophisticated security systems, defeating criminals at their own game. Tiger Team is comprised of Security Audit Specialists Chris Nickerson, Luke McOmie and Ryan Jones, who employ a variety of covert techniques (electronic, psychological and tactical) as they take on a new assignment in each episode.

Watch the trailer. Look at the photo. Okay, so it’ll be unrealistically sensationalist. But it might be fun.

First episode is tonight.

EDITED TO ADD (12/26): My apologies. The episodes aired last night, on Christmas Day. If there are any recordings out there, please post URLs.

Posted on December 26, 2007 at 7:50 AM. 65 Comments