Category Archives: Information Security

Here’s why everyone believes NSA Leaker Edward Snowden is on Aeroflot 150 to Cuba

Aeroflot 150 is a scheduled flight from Moscow, Russia, to Havana, Cuba.

It is flown by an Airbus A330 and, like any scheduled airliner, unless something very special happens it always takes the same route to Cuba.

However, on Jul. 11 it flew a different route, a southern one that completely avoids U.S. airspace (for the history of this flight’s routing over the last few weeks, take a look here). Furthermore, AFL150 is the same flight believed to be carrying NSA leaker Edward Snowden a couple of weeks ago, when journalists boarded the plane only to find the accused spy’s seat empty.


Image credit: FlightAware

Such a significant change of route is unusual, but it might be explained by the bad weather affecting the U.S. East Coast.

At the time of writing, the aircraft is about to land at Int’l José Martí airport in Havana. If Snowden is on board, we’ll know very soon.

U.S. Air Force to turn combat planes into flying wireless routers

The U.S. Air Force is trying to turn the targeting pods carried by some of its legacy fighters and the B-1 Lancer bomber into flying wireless routers that would allow ground troops to communicate with each other.

Tested by the 40th Flight Test Squadron at Eglin Air Force Base, Florida, on an A-10 Warthog, the flying router is a software upgrade called Net-T (network tactical) for the Litening II and Sniper advanced targeting pods.

A-10 flares

Image credit: U.S. Air Force

It allows ground units on patrol to interconnect by way of the Remote Operations Video Enhanced Receiver (ROVER) 5, a portable terminal similar to a tablet or an iPad mini that JTACs (Joint Terminal Attack Controllers) use to receive real-time footage from the aircraft’s targeting pod.

ROVER systems are used by JTACs to determine whether the pilot on a nearby combat plane is cueing the weapons to the correct ground target.

Until now, ROVERs could only upload and download data from a nearby aircraft. With the new capability, which began developmental testing in October 2012 and has flown 23 sorties so far, data streams from different terminals will be routed by the pod.

In other words, different units on the ground, in “line of sight” of the fighter plane, will be able to exchange imagery, maps and any file type without relying on satellite or conventional radio communication.

Obviously, such a wireless network will need proper protection: the links between the pod and the terminals must be encrypted so that an enemy in line of sight cannot eavesdrop on the traffic, and every peer must be authenticated so that the relay does not forward forged imagery, tampered files or malware to the other terminals.
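As an added illustration (not code from the original post, and not the Net-T design, which the post does not describe), the block below models the minimum a relay like this should enforce before forwarding a frame: each terminal holds a pre-shared key, every frame carries a per-sender sequence number and an HMAC over sender id, counter and payload, and the relay drops frames that fail authentication or reuse an old counter. The `Terminal` and `Relay` classes, the frame layout and the key handling are assumptions of this sketch, and the scenario in `demo()` is constructed.

```python
"""Added illustration of an authenticated relay between ground terminals.

This is not Net-T code; it models the minimum a 'flying router' should
enforce before forwarding a frame between peers: the frame must carry a
valid HMAC under the sender's pre-shared key and a sequence number higher
than the last one seen, so forged, tampered and replayed frames are dropped
at the relay instead of reaching the terminals.
Frame layout (assumed for this sketch):
    id_len (1 byte) | sender id | seq (uint32, big-endian) | payload | tag (32 bytes)
"""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def _tag(key: bytes, sender: bytes, seq: int, payload: bytes) -> bytes:
    # The tag covers sender id, counter and payload so none of them can be swapped.
    return hmac.new(key, sender + struct.pack(">I", seq) + payload, hashlib.sha256).digest()


class Terminal:
    """A ROVER-like ground terminal holding one pre-shared key for the relay."""

    def __init__(self, ident: str, key: bytes):
        self.ident = ident.encode()
        self.key = key
        self.seq = 0          # per-sender monotonic counter
        self.inbox = []       # (sender id, payload) pairs delivered by the relay

    def build_frame(self, payload: bytes) -> bytes:
        self.seq += 1
        header = struct.pack(">B", len(self.ident)) + self.ident + struct.pack(">I", self.seq)
        return header + payload + _tag(self.key, self.ident, self.seq, payload)


class Relay:
    """The pod in its router role: it only knows the keys of enrolled terminals."""

    def __init__(self, terminals):
        self.peers = {t.ident: t for t in terminals}
        self.last_seq = {t.ident: 0 for t in terminals}
        self.dropped = []     # (reason, detail) for every rejected frame

    @staticmethod
    def _parse(frame: bytes):
        if len(frame) < 1 + 4 + TAG_LEN:
            return None
        n = frame[0]
        if len(frame) < 1 + n + 4 + TAG_LEN:
            return None
        sender = frame[1:1 + n]
        (seq,) = struct.unpack(">I", frame[1 + n:5 + n])
        return sender, seq, frame[5 + n:-TAG_LEN], frame[-TAG_LEN:]

    def forward(self, frame: bytes) -> bool:
        parsed = self._parse(frame)
        if parsed is None:
            self.dropped.append(("malformed", None))
            return False
        sender, seq, payload, tag = parsed
        peer = self.peers.get(sender)
        if peer is None:
            self.dropped.append(("unknown_sender", sender))
            return False
        # Constant-time comparison: a plain == would leak tag bytes through timing.
        if not hmac.compare_digest(_tag(peer.key, sender, seq, payload), tag):
            self.dropped.append(("bad_tag", sender))
            return False
        if seq <= self.last_seq[sender]:
            self.dropped.append(("replay", sender))
            return False
        self.last_seq[sender] = seq
        for ident, other in self.peers.items():
            if ident != sender:
                other.inbox.append((sender.decode(), payload))
        return True


def demo() -> dict:
    """Constructed scenario: two enrolled terminals and an intruder who knows
    a terminal's id but not its key. Returns what the relay accepted and dropped."""
    alpha = Terminal("JTAC-A", os.urandom(32))
    bravo = Terminal("JTAC-B", os.urandom(32))
    relay = Relay([alpha, bravo])
    frame = alpha.build_frame(b"grid 38S MB 1234 5678")
    results = {"legit": relay.forward(frame)}
    results["replay"] = relay.forward(frame)               # same counter again
    tampered = bytearray(frame)
    tampered[-TAG_LEN - 1] ^= 0x01                         # flip one payload bit
    results["tampered"] = relay.forward(bytes(tampered))
    intruder = Terminal("JTAC-A", os.urandom(32))          # right id, wrong key
    results["forged"] = relay.forward(intruder.build_frame(b"move to 1234 5600"))
    results["bravo_inbox"] = list(bravo.inbox)
    results["alpha_inbox"] = list(alpha.inbox)
    results["dropped"] = [reason for reason, _ in relay.dropped]
    return results


if __name__ == "__main__":
    print(demo())
```

This sketch only authenticates: anyone in line of sight can still read the payloads, so a real system also has to encrypt (an AEAD mode such as AES-GCM gives both properties in one pass), and the hard operational part is loading and rotating the per-terminal keys before each sortie rather than the check itself.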

According to Maj. Olivia Elliot, the 40th FLTS A-10 flight commander who flew the test for the Warthog, the Net-T portion of the targeting pod is quite easy to operate: once the proper settings are configured “it’s a single button push” and the pilot’s only concern is to remain within range of the system.


Image credit: U.S. Air Force

During test activity aimed at mapping the operational envelope of the system, five ROVER terminals were set up within the Eglin range and data exchange was tested with a variety of aircraft and pod types, including the F-16, F-15E and B-1B.

Such tests by the 53rd Wing’s “Team Eglin” will be used to validate the system, which is expected to enter active service by 2014.

Digital map error may have caused U.S. Navy minesweeper grounding

It is no secret that modern militaries rely heavily on digital systems.

Just have a look at the cockpit of a fighter jet, bomber or helicopter (the same goes for warships, tanks, etc.) and you will be struck by the absence of traditional analog gauges: they are filled with multi-function LCD screens and other electronic instruments, to such an extent that they are known as “glass cockpits”.

Digital technology also extends to flight helmets, which are connected to the aircraft to project relevant information, including airspeed, altitude, weapons status and aiming cues, onto the visor, so the pilot can look in any direction with all the required data always in his field of vision.

Even though digital equipment has improved the safety, reliability and accuracy of weapons systems, it can still be the cause of some rather dangerous and embarrassing incidents.

In 2011, a computer virus infected the ground control stations of U.S. Predator and Reaper drones, logging pilots’ keystrokes during their missions over Afghanistan, Libya and other war zones.

A few days ago, on Jan. 17, USS Guardian, a U.S. Navy minesweeper en route to Indonesia, ran aground on Tubbataha Reef in the Philippines, and it looks like a digital chart used for navigation was a significant contributing factor to the mishap.

USS Guardian

Image via PressTV

Notably, according to Navy Times (emphasis mine): “as of Jan. 18, Navy ships have been directed to ‘operate with caution’ when using similar electronic charts and compare the map data with paper charts, which are considered accurate.”

While the investigation will determine all the contributing factors, the preliminary analysis indicates that the reef’s misplacement resulted “from incorrect geographic rectification of satellite imagery used to build” the type of Digital Nautical Charts (DNC) used by the minesweeper and by most USN ships.

Hence, not an epic fail as that of Apple Maps, but possibly more dangerous.

All the source data for nautical charts will be reviewed.

In the meantime, old paper charts will guide U.S. warships through the world’s troubled waters.

Israel Blamed for Fueling Flame Cyber Weapon in Middle East

The day after its discovery, there are few doubts that the infamous malware dubbed Flame (or sKyWIper) was developed by a government with a significant budget and effort. The complexity of the malware suggests it has been used for a huge cyber-espionage campaign and, as was easily predictable, Israel is listed as the main culprit, though in good company if it is true, as argued by some bloggers, that the malware was created in close cooperation between the CIA and Mossad.

Israeli Vice Premier Moshe Ya’alon has contributed to fueling the Flame: speaking in an interview with Army Radio, Ya’alon hinted that Jerusalem could be behind the cyber attack, saying “Israel is blessed to be a nation possessing superior technology. These achievements of ours open up all kinds of possibilities for us.” In light of this statement, it does not look like a simple coincidence that the main victims of the cyber weapon, as reported by Kaspersky Lab, are nations that can hardly be described as being on good neighborly terms with Israel.

Consequently, it is not surprising that the same interview was readily reported by the Iranian news agency Fars (which interpreted it as an admission of responsibility and hence blamed Israel for waging cyber war on Iran), nor is the tone of several comments on an article posted on the Haaretz newspaper’s website (“Nice One Israel, Proud of You!!!!”).

Of course it is too soon to jump to conclusions. In any case, whether Israel (and the U.S.) is behind Flame or not, I could not help but wonder how it is possible that a piece of malware went undetected for at least five years. Are endpoint protection technologies really dead, leaving us at the mercy of a (cyber)world ruled by APTs?

If you want to have an idea of how fragile our data is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at And follow the author of this article @paulsparrows on Twitter for the latest updates.


Flame malware infiltrating Middle East computers: the most complex Cyber Weapon, ever!

Irony of fate: not even a day after the publication of a provocative article on the role of cyber warfare in maintaining peace, a new cyber threat appears that is destined to leave an indelible mark on the cyber weapons landscape.

Today is one of those days the infosec community will remember for a long time. It looks like the mystery of the malware targeting the Iranian oil business a month ago has been solved, and it is not the kind of conclusion we had hoped for and expected.

Almost simultaneously, Kaspersky Lab, CrySyS Lab and the Iranian Computer Emergency Response Team Coordination Center have released details of what has been described (arguably) as the most complex malware ever found.

The malware, which has been dubbed Flame (Kaspersky), or sKyWIper (CrySyS Lab), or also Flamer (CERTCC), has some unprecedented features that make it one of the most complex threats ever discovered:

  • Flame is a sophisticated attack toolkit: a backdoor, a Trojan, and a program with worm-like features (three in one). According to Kaspersky its development took a couple of years, and it will probably take years to fully understand Flame’s 20 MB of code.
  • According to CrySyS Lab, Flame has been in the wild since 2007, having been seen in the following regions: Europe on Dec 5 2007, the United Arab Emirates on Apr 28 2008 and the Islamic Republic of Iran on Mar 1 2010;
  • Flame is controlled via an SSL channel by a C&C infrastructure spread around the world, comprising from 50 (Kaspersky) to 80 (CrySyS) different domains;
  • Flame has many capabilities, including sniffing network traffic, taking screenshots, recording audio conversations and logging keystrokes. C&C operators may choose to upload up to about 20 modules, which expand Flame’s functionality;
  • The complete set of 20 modules is 20 MB in size when fully deployed (about 20 times larger than Stuxnet, and perhaps one reason it went undiscovered for so long);
  • Flame includes a piece of code (about 3,000 lines) written in Lua, an uncommon choice for malware;
  • The top 7 affected countries are the Islamic Republic of Iran (189 samples), Israel/Palestine (98), Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10) and Egypt (5);
  • Flame appears to have two modules designed for infecting USB sticks: “Autorun Infector” (similar to Stuxnet) and “Euphoria” (spreads on media using a “junction point” directory that contains malware modules and an LNK file that triggers the infection when the directory is opened);
  • Flame may also replicate via local networks using the following:
    1. The printer vulnerability MS10-061 exploited by Stuxnet, using a special MOF file executed on the attacked system through WMI;
    2. Remote job tasks;
    3. When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.
  • So far no 0-day vulnerabilities have been found; however, the fact that some fully patched Windows 7 installations have been compromised might indicate the presence of high-risk 0-days.
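The domain spreading step above (create an account, then use it to copy the malware onto other machines) leaves a recognizable trail in centralized Windows Security logs, and the block below is an added detection heuristic for it; it is not from the original post or from the Kaspersky or CrySyS reports. It looks for event 4720 (account created), followed within a short window by a type 3 (network) logon of that account, followed by a 5145 share access on ADMIN$ or C$. The record layout, the `detect_new_account_share_abuse` function and the `SAMPLE_EVENTS` are assumptions of this sketch; the sample records are constructed, not real logs.

```python
"""Detection sketch: a freshly created account that is promptly used over the
network to reach an administrative share.

Added example, not from the original post or from any vendor report. With
host logs centralised, the spreading sequence shows up as Security event
4720 (account created), then 4624 with logon type 3 (network logon) for that
account, then 5145 (detailed file share access) on ADMIN$ or C$. The record
layout is a constructed stand-in for parsed Windows event data.
"""
from datetime import datetime, timedelta

EVENT_ACCOUNT_CREATED = 4720
EVENT_LOGON = 4624
EVENT_SHARE_ACCESS = 5145
NETWORK_LOGON_TYPE = 3
ADMIN_SHARES = {"\\\\*\\ADMIN$", "\\\\*\\C$"}   # ShareName as written in 5145


def detect_new_account_share_abuse(events, window=timedelta(minutes=30)):
    """Return one alert per admin-share access by an account that was created,
    and first logged on over the network, within `window` before the access.
    Each event is a dict with at least 'ts' (ISO 8601) and 'id' (event ID)."""
    created = {}        # account -> creation time
    net_logon = {}      # account -> (time of first network logon, source ip)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        if ev["id"] == EVENT_ACCOUNT_CREATED:
            created[ev["target_user"].lower()] = t
        elif ev["id"] == EVENT_LOGON and ev.get("logon_type") == NETWORK_LOGON_TYPE:
            user = ev["target_user"].lower()
            if user in created and t - created[user] <= window and user not in net_logon:
                net_logon[user] = (t, ev.get("src_ip"))
        elif ev["id"] == EVENT_SHARE_ACCESS and ev.get("share") in ADMIN_SHARES:
            user = ev["subject_user"].lower()
            if user in created and user in net_logon and t - created[user] <= window:
                alerts.append({
                    "account": user,
                    "created": created[user].isoformat(),
                    "first_network_logon": net_logon[user][0].isoformat(),
                    "src_ip": net_logon[user][1],
                    "host": ev.get("host"),
                    "share": ev["share"],
                    "target": ev.get("relative_target"),
                    "minutes_after_creation": int((t - created[user]).total_seconds() // 60),
                })
    return alerts


# Constructed sample records (not real logs). Only the sequence involving
# 'rmtupd' should fire; the rest is ordinary administrative activity.
SAMPLE_EVENTS = [
    {"ts": "2012-05-28T09:00:00", "id": 4720, "host": "DC01",
     "subject_user": "admin", "target_user": "svc_backup"},
    {"ts": "2012-05-28T09:05:00", "id": 4720, "host": "DC01",
     "subject_user": "admin", "target_user": "rmtupd"},
    {"ts": "2012-05-28T09:07:00", "id": 4624, "host": "WS-17",
     "target_user": "rmtupd", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2012-05-28T09:08:00", "id": 5145, "host": "WS-17",
     "subject_user": "rmtupd", "share": "\\\\*\\ADMIN$",
     "relative_target": "update.dll", "src_ip": "10.0.5.23"},
    {"ts": "2012-05-28T10:30:00", "id": 4624, "host": "FS01",
     "target_user": "jdoe", "logon_type": 3, "src_ip": "10.0.7.41"},
    {"ts": "2012-05-28T10:31:00", "id": 5145, "host": "FS01",
     "subject_user": "jdoe", "share": "\\\\*\\Projects",
     "relative_target": "report.docx", "src_ip": "10.0.7.41"},
    # svc_backup is used three hours after creation, outside the window.
    {"ts": "2012-05-28T12:00:00", "id": 4624, "host": "FS01",
     "target_user": "svc_backup", "logon_type": 3, "src_ip": "10.0.9.2"},
    {"ts": "2012-05-28T12:01:00", "id": 5145, "host": "FS01",
     "subject_user": "svc_backup", "share": "\\\\*\\C$",
     "relative_target": "Backups\\full.bak", "src_ip": "10.0.9.2"},
]


def demo():
    return detect_new_account_share_abuse(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Event 5145 is only written when the “Audit Detailed File Share” subcategory is enabled and it is high-volume, which is why the heuristic restricts itself to administrative shares; the window and the share list are the two knobs to tune against the environment’s own provisioning habits.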

Without doubt an impressive piece of malware, written with the precise intent of cyber-espionage. Beyond the malware’s headline features, I find it particularly interesting that it shares an infection mechanism with Stuxnet, which makes me think of (another) possible double agent planting the first infection.

This (legitimate) suspicion is also reinforced by the disarming conclusions issued by CrySyS Lab:

The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities.

[Originally posted on]
