Sunday, February 24, 2013

Boeing's CHAMP Missile Demo - Directed High Frequency Microwave Disables Electronics

By Randy Jackson

A recent weapons flight test in the Utah desert may change future warfare after the missile successfully defeated electronic targets with little to no collateral damage.

Boeing and the U.S. Air Force Research Laboratory (AFRL) Directed Energy Directorate, Kirtland Air Force Base, N.M., successfully tested the Counter-electronics High-powered Microwave Advanced Missile Project (CHAMP) during a flight over the Utah Test and Training Range.

CHAMP, which renders electronic targets useless, is a non-kinetic alternative to traditional explosive weapons that use the energy of motion to defeat a target.

Artist's rendering shows a CHAMP flying over a target

Power is cut to a room of computers after being hit by a high-powered microwave pulse from a Counter-electronics High-powered Advanced Missile Project.

During the test, the CHAMP missile navigated a pre-programmed flight plan and emitted bursts of high-powered energy, effectively knocking out the target's data and electronic subsystems. CHAMP allows for selective high-frequency radio wave strikes against numerous targets during a single mission.

"This technology marks a new era in modern-day warfare," said Keith Coleman, CHAMP program manager for Boeing Phantom Works. "In the near future, this technology may be used to render an enemy’s electronic and data systems useless even before the first troops or aircraft arrive."

Power is cut to a room of computers after being hit by a high-powered microwave pulse from a Counter-electronics High-powered Advanced Missile Project.

Friday, February 22, 2013

Linux in Defense - An Urgent Threat to National Security | Dan O'Dowd

By Dan O’Dowd, CEO of Green Hills Software

Many people have called me an alarmist for saying that the spread of Linux through defense systems is an urgent threat to national security. They ask: “What is the big problem? Sure there are plenty of malicious hackers releasing worms and viruses on the Internet bringing down Linux systems, inserting keystroke loggers on computers to steal passwords and credit card numbers, and lots of other mischief, but what does that have to do with national security?”

Many major defense programs are planning to rely on Linux for their security, including the Army’s Future Combat System (FCS), the Land Warrior, and the Global Information Grid, which will connect all future military systems into a single network. If the security of these systems is compromised, there will be dire consequences.

Foreign Intelligence Services Will Compromise Any Defense System that uses Linux

If it is easy for a bunch of juvenile delinquents to find and exploit Linux security vulnerabilities in their spare time, imagine how easy it is for foreign intelligence agencies and military services with huge budgets, buildings full of computers, and armies of dedicated full-time Ph.D.s to exploit security vulnerabilities. The difference between the cyberattack capabilities of foreign governments and the capabilities of the “script kiddies,” who so frequently disrupt computer networks, is the difference between an armored division and a gang of juvenile delinquents. According to Vince Cannistraro, former director of counterintelligence at the CIA, "China is developing a cyberattack capability… to be used in case of war." Many other countries have similar programs to exploit our critical dependence on computer systems and networks.

The movement to the Global Information Grid will make our entire defense system dependent on computer networks. National security will be completely dependent on the security of the operating systems that run the computers that constitute the Global Information Grid. If we use the same operating systems for the Global Information Grid that high school students can hack into in their spare time, we must expect that the Global Information Grid will be easily hacked, spied on, disabled, and commandeered by those who are determined to harm us.

When juvenile delinquents find a vulnerability in Linux they create viruses and worms to exploit the vulnerability. They measure their success by the scope of the disruption they cause. The disruption causes the Linux community to develop a patch for the vulnerability. But foreign intelligence and military services do not announce their success when they compromise one of our systems. They secretly collect data, passwords, encryption keys, military plans, intelligence assessments, force deployments, security arrangements, and the latest weapons technology. The Linux community won’t develop a patch for a security problem until some juvenile delinquent discovers it and exploits it to cause widespread disruption. When a foreign intelligence agency or military service finds a previously unreported vulnerability with their superior resources, they silently compromise Linux systems all over the world for months or years without anyone noticing until some amateur finds and exploits the vulnerability. After a foreign intelligence agency or military service compromises one of our systems, they install a back door so that when the vulnerability that they have exploited is eventually patched, the system will remain compromised. Every infected system is used to silently infect the systems to which it is connected by exploiting the trust that those systems place in the infected system. Once an attacker is inside the network, silently compromising the rest of the installation is usually easy.

Security Patches Guarantee Insecurity

Many people argue that having source code for the operating system that they use makes it easy to install patches when security vulnerabilities are found. But this argument implicitly acknowledges that so many Linux security vulnerabilities occur so often that the efficiency of installing patches is an important issue!

The issuance of a security patch for a vulnerability means that for months or years the system has been vulnerable to an easy attack. At every moment in time, every Linux system in the world can be spied on, disabled, or commandeered by an attack that exploits any of the vulnerabilities that will be fixed by future security patches. The need for frequent security patches proves that a system is always vulnerable to easy attack and subversion.

It is frightening to think that our national defense might become dependent on Linux systems that are always vulnerable to easy attack and subversion. When war breaks out, the enemy will immediately deploy cyber attacks and activate back doors that they have spread throughout our systems when they were vulnerable. All of the vulnerable systems and all of the systems that were compromised while they were temporarily vulnerable will go out of service or be commandeered by the enemy. We will be defenseless.

What we need for critical defense systems is software that is secure all of the time: systems that never need to be patched. We need operating systems that are proven secure by mathematically sound methods such as the Common Criteria Evaluation Assurance Level 7 (See Part I of this series of white papers). Our systems must never be vulnerable. Just one moment of vulnerability, before a patch can be applied, is enough time for a patient attacker, waiting for the moment to strike, to get inside a system and install a permanent back door that will survive the patch that removes the vulnerability. Our defense systems need an operating system like Green Hills Software’s INTEGRITY real-time operating system whose security can be mathematically ensured at all times without any need for patches.
The 9/11 terrorist organizers had creativity, patience, and a desire to kill as many people as possible. The terrorists’ success and their continued ability to evade capture provides an example and encouragement to others. We must not turn our national defense over to Linux or any other operating system that is vulnerable to easy attack and subversion at all times. The 9/11 terrorist organizers, and all those whom they have inspired, are still out there, and they are still creative and patient. And if we make our national defense easy to attack, they will kill a lot more people. If Linux is deployed in critical defense systems, the result will be catastrophic.

Our Enemies Will Compromise our Defense Systems if We Use Linux

Some people say my concerns are unfounded. They say no one is intentionally inserting malicious code into software that they know is going to be used in military systems or critical infrastructure. Who would do such a thing? Who would even think of doing such a thing? We would. And we did it. And we are proud of it according to a CIA website. In the early 1980’s, thanks to French intelligence, the CIA penetrated a massive Soviet intelligence operation to obtain technology from the West. The CIA intentionally fed phony technology to the Soviet Union through this channel to disrupt Soviet attempts to modernize their military and civilian infrastructure.

The CIA had a program to insert Trojan horses and back doors into software that the Soviets got from the West. One exploit was recently recounted by Thomas Reed, former Secretary of the Air Force and a member of President Reagan’s National Security Council, in his book, “At the Abyss: An Insider's History of the Cold War.” In the early 1980’s, the CIA inserted a Trojan horse into a Canadian company’s pipeline control software that the CIA knew the Soviets were planning to use to control the trans-Siberian gas pipeline. The software worked fine for a while – just long enough for it to pass its tests. But after the software was running the pipeline, the CIA Trojan horse took over, raising pressures to unsafe levels. The stress on the pipeline eventually resulted in a massive three kiloton explosion. By the late 1980’s, the Soviets came to realize that much of the software that they had gotten from the West had been sabotaged by U.S. intelligence agencies.

It is incredibly naive to believe that no other country would take an easy opportunity to sabotage our military systems or critical infrastructure when we have been doing the same thing to them for over twenty years!

The Threat to National Security Posed by Using Linux in Defense Systems is Urgent
Many people believe that the threat to national security posed by using Linux in defense systems is not urgent because Linux security is better than any alternative. But Part III of this series of white papers shows that Linux is even less secure than Microsoft Windows, which most open source advocates would probably agree is not secure enough for defense applications. For example, the U.S. National Institute of Standards and Technology (NIST) security vulnerabilities database lists more vulnerabilities for Linux than Windows in every one of the last ten years.

The alternative to Linux for defense systems is not Windows. Part I of this series of white papers shows that the only safe operating system for defense systems is an absolutely-secure totally-reliable real-time operating system, such as INTEGRITY-178B, which has been approved for the highest levels of safety by the Federal Aviation Administration and which meets the requirements of the NSA’s most stringent security standards.

Many people believe that the open source process will detect any attempt by intelligence agents to insert back doors, Trojan horses, or other malicious code into Linux. But Part II of this series of white papers shows that it is ridiculous to believe that the many eyes looking at Linux source code will find all of the malicious code cleverly hidden in the Linux source code by foreign intelligence agents, when they can’t even find the thousands of bugs accidentally left lying around in the code by honest contributors every year.

People are choosing Linux for use in defense systems because they have heard that Linux is more secure and less expensive than any alternative operating system. Nothing could be farther from the truth. Part III of this series of white papers shows that the severe security and reliability problems of Linux are systemic and cannot be fixed, while Part IV of this series of white papers shows that the total cost of using Linux in a defense system far exceeds the cost of using an absolutely-secure totally-reliable operating system, such as INTEGRITY.

The urgent threat to national security is that defense systems may soon be using a hopelessly insecure operating system with thousands of bugs that will inevitably lead to a national disaster, when absolutely-secure totally-reliable operating systems are available that will ensure national security.

Linux is Spreading Rapidly through our Defense Systems

One reason that Linux is spreading so rapidly through our defense systems is that it is much easier to acquire than proprietary software. The bureaucratic hassle involved in acquiring proprietary software can be substantial. In order to use proprietary software, the purchase must be budgeted and a purchase requisition must be approved. Then the legal department must negotiate the license agreement with the vendor. This can extend the process even more. On the other hand, Linux bypasses all of the purchasing, legal, and security procedures because it can be freely downloaded from the Internet without the need for a budgetary adjustment, a purchase requisition, or legal review.

A recent two week survey by MITRE found 251 deployments of Linux and other free and open source software in the Department of Defense. Linux is being considered for many more defense systems. For instance, the Linux community has widely disseminated an article in National Defense Magazine, November 2003, that quotes Army Lt. Col. Dave Gallop, program manager for the Army’s Land Warrior as saying, “We are moving in general to where the Army is going, to Linux-based OS.” The Linux community has also often referred to a Boeing website for Future Combat. The question “What Operating System will FCS use? Windows? VX Works? Lynxos? Linux? Other?” is answered with “FCS C4ISR has selected the Linux OS.”

We Must Act Now to Stop the Spread of Linux through our Defense Systems

It is not yet too late to prevent Linux from compromising national security. So far, Linux has only been deployed in a few defense systems, but its use in the development of new defense systems is spreading rapidly.

We must act quickly to move the development of new defense systems off of Linux. Early in the development phase, it is not difficult to port software from Linux to an absolutely-secure totally-reliable POSIX compliant operating system, such as INTEGRITY. But as development proceeds, it becomes increasingly difficult to switch operating systems without impacting schedules. There will come a day when the bureaucrats will decide that keeping to the schedule is more important than building a secure system. That is when we are all in real trouble. That is why we must act now. If that makes me an alarmist, we need more alarmists.

The only thing necessary for the triumph of evil is for good people to do nothing.

Thursday, February 21, 2013

Virtual Suicide Assistance - This is the end, my only friend, the end! | Seppukoo

Due to the paradoxical controversy between the Facebook and Seppukoo; Seppukoo is no longer able to assist in your 'virtual suicide'! However, you don't really need a web service to get rid of your virtual identity... You can do it yourself, get your own memorial page and join Seppukoo's legendary suicidal wall.

Now the power of Seppukoo is in your hands, use it well, young samurai!

Hacking Facebook Privacy - Chris Conley | Defcon 18

Chris Conley is the Technology & Civil Liberties Fellow at the ACLU of Northern California where he focuses on launching the organization's new online privacy campaign, Demand Your dotRights. A former computer scientist turned lawyer, Chris still uses his tech skills to explore the ramifications of new technologies and to create educational tools that expose the privacy consequences of technical design, ranging from short videos to Facebook applications. He works with users, developers, businesses, and lawmakers to promote transparency, protect individual rights from government intrusion, and give users of new technologies greater control of their own information.

What can we, as hackers, do to protect the privacy of those millions?

Facebook's privacy issues are numerous and well-documented, from software "glitches" to decisions that take control away from users. Despite that, it is a still-growing force in the modern Internet and is currently trying to position itself as the gateway to the "social Web" for its 500 million users.

This panel walks through a few existing projects that apply software skills to the privacy challenges that Facebook presents, from working within the system using Facebook's Platform API to adding a layer to the system with browser extensions to presenting a robust open-source alternative to the whole Facebook platform. We'll discuss how these different tools fit into various strategies to alter or replace Facebook's existing privacy regime and what other approaches might be successful in protecting privacy on Facebook and other user networks.

Wednesday, February 20, 2013

How I met your girlfriend - Samy Kamkar | Defcon 18

Defcon 18 was held in 2010. @SamyKamkar does a great job explaining the math and the technology behind PHP and some of the more popular social media sites; while still making his presentation very entertaining!

Samy Kamkar is a security researcher, possibly best known for creating the Evercookie and the MySpace worm Samy (XSS), and for his mobile phone tracking research that showed that the Apple iPhone, Google Android and Microsoft Windows Phone mobile devices transmit GPS and Wi-Fi information to their parent companies!

Sunday, February 10, 2013

Sam Bowne: Who Cares About IPv6 and Dos Attacks at DEFCON 18

What is IPv6? Why should you care? If we ignore it, will it just go away? This video covers changes in internet protocol and the vulnerabilities this represents. It also covers the denial of service (DoS) attacks that some hackers like the Jester, members of Anonymous and LulSec have used.

The current Internet Protocol numbering scheme, IPv4, is nearing its end-of-life. Within two years, all the IPv4 numbers will be allocated, so that new devices will not be able to connect directly to the Internet. We all will be forced to adapt to the new IPv6 system soon. But how can we get started?

This talk explains why IPv6 is necessary, how it works, and how everyone can quickly and easily start using it now. I will explain and demonstrate how to set up a free tunnel to access the Internet via IPv6.

I will also explain the Hurricane Electric IPv6 certifications. The certifications are great because they guide a novice through the stages of IPv6 knowledge: connecting as a client, setting up an IPv6-enabled Web server, email server, DNS server, and glue records.

There are large security implications to IPv6 too. I will explain several important IPv6 vulnerabilities and countermeasures, including auto-configuration privacy risks, torrents over IPv6, bypassing VPNs with IPv6, Routing Header Zero packet amplification attacks, and the ping-pong IPv6 DoS vulnerability.

My goal is to convince the audience to pay attention to IPv6 and to guide them to an easy way to start learning about it and using it now. All my students at City College San Francisco will have IPv6 homework from now on--you need to get on board now or be left behind!

Download Power Point Slides and you can follow Sam Bowne at

Saturday, February 9, 2013

Think your web browsing doesn't leave a footprint? Think Again!

How you are tracked on the internet no matter what you do! Even if you think you are anonymous, someone is keeping track of you!

If you're not paying for something, you're not the customer; you're the product being sold. - Andrew Lewis

As you surf the Web, information is being collected about you. However, web tracking is not as bad as it sounds. Tracking data can make your web browsing more efficient. Websites and advertisers store cookies on your computer to help your favorite websites personalize your visit. It helps advertisers show you adds for products you may be interested in, and helps make the internet a better user experience. However as Gary Kovacs points out, it's your right to know what data is being collected about you and how it affects your online life. He unveils a Firefox add-on to do just that: