The new leader of al Qaeda in Iraq said in an audio message posted online yesterday that more than 4,000 foreign terrorists have been killed in Iraq since the U.S.-led invasion in 2003 — the first apparent acknowledgment from the insurgents about their losses.
The message also called for experts in the fields of “chemistry, physics, electronics, media and all other sciences — especially nuclear scientists and explosives experts” to join the terror group’s holy war against the West.
“We are in dire need of you,” said the man, who identified himself as Abu Hamza al-Muhajir — also known as Abu Ayyub al-Masri — the leader of al Qaeda in Iraq. “The field of jihad [holy war] can satisfy your scientific ambitions, and the large American bases [in Iraq] are good places to test your unconventional weapons, whether biological or dirty, as they call them.”
It was not clear why al-Masri would advertise the loss of the group’s foreign fighters, but martyrdom is revered among Islamist fundamentalists, and could be used as a recruiting tool. The Arabic word he used, “muhajer,” indicated he was speaking about foreigners who joined the insurgency in Iraq, and not coalition troops.
“The blood has been spilled in Iraq of more than 4,000 foreigners who came to fight,” the man thought to be al-Masri said on the 20-minute tape. The voice could not be independently identified.
Al-Masri also offered amnesty to Iraqis who cooperated with their country’s “occupiers,” calling on them to “return to your religion and nation” during the Muslim holy month of Ramadan, which Sunnis began observing in Iraq on Saturday and Shi’ites on Monday.
He urged insurgents to capture Westerners so they could be traded for the imprisoned Egyptian Sheik Omar Abdel-Rahman, who was convicted in 1995 of conspiring to blow up New York landmarks.
“I appeal to every holy warrior in the land of Iraq to exert all efforts in this holy month so that God may enable us to capture some of the Western dogs to swap them with our sheik and get him out of his dark prison,” he said.
Al-Masri, a Sunni Muslim, is believed to have succeeded Abu Musab Zarqawi, who died in a U.S. air strike north of Baghdad in June.
Meanwhile, police found 40 more bodies in Baghdad, and bombings and shootings killed at least 21 persons in a spike of violence with the onset of Ramadan.
A car bomb exploded near a restaurant in central Baghdad, killing five persons and wounding 34, police said. Although the Muslim fasting month of Ramadan is under way, some Iraqis — including Christians — are not abstaining from eating meals during daytime hours.
The violence came amid reports from a number of senior coalition military officials that a large and powerful militia run by radical Shi’ite cleric Muqtada al-Sadr has been breaking apart into freelance death squads and gangs — some of which are being influenced by Iran.
Sheik al-Sadr’s Mahdi Army is one of the largest and most powerful militias in Iraq, along with the Badr Brigades, which was once the military wing of Iraq’s largest Shi’ite political group — the Supreme Council for the Islamic Revolution in Iraq.
http://washingtontimes.com/
At a customer site the other day I saw that they were having a problem with timeouts. Timeouts are something that many people will overlook, but they are very important because they can usually lead to inaccurate scan results.
Typical reasons for timeouts to occur:
WebInspect will retry the attack as many times as your settings specify, but timeouts can still cause it to falsely flag issues such as buffer overflows, miss pages, and worse yet, miss critical vulnerabilities.
When an attack times out it is usually the result of the web app, the server, or the network closing the connection. To determine which one is responsible, go to the scan log tab and look at the requests that are failing (the ones in red). To examine a request more closely, double-click on the red text and scroll to the right. The error message should be something similar to “Request timed out”, “Connection forcibly closed”, or “Connection closed by remote host”.
If sequential requests are failing…
…you may have lost your connection to the server, or the server (or application) may have gone down. Verify using your web browser that the app is indeed working and the server is up as well. On one customer site, WebInspect’s crawler found the administration section of the application’s framework and took the site down. If something like this is the case, make sure to exclude that section by un-selecting that area in your scan tree, or adding some values to “Excluded URLs” in your default scan settings. If the application is indeed up, change your timeout settings to the ones at the bottom of the page.
…you may have hit a problem page in the application. If you are currently on one of the parameter manipulation engines (e.g. Query Injection, Postdata Injection, etc.) and all of a sudden every request is failing, check the text in red. If it is the same filename every time, just with different parameter attacks, you have definitely hit a problem page. Some applications have pages that do not respond well to garbage stuck in their parameters. Rather than give an error message back to the user, they simply leave the connection dangling and WebInspect slowly times out. These problems should be reported to the developers and the problem page noted for further evaluation. There could actually be a vulnerability here, but there is definitely a problem with quality of service.
If random requests are failing…
…you may have an IPS (intrusion prevention system) or a web app firewall between you and your target machine. If signature-based attacks like “boot.ini” and “etc/passwd” fail but other requests seem to be fine, this is most definitely the case. Some security professionals do not know whether they have one of these devices in between them and the application, and only find out by seeing WebInspect timeouts and then asking their networking teams. While scanning with one of these devices turned on is a good test of the device, you will want to turn it off (or ask the networking guys for a bypass) for a comprehensive vulnerability test of the web application. Just remember, it is better for you to find it through security scanning than for a hacker to find it down the road.
…you may have hit the limit of the application. See the section directly below.
If you are getting an extraordinary amount of timeouts…
…you may have an application that cannot handle the load of a web scan, or the number of concurrent requests that we are making at a time. Sometimes applications closely watch a user’s session state, and when we make several requests at a time using the same session state, the application hangs. To prevent this, make the settings changes at the bottom of the page. If this does not help, you should consider speaking with the developers about the problem. With these slower settings WebInspect should not put a larger load on the application than about 3 concurrent users would. You might also ask about putting the application on a better server.
These settings are designed to slow a scan down as a result of timeouts. To change these in WebInspect, go into Tools -> Default Settings.
Request Timeout: 60 (secs)
Reason: if you increase the time until a request times out, it will allow more time for a slower application (or server) to respond.
Retry Count: 5
Reason: if you increase the retry count, when a request fails WebInspect will retry it again and again, making sure that the attack takes place. Note: the total amount of requests is calculated like so: 1 (original) + 5 (retry count) = 6 total requests
Thread Count: 1
Reason: if you lower the amount of threads the scan will take longer, but WebInspect will be much gentler on the application (and server) and you should fix most of your timeout problems.
Total Timeouts: 500
Reason: if you are having problems with the scan pausing after you reach a bunch of timeouts, increase this value. If the scan still pauses after 500 total timeouts, you are definitely doing an inaccurate scan and you should consult your development and networking teams.
Consecutive Timeouts: 50
Reason: if you see 50 timeouts in a row you have probably lost your connection to the server or the application has gone down, whereas hitting the default of 20 consecutive timeouts can be the result of an IPS or web app firewall.
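The decision rules above (sequential vs. random failures, same filename vs. many, signature attacks only, an extraordinary total) and the consecutive/total thresholds from the settings list can be applied mechanically to a list of failing requests. The following is an added example written for this page, not WebInspect code or its log format; the entry tuples, the 20 and 500 defaults as limits, and the sample logs are constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlparse, unquote

# Error texts the write-up says appear in red in the scan log tab.
TIMEOUT_ERRORS = ("Request timed out", "Connection forcibly closed",
                  "Connection closed by remote host")
# Requests an IPS or web-app firewall tends to drop on signature alone.
SIGNATURE_MARKERS = ("boot.ini", "etc/passwd")


def is_timeout(error_text):
    return any(msg in error_text for msg in TIMEOUT_ERRORS)


def longest_run(request_numbers):
    """Longest run of consecutive request numbers (sequential failures)."""
    best = run = 0
    prev = None
    for n in sorted(request_numbers):
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def triage(entries, consecutive_limit=20, total_limit=500):
    """entries: (request_no, url, error_text) tuples; '' error means success."""
    failed = [(n, url) for n, url, err in entries if is_timeout(err)]
    if not failed:
        return "no timeouts"
    if len(failed) >= total_limit:
        return "load: application cannot handle the scan; use the slower settings"
    if longest_run(n for n, _ in failed) >= consecutive_limit:
        paths = Counter(urlparse(url).path for _, url in failed)
        if len(paths) == 1:  # same filename every time, only the parameters differ
            return "problem page: %s hangs on manipulated parameters" % next(iter(paths))
        return "connection lost: server or application appears down"
    sig = sum(any(m in unquote(url) for m in SIGNATURE_MARKERS) for _, url in failed)
    if sig == len(failed):  # only the signature attacks are being dropped
        return "ips/waf: ask the networking team for a scanning bypass"
    return "random timeouts: check for an IPS/WAF or an application limit"


# Constructed samples (hypothetical hosts and paths), not real scan logs.
SAMPLE_PROBLEM_PAGE = [(300 + i, "/report.aspx?id=test%d" % i, "Request timed out")
                       for i in range(25)]
SAMPLE_DOWN = [(500 + i, "/page%d.aspx" % i, "Connection forcibly closed")
               for i in range(25)]
SAMPLE_WAF = [(700 + i, "/view.aspx?f=../boot.ini" if i % 7 == 0
               else "/view.aspx?f=test%d" % i, "Request timed out" if i % 7 == 0 else "")
              for i in range(40)]
```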
More information about this topic:
Get this fix right away: Microsoft released an unusual out-of-cycle patch yesterday for the latest zero-day hole in Internet Explorer 6 that can hit fully patched systems (up until yesterday) with a drive-by-download.
The threat involves images in a little-used Microsoft format called VML, for vector markup language. Microsoft had originally said it would release a patch on its next scheduled update day, Oct. 10. But my colleague Robert McMillan at the IDG news service reported that there are already thousands of Web sites exploiting this VML graphics bug. So to their credit, Microsoft moved more quickly than they originally stated. The ongoing attacks against the similar WMF hole from January likely played a part.
Redmond is distributing the fix via Automatic Updates. I installed the patch on my computers last night as I got the notice (I have updates set to download automatically but wait for my ok to install). You should also be able to run Windows Update manually to get it.
Earlier this month, Mitre revealed that web application vulnerabilities have now claimed the top three spots on the CVE request list. Specifically, the ranking for 2006 is as follows:
The statistics are significant as they provide evidence of the prevalence of web application vulnerabilities. Coverage of this issue has however been somewhat misleading, as reports have suggested that it is a measure of what attackers are doing. This assumption is false. CVE requests represent the volume of discovered vulnerabilities in commercial and open source applications; they do not reflect the degree to which those vulnerabilities exist in the real world, nor do they reflect what vulnerabilities attackers are actually using to access vulnerable systems.
Web applications pose a unique threat, as programming web applications does not require employing skilled programmers. Anyone with access to various point-and-click tools is now a web developer. For that reason, I suspect that web application vulnerabilities are even more of a threat in the real world than the Mitre statistics would suggest. CVE numbers tell us that web application vulnerabilities are plaguing software developers, but they do not provide insight into vulnerabilities within custom-built sites.