Wednesday, January 21, 2009

CWE/SANS TOP 25 Most Dangerous Programming Errors

(Compiler's note: A must read item.)

Project Manager: Bob Martin, MITRE

Experts Announce Agreement on the 25 Most Dangerous Programming Errors - And How to Fix Them
Agreement Will Change How Organizations Buy Software.


(January 12, 2009) Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.

The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies.

People and organizations that provided substantive input to the project are listed below. They are among the most respected security experts and they come from leading organizations ranging from Symantec and Microsoft, to DHS's National Cyber Security Division and NSA's Information Assurance Division, to OWASP and the Japanese IPA, to the University of California at Davis and Purdue University. The MITRE and the SANS Institute managed the Top 25 Errors initiative, but the impetus for this project came from the National Security Agency and financial support for MITRE's project engineers came from the US Department of Homeland Security's National Cyber Security Division. The Information Assurance Division at NSA and National Cybersecurity Division at DHS have consistently been the government leaders in working to improve the security of software purchased by the government and by the critical national infrastructure.

What was remarkable about the process was how quickly all the experts came to agreement, despite some heated discussion. "There appears to be broad agreement on the programming errors," says SANS Director, Mason Brown, "Now it is time to fix them. First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify."

The Office of the Director of National Intelligence expressed its support saying, "We believe that integrity of hardware and software products is a critical element of cybersecurity. Creating more secure software is a fundamental aspect of system and network security, given that the federal government and the nation's critical infrastructure depend on commercial products for business operations. The Top 25 is an important component of an overall security initiative for our country. We applaud this effort and encourage the utility of this tool through other venues such as cyber education."

Until now, most guidance focused on the 'vulnerabilities' that result from programming errors. This is helpful. The Top 25, however, focuses on the actual programming errors, made by developers that create the vulnerabilities. As important, the Top 25 web site provides detailed and authoritative information on mitigation. "Now, with the Top 25, we can spend less time working with police after the house has been robbed and instead focus on getting locks on the doors before it happens." said Paul Kurtz, a principal author of the US National Strategy to Secure Cyberspace and executive director of the Software Assurance Forum for Excellence in Code (SAFECode).

What You Will Find In This Announcement:

  • Which People and Organizations Made Substantive Contributions to the Top 25 Errors List?
    Please note that the proposed procurement guidelines incorporate in part language utilizing the OWASP Secure Software Contract Annex.
    https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex
  • How Will the Top 25 Errors Be Used?
  • How Important Are the Top 25 Errors?
  • What Errors Are Included in the Top 25?
  • Resources to Help Organizations Eliminate The Errors
  • Which People and Organizations Made Substantive Contributions to the Top 25 Errors List?

    Please note that the proposed procurement guidelines incorporate in part language utilizing the OWASP Secure Software Contract Annex. https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex.

    Robert C. Seacord, CERT
    Pascal Meunier, CERIAS, Purdue University
    Matt Bishop, University of California, Davis
    Kenneth van Wyk, KRvW Associates
    Masato Terada, Information-Technology Promotion Agency (IPA), (Japan)
    Sean Barnum, Cigital, Inc.
    Mahesh Saptarshi and Cassio Goldschmidt, Symantec Corporation
    Adam Hahn, MITRE
    Jeff Williams, Aspect Security
    Carsten Eiram, Secunia
    Josh Drake, iDefense Labs at VeriSign, Inc.
    Chuck Willis, MANDIANT
    Michael Howard, Microsoft
    Bruce Lowenthal, Oracle Corporation
    Mark J. Cox, Red Hat Inc.
    Jacob West, Fortify Software
    Djenana Campara, Hatha Systems
    James Walden, Northern Kentucky University
    Frank Kim, ThinkSec
    Chris Eng and Chris Wysopal, Veracode, Inc.
    Ryan Barnett, Breach Security
    Antonio Fontes, New Access SA, (Switzerland)
    Mark Fioravanti II, Missing Link Security Inc.
    Ketan Vyas, Tata Consultancy Services (TCS)
    Lindsey Cheng, Ian Peters and Tom Burgess, Secured Sciences Group, LLC
    Hardik Parekh and Matthew Coles, RSA - Security Division of EMC Corporation
    Mouse
    Ivan Ristic
    Apple Product Security
    Software Assurance Forum for Excellence in Code (SAFECode)
    Core Security Technologies Inc.
    Depository Trust & Clearing Corporation (DTCC)
    The working group at the first OWASP ESAPI Summit
    National Security Agency (NSA) Information Assurance Division
    Department of Homeland Security (DHS) National Cyber Security Division

    Robert Martin, CWE Project Leader at MITRE heralded the effort of these contributors by saying, "It is gratifying to see the amount of collaboration and energy that all these serious, security-savvy people invested in making this list as accurate and authoritative as it can be. Very impressive!"

    How Will the Top 25 Errors Be Used?

    The Top 25 Errors will have four major impacts:

    • Software buyers will be able to buy much safer software.
    • Programmers will have tools that consistently measure the security of the software they are writing.
    • Colleges will be able to teach secure coding more confidently.
    • Employers will be able to ensure they have programmers who can write more secure code.
    First, software buyers will be able to buy much safer software.

    Buyers will require that software vendors certify in writing that the code they are delivering is free of these 25 programming errors. Certification shifts responsibility to the vendor for correcting the errors and for any damage caused by those errors. The standard procurement language under development by the State of New York and other state governments already is being adjusted to use the Top 25 Errors. Over time the multi-national Common Criteria program may also adopt the Top 25 as one approach for ensuring code purchased by the US government is free of the Top 25 errors.

    Second, programmers will have tools that consistently measure the security of the software they are writing.

    Software testing tools will use the Top 25 in their evaluations and provide scores for the level of secure coding in software being tested. In parallel with this announcement, on January 12, one of the leading software testing vendors is announcing that its software will be able to test for and report on the presence of a large fraction of the Top 25 Errors. Application development teams will use such testing software during the development process.

    Colleges will be able to teach secure coding more confidently.

    Colleges and others who prepare programmers will use the Top 25 Errors as a foundation for curriculum that ensures their students know how to avoid the critical programming errors. One of the colleges that participated in developing the Top 25, UC Davis, has already established a secure coding clinic where student-written software is reviewed for the key programming errors that lead to critical security vulnerabilities. The Top 25 enables the clinic to prioritize errors in its review. Other colleges are beginning to emulate the secure coding clinics.

    Employers will be able to ensure they have programmers who can write more secure code.

    Employers will use the Top 25 Errors list as a guide for evaluating and improving skills of programmers they hire and of outsourced programming talent. More than 100 large employers are already using a common assessment tool called the GSSP (GIAC Secure Software Programmer) to measure secure coding skills. The GSSP exams are being reviewed in an effort to fully incorporate and highlight mastery of programming knowledge needed to find and eliminate or avoid the Top 25. More data on the GSSP may be found at http://www.sans-ssi.org/ and organizations with at least 500 programmers may have up to 100 of those programmers? secure coding skills assessed confidentially and at no cost. Email spa@sans.org to get that started.

    Courses are available that teach secure coding skills to programmers in C/C++, in Java, and in .NET languages. Information at http://www.sans-ssi.org/courses/

    How Important Are the Top 25 Errors?

    We asked several of the participants why they thought this effort was important enough to merit a significant amount of their time and expertise. Here are a few of their answers. More are at the end of the announcement.

    National Security Agency's Information Assurance Directorate
    "The publication of a list of programming errors that enable cyber espionage and cyber crime is an important first step in managing the vulnerability of our networks and technology. There needs to be a move away from reacting to thousands of individual vulnerabilities, and to focus instead on a relatively small number of software flaws that allow vulnerabilities to occur, each with a general root cause. Such a list allows the targeting of improvements in software development practices, tools, and requirements to manage these problems earlier in the life cycle, where they can be solved on a large scale and cost-effectively."
    -Tony Sager, National Security Agency's Information Assurance Directorate
    US Department of Energy:
    "The CWE/SANS Top 25 effort is extremely valuable and will provide many organizations with a tangible way to begin addressing software security problems."
    - Michael Klosterman, SCADA Operations, Western Area Power Association, US Department of Energy
    Depository Trust:
    "The CWE-SANS Top 25 Errors is a vital tool for organizations that believe in a risk-based approach to software security enabling them to assess the specific vulnerabilities identified in their environments compared with a composite perspective of risk from industry recognized experts."
    - Jim Routh, CISO, The Depository Trust & Clearing Corporation
    Microsoft:
    "The 2009 CWE/SANS Top 25 Programming Errors project is a great resource to help software developers identify which security vulnerabilities are the most important to understand, prevent and fix."
    - Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft Corp.
    OWASP Foundation:
    "When facing a huge application portfolio that could contain many thousands of instances of over 700 different types of weaknesses, knowing where to start is a daunting task. Done right, stamping out the CWE Top 25 can not only make you significantly more secure but can cut your software development costs."
    - Jeff Williams, Aspect Security CEO and The OWASP Foundation Chair
    Symantec:
    "The 2009 CWE/SANS Top 25 Programming Errors reflects the kinds of issues we've seen in application software and helps provide us with actionable direction to continuously improve the security of our software."
    - Wesley H. Higaki, Director, Software Assurance, Office of the CTO, Symantec Corporation
    Software Assurance Consortium:
    "As an advocate for the consumer, this is viewed as a giant step forward in providing security for all users. It increases awareness of the various levels of secure software by highlighting its effects on our daily use of all software products. The CWE/SANS Top 25 effort adds the capability to our tool box which in turn aids the SwAC in our mission to bring together Industry and Government to transform the security and dependability of all software products."
    - Dan Wolf, Director, Software Assurance Consortium.
    EMC:
    "The Top 25 List puts a powerful tool into the hands of the programmers along with every person involved in designing and developing software. The simple fact that such a list now exists will allow software assurance to be practiced more effectively."
    - Dan Reddy, Consulting Product Manager, EMC Product Security Office
    Purdue:
    "The CWE Top 25 should be watched because targeting the most troublesome programming mistakes can potentially reduce the occurrence of vulnerabilities and our exposure at a national level, while diminishing our undesirable dependence on patches."
    - Pascal Meunier, CERIAS, Purdue University
    Secunia:
    "This Top 25 is without a doubt one of the most useful compilations of common coding mistakes leading to vulnerabilities in software. The list, which has been created based on feedback from many experts in the security industry, focuses on selection criteria like severity and prevalence, thus covering a broad range of the most critical errors commonly introduced in applications today. The Top 25 is compiled in a easy-to-read and entertaining language and does not only provide a good understanding of common coding mistakes, but also how to avoid them. I can therefore highly recommend this read to anyone involved in software design to ensure that they won't make the same mistakes in 2009 as they've made previously."
    - Carsten Eiram, Chief Security Specialist, Secunia.
    Ken van Wyk:
    "This list of programming errors should be enormously useful to the community. It serves to help us all get our collective "arms around" understanding the most common security defects in our code, just as the OWASP Top 10 helps us understand the attacks against those defects."
    - Kenneth R. van Wyk, KRvW Associates, LLC
    Veracode:
    "A prioritized list of security issues is the starting point to make software security practical in the business world of resource constraints and ship dates. The Top 25 list gives developers a minimum set of coding errors that must be eradicated before software is used by customers."
    - Chris Wysopal, Co-Founder and CTO of Veracode, Inc.
    Core Security Technologies:
    "This is the first serious attempt at building a taxonomy of software security weaknesses and flaws with an emphasis on the practical application of identifying, preventing and fixing or mitigating the issues they pose. It is a necessary and long overdue step towards creating a common language for the software development and security communities in need of a more rational way to address what are currently the most urgent and relevant software security problems."
    - Ivan Arce, CTO of Core Security Technologies Inc.
    Breach Security:
    "The CWE/SANS Top 25 List is an excellent tactical resource for organizations to prioritize and remediate the root causes of today's successful attacks. This should be required reading for all developers as it is a "Cliff Notes" version of essential secure coding principles."
    - Ryan C. Barnett, Director of Application Security Research, Breach Security
    McAfee:
    "The 2009 CWE/SANS Top 25 Programming Errors effort is right on target. By educating software developers on the most important issues and showing them how to avoid writing security bugs, this effort will help programmers correct code issues before they become security problems."
    - Kent Landfield, Director, Risk and Compliance Security Research, McAfee, Inc.
    Ounce Lab:
    "Let's use this list as a way to jumpstart the solutions - make 2009 a year to make things happen and solve these problems that have been around way too long. Far too many solutions exist out there to help address these all-too-common errors. Start using this list to secure your software today because if the last few years have been any indication, tomorrow is already too late."
    - Ryan Berg, Co-Founder and Chief Scientist, Ounce Labs
    Grammatech:
    "Bugs in software are a plague on our profession and bad for business. They are inevitable, yet understanding of which bugs are most important is often gained the hard and expensive way when they show up in the field. The CWE/SANS Top 25 effort will raise awareness of the huge variety of different kinds of defects that can occur, and will help programmers focus on those that matter most to application quality and security."
    - Paul Anderson - Vice President of Engineering, Grammatech Inc.

    What Errors Are Included in the Top 25?

    The Top 25 Errors are listed below in three categories:

    Clicking "MORE" in any of the listings takes you to the relevant spot in the MITRE CWE site where you will find the following:

    • links to the full CWE entry data,
    • data fields for weakness prevalence and consequences,
    • remediation cost,
    • ease of detection,
    • attack frequency and attacker awareness
    • related CWE entries
    • related patterns of attack for this weakness.

    Each entry at the Top 25 Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.

    CATEGORY: Insecure Interaction Between Components

    CWE-20: Improper Input Validation

    It's the number one killer of healthy software, so you're just asking for trouble if you don't ensure that your input conforms to expectations...MORE >>

    CWE-116: Improper Encoding or Escaping of Output

    Computers have a strange habit of doing what you say, not what you mean. Insufficient output encoding is the often-ignored sibling to poor input validation, but it is at the root of most injection-based attacks, which are all the rage these days...MORE >>

    CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')

    If attackers can influence the SQL that you use to communicate with your database, then they can...MORE >>

    CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')

    Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications...If you're not careful, attackers can...MORE >>

    CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')

    When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers...MORE >>

    CWE-319: Cleartext Transmission of Sensitive Information

    If your software sends sensitive information across a network, such as private data or authentication credentials, that information crosses many...MORE >>

    CWE-352: Cross-Site Request Forgery (CSRF)

    With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim...MORE >>

    CWE-362: Race Condition

    Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable...MORE >>

    CWE-209: Error Message Information Leak

    If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data...MORE >>

    CATEGORY: Risky Resource Management

    CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer

    Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're...MORE >>

    CWE-642: External Control of Critical State Data

    There are many ways to store user state data without the overhead of a database. Unfortunately, if you store that data in a place where an attacker can...MORE >>

    CWE-73: External Control of File Name or Path

    When you use an outsider's input while constructing a filename, you're taking a chance. If you're not careful, an attacker could... MORE >>

    CWE-426: Untrusted Search Path

    If a resource search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing. This causes the software to access the wrong resources at the wrong time...MORE >>

    CWE-94: Failure to Control Generation of Code (aka 'Code Injection')

    For ease of development, sometimes you can't beat using a couple lines of code to employ lots of functionality. It's even cooler when...MORE >>

    CWE-494: Download of Code Without Integrity Check

    You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious. But attackers can perform all sorts of tricks...MORE >>

    CWE-404: Improper Resource Shutdown or Release

    When your precious system resources have reached their end-of-life, you need to...MORE >>

    CWE-665: Improper Initialization

    Just as you should start your day with a healthy breakfast, proper initialization helps to ensure...MORE >>

    CWE-682: Incorrect Calculation

    When attackers have some control over the inputs that are used in numeric calculations, this weakness can lead to vulnerabilities. It could cause you to make incorrect security decisions. It might cause you to...MORE >>

    CATEGORY: Porous Defenses

    CWE-285: Improper Access Control (Authorization)

    If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and...MORE >>

    CWE-327: Use of a Broken or Risky Cryptographic Algorithm

    You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers...MORE >>

    CWE-259: Hard-Coded Password

    Hard-coding a secret account and password into your software's authentication module is...MORE >>

    CWE-732: Insecure Permission Assignment for Critical Resource

    If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world - well, that's just what they'll become...MORE >>

    CWE-330: Use of Insufficiently Random Values

    If you use security features that require good randomness, but you don't provide it, then you'll have attackers laughing all the way to the bank...MORE >>

    CWE-250: Execution with Unnecessary Privileges

    Spider Man, the well-known comic superhero, lives by the motto "With great power comes great responsibility." Your software may need special privileges to perform certain operations, but wielding those privileges longer than necessary can be extremely risky...MORE >>

    CWE-602: Client-Side Enforcement of Server-Side Security

    Remember that underneath that fancy GUI, it's just code. Attackers can reverse engineer your client and write their own custom clients that leave out certain inconvenient features like all those pesky security controls...MORE >>

    Resources to Help Eliminate The Top 25 Errors

    The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites
    www.sans.org/top25
    cwe.mitre.org/top25/

    MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional programming errors, design errors and architecture errors that can lead to exploitable vulnerabilities. cwe.mitre.org/

    SANS maintains a series of assessments of secure coding skills in three languages along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.
    Email spa@sans.org for details
    And see www.sans-ssi.org/certification/ for the GSSP Blueprints

    SAFECode - The Software Assurance Forum for Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP and Symantec) has produced two excellent publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development.
    http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf

    Nearly a dozen software companies offer automated tools that test programs for these errors. SANS maintains case studies of user experience with these and other security tools at www.sans.org/whatworks.

    New York State has produced draft procurement standards to allow companies to buy software with security baked in.

    Draft New York State procurement language will be posted at www.sans.org/appseccontract.

    Intelligence Agencies' Databases Set to Be Linked After Years Bureaucratic Snags, System Aims to Ease Communications, Give Spies Access to More Data

    WASHINGTON -- U.S. spy agencies' sensitive data should soon be linked by Google-like search systems, nearly five years after the intelligence community was rebuked by the 9/11 Commission for failing to "connect the dots" and detect the attack.

    Director of National Intelligence Mike McConnell has launched a sweeping technology program to knit together the thousands of databases across all 16 intelligence agencies. After years of bureaucratic snafus, intelligence analysts will be able to search through secret domestic and international files the same way they search public data on the Internet.

    Mr. McConnell's new technology program is also addressing a more basic problem: Spies often have trouble emailing colleagues in other U.S. intelligence agencies, because email addresses aren't readily accessible, and messages sometimes get eaten by security filters. Mr. McConnell aims to solve that by uniting the agencies' email systems into a single system with a full directory that links names, expertise and addresses.

    Linking up the 16 agencies is the challenge at the heart of the job of director of national intelligence, created after 9/11. Dennis Blair, nominated by President Barack Obama to succeed Mr. McConnell, faces a confirmation hearing Thursday where senators are likely to ask how he will make agencies with different histories and missions work together.

    The new information program also is designed to include Facebook-like social-networking programs and classified news feeds. It includes enhanced security measures to ensure that only appropriately cleared people can access the network. The price tag is expected to be in the billions of dollars, but much of that money will be reallocated from existing technology programs.

    The impact for analysts, Mr. McConnell says, "will be staggering." Not only will analysts have vastly more data to examine, potentially inaccurate intelligence will stand out more clearly, he said.

    Today, an analyst's query scans about 5% of the total intelligence data in the U.S. government, said a senior intelligence official. Even when analysts find documents, they sometimes can't read them without protracted negotiations to gain access. Under the new system, an analyst could search around 95% of the data, the official said.

    Several similar efforts have been aborted in the past decade, because cultural divides couldn't be bridged between rival agencies. Some of those efforts predated 9/11, and many intelligence agencies have botched their own technology programs since 2001.

    Mr. McConnell's team says this effort, called the Information Integration Program, has experienced officials working on it full-time and is designed to deliver tangible products every few months. "There really is a very different spirit about doing all these things than there was, I think, in the past," said Prescott Winter, a senior National Security Agency official who is directing the program for Mr. McConnell.

    The program is likely to get a review from Mr. Blair. The new administration is expected to make sure it is adequately funded, effective and protects privacy.

    The initiative grew out of discussions more than a year ago between the Pentagon's intelligence chief and Mr. McConnell's top deputy, who were concerned that military and civilian intelligence data couldn't be easily tapped. They asked the chief information officers at the six largest intelligence agencies to develop a solution.

    Over the summer, the officers began to sketch out the technology and policy problems to be solved, including protecting sources and connecting systems at different levels of classification. They also assembled case studies, which showed that the typical analyst is using technology that is about a decade old, a senior intelligence official said.

    In September, all 16 agencies agreed to the goal of creating one searchable data and email system, and Mr. McConnell borrowed Mr. Winter from the NSA to get the program under way.

    The first stage of the initiative is to merge the email systems of the six largest intelligence agencies, including the Federal Bureau of Investigation, the Central Intelligence Agency and the NSA. Mr. Winter said that is on track to be largely completed by the end of the month. Then, they will expand to the other 10 agencies. By 2010, the intelligence agencies and the Pentagon would have a single email system.

    With the Google-like system, intelligence officials would like to connect the bulk of the databases by the end of the year, though no firm date has been set. The system would search all intelligence data, and quickly determine which data an analyst is permitted to see. Someone focused on one corner of the world may be allowed to see everything available on the countries in the region, but not other regions.

    Currently, an analyst might run a search but not be able to open a document without negotiating for access. "You don't want to sort of have to play Twenty Questions to figure out where it is hidden," Mr. Winter said.

    Time for a Break

    You are not going to believe this one! Check out this video of a stunt plane which loses one of it's wings. You won't believe what happens next! Amazing!

    AirRace plane loses wing, watch what happens next!

    China warns of "grim" fight against deadly bird flu

    BEIJING, Jan 21 (Reuters) - China faces a "grim" situation in preventing and controlling human cases of bird flu, the health minister said, after announcing four human infections in the last two weeks and three deaths.

    Health Minister Chen Zhu called for hospitals to spare more resources in diagnosing and treating bird flu and more cooperation between agriculture authorities and his ministry, Xinhua news agency said.

    A Chinese newspaper reported that the mother of a toddler diagnosed with bird flu had died of severe pneumonia earlier this month, but no samples had been taken to see if she had bird flu. She had been in contact with poultry before her death.

    The toddler, and the three recent fatalities, have all fallen ill in areas where there have been no known cases of bird flu in birds. China vaccinates heavily for bird flu, raising concerns among some experts that the vaccines could be masking the presence of the virus.

    "The current cases are separate cases. There's no connection," Shu Yuelong, vice director of virus control and prevention with the National Centre for Disease Control and Prevention, was quoted by Xinhua as saying.

    "But these cases warn us to improve prevention and supervision over the epidemic and ensure early detection and diagnosis when new cases are found."

    The H5N1 strain of flu remains largely a virus among birds, but experts fear it could change into a form that is easily transmitted among humans and could spark a pandemic that could kill millions worldwide.

    Since the H5N1 virus resurfaced in Asia in 2003, it has infected 391 people, killing 247 of them, according to WHO figures released in mid-December. At least 34 people have been infected in China and 23 have died.

    Worth Reading: A Report on Drug Trafficking That is Terrifying and Incomplete

    By Douglas Farah

    If you want a fairly complete, and completely terrifying view of the power of organized criminal activity in the United States, take some time to read the National Drug Threat Assessment of the National Drug Intelligence Center.

    Yet as good and comprehensive as it is, it reflects one of the fundamental weaknesses and walls that still exist.

    The entire report mentions the overlap with terrorist activities exactly ONE time, and that, in a footnote relating to prison radicalization.

    While different law enforcement agencies (the DEA in particular) have made drug cases leading directly to Hezbollah, the FARC and the Taliban, this is not mentioned. The FARC is the primary trafficking organization in Colombia, while the Taliban controls most of the heroin heading to Europe. Hezbollah skims from illicit drug laundering from Venezuela to Colombia to Maracaibo and Panama. At least 19 of the 43 designated terrorist organizations have been shown to have direct ties to drug trafficking.

    Yet the NDIC is kept completely separate from terrorist analysis, just as terrorist analysts are still largely segregated from anything to do with drug trafficking and organized crime. It is called stovepiping information, as the 9/11 Commission made famous.

    This, despite the fact that there is an undeniable and growing link between terrorist organizations and the organized criminal pipeline.

    I understand the report was on the threat of drugs in the United States. But, given the existing case precedent and stated desire of different terrorist organizations to attack the United States, I cannot help reading things like the following and wondering what it portends in terms of terrorism.

    Mexican DTOs (drug trafficking organizations) are the greatest drug trafficking threat to the United States; they control most of the U.S. drug market and have established varied transportation routes, advanced communications capabilities, and strong affiliations with gangs in the United States. Mexican DTOs control a greater portion of drug production, transportation, and distribution than any other criminal group or DTO.

    Their extensive drug trafficking activities in the United States generate billions of dollars in illicit proceeds annually. Law enforcement reporting indicates that Mexican DTOs maintain drug distribution networks or supply drugs to distributors in at least 230 U.S. cities.

    So, we have groups that can cross our border virtually at will and have access to at least 230 cities. How do they manage to coordinate their activities? By using technology that law enforcement and the intelligence can only dream of acquiring.

    Mexico- and U.S.-based Mexican drug traffickers employ advanced communication technology and techniques to coordinate their illicit drug trafficking activities. Law enforcement reporting indicates that several Mexican DTOs maintain crossborder communication centers in Mexico near the U.S.–Mexico border to facilitate coordinated cross-border smuggling operations. These centers are staffed by DTO members who use an array of communication methods, such as Voice over Internet Protocol, satellite technology (broadband satellite instant messaging), encrypted messaging, cell phone technology, two-way radios, scanner devices, and text messaging, to communicate with members. In some cases DTO members use high frequency radios with encryption and rolling codes
    to communicate during cross-border operations.

    So, while setting up shop in 230 cities, these organizations can cross our borders and communicate at will to coordinate actions on both sides of the border. Accessing this pipeline would the the ultimate dream of any terrorist organization seeking to attack the United States or any place along the way.

    It is striking to me how much good reporting is available, but from the USG and private sources, and still how few of the dots are connected in a way that gives a picture of the whole.

    Taliban commander killed in Kandahar

    By

    Coalition forces killed a senior Taliban commander in the insurgency-wracked south, where a battle for control of Kandahar province is underway.

    Taliban commander Haji Adam was killed in a "precise air strike" in Kandahar's contested Maywand district. Adam was "directly involved in the movement of fighters, improvised explosive device production, and in the planning and execution of attacks," the International Security Assistance Force stated in a press release.

    Adam was "also engaged in the illegal narcotics trade in the Sangin area of Helmand, using the profits to fund insurgent activity." Maywand borders the district of Sangin in neighboring Helmand province. He had "strong links to senior Taliban leaders Akhter Mohammed Mansour, Mullah Naim Barich and Attiqullah."

    The Taliban and Coalition forces have been vying for control of Kandahar's Maywand province. Several operations have taken place in the rural district over the past year. US soldiers from the 1st Infantry Division's 3rd Brigade Combat Team built Combat Outpost Terminator earlier this month to establish a permanent presence in the region. Two days prior to the opening of the outpost, two US soldiers and three Afghan civilians were killed in a suicide attack at a market.

    Coalition and Afghan forces have been targeting senior Taliban leaders in Kandahar and neighboring Helmand and Uruzgan provinces in an effort to decapitate the group's leadership and regain control of the rural areas.

    In July 2008, several Taliban military commanders and members of the "shadow government" for Kandahar were killed in a series of strikes. The Taliban establishes a shadow or parallel government in the regions it control. These shadow governments fill the void by dispensing sharia justice, mediating tribal and land disputes, collecting taxes, and recruiting, arming and training fighters.

    The Taliban have established shadow governments throughout Afghanistan, with provincial and militarily leaders appointed to command activities. Last week, the Taliban claimed to be in control of more than 70 percent of Afghanistan's rural areas and established shadow governments in 31 of Afghanistan's 34 provinces.

    In Uruzgan province, Coalition and Afghan forces, lead by the Australians, have conducted multiple operations and raids in an effort to wrest control of the province from the Taliban. Five days ago, Coalition and Afghan forces launched a major operation to clear the Baluchi Valley, a region just south of Tarin Kot.

    Over the past year, Australian Special Forces killed four Taliban commanders and captured seven more in Uruzgan. More than 180 Taliban fighters were also killed in the clashes.

    In August 2008, Uruzgan's shadow governor was detained and several Taliban commanders were killed. Heavy fighting took place in October, with more than 70 Taliban killed after they attacked an outpost.

    In October, Coalition forces killed a senior Taliban leader who commanded forces in Helmand province and also coordinated operations in Kandahar, Nimroz, and Farah provinces. US Marines killed more than 500 Taliban fighters during operations in Helmand province during 2008. The Marines are expected to be extending the deployment in Helmand as part of the upcoming 'surge' of US forces. More than 30,000 US troops are expected to be deployed in Afghanistan by mid-summer.

    Kandahar and Helmand provinces remain two of the most violent in Afghanistan. The violence in Uruzgan has tripled during 2008, making it one of the most dangerous provinces in the South.

    Roubini Predicts U.S. Losses May Reach $3.6 Trillion (Update1)

    By Henry Meyer and Ayesha Daya bailout

    Jan. 20 (Bloomberg) -- U.S. financial losses from the credit crisis may reach $3.6 trillion, suggesting the banking system is “effectively insolvent,said New York University Professor Nouriel Roubini, who predicted last year’s economic crisis.

    “I’ve found that credit losses could peak at a level of $3.6 trillion for U.S. institutions, half of them by banks and broker dealers,” Roubini said at a conference in Dubai today. “If that’s true, it means the U.S. banking system is effectively insolvent because it starts with a capital of $1.4 trillion. This is a systemic banking crisis.

    Losses and writedowns at financial companies worldwide have risen to more than $1 trillion since the U.S. subprime mortgage market collapsed in 2007, according to data compiled by Bloomberg.

    President Barack Obama will have to use as much as $1 trillion of public funds to shore up the capitalization of the banking sector, following the $350 billion injection by the Bush administration, Roubini told Bloomberg News. Congress last year approved a $700 billion rescue fund, of which half remains to be disbursed.

    Bank of America Corp., the largest U.S. bank by assets, posted a quarterly loss of $1.79 billion last week, its first since 1991, and received $138 billion in emergency government funds. Citigroup Inc. posted an $8.29 billion fourth-quarter loss, completing its worst year, and plans to split in two under Chief Executive Officer Vikram Pandit’s plan to rebuild a capital base eroded by the credit crisis.

    ‘Bankrupt’ System

    “The problems of Citi, Bank of America and others suggest the system is bankrupt,” Roubini said. “In Europe, it’s the same thing.”

    Stocks in Europe, Canada and Brazil dropped yesterday on speculation government efforts to shore up the financial industry will fail to stem the deepening global recession. The U.K.’s Royal Bank of Scotland Group Plc said it expects to post a loss of as much as 28 billion pounds ($41 billion) for 2008 and the government got ready to raise its stake in the lender.

    Oil prices will trade between $30 and $40 a barrel all year, Roubini predicted.

    “I see commodities falling overall another 15-20 percent,” Roubini said. “This outlook for commodity prices is beneficial for oil importers, it’s going to imply that economic recovery might occur faster, but from the point of view of oil exporters, this will be very negative.”

    Oil has tumbled 77 percent from its July high of $147.27 as the global economy sinks into recession, straining the budgets of crude exporters. Saudi Arabia, Oman and Dubai, the second- largest sheikdom in the United Arab Emirates, have said they will post budget deficits this year.

    Crude oil for February delivery fell to $32.70, down 10.4 percent from last week’s close and the lowest since Dec. 19, on the New York Mercantile Exchange today. The contract traded at $33.37 a barrel at 10:45 a.m. London time.

    Inaugural prayer slam prompts Obama smile

    By Chelsea Schilling

    Outrage is erupting over the inauguration benediction by Rev. Joseph Lowery, an 87-year-old civil rights pioneer, for asking God to help mankind work for a day when "white would embrace what is right."

    Lowery, known for co-founding the Southern Christian Leadership Conference with Martin Luther King Jr., asked God to encourage America to make "choices on the side of love, not hate, on the side of inclusion not exclusion, tolerance not intolerance" after President Barack Obama took the presidential oath.

    Then he ended his prayer with, "Lord, in the memory of all the saints who from their labors rest, and in the joy of a new beginning, we ask you to help us work for that day when black will not be asked to get back, when brown can stick around – when yellow will be mellow – when the red man can get ahead, man – and when white will embrace what is right."

    Obama reacted to the benediction with a smile.

    The crowd cheered and boomed with a loud "Amen."

    However, talk radio host Rush Limbaugh said Lowery's prayer "offended" and was "far more memorable than the inaugural address by President Obama."

    Referring to Lowery's "When black will not be asked to get in back" comment, Limbaugh responded, "When does that happen today? Did we not just inaugurate a black man as president of the United States?"

    Limbaugh went through each statement about color, attempting to decipher Lowery's intended message.

    "I know it's a left over from the '60s thing," he said. "It's not relevant today! Everybody here is living in the past, and they don't want anybody to think we've made any progress at all despite inaugurating Barack Obama as president today."

    Repeating Lowery's "When white will embrace what is right" statement, Limbaugh said, "He just insulted this country, large numbers of which elected Barack Obama president of the United States."

    Several angry bloggers posted reactions to Lowery's prayer, including the following:

    • Didn't whites just do that by electing Jesus Christ president?
    • Am I allowed to be offended?
    • Race card pulled during the inauguration. Wow that didn't take long.
    • It is completely inappropriate to have that in any prayer, much less a prayer at an inauguration that is supposed to be about how "We're all one."
    • Black … brown … red … yellow … white? I'm stunned. The prayer is so racist and so inappropriate. Is Rev. Lowery just a kinder, gentler Rev. Wright?
    • You guys are all spelling it wrong. That's the problem. I'm sure that if you look at his notes you'll see that it says "… whites will embrace what is Wright."

    Al-Qaeda cell killed by Black Death 'was developing biological weapons'

    from Telegraph.co.uk

    An al-Qaeda cell killed by the Black Death may have been developing biological weapons when it was infected, it has been reported.

    The group of 40 terrorists were reported to have been killed by the plague at a training camp in Algeria earlier this month.

    It was initially believed that they could have caught the disease through fleas on rats attracted by poor living conditions in their forest hideout.

    But there are now claims the cell was developing the disease as a weapon to use against western cities.

    Experts said that the group was developing chemical and biological weapons.

    Dr Igor Khrupinov, a biological weapons expert at Georgia University, told The Sun: "Al-Qaeda is known to experiment with biological weapons. And this group has direct communication with other cells around the world.

    "Contagious diseases, like ebola and anthrax, occur in northern Africa. It makes sense that people are trying to use them against Western governments."

    Dr Khrupinov, who was once a weapons adviser to the Soviet president Mikhail Gorbachev, added: "Instead of using bombs, people with infectious diseases could be walking through cities."

    It was reported last year that up to 100 potential terrorists had attempted to become postgraduate students in Britain in an attempt to use laboratories.

    Ian Kearns, from the Institute for Public Policy Research, told the newspaper: "The biological weapons threat is not going away. We're not ready for it."

    US Agencies Chase Down Potential Inauguration Day Terror Threat

    from National Terror Alert Response Center

    US intelligence services chased reports of a potential terrorist threat Tuesday as President Barack Obama was sworn in before massive crowds amid an unprecedented security lockdown.

    Officials were tightlipped about the seriousness of the terrorist threat, with the Department of Homeland Security saying the information was “of limited specificity and uncertain credibility.”

    But a Homeland Security official, who asked not to be identified, said it was linked to a militant Somali group called al-Shabab.

    “The FBI has acknowledged publicly that there has been a lot of incoming information, all of which we are running to ground. This is the only specific bulletin that has gone out,” the official said.

    With an estimated two million or more people jammed into the heart of Washington to celebrate the inauguration of the first African American president, security officials braced for a potential security nightmare.

    But the most vulnerable moment of the day passed without incident when Obama and his wife Michelle stepped down from a slow moving motorcade and walked along Pennsylvania Avenue to the deafening cheers of the multitudes.

    Secret Service agents in black coats walked the route, at the ready as Obama’s motorcade crept from the Capitol to the White House.

    The Obamas moved through a city blanketed by more than 12,500 active troops and military reservists, thousands of metropolitan police with reinforcements from 99 law enforcement agencies around the nation.