Threat Weekly – A Situational Awareness Report from our
Technical Security Team
Volume 2, Issue 2 – 12 January 2012
Both Microsoft and Adobe have released
important security patches this week. Computer devices are at
elevated risk until they are patched.
TOP OF THE NEWS
Israel vows to retaliate after credit cards are
Israel has said it will respond to
cyber-attacks in the same way it responds to violent "terrorist"
acts after the credit card details of thousands of its citizens
were published online. A hacker named OxOmar claiming to be Saudi
said on Thursday he had leaked the private information.
Credit card companies say at least
6,000 valid cards have been exposed. Reports say OxOmar may be a
19-year-old living in Mexico.
Such cyber-attacks are "a breach of
sovereignty comparable to a terrorist operation, and must be
treated as such", Deputy Foreign Minister Danny Ayalon has said.
"Israel has active capabilities for striking at those who are
trying to harm it, and no agency or hacker will be immune from
retaliatory action," he added, without giving further details.
An aide to Mr Ayalon said Israel was
aware of the report OxOmar may be in Mexico, but had not yet
requested help from the Mexican authorities, Reuters news agency
Symantec: Hackers did steal code, but it's old
Symantec confirmed late Thursday that hackers
did in fact compromise a portion of its source code, but the stolen
code is related to two enterprise security products that have been
discontinued. The code belonged to Endpoint Protection 11.0 and
Antivirus 10.2, which are four and five years old, respectively.
Symantec's consumer security line, Norton, was not affected.
"Presently, we have no indication that the code
disclosure impacts the functionality or security of Symantec's
solution," the company said in a Facebook update. "Furthermore,
there are no indications that customer information has been
impacted or exposed at this time." Symantec said an unnamed
third-party network, not its own, was breached.
It is possible the hacked network belonged to
India's military intelligence agency. On Thursday, a cyber-gang
named The Lords of Dharmaraja said it possessed source code
belonging to a dozen software companies, according to a Pastebin
document. A second document, which is no longer available,
contained a sneak peek of the Symantec source code and promised a
A spokesman for the anti-virus company
originally denied that any of the documents revealed code, but now
the company confirms that one of them did include a segment of the
programming language. Experts said the age of the code will likely
prevent misuse. "In general, there isn't much hackers can learn
from the code which they hadn't known before," Rob Rachwald,
director of security strategy at Imperva, told SCMagazine.com in an
email. "Why? Most of the anti-virus product is based on attack
signatures. By basing defences on signatures, malware authors
continuously write malware to evade signature detection. With code
that is four to five years old, chances are the software product
has changed quite a bit, making the code even less useful."
Microsoft finally vanquishes the BEAST-related bug
A Microsoft Windows update today [Tuesday] fixes
a weakness in the protocols used to secure e-commerce sites, which
was first exposed by researchers using a tool they dubbed
Microsoft planned to release the BEAST (Browser
Exploit Against SSL/TLS)-related patch last month, but had to pull
it because it created compatibility issues with SAP software.
Researchers had demonstrated the vulnerability using BEAST in
September, prompting fears that attackers would use the tool to
snoop on protected Internet sessions in what is called a
"man-in-the-middle" attack. MS12-006 patches a hole in the Secure
Sockets Layer and Transport Layer Security protocols.
The seven bulletins in Microsoft's Patch Tuesday
release fix eight vulnerabilities and only one bulletin is rated
"critical" -- MS12-004. It plugs two holes in Windows Media Player
that could allow an attacker to take over a computer by sending a
malicious MIDI or DirectShow file to a targeted user. More details
are available at the Microsoft TechNet blog.
The security bulletin summary for January also
includes MS12-001 to address a security feature bypass flaw, a new
category of issues that can't be directly exploited by an attacker,
but which an attacker could use to facilitate use of another
Meanwhile, Adobe released updates today for
Adobe Reader X (10.1.1) and earlier versions for Windows and
Macintosh, and Adobe Acrobat X (10.1.1) and earlier versions for
Windows and Macintosh to resolve critical security issues.
US expels Venezuela diplomat after cyber-attack
Venezuela's consul general in Miami was ordered
Sunday to leave the United States after allegations surfaced that
she discussed possible cyber-attacks on U.S. soil. The State
Department said it had declared the diplomat, Livia Acosta Noguera,
persona non grata and given her until Tuesday to leave the
State Department spokesman Mark Toner said the
Venezuelan government was notified of the decision on Friday,
giving her 72 hours to depart under standard diplomatic procedure.
There was no immediate reaction from the Venezuelan government.
Toner would not discuss the reason for the expulsion, but said it
was done in accordance with Article 23 of the Vienna Convention on
Consular Relations. That article does not require the expelling
state to explain its decision. The move follows an FBI
investigation into allegations contained in a documentary aired by
the Spanish-language broadcaster Univision last month.
According to the documentary, "The Iranian
threat," Acosta discussed a possible cyber-attack against the U.S.
government when she was previously assigned as a diplomat in the
Venezuelan Embassy in Mexico. The documentary was based on
recordings of conversations with her and other officials, and also
alleged that Cuban and Iranian diplomatic missions were involved.
Citing audio and video obtained by the students at the National
Autonomous University of Mexico, Univision said Acosta was seeking
information about the servers of nuclear power plants in the
After the documentary aired, the State
Department said the allegations were "very disturbing" and
officials said the FBI had opened an investigation into the matter.
The New York Times reported that there was no indication American
officials had been able to substantiate the allegations aired by
Univision. However, it said, the decision to expel the diplomat
coincided with the Obama administration's expression of disapproval
for Venezuela's willingness to maintain friendly relations with
Venezuela's leader, Hugo Chavez, expelled the
American ambassador to Venezuela, Patrick D. Duddy, in September
2008, charging that the United States was backing a group of
military officers plotting a coup against him. In response, the
United States expelled the Venezuelan ambassador. Despite the
breakdown in diplomatic relations, the two countries continue to
have deep economic ties. Venezuela is the fourth-largest supplier
of crude oil to the United States, the NYT said.
Iran squeezes Web surfers, prepares censored national
Iranians have lost the right to surf the Web
anonymously at Internet cafes as the government reportedly moves
closer to its ultimate goal of replacing the global network with a
censored national intranet. The Iranian Cyber Police published new
rules on Wednesday designed to allow officials to know exactly who
is visiting what Web sites. Before they can log on, Iranians are
required to provide their name, father's name, address, telephone
number and national ID, according to an Iranian media report cited
by Radio Free Europe. Cafe owners will be required to install
security cameras and to keep all data on Web surfers, including
browsing history, for six months.
The rules, which come as the country prepares
for parliamentary elections in March, are a deterrent to activists
who might want to use the Internet cafes to organize protests.
Calls to boycott elections distributed via social networks or
e-mail will be treated as national security crimes, the Iranian
judiciary announced last week, according to a report today in the
Wall Street Journal. Government officials claim they need to
control access to the Internet to counter what they say is a "soft"
cultural war being waged by Western countries to influence the
morals of Iranians.
Monitoring Web surfers is an interim measure
until the government is done building out its own domestic intranet
that is "halal," or pure. Initially, the Iran intranet will run in
tandem with the Internet before the global Web is shut off to the
23 million Internet users in Iran, according to reports. Payam
Karbasi, spokesman for Iran professional union Corporate Computer
Systems, told Iranian media that the domestic network, which was
announced last March, would be launched in coming weeks, the WSJ
Iranians have reported that during the
intranet tests this week, Internet connections have slowed down and
Web sites have been blocked. Access to VPNs (virtual private
networks) Iranians use to access sites like Facebook, Twitter and
YouTube has also been affected, reports said.
Widespread protests over purported fraud in
the 2009 election, which brought President Mahmoud Ahmadinejad back
to office, prompted the Iranian government to cut off access to
opposition Web sites and mobile telephone networks. But protesters
flocked to Twitter and Facebook to skirt the communications
crackdown, to spread videos and news and to organize
demonstrations. Tor and other tools were then used to get around
government shutdowns of those sites.
Some of the extreme censorship measures
adopted by Iran have also been used in Libya and in China, which
deploys the "Great Firewall" to keep objectionable content out of
the country. China also requires identification to use Internet
cafes in Beijing, and has a history of shutting down blogs as well
as allegedly meddling with Gmail and targeting activists with
THE REST OF THE WEEK’S NEWS
US Navy Warships Brace For Cyber Attacks
As the Navy prepares to push further into the
Western Pacific, service leaders are doing all they can to prepare
their warships for potential cyberattacks, the head of the Navy's
surface warfare fleet said today.
Cyberwarfare remains the preeminent threat to
U.S. naval forces around the world, Vice Adm. Richard Hunt,
commander of naval surface forces, said today. The Navy, along with
the rest of the Pentagon and U.S. government, is constantly
pursuing ways to fortify government networks from cyberattacks.
Many of these attacks are allegedly launched by China or their
allies across the globe. Aside from protecting its key networks,
Navy leaders are also looking at ways to keep the fleet combat
ready in the wake of a cyberattack.
Hunt stressed maintaining the readiness and
resilience of Navy warships, even if critical communication
networks are clipped due to a cyberattack. One strategy Hunt and
other Navy leaders are exploring is extending how long a ship can
sustain itself at sea without resupply. If a cyberattack cripples a
ship's navigation and communications systems, it is essentially on
its own. A ship's crew can survive and fight without resupply or
support for only a finite amount of time. Since there is no
guarantee when that isolated ship will be able to re-establish
comms with the rest of the fleet, service leaders want to stretch
how long that vessel can fend for itself in contested waters, Hunt
explained. "We need to find a way to work around that," he
Navy leaders are also looking to implement a
more rigorous ship inspection process to "minimize discovery" of
sometimes fatal flaws in some of the fleet's older vessels.
Spearheaded by Hunt's office, the Navy is "actively moving forward"
with those plans, the three-star admiral said. Service leaders are
in the midst of putting the final touches on a Navy-wide guidance
outlining the aggressive new plan, he added. This plan, if
successful, will help the Navy take on the massive role envisioned
for the service in the White House's new national security
strategy. President Obama personally unveiled the plan last week at
With a limited number of new ships expected
to come into the fleet over the next decade, Navy leaders will need
every functional hull in the water to make the administration's
plan work. For his part, Hunt is not worried. "If there is a
[maritime] chokepoint out there, we are going to be there," he
Via Glen Forbes
Man Arrested in US $1.5 Million Skimming Case
A Romanian man has been arrested in a $1.5
million card-skimming operation that targeted 40 ATMs belonging to
HSBC branches in New York. Between May 2010 and this week Laurentiu
Iulian Bulat and others allegedly installed card-skimming devices
that stole card numbers and PINs on HSBC ATMs in Manhattan, Long
Island and Westchester.
The devices recorded information embedded in
the magnetic stripe of bank cards as customers inserted them into
the ATMs. Pin-hole cameras the hackers installed in the ATMs
recorded the PINs as customers typed them on the keypad. The
thieves would return to the ATMs within a day or two to collect the
stored data and subsequently embed it on blank cards. Then using
the videotaped PINs, they withdrew about $1.5 million from customer
accounts over about seven months, authorities say.
According to an affidavit filed by U.S.
Secret Service Agent Eric Friedman, Bulat was caught on
bank surveillance cameras on Thursday morning – and on prior
occasions – installing the skimmers and pin-hole cameras and made
no attempt to hide his face.
Bulat, according to authorities, has been in
the U.S. illegally on an overstayed visa. He’s charged with one
count of conspiracy to commit bank fraud and one count of bank
fraud. If convicted, he faces a maximum sentence of 60 years in
Pirate Bay block prompts Anonymous to launch DDOS
Anonymous has struck the websites of two
anti-piracy organizations, a day after Finnish ISP Elisa blocked
access to The Pirate Bay search engine in response to an injunction
requested by one of the organizations. The Finnish site for the
International Federation of the Phonographic Industry (IFPI) and
the website for the Copyright Information and Anti-Piracy Centre
(CIAPC) of Finland were both offline, apparently as a result of a
distributed denial-of-service attack, said Antti Kotilainen,
CIAPC's managing director. CIAPC does work for the IFPI, he said.
"It doesn't really affect our work but of course it's annoying,"
Kotilainen said. The owner of the Twitter account "@anon_finland"
took credit for the attack, writing on Monday that "we'll keep it
down as long as want."
On Monday Elisa stopped its subscribers
accessing The Pirate Bay and other associated websites and
domain-name servers, to comply with a temporary injunction issued
by a Helsinki court at the request of IFPI Finland in October.
Elisa has filed an appeal with Helsinki's Court of Appeal,
according to a company statement.
The IFPI is asking for injunctions that would
force two other major ISPs, TeliaSonera and DNA, to block The
Pirate Bay, Kotilainen said. Those rulings may be released as soon
as next month, Kotilainen said. If granted, the injunctions would
mean the website would be blocked in about 80 percent of the
Finnish broadband market, Kotilainen said. The Pirate Bay enables
users to search for torrents, or small information files that
coordinate the download of content among people using the
BitTorrent file-sharing system. For years, it has drawn the ire of
the entertainment industry, who allege that most of the content it
indexes has been shared in violation of copyright protections.
In November, IFPI Finland and music companies
Warner Bros., EMI, Universal Music Group and Sony Music
Entertainment filed a civil suit in Finland against three men
affiliated with The Pirate Bay: Peter Sunde, Fredrik Neij and
Gottfrid Svartholm Warg. The suit asks the court for compensation
and for the three to stop infringing copyright, Kotilainen
Kotilainen said he holds little hope for
In April 2009, the three men plus Carl
Lundström, were each sentenced to one year in prison in a Stockholm
court for being accessories to crimes against copyright law. The
court ordered that the four pay about 11 million Swedish kronor to
Twentieth Century Fox and €41,467 (US$54,000) to Sony Music
Entertainment in Sweden. They were also supposed to forfeit 1.2
million Swedish kronor (US$140,000) in advertising revenue
generated from the site.
In 2010, three of the four men lost an
appeal, but they hope Sweden's Supreme Court will take on the case,
according to the TorrentFreak blog.
New slow-motion DoS attack: just a few PCs, little fear of
Qualys Security Labs researcher Sergey
Shekyan has created a proof-of-concept tool that could be used to
essentially shut down websites from a single computer with little
fear of detection. The attack exploits the nature of the Internet's
Transmission Control Protocol (TCP), forcing the target server to
keep a network connection open by performing a "slow read" of the
The Slow Read attack, which is now part of
Shekyan's open-source slowhttptest tool, takes a different approach
than previous "slow" attacks such as the infamous Slowloris—a tool
most notably used in 2009 to attack Iranian government websites
during the protests that followed the Iranian presidential
election. Slowloris clogs up Web servers' network ports by making
partial HTTP requests, continuing to send pieces of a page request
at intervals to prevent the connection from being dropped by the
Slow Read, on the other hand, sends a full
request to the server, but then holds up the server's response by
reading it very slowly from the buffer. Using a known vulnerability
in the TCP protocol, the attacker could use TCP's window size
field, which controls the flow of data, to slow the transmission to
a crawl. The server will keep polling the connection to see if the
client—the attacker—is ready for more data, clogging up memory with
unsent data. With enough simultaneous attacks like this, there
would be no resources left on the server to connect to legitimate
Shekyan said in his post about the tool that
this type of attack could be prevented by setting up rules in the
Web server's configuration that refuse connections from clients
with abnormally small data window settings, and limit the lifetime
of an individual request.
SQL Injection Attack Spreads
At the beginning of December researchers from
the Internet Storm Center spotted a relatively limited SQL attack -
about 80 affected pages - redirecting visitors of legitimate
websites to malicious ones serving fake AV and fake Adobe Flash.
Now, a little over a month later, the number of affected websites
has surpassed one million, officially large enough to
sound the alarm again. The attack was dubbed "Lilupophilupop" by
the researchers after the domain to which the victims are
redirected. The offending string is typically introduced into
several tables, and sites running ASP or ColdFusion with an MSSQL
backend are targeted primarily.
At the beginning, the attack looked
completely automated and was spreading rapidly, but researcher Mark
Hofman says that it now seems to be partially automated and
partially manual. "The manual component and the number of sites
infected suggests a reasonable size work force or a long
preparation period," he concluded. The attackers first probed
systems for vulnerable pages and tried to establish which product
was being used. This went on for a couple of weeks, and from a
variety of IP addresses, and once a vulnerable page had been found,
the script was inserted.
“If you want to find out if you have a
problem just search for: "<script="http://lilupophilupop.com/"
in Google and use the site: parameter to hone in on your domain,"
he advises, and warns that identifying the entry page is crucial
for cleaning the site. "If you restore your DB and bring the system
back online without identifying the entry point, then it will only
be a matter of time before the system is re-compromised. When
looking at fixing the problem do not forget that this vulnerability
is a coding issue. You may need to make application changes."
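One way to run the same check from the database side, as an added example that is not part of the original report: it walks every text column of every table for script tags loading from the domain named above, and, going beyond that single domain, from any host outside an allowlist. The in-memory SQLite database (standing in for an MSSQL backend), the table names, sample rows and allowlist are all constructed assumptions.

```python
import re
import sqlite3
from collections import Counter
from urllib.parse import urlsplit

# Redirect domain named in the report; everything else here is constructed.
MARKER_DOMAIN = "lilupophilupop.com"
# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.test", "static.example.test"}

# A <script ...> tag and the first URL inside it. Tolerant of both
# <script src="http://..."> and the <script="http://..." form quoted above.
SCRIPT_URL_RE = re.compile(r"<script[^>]*?(https?://[^\s\"'<>]+)", re.IGNORECASE)


def q(identifier):
    """Quote a table or column name taken from the schema."""
    return '"' + identifier.replace('"', '""') + '"'


def build_sample_db():
    """Constructed sample data: three tables, some rows carrying injected tags."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, title VARCHAR(200),
                               description TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, headline VARCHAR(200), body TEXT);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author VARCHAR(80), text TEXT);
    """)
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        (1, "Red widget", "A plain red widget.", 9.5),
        (2, "Blue widget",
         'A blue widget.<script src="http://lilupophilupop.com/"></script>', 12.0),
        (3, "Green widget",
         '<script src="http://static.example.test/app.js"></script>Green.', 7.25),
    ])
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", [
        (1, 'Sale starts Monday<script="http://lilupophilupop.com/"', "Details soon."),
        (2, "New store opening", "We are opening a second store."),
    ])
    conn.execute("INSERT INTO comments VALUES (1, 'visitor', "
                 "'Nice <script src=\"http://cdn.unknown.test/x.js\"></script>')")
    return conn


def text_columns(conn, table):
    """Names of the columns whose declared type holds character data."""
    cols = []
    for _cid, name, ctype, *_rest in conn.execute(f"PRAGMA table_info({q(table)})"):
        if any(t in (ctype or "").upper() for t in ("CHAR", "TEXT", "CLOB")):
            cols.append(name)
    return cols


def scan_database(conn):
    """Return one finding per script tag that loads from a non-allowlisted host."""
    findings = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    for table in tables:
        for col in text_columns(conn, table):
            sql = (f"SELECT rowid, {q(col)} FROM {q(table)} "
                   f"WHERE {q(col)} LIKE '%<script%' ORDER BY rowid")
            for rowid, value in conn.execute(sql):
                for match in SCRIPT_URL_RE.finditer(value):
                    host = (urlsplit(match.group(1)).hostname or "").lower()
                    if host in ALLOWED_SCRIPT_HOSTS:
                        continue
                    findings.append({
                        "table": table, "column": col, "rowid": rowid, "host": host,
                        # True when the host is the campaign domain or a subdomain.
                        "known_campaign": host == MARKER_DOMAIN
                        or host.endswith("." + MARKER_DOMAIN),
                    })
    return findings


def affected_tables(findings):
    """Findings per table, to show how widely the string was written."""
    return dict(Counter(f["table"] for f in findings))


if __name__ == "__main__":
    for f in scan_database(build_sample_db()):
        label = "campaign domain" if f["known_campaign"] else "off-allowlist host"
        print(f'{f["table"]}.{f["column"]} rowid={f["rowid"]} {f["host"]} ({label})')
```

A hit list like this only shows where the string landed; it does not identify the vulnerable entry page the quoted advice says must be found before the site goes back online.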
Dammit Ramnit! Worm slurps 45,000 Facebook
A bank account-raiding worm has started
spreading on Facebook, stealing login credentials as it creeps
across the site, security researchers have revealed. Evidence
recovered from a command-and-control server used to coordinate the
evolving Ramnit worm confirms that the malware has already stolen
45,000 Facebook passwords and associated email addresses. Experts
from Seculert, who found the controller node, have supplied
Facebook with a list of all the stolen credentials found on the
server. Most of the victims are from either the UK or France.
Ramnit differs from other worms, such as
Koobface, that have used Facebook to spread because it relies on
multiple infection techniques and has only recently extended onto
social networks. Koobface, by contrast, only uses Facebook or
Twitter to spread. "Ramnit started as a file infector worm which
steals FTP credentials and browser cookies, then added some
financial-stealing capabilities, and now recently added Facebook
worm capabilities," Aviv Raff, CTO at Seculert, told El Reg.
"We suspect that they use the Facebook logins to post on a victim's
friends' wall links to malicious websites which download Ramnit,"
Ramnit first appeared in April 2010. By last
July variants of the malware accounted for 17.3 per cent of all new
malicious software infections, according to Symantec. A month later
Trusteer reported that flavours of Ramnit were packing
sophisticated banking login credential snaffling capabilities -
technologies culled from the leak of the source code of the
notorious ZeuS cybercrime toolkit at around the same time. The new
Ramnit configuration was able to bypass two-factor authentication
and transaction-signing systems used by financial institutions to
protect online banking sessions. The same technology might also be
used to bypass two-factor authentication mechanisms in order to
gain remote access to corporate networks, Seculert warns.
The move onto Facebook by the miscreants
behind Ramnit seems designed primarily to expand the malware's
distribution network and infect more victims. "We suspect that the
attackers behind Ramnit are using the stolen credentials to expand
the malware’s reach," Seculert concludes, adding that capturing the
login credentials of Facebook accounts creates a means to attack
more sensitive accounts that happen to use the same email address
and password combination. "The cyber-criminals are also taking
advantage of the fact that people usually use the same passwords
for different web-based services (Facebook, Gmail, Corporate SSL
VPN, Outlook Web Access, etc.) to gain remote access to corporate
networks," it said. The Ramnit outbreak on Facebook follows the
November outbreak of an earlier worm that tried to infect victims
with a variant of ZeuS. "More and more malware families have
started using social networks to reach victims instead of spam,"
Father's attempt at parental control resulted in hacked
German police system
The course of events that led to the July
2011 compromise of a computer server used by German authorities for
GPS surveillance might have started with a police official
monitoring his daughter's online activities, according to reports
in German media.
The man, who is a senior official within the
German Federal Police in Frankfurt, installed some type of spyware
on his daughter's computer in order to see what she does online,
German weekly magazine Der Spiegel reported on Sunday. Later,
a friend of the girl, who had ties to the German hacker scene,
stumbled over the Trojan installed on her computer. To get back at
the curious father, the hacker friend decided to break into the
man's personal computer.
Apparently, the police officer had diverted
official work-related emails to his private computer, which is most
likely a serious violation of data handling policies. "I expect
that this is against the rules and is almost always a bad idea,"
said Chester Wisniewski, a senior security advisor at security
company Sophos. The emails contained information that helped
hackers obtain unauthorized access to the PATRAS system used by
police and customs authorities for GPS surveillance. The police
official is now being investigated by authorities in Cologne.
A group of hackers calling themselves
"n0-N4m3 Cr3w" (No Name Crew) announced in July 2011 that they had
obtained access to a PATRAS server, prompting German authorities to
temporarily shut down the entire system and launch an
investigation. The group leaked documentation, usernames,
passwords, phone numbers, license plates and geographic coordinates
related to police investigations that were copied from the
The German Federal Police arrested two
individuals suspected of being responsible for the security breach.
One of them, a 23-year-old man from the North Rhine-Westphalia
region, was believed to be the leader of "n0-N4m3 Cr3w."
US-CERT warns about spoofed US-CERT phishes
Phishers are spoofing email addresses
belonging to US-CERT, an arm of the Department of Homeland Security
that coordinates information sharing related to cyber threats, to
trick users into installing malware. According to an alert Tuesday,
a campaign is currently underway that targets a number of private
and government organizations. The messages contain a .zip
attachment, "US-CERT Operation Center Report," which is actually a
malicious executable file. The alert recommends that recipients
immediately delete the socially engineered emails.
Stuxnet cyberweapon looks to be one on a production line,
Evidence is rising that Stuxnet, a
cyberweapon that attacked Iran's nuclear facilities in 2009, is
part of a super sophisticated manufacturing process for malicious
software, two antivirus companies tell the Monitor. Somewhere in
the world, the creators of the Stuxnet worm are involved in a
cyberweapon manufacturing operation that can pump out super
sophisticated malicious software tweaked for specific missions, new
targets, and detection evasion.
Stuxnet, the first military-grade cyberweapon
known to the world, has been called a digital missile and a
cyber-Hiroshima bomb. But it was not a one-shot blast, new research
shows. Rather, Stuxnet is part of a bigger cyber weapons system – a
software platform, or framework – that can modify
already-operational malicious software, researchers at two leading
antivirus companies told the Monitor.
The platform appears to be able to fire and
reload – again and again – to recalibrate for different targets and
to bolt on different payloads, but with minimal added cost and
effort, say researchers at Kaspersky Labs and at Symantec.
Kaspersky, based in Moscow, and Symantec, in Sunnyvale, Calif., are
antivirus companies, competitors in fact. Each has had teams
labouring independently for more than a year to decipher Stuxnet.
Both are amazed to have discovered digital fingerprints of a much
larger family of weaponized software.
What each has uncovered are at least seven
cyberweapon "launcher" files created from a common software
platform. A launcher file is needed to stealthily insert the
malicious payload (Stuxnet, for instance) onto a computer, as well
as carrying the payload files and encryption keys needed to unfurl
them and make them function. All seven launcher files contain
chunks of identical source code, yet differ in small but important
ways, according to a Kaspersky Labs study released last week. Just
two of those files are known to be used by the Stuxnet program. Two
others are related to an espionage software program called Duqu,
discovered last fall.
That leaves three launcher files with no
known affiliations. While those three could be affiliated with
as-yet-undetected variants of Stuxnet or Duqu, they are more likely
to be affiliated with undiscovered cyberweapons operating "in the
wild" somewhere in cyberspace, researchers say.
Kaspersky's findings are buttressed by
researchers at Symantec, which led the deciphering effort on
Stuxnet in 2010. The companies' findings imply that Stuxnet's
creators are not resting on past deeds, such as the attack on
Iran's nuclear fuel manufacturing facilities. Instead, they are
apparently churning out new cyberweapons for new missions from that
same common software platform, researchers from both firms told the
How to Secure Your New Facebook Timeline
Facebook is ever evolving and has had more
than one security issue over the last few years. There is a new
feature that has been rolled out conveniently named "Timeline"
which will let you, your friends and, depending on your privacy
settings, complete strangers flip through your Facebook history like
a digital scrapbook. It has a newspaper-like appearance and all is
easily navigated. Simply click on the year you are interested in
and it jumps to all your old posts for that time frame.
Netsecurity.about.com have released a guide
on how to update your security settings ensuring you are able to
keep stalkers and other bad guys from perusing your old posts (and
your new ones as well).
Written by: David Gray VCSL
And Finally… Iranian Engineer: US drone captured using
flying saucer and force fields
Much of the world was concerned when Iran
showed off a US drone that it had captured in December. The fact
that the drone was entirely intact suggested that the Middle
Eastern nation’s technology prowess may be far greater than anyone
had estimated. At the time, Iranian authorities claimed that the
craft had been captured using “cyber warfare” tactics, and now an
oddball account that purports to explain how it was done has
emerged. According to an Iranian engineer, who claims to have led
the capture of the RQ-170, Iran used a dream sci-fi combination of
a force field and a flying saucer to down the craft.
According to Wired, Mehran Tavakoli Keshe
told an online forum that his country used “advanced space
technology” that he himself had pioneered: The craft has been
air-picked-up and been put down on its belly through the use of
field forces [which we take to mean force fields].
Iran did go public with claims that it had
developed a flying saucer early last year; however, Wired has a
more rational explanation of how the capture may have been carried
out: Iran could have captured the drone by spoofing the RQ-170's
GPS-based navigational backup systems. No force fields or saucers
We’re a big fan of all things UFO related,
but this is even more unlikely than the ‘alien shaped skull’
that turned up in Peru in November. That said, we like Wired’s
imaginative illustration of the RQ-170 kidnap, based on the
engineer’s account. Experts have suggested that the US drone
will be difficult to break into and copy, so it looks like Iran
will be stuck with its flying saucer and forcefields instead.