Daily Report Thursday, March 1 , 2007

Daily Highlights

The Federal Energy Regulatory Commission on Monday, February 26, endorsed a plan to allow competitive bidding for rights to build a long−envisioned Alaska North Slope natural gas pipeline. (See item 4)
·
The Los Angeles Times reports aircraft came too close to one another at Los Angeles International Airport twice last weekend, the first such incidents at the facility since September; a ground radar system alerted controllers to impending collisions in each case. (See item 12)
·
The Department of Homeland Security has released $194 million to help states and local governments prepare and implement emergency management activities through the Emergency Management Performance Grant program. (See item 33)
·
Information Technology and Telecommunications Sector

34.
February 28, US−CERT — Worm actively exploits vulnerability in Sun Solaris Telnet Daemon. US−CERT is aware of public reports of a worm that is actively exploiting a known vulnerability in the Sun Solaris telnet daemon (in.telnetd). The worm targets Solaris 10 (SunOS 5.10) systems that are not patched to address this vulnerability and have enabled the telnet daemon. More information about this vulnerability is located in the following: Vulnerability Note VU#881872 − Sun Solaris telnet authentication bypass vulnerability:
http://www.kb.cert.org/vuls/id/881872
Sun Alert 102802 − Security Vulnerability in the in.telnetd (1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host:
http://sunsolve.sun.com/search/document.do?assetkey=1−26−102 802−1
Source: http://www.us−cert.gov/current/current_activity.html#sunwrme xinet

35. February 28, CNET News — PC hardware can pose rootkit threat. PC hardware components can provide a way for hackers to sneak malicious code onto a computer, a security researcher warned Wednesday, February 28. Every component in a PC, such as graphics cards, DVD drives and batteries, has some memory space for the software that runs it, called firmware. Miscreants could use this space to hide malicious code that would load the next time the PC boots, John Heasman, research director at NGS Software, said in a presentation at this week's Black Hat event. "This is an important area and people should be concerned about this," Heasman said. "Software security is getting better, yet we run increasingly complicated hardware. Unless we address hardware security, we're leaving an interesting avenue for attack." Malicious code delivered via the memory on hardware components poses a rootkit threat since it will run on the PC before the operating system loads, Heasman said. This likely will hide it from security software and other protection mechanisms, he added. Such low−level malicious code is known as a rootkit.
Source: http://news.com.com/PC+hardware+can+pose+rootkit+threat/2100−7349_3−6162924.html?tag=nefd.top

36. February 28, Register (UK) — Warezov worm fiends target Skype. The authors of the prolific Warezov worm are targeting users of Skype. Instead of arriving via an e−mail attachment, the latest variant of the worm spreads using a bogus Skype chat message asking users to click on a link, which points to a hacker−controlled Website hosting malicious codes. The plausibility of the attack is increased because infected messages likely come from a target's list of known contacts, though the abrupt dialogue it generates might trigger a few alarm bells. Some older Warezov variants used other Instant Messaging clients in a similar fashion, but this variant (Warezov−LY) is the first to use Skype, anti−virus firm F−secure reports.
Source: http://www.theregister.co.uk/2007/02/28/warezov_skype_im_wor m/

37. February 28, Sophos — Graphic Japanese Trojan attacks P2P file−sharing pirates. Sophos has warned of a bizarre Trojan horse that has been distributed on Japanese peer−to−peer (P2P) file−sharing networks. The Troj/Pirlames−A Trojan horse has been distributed on the controversial Winny file−sharing network in Japan, posing as a screensaver. However, if P2P users download and run the program their files are overwritten by pictures of a popular comic book star who abuses them for using Winny. Programs, music files and e−mail mailboxes are amongst the files targeted by the Trojan horse.
Source: http://www.sophos.com/pressoffice/news/articles/2007/02/pirl ames.html

38. February 27, InfoWorld — Researchers: Worms not heading underground. During the past two years, security experts and software vendors have downplayed the threat of so−called worm viruses, but new evidence suggests that the attacks are still as dangerous, if not more so, than ever. While the enormous mass−mailing worm viruses of years past −− such as the well−known MyDoom, Sobig, and Slammer attacks −− that were aimed at crippling IT infrastructure have all but disappeared, smaller outbreaks that aim to load financially−motivated malware onto end users' computers −− such as the recent Storm Worm −− will continue to menace the Internet, according to researchers. Consensus opinion among security experts has been that as businesses and consumers improved their desktop security tools and computing habits, it became harder for malware writers to lure the same volumes of people with worms. This trend pushed the attackers away from creation of the self−propagating threats and further into financially−motivated crimeware, market watchers observed. However, the continued spread and modification of Storm Worm, which first surfaced in mid−January 2007, could illustrate an emerging breed of the attacks that is likely to trouble users in years to come.
Source: http://www.infoworld.com/article/07/02/27/HNwormtrender_1.ht ml

39. February 27, ComputerWorld — Researcher charts new, more dangerous Oracle attack. In a paper discussed Wednesday, February 28, at the Black Hat DC 2007 conference, noted database security researcher David Litchfield outlined a new attack method against Oracle databases that boosts the danger to unpatched systems. Litchfield, the managing director of UK−based NGS Software has found a way to exploit Oracle vulnerabilities without requiring system privileges. The new tactic, which he spelled out in "Cursor Injection: A New Method for Exploiting PL/SQL Injection and Potential Defenses," increases the threat risk of many Oracle−disclosed bugs. "On occasion, Oracle in their alerts state that the ability to create a procedure or a function is required for an attacker to be able to exploit a flaw," Litchfield said in the paper. "This is not the case. All SQL injection flaws can be fully exploited without any system privilege other than CREATE SESSION and, accordingly, the risk should never be 'marked down' [in an alert]," he said. The new technique doesn't rely on a vulnerability and applies to all versions of Oracle.
Litchfield's report: http://www.databasesecurity.com/dbsec/cursor−injection.pdf
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011942&source=rss_topic85

40. February 27, ComputerWorld — Firefox, IE7 open to URL spoof. Although Mozilla Corp. patched one more Firefox bug last week than first reported, the researcher whose work has plagued the open−source browser for weeks has released details about another flaw. Firefox does not properly handle JavaScript "onUnload" events and can be tricked into taking the user to an unintended destination, said security researcher Michal Zalewski. "This flaw allows the attacker to track your footsteps and either redirect you to the URL you wanted to visit, which wouldn't be noticed at all, or to a similarly named phishing Website when you choose to visit a target of some significance," Zalewski said. The bug affects the just−released Firefox 2.0.0.2 and 1.5.0.10 updates, as well as Microsoft's Internet Explorer 7. JavaScript can be disabled in the browsers to block such redirects.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011939&source=rss_topic85