Monday, December 10, 2007

Daily Report

• The Los Angeles Times reports that, according to a study by the U.S. Geological Survey released Tuesday, ash from wildfires in Southern California’s residential neighborhoods poses a serious threat to people and ecosystems because it is extremely caustic and contains high levels of toxic metals. The scientists warned that rainstorms, which are forecast for the region beginning Friday, are likely to wash the dangerous substances into waterways. (See item 18)

• According to and other outlets, hackers succeeded in breaking into the computer systems of two of the U.S.’ most important science labs, the Oak Ridge national Laboratory in Tennessee and Los Alamos National Laboratory in New Mexico. It appears that intruders accessed a database of visitors to the Tennessee lab between 1990 and 2004, which included their social security numbers and dates of birth, though further details of the breach are being withheld pending investigation. Three thousand researchers reportedly visited the lab each year. (See item 24)

Information Technology

24. December 7, – (National) Hackers launch major attack on U.S. military labs. Hackers have succeeded in breaking into the computer systems of two of the U.S.’ most important science labs, the Oak Ridge National Laboratory (ORNL) in Tennessee and Los Alamos National Laboratory in New Mexico. In what a spokesperson for the Oak Ridge facility described as a “sophisticated cyber attack,” it appears that intruders accessed a database of visitors to the Tennessee lab between 1990 and 2004, which included their social security numbers and dates of birth. Three thousand researchers reportedly visit the lab each year, a who’s who of the science establishment in the U.S. The attack was described as being conducted through several waves of phishing e-mails with malicious attachments, starting on October 29. Although not stated, these would presumably have launched Trojans if opened, designed to bypass security systems from within, which raises the likelihood that the attacks were targeted specifically at the lab. ORNL’s director described the attacks in an e-mail to staff earlier this week as being a “coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country.” “Because of the sensitive nature of this event, the laboratory will be unable for some period to discuss further details until we better understand the full nature of this attack,” he added. The ORNL has set up a Web page giving an official statement on the attacks, with advice to employees and visitors that they should inform credit agencies so as to minimize the possibility of identity theft. Less is known about the attacks said to have been launched against the ORNL’s sister-institution at Los Alamos, but the two are said to be linked. It has not been confirmed that the latter facility was penetrated successfully, though given that a Los Alamos spokesman said that staff had been notified of an attack on November days after the earliest attack wave on the ORNL -- the assumption is that something untoward happened there as well, and probably at other science labs across the U.S. The ORNL is a multipurpose science lab, a site of technological expertise used in homeland security and military research, and also the site of one of the world’s fastest supercomputers. Los Alamos operates a similar multi-disciplinary approach, but specializes in nuclear weapons research, one of only two such sites doing such topsecret work in the U.S.

25. December 7, – (International) Cyber criminals steal data from Fasthosts and force hundreds of websites to shut down. Hundreds of websites have been shut down temporarily by one of the largest web hosting companies in Britain after the personal details of customers were stolen by computer hackers. The hackers managed to access the “master database” of Fasthosts for information, including addresses, bank details, e-mails, and passwords. The action is expected to lose vital business for hundreds of small companies in the run-up to Christmas. “The theft of data from Fasthosts is a further example of cyber criminals’ continual attempts to target large organizations and businesses in order to access to vast quantities of sensitive data. Businesses are already reporting large financial losses and fear that their businesses will be forced to close as a direct result. This is not a small scale attack by any stretch of the imagination and there is potential for the thieves to have accessed everything on the database. The growing number of incidents of this type highlights the extensive value such data can provide for cyber criminals with malicious intent. Companies of all sizes need to take note and learn from these highly publicized mistakes and continue to prioritize their security procedures in order to maintain maximum data safety.” commented a security analyst from McAfee.

26. December 7, – (National) Staff wireless networks put data at risk. A Wi- Fi management firm has warned that companies may be unaware that their data is open to hackers because staff members have set up their own wireless networks. AirMagnet claimed that one employee could put the whole network at risk simply by plugging their own router into an access point. “We go into a lot of companies which say ‘we haven’t got any wireless access’ and we do a demo and three or four access points pop up,” a managing director at AirMagnet said. The culprit is not necessarily attempting to breach the network, but simply wants to be able to use Wi-Fi on their laptop. “It is not always malicious but it gives you visibility,” he said. AirMagnet’s Air Enterprise software has a triangulation function to pinpoint the offending Wi-Fi, and can root out problems on existing wireless networks by looking for anomalies. “For example, if you normally use Netgear kit and you see a Linksys router you know that’s not right,” he said. “If a wireless connection is popping up at four in the morning for an hour that’s definitely malicious but it won’t be picked up if no-one is monitoring it.” He also poured scorn on companies which believe they are protected because they are using the Wired Equivalent Privacy security algorithm. “Everyone knows that Wep is untrustworthy and can be easily cracked,” he said.

27. December 6, – (International) Businesses at risk from hacker attacks, warns Finjan. Businesses around the world are at risk from attacks distributed in China and existing signature-based anti-virus software and URL-based web monitoring may not be enough to protect end-users, researchers have warned. A study from Finjan, a supplier of secure web gateway products, has reported that users’ PCs are being infected by Trojans distributed from China. The company’s Malicious Code Research Center (MCRC) has detected malicious activity by groups that distribute their content using a network of websites to bypass traditional information security technology. The researchers uncovered a sophisticated attack that used zero-day exploits (malware for which there is no security patch) as well as other new hacking techniques. They also discovered a centralized group of activity based from China. One of the websites in the group belongs to a Chinese governmental office. The research found that these infected PCs are stealing data from organizations. Once the user’s PC has been infected, the Trojan starts to send data to other websites in the network, which are hard to detect. Additional sites in the network monitor and control the attack using statistics about how many users visit the site and how many got infected. The Trojans also collect data from the user, including which operating system is used, the applications that are running, users’ personal information, and what security systems are installed. The information collected by the Trojan network is then fed into other sites, which refine the attack. Signature-based antivirus software is unable to protect users against this attack, Finjan’s chief technology officer said. “In order to have a signature for your anti-virus software, a researcher needs to create a signature. But each time it is downloaded a new version of the Trojan is created.” IT directors will also be unable to block access to malicious website, he warned. “The website URLs are being changed dynamically so you will never be able to keep your website monitoring database up to date. Hackers will change the location of the malicious code.”

28. December 5, – (National) Attackers exploiting QuickTime RTSP flaw in the wild. The unsavory types have done exactly as security researchers warned they would, releasing into the wild exploit code for a vulnerability in how Apple’s QuickTime Player 7.3 handles RTSP (Real Time Streaming Protocol) responses from a video/audio streaming server. Symantec on December 1 spotted an attack that uses iFrame code to force a browser to send out a request to a URL embedded in an adult content site. Users visiting the site are redirected to a malicious page serving the exploit. The attacks have since then taken on new twists: attackers are now exploiting the issue through the Second Life Viewer to steal virtual money—known as Linden Dollars— from victims, Symantec’s Deep Sight Alert Services said in a December 4 update to its original advisory. The mention of a virtual reality game might make the vulnerability sound too consumer-ish for businesses to take seriously. However, with no patch available and no word from Apple on a patch ETA, there are only workarounds such as these from US-CERT (United States Computer Emergency Readiness Team), each of which “makes the use of valid QuickTime content next to impossible,” the SANS Institute noted in a December 2 advisory. Anti-virus programs are picking up the exploits, but Symantec is warning people to still be careful when browsing the Web. They are also recommending that, in the absence of a patch, users run browsers at the highest security settings possible; disable QuickTime as a registered RTSP protocol handler; and filter outgoing activity over common RTSP ports, including TCP port 554 and UDP ports 6970-6999.

Communications Sector

Nothing to report.