Tuesday, January 8, 2008

Daily Report

• The Associated Press reported that hundreds of thousands of Californians were still without power after a series of fierce storms pounded the state over the weekend and toppled nearly 500 miles of power lines. More than 145,000 homes and businesses in Northern California and the Central Valley were in the dark Sunday, down from more than 215,000 earlier in the day, ahead of rain and snow that were forecast to return again soon. In all, more than 2 million customers from the Oregon border to Los Angeles have lost power since the storms arrived Friday. (See item 1)

• According to Computer Weekly, hackers may be able to access aircraft flight and management systems in Boeing’s new mid-range jet, the 787-8. The FAA said that there are links between the networks that run the passenger “domain,” which allows passengers to access the internet during flights, and aircraft-management systems. A Boeing spokesman said the aircraft maker was aware of the problem and would test its fix in March. (See item 11)

Information Technology

24. January 7, IDG News Service – (International) CA’s website attacked by hackers. Hackers have attacked software vendor CA’s website and are redirecting visitors to a malicious website hosted in China. Although the problem now appears to have been corrected, cached versions of some pages on CA.com show that the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to the director of the SANS Internet Storm Center. The hack is similar to last year’s attack on the Dolphin Stadium website, which infected visitors looking for information on the Super Bowl football game, he said. “It’s exactly the same setup,” he said. “It’s JavaScript that they’ve managed to insert into the title or the body of the HTML.” CA itself may not even host the press release section of its site, as that job is often outsourced to a third party, he said. Often a misconfigured application server or a web or database programming error can give hackers all the opening they need to insert their malicious code. The uc8010.com domain serves attack code that exploits a recently patched vulnerability in the RealPlayer multimedia software, he said. The criminals behind this domain have hacked tens of thousands of Web pages and inserted code that redirects visitors to the malicious server, he added. SANS has posted a note on the uc8010.com issue and recommends that IT staff block access to the domain. He said another domain, ucmal.com, which is also hosted in China, should also be blocked because it is associated with a similar type of attack.


25. January 7, Computerworld – (National) Mass hack infects tens of thousands of sites. Tens of thousands of Web sites have been compromised by an automated SQL injection attack, and, although some have been cleaned, others continue to serve visitors a malicious script that tries to hijack their PCs using multiple exploits, security experts said this weekend. The chief research officer of Grisoft SRO pointed out that the hacked sites could be found via a simple Google search for the domain that hosted the malicious JavaScript. On Saturday, he said, the number of sites that had fallen victim to the attack numbered more than 70,000. “This was a pretty good mass-hack,” he said in a blog post. “It wasn’t just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared.” Symantec Corp. cited reports by other researchers that fingered a SQL vulnerability as the common thread. “The sites [were] hacked by hacking robot by means of a SQL injection attack, which executes an iterative SQL loop [that] finds every normal table in the database by looking in the sysobjects table and then appends every text column with the harmful script,” said one of the researchers. “It’s possible that only Microsoft SQL Server databases were hacked with this particular version of the robot since the script relies on the sysobjects table that this database contains.” According to the same researcher, the attack appends a JavaScript tag to every piece of text in the SQL database; the tag instructs any browser that reaches the site to execute the script hosted on the malicious server. Hacked sites included both .edu and .gov domains, added SANS Institute’s Internet Storm Center (ISC) in a warning posted last Friday, while others flagged several pages of security vendor CA Inc.’s Web site as infected.
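The researcher quoted in item 25 describes the robot walking sysobjects to find every text column and appending a script tag to it. The T-SQL below is an added defensive example, not part of the report or of any vendor's tooling: it walks the same SQL Server 2000-era catalog read-only and counts rows in each character column that carry the injected tag, so an administrator can confirm whether a database was hit and which tables need cleaning. The `%<script src=%` pattern is a constructed placeholder; narrow it to the indicator given in the SANS/ISC note before relying on the result.

```sql
-- Added example (not from the report): read-only scan of an MSSQL database
-- for text columns that had a <script src=...> tag appended by the mass hack.
DECLARE @marker nvarchar(100);
SET @marker = N'%<script src=%';   -- placeholder; use the exact injected tag from your IR notes

CREATE TABLE #hits (SchemaName sysname, TableName sysname, ColumnName sysname, HitCount int);

DECLARE @sch sysname, @tbl sysname, @col sysname, @sql nvarchar(4000);

-- Same enumeration the robot used, but only character-typed columns of user tables,
-- and only to read, never to update.
DECLARE colcur CURSOR LOCAL FAST_FORWARD FOR
  SELECT USER_NAME(o.uid), o.name, c.name
  FROM sysobjects o
  JOIN syscolumns c ON c.id = o.id
  JOIN systypes  t ON t.xusertype = c.xusertype
  WHERE o.xtype = 'U'
    AND t.name IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext');

OPEN colcur;
FETCH NEXT FROM colcur INTO @sch, @tbl, @col;
WHILE @@FETCH_STATUS = 0
BEGIN
  -- Identifiers are QUOTENAME'd and the pattern is passed as a parameter,
  -- so the scan itself cannot be turned into a second injection vector.
  SET @sql = N'INSERT INTO #hits SELECT '
           + QUOTENAME(@sch, '''') + N', ' + QUOTENAME(@tbl, '''') + N', ' + QUOTENAME(@col, '''')
           + N', COUNT(*) FROM ' + QUOTENAME(@sch) + N'.' + QUOTENAME(@tbl)
           + N' WHERE ' + QUOTENAME(@col) + N' LIKE @m';
  EXEC sp_executesql @sql, N'@m nvarchar(100)', @m = @marker;
  FETCH NEXT FROM colcur INTO @sch, @tbl, @col;
END
CLOSE colcur;
DEALLOCATE colcur;

-- Tables and columns that still serve the hostile tag, worst first.
SELECT SchemaName, TableName, ColumnName, HitCount
FROM #hits
WHERE HitCount > 0
ORDER BY HitCount DESC;

DROP TABLE #hits;
```

A non-empty result set means the database, not just the web tier, needs remediation: restore the affected columns from a pre-attack backup or strip the appended tag, and close the SQL injection hole in the application before bringing the site back.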


Communications Sector

26. January 5, Government Health IT – (National) DHS offers advice for ensuring telecom during pandemic. The so-called “last mile” of the nation’s telecommunications system would be vulnerable in the event of a pandemic influenza, according to a working group tasked with studying the potential communications consequences of an outbreak. The Department of Homeland Security’s assistant secretary of cybersecurity and communications weighed in on the security of a pandemic health crisis, noting that as much as 40 percent of the workforce would be unable to go to work during peak periods of an outbreak. “And you don’t get to pick which 40 percent that could be,” he said during a speech at the New York Metro Infragard Alliance Security Summit in December. “Naturally, telecommuting will be a key mechanism to keeping our businesses and government operational during a pandemic flu.” The working group, which meets monthly, found that connections to homes, hospitals, health plans, and physicians would likely be disrupted. But that scenario could be mitigated if ISPs, telecommunications carriers and service vendors put in place safeguards, policies and best practices ahead of time, he said. Among the group’s recommendations to hospitals, businesses, and government agencies: obtain a telecommunications service priority (TSP) for enterprises; subscribe to government emergency telecommunications service (GETS) cards and/or wireless priority services (WPS) capabilities for critical IT staff; limit access to business critical services through the enterprise connection; limit remote access to users critical to maintaining business continuity; adjust or retime automatic desktop backup software updates for telecommuters; and enhance the enterprise’s cybersecurity posture due to increased reliance on communications and IT, reduced support staff and the increased threat of cyber attack.