Thursday, January 10, 2008

Daily Report

• The Associated Press reported that starting January 31, citizens of the U.S. and Canada ages 19 and older will have to present a government-issued photo ID along with proof of citizenship in order to enter or depart the U.S. by land or sea. Children ages 18 and younger need proof of citizenship, such as a birth certificate. (See item 12)

• According to Agence France-Presse, an incurable, mosquito-borne dengue disease could spread from subtropical areas into the United States, requiring greater efforts to combat it. While dengue-related illness in the United States “is presently minimal,” global warming and poor efforts to control mosquito populations responsible for its spread could accelerate the disease’s propagation northward, the experts said. (See item 20)

Information Technology

24. January 9, Computerworld – (National) New rootkit hides in hard drive’s boot record. A rootkit that hides from Windows on the hard drive’s boot sector is infecting PCs, security researchers said today. Once installed, the cloaking software is undetectable by most current antivirus programs. The rootkit overwrites the hard drive’s master boot record (MBR), the first sector -- sector 0 -- where code is stored to bootstrap the operating system after the computer’s BIOS does its start-up checks. Because it hides on the MBR, the rootkit is effectively invisible to the operating system and security software installed on that operating system. “A traditional rootkit installs as a driver, just as when you install any hardware or software,” said the director of Symantec Corp.’s security response team. “Those drivers are loaded at or after the boot process. But this new rootkit installs itself before the operating system loads. It starts executing before the main operating system has a chance to execute.” Control the MBR, he continued, and you control the operating system, and thus the computer. According to other researchers, including those with the SANS Institute’s Internet Storm Center, Prevx Ltd., and a Polish analyst who uses the alias “gmer,” the rootkit has infected several thousand PCs since mid-December, and is used to cloak a follow-on bank account-stealing Trojan horse from detection, as well as to reinstall the identity thief if a security scanner somehow sniffs it out.
Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9056378&source=rss_topic17
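The item above describes why an MBR rootkit is hard to see from inside the operating system: it lives in sector 0, which runs before Windows and its drivers load. A defender's counter is to read that sector from outside the running OS (or from a trusted baseline) and compare it. The following is an added example, not code from the Computerworld article or from any of the researchers quoted; it parses the standard 512-byte MBR layout (446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the 0x55AA signature), hashes the boot-code region, and reports any drift from a recorded baseline. The MBR bytes used here are constructed, not read from a real disk, and the allowed-partition and baseline values are assumptions for the demonstration.

```python
"""Baseline-and-compare integrity check for a disk's master boot record (MBR).

Added example (not from the article). Layout of sector 0 as assumed here:
  bytes   0-445  boot code (where an MBR rootkit installs its own loader)
  bytes 446-509  partition table: four 16-byte entries
  bytes 510-511  boot signature 0x55 0xAA
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector-0 image into boot code, partition entries and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": entries,
            "signature_ok": sector[510:512] == SIGNATURE}


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; partition edits should not trip the check."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(sector) != baseline_digest:
        findings.append("boot code differs from baseline")
    if sum(1 for p in mbr["partitions"] if p["bootable"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR with one bootable partition of type 0x07 (NTFS)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return code + table + SIGNATURE


# Constructed sample data: a "clean" MBR recorded as the baseline, and a copy whose
# boot-code bytes were altered, standing in for an MBR that something else overwrote.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = boot_code_digest(CLEAN_MBR)
TAMPERED_MBR = build_sample_mbr(b"\x00\x11\x22\x33\x44\x55\x66\x77")

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

In practice the sector would be read with administrative rights from the raw device (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux) while booted from trusted media, and the baseline digest stored off-host; reading the sector through an infected operating system is exactly what the article says the rootkit defeats.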

25. January 8, IDG News Service – (National) Microsoft: Flaw could lead to worm attack. Microsoft has fixed a critical flaw in the Windows operating system that could be used by criminals to create a self-copying computer worm attack. The software vendor released its first set of patches for 2008 on Tuesday, fixing a pair of networking flaws in the Windows kernel. Microsoft also released a second update for a less serious Windows flaw that would allow attackers to steal passwords or run Windows software with elevated privileges. The critical bug lies in the way Windows processes networking traffic that uses IGMP (Internet Group Management Protocol) and MLD (Multicast Listener Discovery) protocols, which are used to send data to many systems at the same time. Microsoft says that an attacker could send specially crafted packets to a victim’s machine, which could then allow the attacker to run unauthorized code on a system. Security experts say that there is no known code that exploits this flaw, but now that the patch has been posted, hackers can reverse-engineer the fix and develop their own attack code. Because IGMP is enabled in Windows XP and Vista by default, this bug could be used to create a self-copying worm attack, Microsoft said Tuesday.
Source:
http://www.infoworld.com/article/08/01/08/Microsoft-flaw-could-lead-toworm-attack_1.html

26. January 8, IDG News Service – (National) Report: IRS information security still poor. The Internal Revenue Service continues to have “pervasive” information security weaknesses that put taxpayer information at risk, and it has made limited progress in fixing dozens of problems the U.S. Government Accountability Office (GAO) has previously identified, according to a GAO report released Tuesday. The IRS, the tax collecting arm of the U.S. government, has “persistent information security weaknesses that place [it] at risk of disruption, fraud or inappropriate disclosure of sensitive information,” the GAO report said. The agency, which collected about $2.7 trillion in taxes in 2007, has fixed just 29 of 98 information security weaknesses identified in a report released last March, the new report said. “Information security weaknesses -- both old and new -- continue to impair the agency’s ability to ensure the confidentiality, integrity and availability of financial and taxpayer information,” the GAO report said. “These deficiencies represent a material weakness in IRS’s internal controls over its financial and tax processing systems.” The GAO has issued multiple reports blasting IRS information security in recent years. The latest report described an IRS data center that took more than four months to install critical patches to server software. At one IRS data center, about 60 employees had access to commands that would allow them to make “significant” changes to the operating system, the GAO said. At two data centers, administrator access to a key application contained unencrypted data log-ins, potentially revealing users’ names and passwords. Three IRS sites visited by GAO auditors had computers or servers with poor password controls, the GAO said. The IRS also had lax physical security controls in place for protecting IT facilities, the GAO report said.
One data center allowed at least 17 workers access to sensitive areas when their jobs did not require it, the GAO said. The IRS’s acting commissioner said the agency made significant progress in fixing information security problems during 2007, and in a letter to the GAO, said “While we agree that we have not yet fully implemented critical elements of our agency-wide information security program, the security and privacy of taxpayer information is of great concern to the IRS.”
Source:
http://www.infoworld.com/article/08/01/08/IRS-information-security-stillpoor_1.html

Communications Sector

Nothing to report.

Wednesday, January 9, 2008

Daily Report

• According to WVEC 13 Hampton Roads, two pipe bombs found on railroad tracks in Newport News, Virginia, over the weekend were safely detonated. (See item 15)

• IDG News Service reported that Symantec Corp. said U.S. government agencies need to take additional steps to protect against cybersecurity problems after a series of congressional hearings and reports exposed several weaknesses in 2007. The U.S. Government Accountability Office also issued about a dozen reports in the last six months criticizing federal agencies for not fully implementing the GAO’s cybersecurity recommendations. (See item 31)

Information Technology

30. January 8, Register – (National) Hackers turn Cleveland into malware server. Tens of thousands of websites belonging to Fortune 500 corporations, state government agencies, and schools have been infected with malicious code that attempts to engage in click fraud and steal online game credentials from people who visit the destinations, security researchers say. More than 94,000 URLs had been infected by the fast-moving exploit, which redirects users to the uc8010-dot-com domain. The security company Computer Associates was infected at one point, as were sites belonging to the state of Virginia, the city of Cleveland, and Boston University. Malicious hackers were able to breach the sites by exploiting un-patched SQL injection vulnerabilities that resided on the servers, according to the CTO for the SANS Internet Storm Center. The injections included JavaScript that redirected end users to the rogue site, which then attempted to exploit multiple vulnerabilities to install key-logging software that stole passwords for various online games. According to a researcher for ScanSafe, the exploits forced end users to visit sites that pay third parties a fee in exchange for sending them traffic. She speculates the attackers signed up as affiliates of the sites and then profited each time an end user was infected. The malware also installed keyloggers on end user machines that stole passwords to various online games, another researcher said. He added that the uc8010-dot-com domain was registered in late December using a Chinese-based registrar, indicating the attackers were fluent in Chinese.
Source:
http://www.theregister.co.uk/2008/01/08/malicious_website_redirectors/
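The campaign in item 30 worked by using SQL injection to append script tags to content stored in the sites' databases, so every page built from that content then pulled code from the attacker's domain. Site operators responding to that kind of incident need to sweep their stored content for script and iframe sources pointing at hosts the site does not use. The following is an added example, not code from The Register article or from the researchers it quotes; it parses stored HTML fragments with Python's standard `html.parser`, extracts every `<script>` and `<iframe>` `src`, and reports those whose host is not on the site's allowlist. The records, the allowlist hosts, and the `malicious.example` domain are all constructed for the demonstration. It also covers two cases a naive string search misses: upper-case tags and scheme-relative `//host/...` sources.

```python
"""Sweep stored page content for script/iframe sources on non-allowlisted hosts.

Added example (not from the article). Intended use: run over the text columns of
a site's content database, or over rendered pages, after a suspected mass
SQL-injection of redirect scripts.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts from which this site legitimately loads code.
ALLOWED_HOSTS = {"www.example.gov", "cdn.example.gov"}


class ExternalRefCollector(HTMLParser):
    """Collect the src of every <script> and <iframe> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names, so <SCRIPT SRC=...> is caught too.
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def external_refs(html: str, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Return (tag, src, host) for each script/iframe whose host is not allowlisted.

    Relative sources such as "/site.js" have no host and are left alone;
    scheme-relative "//host/x.js" sources do carry a host and are checked.
    """
    parser = ExternalRefCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, src in parser.refs:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append((tag, src, host))
    return findings


def scan_records(records: dict, allowed_hosts=ALLOWED_HOSTS) -> dict:
    """Scan {record_id: html_text}; return {record_id: findings} for records with hits."""
    suspicious = {}
    for record_id, text in records.items():
        findings = external_refs(text, allowed_hosts)
        if findings:
            suspicious[record_id] = findings
    return suspicious


# Constructed sample rows standing in for a content table after an injection.
SAMPLE_RECORDS = {
    "news-101": "<p>Council meeting moved to Tuesday.</p>",
    "news-102": '<p>Road closures this week.</p>'
                '<script src="http://malicious.example/x.js"></script>',
    "news-103": '<p>Budget hearing notice.</p>'
                '<SCRIPT SRC="//malicious.example/x.js"></SCRIPT>',
    "news-104": '<p>Library hours.</p>'
                '<script src="https://cdn.example.gov/site.js"></script>'
                '<script src="/local.js"></script>',
}

if __name__ == "__main__":
    for record_id, findings in scan_records(SAMPLE_RECORDS).items():
        for tag, src, host in findings:
            print(f"{record_id}: <{tag}> loads from {host} ({src})")
```

Finding the injected rows is the cleanup step; the fix the article points to is patching the SQL injection itself, which means parameterized queries in the application code, since the same injection will simply rewrite the rows again.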

31. January 7, IDG News Service – (National) U.S. government needs new cybersecurity steps, Symantec warns. U.S. government agencies need to take additional steps to protect against cybersecurity problems after a series of congressional hearings and reports exposed several weaknesses in 2007, representatives of Symantec Corp. said. The government sector, including state and local governments, accounted for 26 percent of data breaches that could lead to identity theft in the first half of 2007, according to Symantec’s latest Government Internet Security Threat Report, published in September. The U.S. Government Accountability Office (GAO) also issued about a dozen reports in the last six months criticizing federal agencies for not fully implementing the GAO’s cybersecurity recommendations. While U.S. agencies have a set of cybersecurity rules set out in the Federal Information Security Management Act, agencies are not held accountable when they have breaches, said Symantec’s vice president for the public sector. Agencies do not lose funding from Congress after cybersecurity incidents, he said. Agencies can take more steps to fix problems, he added, such as inventorying IT assets, developing comprehensive cybersecurity plans, doing systematic vulnerability testing, and having a data backup plan with frequent backups. There still seems to be interest from lawmakers in agency cybersecurity and breach notification, he said. The hearings and information requests from lawmakers are bringing to light multiple attacks and breaches at agencies, he said. “There’s no real mechanism requiring agencies to report breaches,” added Symantec’s federal government relations manager.
Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9056002&taxonomyId=17&intsrc=kc_top

32. January 7, Computerworld – (National) ‘Hacker safe’ Web site gets hit by hacker. On Friday, Geeks.com, a $150 million company specializing in the sale of computer-related excess inventory and manufacturers’ closeouts, began notifying an unspecified number of customers whose personal and financial data may have been compromised by an intrusion into the systems that run the online technology retailer’s Web site. The compromised information included the names, addresses, telephone numbers, and Visa credit card numbers of customers who had shopped at Geeks.com, according to a copy of the letter that was posted on The Consumerist blog. Its Web site prominently proclaims that it is tested on a daily basis by ScanAlert Inc., a vendor in Santa Clara, California, that agreed in October to be acquired by McAfee Inc. McAfee officials were not immediately available to comment on what might have happened at Geeks.com. A telephone operator at Geeks.com’s headquarters in Oceanside, California, said that she was unable to find anyone at the retailer who could comment about the incident. Last week’s notification included a number for non-U.S. residents to call, suggesting that the breach may have affected customers in other countries as well. According to the letter, which was signed by the chief of security at Geeks.com, the intrusion has been reported to local law enforcement authorities, as well as to the U.S. Secret Service. The incident has also been reported to Visa, without any indication of why only Visa card numbers appear to have been compromised.
Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9056004&source=rss_topic17

33. January 7, Network World – (International) Nugache worm kicking up a storm. Although the infamous Storm worm enters 2008 with a reputation as the world’s most dangerous botnet, security experts say there is an up-and-comer called Nugache. Nugache was first sighted about two years ago, but last month, hackers, believed to be tied to the notorious Russian Business Network online criminal mob, gave Nugache a facelift, copying many of the successful attributes of Storm, such as encryption, a rootkit, and the ability to spread as Web-borne malware. “Nugache now includes the ability to encrypt itself and every version that rolls out is generated a bit differently to obfuscate detection,” said the vice president of technology evangelism at Secure Computing. Nugache is now also peer-to-peer controlled to put it under a more decentralized command-and-control structure that makes it difficult to take down the botnet it can construct once it infects desktop machines. The rise of the Nugache botnet appears to already be giving the Storm botnet more competition. Prices as low as 1 million spam messages for $100 are being advertised online mainly because of the rise of Nugache, said the researcher. Business and consumers should be aware that Nugache could attempt to compromise their desktop machines in various ways, particularly through Web-based drive-by downloads. One way it has been seen spreading is through URLs embedded by attackers in blogs. “They will create the blog entry, then embed hundreds of key words and embed pointers to other blog entries, such as the second blog entry pointing back to the first entry,” he said. “Google rates you on how many other people point to your URL. So they’re getting down the science of artificially inflating their position in the search engine. They want these blog postings to show up on the top.”
Source:
http://www.networkworld.com/news/2008/010708-nugache-worm.html

Communications Sector

34. January 7, RCR Wireless News – (National) Industry challenges FCC’s emergency backup power rule. The Federal Communications Commission (FCC) is facing a gathering legal storm over its emergency back-up power rule. The new rule, among other things, calls for a minimum of 24 hours of emergency back-up power for telecom assets inside central offices and eight hours for other facilities such as cell sites, remote switches, and digital loop carrier system remote terminals. “The FCC lacks authority to issue the rule,” Sprint Nextel told the U.S. Court of Appeals for the District of Columbia Circuit. “There is no provision in the Communications Act directing the commission to issue regulations requiring wireless carriers to adopt back-up power rules, and the commission’s attempt to rely on ‘ancillary jurisdiction’ … strains the reach of those provisions beyond the breaking point.” Cellphone industry associations CTIA and USA Mobility Inc., whose appeals of the back-up power rule have been consolidated, told the court expedited treatment of the appeal is justified because the back-up power rule “would impose overwhelming compliance costs, most of which would be incurred during the pendency of these cases.” The two parties also pointed to the FCC’s own admission that compliance with the back-up power rule could force carriers to take down cell sites critical to wireless communications, including emergency 911 services. The FCC told the court it does not oppose expedited treatment of the back-up power appeal, but would vigorously oppose Sprint Nextel’s stay motion.
Source:
http://www.rcrnews.com/apps/pbcs.dll/article?AID=/20080107/SUB/3392962/1005/allnews

35. January 6, Chicago Tribune – (National) Workers’ remote wireless access to documents lets hackers grab data. Smart phones are poised to become the next major security challenge for businesses. Consumer-oriented mobile phones, which have far fewer safety features, are increasingly taking on such PC-like characteristics as Wi-Fi connectivity, making them attractive to people who want to use them for work. In a Computing Technology Industry Association survey conducted this year of 1,070 small businesses in North America, 60 percent of firms said they have seen an increase in the past year in security issues related to the use of handheld computing devices. A specialist at Alternative Technology said the concern for businesses is whether these phones “will cause so much of a risk that they will eventually ... just be banned from corporate environments.” The increasing ease of working remotely is creating a growing set of security concerns for companies. So far, there have not been any high-profile epidemics of mobile viruses like the “I love you” worm for PCs that spread rapidly around the world in 2000. But developers have demonstrated the destructive potential of such worms. The “Cabir” virus, which first appeared in 2004, used Bluetooth technology to jump from phone to phone. Another virus, known as “Commwarrior.A,” replicated itself by sending a picture or text message to people in the infected device’s contacts list. Theft is a bigger issue now. While hacking once was about bragging rights or cyber vandalism, security industry officials say profit now largely drives attacks, as the kind of information traveling over wireless networks grows in volume and value.
Source:
http://www.freep.com/apps/pbcs.dll/article?AID=/20080106/BUSINESS07/801060605/1020