Friday, May 16, 2008

Daily Report

• New Scientist reports Core Security has discovered a serious vulnerability in a software package called Suitelink that is widely used to automate the operation of power stations, oil refineries, and production lines. (See item 3)

• According to SkyNews, Swiss police say Al Qaeda is planning to attack the Euro 2008 football championships in Switzerland and Austria in June. (See item 36)

Information Technology

30. May 15, IDG News Service – (International) Non-tech criminals can now rent-a-botnet. Online fraudsters that are not highly skilled in the arts of cybercrime can now rent a service that offers an all-in-one hosting server with a built-in Zeus Trojan administration panel and infecting tools, allowing them to create their own botnet. EMC’s security division, the RSA Anti-Fraud Command Centre (AFCC), cited an increase in the use of the Zeus Trojan in attacks against financial institutions in its April online fraud report, claiming the Trojan is “extremely user friendly and easy to operate.” “Fraudsters who execute Zeus attacks simply need to take control of a compromised server or have their own back-end servers; once they have a server in place, they merely need to install the Zeus administration panel, create a user name and password, and start launching their attacks,” the report stated. But the AFCC recently traced a new service that does all of the above for would-be botnet barons. The service offers access to a “bullet-proof hosting server with a built-in Zeus Trojan administration panel and infection tools...the service includes all of the required stages in a single package, meaning that all the fraudster now has to do is pay for the service, access the newly hired Zeus Trojan server, create infection points, and start collecting data.” RSA’s banking and finance specialist said that those offering the Zeus package are mirroring what legitimate security vendors are offering -- security-as-a-service -- but in their case they are slinging malware-as-a-service. Source:

31. May 14, Computerworld – (National) Phishing botnet expands by hacking legit sites. A botnet is now using a SQL injection attack tool designed to hack legitimate Web sites, a move meant to add more hijacked PCs to its collection, according to a security researcher. The Asprox botnet, which specializes in sending phishing spam, is pushing an update to the infected PCs it controls, the director of malware research at Atlanta-based SecureWorks Inc. said. The update is an executable file -- “msscntr32.exe” -- that installs as a Windows service dubbed “Microsoft Security Center Extension.” But the executable actually installs an SQL injection attack tool, he said. SQL injection attacks have become widespread as criminals increasingly target legitimate Web sites, figure out a way to hack them, then plant iFrames on those sites to redirect users to malicious servers. Those servers silently attack visitors’ PCs, often trying multiple exploits, and if one works, they download additional code to the machine to hijack it from its rightful owner and add it to an army of infected systems. “There are multiple things out there launching similar attacks,” said the researcher in explaining why there is confusion about how the tool is being spread. Some analysts have mistakenly concluded that the SQL injection tool is using wormlike tactics, according to the research director. “The tool does not spread on its own but relies on the Asprox botnet to propagate to new hosts,” he said. Source:
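A site-owner check for the injected-iframe technique described in item 31, added here as an example that is not part of the report or of SecureWorks’ research. The sample page and the host names in it are constructed, and the trusted-host list is an assumption the operator supplies.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical hosts): a legitimate site whose markup
# has gained a zero-size iframe pointing at an off-site server.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widgets/map" width="400" height="300"></iframe>
<p>News</p>
<iframe src="http://bad.example.net/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """Frames the visitor cannot see are the usual sign of an injected redirect."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def suspicious_iframes(html, trusted_hosts):
    """Return src URLs of iframes that load from an untrusted host or are hidden.

    Relative src values (no host) are treated as same-site and only flagged
    when hidden; absolute URLs must point at a host in `trusted_hosts`.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        if (host and host not in trusted_hosts) or _is_hidden(attrs):
            hits.append(src)
    return hits
```

Run it over a site's own rendered pages on a schedule; a new hit is a cue to look for the SQL injection that planted it.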

32. May 14, ars technica – (International) New international group to become the CDC of cyber security. Next week, the biannual World Congress of IT (WCIT) will be the venue for the launch of a new initiative from an organization that aims to become a platform for international cooperation on cyber security. The group calls itself the International Multilateral Partnership Against Cyber-Terrorism (IMPACT), and its advisory board features numerous tech luminaries. The group’s forthcoming World Cyber Security Summit (WCSS), which will be part of the WCIT 2008, is an effort to raise IMPACT’s profile as an international platform for responding to and containing cyber attacks. On a conference call this morning, one of IMPACT’s principals described the organization’s mission as becoming a kind of “CDC [Centers for Disease Control] for cyber security.” The idea is that it will provide both a forum and an actual communications system for coordinating international responses to cyber attacks, especially when those attacks involve civilian networks as a target, a source, or both. The principal members of IMPACT are governments, but the organization will include experts from academia and the private sector, as well. Indeed, the group is premised on the understanding that universities and corporations own most of the networks and computers that are at increasing risk of cyber attack, and that these entities are also at the forefront of current information security research and development. Source:

Communications Sector

33. May 14, SecurityFocus – (National) Admins warned of brute-force SSH attacks. Allowing secure shell access to a server tends to attract the occasional attempt to guess a valid username and password for the service. However, a spike in attacks this week has system administrators worried. According to the senior security analyst at UC Berkeley, “Given enough time, any password can be broken, and a lot of them can be broken with relative ease because humans are, to a degree, lazy and will almost always opt for non-random, easy to recall -- and hence easy to guess -- passwords.” Over the weekend, a number of network administrators issued warnings over an order-of-magnitude increase in the number of attempts to guess the username and password of systems running secure shell (SSH), the encrypted access method that replaced the common telnet service. System administrators at universities and some companies have reported login attempts coming from hundreds and thousands of Internet addresses over the past week, a stark increase from the handful of attacks the administrators saw previously. The Internet Storm Center, a network monitoring team supported by the SANS Institute, warned system administrators on Monday to take steps to protect their systems, noting the sharp spike in attacks. Source:
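A defender-side check for the kind of spike item 33 describes, added here as an example that is not part of the report or of the Internet Storm Center’s guidance. The sshd log lines are constructed (hypothetical host gw1, RFC 5737 test addresses), and the ten-times threshold is an assumption; the point of the example is that a distributed campaign shows up in the count of distinct source addresses, not in any single address’s attempt count.

```python
import re
from collections import Counter

# Constructed baseline: the occasional guess a server normally sees (hypothetical host/addresses).
BASELINE_LOG = """\
May 05 02:10:41 gw1 sshd[811]: Failed password for root from 203.0.113.9 port 40111 ssh2
May 05 02:10:44 gw1 sshd[813]: Failed password for root from 203.0.113.9 port 40112 ssh2
May 05 09:30:02 gw1 sshd[902]: Accepted publickey for alice from 192.0.2.55 port 50000 ssh2
"""

# Constructed spike: 40 addresses, three guesses each, cycling common usernames.
_USERS = ["root", "admin", "test", "oracle", "guest"]
SPIKE_LOG = "\n".join(
    f"May 12 03:14:{i % 60:02d} gw1 sshd[{2200 + i}]: Failed password for "
    f"{'invalid user ' if _USERS[i % 5] != 'root' else ''}{_USERS[i % 5]} "
    f"from 198.51.100.{1 + i % 40} port {51000 + i} ssh2"
    for i in range(120)
) + "\nMay 12 03:20:00 gw1 sshd[2400]: Accepted publickey for alice from 192.0.2.55 port 50001 ssh2\n"

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def summarize_failures(log_text):
    """Count failed password attempts, distinct source addresses and usernames tried."""
    ips, users = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ips[m.group("ip")] += 1
            users[m.group("user")] += 1
    return {"failures": sum(ips.values()), "sources": len(ips),
            "usernames": len(users), "max_per_source": max(ips.values(), default=0)}


def is_brute_force_spike(current, baseline, factor=10):
    """Flag an order-of-magnitude jump in attempts or in distinct attacking addresses.

    A per-address lockout alone misses this campaign: no single source exceeds
    three attempts, yet total failures and source count both jump by 10x or more.
    """
    return (current["failures"] >= factor * max(1, baseline["failures"])
            or current["sources"] >= factor * max(1, baseline["sources"]))
```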

34. May 14, IDG News Service – (International) Hacker writes rootkit for Cisco’s routers. A security researcher has developed malicious rootkit software for Cisco Systems’ routers, a development that has placed increasing scrutiny on the routers that carry the majority of the Internet’s traffic. A researcher with Core Security Technologies developed the software, which he will unveil on May 22 at the EuSecWest conference in London. Rootkits are stealthy programs that cover up their tracks on a computer, making them extremely hard to detect. To date, the vast majority of rootkits have been written for the Windows operating system, but this will mark the first time that someone has discussed a rootkit written for IOS, the Internetwork Operating System used by Cisco’s routers. “An IOS rootkit is able to perform the tasks that any other rootkit would do on desktop computer operating systems,” said the developer. Rootkits are typically used to install key-logging software as well as programs that allow attackers to remotely connect with the infected system. A Cisco rootkit is particularly worrisome because, like Microsoft’s Windows, Cisco’s routers are very widely used. Cisco owned nearly two-thirds of the router market in the fourth quarter of 2007, according to research firm IDC. In the past, researchers have built malicious software, known as “IOS patching shellcode,” that could compromise a Cisco router, but those programs are custom-written to work with one specific version of IOS. The new rootkit will be different. “It could work on several different versions of IOS,” he said. The software cannot be used to break into a Cisco router -- an attacker would need to have some kind of attack code, or an administrative password on the router to install the rootkit, but once installed it can be used to silently monitor and control the device. Source:

Thursday, May 15, 2008

Daily Report

• According to the Associated Press, Federal investigators have concluded that a lack of company safeguards such as alarms and automatic shutoffs led to a massive chemical plant explosion in Danvers, Massachusetts in November 2006. (See item 3)

• Autopia reports that an FAA airspace redesign project meant to reduce congestion and delays at airports in the Northeast corridor is creating pilot confusion that could result in safety problems. The plan creates additional jet routes by allowing planes to fly closer to one another and by routing departing flights on a set of parallel paths, rather than having them criss-cross. (See item 14)

Information Technology

25. May 14, Associated Press – (International) NATO allies sign agreement on cyber defense center. Seven NATO allies signed a deal Wednesday to fund a research center to boost the alliance’s defenses against cyber attacks, seen as a growing threat to military and civilian computer networks. The center is based in the Baltic nation of Estonia, which was hit last year by an unprecedented wave of cyber attacks that crippled government and corporate computer networks. The attacks followed a dispute over the relocation of a Soviet war memorial in the Estonian capital, leading many to suspect the Kremlin was behind the virtual strikes. Moscow denied involvement. Defense chiefs from Estonia, Latvia, Lithuania, Germany, Italy, Spain and Slovakia all signed the agreement to provide staff and funding for the center in Tallinn. “It is a cooperative effort to bring all the best minds together in cyber defense,” said a U.S. general and NATO’s top commander in charge of military modernization. “We cannot say that we are not going to defend the Web that everybody needs.” The United States will join the project as an observer, and other NATO nations may join later. The agreement was signed during a regular meeting of chiefs of defense staff from the 26 NATO allies. The defense center will be operational in August, although the formal opening is planned for 2009. A staff of 30 specialists will conduct research and training on cyber warfare. Source:

26. May 13, InformationWeek – (National) Microsoft patch Tuesday: Six vulnerabilities fixed in four bulletins. Microsoft issued its May security fix, addressing six vulnerabilities in four bulletins. Three of the bulletins describe critical vulnerabilities in Microsoft Word, Microsoft Publisher, and Microsoft Jet Database Engine. The fourth details a moderate vulnerability in Microsoft’s Malware Protection Engine, which powers products like Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, and Microsoft Forefront Security. All the vulnerabilities addressed this month are client-side vulnerabilities. MS08-026 fixes two privately reported holes in Word that could have allowed an attacker to take control of a victim’s computer using a maliciously crafted Word file. MS08-027 fixes a privately reported vulnerability in Publisher that, similarly, could have allowed an attacker to subvert a victim’s computer using a maliciously crafted file. MS08-028 repairs a publicly reported flaw in the Microsoft Jet Database Engine (4.0) in Windows. If successfully exploited, the vulnerability could allow an attacker to execute arbitrary code, mitigated by the user’s administrative rights. MS08-029 resolves two privately reported issues affecting Microsoft Malware Protection Engine that could have allowed a remote attacker to craft a malicious file that, when scanned, could have led to a denial of service attack. Source:

Communications Sector

27. May 14, – (International) Lack of bandwidth and huge traffic threatens to engulf companies. Around half of European IT managers expect their bandwidth requirements to grow by over 50 percent in the next five years, but do not expect to see more than a 5 percent increase in their budgets, according to research commissioned by Viatel. The pan-European business communications provider’s survey warns that companies may face serious WAN problems in the future, with pressures such as storage, green technologies and compliance competing strongly for budget, and a significant proportion of companies (28 percent) believing that their bandwidth requirements would double within five years. Driving this growth was the sheer weight of email and web traffic, with 39 percent of respondents seeing this as the biggest contributor to the need for more bandwidth. 30 percent believed that VoIP and converging technologies such as video on demand would also have a significant effect on traffic in the future, and 18 percent attributed the increase in bandwidth requirements to supporting ERP and CRM systems. Even though 91 percent believed their bandwidth needs would grow significantly over the next five years, three quarters of the sample stated that increasing network bandwidth was not their top IT concern. Preparing for the impact of the economic downturn, as well as dealing with the worsening security climate, were the clear priorities, with over half (56 percent) of the sample naming the preparation and implementation of business continuity plans as their top concern for the coming year. Protecting the business against emerging IT security threats, such as denial-of-service attacks, also accounted for a large slice of IT managers’ budgets. Source:

28. May 14, Inquirer – (National) Doctors fear wireless internet killers. Doctors are concerned that the proposed use of unoccupied TV airwaves for high-speed Internet services could kill critically ill patients. The American Society of Healthcare Engineering, an arm of the American Hospital Association, claims that signals which monitor critically ill patients could be lost because of interference. They say that using empty channels for unlicensed broadcasts could disrupt the monitoring of patients’ heart rates, blood oxygen levels and other vital signs at hospitals. If the machines go down, even for a few seconds, doctors lose information on the patient’s condition. Medical device maker GE Healthcare asked the FCC to ‘proceed carefully’ when it permitted use of the idle channels. Since the 1980s, hospitals have used channels 33 to 36 to operate unlicensed wireless patient-monitoring devices. Channel 37 has been set aside for the exclusive use of medical equipment. However, some hospitals still use other channels. Source: