Daily Report Wednesday, February 28, 2007

Daily Highlights

The Department of Transportation's Inspector General will review two recent cases of airlines leaving passengers stranded on board aircraft for hours, and then provide specific recommendations for what airlines, airports, and the government can do to prevent future similar events. (See item 10)
The Associated Press reports nearly two−dozen people were being decontaminated Tuesday, February 27, after a white, powdery substance was found on an international student who claimed to have a bomb and threatened "terrorist−type" actions at the University of Missouri−Rolla. (See item 26)
Information Technology and Telecommunications Sector

February 27, CNET News.com — Storm Worm variant targets blogs, bulletin boards. A variant of the Trojan horse attacks known as Storm Worm emerged Monday, February 26, targeting people who post blogs and notices to bulletin boards. Storm Worm emerged in January and raged across the globe in the form of e−mails with attachments that, when opened, loaded malicious software onto victims' PCs, commandeering the machines so they could be used for further attacks. The new Storm Worm variant attacks the machines of unsuspecting users when they open an e−mail attachment, click on a malicious e−mail link or visit a malicious site, said Dmitri Alperovitch, principal research scientist at Secure Computing. But the twist comes when these people later post blogs or bulletin board notices. The software will insert into each of their postings a link to a malicious Website, said Alperovitch, who rates the threat as "high." The danger in this most recent case, he added, is that the user is actually posting a legitimate blog or bulletin board notice, unaware that a malicious link has been slipped into the text of the posting.
Source: http://news.com.com/Storm+Worm+variant+targets+blogs%2C+bulletin+boards/2100-7349_3-6162623.html?tag=cd.lede

32. February 26, Federal Computer Week — Security, consolidation top CIOs’ agendas. Despite progress on information technology security, agency chief information officers’ top priorities and concerns are still meeting statutory and regulatory requirements, ensuring data is secure while also available to meet mission needs, and facilitating overall network defense. A survey of 47 CIOs at 33 organizations in the executive, legislative and judiciary branches issued today by the IT Association of America (ITAA) found cybersecurity policies, management and training have improved in the past year, but the execution of cybersecurity remains a major challenge. ITAA found that many CIOs focus on accomplishing what they have started and not on new projects. Besides IT security and information sharing, CIOs continue to work on the consolidation of back−office and mission−critical systems, enterprise IT management, and the Office of Management and Budget’s line of business initiatives. Those are among the CIOs’ top challenges, the survey found.
Survey: http://www.itaa.org/newsroom/release.cfm?ID=2424
Source: http://fcw.com/article97779-02-26-07-Web
Daily Report Tuesday, February 27, 2007

Daily Highlights

The Associated Press reports the Federal Deposit Insurance Corporation and VeriSign Inc., which manages domain registry names, say fraudulent e−mails claiming to be from them should be considered a malicious attempt to collect personal data. (See item 7)
The Postal Regulatory Commission on Monday, February 26, recommended a U.S. Postal Service rate increase, which may be implemented as early as May; the average rate increase will be 7.6 percent. (See item 15)
Information Technology and Telecommunications Sector

February 26, Computerworld — Microsoft Office 2003 apps, Explorer hit with new crash bugs. Microsoft's Word 2003 and Excel 2003 can be crashed by attackers who feed the business applications malformed documents, Symantec Corp. reported Monday, February 26. "A remote attacker may exploit this vulnerability by presenting a malicious WMF file to a victim user," said Symantec's report. "The issue is triggered when the application is used to insert the malicious file into a document." Specially crafted WMF (Windows Metafile) image files were the root of a major attack in late 2005 and early 2006 that was launched from hundreds of malicious Websites and compromised thousands of PCs. The Excel flaw can be leveraged by a malformed spreadsheet file rather than a WMF image, Symantec added. Attacks using either vulnerability require users to download malicious files from a Website or open them when they arrive as e−mailed file attachments. Also at risk, said Symantec, is XP's and Server 2003's Windows Explorer, the operating system's file interface. Explorer will crash when attempting to open a malformed WMF image.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=servers&articleId=9011799&taxonomyId=68&intsrc=kc_top
Daily Report Monday, February 26, 2007

Daily Highlights

The Des Moines Register reports ice accumulation of up to one and one−half inches wreaked havoc on Iowa's power lines Saturday, February 24, leaving more than 171,000 customers without electricity and others in jeopardy of losing power if winds pick up. (See item 1)
The Transportation Security Administration on Friday, February 23, unveiled an operational test to evaluate backscatter technology, which detects weapons, explosives, and other metallic and non−metallic threat items concealed under layers of clothing, at Phoenix Sky Harbor Airport. (See item 13)
U.S. scientists have confirmed the first reported case of pig meningitis in a human being in North America: a 59−year−old farmer in New York State, who complained of sudden fever and confusion. (See item 25)

Information Technology and Telecommunications Sector

February 23, IDG News Service — Mozilla fixes Firefox bugs. Mozilla has released an update to its Firefox browser, fixing security flaws in the product. The Firefox release includes a fix for a bug disclosed by a security researcher last week. That flaw can be exploited by attackers to manipulate cookie information in the Firefox browser, making it probably the most important fix in the update, according to Window Snyder, Mozilla's head of security strategy. The updates also include a fix for a previously undisclosed memory corruption flaw in the browser that could be exploited to run unauthorized software on a Firefox user's computer. This flaw could also affect Thunderbird users who have configured their mail client to run JavaScript automatically, something that Mozilla does not recommend. Thunderbird is Mozilla's free e−mail client. Mozilla has patched a total of seven Firefox bugs and is also addressing two bugs in Thunderbird.
Source: http://www.infoworld.com/article/07/02/23/HNmozillafixesfirefoxbugs_1.html

32. February 23, CNET News.com — Flaw found in Office 2007. Researchers at eEye Digital Security found a file format vulnerability in Microsoft Office Publisher 2007, which could be exploited to let an outsider run code on a compromised PC. An attacker could create a malicious publisher file, said Ross Brown, eEye's chief executive. Once the recipient opens the file, he or she could find the system infected and susceptible to a remote attack. Microsoft, meanwhile, said it is investigating the report of a possible vulnerability in Publisher 2007 and will provide users with additional guidance if necessary.
Source: http://news.com.com/Flaw+found+in+Office+2007/2100-1002_3-6161835.html?tag=ne.fd.mnbc

33. February 23, Websense — Monster.com email lure to malicious code. Websense Security Labs has discovered emails that attempt to lure users to click on a link in order to upgrade their system security. The emails, which are spoofed from Monster, are written in HTML and claim that Monster systems have been upgraded and that users need to download a certified utility to be able to use Monster. The domain name that the emails point to is using five different IP addresses. Upon connecting to one of the IP addresses, the code is run, several files are downloaded and installed on the user's machine, and another file is downloaded and installed from a server in Denmark. The files appear to be designed to steal end-user information.
Source: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=747

34. February 23, US−CERT — Vulnerability Note VU#393921: Mozilla Firefox fails to properly handle JavaScript onUnload events. The JavaScript onUnload event is executed when the browser exits a Web page. An event handler can be installed via JavaScript to trap and process this event. Mozilla Firefox fails to properly handle JavaScript onUnload events. Specifically, Firefox may not correctly handle freed data structures modified in the onUnload event handler possibly leading to memory corruption. By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. We are currently unaware of a practical solution to this problem; however, disabling JavaScript will prevent exploitation of this vulnerability.
Source: http://www.kb.cert.org/vuls/id/393921
Daily Report Saturday, February 24, 2007

Daily Highlights

The story of Julie Amero, a travesty of justice, continues to attract attention, now with much more detail. (See Item 1)

Information Technology and Telecommunications Sector

1. February 17, blog.e-computer-security.info — Julie Amero -- I've Been Silent for Too Long!! -- Phase 2. The Julie Amero case, a school teacher who has been railroaded by the State of Connecticut criminal justice system is being documented in far greater detail than previously.
Windows Secrets: http://windowssecrets.com/comp/070222#story0
Center for Safe and Responsible Internet Use: http://csriu.org/
Source: http://blog.e-computer-security.info/2007/02/22/julie-amero--ive-been-silent-for-too-long--phase-2.aspx

Notice: This special posting on the DHS Daily Open Source Infrastructure Report blog is neither endorsed nor supported by the Department of Homeland Security. Rather, it is the sole effort of the author of this blog to bring this issue to the attention of the widest possible audience with the hope that your support will help to correct this travesty of justice.
Daily Report Friday, February 23, 2007

Daily Highlights

SC Magazine reports hackers infiltrated network systems −− potentially accessing the personal details of millions of shoppers −− at TJX, the parent of T.J. Maxx and Marshalls, for a longer period than the discount clothing retailer initially thought. (See item 10)
The National Transportation Safety Board has called in a glass specialist to examine the cracked windshields found on at least 14 airplanes at Denver International Airport during a storm last week. (See item 12)
The Daily Sentinel reports biologists from the Colorado Division of Wildlife continue to puzzle over the possible causes for the deaths of more than 600 waterfowl at several water treatment plants across Denver and Boulder. (See item 26)

Information Technology and Telecommunications Sector

February 22, Federal Computer Week — GSA considers establishing IPv6 program office. With the deadline for agencies to be IP Version 6−ready set for mid−2008, General Services Administration (GSA) officials are considering establishing a program office to guide GSA’s compliance, and according to John Johnson, GSA’s assistant commissioner for Integrated Technology Service, something could develop in the next several months. The Office of Management and Budget mandated in 2005 that agencies have an IPv6−ready network backbone by June 2008. Continuing on an evolution to IPv6−capable IT systems makes the deadline only a starting point, administration officials working closely with IPv6 transitions have said. Officials are mulling over what the office would do, specifically what its goals and objectives would be. They are analyzing the migration’s size and complexity regarding GSA's Networx contract, governmentwide acquisition contract programs and Schedules.
Source: http://www.fcw.com/article97731-02-22-07-Web

35. February 22, InformationWeek — Despite government data losses, security education spending not growing. While laptop and data loss continue to plague government agencies, a new report shows that federal spending on user education remains stagnant. Out of an annual IT security budget of $5.6 billion, the U.S. is spending $140 million to $150 million annually on security awareness and training, according to information security analyst Prabhat Agarwal. That user education number is expected to hold steady through 2012. Agarwal estimates that government employs between six million and 10 million people. In his report, Agarwal says users are the weakest link in the government's security −− much like they are in the corporate world.
Report: http://www.input.com/corp/press/detail.cfm?news=1311
Source: http://www.informationweek.com/news/showArticle.jhtml;jsessionid=K1XPX1NPMLYF2QSNDLOSKH0CJUNN2JVN?articleID=197008122

36. February 22, SC Magazine — Former FBI agent: Youth turning to cybercrime for the money. Young technology graduates from developing countries are being drawn into organized cybercrime believing they'll make more money than at legitimate jobs, according to Ed Gibson, chief security adviser for Microsoft U.K. Gibson, who addressed delegates at a security conference organized by Claranet in London Thursday, February 22, warned: "In countries like Ukraine, it is tempting for young people with a technology background to work for these hacking gangs because there is not a lot of money in legal jobs. Even when a person wants out, their family is threatened with violence so they continue to work for these organized criminals." The former FBI agent said that cybercrime gangs are operating in emerging nations -- such as Ukraine and Bulgaria -- to run online fraud campaigns because of lax law enforcement and lack of cooperation between authorities there and in the West. "The police here in the U.K. and other developed countries are territorially and jurisdictionally bound," he said. "They can't just go to these emerging countries, where these cybercriminals are working, and liaise with the authorities there."
Source: http://scmagazine.com/us/news/article/635172/former-fbi-agent-youth-turning-cybercrime-money/

37. February 21, Government Computer News — NGA issues standards for geospatial intel interoperability. The National Geospatial-Intelligence Agency (NGA) has publicly released a document outlining the overall National System for Geospatial-Intelligence (NSG) standards baseline. The baseline was developed and coordinated by the National Center for Geospatial Intelligence Standards, or NCGIS, which was formed by the NGA soon after September 11 with other Defense Department agencies, intelligence agencies, standards organizations, civil agencies, private industry and foreign partners. The purpose in establishing the set of standards is to enable data and service interoperability in the context of a service-oriented architecture. “Geospatial Intelligence Standards: Enabling a Common Vision,” issued in November but released to the public February 20, endorses a set of key specifications known collectively as the Open Geospatial-Intelligence Consortium Spatial Data Infrastructure 1.0 baseline. These OGC standards include the OpenGIS® Specifications for Web Feature Service (WFS), Geography Markup Language (GML), Web Map Service (WMS), Styled Layer Descriptor (SLD), Catalogue Services (CS-Web) and Filter Encoding Specifications (FE).
“Geospatial Intelligence Standards: Enabling a Common Vision”: http://portal.opengeospatial.org/files/?artifact_id=19983
Source: http://www.gcn.com/online/vol1_no1/43190-1.html
Daily Report Thursday, February 22, 2007

Daily Highlights

SC Magazine reports phishers are using Google Maps and IP addresses in a new social engineering attack for committing identity theft, targeting customers with Bank of America accounts in the United States and account holders with other financial institutions in Australia and Germany. (See item 8)
The Department of Homeland Security has announced the launch of the Traveler Redress Inquiry Program, which allows travelers to seek redress and resolve possible watch list misidentification issues with any of the department’s component agencies at an easy to use and easy to access online location. (See item 14)

Information Technology and Telecommunications Sector

February 21, US−CERT — Multiple vulnerabilities in Trend Micro ServerProtect. US−CERT is aware of multiple stack−based buffer overflow vulnerabilities in the Trend Micro ServerProtect "stcommon.dll" and "eng50.dll" modules. Exploitation of these vulnerabilities may allow execution of arbitrary code with SYSTEM privileges.
US-CERT recommends users apply the ServerProtect 5.58 for Windows Security Patch 1 - Build 1171 patch as soon as possible: http://www.trendmicro.com/download/product.asp?productid=17
Trend Micro Vulnerability Response: http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034290
NVD Vulnerability Summary CVE-2007-1070: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1070
Source: http://www.us-cert.gov/current/current_activity.html#tmbofs

29. February 21, CRN — Google Desktop vulnerability fixed. Google has fixed a serious vulnerability in its popular Google Desktop software that could allow remote attackers to access confidential data and gain full control over affected PCs. Google Desktop, which extends Google's Web search and indexing functions to local PC hard drives, is susceptible to a cross-site scripting attack (XSS) because of its failure to properly encode output data, according to researchers at security vendor Watchfire, which discovered the flaw in January. Google issued a fix for the vulnerability soon after being notified by Watchfire, and users are being automatically updated with the patch, according to a Google spokesperson. Although Google has fixed this XSS vulnerability, the fact that the online and offline connection with Google Desktop still exists means that the software could still be vulnerable, according to Mike Weider, CTO of Watchfire.
Original report: http://www.watchfire.com/news/releases/02-21-07.aspx
Source: http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=197007769

30. February 21, SC Magazine — Microsoft takes down malicious MSN Messenger banner advertisements. Banner advertisements that install malware onto the user's computer were left unnoticed for several days on the MSN Messenger service, according to researchers. The advertisements appear to promote a security application, known as Winfixer or ErrorSafe−−said to identify and repair threats and other computer problems. The malware is downloaded and installed onto the user’s machine without their authorization and announces fake security warnings to entice the recipient into buying a licensed copy of the product, according to security analysts. Microsoft has now acknowledged the problem and removed the advertisements, which were displayed in the contacts panel in its instant messaging program.
Source: http://scmagazine.com/us/news/article/634699/microsoft-takes-down-malicious-msn-messenger-banner-advertisements/

31. February 20, Government Computer News — Many unknowns remain in move to IPv6. On Tuesday, February 20, a panel of government and industry experts met during the IPv6 Tech Forum in Virginia to discuss uses for the new IPv6−enabled networks and the challenges users will face. The Department of Defense, along with civilian agencies, has set a goal of transitioning its networks to the next generation of Internet Protocols by July 2008. But a successful transition to IPv6 will merely establish parity with existing networks. The return on the investment will depend on how applications take advantage of the new functionality. Unfortunately, there still are many unanswered questions about what will happen when networks begin using IPv6. The federal government is a major driver in the industry’s move to IPv6, because it has been requiring functionality for the new protocols in its networking equipment. The business rationale for moving to IPv6 will be improved productivity or functionality. The opportunity to strip proprietary protocols out of legacy systems and build everything on IPv6 should save money on licensing and simplified application development. But the steep learning curve in managing networks with the new protocols could delay these benefits.
IPv6 Tech Forum: http://www.afcea.org/committees/technology/techforum/
Source: http://www.gcn.com/online/vol1_no1/43184-1.html
Daily Report Wednesday, February 21, 2007

Daily Highlights

Stop & Shop said Saturday, February 17, that thieves stole account and personal identification numbers from customers’ credit and debit cards at several Rhode Island locations by tampering with checkout−lane keypads. (See item 12)
The Associated Press reports Dole is recalling more than six−thousand cartons of imported cantaloupes grown in Costa Rica; this is yet another product being recalled after testing positive for salmonella. (See item 21)

Information Technology and Telecommunications Sector

32. February 19, US−CERT — Technical Cyber Security Alert TA07−050A: Sourcefire Snort DCE/RPC Preprocessor Buffer Overflow. A stack buffer overflow vulnerability in the Sourcefire Snort DCE/RPC preprocessor could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the Snort process. Sourcefire Snort is a widely−deployed, open−source network intrusion detection system (IDS). Snort and its components are used in other IDS products, notably Sourcefire, and Snort is included with a number of operating system distributions. The DCE/RPC preprocessor reassembles fragmented SMB and DCE/RPC traffic before passing data to the Snort rules. The vulnerable code does not properly reassemble certain types of SMB and DCE/RPC packets. An attacker could exploit this vulnerability by sending a specially crafted TCP packet to a host or network monitored by Snort. The DCE/RPC preprocessor is enabled by default, and it is not necessary for an attacker to complete a TCP handshake.
Solution: Upgrade to Snort http://www.snort.org/docs/release_notes/release_notes_2613.txt
Source: http://www.us-cert.gov/cas/techalerts/TA07-050A.html

33. February 16, InformationWeek — Princeton professor finds no hardware security in e−voting machine. A Princeton University computer science professor who bought several Sequoia electronic voting machines off the Internet claims he found no hardware security to prevent someone from accessing the technology that controls the vote counting. Andrew Appel said Friday, February 16, there was nothing in the five Sequoia AVC Advantage machines he bought for $82 that would stop him from reaching the read−only memory (ROM) chips that hold the program instructions for counting votes. The chips were not soldered to the circuit boards, and could be easily removed with a screwdriver and replaced with other chips. Therefore, a person who had access to a machine chip could reverse engineer the program instructions and then write his own instructions on a ROM chip available from any computer equipment retailer, according to Appel. If that person had access to a machine in a voting station, he could easily open the computer, pop out the original chip from its socket, and press in the new one. Sequoia, which says it has managed thousands of electronic elections for 14 years in 16 states, said the professor's analysis was incorrect because the machines bought off the Internet are not in a voting station, where election officials implement their own security measures to prevent machine tampering.
Source: http://www.informationweek.com/shared/printableArticle.jhtml?articleID=197006847

34. February 16, Government Computer News — NIST releases info security documents. The National Institute of Standards and Technology (NIST) has published two new interagency reports designed to help auditors, inspectors general and senior management understand and evaluate information security programs. NISTIR 7359, titled “Information Security Guide for Government Executives,” is an overview of IT security concepts that senior management should grasp. NISTIR 7358, titled “Program Review for Information Security Management Assistance (PRISMA),” lays out a standardized approach for measuring the maturity of an information security program. PRISMA is a methodology developed by NIST for reviewing complex requirements and posture of a federal information security program. It is intended for use by security personnel, as well as internal reviewers, auditors and IGs. Tools laid out in NISTIR 7358 should help identify program deficiencies, establish baselines, validate corrections and provide supporting information for Federal Information Security Management Act scorecards.
NISTIR 7359: http://csrc.nist.gov/publications/nistir/ir7359/NISTIR-7359.pdf
NISTIR 7358: http://csrc.nist.gov/publications/nistir/ir7358/NISTIR-7358.pdf
Source: http://www.gcn.com/online/vol1_no1/43141-1.html
Daily Report Tuesday, February 20, 2007

Daily Highlights

InformationWeek reports the Delaware U.S. attorney on Thursday, February 15, revealed a massive insider data breach at chemicals company DuPont where a former scientist late last year pleaded guilty to trying to steal $400 million worth of company trade secrets. (See item 13)
The Associated Press reports airlines are investigating why windshields on at least 13 planes cracked at Denver International Airport as winds of up to 100 mph whipped through the foothills in Colorado. (See item 17)
Governor Ed Rendell has ordered an investigation to find out what happened with PennDOT, the Pennsylvania Emergency Management Agency, and other agencies that resulted in hundreds of motorists being stranded in their cars for as much as 24 hours on Interstate 78. (See item 18)
The Chicago Tribune reports hundreds of cattle from Canada, which this month confirmed its ninth case of mad cow disease, have entered the U.S. without government−required health papers or identification tags. (See item 25)

Information Technology and Telecommunications Sector

February 16, US−CERT — Technical Cyber Security Alert TA07−047A: Apple Updates for Multiple Vulnerabilities. Apple has released Security Update 2007−002 to correct multiple vulnerabilities affecting Apple Mac OS X, Mac OS X Server, and iChat. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Attackers may take advantage of the less serious vulnerabilities to bypass security restrictions or cause a denial of service. Apple Security Update 2007−002 addresses a number of vulnerabilities affecting Apple Mac OS X, OS X Server, and iChat. Further details are available in the related vulnerability notes. The vulnerabilities addressed in this update were previously disclosed as part of the Month of Apple Bugs project. The impacts of these vulnerabilities vary. Potential consequences include remote execution of arbitrary code or commands, bypass of security restrictions, and denial of service.
Users should install Apple Security Update 2007-002: http://docs.info.apple.com/article.html?artnum=106704
Source: http://www.us-cert.gov/cas/techalerts/TA07-047A.html

47. February 16, US−CERT — Cisco Releases Security Advisories to Address Multiple Vulnerabilities in PIX, ASA, and FWSM. Cisco has released Security Advisory cisco−sa−20070214−pix to address multiple vulnerabilities in the PIX 500 Series Security Appliances and the ASA 5500 Series Adaptive Security Appliances. The vulnerabilities exist due to flaws in the way Cisco PIX and ASA appliances process malformed HTTP requests, SIP packets, and TCP−based packets. By sending specially crafted packets to a vulnerable appliance, an attacker may be able to cause a denial of service, escalate user privileges, or take complete control of the appliance. Note: The Security Advisory also states that some of these vulnerabilities affect the Cisco Firewall Services Module (FWSM).
Cisco Security Advisory cisco-sa-20070214-pix - Multiple Vulnerabilities in Cisco PIX and ASA Appliances: http://www.cisco.com/en/US/products/products_security_advisory09186a00807e2484.shtml#details
Cisco Security Advisory cisco-sa-20070214-fwsm - Multiple Vulnerabilities in Firewall Services Module: http://www.cisco.com/en/US/products/products_security_advisory09186a00807e2481.shtml#details
Source: http://www.us-cert.gov/current/#cscopxasa
Daily Report Saturday, February 17, 2007

Daily Highlights

Numerous sites around the world are telling the story of Julie Amero, a travesty of justice. (See Item 1)

Information Technology and Telecommunications Sector

1. February 17, blog.e-computer-security.info — Julie Amero -- I've Been Silent for Too Long!!. A brief discussion of the Julie Amero case, a school teacher who has been railroaded by the State of Connecticut criminal justice system.

Notice: This special posting on the DHS Daily Open Source Infrastructure Report blog is neither endorsed nor supported by the Department of Homeland Security. Rather, it is the sole effort of the author of this blog to bring this issue to the attention of the widest possible audience with the hope that your support will help to correct this travesty of justice.
Daily Report Friday, February 16, 2007

Daily Highlights

The Associated Press reports that Jet Blue Airlines passengers were left waiting on planes at a New York airport for as long as nine hours during a snow and ice storm, Wednesday, February 14. (See item 12)
The Associated Press reports another 100 National Guardsmen will soon be stationed along New Mexico’s southern border with Mexico bringing Guard numbers close to 900 for the region, according to a commander with Operation Jump Start. (See item 18)

Information Technology and Telecommunications Sector

34. February 15, IDG News Service — Attackers seize on new zero-day in Word. Microsoft's Word and Office programs have been targeted again, with the company warning that hackers may already be exploiting a new vulnerability found in the applications. The warning comes just after the company issued fixes for 20 other bugs in its products on Tuesday, February 13, including six for Word. The latest problem affects Office 2000 and Office XP, Microsoft said in a security advisory on Wednesday. An attacker could create a specially-crafted Word document that, if opened, could allow them to control a victim's computer remotely. As usual it advised great caution when opening unsolicited attachments. Microsoft said it had received reports of "very limited, targeted" attacks. Danish security vendor Secunia ranked the problem as "extremely critical." The emergence of a security bug so soon after Microsoft's scheduled patch release follows a familiar pattern by hackers, who want to maximize the amount of time they have to take advantage of a vulnerability, said Thomas Kristensen, Secunia's chief technical officer.
Microsoft Advisory: http://www.microsoft.com/technet/security/advisory/933052.mspx
Source: http://www.infoworld.com/article/07/02/15/HNzerodayinword_1.html

35. February 15, IDG News Service — Drive-by Web attack could hit home routers. If you haven't changed the default password on your home router, do so now. That's what researchers at Symantec and Indiana University are saying, after publishing the results of tests that show how attackers could take over your home router using malicious JavaScript code. For the attack to work, the attackers would need a couple of things to go their way. First, the victim would have to visit a malicious Website that served up the JavaScript. Second, the victim's router would have to still use the default password that it's pre-configured with out of the box. In tests, the researchers were able to do things like change firmware and redirect a D-Link Systems DI-524 wireless router to look up Websites from a Domain Name System server of their choosing. They describe these attacks in a paper, authored by Sid Stamm and Markus Jakobsson of Indiana University, and Symantec's Zulfikar Ramzan. "By visiting a malicious Webpage, a person can inadvertently open up his router for attack," the researchers write. "A Website can attack home routers from the inside and mount sophisticated...attacks that may result in denial-of-service, malware infection, or identity theft."
Research: http://www.cs.indiana.edu/pub/techreports/TR641.pdf
Source: http://www.infoworld.com/article/07/02/15/HNdrivebywebattack_1.html

36. February 15, CNET News — U.S. servers use more power than Mississippi. It's no secret that the servers behind every Web 2.0 company, bank Internet site and corporate e−mail system are consuming ever larger amounts of power. But now a Lawrence Berkeley National Laboratory study has quantified exactly how much. Servers in the United States and their attendant cooling systems consumed 45 billion kilowatt−hours of energy in 2005. That's more than Mississippi and 19 other states, according to study author Jonathan Koomey, a scientist at Lawrence Berkeley National Laboratory and consulting professor at Stanford University. And the computers' electricity appetite is still growing fast. "Over a five−year period from 2000 to 2005, there has been about a doubling," Koomey said. Most of the growth is from the widespread adoption of lower−end servers costing less than $25,000, he said. Server power demand has moved high up customer priority lists −− especially with rising power costs and overstuffed data centers −− and hardware makers are responding. Among the touted fixes are energy−efficient processors, power consumption caps, water cooling and consolidation of work from numerous inefficient low−end servers to fewer, more−powerful machines.
Source: http://news.com.com/U.S.+servers+slurp+more+power+than+Mississippi/2100−1010_3−6159583.html?tag=nefd.top

37. February 15, VNUNet — Quake−hit Web links restored in Asia. Asian telecom cables damaged in an earthquake late last year have been fully repaired, restoring Internet links to the region, Hong Kong authorities announced Wednesday, February 14. Two violent magnitude seven quakes in the space of five minutes either directly severed undersea cables, or triggered undersea landslides that buried and broke the data links on December 26. The links normally carry more than 80 percent of East Asia's voice and data traffic.
Source: http://www.vnunet.com/vnunet/news/2183438/asia−net−links−restored

38. February 14, Sophos — Chinese police consider releasing hacker's Panda virus fix. Sophos has advised computer users to think carefully about how they remedy virus infections, following news that the Chinese police are to release a clean−up program written by the author of the Fujacks worm. According to media reports from China, authorities are planning to issue a fix to the Fujacks worm which turns icons into a picture of a panda burning joss−sticks. Controversially, the utility has been written by Li Jun, the suspected author of the virus. "Hackers and virus writers have shown themselves to be irresponsible and untrustworthy and I certainly wouldn't choose to run their code on my computer," said Graham Cluley, senior technology consultant for Sophos. "Additionally, the Fujacks virus left some infected files unable to run. That hardly suggests that the author took quality assurance seriously when he constructed his malware."
Source: http://www.sophos.com/pressoffice/news/articles/2007/02/fujacks−fix.html

Daily Report Thursday, February 15, 2007

Daily Highlights

The Associated Press reports snow and ice coated streets Wednesday, February 14, as a blizzard shut down schools, highways, and air travel across the Northeast, and left 300,000 homes and businesses without electrical power. (See item 3)
The Associated Press reports two baggage handlers working for Menzies Aviation at Seattle−Tacoma International Airport have been arrested and fired in suitcase thefts that included laptop computers, video cameras, and DVDs. (See item 10)
All Headline News reports a mysterious ailment, called the Colony Collapse Disorder, is killing the nation's honeybees that are necessary to pollinate most of the food crops, as well as pollinating plants in home and public gardens. (See item 21)
InformationWeek reports Microsoft is warning customers that the switch to early daylight savings time on March 11 isn't accounted for in a number of its products, and that users will need to update their software to avoid potential problems. (See item 33)

Information Technology and Telecommunications Sector

33. February 14, InformationWeek — Microsoft issues warning on daylight−savings time software flaw. Microsoft is warning customers that the switch to early daylight savings time this year isn't accounted for in a number of its products, including Windows XP, and that users will need to update their software to avoid potential problems. U.S. daylight savings time will start on March 11 this year −− three weeks earlier than usual. The change was authorized by the U.S. Energy Policy Act of 2005, but Microsoft says its Y2K−like implications mean computer users need to party like it's 1999. "Unless certain updates are applied to your computer, it is possible that the time zone settings for your computer's system clock may be incorrect during this four week period," the software maker said in a statement issued Tuesday, February 13. That could lead to all kinds of problems, from calendaring applications not working properly to key, automated processes not taking place on time. Microsoft said the fix is already built into Windows Vista and Office 2007, but that earlier operating systems and applications could be hit by the problem. As of Tuesday, the company had released an update for Windows XP SP2 users via its Automatic Updates service.
Microsoft statement: http://support.microsoft.com/gp/dst_homeuser#affected
Source: http://www.informationweek.com/showArticle.jhtml;jsessionid=VORJ0BAAN1KVYQSNDLPSKHSCJUNN2JVN?articleID=197006039

34. February 14, VNUNet — Valentine worm spreading fast. Security experts warned Wednesday, February 14, that a "widespread worm" posing as a Valentine's greeting is spreading fast across the Internet. Dref−AB was deliberately spread so that office workers and home computer users found the malicious e−mail in their inbox first thing Wednesday morning. Since midnight GMT Dref−AB has accounted for 76.4 percent of all malware sighted at Sophos. Subject lines used in the attack are many and varied, but all pose as a romantic message. The worm is attached to the e−mails in files called "flash postcard.exe," "greeting postcard.exe," "greeting card.exe," or "postcard.exe."
Source: http://www.vnunet.com/vnunet/news/2183228/valentine−worm−spreading−fast

35. February 13, U.S. Computer Emergency Readiness Team — US−CERT Technical Cyber Security Alert TA07−044A: Microsoft updates for multiple vulnerabilities. Microsoft has released updates to address vulnerabilities that affect Microsoft Windows, Internet Explorer, Office, Works, Malware Protection Engine, Visual Studio, and Step−by−Step Interactive Training as part of the Microsoft Security Bulletin Summary for February 2007. The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial−of−service on a vulnerable system. Some of the updates released for Microsoft Office address vulnerabilities that are actively being exploited. For more information, refer to the following Vulnerability Notes:
Solution: Microsoft has provided updates for these vulnerabilities in the February 2007 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Note any known issues described in the Bulletins and test for any potentially adverse effects in your environment. System administrators may wish to consider using an automated patch distribution system such as Windows Server Update Services: http://www.microsoft.com/windowsserversystem/updateservices/default.mspx
Microsoft February 2007 Security Bulletin: http://www.microsoft.com/technet/security/bulletin/ms07−feb.mspx
Source: http://www.uscert.gov/cas/techalerts/TA07−044A.html

36. February 13, InformationWeek — Cisco warns of multiple IOS vulnerabilities. Cisco Systems announced on Tuesday, February 13, that there are several vulnerabilities in the Intrusion Prevention System (IPS) feature set of its Internetwork Operating System (IOS). Fragmented IP packets may be used to evade signature inspection, according to a warning on Cisco's Website. It also warned that the IPS signatures using the regular expression feature of the Atomic.TCP signature engine may cause a router to crash, resulting in a denial−of−service.
Cisco Security Advisory: http://www.cisco.com/warp/public/707/cisco−sa−20070213−iosips.shtml
Source: http://www.informationweek.com/showArticle.jhtml;jsessionid=VORJ0BAAN1KVYQSNDLPSKHSCJUNN2JVN?articleID=197005905&articleId=197005905

37. February 13, SecurityFocus — Old Firefox, IE flaw remains unfixed. Security researchers discovered that both Mozilla's Firefox and Microsoft's Internet Explorer Web browsers fail to securely handle keystrokes entered by the user, potentially allowing an attacker the ability to download files. The design flaws, which resemble issues found in June 2006 and as far back as 2000, allow certain keystrokes to be sent to a different application as long as the attacker can convince the user to type the appropriate characters. Attackers could use typing−intensive tasks such as keyboard−based games and comment fields to collect a user's input and send the appropriate keystrokes to a hidden application. "The vulnerability allows the attacker to silently redirect focus of selected key press events to an otherwise protected file upload form field," researcher Michal Zalewski, who discovered the most recent issues, stated in a post to the Full disclosure security mailing list on Sunday, February 11. "This is possible because of how onKeyDown [and] onKeyPress events are handled, allowing the focus to be moved between the two. If exploited, this enables the attacker to read arbitrary files on victim's system." The issue appears to affect versions 1.5 and 2.0 of Firefox and versions 5.0, 5.5, 6 and 7 of Internet Explorer.
Source: http://www.securityfocus.com/brief/433

Daily Report Wednesday, February 14, 2007

Daily Highlights

GovExec reports the hard drive missing from an Alabama Veterans Affairs Department facility last month contained highly sensitive information on nearly all U.S. physicians and medical data for about 535,000 Veterans Affairs patients. (See item 8)
The Associated Press reports snow, freezing rain and plunging temperatures on Tuesday, February 13, created problems for travelers across the Midwest with canceled flights as well as cars and tractor−trailer rigs sliding off highways; Chicago's O'Hare International Airport canceled more than 400 flights. (See item 14)
The Associated Press reports the 18−year−old gunman who opened fire on shoppers in the Trolley Square shopping mall, killing five and wounding four others before police fatally shot him, was armed with several rounds of ammunition and was carrying two guns. (See item 31)

Information Technology and Telecommunications Sector

26. February 13, Reuters — China detains six over 'panda' computer virus. China has detained six men in their 20s for writing or profiting from a computer virus dubbed the "joss−stick burning panda," which has infected over a million PCs in the country. The worm wreaked havoc among individual and corporate users in China in a late 2006 outbreak, deleting files, damaging programs and attacking Web portals. Chinese media have said that the worm was able to steal account names of online gamers and instant messengers, which are hotly traded with real money in China's cyberspace. Police held Li Jun, 25, a native of Wuhan city in central China, who wrote the virus in October and had earned more than $12,890 by selling it to about 120 people, the Beijing News said. The other five, from three different provinces, were detained for updating and spreading the virus or for profiting from the stolen account names.
Source: http://www.eweek.com/article2/0,1895,2094418,00.asp

27. February 13, IDG News Service — T−Mobile: VoIP will have no major impact. Don't expect new mobile phone services based on the Internet Protocol to become nearly as prevalent as those running over PCs. That's the view of Hamid Akhavan, CEO of T−Mobile International. Voice over Internet Protocol, or VoIP, services provided over mobile phone networks will have "far less impact" than those offered over fixed−line networks, Akhavan said Tuesday, February 13, on the sidelines of a news conference at the 3GSM conference in Barcelona. "There are all sorts of technical issues that make mobile VoIP services difficult to implement," he said. Technical issues related to how networks pass on IP addresses of mobile users have not been completely resolved, he noted. "Take reachability, for example: How can the call come to me?" Akhavan also said emergency phone service and "always on" connectivity are also big issues, since staying online takes up bandwidth on pricey mobile networks. And then there's price: "When people talk about VOIP, they think free," Akhavan said. "With any mobile service provided over the Internet, you're going to need to buy a data package."
Source: http://www.infoworld.com/article/07/02/13/HNvoipnoimpact_1.html

28. February 12, IDG News Service — U.S. Government readying massive cybersecurity test. The Department of Homeland Security (DHS) is planning a large−scale test of the nation's response to a cyberattack to be held in early 2008. The test will be a follow−up to the February 2006 Cyber Storm test, which was billed as the largest−ever U.S. government online attack simulation. Cyber Storm 2 will be conducted in March 2008, said Gregory Garcia, assistant secretary for cyber security and telecommunications with DHS, speaking at the RSA Conference in San Francisco last week. Like the first Cyber Storm, this exercise will evaluate the ability of the public and private sector to provide a coordinated response to a large−scale cyber event, he said. The second Cyber Storm test, which is in the planning stages right now, will include a greater number of participants than its predecessor. In particular, the number of international participants will be increased.
Source: http://www.infoworld.com/article/07/02/12/HNcyberstorm2_1.html

29. February 12, ComputerWorld — Spam, viruses, botnets: Can the Internet be saved? Advances in IT over the decades have come mostly in small increments. That kind of evolutionary approach has served users well, boosting speeds, capacities and application capabilities by many orders of magnitude. But such incremental improvements are no longer sufficient to keep the Internet viable, according to a growing number of researchers. In fact, they say, the Internet is at the tipping point of overwhelming abuse and complexity. The most sanguine of observers say that even if the Internet is able to avoid some kind of digital Armageddon brought on by spammers, hackers, phishers and cyberterrorists, it nevertheless will drown in a flood of mobile gadgets, interactive multimedia applications and Internet−enabled devices. And it isn’t just a problem of security and reliability, says Nick McKeown, a computer scientist at Stanford University; the Internet is getting crushed by complexity. He points out that the original Internet design was based on the idea that users were immobile and connected to the Net by wires.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=279934&intsrc=hm_ts_head

30. February 12, ComputerWorld — 'Storm Trojan' spreading via IM, attacking rival malware. The Trojan horse that pumped up spam volumes in January is at it again, researchers said Monday, February 12, and is now spreading over instant messaging and engaging in attacks on rival malware. Symantec Corp. researchers said that the "Storm Trojan," aka "Peacomm," is now spreading via AOL Instant Messenger (AIM), Google Talk and Yahoo Messenger. An alert to some Symantec customers pegged the new infection vector as "insidious" because the message and the included URL can be dynamically updated by the attacker. Even worse, according to Alfred Huger, senior director of Symantec's security response team, "it injects a message and URL only into already−open windows. It's not just some random message that pops up, but it appears only to people [you are] already talking to. That makes the approach very effective." Moreover, the server from which the malware is downloaded to the victim's PC can be quickly changed by the attacker using the Trojan's peer−to−peer control channel.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011146&intsrc=hm_list

Daily Report Tuesday, February 13, 2007

Daily Highlights

Johns Hopkins −− which comprises Johns Hopkins University and Johns Hopkins Hospital in Baltimore −− disclosed that it has lost the personal data on roughly 52,000 employees and 83,000 patients. (See item 10)
The U.S. Postal Inspection Service is working with law enforcement agents from the FBI and ATF, as well as local and state agencies, to investigate two explosive devices sent to financial institutions since January 31, and has its own employees nationwide on high alert to identify suspicious packages. (See item 14)
The Associated Press reports thousands of people were evacuated from a Spokane mall Sunday afternoon, February 11, after noxious fumes of unknown origin sickened people inside. (See item 34)

Information Technology and Telecommunications Sector

26. February 12, IDG News Service — China and Russia top list of worst copyright violators. China and Russia are the two worst foreign infringers of U.S. software and music copyrights and they should remain on the U.S. government's priority watch list, a group representing the software, music, books, and movie industries said Monday, February 12. The International Intellectual Property Alliance (IIPA) put out the figures as part of its recommendations to the U.S. Trade Representative. China topped all rivals on the IIPA most−wanted list by pumping out $2.21 billion worth of pirated goods last year, mainly business software, according to IIPA figures. Russia ran a close second at $2.18 billion, it said.
Source: http://www.infoworld.com/article/07/02/12/HNworstcopyrightviolators_1.html

27. February 12, InformationWeek — Penn State researchers develop new worm−stopping technology. Researchers at Penn State University say they have developed anti−malware technology that can identify and contain worms in milliseconds rather than minutes −− greatly limiting how far they spread and how much damage they cause. The new technology focuses on analyzing packet rate and frequency of connections, rather than signature or pattern identification, according to a release from Penn State. "A lot of worms need to spread quickly in order to do the most damage, so our software looks for anomalies in the rate and diversity of connection requests going out of hosts," said Peng Liu, associate professor of information sciences and technology at Penn State and lead researcher on the system. Penn State researchers assert that because many security technologies focus on signature or pattern identification for blocking worms, they cannot respond to new attacks fast enough, allowing worms to exploit network vulnerabilities.
Source: http://www.informationweek.com/showArticle.jhtml;jsessionid=MIRYBBI1UOICGQSNDLRCKH0CJUNN2JVN?articleID=197005266

28. February 12, InformationWeek — SANS warns of 'major zero−day' bug in Solaris. The SANS Institute is warning of a zero−day bug in Sun's Solaris 10 and 11 Telnet that allows hackers to easily gain remote access to the computers running the operating systems. The vulnerability −− called a "major zero−day bug" −− has been verified, according to a release on the SANS' Internet Storm Center Website. The problem lies in the way Telnet, which is a network protocol, uses parameters during the authentication process, says Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Storm Center. Ullrich says that by simply adding what he calls a "trick" or simple text to the telnet command, the system will skip asking for a user name and password. No exploit needs to be downloaded. Every Solaris 10 and 11 system is at risk. If the systems are installed out of the box, they automatically come Telnet enabled. Storm Center analysts are recommending that Telnet be disabled on the Solaris systems.
Source: http://www.informationweek.com/showArticle.jhtml;jsessionid=MIRYBBI1UOICGQSNDLRCKH0CJUNN2JVN?articleID=197005178

29. February 12, Sophos — Valentine's spammers face a harder sell. In the run−up to Valentine's Day, Sophos has reported seeing a rise in the number of spam campaigns selling romantic gifts such as jewelry, chocolate and lingerie. However, a new Sophos poll reveals that just five percent of computer users now admit to purchasing goods sold via spam, compared to nine percent this time last year. According to Sophos, many of the Valentine's Day themed campaigns make use of graphics embedded in the regular e−mail text. This type of image spam, most often used for promoting stock pump−and−dump scams or medication, is popular with spammers thanks to its ability to bypass anti−spam filters that scan text content only.
Source: http://www.sophos.com/pressoffice/news/articles/2007/02/valentine.html

30. February 09, Federal Computer Week — Attack by Korean hacker prompts DoD cyber debate. The Department of Defense (DoD) computer networks are probed and attacked hundreds of times each day. But a recent attack on the civilian Internet is causing DoD officials to re−examine whether the policies under which they fight cyber battles are tying their hands. “This is an area where technology has outstripped our ability to make policy,” said Air Force Gen. Ronald Keys, Commander of Air Combat Command. “We need to have a debate and figure out how to defend ourselves.” Unlike in the war on terror, DoD can’t go after cyber attackers who plan or discuss crimes until they act, Keys said. Websites in other countries are beyond DoD's reach, he added. “If they’re not in the United States, you can’t touch 'em.” Keys said it would probably take a cyber version of the 9/11 attacks to make the U.S. realize that barriers to action in cyberspace should be re−evaluated.
Source: http://www.fcw.com/article97645−02−09−07−Web

31. February 09, CNET News — Price of cybercrime tools shrinks. It's becoming cheaper and easier to get hold of the tools needed to launch a cybercrime attack, according to security company RSA. Jens Hinrichsen, the company's product marketing manager for fraud auction, said Thursday, February 8, that RSA has been monitoring the Websites and ICQ channels where malicious hackers and cybercriminals interact. These sites allow participants to share feedback and even review one another's products. Addressing an audience at the RSA Conference 2007, Hinrichsen showed several screengrabs to illustrate that the prices being asked for hacking tools have been dropping, with many participants embracing volume discounts and other incentives. One example was a post offering a "Super Trojan," which could be used to install malicious code on a victim's PC, for $600.
Source: http://news.com.com/Price+of+cybercrime+tools+shrinks/2100−7349_3−6158025.html

Daily Report Monday, February 12, 2007

Daily Highlights

The Associated Press reports police are on the lookout for those responsible for shooting bullet holes in the Westfield water tank causing extensive damage to the tank, which supplies water to the community of Toquerville in southern Utah. (See item 18)
The New York Times reports New York City will soon test ways of strengthening defenses against a nuclear device or a radioactive dirty bomb attack, with an elaborate network of radiation alarms at relevant bridges, tunnels, roadways, and waterways, creating a 50−mile circle around the city. (See item 23)

Information Technology and Telecommunications Sector

27. February 09, eWeek — Cyber−security czar calls on IT industry for help. Addressing a crowded room of attendees at the ongoing RSA Security Conference on Thursday, February 8, Greg Garcia, assistant secretary for cyber−security and telecommunications at the Department of Homeland Security, said that he and his team are already hard at work creating policies that aim to better protect critical infrastructure. Over the first four months on the job, Garcia said, he has focused primarily on establishing a game plan for his office's future projects and working to establish inroads with members of the IT and communications industries to encourage private companies' contribution to those efforts. While the federal government is aggressively looking for ways to create stronger protections for the nation's IP backbone, the process will not be able to move forward quickly unless businesses and academic institutions that control the nation's largest networks are willing to pitch in, he said. The cyber−security chief said that his initial priorities revolve around work to breed cooperation between federal agencies to develop common security policies for defending networks and to help the private sector strengthen national preparedness and incident−response plans.
Source: http://www.eweek.com/article2/0,1895,2093175,00.asp

28. February 09, eWeek — Next wave in security: Protecting smart phones, PDAs. With the number of employees using smart phones and other mobile devices, corporations must start to focus their security on more than just their network perimeter, according to security analysts and specialists attending the RSA Conference. Research done by the Business Forum Management Program in 2006 found that roughly 49 percent of the 680 executives surveyed are "mobile" or "very mobile," and about 80 percent plan to increase the number of mobile devices used in the next few years. And even though a quarter of the respondents reported having critical data stored on mobile devices, 40 percent said they have no security and compliance measures in place to protect data on those devices. The next wave in security will deal with protecting items such as smart phones, said Curtis Cresta, vice president and general manager of North American Operations for F−Secure. Smart phones, he said, are easier to maintain and cost less than laptops. In other regions, such as Asia and Europe, the widespread use of business applications on mobile phones has already begun, noted Gartner analyst John Pescatore. With the increased presence of applications on cell phones, the threat of Web−based attacks becomes less theoretical, he said.
Source: http://www.eweek.com/article2/0,1895,2093092,00.asp

29. February 09, Register (UK) — Anatomy sheds new light on Storm Worm. A deluge of Trojan−laced spam that slyly tricked recipients by promising information about winter storms ravaging Northern Europe last month was even craftier than originally thought. Among the new revelations: The Storm Worm malware launched DDoS attacks on a host of Websites related to spam, antispam and just about anything else that may have piqued the perpetrators' ire, according to Joe Stewart, senior security researcher for SecureWorks. It also appears to be a close descendant of worms that spread in November and December, a connection that few if any have made until now. Stewart says Storm Worm is a variant of the Win32/Nuwar worm that spread as early as November. Unbeknownst to most at the time, Storm Worm also installed a DDoS attack tool that wreaked havoc on various Websites. Among them was spamnation.info, which is dedicated to countering the menace of spam. Other sites that were also targeted by Storm Worm included stockpatrol.com and several sites Stewart guesses were run by rival spammer gangs.
Anatomy of a worm report: http://www.secureworks.com/research/threats/view.html?threat=storm−worm
Source: http://www.theregister.co.uk/2007/02/09/storm_worm_anatomy/

30. February 08, eWeek — Highly−critical flaw discovered in Trend Micro products. A dangerous buffer−overflow flaw in Trend Micro anti−virus software products was reported by Trend Micro and confirmed by security researchers at iDefense Labs. Researchers at Secunia have also posted an advisory on this vulnerability and have deemed this to be highly critical. This flaw can be exploited in both Windows and Linux systems, and could be used to gain access to machines, cause denial−of−service activity and allow attackers total control of affected systems. Trend Micro responded to the vulnerability by pushing out a patch that a company spokesperson says fixes the issue. The vulnerability targets all scan engine and pattern file technology in Trend Micro products due to an error within UPX compressed executables.
Secunia Advisory: http://secunia.com/advisories/24087/
Source: http://www.eweek.com/article2/0,1895,2092841,00.asp

31. February 08, IDG News Service — Big set of Microsoft security patches coming Tuesday. Microsoft plans to release 12 sets of security patches Tuesday, February 13, fixing critical vulnerabilities in a number of its products, including the company's new security software. The bulk of the patches will fix flaws in the Windows operating system and Office, Microsoft said. Five of the updates will be for Windows, and two of them will be for Office. Microsoft also plans to release one less−critical update that addresses flaws in both Windows and Office.
Source: http://www.infoworld.com/article/07/02/08/HNmssecuritypatches_1.html

32. February 08, CNET News — Spyware, data privacy bills reappear in House. In October 2004, all but one member of the U.S. House of Representatives voted for a bill that was supposed to curtail the threat of malicious PC−disrupting spyware. But the Senate ignored it. So the House once again approved spyware regulations in May 2005, which yielded precisely the same lack of a result. Hoping that the third time proves the charm, House leaders on Thursday, February 8, introduced a bill that would once again try to impose 31 pages of regulations on the software industry in an effort to define what types of activities are permissible and which ones aren't.
Source: http://news.com.com/Spyware%2C+data+privacy+bills+reappear+in+House/2100−1028_3−6157826.html?tag=nefd.top

Daily Report Friday, February 9, 2007

Daily Highlights

USA TODAY reports the U.S. government is asking foreign countries to allow pilots to carry guns in the cockpit when they fly overseas, trying to expand a four−year−old program that allows thousands of pilots to carry guns on domestic flights. (See item 17)
The Transportation Security Administration said Wednesday, February 7, that the nation's 43,000 airport security screeners will now receive notices and photos of abducted children as part of the AMBER Alert network's quest to find missing people. (See item 22)
The Department of Homeland Security has announced the establishment of the National Advisory Council, which is being created to advise the Administrator of the Federal Emergency Management Agency on all aspects of emergency management in an effort to ensure close coordination with all involved. (See item 36)

Information Technology and Telecommunications Sector

37. February 08, eWeek — Botnet stalkers share takedown tactics at RSA. A pair of security researchers speaking at the ongoing RSA Conference Wednesday, February 7, demonstrated their techniques for catching botnet operators who use secret legions of infected computers to distribute malware programs and violent political propaganda. The botnet experts, both of whom are employed by anti−malware software maker FaceTime Communications, detailed how they identified and pursued individuals believed to be responsible for running a pair of sophisticated botnet schemes, which have been subsequently shut down or significantly scaled back. Addressing a packed room of conference attendees, Chris Boyd and Wayne Porter offered a rare inside glimpse into the world of botnet herders, which the researchers entered by hanging out on the shady online bulletin boards and chat relays where the schemers meet to share the tricks of the trade and their malware programs. By luring the prolific scammers to offer details about their work, and spying on the criminals, the researchers claim to have pieced together the identities of several of the unsavory individuals and helped take down their networks of subverted machines.
Source: http://www.eweek.com/article2/0,1895,2092435,00.asp

38. February 08, Information Week — Polycom boosts Wi−Fi voice effort with SpectraLink acquisition. Polycom reported that it will acquire SpectraLink for $220 million in cash in a move that will bolster Polycom's drive into the nascent voice over Wi−Fi market. The addition of SpectraLink will boost Polycom's ability to provide fixed and mobile telecommunications products covering voice, video, and data over desktop and mobile environments.
Source: http://www.informationweek.com/showArticle.jhtml;jsessionid=4MG1IA020SCFCQSNDLOSKH0CJUNN2JVN?articleID=197004389

39. February 08, SecurityFocus — US−CERT: Companies increasingly reporting attacks. Corporate America is getting better about telling the U.S. government about serious security incidents, according to an official from the Department of Homeland Security (DHS). In 2006, companies, universities and government agencies reported 23,000 incidents to the U.S. Computer Emergency Readiness Team (US−CERT), up from 5,000 reported in 2005, Jerry Dixon, deputy director of the DHS's National Cyber Security Division, said at the RSA Security Conference on Wednesday, February 7. So far, in the first quarter of 2007, more than 19,000 incidents have been reported to US−CERT, Dixon said. "Increasingly, the private sector is reporting these incidents," Dixon said. "We are getting a much better picture than what we used to get at the DHS."
Source: http://www.securityfocus.com/brief/430

40. February 07, eWeek — Symantec spots exploit for Excel zero−day flaw. Symantec has uncovered malicious code that could exploit Microsoft's newest zero−day vulnerability. Wednesday, February 7, on Security Response Weblog, Symantec revealed the exploit, which could drop a back−door Trojan onto an infected system. The exploit "may enable an attacker to gain remote access to your computer," wrote Amado Hidalgo in the blog post. The malicious code "appears to be exploiting a bug on MSO.DLL," which is an Office shared library, Hidalgo wrote. In a security bulletin issued on February 2, Microsoft warned that "other Office applications are potentially vulnerable" to the zero−day flaw. Symantec has only seen code that exploits Excel. The exploit actually uses two different Trojans. The first, Trojan.Mdropper.Y, drops the second, Backdoor.Bias. Symantec has released patches for both Trojans. A signature update for the first one was issued Wednesday. "Fully patched versions of Office 2000, XP and 2003 appear to be vulnerable to this exploit," Hidalgo wrote.
Symantec blog: http://www.symantec.com/enterprise/security_response/weblog/2007/02/latest_office_zeroday_vulnerab.html
Source: http://www.eweek.com/article2/0,1895,2091695,00.asp

41. February 07, CNET News — Two flaws found in Firefox. A security company has reported two new flaws in the Mozilla Firefox browser that may leave locally saved files vulnerable to outside attacks. Both flaws were announced by SecuriTeam, a division of Beyond Security, this week. The first flaw lies in Firefox's pop−up blocker feature, according to a SecuriTeam statement on Monday, February 5. The browser typically does not allow Websites to access files that are stored locally, according to the official report, but this URL permission check is superseded when a Firefox user has turned off pop−up windows manually. As a result, an attacker could use this flaw to steal locally stored files and personal information that might be stored in them. The second flaw, announced by SecuriTeam on Wednesday, concerns Firefox's phishing protection feature. With this vulnerability, an adept phisher could fool the browser into believing that a fraudulent site is actually secure by adding particular characters into the URL of its Website. The phishing flaw does appear to apply to the current version of Firefox.
Popup blocker flaw advisory: http://www.securiteam.com/securitynews/5JP051FKKE.html
Phishing flaw advisory: http://www.securiteam.com/securitynews/5MP0320KKK.html
Source: http://news.com.com/Two+flaws+found+in+Firefox/2100−1002_3−6157307.html

Daily Report Thursday, February 8, 2007

Daily Highlights

Midwest Independent Transmission System Operator −− in charge of keeping power flowing smoothly among Xcel Energy Inc. and other regional utilities −− says that as of noon Tuesday, February 6, 15,000 megawatts of power were flowing through the grid, with only 600 megawatts in reserve. (See item 2)
IDG News Service reports online hackers briefly disrupted service on at least two of the 13 root servers that are used to direct traffic on the Internet, in an attack which began Tuesday, February 6; this was the most significant attack against the root servers since an October 2002 DDoS attack. (See item 34)

Information Technology and Telecommunications Sector

31. February 07, Reuters — Cell phones silent as Mexico's biggest network fails. Millions of Mexicans had their cell phone conversations put on hold for much of Tuesday, February 6, after a wireless network belonging to the world's third richest man, tycoon Carlos Slim, temporarily crashed. A technical fault in western Mexico City saturated the Telcel cell phone network, Mexico's largest and owned by Slim's telecommunications giant America Movil, the company said on Tuesday. Telcel has 40 million users across the country. Worst affected were those in the vast capital and its surroundings, where most of the company's customers are located. Service began returning hours later and was 90 percent functional by late afternoon.
Source: http://www.eweek.com/article2/0,1895,2091424,00.asp

32. February 07, Washington Technology — DHS still grappling with IT management. Nearly four years after it was formed, the Department of Homeland Security (DHS) continues to struggle in managing, integrating and securing its IT systems, Inspector General Richard L. Skinner testified at a congressional hearing Tuesday, February 6. “Integrating the IT systems, networks and capabilities of the various legacy agencies to form a single infrastructure for effective communications and information exchange remains one of DHS’ biggest challenges,” Skinner told the House Appropriations subcommittee on homeland security. In the IT realm, the department has made progress in eliminating redundant firewalls, replacing hardware encryption devices and combining operations centers, Skinner said. But component agencies have not yet aligned their programs for information security with departmentwide programs.
Skinner's Testimony: http://www.dhs.gov/xoig/assets/testimony/OIGtm_RLS_020607.pdf
Source: http://www.washingtontechnology.com/news/1_1/daily_news/30079−1.html?topic=homeland

33. February 06, eWeek — Testers shine light on CA−Vista vulnerability. Vulnerability researchers at penetration testing software maker Core Security claim that a well−known vulnerability existing in CA's BrightStor backup software can be exploited when the program is running on Microsoft Windows Vista, essentially defeating the purpose of the operating system's much−publicized security features. Officials with Core announced the flaw at the ongoing RSA Conference. The issue illustrates the fact that unless third−party application vendors go to great lengths to integrate their products with Vista's security features, the technologies cannot take advantage of the operating system's malware−defense tools, Core officials said. Core contends that a previously disclosed vulnerability in CA's BrightStor ARCserve Backup software, dubbed CVE−2007−0169, can be exploited to compromise systems running the new Vista operating system. By exploiting the buffer overflow vulnerability in versions 9.01 through 11.5 of the CA software, along with its Enterprise Backup 10.5 and CA Server/Business Protection Suite r2 products, attackers could remotely execute arbitrary code on computers and potentially gain access to other systems, the company said. To craft an attack that takes advantage of the flaw, hackers need only slightly manipulate exploits designed to attack the same problem on systems running Microsoft's earlier Windows XP and 2000 operating systems, Core maintains.
Source: http://www.eweek.com/article2/0,1895,2090825,00.asp

34. February 06, IDG News Service — Hackers slow Internet root servers with attack. Online attackers have briefly disrupted service on at least two of the 13 "root" servers that are used to direct traffic on the Internet. The attack, which began Tuesday, February 6, at about 5:30 a.m. EST, was the most significant attack against the root servers since an October 2002 DDoS attack, said Ben Petro, senior vice president of services with Internet service provider Neustar. Root servers manage the Internet's DNS, used to translate Web addresses such as Amazon.com into the numerical IP addresses used by machines. The attack appeared to have been launched by a botnet, Petro said. "Two of the root servers suffered badly, although they did not completely crash; some of the others also saw heavy traffic," said John Crain, chief technical officer with the Internet Corporation for Assigned Names and Numbers (ICANN). The two hardest−hit servers are maintained by the Department of Defense and ICANN. The botnet briefly overwhelmed these servers with useless requests, but did not disrupt Internet service, Petro said. By 10:30 a.m. EST, Internet service providers were able to filter enough of the traffic from the botnet machines that traffic to and from the root servers was essentially back to normal.
Source: http://www.infoworld.com/article/07/02/06/HNrootserverattack_1.html

35. February 06, IDG News Service — Texas, Minnesota eye move to ODF. Texas and Minnesota may become the second and third U.S. states to adopt Open Document Format for XML (ODF) as the standard file format for government documents instead of the file format that Microsoft uses in its Office 2007 software suite. Two separate bills up for legislative consideration in each state propose to mandate the use of an open, XML−based file format that is "interoperable among diverse internal and external platforms and applications; fully published and available royalty−free; implemented by multiple vendors; and controlled by an open industry organization with a well−defined inclusive process for evolution of the standard," according to the Minnesota House of Representatives bill. The Texas bill uses similar wording to describe the file format the states intend to support. Though the bills do not specifically name ODF as the document format under consideration, the explanation of what each state wants to move to seems to fit the standard. Proponents of ODF view the bills as another victory for the file format and another step closer to giving Microsoft Office the best competition it's had in years.
Source: http://www.infoworld.com/article/07/02/06/HNtexasminnodf_1.html

36. February 06, Computer World — Study: Weak passwords really do help hackers. Left online for 24 days to see how hackers would attack them, four Linux computers with weak passwords were hit by some 270,000 intrusion attempts −− about one attempt every 39 seconds, according to a study conducted by a researcher at the University of Maryland. Among the key findings: Weak passwords really do make hackers' jobs much easier. The study also found that improved selection of usernames and associated passwords can make a big difference in whether attackers get into someone's computer. The study was led by Michel Cukier, an assistant professor of mechanical engineering and an affiliate of the university's Clark School Center for Risk and Reliability and Institute for Systems Research. His goal was to look at how hackers behave when they attack computer systems −− and what they do once they gain access. Using software tools that help hackers guess usernames and passwords, the study logged the most common words hackers tried to use to log into the systems. Cukier and two graduate students found that most attacks were conducted by hackers using dictionary scripts, which run through lists of common usernames and passwords in attempts to break into a computer.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9010540&intsrc=hm_list

37. February 05, Associated Press — CDC Website attacked by virus. Officials at the Centers for Disease Control and Prevention (CDC) are concerned about a different kind of virus −− a computer one. Hackers broke into the CDC's Website last week and planted a virus that could have infected visitors' computers. CDC officials said the hacking was concentrated on the agency's podcast site −− which has audio and video clips on a variety of public health topics −− and they do not think any sensitive information was compromised. The podcast site will be down for a few days.
Source: http://www.ledger−enquirer.com/mld/ledgerenquirer/news/local/16626841.htm