Monday, April 30, 2007

Daily Highlights

Saudi police have arrested 172 Islamic militants, some of whom were being trained abroad as pilots so they could fly suicide attacks against public figures, oil facilities, refineries, and military zones, some of which were outside the kingdom. (See item 1)
The Department of Health and Human Services has announced the establishment of the Biomedical Advanced Research and Development Authority, which will manage the procurement and advanced development of medical countermeasures for chemical, biological, radiological, and nuclear agents. (See item 26)

Information Technology and Telecommunications Sector

30. April 27, Government Accountability Office — GAO-07-424: Information Technology: DHS Needs to Fully Define and Implement Policies and Procedures for Effectively Managing Investments (Report). The Department of Homeland Security (DHS) relies extensively on information technology (IT) to carry out its mission. For fiscal year 2008, DHS requested about $4 billion, the third largest planned IT expenditure among federal departments. Given the size and significance of DHS's IT investments, the Government Accountability Office's (GAO) objectives were to determine whether DHS (1) has established the management structure and associated policies and procedures needed to effectively manage these investments and (2) is implementing key practices needed to effectively control them. The GAO used its IT Investment Management (ITIM) framework and associated methodology to address these objectives, focusing on the framework's stages related to the investment management provisions of the Clinger-Cohen Act. GAO recommends that DHS fully define the project-level and portfolio-level policies and procedures described in GAO's ITIM framework and implement the practices needed to effectively control investments. In written comments on this report, DHS agreed with GAO's findings and recommendations and stated it will use the report to improve its investment management process.

31. April 26, IDG News Service — FCC approves plan for auctioning 700MHz spectrum. The Federal Communications Commission (FCC) has approved a plan for auctions of wireless spectrum in the 700MHz band, taking the first step toward the multi-billion-dollar sale of spectrum being vacated by television stations. The FCC late Wednesday, April 25, approved an auction plan that would sell the spectrum in blocks of varying geographic size, including metropolitan areas, larger regional economic zones, and multi-state regions. The FCC also will invite comments on a number of proposals for the spectrum, which becomes available after Congress voted last year to require TV stations to switch to digital broadcasts and abandon channels 51 to 69 by February 2009.
Source: on_1.html

32. April 26, IDG News Service — New York teen hacks AOL, infects systems. A New York teenager broke into AOL networks and databases containing customer information and infected servers with a malicious program that transferred confidential data to his computer, AOL and the Manhattan District Attorney's Office allege. In a complaint filed in the Criminal Court of the City of New York, the DA's office alleges that between December 24, 2006 and April 7, 2007, 17-year-old Mike Nieves committed offenses including computer tampering, computer trespass, and criminal possession of computer material. Among his alleged exploits: accessing systems containing customer billing records, addresses, and credit card information; infecting machines at an AOL customer support call center in New Delhi, India, with a program to funnel information back to his PC; logging in without permission to 49 AOL instant message accounts belonging to AOL customer support employees; attempting to break into an AOL customer support system containing sensitive customer information; and phishing AOL staffers, through which he gained access to more than 60 accounts belonging to AOL employees and subcontractors.
Source: ml

33. April 26, IDG News Service — Four plead guilty in auction software piracy scheme. Four men have pleaded guilty in U.S. court in Wisconsin to selling counterfeit copyrighted software on eBay, the Department of Justice (DOJ) announced Thursday, April 26. Pleading guilty in U.S. District Court for the Eastern District of Wisconsin were Eric Neil Barber of Manila, AR; Phillip Buchanan of Hampton, GA; Wendell Jay Davis of Las Vegas; and Craig J. Svetska of West Chicago, IL, the DOJ said. The four sold counterfeit Rockwell Automation software with a retail value of more than $19.1 million through eBay, the DOJ said.
Source: 1.html

34. April 26, Associated Press — Lawsuit targets spam harvesters. An anti-spam organization filed a federal lawsuit Thursday, April 26, targeting so-called spam harvesters, who enable the mass distribution of junk e-mail by crawling the Internet and collecting millions of e-mail addresses. The lawsuit was filed in U.S. District Court in Alexandria, VA, by a Utah company called Unspam Technologies Inc. The company runs a Website called Project Honey Pot dedicated to tracking spam harvesters worldwide. Project Honey Pot has collected thousands of Internet addresses that it has linked to spam harvesters, but so far it has been unable to link those addresses to an actual person. The lawsuit names a variety of John Does as defendants, and the plaintiffs hope that the legal process will allow them to identify the people who are harvesting the e-mail addresses, said lead attorney Jon Praed of the Arlington-based Internet Law Group.
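The way a harvester-tracking honeypot ties a spam run back to the crawler that collected the address is worth seeing in code. The example below is added here as an illustration of the general technique and is not Project Honey Pot's implementation: every page view is served a unique trap address that encodes the visitor's IP address and the time, protected by an HMAC so a spammer cannot mint addresses that blame someone else; when mail later arrives at that address, the harvester and the harvest time fall out of the recipient field. SECRET, TRAP_DOMAIN, and the sample addresses are assumptions made for the example.

```python
import base64
import hashlib
import hmac

SECRET = b"replace-with-a-random-32-byte-key"   # assumption: a server-side secret
TRAP_DOMAIN = "traps.example"                    # assumption: a domain reserved for honeypot addresses
MAC_HEX_LEN = 16                                 # 64-bit truncated HMAC-SHA256 tag in the local part


def issue_trap_address(visitor_ip: str, when: int) -> str:
    """Mint a unique address to embed in the page served to one visitor.

    The local part carries the visitor's IP and a Unix timestamp (base32 so it is
    safe in an e-mail local part) plus an HMAC over that payload, so a spammer
    cannot forge an address that attributes a harvest to an arbitrary IP.
    """
    payload = f"{visitor_ip}|{when}".encode()
    tag = base64.b32encode(payload).decode().rstrip("=").lower()
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()[:MAC_HEX_LEN]
    return f"{tag}.{mac}@{TRAP_DOMAIN}"


def attribute_spam(rcpt: str):
    """For a message delivered to the trap domain, return (harvester_ip, harvest_time),
    or None if the recipient is not a genuine trap address."""
    local, sep, domain = rcpt.rpartition("@")
    if not sep or domain.lower() != TRAP_DOMAIN:
        return None
    tag, sep, mac = local.rpartition(".")
    mac = mac.lower()
    if not sep or len(mac) != MAC_HEX_LEN or any(c not in "0123456789abcdef" for c in mac):
        return None
    padded = tag.upper() + "=" * (-len(tag) % 8)   # restore the base32 padding stripped at issue time
    try:
        payload = base64.b32decode(padded)
    except ValueError:                              # binascii.Error is a ValueError
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()[:MAC_HEX_LEN]
    if not hmac.compare_digest(expected, mac):
        return None
    ip, _, when = payload.decode(errors="replace").partition("|")
    if not when.isdigit():
        return None
    return ip, int(when)


def harvester_report(recipients):
    """Count trap hits per harvester IP across the recipients of a batch of spam."""
    counts = {}
    for rcpt in recipients:
        hit = attribute_spam(rcpt)
        if hit is not None:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed scenario: two page views by one crawler, one by another, and one forged address.
    issued = [
        issue_trap_address("203.0.113.7", 1177545600),
        issue_trap_address("203.0.113.7", 1177550000),
        issue_trap_address("198.51.100.9", 1177551234),
    ]
    forged = "x" + issued[0][1:]
    for addr in issued + [forged]:
        print(addr, "->", attribute_spam(addr))
    print(harvester_report(issued + [forged]))
```

The trap address is only useful if it is never published anywhere except the served page, and only a crawler that fetched that page at that moment could have obtained it; the MAC check turns the recipient address into evidence rather than a claim.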

35. April 26, VNUNet — Hacking tools top malware threats. Hacking tools head the list of malware detected on computers around the world, according to figures released by Microsoft at Infosecurity Europe 2007. "Backdoors, key-loggers, downloads and droppers continue to be the main malware menaces we're seeing in the marketplace," said Nicholas McGrath, head of platform strategy at Microsoft. Data collected by Microsoft's security software between July and December 2006 showed that attacks were much more likely to target individual machines. "The exploits are very much targeted at the individual, either by taking their identity to gain from something like their credit card, or taking control of the PC to build their own botnets to be used in organized criminal activities," said McGrath.
Source:−tools−top− malware−threats

36. April 26, VNUNet — Mobile phone users oblivious to data threats. Consumers fail to realize how much sensitive information they carry in their mobile phones, according to a university study. Professor Steve Furnell of Plymouth University, UK, said that focus groups carried out on the campus showed a worrying trend of users not protecting the data on their mobile devices because they did not perceive any threat. The study found that only 66 percent of people used a PIN to protect their device, and 45 percent of those had not bothered to change the default number. Furnell said that the technology exists to protect users, but that they simply do not make use of it.
Source:−phone−users −oblivious
Friday, April 27, 2007

Daily Highlights

Government Technology reports Texas Governor Rick Perry has announced the reduction of crime by 30 percent in the El Paso area during a recent border security operation known as Operation Wrangler III. (See item 16)
University of California scientists have identified likely suspects in the massive die-off of bee colonies in the U.S., including a parasite called Nosema ceranae that has been associated with affecting Asian bees. (See item 20)
Computer World reports a reverse 911 notification system will be deployed to some 17,500 households to notify residents of impending flooding if an emergency occurs during a $309 million rebuilding project under way at the Wolf Creek Dam on the Cumberland River in southern Kentucky. (See item 32)

Information Technology and Telecommunications Sector

33. April 26, CNET News — Schneier questions need for security industry. Outspoken author and security guru Bruce Schneier has questioned the very existence of the security industry, suggesting it merely indicates the willingness of other technology companies to ship insecure software and hardware. Speaking this week at Infosecurity Europe 2007, a leading trade show for the security industry, Schneier said, "the fact this show even exists is a problem. You should not have to come to this show ever." "We shouldn't have to come and find a company to secure our e-mail. E-mail should already be secure. We shouldn't have to buy from somebody to secure our network or servers. Our networks and servers should already be secure." Schneier, chief technology officer at BT Counterpane, said his own company was bought by BT Group last year because the UK telecommunications giant realized the need for security to be part of any service, not an add-on at additional cost and inconvenience to the user. His words echoed those of Lord Broers, chair of the House of Lords science and technology committee, who suggested every company, from operating system and application vendors to ISPs, needs to take greater responsibility for the security of end users.

34. April 26, CNET News — Exploit code released for Adobe Photoshop flaw. Exploit code that could take advantage of a "highly critical" security flaw in the most recent versions of Adobe Photoshop has been published, a security researcher reported. The flaw affects Adobe Photoshop Creative Suite 3 as well as CS2, according to a security advisory issued by Secunia on Wednesday, April 25. The vulnerability lies in the way Photoshop processes bitmap files (.bmp, .dib, and .rle): a malformed file can trigger a buffer overflow, which could let an attacker run code on, and take over, the user's system. Although a security researcher has published code demonstrating how to exploit the vulnerability, Secunia has yet to detect any malicious use of it, said Thomas Kristensen, Secunia's chief technology officer.
Secunia advisory:
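A bitmap-parsing overflow of this kind almost always comes from a decoder that trusts the size fields in the file header when it allocates or fills a pixel buffer. The parser below is added here as an illustration of the checks a bitmap reader needs before it does that; it is not Adobe's code and not the published exploit (the advisory text gives no details of the actual defect). It handles the fixed BITMAPFILEHEADER/BITMAPINFOHEADER layout of uncompressed BMP files, derives every size from validated fields, bounds them, and checks them against the real file length. MAX_DIMENSION and MAX_PIXEL_BYTES are assumed policy limits, and the sample files are constructed in the block.

```python
import struct

# Little-endian BITMAPFILEHEADER (14 bytes) and BITMAPINFOHEADER (40 bytes).
FILE_HEADER = struct.Struct("<2sIHHI")       # magic, file size, reserved, reserved, pixel data offset
INFO_HEADER = struct.Struct("<IiiHHIIiiII")  # header size, width, height, planes, bpp, compression,
                                             # image size, x ppm, y ppm, colors used, colors important
BI_RGB = 0

# Policy limits; assumptions for this example, not values from any Adobe product.
MAX_DIMENSION = 1 << 15
MAX_PIXEL_BYTES = 256 << 20


class BadBitmap(ValueError):
    """Raised for any header field the parser refuses to trust."""


def parse_bmp(data: bytes) -> dict:
    """Validate a BMP header and return the geometry a decoder may safely allocate for.

    Every size used later is derived here, bounded, and checked against the real file
    length before anything is allocated. A decoder that feeds width, height, bpp or the
    pixel offset straight into an allocation or a copy is the pattern behind this bug class.
    """
    if len(data) < FILE_HEADER.size + INFO_HEADER.size:
        raise BadBitmap("file shorter than the fixed headers")
    magic, _file_size, _r1, _r2, pixel_off = FILE_HEADER.unpack_from(data, 0)
    if magic != b"BM":
        raise BadBitmap("bad magic")
    (hdr_size, width, height, planes, bpp, compression,
     _img_size, _xppm, _yppm, colors_used, _important) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)

    if hdr_size < INFO_HEADER.size or hdr_size > len(data) - FILE_HEADER.size:
        raise BadBitmap("info header size out of range")
    # Height may legitimately be negative (top-down rows); width may not.
    if width <= 0 or height == 0 or width > MAX_DIMENSION or abs(height) > MAX_DIMENSION:
        raise BadBitmap("refusing dimensions %dx%d" % (width, height))
    if planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
        raise BadBitmap("unsupported planes/bpp")
    if compression != BI_RGB:
        raise BadBitmap("only uncompressed BI_RGB is handled here")

    # Rows are padded to 4-byte multiples. Python ints cannot overflow, so the explicit
    # bound below stands in for the overflow check a C decoder needs before it multiplies
    # width * bpp * height into an allocation size.
    stride = ((width * bpp + 31) // 32) * 4
    pixel_bytes = stride * abs(height)
    if pixel_bytes > MAX_PIXEL_BYTES:
        raise BadBitmap("pixel buffer would exceed policy limit")

    palette_entries = 0
    if bpp <= 8:
        palette_entries = colors_used or (1 << bpp)
        if palette_entries > (1 << bpp):
            raise BadBitmap("colors_used larger than the palette can hold")
    palette_end = FILE_HEADER.size + hdr_size + 4 * palette_entries
    if pixel_off < palette_end:
        raise BadBitmap("pixel data offset overlaps headers or palette")
    if pixel_off > len(data) or pixel_bytes > len(data) - pixel_off:
        raise BadBitmap("pixel data runs past end of file")
    return {"width": width, "height": height, "bpp": bpp, "stride": stride,
            "pixel_offset": pixel_off, "pixel_bytes": pixel_bytes}


def make_bmp(width: int, height: int, bpp: int = 24) -> bytes:
    """Build a minimal, well-formed, zero-filled BMP (constructed sample input)."""
    stride = ((width * bpp + 31) // 32) * 4
    pixels = bytes(stride * abs(height))
    pixel_off = FILE_HEADER.size + INFO_HEADER.size
    info = INFO_HEADER.pack(INFO_HEADER.size, width, height, 1, bpp, BI_RGB,
                            len(pixels), 2835, 2835, 0, 0)
    head = FILE_HEADER.pack(b"BM", pixel_off + len(pixels), 0, 0, pixel_off)
    return head + info + pixels


def with_width(bmp: bytes, width: int) -> bytes:
    """Copy of bmp with the width field (file offset 18) overwritten, to fake a malformed file."""
    buf = bytearray(bmp)
    struct.pack_into("<i", buf, FILE_HEADER.size + 4, width)
    return bytes(buf)


def is_rejected(bmp: bytes) -> bool:
    try:
        parse_bmp(bmp)
    except BadBitmap:
        return True
    return False


if __name__ == "__main__":
    good = make_bmp(2, 2)
    print(parse_bmp(good))
    print("oversized width rejected:", is_rejected(with_width(good, 0x7FFFFFFF)))
    print("truncated file rejected:", is_rejected(good[:-1]))
```

The interesting case is the one the individual dimension checks let through: a width and height that are each acceptable but whose product, times the bytes per pixel, is not. That is exactly where a 32-bit multiplication wraps in a native decoder, so the product is bounded explicitly rather than inferred from the two factors.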

35. April 26, ComputerWorld — Entrepreneurial hackers buy sponsored links on Google. A scheme in which criminals bought search keywords on Google and routed users to a malicious site when they clicked the resulting sponsored links was revealed Wednesday, April 25, by a security company. According to Roger Thompson, chief technology officer at Exploit Prevention Labs, the ploy combined sponsored links (the text ads that appear alongside Google search results), a malicious intermediary site, and malware that steals online banking usernames and passwords. The purchased keywords put the criminals' sponsored links at the top of the page when searches were run for brand-name sites such as the Better Business Bureau, using phrases such as "betterbusinessbureau" or "modern cars airbags required." When users clicked the ad link, they were momentarily diverted to a malicious site that used an exploit against the Microsoft Data Access Components (MDAC) function in Windows to plant a back door and a "post-logger" on the PC.

36. April 26, U.S. Computer Emergency Readiness Team — US-CERT Vulnerability Note VU#127545: Cisco NetFlow Collection Engine contains known default passwords. A vulnerability in the Cisco NetFlow Collection Engine could allow a remote attacker to gain access to a vulnerable system. The Cisco Network Services (CNS) NetFlow Collection Engine (NFC) is a software package for supported UNIX platforms, used to collect and monitor NetFlow accounting data from network devices such as routers and switches. Versions of NFC prior to 6.0 create and use a default account with an identical username and password of "nfcuser." A remote attacker who knows the default account can gain administrative control of the NFC application configuration through the Web-based interface. In some configurations, the attacker may also be able to log in to the host operating system with the privileges of nfcuser, a foothold from which to attempt further privilege escalation on the affected system.
Solution: Change the password on the affected account. Cisco has published instructions for changing the nfcuser password in a Cisco Security Advisory.
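Two checks a practitioner would want after reading this note: an audit of account stores for vendor defaults (and the weaker cousins of the same mistake), and a detection over management-interface logs for anyone actually logging in as the default account, especially from outside the management network. The script below is an added example, not part of US-CERT's or Cisco's material. Only the nfcuser/nfcuser pair comes from the note; the credential table, the log format, the management network range, and the sample accounts and log lines are constructed for the example.

```python
import ipaddress
import re

# Vendor default credential pairs to hunt for. nfcuser/nfcuser is from the advisory above;
# the table shape and everything else here is an assumption for the example.
DEFAULT_CREDS = {("nfcuser", "nfcuser")}
DEFAULT_USERS = {user for user, _ in DEFAULT_CREDS}


def weak_accounts(accounts):
    """accounts: iterable of (username, password). Returns [(username, reason), ...]."""
    findings = []
    for user, password in accounts:
        if (user, password) in DEFAULT_CREDS:
            findings.append((user, "vendor default credential still set"))
        elif password == user:
            findings.append((user, "password equals username"))
        elif len(password) < 12:
            findings.append((user, "password shorter than 12 characters"))
    return findings


# Constructed access-log format for a web management interface (assumption):
#   "<iso timestamp> src=<ip> user=<name> result=<success|failure>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def default_account_logins(lines, management_nets=("10.10.0.0/16",)):
    """Flag successful web-UI logins to default accounts.

    Any such login is worth a ticket (the account should have been renamed or its
    password changed); one from outside the management network is treated as high
    severity because it matches the remote-attacker scenario in the note.
    Returns [(timestamp, ip, user, severity), ...].
    """
    nets = [ipaddress.ip_network(n) for n in management_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "success" or m["user"] not in DEFAULT_USERS:
            continue
        ip = ipaddress.ip_address(m["ip"])
        remote = not any(ip in net for net in nets)
        hits.append((m["ts"], m["ip"], m["user"], "high" if remote else "medium"))
    return hits


SAMPLE_ACCOUNTS = [  # constructed
    ("nfcuser", "nfcuser"),
    ("admin", "admin"),
    ("netops", "Zc8!wq2#Lp9vTr3m"),
]

SAMPLE_LOG = [  # constructed
    "2007-04-26T09:12:03Z src=10.10.4.21 user=netops result=success",
    "2007-04-26T09:14:40Z src=10.10.4.21 user=nfcuser result=success",
    "2007-04-26T21:03:11Z src=198.51.100.77 user=nfcuser result=failure",
    "2007-04-26T21:03:15Z src=198.51.100.77 user=nfcuser result=success",
]

if __name__ == "__main__":
    for user, reason in weak_accounts(SAMPLE_ACCOUNTS):
        print(f"weak account {user}: {reason}")
    for ts, ip, user, severity in default_account_logins(SAMPLE_LOG):
        print(f"[{severity}] {ts} {user} logged in from {ip}")
```

Changing the password, as the solution says, closes the door; the log check is what tells you whether anyone walked through it before you did.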

37. April 25, eWeek — Acer joins Sony battery pack recall. Nine months after the first voluntary recalls of Sony-made notebook battery packs, Acer will recall some 27,000 notebooks that contained the same lithium-ion batteries. Acer announced the recall Wednesday, April 25. The 27,000 notebooks were all sold in the United States between May 2004 and November 2006. The models that shipped with faulty packs include the company's TravelMate notebooks with model numbers 321x, 242x, 330x, 561x, C20x, 422x, 467x, and 320x. The recall also involves some models in the company's Aspire line, including the 980x, 556x, 930x, 941x, 560x, and 567x.

38. April 25, SecurityFocus — Storm Worm marries malware and spam. The stock-touting e-mail messages regularly sent out by spam-focused bot nets have started to include links to malicious code, according to a report published Wednesday, April 25, by e-mail security firm MessageLabs. The criminal groups responsible for the spam appear to believe that recipients may click on a Web link even if they do not buy the stock touted in the message. In the past 10 days MessageLabs has detected only about 3,500 of the messages, so the spammers may be testing the waters to see how often the scam works, said Mark Sunner, chief technology officer for the company. The Storm Worm, which is actually a Trojan horse that does not spread on its own, embodies the latest tactics by spammers and bot masters to grow their networks. Rather than using worms and viruses to create bot nets that are likely to grow out of control, the Storm Worm, also known as Zhelatin and Peacomm, is sent out in spam to increase the size of a bot net at a controllable pace.
Thursday, April 26, 2007

Daily Highlights

Computerworld reports that a new wave of extortion e-mails, sent directly to the victims from valid e-mail accounts and targeted at higher-income professionals, is circulating on the Internet; the messages threaten recipients with bodily harm and death if they do not pay thousands of dollars to the sender. (See item 13)

The U.S. Food and Drug Administration says that it will test imports of wheat gluten, corn gluten, corn meal, soy protein, rice bran, and rice protein concentrate to detect any contamination with melamine, which has been found in both human and animal food. (See item 24)

Information Technology and Telecommunications Sector

35. April 25, U.S. Computer Emergency Readiness Team — Vulnerability in HP-UX running sendmail. The U.S. Computer Emergency Readiness Team (US-CERT) is aware of a vulnerability in HP-UX running sendmail that may allow a remote user to cause a denial-of-service condition. US-CERT recommends that users apply the patches described in HP Technical Knowledge Base Document c00841370. Please note that logon credentials may be needed to access this document. US-CERT will continue to investigate this issue and provide additional information as it becomes available.
HP Technical Knowledge Base Document c00841370:−1335382922+1177517201483+28353475

36. April 25, IDG News Service — Microsoft ups security stance with new labs. In a move to strengthen its response to security threats, Microsoft is opening two labs to study the growing amount of malicious software circulating on the Internet, security executives announced Wednesday, April 25. The Malware Protection Centers, in Dublin and Tokyo, will be staffed with analysts who will create detection updates, called "signatures," for the company's security products, said Roger Halbheer, chief security advisor for Europe, the Middle East, and Africa. The labs will be similar to those run by competitors such as Symantec and McAfee.
Source: .html

37. April 25, IDG News Service — 'Evil twin' Wi-Fi access points proliferate. Beware of the "evil twin": a Wi-Fi access point that appears to be the legitimate one offered on the premises but has actually been set up by an attacker to eavesdrop on the wireless traffic of the people who connect to it. Unfortunately, experts say there is little consumers can do to protect themselves, though enterprises may be in better shape. With the growth in wireless networks, the evil twin attack is on the rise, said Phil Cracknell, president of the UK branch of the Information Systems Security Association. Such attacks are much easier to mount than other credential-stealing attacks such as phishing, which requires setting up a fraudulent Website and luring people to it, Cracknell said. The growth in the number of Wi-Fi networks gives attackers more opportunities, since they can make a rogue network look legitimate simply by giving their access point a name similar to that of the Wi-Fi network on the premises.
Source: ints_1.html
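The enterprise-side advantage the article alludes to is that an organisation knows which radios are allowed to advertise its SSID; a consumer in a coffee shop does not. The following detector is an added example, not code from the article or from any vendor: it compares on-air scan results against an inventory of authorised BSSIDs and flags any access point that advertises an SSID the organisation owns (or a lookalike that differs only in case, spacing or separators) from an unknown BSSID, noting a security downgrade to an open network and a suspiciously strong signal as supporting evidence. The inventory, the scan records and the SSIDs are all constructed for the example.

```python
import re

# Constructed AP inventory (assumption): SSIDs the organisation runs, which BSSIDs
# (radio MAC addresses) may advertise them, and the expected security mode.
AUTHORIZED = {
    "Corp-WiFi": {"bssids": {"00:1a:2b:00:00:01", "00:1a:2b:00:00:02"}, "security": "WPA2"},
}

# Constructed scan results (assumption): what a client or a wireless sensor sees on air.
SCAN = [
    {"ssid": "Corp-WiFi", "bssid": "00:1a:2b:00:00:01", "security": "WPA2", "channel": 6, "rssi": -48},
    {"ssid": "Corp-WiFi", "bssid": "00:1a:2b:00:00:02", "security": "WPA2", "channel": 11, "rssi": -61},
    {"ssid": "Corp-WiFi", "bssid": "aa:bb:cc:11:22:33", "security": "OPEN", "channel": 6, "rssi": -35},
    {"ssid": "Corp WiFi ", "bssid": "aa:bb:cc:11:22:34", "security": "WPA2", "channel": 1, "rssi": -50},
    {"ssid": "Neighbour-Net", "bssid": "de:ad:be:ef:00:01", "security": "WPA2", "channel": 1, "rssi": -80},
]


def normalize_ssid(ssid: str) -> str:
    """Fold the tricks used to make a rogue SSID look like the real one:
    case, surrounding whitespace and separator characters."""
    return re.sub(r"[\s_\-\.]+", "", ssid.strip().lower())


def find_evil_twins(scan, authorized=AUTHORIZED):
    """Return one finding per access point that impersonates an authorised SSID."""
    lookalike_index = {normalize_ssid(s): s for s in authorized}
    findings = []
    for ap in scan:
        real = lookalike_index.get(normalize_ssid(ap["ssid"]))
        if real is None:
            continue  # unrelated network; out of scope for this check
        ours = authorized[real]["bssids"]
        if ap["bssid"].lower() in ours:
            continue  # one of our own radios
        reasons = ["BSSID not in the AP inventory"]
        if ap["ssid"] != real:
            reasons.append("lookalike SSID %r for %r" % (ap["ssid"], real))
        if ap["security"] != authorized[real]["security"]:
            reasons.append("advertises %s where %s is expected" % (ap["security"], authorized[real]["security"]))
        # A signal stronger than every inventoried AP hints that the rogue radio sits
        # close to the victims; on its own it proves nothing, so it is only supporting evidence.
        strongest_real = max((a["rssi"] for a in scan if a["bssid"].lower() in ours), default=None)
        if strongest_real is not None and ap["rssi"] > strongest_real:
            reasons.append("stronger signal than any inventoried AP")
        findings.append({"ssid": ap["ssid"], "bssid": ap["bssid"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_evil_twins(SCAN):
        print(finding["bssid"], repr(finding["ssid"]), "->", "; ".join(finding["reasons"]))
```

The check deliberately keys on the BSSID rather than the SSID, because the SSID is exactly the thing the attacker copies; what the attacker cannot easily copy without being noticed is membership in the inventory of radios the wireless team deployed.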

38. April 25, VNUNet — Rogue software floods anti-spyware market. Malware writers are flooding the market with rogue anti-spyware applications in an attempt to steer consumers away from genuine security software and make money from selling bogus applications. Download service Snapfiles said that rogue applications outnumber genuine software by a factor of four to one. Snapfiles hosts free and trial applications for consumers to download, and says it rejects any software that fails to deliver the promised functionality or causes harm to a system. Download site Tucows confirmed the figure, saying that it too rejects about four-fifths of the anti-spyware programs it receives from developers. Rogue anti-spyware programs present themselves as legitimate security products but have no intention of ridding a user's system of malware. Instead, the application scares the user with false scan results, fails to remove existing spyware infections, and in some cases even infects the system with additional spyware and adware.
Source:-apps-dominating

39. April 24, Associated Press — Researchers break Internet speed records. A group of researchers led by the University of Tokyo has broken Internet speed records twice in two days. Operators of the high-speed Internet2 network announced Tuesday, April 24, that the researchers on December 30 sent data at 7.67 gigabits per second using standard communications protocols. The next day, using modified protocols, the team broke the record again by sending data over the same 20,000-mile path at 9.08 Gbps.
Source: -Faster-Internet.html?_r=1&oref=slogin

40. April 24, CNET News — Web threats to surpass e-mail pests. By next year, Internet users can expect more cyberattacks to originate from the Web than via e-mail, security firm Trend Micro predicts. E-mail has traditionally been the top means of attack, with messages laden with Trojan horses and other malicious programs hitting inboxes. But the balance is about to tip as cybercrooks increasingly turn to the Web to attack PCs. "By 2008, most of the threats you are facing will be Web placed. Today most of it is still e-mail," Raimund Genes, Trend Micro's chief researcher, said in a presentation at the Gartner Symposium and ITxpo on Monday, April 23. The reason for the flip is simple. Security tools for e-mail have become commonplace, but the same is not true for Web traffic. Security firms have found it hard to secure what comes into a network and its computers over port 80, the network port used to browse the Web using the hypertext transfer protocol, or HTTP.
Source: -mail+pests/2100-7349_3-6178930.html
Wednesday, April 25, 2007

Daily Highlights

The Department of Homeland Security is warning U.S. chemical plants and bomb squads to guard against a new form of terrorism, chlorine truck bombs; the Chlorine Institute recently alerted the FBI to several thefts or attempted thefts of 150-pound chlorine tanks from water treatment plants in California. (See item 4)
The Manhattan District Attorney's Office announced Friday, April 20, that it has indicted 13 members of an identity theft ring that made more than $3 million worth of illegal purchases using small hand-held devices to read and record the personal information stored on credit cards' magnetic stripes. (See item 9)

Information Technology and Telecommunications Sector

28. April 24, Information Week — Malware spikes in 1Q as hackers increasingly infect Websites. The number of new pieces of malware spiked in the first quarter of this year, and the majority of the new threats are being embedded in malicious Websites. According to a study from Sophos, an antivirus and anti-spam company, researchers discovered 23,864 new threats in the first three months of 2007, more than double the 9,450 identified in the same period last year. While the amount of malware is increasing, where it is found is changing. Historically, malware has arrived by e-mail, hidden in malicious attachments. That still happens, but more virus writers are putting their effort into malicious Websites. Sophos noted that the proportion of infected e-mail dropped from 1.3 percent (one in 77 e-mails) in the first three months of 2006 to 0.4 percent (one in 256) in this year's first quarter. In the same period, Sophos identified an average of 5,000 new infected Web pages every day. With computer users becoming more aware of how to protect against e-mail-borne malware, hackers have turned to the Web as their preferred attack vector.
Sophos study:

29. April 23, ComputerWorld — Microsoft: No patch yet for DNS Server bug. Microsoft Corp.'s security team said Sunday, April 22, that it is still working on a patch for a critical bug in the company's server software. The vulnerability in the Domain Name System (DNS) Server Service of Windows 2000 Server SP4, Windows Server 2003 SP1, and Windows Server 2003 SP2 has been exploited since at least April 13, Microsoft acknowledged earlier, although the company has continued to characterize those attacks as "limited." "Our teams are continuing to work on developing and testing updates...[but] we don't have any new estimates on release timelines," said Christopher Budd, program manager for the Microsoft Security Response Center (MSRC), on the group's blog. "I can say that our ongoing testing so far has not raised any issues that would make us believe we might be looking at a longer timeline."
MSRC blog:−update−on−microsoft−security−advisory−935964.aspx

30. April 23, ComputerWorld — Safari, Firefox, IE all vulnerable if QuickTime is installed, say researchers. The vulnerability that put $10,000 into the pocket of a New Yorker last Friday, April 20, during a Mac hacking contest is in Apple Inc.'s QuickTime media player, researchers said Monday, April 23. The contest, held at the CanSecWest security conference in Vancouver last week, pitted a pair of MacBook Pro notebooks, each with all currently available security patches installed, against all comers. On Friday, Sean Comeau, one of the CanSecWest organizers, said the bug was in Safari, the Apple browser bundled with Mac OS X. But on Monday researchers at Matasano Security LLC, a New York-based consultancy, said the flaw is actually in QuickTime. "Dino's finding targets Java handling in QuickTime," said Matasano researcher Thomas Ptacek on the group's blog. "Any Java-enabled browser is a viable attack vector, if QuickTime is installed. Apple's vulnerable code ships by default on Mac OS X (obviously) and is extremely popular on Windows, where this code introduces a third-party vulnerability." Ptacek confirmed that both Safari and Mozilla Corp.'s Firefox can be exploited through the QuickTime bug. Matasano also said it assumes that Firefox is vulnerable on Windows PCs if QuickTime's plug-in is installed.

31. April 16, Government Computer News — Solar flare puts GPS off the air. Mysteriously, on December 6, 2006, Global Positioning System (GPS) receivers suddenly malfunctioned across large swaths of the planet. The cause was an intense burst of radio energy from a solar flare erupting on the sun's surface. Although the event temporarily knocked out many GPS receivers, no airplanes fell from the sky and no ships lost their way at sea. But the event nonetheless generated concern among scientists. Although they were aware that radio bursts generated by solar flares could affect GPS equipment, they were surprised that an event this large occurred during a period of relatively low solar-flare activity and that its impact was as strong as it was. "It's more serious than we thought. We didn't think this was going to happen until the next solar maximum, which is about 2011," said Paul Kintner Jr., professor of electrical and computer engineering at Cornell University. "We've been monitoring solar flares for four years. [The Dec. 6 event] suggests that monitoring has been inaccurate. And we don't have a good historical basis for predicting what's going to happen, so we're concerned." The radio bursts do not damage equipment; they interfere with the signals between GPS satellites and receivers.

Note: Our apology for the lateness of this post. Unfortunately our Internet access broke sometime last night and did not come back up until after we left for the day. Simply stated, the delay was beyond our control.
Tuesday, April 24, 2007

Daily Highlights

The Transportation Security Administration, American Association of Airport Executives, Airports Council International-North America, and National Air Transportation Association have announced a six-point plan to maximize the effectiveness of screening employees at airports. (See item 16)
The General Services Administration has unveiled a redesign of the federal government's official Web portal, which provides a centralized place to search for information on hundreds of government services, from checking tax refund status to contacting elected officials. (See item 27)

Information Technology and Telecommunications Sector

33. April 23, USA TODAY — Cyberspies exploit Microsoft Office. Cyberspies have a new secret weapon: tainted Microsoft Office files. A rising number of cyberattacks are aimed at specific individuals at critical government agencies and corporations, enticing them to open a booby-trapped Word, Excel, or PowerPoint file sent as an e-mail attachment. Opening the file hands control of the PC to the attacker without the user's knowledge; the attacker then uses the compromised PC as a base from which to roam the organization's internal network. Federal agencies and defense and nuclear contractors are under assault. Security firm MessageLabs says it has been intercepting a series of such attacks from PCs in Taiwan and China since November. In early 2006, security experts detected one or two such attacks a week. Last month, MessageLabs intercepted 716 e-mails carrying tainted Office files aimed at 216 different agencies and companies. The assaults are coming from China and perhaps other countries in the hunt for military, trade, and infrastructure intelligence, says Alan Paller, research director at The SANS Institute, a security think tank. The goal: strategic advantage over the USA. "The attacks are working," says Paller. "Penetrations are deep and broad."

34. April 23, eWeek — Oracle issues database patch postponed for testing. Oracle has released a missing fix for the database flaw rated most severe in the Critical Patch Update the company issued last week. The flaw, dubbed DB01 in the update issued April 17, is in the Core RDBMS (relational database management system) and can be exploited remotely over the network by an attacker without a username or password. The flaw is specific to the Windows version of the database. On Friday, April 20, Eric Maurice of Oracle posted a note on a company blog announcing that the Critical Patch Update for the Windows 32-bit version of the database is now available.
Oracle blog:

35. April 20, IDG News Service — Hacker shows Mac break-in. A hacker managed to break into a Mac and win a $10,000 prize in a contest held at the CanSecWest security conference in Vancouver. In winning the contest, he exposed a hole in Safari, Apple's browser. "Currently, every copy of OS X out there now is vulnerable to this," said Sean Comeau, one of the organizers of CanSecWest. The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, so the organizers allowed participants to try to get in through the browser by sending URLs via e-mail. Dino Dai Zovi, who lives in New York, sent along a URL that exposed the hole. Because the contest was open only to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on. The URL opened a blank page but triggered a vulnerability in input handling in Safari.
Source: rence_1.html

36. April 20, IDG News Service — Kickbacks on federal IT contracts widespread, involved millions, DOJ charges. An alleged multimillion-dollar kickback scheme involving work on numerous U.S. government contracts touches dozens of IT vendors and systems integrators, according to court documents unsealed Friday, April 20. The allegations set up a major confrontation between the U.S. government and virtually the entire U.S. IT industry. The U.S. Department of Justice (DOJ) filings list improper kickbacks on a number of contracts, including ones from the U.S. Army, the Air Force, the FBI, the Department of State, the General Services Administration, the Department of Education, and the U.S. Postal Service. The DOJ announced it had joined three whistle-blower lawsuits against Hewlett-Packard Co., Sun Microsystems Inc., and Accenture Ltd. The DOJ's complaints allege that the three companies, through "alliance partnerships" with dozens of other vendors, exchanged millions of dollars in illegal rebates and other payments since the late 1990s. The complaints accuse Accenture and other systems integrators of collecting money from IT vendors in exchange for preferential treatment on government contracts they were working on, or in exchange for strong recommendations to potential government customers. The defendants did not report these kickbacks to the U.S. government, the DOJ alleges.
DOJ press release:

37. April 20, Network World — Nortel warns of three VPN Router product flaws. Nortel last week warned of several backdoors and other flaws in its VPN and secure routing products that could allow unauthorized remote access to an enterprise network. User accounts used for diagnostics on Nortel VPN routers (formerly known as Contivity) could be used to gain access to a corporate VPN. In a second vulnerability, unauthorized remote users could gain administrative access to a VPN router through its Web interface. A third vulnerability could allow someone to crack users' VPN passwords. Nortel says it has issued software that fixes these flaws. Affected products include all Nortel VPN router models: 1000, 2000, 3000, 4000, and 5000.
Source:−nortel−vpn−rout er−flaw.html
Monday, April 23, 2007

Daily Highlights

The Associated Press reports Mohammad Alavi, a former engineer at the nation's largest nuclear power plant, the Palo Verde plant west of Phoenix, has been charged with taking computer access codes and software to Iran and using them to download details of plant control rooms and reactors. (See item 1)
The New York Times reports the Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Department of Agriculture programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations. (See item 17)

Information Technology and Telecommunications Sector

39. April 20, eWeek — RIM: Software upgrade caused BlackBerry failure. BlackBerry maker Research In Motion (RIM) announced late Thursday, April 19, that it has determined the apparent cause of the shutdown that stopped e-mail service to BlackBerry users throughout North America earlier in the week. According to a statement from the Waterloo, Ontario-based company, the shutdown on April 17 was related to a software upgrade that went awry, followed by a failover process that also didn't work properly. The BlackBerry blackout happened when the company introduced a new, noncritical system routine into its database, officials said. The routine, according to RIM, was designed to improve cache optimization but instead caused a series of interaction errors between the databases and the cache.

40. April 19, IDG News Service — Spammers, hackers seize on Virginia Tech shootings. Spammers and hackers are using the slayings at Virginia Tech as a gory lure to infect computers with malicious software, security experts noted Thursday, April 19. While the video made by gunman Cho Seung-hui prior to the killing of 33 people on Monday was widely posted on news Websites, spam e-mails were intercepted Wednesday night purporting to link to the footage on a Brazilian Website, said Graham Cluley, senior technology consultant at security vendor Sophos. If clicked, the link caused a computer to automatically download a malicious screensaver, called TERROR_EM_VIRGINIA.scr by Sophos, which installs a Trojan horse program that collects banking details, Cluley said. It's unclear yet what banks the Trojan is engineered to exploit, Cluley said. The e-mails are unlikely to mean much to English speakers since they're written in Portuguese, Cluley said. But hackers have repeatedly used breaking news events to try to trick users into opening malicious programs.

41. April 19, CNET News — Cyberattacks at federal agencies draw House scrutiny. As new details emerged about cyberattacks against networks at the State and Commerce departments last year, politicians on Thursday, April 19, said they're concerned many federal agencies are ill-prepared to fend off such intrusions. Members of a U.S. House of Representatives cybersecurity subcommittee said they weren't confident that the computer systems at bureaus within the State and Commerce departments were adequately secured and scrubbed of backdoors that could allow cybercrooks to re-enter. They also questioned agency representatives on whether they could truly guarantee that sensitive information hadn't been accessed or copied. Twenty-one of 24 major federal agencies had weak or deficient information security controls in place during the last fiscal year, according to audit reports, said Gregory Wilshusen, director of information security issues for the Government Accountability Office (GAO). Pitfalls ranged from failing to replace well-known vendor-supplied passwords on systems to not encrypting sensitive information to not creating adequate audit logs to track activity on their systems, according to a new GAO report he summarized at the hearing.

42. April 19, Government Accountability Office — GAO-07-751T: Information Security: Persistent Weaknesses Highlight Need for Further Improvement (Testimony). For many years, the Government Accountability Office (GAO) has reported that weaknesses in information security are a widespread problem with potentially devastating consequences -- such as intrusions by malicious users, compromised networks, and the theft of personally identifiable information. In reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue. Concerned by reports of significant vulnerabilities in federal computer systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which permanently authorized and strengthened the information security program, evaluation, and reporting requirements for federal agencies. FISMA also defines responsibilities for ensuring centralized compilation and analysis of incidents that threaten information security and providing timely technical assistance in handling security incidents. In this testimony, GAO discusses the continued weaknesses in information security controls at 24 major federal agencies, the reporting and analysis of security incidents, and efforts by the Department of Homeland Security to develop a cyber threat analysis and warning capability. GAO based its testimony on its previous work in this area as well as agency and congressional reports.

43. April 19, CNET News — Bug hunter targets routers, other gadgets. Software that runs home routers, cell phones and personal digital assistants is rife with security bugs, an expert said Thursday, April 19. Barnaby Jack, a Juniper Networks security researcher, gave a tutorial at the CanSecWest conference on how bug hunters can find exploitable vulnerabilities in such devices and demonstrated an attack on a D-Link router using a yet-to-be-patched hole. "Security flaws are abundant on these devices," Jack said. "Security needs to reach further than a home PC. Insecure devices pose a threat to the entire network. Hardware vendors must take security into consideration." There hasn't yet been a large amount of security research into the type of software Jack looks at. This is code that runs gadgets equipped with ARM, MIPS, XScale and PowerPC microprocessors. However, researchers appear increasingly interested in finding ways to attack routers and other such "embedded" devices. In examining software from various devices, Jack found that there are many exploitable "null pointers" in the code. "Vulnerabilities that are near dead in the PC realm are abundant," he said. "This is a new class of attack...This is a remote attack the same way as a buffer overflow or a heap overflow, but it is more reliable."
Friday, April 20, 2007

Daily Highlights

The Benton Courier reports an access area to the Saline River no longer is open to the public because of recent vandalism that incapacitated the Arkansas Health Center water system for four days. (See item 16)
The Associated Press reports Oklahoma Governor Brad Henry is creating a task force to study safety and security at college, university, and CareerTech campuses across Oklahoma. (See item 22)

Information Technology and Telecommunications Sector

26. April 19, US-CERT — Technical Cyber Security Alert TA07-109A: Apple Updates for Multiple Vulnerabilities. Apple has released Security Update 2007-004 to correct multiple vulnerabilities affecting Apple Mac OS X and Mac OS X Server. The most serious of these vulnerabilities may allow a remote attacker to execute arbitrary code. Attackers may take advantage of the less serious vulnerabilities to bypass security restrictions or cause a denial of service.
Users should install Apple Security Update 2007-004.
Thursday, April 19, 2007

Daily Highlights

Computerworld reports a database intrusion by foreign hackers may have compromised Social Security numbers and other sensitive data belonging to more than 14,000 current and former employees at Ohio State University. (See item 15)
The New York Times reports the first vaccine against avian flu has won government approval; the vaccine is directed against the H5N1 strain of influenza virus, which some public health experts say could possibly spark a deadly epidemic of flu in humans. (See item 25)

Information Technology and Telecommunications Sector

34. April 18, IDG News Service — Microsoft: DNS patch to potentially come by May 8. Microsoft hopes to fix by May 8 a critical flaw in Windows Domain Name System (DNS) servers that is being exploited by online criminals, the company said late Tuesday, April 17. Microsoft has been under pressure to address the flaw, reported last week, since software that exploits it has now been widely disseminated, and criminals are beginning to use it in attacks. On Monday, security experts confirmed that variants of the Rinbot worm (also called Nirbot by some vendors) had been scanning networks for vulnerable systems and then attempting to exploit the DNS bug. Microsoft characterizes the level of attacks as "not widespread."

35. April 18, Associated Press — BlackBerry service being restored. BlackBerry service was being restored Wednesday morning, April 18, after an overnight outage that left millions of users without mobile access to their e-mail on the popular device. Research in Motion Ltd., the Canadian company that provides the devices and e-mail service, said the service interruption began Tuesday night, affecting users in North America. "Root cause is currently under review, but service for most customers was restored overnight and RIM is closely monitoring systems in order to maintain normal service levels," the statement from RIM said. It wasn't immediately clear whether the problems affected all cellular carriers that offer BlackBerry service.

36. April 18, InformationWeek — Hackers attack PowerPoint more than Microsoft Word. For the first time, PowerPoint has surpassed Microsoft Word as the most common exploit vector, and hackers are increasingly pinpointing their enterprise attacks, according to a report out Wednesday, April 18, from MessageLabs. There's one specific gang that's running up the numbers on PowerPoint attacks. Most of the attacks are originating from an IP address within Taiwan, noted the MessageLabs report. The company also pointed out in its study of March messaging attacks that hackers are foregoing the traditional widespread attack for targeted attacks. Instead of spamming out hundreds of thousands of e-mails to try to trick users into divulging critical information, a hacker sends one very specific e-mail to one or two people in a specific position inside the same company.

37. April 17, eWeek — Wireless problems played part in chaos at Virginia Tech. The inability of students and others at Virginia Tech in Blacksburg, VA, to make cell phone calls during the April 16 shooting tragedy added to the chaos surrounding the events of the day. Many students reported being unable to gain access to the wireless phone system either to place a voice call or to send text messages. The reason appeared to be a massive increase in wireless call volume, according to carriers serving the Virginia Tech campus. Verizon Wireless spokesperson John Johnson acknowledged that for a while during the heaviest call volumes on April 16, some calls did not go through. "We did see some call blocking," Johnson said. "We did also see some heavy text message traffic." Cingular/AT&T's Mark Siegel said that his company also saw very heavy call volumes, but saw no call blocking. "We had no problems with text messaging," Siegel noted. "It's a great alternative in these situations." Part of the problem, notes Verizon's Johnson, is that wireless companies have to build their networks to handle the demand that they anticipate. "We are engineered to handle heavy call volume there [Blacksburg]. But of course you can't engineer for a tragedy on this scale," he said.

38. April 17, Associated Press — Digital TV will cause analog blackout. Federal Communications Commission (FCC) Commissioner Michael Copps on Tuesday, April 17, called for greater efforts to educate the public about a government-mandated switch-over to digital television signals in two years. Copps, appearing alongside fellow Commissioner Deborah Taylor Tate, told the annual convention of the National Association of Broadcasters that there was a possibility of serious disruptions when analog TV signals go off the air on February 17, 2009. When the change to digital television or "DTV" occurs, viewers who don't have digital-compatible televisions and use traditional antennas won't be able to view broadcast TV signals unless they have a digital converter box. With the deadline less than two years away, concerns have been growing that not enough people are aware of the switch-over or what will need to be done to make sure their sets still work. Many are also concerned that not enough is being done to prepare for a smooth switch-over. Digital converter boxes aren't in stores yet and aren't likely to go on sale until next January, about a year before the change. Copps called for more efforts in both the private and public sector to educate the public about the issue.

39. April 17, IDG News Service — Update: Oracle glitch leaves critical Windows flaw unpatched. Some Oracle Corp. customers using the Windows operating system will have to wait another two weeks to receive a critical software update to their database software, thanks to a glitch that came up in testing the company's latest patches. On Tuesday, April 17, Oracle unveiled its quarterly release of software patches, fixing not only database flaws, but also bugs in a host of other applications. In total, the patches fix 36 vulnerabilities, 13 of which relate directly to the database. However, the most serious database flaw discussed in April's Critical Patch Update will not actually become available for users of the version of Oracle's database until April 30, due to an issue that was uncovered in testing, said Darius Wiles, a manager with Oracle Security Alerts. The bug affects only the Windows platform and is patched on all other supported versions of the database, he added. That flaw, known as DB01, is in the Core RDBMS (relational database management system) used by Oracle's database. It can be remotely exploited over the network and unlike most of the database flaws, an attacker does not need to have authentication rights to the database to exploit the problem.

40. April 16, Federal Communications Commission — FCC begins inquiries on broadband data and deployment. The Federal Communications Commission (FCC) on Monday, April 16, announced two proceedings focused on evaluating broadband deployment. The first is a Notice of Inquiry (NOI) under Section 706 of the Telecommunications Act of 1996 into whether broadband services are being deployed to all Americans in a reasonable and timely fashion. The second is a Notice of Proposed Rulemaking exploring ways to collect information the Commission needs to set broadband policy in the future. Both actions recognize the critical importance of broadband services to the nation’s present and future prosperity. The NOI is the fifth such inquiry conducted by the Commission under Section 706 of the Telecommunications Act of 1996, which requires the Commission to determine whether broadband services are being deployed to all Americans in a reasonable and timely fashion. Among the questions the Commission asks in the NOI is how to define broadband in light of the rapid technological changes occurring in the marketplace, including the development of higher speed services and new broadband platforms. The Commission will also focus on the availability of broadband, including in rural and other hard-to-serve areas; on whether consumers are adopting new services; and on the level of competition in the marketplace.
Wednesday, April 18, 2007

Daily Highlights

The Washington Post reports some lending companies with access to a national database that contains confidential information on tens of millions of student borrowers have repeatedly searched it in ways that violate federal rules, raising alarms about data mining and abuse of privacy. (See item 12)
U.S. Customs and Border Protection officers and Border Patrol agents using rail gamma-imaging technology apprehended a 30-year-old Honduran citizen entering at Blaine, Washington, along with 34 pounds of marijuana. (See item 15)

Information Technology and Telecommunications Sector

35. April 17, ComputerWorld — Botworms exploit Windows DNS bug. Security researchers late Monday, April 16, spotted botworms exploiting a zero-day bug in Microsoft Corp.'s Windows DNS Server Service, confirming suspicions earlier in the day that hackers were sniffing out vulnerable systems. McAfee Inc.'s Avert Labs was the first to report that a new Nirbot variant -- the worm also goes by the name Rinbot -- was trying to exploit the DNS vulnerability in the wild. In a blog entry Monday afternoon, virus research manager Craig Schmugar said the botworm was an "Internet relay chat [IRC] controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer." Later Monday, McAfee announced it had found a second Nirbot/Rinbot variant exploiting the bug. According to McAfee's analysis, the new Nirbot botworms scan for vulnerable servers, then use multiple exploits -- including the unpatched DNS flaw -- in an attempt to hijack the machine. Earlier Monday, Symantec Corp. warned of an extraordinary spike in scans for TCP and UDP Port 1025. Monday evening, Symantec confirmed that the source of the increased Port 1025 activity was the Nirbot/Rinbot, and like McAfee, posted an initial analysis of the worm.
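The Symantec observation above (an abnormal spike in scans for port 1025) is the kind of indicator a network defender can look for in perimeter firewall logs. The following is an added example, not code from the report, Symantec or McAfee: it parses a constructed key=value firewall log format, counts distinct sources probing a watched port per five-minute bucket, and separately flags any single source that sweeps several internal hosts on that port. The log format, thresholds, sample lines and all function names are assumptions made for this example.

```python
"""Flag a spike in scans for port 1025 in perimeter firewall logs.

Constructed example: the kind of check a SOC analyst could run after a
vendor warns of unusual scanning on a specific port. The log format,
thresholds and sample lines are invented for this example; they are not
from any firewall vendor, from Symantec or from McAfee.
"""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical key=value firewall log line (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>TCP|UDP) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

WATCH_PORT = 1025           # port whose scan volume Symantec flagged
BUCKET_MINUTES = 5          # width of the time bucket used for counting
MIN_SOURCES_PER_BUCKET = 3  # distinct sources per bucket before alerting
MIN_DSTS_PER_SOURCE = 3     # distinct targets before a source counts as sweeping


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec


def bucket_start(ts):
    """Floor a timestamp to the start of its BUCKET_MINUTES-wide bucket."""
    return ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES,
                      second=0, microsecond=0)


def detect_port_scan_spike(lines, port=WATCH_PORT):
    """Two views of the same traffic: many sources hitting the port in one
    bucket (a scan wave), and single sources probing many hosts (a sweep).
    Returns ISO timestamps of spiking buckets and the sweeping source IPs."""
    sources_per_bucket = defaultdict(set)
    dsts_per_source = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue  # malformed lines and other ports are ignored
        sources_per_bucket[bucket_start(rec["ts"])].add(rec["src"])
        dsts_per_source[rec["src"]].add(rec["dst"])
    spikes = sorted(b.isoformat() for b, s in sources_per_bucket.items()
                    if len(s) >= MIN_SOURCES_PER_BUCKET)
    sweepers = sorted(s for s, d in dsts_per_source.items()
                      if len(d) >= MIN_DSTS_PER_SOURCE)
    return {"spike_buckets": spikes, "sweeping_sources": sweepers}


# Constructed sample log: a quiet bucket at 13:50, then a wave at 14:00 in
# which four sources probe 1025 and one of them sweeps three hosts.
SAMPLE_LOG = """\
2007-04-16T13:52:10 src=203.0.113.44 dst=198.51.100.10 proto=TCP dport=1025 action=DENY
2007-04-16T13:53:01 src=203.0.113.44 dst=198.51.100.10 proto=TCP dport=80 action=ALLOW
2007-04-16T14:01:05 src=203.0.113.7 dst=198.51.100.10 proto=TCP dport=1025 action=DENY
2007-04-16T14:01:06 src=203.0.113.7 dst=198.51.100.11 proto=TCP dport=1025 action=DENY
2007-04-16T14:01:07 src=203.0.113.7 dst=198.51.100.12 proto=UDP dport=1025 action=DENY
2007-04-16T14:02:30 src=192.0.2.19 dst=198.51.100.10 proto=TCP dport=1025 action=DENY
2007-04-16T14:03:12 src=192.0.2.77 dst=198.51.100.10 proto=TCP dport=1025 action=DENY
2007-04-16T14:04:45 src=203.0.113.120 dst=198.51.100.10 proto=TCP dport=1025 action=DENY
2007-04-16T14:04:50 src=203.0.113.120 dst=198.51.100.10 proto=TCP dport=53 action=ALLOW
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    result = detect_port_scan_spike(SAMPLE_LOG)
    for b in result["spike_buckets"]:
        print(f"scan wave on port {WATCH_PORT} starting {b}")
    for s in result["sweeping_sources"]:
        print(f"source {s} swept multiple hosts on port {WATCH_PORT}")
```

The two counts answer different questions: the per-bucket count shows whether a worm wave is under way across many infected sources, while the per-source count singles out individual hosts worth blocking or investigating. Thresholds here are illustrative; in practice they would be tuned against the site's own baseline for the watched port.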

36. April 17, VNUNet — Panic spreads over 'killer' mobile phone virus. Fears of a deadly virus that can be transmitted by mobile phone have swept the Afghani capital of Kabul, prompting the government to step in and reassure the public. Reports from inside the city suggest that mobile phone users are fearful that a biological virus is spreading via mobile phone calls. Rumors claim that several people have already died. The stories appear to have come from Pakistan, where similar rumors began spreading last week.

37. April 16, eWeek — Researchers: Botnets getting more resilient. A select group of some 40 security researchers gathered on April 10 in the first Usenix event devoted to botnets. The invitation-only event, called HotBots, was held in Cambridge, MA. At the event, researchers warned that botnets -- which can contain tens or even hundreds of thousands of zombie PCs that have been taken over for use in spamming and thievery of financial and identity-related data -- are on the brink of a technological leap to more resilient architectures and more sophisticated encryption that will make it that much harder to track, monitor and disable them. Specifically, security researchers have spotted the early development stages of resilient botnets that have included peer-to-peer (P2P) architectures. Botnets have traditionally been organized in a hierarchical structure, with one central command-and-control location. This centralization has been a blessing to researchers, as it gives them a single point of failure on which to focus. With a P2P botnet, however, there is no centralized point for command and control.
Tuesday, April 17, 2007

Daily Highlights

The Associated Press reports a fierce storm drenched the Northeast with record rainfall and wind causing hundreds of thousands to lose electricity; the National Guard was sent to help with rescue and evacuation efforts in the suburbs north of New York City. (See item 2)
The Richmond Times Dispatch reports Virginia Tech in Blacksburg became the scene of the deadliest campus shooting in U.S. history when at least 33 people were killed Monday, April 16; at least 28 more were being treated at area hospitals. (See item 29)

Information Technology and Telecommunications Sector

31. April 16, IDG News Service — New worm targets Skype. A worm targeting Skype Ltd.'s Voice over Internet Protocol application is harvesting e-mail addresses and directing users to a range of sites hosting other malicious software, security vendors said Monday, April 16. Once a machine is infected, the worm sends a malicious link via instant messages to other users in the person's Skype contact list, according to F-Secure's blog. The link leads to an executable file that downloads a Trojan horse capable of downloading other malicious software, F-Secure said. It then shows a photo of a "lightly dressed" woman. The link also directs users to at least eight Websites with information about Africa. It's not clear what type of scam or harm those pages intend, but some of the sites have advertising on them, indicating that it might be a click-fraud scam, said Graham Cluley, senior technology consultant for Sophos. F-Secure calls the worm "IM-Worm:W32/Pykse.A," and Sophos named it "Mal/Pykse-A."

32. April 16, ComputerWorld — Exploit goes public for Windows DNS Server bug. A public exploit appeared just two days after Microsoft Corp. acknowledged a critical vulnerability in its server software, a change one security company said "greatly increases" the chances of a broad attack. The zero-day bug in the Domain Name System (DNS) Server Service in Windows 2000 Server (SP4) and Windows Server 2003 (SP1 and SP2) was confirmed by Microsoft late on Thursday. On Friday, the company said the current beta of Longhorn Server, the next-generation server software expected to ship later this year, was also affected. Symantec Corp. warned Saturday, April 14, that the Metasploit Project had released a public exploit for the vulnerability. "The release of this exploit greatly increases the chance of widespread exploitation of this issue before a patch is made available," warned Symantec. Metasploit is a security testing tool largely guided by developer and researcher HD Moore and is frequently first out the gate with exploits of Windows vulnerabilities.

33. April 16, ComputerWorld — Clear evidence of a two-phase attack plan, say researchers. The group behind last week's massive Storm Trojan spam blast set up Windows users with a one-two punch by switching tactics in mid-run, making the second stage's subject headings more believable, researchers said Monday, April 16. "There was a very distinct transition point" between the two stages, said Adam Swidler, senior manager of solutions marketing at Postini Inc. "It was a concerted effort to trick users." The huge wave of worm-infected spam e-mails sent out starting early Thursday had receded by about 2 a.m. Pacific Time Friday. "It petered out around then, and spam went back to its average daily and hourly rates," said Swidler.
Although most of the attention was paid to the attack's second phase -- when spammed messages arrived with subject headings such as "Worm Alert!" and "Virus Activity Detected!" -- the assault began with less alarming mail marked "Our Love Nest," "A Token of My Love" and other romantic phrases. The switch, speculated Swidler, was by design.

34. April 13, TechWorld (UK) — WiFi bug found in Linux. A bug has been found in a major Linux WiFi driver that can allow an attacker to take control of a laptop -- even when it is not on a WiFi network. There have not been many Linux WiFi device drivers, and this is apparently the first remotely executable WiFi bug. It affects the widely used MadWiFi Linux kernel device driver for Atheros-based WiFi chipsets, according to Laurent Butti, a researcher from France Telecom Orange, who found the flaw and released the information in a presentation at last month's Black Hat conference in Amsterdam. "You may be vulnerable if you do not manually patch your MadWiFi driver," said Butti. Before making it public, he shared the flaw with the MadWiFi development team, who have released a patch. However, not all Linux distributions have yet built the patch into their code, said Butti.

35. April 12, eWeek — Federal government makes improvements in information security. A House committee gave the federal government a grade of C-minus for 2006 as part of the committee's annual assessment of how well information is protected on government computers. The annual report by the House Government Oversight and Reform Committee is meant to judge compliance with the Federal Information Security Management Act (FISMA). The committee has given the government overall grades of D, D-plus and D-plus in 2003, 2004 and 2005, respectively. The Department of Justice (DOJ) and the Department of Housing and Urban Development (HUD) showed the most improvement from 2005 to 2006. The DOJ jumped from a D to an A-minus, while HUD climbed from D-plus to A-plus. HUD, for the first time, developed a full inventory of its information security apparatus, which the committee counted as a major plus in the grading. NASA fell from a B-minus to a D-minus, and the Department of Education dropped from a C-minus to an F, according to the committee. The Department of Homeland Security received a D for 2006, marking the first time it did not receive an F since ratings began in 2003.
Monday, April 16, 2007

Daily Highlights

The Maui News reports a Transportation Security Administration screener at Lanai Airport found a duffel bag with forged IDs including that of a Maui police lieutenant whose name, address, Social Security number, and birth date were stolen last year from missing U.S. Department of Veterans Affairs records. (See item 21)
The Miami Herald reports Florida water managers ordered the deepest water-use cutbacks ever across South Florida on Thursday, April 12, and started the formal process of extending restrictions year-round in an effort to halt rapidly worsening conditions. (See item 31)
The Baltimore Sun reports a two-year-old boy was severely burned Saturday afternoon, April 14, at the playground of a Middle River, Maryland, elementary school after going down a slide doused in sulfuric acid and landing in a pool of the corrosive liquid; this follows a similar incident in Texas. (See item 37)

Transportation and Border Security Sector

21. April 13, Maui News (HI) — Suspect found with forged IDs by TSA screener in Hawaii. The name on the duffel bag read Robert Folsom. But when a federal Transportation Security Administration (TSA) screener looked through the bag March 29 at Lanai Airport, she found a Hawaii driver’s license with a different name. As she continued to examine the traveler’s belongings, she turned up 43 Hawaii driver’s licenses, each with photos of the same man but with 35 different names, addresses and Social Security numbers, said Deputy Prosecutor John Tam. The suspect is Shane James Deighan, a 33-year-old Honolulu resident with a prior forgery conviction. Also found in his baggage were 19 credit cards, 11 of them matching one of the Hawaii driver’s licenses, with four of the credit cards signed on the back; three other apparently stolen Hawaii driver’s licenses with other people’s names and photos; two apparently stolen Texas driver’s licenses with other people’s names and photos; three Social Security cards, two blank checks, one military identification and a Canadian birth certificate. Deighan also had the personal information of a Maui police lieutenant whose name, address, Social Security number, and birth date were written in a notebook, possibly stolen last year from missing U.S. Department of Veterans Affairs records.

Information Technology and Telecommunications Sector

42. April 13, Reuters — Deadly virus phone threat causes Pakistan panic. Mobile service providers in Pakistan have been inundated by calls from subscribers worried by a prank message that they could die of a deadly virus being transmitted via their phones. The rumor was so effective that some mosques in the country's biggest city, Karachi, made announcements that people were being killed by a mobile virus and they should be aware of God's wrath. In a prank reminiscent of the plot in the hit Hollywood movie "The Ring" in which people die within a week after watching a video, the prankster warned users that a deadly virus transmitted through phones had killed 20 people. There are more than 52 million mobile users among 160 million people in Pakistan.

43. April 13, CNET News — Storm Worm variant ignites e-mail virus activity. Postini has reported that Thursday, April 12, likely marked the largest proliferation of e-mail virus attacks in more than a year. The e-mail security company indicated that two variations of the Storm Worm virus, which originally spread across the Internet in January, had driven global virus levels 60 times higher than their daily average. E-mail users were warned to be alert for messages with "love"-related subject lines and an executable attachment that would contain a Trojan virus, as well as messages with "Worm Alert!" subject lines that contained a .zip file full of malicious code. According to warning notices from Postini as well as VeriSign, which also has been following the threat, clicking on the executable file in one of the new Storm Worm e-mails installs a rootkit with anti-security measures in order to mask the malicious software's presence from virus scans and shut down security programs that may be running. The virus then taps into a private peer-to-peer network where it can download new updates and upload personal information from the compromised computer. Additionally, the virus scans the machine's hard drive to locate e-mail addresses to which it can replicate itself.

44. April 13, U.S. Computer Emergency Readiness Team — US-CERT Technical Cyber Security Alert TA07-103A: Microsoft Windows DNS RPC Buffer Overflow. A buffer overflow in the Remote Procedure Call (RPC) management interface used by the Microsoft Windows Domain Name Service (DNS) service is actively being exploited. This vulnerability may allow a remote attacker to execute arbitrary code with SYSTEM privileges. Systems affected: Microsoft Windows 2003 Server and Microsoft Windows 2000 Server. Solution: US-CERT is unaware of a complete solution to this vulnerability. Until a fix is available, there are workarounds that may reduce the chances of exploitation. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. For instance, disabling the RPC interface of the DNS service may prevent administrators from being able to remotely manage a Microsoft Windows DNS server. Consider this when implementing the following workarounds: a) Disable the RPC interface used by the Microsoft Windows DNS service; b) Block or restrict access to RPC services. Refer to source for details.

45. April 12, eWeek — Spammers increase efforts to exploit animated cursor flaw. IT organizations are being urged to deploy a patch for a bug affecting how Microsoft Windows handles animated cursors as spammers step up their efforts to exploit the flaw -- this time with a promise of lewd pictures of celebrity hotel heiress Paris Hilton. The spammed e-mail messages have subject lines such as "Hot pictures of Paris Hilton nude" but actually contain an embedded image of adult film star and entrepreneur Jenna Jameson. When clicked on, the image links to a Website containing the malicious Troj/Iffy-B Trojan horse, which in turn points to another piece of malware targeting the Microsoft vulnerability.

46. April 12, IDG News Service — Cisco fixes wireless security holes. Cisco has patched a number of security flaws in the software used to manage its wireless networking products. The company issued two sets of patches Thursday, April 12. One fixes flaws in the Wireless Control System software used to manage the company's Aironet Lightweight Access Points, Wireless LAN Controllers, and Wireless Location Appliance. A second set of patches fixes bugs in the Wireless LAN Controller, which controls Aironet access points as well as flaws in the access points themselves, Cisco said.

47. April 12, InformationWeek — New Bug reported in Windows help files. Another Microsoft vulnerability has been disclosed, along with proof-of-concept code. The so-called heap-overflow vulnerability affects Windows help files in multiple versions of Windows XP, Windows Server 2003, Windows NT, and Windows 2000. Researchers at SecurityFocus reported that the Help File viewer is prone to a heap-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data into insufficiently sized memory buffers. The problem arises when the application handles a malformed or malicious Windows Help File. Hon Lau, a member of the Security Response Team at Symantec, wrote in a blog entry on Thursday that researchers there have not seen the vulnerability being actively exploited. Lau said Symantec analyzed a sample of the proof-of-concept code and released the Bloodhound.Exploit.135 to detect threats that exploit the vulnerability.
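The boundary check the item says the Help File viewer lacks, shown on a toy record format as an added example (not code from the article, Microsoft or Symantec); the 2-byte length prefix, the 16-byte heap buffer and the sample records are constructed for this demonstration and are not the real WinHelp format:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define TOPIC_BUF_SIZE 16  /* fixed-size heap buffer for one topic string (assumed) */

/* Parser result codes. */
enum { TOPIC_OK = 0, TOPIC_ERR_TRUNCATED = -1, TOPIC_ERR_TOO_LONG = -2, TOPIC_ERR_NOMEM = -3 };

/* Parse one record: a 2-byte little-endian length followed by that many bytes
 * of topic text, copied into a heap buffer of TOPIC_BUF_SIZE bytes and
 * NUL-terminated. The defect class described in the item is a copy that
 * trusts `len` from the file; here the declared length is checked against
 * both the bytes actually present and the destination size before any
 * byte is copied, so a malformed file is rejected instead of overrunning
 * the heap. On success *out owns a malloc'd string; on error it is NULL. */
int parse_topic(const uint8_t *file, size_t file_len, char **out)
{
    *out = NULL;
    if (file_len < 2)
        return TOPIC_ERR_TRUNCATED;               /* no room for the length field */
    size_t len = (size_t)file[0] | ((size_t)file[1] << 8);
    if (len > file_len - 2)
        return TOPIC_ERR_TRUNCATED;               /* claims more bytes than the file holds */
    if (len >= TOPIC_BUF_SIZE)
        return TOPIC_ERR_TOO_LONG;                /* would overrun the buffer or its NUL */
    char *buf = malloc(TOPIC_BUF_SIZE);
    if (!buf)
        return TOPIC_ERR_NOMEM;
    memcpy(buf, file + 2, len);                   /* bounded copy: len < TOPIC_BUF_SIZE */
    buf[len] = '\0';
    *out = buf;
    return TOPIC_OK;
}

/* Constructed sample records (not real help-file data). */
static const uint8_t good_rec[] = { 5, 0, 'I', 'n', 'd', 'e', 'x' };
static const char oversized_rec[] = "\x14\x00" "AAAAAAAAAAAAAAAAAAAA"; /* declares 20 bytes */
static const uint8_t lying_rec[] = { 0xff, 0xff, 'x' };                /* declares 65535, carries 1 */

int main(void)
{
    char *t = NULL;
    printf("good: %d\n", parse_topic(good_rec, sizeof good_rec, &t));
    free(t);
    printf("oversized: %d\n", parse_topic((const uint8_t *)oversized_rec, sizeof oversized_rec - 1, &t));
    printf("lying: %d\n", parse_topic(lying_rec, sizeof lying_rec, &t));
    return 0;
}
```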
Friday, April 13, 2007

Daily Highlights

Department of Homeland Security officials are increasing their efforts to prevent attacks that involve deadly chemicals, especially because insurgents in Iraq have increased their use of bombs laced with chlorine gas. (See item 4)
The Jerusalem Post reports the Israeli Air Force came very close Wednesday afternoon, April 11, to intercepting and destroying a U.S. civilian airliner that had failed to make contact with Air Traffic Control and comply with international regulations as it approached the country's airspace. (See item 13)
CNN reports a 43-year-old U.S. citizen, Christopher Paul of Columbus, Ohio, faces charges of providing material support to al Qaeda and plotting to set off bombs in Europe and the U.S., according to a federal indictment unsealed in Columbus. (See item 37)

Information Technology and Telecommunications Sector

31. April 12, InformationWeek -- Google dissects a clickbot, and discusses the cost of click fraud. Over the past year, Google has been reaching out to the media and the public to allay fears that click fraud represents a serious threat to its business. Its executives have repeatedly said the problem is under control and not significant for Google. On Tuesday, April 11, Google published "The Anatomy of Clickbot.A," an analysis of malicious software used to commit click fraud. Despite Google CEO Eric Schmidt's past insistence that click fraud is "immaterial," the paper argues that more needs to be done to protect search engines and computers in general against botnet attacks. "We believe that it is important to disclose the details of how such botnets work to help the security community, in general, build better defenses," the paper states, adding that Google identified and invalidated all the clicks originating from the Clickbot.A botnet in question. The particular Clickbot.A botnet described in the paper consisted of 100,000 machines when analyzed in June 2006. The Clickbot.A software was designed to conduct "a low-noise click fraud attack against syndicated search engines."

32. April 11, Federal Computer Week -- Shortcomings plague State's IT security. Despite some improvements, the Department of State still falls short in its information security efforts, according to a new report from Inspector General Howard Krongard. Nearly half of the 34 departmental posts and bureaus audited by the inspector general from April to September 2006 displayed shortcomings in information technology security, according to the report. These shortcomings were apparent in classified data being stored in unclassified systems, inadequate separation of duties among IT employees, and missing or inadequate documentation on security settings used to protect data. Despite progress in addressing privacy and in reporting computer hacking incidents, the department also shows inadequacies in its Federal Information Security Management Act compliance and documentation.

33. April 11, Government Computer News -- OMB, DoD to enforce desktop standard through procurement. The Office of Management and Budget (OMB) and the Department of Defense (DoD) are taking similar but separate paths to ensure a standard Microsoft Windows desktop configuration is used by all agencies. Karen Evans, OMB's administrator for IT and e-government, has recommended to Paul Denett, the administrator in the Office of Federal Procurement Policy (OFPP), that the Federal Acquisition Regulations (FAR) Council add a clause to the FAR, or that OFPP send out a memo to all chief acquisition officers, that would require all IT contracts to include the requirement that all software and hardware do no harm to the standard configuration. The Air Force, meanwhile, has submitted a three-part clause to the DoD chief information officer that would be included in every IT contract, said Ken Heitkamp, associate director for lifecycle management and director of the Air Force's IT Commodity Council. Eventually, Heitkamp said, DoD's rule could be given to OMB for it to decide whether to take it governmentwide. OMB has set a June 30 deadline for agencies to include provisions in contracts addressing the standard configuration.

34. April 11, eWeek -- MS first look: No Word 2007 bugs. Microsoft says a preliminary investigation into reports of vulnerabilities in its Office 2007 suite has produced no evidence of a threat to users. Reports of new security holes in MS Office have been made public on known exploit sites, including information about four bugs posted on one site. Microsoft has not released specific information about the vulnerabilities, citing potential risk to users. "Microsoft's initial investigation has found that none of these claims demonstrate any vulnerability in Word 2007 or any Office 2007 products," a company spokesperson said April 11. "Our investigation into the possible impact of these claims on other versions of Microsoft Office is continuing." The reported flaws were uncovered by Mati Aharoni of Offensive-, in Israel.

35. April 11, IDG News Service -- Sophos: China fixing spam problem. The amount of spam pumping out of China dropped precipitously in the first three months of 2007, security vendor Sophos reported Wednesday, April 11. A year ago, computers in China were sending out 21.1 percent of all spam messages, but that number has steadily dropped over the past year, totaling just 7.5 percent in the most recent quarter, Sophos said. During the first seven days of 2007, for example, China accounted for only 1.7 percent of spam messages, an unusually precipitous drop, said Carole Theriault, a senior security consultant with Sophos. The cutoff was probably caused by two major December 26 earthquakes off the coast of Taiwan, which damaged underwater data cables and disrupted Internet access in Asia, Theriault said. But some of the credit also goes to a country-wide spam crackdown, she added.

36. April 10, InfoWorld -- McAfee: Cyber-crime will continue to pay. The latest research report from McAfee's Avert Labs paints a frightening picture for enterprise IT administrators and end-users, predicting continued maturation of cyber-crime and the technological means being used to carry out external attacks. According to McAfee's semi-annual Sage journal, a roundup of the company's ongoing security research, everything from spam to spyware will become more dangerous over the course of 2007 as hackers look for new ways to exploit end users' machines in their quest for fast cash. As was the case in 2006, the drive for profits among hackers and malware code writers will dominate development of the threat landscape over the next 12 months, McAfee experts said. "The overall trend remains more attacks geared toward making money that make use of malware or support people making malware," said Dave Marcus, security research manager with Avert Labs. "What is surprising is the service and support that's going on around the malware industry; there are more sites selling custom Trojans with support contracts and attacks coded to target banks of the buyer's choice and more malware suppliers offering patches and variants to their users."