Thursday, January 24, 2008

Daily Report

• Purdue University News reports that researchers at the university are working with the state of Indiana to develop a system that would use a network of sensor-equipped cell phones to detect radiation sources, including possible radiological “dirty bombs” and nuclear weapons. By adding sensitive but small radiation sensors to cell phones, which already contain GPS locators, researchers say they could enable a network of phones to function as a tracking system. (See item 7)

• According to Reuters, a new GAO report states that vaccines and drugs will not be enough to slow or prevent a pandemic of influenza, which global health experts almost universally agree is overdue. Supplies of antiviral drugs are low and a vaccine would have to be formulated to match the precise strain causing the pandemic. (See item 25)

Information Technology

30. January 23, – (International) China has penetrated key U.S. databases: SANS director. An aggressive, non-stop campaign by China to penetrate key government and industry databases in the United States already has succeeded and the United States urgently needs to monitor all internet traffic to critical government and private-sector networks “to find the enemy within,” the SANS Institute’s director of research told He said that empirical evidence analyzed by researchers leaves little doubt that the Chinese government has mounted a non-stop, well-financed attack to breach key national security and industry databases, adding that it is likely that this effort is making use of personnel provided by China’s People’s Liberation Army. The “smoking guns” pointing to a government-directed effort are keystroke logs of the attacks, which have been devoid of errors usually found in amateur hack attacks, the use of spear phishing to gain entry into computer networks, and the massively repetitive nature of the assault, the SANS research director said. SANS earlier this week placed espionage from China and other nations near the top of its annual list of cybersecurity menaces, reporting that targeted spear phishing is the weapon of choice used in the assault on U.S. databases and those of its allies.

31. January 22, ars technica – (National) Compromised web sites serve more malware than malicious ones. According to security firm WebSense, the number of legitimate web sites that have been hacked and are distributing or enabling various types of malware attacks is greater than the number of malicious sites created specifically for that purpose. The company’s latest report discusses this trend, along with the tremendous impact the Storm Worm had on the Internet through all of 2007. As WebSense states, there is a clear advantage to infecting a legitimate site that comes with its own built-in traffic and a user base. The type of theft varies depending on the site. Personal data and credit card information are the most obvious acquisition targets, but online gaming account theft and click-fraud are apparently common as well. It is well known that there are forums, discussion groups, and IRC channels devoted to the topics of which web sites are known to be vulnerable. The problem also runs deeper than simply educating administrators about security vulnerabilities in the software that they use -- locating the correct host provider for any particular web space can be difficult, and many sites do not fall off WebSense’s malicious site blacklist quickly, sometimes remaining there for weeks or even months after being notified of a problem.

32. January 22, Network World – (National) First case of “drive-by pharming” identified in the wild. The theory is now a reality. Symantec reported Tuesday that drive-by pharming, in which a hacker changes the DNS settings on a customer’s broadband router or wireless access point and directs the link to a fraudulent Web site, has been observed in the wild. The first drive-by pharming attack has been observed against a Mexican bank: “It’s associated with an e-mail pretending to be from a legitimate Spanish-language e-greeting card company,” says Symantec Security Response’s principal researcher. Inside the e-mail is an HTML image tag, but instead of displaying an image, it sends a request to the home router to tamper with it. In the e-mail evidence Symantec has examined, the code seeks to change 2Wire DSL routers to point the user’s Web browser to a fraudulent bank site that mimics the site of one of the largest Mexican banks. “So, whenever you’d want to go to the bank site, instead of the real one, you’d get the attacker’s fake site,” he says. For the home PC user, the danger is that this drive-by pharming attack is “so silent and there’s only subtle telltale signs that it’s occurring,” he adds. A white paper last year from Symantec and the Indiana University School of Informatics coined the term. At the time the researchers detailed the JavaScript-based security threat and said such an attack could hit up to 50 percent of home broadband users. Drive-by pharming can occur because home router equipment is often left configured with default log-in and password information that is never changed.
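The telltale in the lure described above is an e-mail whose image tag points at the recipient's own router instead of a web server. As an added example (not code from the report or from Symantec), the check below is one a mail gateway or analyst could run over an HTML body: it flags embedded resources whose host is a private, loopback or link-local IP literal. The sample messages and the 192.168.1.1 address are constructed for illustration.

```python
"""Flag HTML e-mail bodies whose embedded resources load from LAN addresses.

Added example, not code from the report. A drive-by pharming lure embeds an
<img> whose src is the recipient's home router rather than a web server, so an
image loading from private or link-local space is a strong indicator.
Sample messages and addresses below are constructed for illustration.
"""
from html.parser import HTMLParser
import ipaddress
from urllib.parse import urlsplit


class _SrcCollector(HTMLParser):
    """Collect src attributes of <img> tags (iframes/scripts can be abused the same way)."""
    TAGS = {"img", "iframe", "script"}

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in self.TAGS:
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def _host_is_lan(url):
    """True if the URL host is an IP literal in private, loopback or link-local space."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an address literal
    return addr.is_private or addr.is_loopback or addr.is_link_local


def suspicious_sources(html_body):
    """Return embedded resource URLs that would make the mail client send a
    request into the recipient's own network."""
    parser = _SrcCollector()
    parser.feed(html_body)
    return [u for u in parser.sources if _host_is_lan(u)]


# Constructed samples: a plain e-card and one carrying a hidden request to a LAN router.
BENIGN = '<p>You have an e-card!</p><img src="http://ecards.example.net/card.png">'
LURE = BENIGN + '<img src="http://192.168.1.1/example-admin-page" width="1" height="1">'
```

A hit does not prove tampering succeeded, but it is exactly the kind of subtle sign the researcher mentions, and it is visible at the mail gateway before the message reaches a browser.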

Communications Sector

33. January 23, Associated Press – (National) AT&T may begin monitoring online traffic. AT&T Inc. may begin monitoring traffic over its online network in an effort to stamp out theft of copyrighted material, its chief executive said Wednesday. The company’s CEO told a conference at the World Economic Forum that the company was still evaluating what it would do about peer-to-peer networks, one of the largest drivers of online traffic, but also a common way to illegally exchange copyright files. “It’s like being in a store and watching someone steal a DVD. Do you act?” he asked.