Friday, February 29, 2008

Daily Report

• According to internal government documents obtained by ABC News, thousands of foreign student pilots who do not have the proper visas have been able to enroll in U.S. flight schools and obtain pilot licenses. Under laws passed in the wake of the September 11 attacks, American flight schools are only supposed to provide pilot training to foreign students who have been given a background check by the Transportation Security Administration and have a specific type of visa. (See item 15)

• The Milwaukee Journal Sentinel reports Milwaukee police are investigating the apparently intentional disruption of Milorganite fertilizer production this week at the Jones Island sewage treatment plant in Wisconsin. Six of 12 sewage sludge dryers used in Milorganite production had to be shut down Tuesday morning after a manually operated valve for a cold water pipe to a dryer had been opened. (See item 32)

Information Technology

29. February 27, InfoWorld – (National) eBay Red Team confab aims to help security officers. eBay is trying to help CISOs (chief information security officers) build a common front in the war against cybercrime. The company played host to chief security officers and a handful of technology vendors this week, holding its annual Red Team security conference at the company’s San Jose, California, campus, billing it as a networking opportunity for security professionals where they could discuss areas of common concern. “What we were trying to do was to get all the CISOs together,” said eBay’s CISO. “We’re dealing with similar problems, almost all of us.” While companies using Internet technology may be facing a common set of problems, they have not always shared information with their peers. That is because if news of a hacked server or a data breach is leaked to the press, it can become a public-relations disaster for the company involved. At this week’s conference, CISOs discussed common issues, including how they are pursuing cross-border investigations and what they think of the security products they were using. The second-ever Red Team conference ran Monday and Tuesday. The first day of the conference focused on CISO issues, while on day two, the discussion was opened up to security vendors such as iSight Partners and Cisco, which gave presentations on the state of security.

30. February 27, Computerworld – (International) Finjan finds illegal database with more than 8,700 stolen FTP credentials. A fresh discovery by security vendor Finjan provides yet another example of how easy it is becoming for almost anyone to find the tools needed to break into, infect, or steal data from corporate Web sites. The vendor announced Wednesday that it has uncovered an illegal database containing more than 8,700 stolen FTP server credentials including user name, password, and server addresses. Anyone can purchase those credentials and use them to launch malicious attacks against the compromised systems. The stolen credentials belong to companies from around the world and include more than 2,500 North American companies, some of whose Web sites are among the world’s top 100 domains, according to Finjan’s CTO. The FTP credentials would allow someone with malicious intent to break into and upload malware to a compromised server with a click or two, he said. “You could pick any server you wanted in the list, pay for it,” and launch an attack with very little effort. A trading interface on the server hosting the illegal database allows purchasers to buy FTP server credentials based on the country in which the servers are located, or even by the Google ranking of the Web sites, he said. It also appears designed to give criminals looking to resell FTP credentials a better basis for pricing the stolen data, he said.

Communications Sector

31. February 28, CNET News – (International) In Pakistan vs. YouTube, it’s not all about technology. The flap earlier this week in which Pakistan Telecom knocked YouTube off the Internet for two hours was unusual. It was not like when a court in Turkey blocked access to YouTube from within the country, or when China restricts Western news sites. Those were country-specific and intentional. The outage on Sunday was global and, as far as we know, unintentional. So what is to stop another Internet service provider -- especially a government-owned one -- from intentionally trying this trick? The short answer is that while the Internet is anarchic, it is not that anarchic. In fact, the way network providers handle Internet routing is very specific and carefully defined in a series of standards. Network providers -- called autonomous systems, or ASes -- are assigned unique ID numbers that are compiled by the Internet Corporation for Assigned Names and Numbers. While ICANN holds the master list of AS numbers, they are actually assigned by allocating large blocks of 1,000 or so at a time to regional address registries. And when one network provider misbehaves and broadcasts a false claim to be the proper destination for certain Internet addresses -- as Pakistan Telecom (AS 17557) did this week -- it is easy enough to figure out what is going on. The Internet may be run by computers, but it is managed by people who share tips and alert each other to potential network problems. Some of these discussions take place on public mailing lists; some occur in more private settings. Many of these network operators know each other personally through groups like NANOG, AfNOG, and SANOG. Human intervention, manual overrides, and personal relationships based on in-person meetings are not perfect: ideally, false broadcasts could be prevented completely through encryption-outfitted mechanisms like Secure BGP. But these less-formal relationships have worked remarkably well, and are (for now at least) the first line of defense against someone learning the lessons from Pakistan Telecom and attempting to do far more damage than merely taking out YouTube for a few hours.
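An added example, not part of the original report or the CNET article: a monitoring sketch that compares observed route announcements with a table of expected origin ASes and flags the kind of false claim described above. The prefixes and AS numbers are constructed from ranges reserved for documentation, and the names `EXPECTED_ORIGINS`, `classify` and `find_alerts` are hypothetical.

```python
import ipaddress

# Constructed registry (documentation prefixes and AS numbers, not real
# allocations): prefix -> the AS expected to originate it.
EXPECTED_ORIGINS = {
    ipaddress.ip_network("203.0.113.0/24"): 64500,
    ipaddress.ip_network("198.51.100.0/24"): 64501,
}

def classify(prefix, as_path):
    """Classify one announcement; the origin AS is the last AS in the path."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for known, expected in EXPECTED_ORIGINS.items():
        if net == known:
            return "ok" if origin == expected else "origin-mismatch"
        if net.version == known.version and net.subnet_of(known):
            # A longer prefix is preferred by routers over the covering
            # route, so a foreign origin here diverts traffic even while
            # the legitimate announcement is still present.
            return "ok" if origin == expected else "more-specific-mismatch"
    return "unknown"  # no expectation recorded for this address space

def find_alerts(updates):
    """Return (prefix, origin AS, verdict) for every mismatching update."""
    alerts = []
    for prefix, as_path in updates:
        verdict = classify(prefix, as_path)
        if verdict.endswith("mismatch"):
            alerts.append((prefix, as_path[-1], verdict))
    return alerts

# Constructed sample feed: (announced prefix, AS path as seen by the monitor).
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [64510, 64500]),    # legitimate origin
    ("203.0.113.128/25", [64511, 64496]),  # more specific, foreign origin
    ("198.51.100.0/24", [64510, 64496]),   # same prefix, foreign origin
    ("192.0.2.0/24", [64510, 64502]),      # not in the registry
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_UPDATES):
        print(alert)
```

A check like this only detects a mismatch after the announcement has propagated; preventing it requires the cryptographic origin validation the article alludes to.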