Wednesday, March 12, 2008

Daily Report

• According to CNN, the Federal Aviation Administration announced Monday it is mandating that cockpit voice recorders record for longer periods of time and continue recording after a loss of power. Magnetic tape, which is vulnerable to damage, will be replaced with new technology in cockpit voice recorders. (See item 17)

• Buffalo News reports New York has alerted 40,000 members in Western and Northeastern New York that they may be at risk for identity theft, after a former employee’s laptop computer went missing with confidential information several months ago. The Buffalo-based parent of BlueCross BlueShield of Western New York sent letters late last week to the affected customers. (See item 24)

Information Technology

32. March 11, Security Products – (National) DHS conducts Cyber Storm II to examine cyber preparedness, response capabilities. The Department of Homeland Security (DHS) is conducting the largest cyber security exercise ever organized. Cyber Storm II is being held from March 10-14 in Washington, D.C. and brings together participants from federal, state and local governments, the private sector and the international community. Cyber Storm II is the second in a series of congressionally mandated exercises that will examine the nation’s cyber security preparedness and response capabilities. The exercise will simulate a coordinated cyber attack on information technology, communications, chemical, and transportation systems and assets. “Securing cyberspace is vital to maintaining America’s strategic interests, public safety, and economic prosperity,” said DHS’s assistant secretary for Cyber Security and Communications. “Exercises like Cyber Storm II help to ensure that the public and private sectors are prepared for an effective response to attacks against our critical systems and networks,” he said. Cyber Storm II will include 18 federal departments and agencies, nine states (Calif., Colo., Del., Ill., Mich., N.C., Pa., Texas and Va.), five countries (United States, Australia, Canada, New Zealand and the United Kingdom), and more than 40 private sector companies. For more information on Cyber Storm II, visit:

33. March 11, IDG News Service – (National) Judge rules against accused spyware distributor. A U.S. judge has granted a request by the Federal Trade Commission for a judgment against a company accused of distributing spyware and adware onto people’s computers. A judge in the U.S. District Court for the District of Nevada has ordered the accused to give up $4,595.36, the money he made from a scheme that tricked consumers into downloading spyware by offering free screensavers and videos on a Web site, the FTC said Monday. Software on the site included spyware called Media Motor from ERG Ventures that changed consumers’ home pages, tracked their Internet activity, altered browser settings, degraded computer performance and disabled antispyware and antivirus software, the FTC said. ERG Ventures, based in Nevada, agreed to pay $330,000 as part of a settlement with the FTC last September. The default judgment against the man, who has lived in Tennessee, ends the November 2006 lawsuit the FTC filed against ERG Ventures, its owners and the accused man. The FTC had accused him and ERG Ventures of distributing spyware that infected 15 million computers. Many of the malware programs were “extremely difficult or impossible” for consumers to remove from their computers, the FTC said. The judgment bars him from distributing software that interferes with consumers’ computers, including software that tracks consumers’ Internet activity or collects other personal information; generates disruptive pop-up advertising; tampers with or disables other installed programs; or installs other advertising software onto consumers’ computers.

34. March 10, Dark Reading – (National) Battle against fast-flux botnets intensifies. First there was fast flux, and now there is double flux: a variant of the stealthy fast-flux hosting technique used by major bot herders that rapidly shifts malicious Web servers and domain name servers (DNS) from machine to machine to evade detection. A new advisory by the ICANN Security and Stability Advisory Committee (SSAC) sheds new light on the emerging double flux threat and provides proposed recommendations and best practices for Internet domain registrars, ISPs, users, and other members of the Internet community, in an effort to derail fast-flux botnets. Fast flux is where botnet herders continuously move the location of a Web, email, or DNS server from computer to computer in an effort to keep its malicious activity – spamming or phishing, for example – alive and difficult to detect. IP blacklists are basically useless in finding fast flux-based botnets. The infamous Storm botnet, for instance, was one of the first to deploy this technique of preserving its botnet infrastructure and hiding from investigators. “Double-flux is just another evasion technique applying two levels of... deception as opposed to one,” says a member of ICANN’s SSAC and one of the authors of the paper. “It’s particularly troublesome because using domain names is a whole lot easier than using IP addresses. Before this, you could hone in on a domain server as a way of shutting down a [malicious] site. But now they [the bad guys] have one more tool in their evasion toolkit.” With double flux, the DNS name servers that resolve the Web host names are moved from machine to machine, as are the actual hosts serving up the phony pharmaceuticals or other nefarious sites. By the time investigators get on its trail, the fast-flux botnet has changed the IP address again, he says.
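As an added illustration (not part of the report or the SSAC advisory), the following Python sketch shows the defender-side signal the item describes: short TTLs combined with churning host IPs mark fast flux, and churn in the IPs of the domain’s own name servers marks double flux. The domain names, IPs and lookup history are constructed from documentation address ranges and are not real indicators.

```python
# Added example (not from the original report): a heuristic detector for
# fast-flux and double-flux behaviour over a constructed DNS lookup history.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Lookup:
    domain: str
    ttl: int          # TTL of the A record, in seconds
    a_records: tuple  # IPs the domain resolved to at this point in time
    ns_ips: tuple     # IPs of the name servers authoritative at that time

def flux_profile(history, short_ttl=600):
    """Summarise per-domain churn across successive lookups."""
    by_domain = defaultdict(list)
    for lk in history:
        by_domain[lk.domain].append(lk)
    out = {}
    for dom, lks in by_domain.items():
        a_ips = {ip for lk in lks for ip in lk.a_records}
        ns_ips = {ip for lk in lks for ip in lk.ns_ips}
        short = sum(1 for lk in lks if lk.ttl <= short_ttl)
        out[dom] = {"lookups": len(lks), "distinct_a_ips": len(a_ips),
                    "distinct_ns_ips": len(ns_ips),
                    "short_ttl_fraction": short / len(lks)}
    return out

def classify(p, min_lookups=3, churn=5):
    """Label one profile: short TTLs plus many host IPs is fast flux;
    the name servers' own IPs churning as well is double flux."""
    if p["lookups"] < min_lookups or p["short_ttl_fraction"] < 0.5:
        return "stable"
    if p["distinct_a_ips"] < churn:
        return "stable"
    return "double-flux" if p["distinct_ns_ips"] >= churn else "fast-flux"

def constructed_history():
    """Constructed sample lookups (documentation ranges, not real IoCs):
    one stable, one fast-flux and one double-flux domain, five lookups each."""
    hist = []
    for i in range(5):
        hist.append(Lookup("stable.example", 86400, ("192.0.2.10",), ("192.0.2.53",)))
        hist.append(Lookup("flux.example", 300,
                           (f"198.51.100.{3*i+1}", f"198.51.100.{3*i+2}"), ("198.51.100.53",)))
        hist.append(Lookup("dflux.example", 180,
                           (f"203.0.113.{3*i+1}",), (f"203.0.113.{3*i+50}",)))
    return hist

def labels(history):
    """Map each domain in the history to its flux label."""
    return {d: classify(p) for d, p in flux_profile(history).items()}
```

Thresholds such as `churn=5` and `short_ttl=600` are illustrative; tune them against your own resolver logs, since a legitimately load-balanced CDN domain also shows several IPs with short TTLs but a stable set of name servers.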

Communications Sector

35. March 11, ZDNet – (National) Companies urged to ensure BlackBerry security. Companies are being warned to make sure they correctly configure their BlackBerry devices, or risk weakening their IT security. Internet security consultancy NTA Monitor said recent testing showed that organizations are still failing to ensure the smartphone devices are locked down. It said the BlackBerry architecture can be insecure if no firewalls are used to separate the BlackBerry Enterprise Server (BES) router component from the central BES server on the internal network. If the BES is compromised and there is no separation of the BES router, it can lead to the whole network becoming insecure, the company claimed. The technical director at NTA said in a statement: “A hacker could potentially use this back channel to move around inside an organization undetected,” adding that the ideal scenario for BlackBerry security is to create a “demilitarized zone” to separate the router component from the BES. He explained: “If the BES router gets compromised, the demilitarized zone will ensure that there is no direct access to the local area network.” The vice president of global security at Research in Motion, which manufactures BlackBerry, said that while that solution may work for some BlackBerry customers, it is just one approach to securing the devices. He stressed that there is no “one-size-fits-all answer” to security.

36. March 10, Multichannel News – (National) House panel to vet net neutrality. A House panel on Tuesday will hear conflicting testimony on whether Congress needs to regulate cable and phone companies to prevent discriminatory behavior against Internet-based content and applications. The session will be held by the House Judiciary Committee Antitrust Task Force at a time when the Federal Communications Commission has Comcast Corp. under investigation for allegedly blocking BitTorrent uploads during hours of peak network congestion. Comcast admitted to delaying some traffic as a reasonable network management tool. Some witnesses will voice support for passage of a network neutrality law, pointing to allegations against cable, wireless and traditional phone companies as ample justification for close supervision of their network management practices.

37. March 10, IDG News Service – (National) Cisco to patch routers on regular schedule. Following the lead of Microsoft and Oracle, Cisco Systems will start releasing security patches for some of its products on a schedule. The scheduled updates will be for the Internetwork Operating System (IOS) software used by routers and switches that Cisco sells to enterprise and telecommunications industry customers. Other Cisco products, including those from its Linksys division, will continue to be updated as before. The first of these scheduled updates will occur on Wednesday, March 26, and Cisco will continue to release patches on a twice-yearly schedule after that, Cisco said in a note posted Wednesday on its Web site. These firmware updates will ship on the fourth Wednesday of September and March each year. That’s less frequently than the other major vendors that have moved to regular security updates. Microsoft releases its security patches on the second Tuesday of every month; Oracle is on a quarterly update schedule. Cisco published eight security advisories for IOS security bugs last year. IOS has come under increased scrutiny in recent years as hackers have developed new ways of attacking router software. Because Cisco’s routers are so widely used, IOS is considered to be an attractive target for attackers.

38. March 10, SC Magazine – (International) Money-stealing mobile trojan surfaces in China. Security researchers from McAfee have identified a trojan that attempts to extort money from owners of Symbian-based smartphones in China. After being downloaded onto the user’s smartphone, the malicious software, which McAfee has dubbed Kiazha.A, deletes any SMS messages and threatens to shut the phone down unless the user sends 50 yuan (about $7) to the malware author. The trojan asks the user to pay via QQ coins, a virtual currency used in the popular Chinese QQ instant messaging network. A security research and communications manager at McAfee’s Avert Labs said on Wednesday that Kiazha.A is part of a “malware cocktail” called MultiDropper.CR. The various components create a bundle that tries to persuade the user to install the package, sets up SMS forwarding to collect information, creates a QQ account in case the victim doesn’t have one, and then deletes SMS messages to cover its tracks. It then displays an offer to fix the user’s phone for a small fee. The alert message displayed on the phone reads, “Warning: Your device has been affected, please prepare a recharge card of RMB 50 yuan and connect QQ [ID removed] account or your phone will be paralyzed!!!” “With MultiDropper.CR, it appears that the author, with a lot of effort and testing, put together various malware-like pieces from a toolkit,” an engineer at McAfee Avert Labs said. “The author may have put in all this work to make a profit rather than increase his notoriety.” Users’ Symbian-based phones can become infected by visiting a malicious website and downloading apparently safe software.