Tuesday, April 22, 2008

Daily Report

• CNN reports a South Carolina high school senior arrested in an alleged bomb plot had the ingredients to assemble a bomb in minutes, police said Monday. The teenager was arrested Saturday after his parents called police when ten pounds of ammonium nitrate was delivered to their home. (See item 24)

• According to KOAT 7 Albuquerque, forestry officials said that the Trigo Fire in the Cibola National Forest had grown to 3,745 acres Monday morning, nearly triple the size it was early Sunday. The Torrance County, New Mexico, emergency manager called the situation severe. (See item 36)

Information Technology

30. April 21, IDG News Service – (International) Rock Phish gang adds second punch to phishing attacks. A notorious online gang known for its prolific phishing operations has expanded its means of attack, potentially putting more PC users at risk of losing personal data. The Rock Phish gang surfaced around 2004, becoming well-known for its expertise in setting up phishing sites, which seek to trick people into divulging sensitive data, as well as for selling phishing kits designed for less technical cybercriminals. Now, the phishing sites linked with the Rock Phish gang are being rigged with a drive-by download, a type of attack that can infect a PC with malicious software without any interaction by the user, researchers from vendor RSA said Monday. The one-two punch means that even people who go to the phishing site but are not fooled into inputting their personal details could still be infected, a senior researcher wrote on RSA’s blog. The phishing Web site tries to exploit any software vulnerabilities, and if it finds one, will then load the Zeus Trojan onto the PC. Zeus is particularly dangerous: it can collect data on forms, take screen shots, pilfer passwords from browsers, and remotely control the computer, the researcher wrote. Zeus also comes in at least 150 flavors. One of the phishing kits being sold now for US$700 masks how Zeus appears to security programs. Source: http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/08/04/21/Rock-Phish-gang-adds-second-punch-to-phishing-attacks_1.html

31. April 21, vnunet.com – (National) Microsoft warns of web server flaw. Microsoft is investigating a newly reported flaw that could put websites at risk of attack. The company has issued an advisory on the vulnerability, which affects Windows XP Professional SP2, Windows Server 2003, Windows Vista, and Windows Server 2008. The problem exists in Windows’ handling of code within its Internet Information Services (IIS) and SQL Server. If exploited, the vulnerability could allow a user to elevate access privileges to that of the LocalSystem administration tool. Microsoft warned that companies that make extensive use of user-provided code, such as site hosts, are especially vulnerable. Microsoft has yet to receive any reports of the vulnerability being targeted, but security experts have already warned of a possible attack. “The vulnerability is limited to a local privilege escalation, but IIS’ susceptibility is concerning,” wrote a McAfee researcher. “The web server is widely used on the internet, and is a top pick by web-hosting providers. We might see web-hosting providers targeted, and their clients’ websites breached.” Microsoft is still investigating the reports and will make a decision on whether to issue a patch immediately or wait until its next scheduled security update on May 13. Source: http://www.vnunet.com/vnunet/news/2214722/microsoft-warns-web-server

32. April 19, ars technica – (International) EU states agree that inciting terrorism on the Internet is a crime. Representatives of the EU’s 27 member states formally agreed today to harmonize their respective countries’ definitions of criminally prosecutable acts of terrorism by expanding them to include three new types of crimes: “public provocation to commit a terrorist offence, [terrorist] recruitment, and training for terrorism.” The definition of “public provocation” was especially controversial, and it encompasses content posted on the Internet, including not only direct incitements to violence but also terrorist propaganda and bomb-making expertise. The decision was not without controversy, and misgivings about the possible limits on freedom of expression implied in the Amendment to the 2002 Council Framework Decision on combating terrorism were aired in a round-table session on Monday. An EU Parliament report on the round-table summarized the concerns of one British representative, who recounted how British law enforcement had allegedly threatened to use anti-terror laws to arrest some of the protesters at the London leg of the Olympic torch relay. Her concern, much like that of those who have been raising objections to this “public provocation” language since it was proposed last year, is that the Amendment will push member states down a slippery slope toward criminalizing legitimate political expression. Source: http://arstechnica.com/news.ars/post/20080419-eu-states-agree-that-inciting-terrorism-on-the-internet-is-a-crime.html

33. April 19, IDG News Service – (International) CNN cyberattack called off. A planned cyberattack against CNN’s Web site fizzled out Saturday as the group backing the event called it off. “Our original plan for 19 April has been canceled because too many people are aware of it and the situation is chaotic,” wrote a group called “Revenge of the Flame,” according to a translation posted on the Dark Visitor Blog. “At an unspecified date in the near future, we will launch the attack.” Pro-China hackers had called for the attack in protest of the news network’s coverage of Tibet, which they believe has been overly critical of China. Participants had been instructed to flood CNN’s Web site with Internet traffic in hopes of knocking it offline, something known as a distributed denial of service attack. Some had begun hitting the site ahead of the April 19 attack date. On Friday, CNN reported that it had been attacked Thursday, causing the site “to be slow or unavailable to some users in limited areas of Asia.” The net effect of the attack was “imperceptible,” CNN said. Network monitoring company Arbor Networks observed that www3.cnn.com was hit with a minor 14-MB-per-second attack that lasted about 21 minutes, according to the company’s chief research officer. Source: http://www.networkworld.com/news/2008/041908-cnn-cyberattack-called.html

Communications Sector

34. April 19, IDG News Service – (National) EarthLink redirect service poses security risk, expert says. A vulnerability in servers used by EarthLink Inc. to handle mistyped Web page requests may have allowed attackers to launch undetectable phishing attacks against any Internet site, according to a noted Internet security researcher. The bug, which was patched earlier this week, underscores a fundamental security risk in the way that some Internet service providers are attempting to generate advertising revenue from mistyped Web addresses, said the director of penetration testing at IOActive Inc., a security consulting firm. The vulnerability was in a service called Barefruit, which EarthLink has been using since August 2006 to return Web pages with search terms and advertising to customers who mistype a domain name in their browser. With Barefruit’s servers, users are told that nonexistent addresses do exist and are then sent to a Web page that displays advertising and suggested search terms. Because of a bug in the software used to redirect users to these advertising and search pages, the researcher was able to get the pages to run his own JavaScript code, enabling him to steal users’ cookies, create fake Web sites that appeared to be hosted on legitimate domains, and even log into certain Web sites without authorization. EarthLink is not the only Internet service provider to be testing this system. The researcher said he found evidence of Barefruit or similar systems being tested on Verizon, Time Warner, Qwest, and Comcast, which outsources some of its network to EarthLink. “The security of the entire Web for these ISPs is right now limited by the security of some random ad server run by a British company,” he said. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9079099&source=rss_topic17