Wednesday, May 14, 2008

Daily Report

• According to TIME’s sources a commando team posing as terrorists attacked and penetrated the Lawrence Livermore National Laboratory, a nuclear research facility in California, quickly overpowering its defenses to reach a mock payload of fissile material. The exercise exposed a number of security vulnerabilities at the Lab. (See item 10)

• ComputerWorld reports that over half a million Web sites have been compromised in a new round of attacks that hacked domains in order to infect PCs with malware. The hack exploits a vulnerability in “phpBB,” an open-source message forum manager. (See item 39)

Information Technology

37. May 13, ComputerWorld Malaysia – (International) US $13 million grant approved to fight cyber-terrorism. Malaysia’s Prime Minister has approved a US $13 million grant to lay the foundation of IMPACT, a not-for-profit global organization to rally efforts from governments, the private sector, and academia worldwide against the growing threat of cyber-terrorism. IMPACT (International Multilateral Partnership Against Cyber-Terrorism) is the first collaborative global public-private initiative against cyber-terrorism. The start-up grant will be used to construct the IMPACT building in Cyberjaya, Malaysia, and operations are expected to start in December 2008. The IMPACT initiative was formally announced in 2006 by Malaysia’s prime minister at the closing ceremony of the previous World Congress on Information Technology (WCIT) held in the US. The acting Chief Operations Officer and Head of the Center for Training & Skills Development of IMPACT said the original announcement acknowledged that cyber and online infrastructure could also be vulnerable to other conventional forms of terrorism. IMPACT is currently building two systems for its member countries. The Early Warning System will aggregate ‘feeds’ from its security partners and member countries and redistribute them to member countries across the world. The collaboration system is a secure electronic platform that lets experts from member countries work together according to their specialty and niche areas (for example, addressing security issues in legacy systems still used by some member countries); collaboration is kept secure because each expert is accredited to his or her own government. “In the event of an issue among our members, IMPACT hopes to be able to quickly put together a team of experts from all over the world to address the issues or the challenges ahead,” said one representative. Source:

38. May 13, – (International) Srizbi grows into world’s largest botnet. The prodigious Srizbi botnet has continued to grow and now accounts for up to 50 percent of the spam being filtered by one security company. If the latest figures from security company Marshall can be taken at face value – their engines scan much the same traffic as do others in the industry – then Srizbi is now the biggest single menace on the Internet, dwarfing even the feared and mysterious Storm. Having compromised 300,000 PCs around the world, it was now sending out an estimated 60 billion spam e-mails per day, a torrent that consumes huge amounts of processing power to keep in check. “Srizbi is the single greatest spam threat we have ever seen. At its peak, the highly publicized Storm botnet only accounted for 20 percent of spam. Srizbi now produces more spam than all the other botnets combined,” said Marshall’s vice president of products. In March of this year, Marshall’s threat research and content engineering team reported the botnet as a growing problem among a small family of super-botnets, a sign that a few highly successful bots were starting to monopolize traffic. Srizbi appears to spread as part of the spam messages it sends, meaning that its life cycle extends to reproducing itself and not just distributing e-mail. This is not a unique feature, but it could be that it is either evading detection at this stage or tricking people using more sophisticated social engineering. Source:

39. May 12, Computerworld – (International) Hackers hijack a half-million sites in latest attack. More than half a million Web sites have been compromised in a new round of attacks that hacked domains in order to infect unsuspecting users’ PCs with a variety of malware, a security researcher said today. “This is an ongoing campaign, with new domains [hosting the malware] popping up even this morning,” said a network architect at antivirus vendor Trend Micro Inc. “The domains are changing constantly.” According to the Trend Micro representative, over half a million legitimate Web sites have been hacked by Tuesday’s mass-scale attack, only the latest in a string that goes back to at least January. All of the sites, he confirmed, are running “phpBB,” an open-source message forum manager. He did not know how the sites were compromised; Trend Micro’s investigation is in progress, he said. “We’re not sure if it’s [because of] improper configuration of phpBB or a vulnerability. Open-source applications like phpBB tend to be targeted quite a bit.” Visitors to a hacked site are redirected through a series of servers, until the last in the chain is reached; that server then pings the PC for any one of several vulnerabilities, including bugs in both Microsoft’s Internet Explorer and RealNetworks’ RealPlayer media player. If any of the vulnerabilities is present, the PC is exploited and malware is downloaded. Source:
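The multi-hop redirect chain described in item 39 is something a defender can spot in outbound proxy logs: a client whose successive requests each land on the previous response’s Location header, across several distinct hosts, before a final non-redirect page. The following is an added illustration, not code from the article or from Trend Micro; the log format (client, status, URL, Location or “-”) and the hostnames are constructed, and the hop threshold is an assumed tuning value.

```python
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic): one client bounced through
# three redirects from a forum page, another client hit a single benign redirect.
SAMPLE_LOG = """\
10.0.0.5 302 http://forum.example.org/viewtopic.php?t=42 http://redir-one.example.net/go
10.0.0.5 302 http://redir-one.example.net/go http://redir-two.example.net/r
10.0.0.5 302 http://redir-two.example.net/r http://landing.example.com/check
10.0.0.5 200 http://landing.example.com/check -
10.0.0.7 302 http://shop.example.org/ http://www.shop.example.org/
10.0.0.7 200 http://www.shop.example.org/ -
"""

def parse(lines):
    """Yield (client, status, url, location) per log line; '-' means no Location."""
    for line in lines.splitlines():
        client, status, url, location = line.split()
        yield client, int(status), url, (None if location == "-" else location)

def redirect_chains(lines):
    """Stitch each client's consecutive redirects into a chain of hostnames.

    A request continues the client's open chain only if its URL equals the
    Location the previous response pointed at; anything else starts a new chain.
    """
    chains, open_chain = [], {}          # client -> (expected_next_url, hosts)
    for client, status, url, location in parse(lines):
        expected, hosts = open_chain.get(client, (None, []))
        if expected != url:              # not a continuation of the open chain
            hosts = []
        hosts = hosts + [urlsplit(url).hostname]
        if 300 <= status < 400 and location:
            open_chain[client] = (location, hosts)   # chain still in flight
        else:
            open_chain.pop(client, None)             # chain ended on a final page
            chains.append((client, hosts))
    return chains

def suspicious(chains, min_hosts=3):
    """Flag chains that crossed at least `min_hosts` distinct hostnames (assumed threshold)."""
    return [(client, hosts) for client, hosts in chains if len(set(hosts)) >= min_hosts]

if __name__ == "__main__":
    for client, hosts in suspicious(redirect_chains(SAMPLE_LOG)):
        print(f"{client}: {' -> '.join(hosts)}")
```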

40. May 12, Dark Reading – (National) New intrusion tolerance technology treats attacks as inevitable. First there was intrusion detection, then intrusion prevention, and now, intrusion tolerance. A professor and researcher at George Mason University is readying the commercial rollout of a new, patent-pending technology that basically assumes an attack or infection on a server is inevitable, so it instead minimizes the impact of an intrusion. Called self-cleansing intrusion tolerance (SCIT), the new security method does not replace IDS, IPS, firewalls, or other traditional security tools, but rather adds another layer that minimizes the damage of an attack, says the professor of computer science and director of the Laboratory of Interdisciplinary Computer Science at GMU in Fairfax, Va. “An intruder is going to get through irrespective of how much investment you make [with security tools] and how hard you try. It’s about how you contain” an intrusion, he says. “Intrusion tolerance is different than intrusion detection and intrusion prevention – it doesn’t do any detection and prevention,” he says. “Today’s servers are all exposed… we try to contain the losses by reducing the exposure time of the server to the Internet.” The professor, who will outline his SCIT technology this week at IntrusionWorld in Baltimore, says the basic idea is to regularly rotate Web, DNS, or other servers on- and offline to “cleanse” the exposed machine to a previously unblemished state that has never been online – and automatically have another clean (virtual) machine take its place. This cycle would occur at regular intervals, regardless of whether an intrusion had occurred or not. It’s a fatalistic approach to Internet-borne attacks: “Because servers are online for such a long time, if someone wants to deliberately intrude, he has a sitting duck on which he can work,” he says. Source:
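The rotation cycle that item 40 describes can be reasoned about with a small simulation: one instance is exposed at a time, it is retired after a fixed interval regardless of whether anything happened, it spends some time being restored to a pristine image, and a never-exposed instance takes its place. The code below is an added illustration, not the GMU project’s implementation; the interval, cleanse time and pool size are made-up parameters, and the sizing rule is derived from this simple model rather than taken from the article.

```python
from collections import deque

def simulate_scit(pool_size, interval, cleanse_time, ticks):
    """Simulate SCIT-style rotation for `ticks` time units.

    Returns (max_exposure, rotations): the longest any one instance stayed
    online and how many rotations occurred. Raises RuntimeError when a
    rotation is due but no cleansed instance is READY, i.e. the pool is too
    small for the chosen interval and cleanse time.
    """
    ready = deque(range(pool_size))       # instance ids that are clean and unexposed
    cleansing = []                        # (finish_tick, instance id) being restored
    online, online_since = ready.popleft(), 0
    max_exposure, rotations = 0, 0
    for t in range(1, ticks + 1):
        # Instances whose restore has completed rejoin the READY queue.
        done = [c for c in cleansing if c[0] <= t]
        for c in done:
            cleansing.remove(c)
            ready.append(c[1])
        # Rotate on schedule, whether or not an intrusion was ever observed.
        if t - online_since >= interval:
            if not ready:
                raise RuntimeError(f"tick {t}: rotation due but no clean instance available")
            max_exposure = max(max_exposure, t - online_since)
            cleansing.append((t + cleanse_time, online))   # retired instance gets wiped
            online, online_since = ready.popleft(), t       # fresh instance goes online
            rotations += 1
    return max_exposure, rotations

def min_pool_size(interval, cleanse_time):
    """Smallest pool that never starves under this model: one instance online
    plus enough to cover a cleanse that spans ceil(cleanse_time / interval) intervals."""
    return 1 + max(1, -(-cleanse_time // interval))

if __name__ == "__main__":
    print("minimum pool for 60s interval / 120s cleanse:", min_pool_size(60, 120))
    print("exposure, rotations:", simulate_scit(3, 60, 120, 600))
```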

Communications Sector

Nothing to Report