Slashdot Mirror

An anonymous reader writes: Kim Zetter from WIRED writes an intriguing report about a vulnerability at the heart of our cell phone networks. It centers around Signaling System No. 7 (SS7), which refers to a data network -- and the protocols or rules that govern how information gets exchanged over it. Zetter writes, "It was designed in the 1970s to track and connect landline calls across different carrier networks, but is now commonly used to calculate cellular billing and send text messages, in addition to routing mobile and landline calls between carriers and regional switching centers. SS7 is part of the telecommunications backbone but is not the network your voice calls go through; it's a separate administrative network with a different function." According to WIRED, the problem is that SS7 is based on trust -- any request a telecom receives is considered legitimate. In addition to telecoms, government agencies, commercial companies and criminal groups can gain access to the network. Most attacks can be defended with readily available technologies, but more involved attacks take longer to defend against. T-Mobile and ATT have vulnerabilities with fixes that have yet to be implemented for example.

itwbennett writes: While many are still debating how much risk there is of a catastrophic cyber attack on power grid and other critical infrastructure, Israel's Minister of Infrastructure, Energy and Water, Yuval Steinitz has good reason for warning 'of the sensitivity of infrastructure to cyber-attacks, and the importance of preparing ourselves in order to defend ourselves against such attacks.' On Tuesday Steinitz told attendees at CyberTech 2016 that the country's Public Utility Authority had been targeted by malware just one day earlier, and that some systems were still not working properly. Not long after news of the attack started to spread, Robert M. Lee, the CEO of Dragos Security, published his thoughts on the matter over on the SANS ICS blog.

itwbennett writes: A new study of a recent cyberattack against Ukrainian power companies suggests malware didn't directly cause the outages that affected at least 80,000 customers. While malware was used to gain access to networks, the attackers then opened circuit breakers that cut power, according to information published Saturday by the SANS Industrial Control Systems (ICS) team. The attackers used direct intervention to try to mask their actions to the power systems operators and also conducted denial-of-service attacks on the utilities' phone systems to block complaints from affected customers, SANS said.

Reuben A. Paul, aka RAPstar, has something of a head-start when it comes to learning about computer security: his father, Mano Paul, has been a security researcher (and instructor) for many years. So Reuben grew up around computers, seeing firsthand that they're neither mysterious nor impregnable. Reuben, though, has a curious mind and his own computer security interests, and a knack for telling others about them; last month, he became the youngest-ever speaker at DerbyCon, and explained some of what he's picked up so far on what kids can learn about security, as well as what the security field can learn from kids. (One hard to dispute nugget: "Kids are the best social engineers, followed by puppies.") Ask of Reuben whatever you'd like, below (please, one question per post), and we'll get answers to selected questions when we catch up with him at next week's Houston Security Conference. (This year's conference is sold out, but there's always 2015.)

Orome1 writes "NetWars CyberCity is a small-scale city located close by the New Jersey Turnpike complete with a bank, hospital, water tower, train system, electric power grid, and a coffee shop. It was developed to teach cyber warriors from the U.S. military how online actions can have kinetic effects. Developed in response to a challenge by U.S. military cyber warriors, NetWars CyberCity is an intense defensive training program organized around missions. 'We've built over eighteen missions, and each of them challenges participants to devise strategies and employ tactics to thwart computer attacks that would cause significant real-world damage,' commented Ed Skoudis, SANS Instructor and NetWars CyberCity Director."

hankwang writes "The Internet Storm Center reported that one million web pages have been attacked by the Lilupophilupop SQL injection and contain a malicious Javascript link. Affected sites can be found using a Google search query. See also the technical details of the SQL injection. The attack is directed to sites running ASP or ColdFusion with an MSSQL backend. The payload of the Javascript leads, via redirects and obfuscated Javascript, to a fake download page for Adobe Flash and antivirus software."

CWmike writes "Exploiting an Apple interface design, identity thieves can hide URLs on the iPhone's limited screen real estate, tricking users into thinking they're at a legitimate site, a security researcher said on Monday. Nitesh Dhanjani demonstrated how criminals can easily hide the true URL of a site from users by building a malicious Web application. 'Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,' said Dhanjani on his personal blog and in an entry on the SANS Institute's blog. The ability to hide the address bar in iOS is by design, noted Dhanjani, who said he had reported the problem to Apple. 'I did contact Apple about this issue and they let me know they are aware of the implications but do not know when and how they will address the issue,' he said."

An anonymous reader writes "In this article, security researcher Nitesh Dhanjani shows how iOS insecurely launches third-party apps via registered URL handlers. Malicious websites can abuse this to launch arbitrary applications, such as getting the Skype.app to make arbitrary phone calls without asking the user. Dhanjani 'contacted Apple's security team to discuss this behavior, and their stance is that the onus is on the third-party applications (such as Skype in this case) to ask the user for authorization before performing the transaction.' He also discusses what developers of iOS apps can do to design their software securely and what Apple can do to help out."

Captain Eloquence writes "The next major version of Adobe's PDF Reader will feature new sandboxing technology aimed at curbing a surge in malicious hacker attacks. The initial sandbox implementation will isolate all 'write' calls on Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. Adobe security chief Brad Arkin believes this will mitigate the risk of exploits seeking to install malware on the user's computer or otherwise change the computer's file system or registry. In a future dot-release, the company plans to extend the sandbox to include read-only activities to protect against attackers seeking to read sensitive information from the user's computer."

Kohenkatz writes "A McAfee Update today (DAT 5958) incorrectly identifies svchost.exe, a critical Windows executable, as a virus and tries to remove it, causing endless reboot loops." Reader jswackh adds this terse description: "So far the fixes are sneakernet only. An IT person will have to touch all affected PCs. Reports say that it quarantines SVCHOST. [Affected computers] have no network access, and missing are taskbar/icons/etc. Basically non-functioning. Windows 7 seems to be unaffected." Updated 20100421 20:08 GMT by timothy: An anonymous reader points out this easy-to-follow fix for the McAfee flub.

Hugh Pickens writes "The Register reports that experts from some 30 organizations worldwide have compiled 2010's list of the 25 most dangerous programming errors along with a novel way to prevent them: by drafting contracts that hold developers responsible when bugs creep into applications. The 25 flaws are the cause of almost every major cyber attack in recent history, including the ones that recently struck Google and 33 other large companies, as well as breaches suffered by military systems and millions of small business and home users. The top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. Interestingly enough the classic buffer overflow ranked 3rd in the list while Cross-site Scripting and SQL Injection are considered the 1-2 punch of security weaknesses in 2010. Security experts say business customers have the means to foster safer products by demanding that vendors follow common-sense safety measures such as verifying that all team members successfully clear a background investigation and be trained in secure programming techniques. 'As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,' the introduction to the list states and includes a draft contract with the terms customers should request to enable buyers of custom software to make code writers responsible for checking the code and for fixing security flaws before software is delivered."

emeitner notes that folks at the Internet Storm Center wrote scripts that harvested 15,291 images from Twitpic and analyzed the EXIF information. This reader adds, "While mining EXIF data from images is nothing new, how many people would allow this data to leave their cell phone if they knew what it contained? The source code for the scripts is also available from the article." "399 images included the location of the camera at the time the image was taken, and 102 images included the name of the photographer. ... The iPhone is including the most EXIF information among the images we found. ... It not only includes the phone's location, but also accelerometer data showing if the phone was moved at the time the picture was taken and the readout from the [built-]in compass showing in which direction the phone was pointed at the time."

Christmas Shopping writes with this excerpt from Kaspersky Labs' threatpost: "Back in September, when Google launched the Google Chome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure. Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a 'high risk' security vulnerability that could allow an attacker to bypass cross-origin protections." "Google has hurried out a patch," he adds.

Not long after Firefox 3.5.1 was released to address a security issue, a new exploit has been found and a proof of concept has been posted. "The vulnerability is a remote stack-based buffer-overflow, triggered by sending an overly long string of Unicode data to the document.write method. If exploited, the resulting overflow could lead to code execution, or if the exploit attempts fail, a denial-of-service scenario." It's recommended that Firefox users disable Javascript until the issue is patched, though add-ons like NoScript should do the trick as well (unless a site on your whitelist becomes compromised).

Update: 07/20 00:09 GMT by KD : An anonymous reader informs us that the Mozilla security blog is indicating that this vulnerability is not exploitable; denial of service is as bad as it gets.

iago-vL writes "The long-awaited Nmap Security Scanner version 5.00 was just released (download)! This marks the most important release since 1997, and is a huge step in Nmap's evolution from a simple port scanner to an all-around security and networking tool suite. Significant performance improvements were made, and dozens of scripts were added. For example, Nmap can now log into Windows and perform local checks (PDF), including Conficker detection. New tools included in 5.00 are Ncat, a modern reimplementation of Netcat (with IPv6, SSL, NAT traversal, port redirection, and more!), and Ndiff, for quickly comparing scan results. Other tools are in the works for future releases, but we're still waiting for them to add email and ftp clients so we can finally get off Emacs!"

Zerimar points out a significant flaw in Apache that can lead to a fairly trivial DoS attack is in the wild. Apache 1.x, 2.x, dhttpd, GoAhead WebServer, and Squid are confirmed vulnerable, while IIS6.0, IIS7.0, and lighttpd are confirmed not vulnerable. As of this writing, Apache Foundation does not have a patch available. From Rsnake's introduction to the attack tool: "In considering the ramifications of a slow denial of service attack against particular services, rather than flooding networks, a concept emerged that would allow a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. The ideal situation for many denial of service attacks is where all other services remain intact but the webserver itself is completely inaccessible. Slowloris was born from this concept, and is therefore relatively very stealthy compared to most flooding tools."

Keldrin_1 writes "The discovery of 24 security vulnerabilities may have contributed to the death of the chief of LxLabs. A flaw in the company's HyperVM software allowed data on 100,000 sites, all hosted by VAserv, to be destroyed. The HyperVM solution is popular with cheap web hosting services and the attacks are easy to reproduce, which could lead to further incidents."

mbone writes "Earlier today there was a confirmed Google outage which got a lot of attention from network operators. From a post to NANOG after everything calmed down: 'Google ack'd a maintenance on their core network did not go as planned-Forced traffic to one peer link that was unable to handle all the traffic. Maintenance has been rolled back. Issue has been restored.' This is exactly what makes me nervous about cloud computing and data storage. It's bad enough when I screw up a config and it takes down my mail, but what about when it happens to the entire globe at once?" Several readers also point to CNET's coverage of the outage. Update: 05/14 19:25 GMT by T : CWmike adds this: "Steven J. Vaughan-Nichols writes that what may be happening is a massive DDoS attack. Based on the size of the attack that would be needed to interfere with Google, I believe that it's quite likely to be the result of an attack from the controllers of the Windows worm, Conficker. Another theory that has been put about — that the problem was due to AT&T NOC routing problems — does not appear to hold water, writes Steven." Update: 05/14 21:01 GMT by T : Google's put up a low-detail explanation on their blog that says "An error in one of our systems caused us to direct some of our web traffic through Asia, which created a traffic jam. As a result, about 14% of our users experienced slow services or even interruptions."

SkiifGeek writes "Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft's single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn't the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn't gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."

dew4au writes "A reader over at SANS Internet Storm Center pointed out a certified letter his organization received from ARIN. The letter notes that all IPv4 space will be depleted within two years and outlines new requirements for address applications. New submissions will require an attestation of accuracy from an organizational officer. It also advises organizations to start addressing publicly accessible assets with IPv6. Is ARIN hoping to scare companies into action with the specter of scarce resources? This may be what's needed to spur adoption since there appears to be no business case for IPv6 deployment."

wiedzmin writes "Another interesting article published by the SANS ISC Handler's Diary is describing a very unusual vector for malware distribution — windshield fliers and fake parking tickets. A website URL provided for "disputing a ticket" actually leads to a malicious website, and a "toolbar" required to find the photo of your violation is, you guessed it, a trojan posing as a fake antivirus. The best part is — according to the VirusTotal report, it doesn't look like most antiviruses have signatures for this one yet."

chiguy writes "There's been another break-in at Monster.com. It's surprising that there are still unencrypted passwords stored in database despite the previous hack, as is the decision to not email users — presumably so that no one will make a fuss. From PC World: 'Monster.com user IDs and passwords were stolen, along with names, e-mail addresses, birth dates, gender, ethnicity, and in some cases, users' states of residence. The information does not include Social Security numbers, which Monster.com said it doesn't collect, or resumes. Monster.com posted the warning about the breach on Friday morning and does not plan to send e-mails to users about the issue, said Nikki Richardson, a Monster.com spokeswoman. The SANS Internet Storm Center also posted a note about the break-in on Friday.'"

wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.

An anonymous reader writes "SANS' just-released list of the Top 15 most dangerous programming errors obscures the real problem with software development today, argues InfoWeek's Alex Wolfe. In More Than Coding Mistakes At Fault In Bad Software, he lays the blame on PC developers (read: Microsoft) who kicked the time-honored waterfall model to the curb and replaced it not with object-oriented or agile development but with a 'modus operandi of cramming in as many features as possible, and then fixing problems in beta.' He argues that youthful programmers don't know about error-catching and lack a sense of history, suggesting they read Fred Brooks' 'The Mythical Man-Month,' and Gerald Weinberg's 'The Psychology of Computer Programming.'"

dstates writes "AT&T left users across several Midwestern states without cellular phone service yesterday. The outage apparently resulted from a power failure at a Michigan switching center and spread to affect level3 Internet communications. The powerful windstorm also left 400,000 users without electricity. Interestingly, except for a few reports in Chicago and Indianapolis papers, AT&T has managed to keep this out of the mainstream media. Widespread communication failures also followed Hurricane Ike in Texas earlier this year. With the increasing trend for users to drop landlines and rely only on cell phones, this is becoming an emergency preparedness issue." Yes this included me. Still does. At least my office still has power — maybe we'll just camp here tonight. :)

dstates writes "AT&T left users across several Midwestern states without cellular phone service yesterday. The outage apparently resulted from a power failure at a Michigan switching center and spread to affect level3 Internet communications. The powerful windstorm also left 400,000 users without electricity. Interestingly, except for a few reports in Chicago and Indianapolis papers, AT&T has managed to keep this out of the mainstream media. Widespread communication failures also followed Hurricane Ike in Texas earlier this year. With the increasing trend for users to drop landlines and rely only on cell phones, this is becoming an emergency preparedness issue." Yes this included me. Still does. At least my office still has power — maybe we'll just camp here tonight. :)

silent wire writes "ZDNet is reporting on a pre-patch security advisory from Microsoft warning about an unpatched remote code execution vulnerability affecting its SQL Server line. Exploit code is publicly available so affected users should pay special attention to the workarounds from Microsoft."

miller60 writes "Three undersea cables in the Mediterranean Sea have failed within minutes of each other in an incident that is eerily similar to a series of cable cuts in the region in early 2008. The cable cuts are already causing serious service problems in the Middle East and Asia. See coverage at the Internet Storm Center, Data Center Knowledge and Bloomberg. The February 2008 cable cuts triggered rampant speculation about sabotage, but were later attributed to ships that dropped anchor in the wrong place."

CWmike writes "Microsoft says attackers are now exploiting a critical Windows bug that it didn't get around to fixing in its biggest batch of security patches in more than five years, issued yesterday. Microsoft said that 'limited and targeted' attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. If Microsoft patches the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009." Update: 12/10 22:28 GMT by T : OK, there might have been more than one: reader Simon (S2) writes "There is an even more serious flaw ... From SANS: 'There is a 0-day exploit for Internet Explorer circulating in the wild. At this point in time it does not appear to be wildly used, but as the code is publicly available we can expect that this will happen very soon. This is a brand new exploit that is *not* patched with MS08-073 that was released yesterday. I can confirm that the exploit works in a fully patched Windows XP machine. The exploit is a typical heap overflow that appears to be exploiting something in the XML parser.'"

Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at hte request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"

I Don't Believe in Imaginary Property writes "Malware writers have been obfuscating their JavaScript exploit code for a long time now and SANS is reporting that they've come up with some new tricks. While early obfuscations were easy enough to undo by changing eval() to alert(), they soon shifted to clever use of arguments.callee() in a simple cipher to block it. Worse, now they're using document.referrer, document.location, and location.href to make site-specific versions, too. But SANS managed to stop all that with an 8-line patch to SpiderMonkey that prints out any arguments to eval() before executing them. It seems that malware writers still haven't internalized the lesson of DRM — if my computer can access something in plaintext, I can too."

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutchinson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."

Ben Rothke writes "Security policies are like fiber, that is, the kind you eat. Everyone agrees that fiber is good for you, but no one really wants to eat it. So too with information security policies. They are sorely needed, but most users don't go out of their way to comply with them. And in many firms, they are not even trained in what they have to do. But failure to have adequate information security policies can lead to myriad risks for an organization." Keep reading for the rest of Ben's review. Building an Effective Information Security Policy Architecture author Sandy Bacik pages 340 publisher CRC rating 8 reviewer Ben Rothke ISBN 978-1420059052 summary Good book for information security policy development For the sake of a basic definition, a policy is a formal, brief, and high-level statement or plan that embraces an organization's general beliefs, goals, objectives, and acceptable procedures for a specified subject area. The purpose of information security is to protect an organization's resources. The cornerstone of any information security strategy is a robust set of policies, procedures, standards and guidelines.

There are many reasons what information security policies are needed. Some of the most imperative reasons are:

• To inform users of their information protection duties
• Advise them what they can and cannot do with respect to sensitive information.
• Define how users are permitted to represent the organization, what they may disclose publicly, and how they may use organizational computer resources for personal purposes.
• To clearly define protective measures for these special information assets. The existence of a policy may be a decisive factor in a court of law, showing that the organization took steps to protect its intellectual property.
• Define both acceptable and unacceptable behavior. For example, spending a lot of time surfing the web and downloading videos off the net are both generally unacceptable.
• Policies are needed to establish the basis for disciplinary action, up to and including termination.

Building an Effective Information Security Policy Architecture does a good job of showing the reader how to start from scratch and build their security policy infrastructure. The book starts off at a high-level about the need for policies, and then goes into details on how to develop, write and sell these policies to management.

The book is a good guide to the entire policy lifecycle, and how to use various means to get to the ultimate goal. At 340 pages, the first ten chapters comprise 155 pages and deal with creating the policy infrastructure, communicating with management, and putting the entire policy puzzle together. The final 185 pages comprise 21 appendices of various examples of different policies.

A most significant downside and frustrating part to the book is that there is no CD-ROM with it, or companion website in which to download and use the numerous policy and process examples. At $80.00, such an option should be de rigueur. The lack of electronic versions of the policies in a book such as this is senseless.

Also, this is the first technology book that I have ever seen that did not cite a single reference. It is hard to imagine writing a book on this topic without using some sort of external reference. While the author may not want to quote sources, she should at least point the reader to other sources of information about security policies. Two notable and essential sources in the information security policy space are the SANS Institute — SANS Security Policy Project, which is free, and Information Security Policies Made Easy from Information Shield, Inc., which is $795.00, but worth every penny for a serious security policy effort. Full disclosure: I am on the Information Shield Expert Panel, but get no financial incentives or compensation.

Overall, Building an Effective Information Security Policy Architecture is a good resource to use if you are tasked to create or modify your organizations set of information security policies. The book will likely find itself on the desk of many information security professionals.

While it is frustrating that the book makes you reinvent the wheel by not having electronic versions of the polices, its value still can't be underestimated. Let's hope future versions of the book will fix that anomaly.

Ben Rothke is the author of Computer Security: 20 Things Every Employee Should Know.

You can purchase Building an Effective Information Security Policy Architecture from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

I Don't Believe in Imaginary Property writes "The folks at Kaspersky labs are turning to distributed computing to factor the RSA key used by the GPcode virus to encrypt people's files and hold them for ransom. There are two 1024-bit RSA keys to break, which should require a network of about 15 million modern computers to spend a year per key factoring them. Unfortunately, there appear to be no vulnerabilities in the virus' use of RSA, unlike some previous cases. Perhaps more interestingly, there's some debate over whether people should bother cracking it. After all, what if they were trying to trick us into factoring the key for a root signing authority? Besides, there's a more direct method of breaking the encryption: track down the people who wrote the virus and force them to talk."

Fallen Andy notes that Comcast, one of the largest US ISPs, lost control of its domain name to what appeared to be juvenile social engineers of the old school — i.e. not in it for the money. The intruders got into Comcast's registrar account at Network Solutions and repointed the domain's DNS records. A blog entry at SANS points out how trivially easy this can be. Reader ElvenKnight points out an insightful interview up at Wired with the two young guys who perpetrated the hack.

Robellus writes "Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"

An anonymous reader writes "The Internet Storm Center notes that emails that look like subpoenas are being sent out to the CEOs of major US corporations. The email tries to entice the victim to click on a link for 'more information.' According to the ISC's John Bambenek: 'We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via email ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem, it's [totally] bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his email directly. It's very highly targeted that way.'"

I Don't Believe in Imaginary Property writes "One of the more interesting tidbits in Symantec's Global Internet Threat Report (PDF, 105 pages) is the price sheet, which suggests that someone's 'full identity' is worth in the range of $1-$15. Your email password goes for $4-$30 and your bank account might fetch $10-$1000. With those prices, I wonder how often they pay more for the bank account than is actually in it? There's also an executive summary (PDF, 36 pages)."

UnderAttack writes "The SANS Internet Storm Center reports about an increasing number of sophisticated and targeted cyber attacks against Tibetan NGOs. These attacks appear to be related to attacks against other anti-chinese groups like Falun Gong. 'There is lots of media coverage on the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, are the various targeted cyber attacks that have been taking place against these various communities recently. These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.'"

UnderAttack writes "The SANS Internet Storm Center reports about an increasing number of sophisticated and targeted cyber attacks against Tibetan NGOs. These attacks appear to be related to attacks against other anti-chinese groups like Falun Gong. 'There is lots of media coverage on the protests in Tibet. Something that lies under the surface, and rarely gets a blip in the press, are the various targeted cyber attacks that have been taking place against these various communities recently. These attacks are not limited to various Tibetan NGOs and support groups. They have been reported dating back to 2002, and even somewhat before that, and have affected several other communities, including Falun Gong and the Uyghurs.'"

alternative coup writes "eWEEK is running a story on the emergence of an anti-botnet market to fill a perceived need for software to deal with botnet-related malware (Trojans, keyloggers, rootkits, etc.). The article characterizes this as 'another black eye' for the existing anti-virus industry — asking consumers to pay twice for protection from things that anti-malware suites are missing. Venture capital money is flowing to these anti-bot products, an implicit statement that the AV giants are not doing their jobs. 'For companies such as Symantec, which sells the Sana-powered Norton AntiBot and anti-malware subscriptions, it's a nickel-and-dime situation. Symantec officials say Norton AntiBot is for a specialized, technical market segment looking for high-end tools to deal with botnets, but [Andrew Jaquith, an analyst with The Yankee Group] said it's a case of anti-malware companies double-dipping.'"

An anonymous reader writes "According to the Washington Post's Security Fix blog, cyber criminals are populating the Internet with Web sites designed to exploit several recently-discovered security holes in a half-dozen widely used ActiveX plug-ins for IE 6 and 7, most notably the one offered by Facebook and MySpace to help users upload photos. The sites, advertised via links in email and instant message spam, also 'probe for other vulnerable IE plug-ins, including two recently discovered from Yahoo! and one for QuickTime (this one attacks a vulnerability Apple patched just last month). The sites also throw in an exploit against a six-month-old IE flaw.' The article notes that the SANS Internet Storm Center has released a GUI tool to help users safely deactivate the vulnerable plug-ins in the Windows registry."

Scrabblous sends in this analysis of the Pushdo Trojan downloader's backend code and control server. Pushdo is a complex Trojan downloader that meticulously tracks its victims; much of its innovation is not in the Trojan itself but in its control infrastructure. Quoting: "The Pushdo controller also uses the GeoIP geolocation database in conjunction with whitelists and blacklists of country codes. This enables the Pushdo author to limit distribution of any one of the [421 different] malware loads from infecting users located in a particular country, or provides the ability to target a specific country or countries with a specific payload. Pushdo keeps track of the IP address of the victim, whether or not that person is an administrator on the computer, their primary hard drive serial number..., whether the filesystem is NTFS, how many times the victim system has executed a Pushdo variant, and the Windows OS version."

4 for 52 writes "ZDNet is reporting that Apple has fessed up to at least three serious design weaknesses in the new application-based firewall that ships with Mac OS X Leopard. The acknowledgment comes less than a month after independent researchers threw cold water on Apple's claim that Leopard's firewall can block all incoming connections. The firewall patches come 24 hours after a Mac OS X update that provided cover for at least 41 security vulnerabilities."

Kenny A. writes "Multiple news organisations are reporting on an in-the-wild Mac OS X malware attack that uses porn lures to plant phishing Trojans on Mac machines. The attack site attempts to trick users into download a disk image (.dmg) file disguised as a codec that's required for viewing the video. If the Mac machine's browser is set to to open 'Safe' files after downloading, the .dmg gets mounted and the Installer is launched. The target must click through a series of screens to become infected but once the Trojan is installed, it has full control of the machine."

stry_cat submitted a story about selecting a good DNSBL. It talks about some of the problems with DNS blacklists and the sorts of things that you should be looking for. Things like Speed, Selection Criteria, and Goals make the list. And of course not requiring payment to be removed from the blacklist.

yuna49 writes "Various people are reporting that the MS07-040 patch for .NET released on Tuesday can cause a variety of seemingly unrelated problems. According to the SANS Internet Storm Center 'the reports we got so far seem not to lead to any specific thing that happens in many cases, just various things going haywire.' Some commentators on The Register's report of this story indicate that the patch failed to install at all, while others report things like the mouse suddenly failing to work or long periods of hard drive thrashing. In some cases a hard reboot seems to fix the problem, but other reports suggest that a reinstallation of the .NET framework itself is required. The problems may be related to the MSCORSVW.EXE process which recompiles all the .NET assemblies when the patch is downloaded. While the recompilations are supposed to run as a background task, in some instances the recompilation will drive the processor to 100% usage."

Juha-Matti Laurio writes in with news that the Web site of ASUSTeK Computer (asus.com) has been compromised to spread exploit code. The original report from Kaspersky Lab claimed that the compromise lead to code exploiting the recently patched Microsoft Windows Animated Cursor (.ANI) 0-day vulnerability, but sans.org found no evidence of this. Apparently a malicious iframe was added to one of the machines in asus.com's DNS round-robin.

philos writes "According to SANS ISC, there's a vulnerability in Solaris 10 and 11 telnet that allows anyone to remotely connect as any account, including root, without authentication. Remote access can be gained with nothing more than a telnet client. More information and a Snort signature can be found at riosec.com. Worse, this is almost identical to a bug in AIX and Linux rlogin from way back in 1994."

bungee jumper writes "Microsoft released four bulletins with patches for 10 vulnerabilities but there are no fixes for known MS Word zero-day flaws that are under active attack, eWeek.com reports. The January batch covers critical bugs in Excel, Outlook, and Windows. The first confirmed Windows Vista flaw, a denial-of-service issue that was publicly released on an underground hacker site in Russia, also remains unpatched." eWeek notes that Microsoft originally scheduled eight bulletins for release, but pulled four last Friday without explanation.