InfoSec News

Microsoft released version 9 of its Internet Explorer web browser. You can download IE 9 from windows.microsoft.com.

Microsoft also set up a domain dedicated to the new browser: www.beautyoftheweb.com. Unfortunately, that site isn't hosted under the microsoft.com domain, nor does it have an SSL certificate to confirm that it belongs to Microsoft. Using this site to distribute the browser goes against the advice of downloading software only from known vendor websites. Copycat malicious sites claiming to distribute IE 9 will probably appear shortly, if they aren't around yet.
Internet Explorer 9 includes a number of security improvements that make the upgrade worth your consideration. These include application reputation capabilities that are part of the SmartScreen feature, which helps protect the user against socially-engineered malware. The browser also supports the notion of Pinned Sites, which implements secure launch capabilities to safeguard users' sessions with important websites. Internet Explorer 9 also improves its resistance to exploits by embracing support for the messages are designed to make it easier for the users to assess the risk of opening such files.
Have you had a chance to experiment with Internet Explorer 9? Let us know what you think of its security capabilities.
-- Lenny Zeltser
Lenny Zeltser leads a security consulting team and teaches how to analyze and combat malware. He is active on Twitter and writes a daily security blog. (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Windows Vista, 7 and Server 2008 include a feature called integrity levels, which is arguably the most under-appreciated security mechanism built into the operating system. Yet it provides powerful ways of mitigating the risks of computer attacks and malware infections. For instance, integrity levels can shield processes from keyloggers; they can also protect files from being accessed by malware running on an infected system.
Another potent benefit of integrity levels is the ability to limit the capabilities of an exploit that manages to compromise an application. This is what I'd like to discuss in the note below.
What Are Windows Integrity Levels?
Microsoft designed Windows integrity levels as a mechanism for enforcing mandatory access controls, which apply even when access would be granted according to the traditional discretionary controls that we're accustomed to. According to Microsoft:

The integrity level is a representation of the trustworthiness of running application processes and objects, such as files created by the application. The integrity mechanism provides the ability for resource managers, such as the file system, to use pre-defined policies that block processes of lower integrity, or lower trustworthiness, from reading or modifying objects of higher integrity. The integrity mechanism allows the Windows security model to enforce new access control restrictions that cannot be defined by granting user or group permissions in access control lists (ACLs).

This means that integrity levels can restrict one process from interacting with another process even if both processes are running under the same user account and even if the user has administrative privileges.
Protecting Higher Integrity Objects from Malware
A process running under the Low integrity level will be prevented by the OS from modifying a process running under the Medium integrity level or from modifying a file assigned the Medium integrity level. (By default, Windows assigns the Medium label to objects.)
This is why it's advantageous to run the processes that are likely to be targeted by exploits under the Low integrity level. For instance, if a browser running under the Low integrity level gets exploited, the attacker's payload will have a hard time injecting itself into the majority of other processes or modifying critical files.
Didier Stevens illustrated the effectiveness of integrity levels for mitigating DLL injection risks by showing how the OS blocked the injection attempt from a Low integrity level process into a Medium one. He concluded that integrity levels may be a good security feature for sandboxing vulnerable, Internet-facing applications.
Applications Designed to Run Under the Low Integrity Level
Though it may be possible to force an application to run under the Low integrity level if it wasn't designed for it, this will likely cause issues, such as the application not being able to load its configuration settings. Fortunately, some end-user applications are designed with Low integrity level in mind when they run on Windows Vista, 7 or Server 2008:
Internet Explorer's parent process runs under the Medium integrity level, while the process that represents each tab runs under the Low integrity level, thanks to the browser's Protected Mode feature:

Similarly, Google Chrome runs its tabs under the Low integrity level on Windows as part of its sandboxing capabilities:

Acrobat Reader 9 and lower runs under the Medium integrity level, like most processes in Windows:

Fortunately, most of the code of Acrobat Reader X runs under the Low integrity level. This is one of the security features built into this version of Acrobat to limit the capabilities of exploits delivered to the application's users through malicious PDF files:

Running a process under the Low integrity level helps minimize the damage it can do when exploited by malicious code. Hopefully, more programs will be built to take advantage of this feature of Microsoft Windows (ahem.. Firefox?).
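The screenshots above come from Process Explorer. The following PowerShell script is an added example (not part of the ISC diary, and not code from Microsoft or the vendors mentioned) that reads the same information directly from each process token via the Win32 token API, so you can check from a script whether the browser and reader processes on a host actually run at Low. The RID constants (0x1000 Low, 0x2000 Medium, 0x3000 High) are the documented SECURITY_MANDATORY_*_RID values; the helper names MandatoryLabel and Get-ProcessIntegrityLevel are this example's own.

```powershell
# Added example: report the integrity level (mandatory label) of running processes.
# Requires Windows Vista / 7 / Server 2008 or later. Processes owned by other
# users (e.g. SYSTEM services) cannot be opened from a non-elevated shell and are
# reported as 'n/a' rather than as an error.

$nativeSource = @"
using System;
using System.Runtime.InteropServices;

public static class MandatoryLabel
{
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr processHandle, uint desiredAccess, out IntPtr tokenHandle);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr tokenHandle, int tokenInformationClass,
        IntPtr tokenInformation, uint tokenInformationLength, out uint returnLength);

    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);

    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, uint subAuthorityIndex);

    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS::TokenIntegrityLevel

    // Returns the RID of the process token's mandatory label (0x1000 = Low, 0x2000 = Medium, ...),
    // or -1 when the process or its token cannot be opened.
    public static int GetRid(int pid)
    {
        IntPtr process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (process == IntPtr.Zero) return -1;
        IntPtr token;
        if (!OpenProcessToken(process, TOKEN_QUERY, out token)) { CloseHandle(process); return -1; }

        int rid = -1;
        uint length;
        GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out length); // size query
        IntPtr buffer = Marshal.AllocHGlobal((int)length);
        try
        {
            if (GetTokenInformation(token, TokenIntegrityLevel, buffer, length, out length))
            {
                // TOKEN_MANDATORY_LABEL begins with a SID_AND_ATTRIBUTES whose first field is the PSID.
                // The label's level is the last sub-authority of that SID (S-1-16-<level>).
                IntPtr sid = Marshal.ReadIntPtr(buffer);
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                rid = Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
            }
        }
        finally
        {
            Marshal.FreeHGlobal(buffer);
            CloseHandle(token);
            CloseHandle(process);
        }
        return rid;
    }
}
"@
Add-Type -TypeDefinition $nativeSource

# SECURITY_MANDATORY_*_RID values from the Windows SDK headers.
$levelNames = @{ 0x0000 = 'Untrusted'; 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x3000 = 'High'; 0x4000 = 'System' }

function Get-ProcessIntegrityLevel {
    param([string[]]$Name = '*')
    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        $rid = [MandatoryLabel]::GetRid($_.Id)
        if ($rid -lt 0)                        { $level = 'n/a (access denied)' }
        elseif ($levelNames.ContainsKey($rid)) { $level = $levelNames[$rid] }
        else                                   { $level = '0x{0:X}' -f $rid }   # e.g. Medium Plus
        [pscustomobject]@{ Name = $_.ProcessName; PID = $_.Id; IntegrityLevel = $level }
    }
}

# Compare the processes discussed in the diary: IE tabs, Chrome renderers and Acrobat Reader.
Get-ProcessIntegrityLevel -Name iexplore, chrome, AcroRd32 | Sort-Object Name, PID | Format-Table -AutoSize
```

On a box with Protected Mode enabled you should see one Medium iexplore.exe (the frame process) and one Low iexplore.exe per tab; with Acrobat Reader 9 every AcroRd32.exe is Medium, which is exactly the gap the Reader X sandbox closes. To verify the file-side protection the diary describes, `icacls <file>` prints the label of a file that carries one (unlabelled files are implicitly Medium), and `icacls <file> /setintegritylevel High` raises it so that even a Medium process running as the same user can no longer write to it.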
-- Lenny Zeltser
 
Apotheker, who took over in the wake of former CEO Mark Hurd's sudden departure, said on Monday that HP will 'provide seamless, secure, context-aware experiences for the connected world.' What does that mean?
 
For starters, I wasn't dressed right. Last Friday was a relatively nice spring day in the San Francisco Bay Area, and I went to the Apple Store in Emeryville directly from a meeting, so my only outerwear was a wool blazer. It wasn't nearly enough. A chilly wind gusted down Bay Street; as the sun fell, it only grew chillier.
 
HTC's ThunderBolt, the first smartphone to operate on Verizon Wireless's LTE network, will launch this Thursday, according to a document from Verizon received by the online retailer Wirefly.
 
XWork 'ParameterInterceptor' Class OGNL (CVE-2010-1870) Security Bypass Vulnerability
 
XWork 'ParameterInterceptor' Class OGNL Security Bypass Vulnerability
 
Apache Struts Multiple Cross Site Scripting Vulnerabilities
 
Struts Multiple Directory Traversal Vulnerabilities
 
Just for grins, I opened my spam folder on a gmail account I have and thought I'd take a look at what was in there since I hadn't looked lately. By the way, my spam folder is one of my first sources of new malware for those who ask quite regularly where they can find malware to analyze. In the last 30 days, I have approximately 707 spam emails, which averages to about 24 pieces of spam a day. I can find topics such as:
Please i need your assistance
and
YOUR EMAIL HAS WON $500,000.00 USD
to the more malicious ones (complete with attachments), such as:
Kindly open the attachment
or
You have 1 unread Message!
and those that ask me for my data like:
Fill Return For Claims
or
Fraud Alert!!!
This doesn't even include the ones where I can buy drugs, save my Visa card from being canceled, update my password before it expires, open a greeting card from someone I don't know, etc. I even found one in there from a friend's email address, so they are either compromised or their email address is being used (yes, I'll tell them and ask them to check their system). the amount of publicity on the topic of spam/phishing attempts, etc. that they would not work. However, the sad reality is that spam/phishing is so rampant because it does work. We are seeing again first hand the efforts to capitalize on the tsunami disaster that Bojan wrote about in the diary entry isc.sans.edu/diary/Tsunami+in+Japan+and+self+modifying+RogueAV+code/10543. Antivirus vendors are reporting that on average spam makes up over 80% of email traffic. That is a significant amount of email that is spam (no wonder my spam folder is so full), and just by sheer numbers it is going to work. Many organizations have email gateways at work to filter out the miscreants, but at the same time many do not block web-based email accounts, which defeats the whole purpose of having an email gateway.
According to what I have been able to research (I didn't even have a computer then to know anything about it), the first spam email was sent on May 1st, 1978. It was sent by a DEC marketing representative to every ARPANET address. Spam in one form or another has been increasing ever since then, really picking up steam in the 90s. One would think that with the passage of that much time we would have been able to educate people how not to fall prey to such events.
I still think education of the user is key, and sadly spam/phishing attempts have become part of the normal noise on the Internet. As sad as this is, there is one bright note: at least with my daily dose of spam, I'll be able to have all the fresh malware I can analyze.

 
The Opera Dragonfly debugger can grapple with sticky JavaScript and HTML5 errors
 
Hewlett-Packard CEO Leo Apotheker took a step out of Mark Hurd's shadow Monday, unveiling a new cloud computing platform that puts the company in competition with Amazon and Google.
 
For months now, online chatter has focused on whether Google is secretly working on its own social networking site.
 
A critical vulnerability in Adobe Flash Player is being targeted in attacks using Microsoft Excel files embedded with malicious Flash files.

 
Security training and education is one of the first investments made by an organizations after poor audit results or a data breach, experts say.

 
The rapid growth of the smartphones business led to significantly lower costs for materials such as displays, processors and software in 2010, according to InStat.
 
Developers working on client applications that replicate Twitter.com's basic user functionality should turn their efforts elsewhere, because the company doesn't want any more such apps on the market.
 
A U.S. House subcommittee says efforts to increase federal government transparency are not yet meeting expectations.
 
Adobe today confirmed that attackers are exploiting an unpatched bug in Flash Player using Microsoft Excel documents.
 
The dual-screen Kyocera Echo, an Android smartphone, will sell for $199.99 with a two-year agreement starting April 17 exclusively from Sprint.
 
ABBS Audio Media Player Multiple Buffer Overflow Vulnerabilities
 
WebKit 'removeChild()' Remote Code Execution Vulnerability
 
Adobe posted a security advisory (http://www.adobe.com/support/security/advisories/apsa11-01.html) about a new 0-day vulnerability in Flash Player. According to the post about this vulnerability (available at http://blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html), Adobe says that they had reports of this new vulnerability being used in targeted attacks. These attacks seem to be particularly sneaky: the Flash exploit is embedded in an Excel file, which is also used to set up memory so the exploit has a higher chance of succeeding.
We will keep an eye on this and on whether the 0-day starts being used more widely in the wild. If you have more information that you can share about this, let us know.
--

Bojan

INFIGO IS
 
Criminals have jumped on Japan's twin earthquake and tsunami disasters at record speed, security experts said today.
 
Infor's roughly $1.8 billion offer for Lawson Software will likely be far from the only salvo in a bidding war for the ERP vendor that could see the likes of IBM, Hewlett-Packard and Oracle enter the fray, according to some analysts.
 
[security bulletin] HPSBMA02644 SSRT100284 rev.1 - HP Client Automation Enterprise (HPCA) Running on Windows, Remote Execution of Arbitrary Code
 
[DCA-2011-0004] - Trend WebReputation API Bypass
 
[DSECRG-11-010] SAP NetWeaver logon.html - XSS
 
[SECURITY] [DSA 2191-1] proftpd security update
 
Prices for DRAM and NAND flash memory shot up by as much as 20% Monday as concerns over fabrication plant shutdowns, power outages and supply shortages mounted in the wake of last week's earthquake in Japan, according to DRAMExchange.
 
Odds are, if you ask anyone waiting in line for an iPad 2, they'll list plenty of reasons why they're lusting after Apple's latest camera(s)-equipped tablet.
 
Google and NASA are releasing satellite images depicting the devastation last week's earthquake and tsunami caused in Japan.
 
Microsoft Windows Media Player/Windows Media Center '.dvr-ms' File Code Execution Vulnerability
 
IBM Informix Dynamic Server Oninit Remote Code Execution Vulnerability
 
Microsoft Internet Explorer Multiple Unspecified Remote Code Execution Vulnerabilities
 
Google Chrome prior to 10.0.648.127 Multiple Security Vulnerabilities
 
Accellion File Transfer Appliance Version Prior to FTA 8.0.562 Multiple Remote Vulnerabilities
 
Parts of coastal Japan have been so badly hit by earthquakes and tsunamis in recent days that the only communication about other possible dangers such as radioactive fallout from damaged reactors has been one way, coming to residents through portable, battery-operated FM radios.
 
Microsoft will launch Internet Explorer 9 (IE9), the first upgrade to its browser since 2009, Monday night at 9 p.m. PT.
 
Open source software is probably the most defining element of software innovation in the last decade. But the complexity of today's development environments makes open source license violations a real and common possibility.
 
Major U.S. wireless carriers are waiving fees on calls and text messages to Japan as well as texted mobile donations made to emergency relief efforts in Japan.
 
Libpurple Yahoo Protocol 'YMSG' NULL Pointer Dereference Denial of Service Vulnerability
 
The group of online activists known as "Anonymous" has released a batch of e-mail concerning Bank of America that was given to the group by a whistleblower who worked for a related mortgage and vehicle loan insurer.
 
Premier 100 IT Leader Kenneth Corless has advice for educating an old-school boss, and more.
 
Intel Mobile Communications said Monday that it has acquired most of the assets of SySDSoft to help accelerate its LTE efforts.
 
For quite a while I've been baffled by the inability of too many members of Congress to understand the importance of the network neutrality discussion. I'm not satisfied that I know for sure, but I may be getting closer.
 
The same glitch in the iPhone's clock that made loads of Europeans late to work last November has struck back with a vengeance. Instead of springing forward or standing still, many Verizon iPhone owners found that on Sunday their phones had fallen back, making them not only irritable and confused, but two hours off schedule.
 
[DSECRG-11-009] SAP NetWaver XI SOAP Adapter - XSS
 
ClubHACK Magazine: Call for Articles
 
BoutikOne Multiples SQL Injection Vulnerability
 
Joomla! 1.6.0 | SQL Injection Vulnerability
 
VUPEN Security Research - Apple Safari WebKit Iframe Event Handling Remote Use-after-free
 
Joomla! 1.6.0 | Cross Site Scripting (XSS) Vulnerability
 
VUPEN Security Research - Apple Safari WebKit Scroll Event Handling Remote Use-after-free
 
Oracle launched a Java development framework for industrial application developers.
 
Taiwan's major semiconductor manufacturers, a crucial link in the global tech supply chain, scrambled Monday to gauge how their access to raw materials from Japanese suppliers will be affected by the powerful earthquake in Japan.
 
Twitter has been a lifeline for Westerners both inside and outside of Japan as they try to keep up with fast-moving events following Friday's massive earthquake and the tsunami that followed.
 
Hoping to grab some of the $70 billion yearly worldwide market of electronic commerce software and services, IBM has launched an e-commerce practice focused on retail operation integration and analytics.
 
Smartphones are useful during an emergency: They have their own batteries, Internet connections and, best of all, smart apps that can help save your life, says Mike Elgan.
 
Google has patched a WebKit flaw in its Chrome browser that was exploited by a multinational team to hack the BlackBerry Torch smartphone at Pwn2Own.
 
Some would argue the relationship between IT and finance is naturally combative. So what happens when one person holds two titles -- CIO and CFO -- in the same company?
 
Chinese Internet users have reported greater difficulty accessing Gmail in recent weeks, prompting speculation that the Chinese government is again stepping up its efforts to control the flow of information on the Web.
 
Japan's major electronics companies took stock of their problems on Monday, as the country struggles to come to terms with the scale of devastation following Friday's massive earthquake and tsunami.
 
A lot of people are still surprised how quickly bad guys catch up with events in the real world. This is especially true for the RogueAV/FakeAV groups, which constantly poison search engines in order to lure people into installing their malware.
We can also see many AV vendors warning people to be careful when they search for this or that (currently, obviously, the search query that generates the most attention is related to the disaster in Japan). While it is good to constantly raise awareness and warn people about what's happening, one important thing to know is that the RogueAV/FakeAV guys poison search engines and modify their scripts automatically. This means that they are constantly on top of current trends and events in the world: whatever happens, their scripts will make sure that they contain if you haven't seen them before I'd strongly recommend that you take a look; they are available at:
http://isc.sans.edu/diary.html?storyid=9085

http://isc.sans.edu/diary.html?storyid=9103
There are many RogueAV/FakeAV groups, so the analysis posted above just concerns one of them (it's interesting to see that they are still very much active).
With the disaster in Japan striking on Friday, we saw another RogueAV/FakeAV group heavily poisoning the search engines; even Google, which normally removes them quickly, still contains hundreds of thousands of such pages. Since this campaign can be easily identified, here is what the current count says:

Yes, 1.7 million pages (!!!). Keep in mind that there are multiple pages listed here with different search terms (they modify search terms through a single parameter), but the number is still staggering. According to Google, in the past 24 hours there have been 14,200 such pages added, so it's clear that the bad guys are very active.
This RogueAV/FakeAV group uses different code than the one I previously analyzed. They actually drop pretty interesting, self-modifying PHP code.

The code contains a list of current searches/trends. The list contains hundreds of such keywords, some of which are shown below:
$lastquery = <keys>cee-lo-green-grammys what-chilli-wants-finale japan-tsunami-news okinawa-japan-tsunami-2011 tsunami-and-earthquake-in-japan</keys>


Notice how the list is delimited by <keys> tags. This allows the owner of the script to automatically update the keywords the script will react to: by using a special parameter to identify himself, the owner can submit a new keyword, and the script will modify itself by adding this parameter if it hasn't been found in the $lastquery list before:

The same function is used if Google's or another search engine's bot visits the web page: the main script checks the user agent that was submitted and even has a list of networks that can help the script owner identify visitors he or she does not want to get redirected to the final site hosting RogueAV.
But this is not all. When visited by a search engine's bot, the script (among other things) tries to create a very legitimate-looking web page that should help poison the search engine. In order to create this legitimate-looking web page, the script automatically queries Google to see related searches for the current search query (the Hot Trends web page at Google). Besides Google it will also use Yahoo to search for new pages and, what's probably the most interesting, will retrieve images from Google Images that are related to the same query term!

This way the RogueAV/FakeAV guys can create very realistic pages that can, unfortunately, as we've all witnessed, successfully poison search engines.
(to be continued)
--

Bojan

INFIGO IS
 
VMware's vCloud Connector (VCC) is a free VMware virtual appliance and vSphere plug-in that makes it a snap to transfer VMware virtual machines, templates and vApps between clouds.
 
InfoSec News: Murdoch reporter 'hired computer hacker': http://www.independent.co.uk/news/media/press/murdoch-reporter-hired-computer-hacker-2240975.html
By Cahal Milmo and Martin Hickman Independent.co.uk 14 March 2011
A senior journalist at Rupert Murdoch's News of the World allegedly paid a private investigator to hack into the computer of a former intelligence officer.
The BBC's Panorama programme, to be broadcast tonight, will claim that the hacking led to the interception of emails in July 2006, when the newspaper was being edited by Andy Coulson, who later resigned as the Prime Minister's communications director.
Mr Coulson, who is not the senior journalist who allegedly commissioned the hacking, has always denied any knowledge of lawbreaking at the title.
According to Panorama, one attempt centred on a former intelligence officer who had sensitive information about an informant in Northern Ireland who was the subject of a court order. Football managers are also said to have been the target of computer hacking.
So far allegations of hacking at the News of the World (NotW) have involved the illegal eavesdropping of mobile phone voicemails. The NotW's royal editor Clive Goodman was jailed alongside a private investigator, Glenn Mulcaire, four years ago for hacking the phones of royal aides.
[...]
 
InfoSec News: Industry association aims to bolster SCADA security: http://www.csoonline.com/article/676095/industry-association-aims-to-bolster-scada-security
By George V. Hulme CSO March 11, 2011
It's no state secret that industrial and automation control systems have a way to go before they're resilient from targeted and sophisticated malware attacks. Just last week the International Society of Automation (ISA) announced that the ISA99 standards committee on Industrial Automation and Control Systems [...]
 
InfoSec News: Backup Files Put Database Information At Risk: http://www.darkreading.com/database-security/167901020/security/storage-security/229300828/backup-files-put-database-information-at-risk.html
By Ericka Chickowski Contributing Writer Darkreading March 11, 2011
No matter how many safeguards organizations install to protect their [...]
 
InfoSec News: Politically motivated exploits target activists on Google: http://www.theregister.co.uk/2011/03/12/windows_bug_target_google_users/
By Dan Goodin in Vancouver The Register 12th March 2011
Politically motivated attackers are exploiting an unpatched flaw in all supported versions of Microsoft Windows to carry out highly targeted [...]
 
InfoSec News: Red Flag cyber operations: Part II - Cyber operators stand against red team 'aggressors': http://www.afspc.af.mil/news/story.asp?id=123246419
By Tech. Sgt. Scott McNabb 24th Air Force Public Affairs 3/11/2011
NELLIS AIR FORCE BASE, Nev. -- It's not supposed to be easy.
For the first time in Red Flag exercise history, cyber and space operators are a fully integrated part of the friendly forces "blue team" that defend the interest of the United States and her allies against the aggressors of the "red team."
"It's imperative that our operators are faced with difficult scenarios. The intent is that they learn from the high pressure scenarios to rapidly and deliberately integrate their unique skills and capabilities with air and space forces to better prepare them grow as cyber operators and as leaders," said Col. Mark Ware, 24th Air Force director of operations. "When the other Airmen participating in Red Flag see the impact on flying and space operations with and without cyber support, they should better understand what their cyber teammates bring to the fight and how we can all work together to defeat our adversaries."
Initial results from the realistic combat training exercise indicate the blue team's cyber operators made it through early struggles to reach mission success and, in some cases, shut down various red team capabilities before they were employed.
"The way I see it, in ancient Greek or Roman times, warriors wore 60 to 70 pounds of armor," said 2nd Lt. Louis Murphy, who belongs to the 33rd Network Warfare Squadron, but served as commander for the blue team, working out of the Information Operations range, located at Lackland Air Force Base, Texas. "Today in Iraq and Afghanistan, they also wear about 60 to 70 pounds of body armor. It's a lot better armor, but it's never perfect. The same is true for cyber. No matter what program you have, it won't be perfect. You adjust and get better."
Red team's cyber aggressors are formidable and push the blue team to their very limits. Elements of Red Flag's cyber red team include:
- Detachment 2, 318th Information Operations Group, charged with creating an exercise scenario that will allow for realistic cyber play and integration with standard kinetic operations;
- The 57th Information Aggressor Squadron provides the cyber targets for U.S. Air Force cyber warfighters;
- The 177th Information Aggressor Squadron, Kansas Air National Guard, is the sister squadron to the 57th IAS.
These units along with some individual Reserve Airmen provide a wide breadth of opposition for the blue team to lock horns with.
Capt. Christian Fisher, Det. 2 Exercise Flight commander, said he and others worked on scenarios for months to optimize the training experience.
"It is important for cyber operations to be included in Red Flag so that members of the cyber community can plan and execute a mission alongside the air and space operations communities," said Captain Fisher. "Without integrating those three, no one outside the cyber community is ever going to know where cyber operations are going to be beneficial because they will have no idea what the cyber community is capable of. In order to make cyber operations as effective as they can be they need to be integrated with air and space operations, and the first step of that integration is participating in large force exercises like Red Flag where non-cyber operators can see what cyber brings to the fight."
"Seamless integration of joint operations is the ultimate goal for these new efforts in Red Flag," said Maj. Gen. Richard Webber, 24th Air Force commander. "We are elevating the level of training to new heights, in order to learn how to best employ our operational forces to achieve desired effects for the joint and coalition teams."
Captain Fisher said the impact of including cyber operations in Red Flag is that it allows for more solutions to the tactical problems that are presented to the exercise participants.
"In some cases cyber operations may allow for a similar but less persistent effect on a target set than dropping a bomb, which may be more beneficial in the long term depending on what the desired end state is," he said. "It's really how Red Flag continues to be a premier training event for the Air Force even as the operational environment changes based on the evolution of technology."
Maj. Frank Lyons, 57th IAS team chief, gave an example of a possible scenario his red aggressors would test the blue team with.
"We (the red team) set up a cyber café where a terrorist is uploading the latest propaganda video to a server so all his buddies can see it," he said. "The blue forces would do something to either prevent the video from being seen, or to prevent the terrorist from having Internet access."
Each cyber aggressor team varies in size according to the mission. For Red Flag 11-3, there are 24 team members operating as the adversary.
Maj. Drew Bjerken, 177th IAS Weapons and Tactics Flight commander and overall Red Flag 11-3 red team mission commander, said he looks forward to presenting a cyber adversary that is reactive and in some cases aggressive rather than only providing targets as in years past. The majority of the red team offensive cyber operators come from the 177th IAS while the majority of the red team defenders belong to the 57th IAS.
"Allowing red to go offensive presents blue net defenders their first opportunity to integrate so deeply into Red Flag," said Major Bjerken. "This integration is key, as Air and Space Operations Centers commanders know what to do when they are under attack by air or ground forces, but often they are unaware of how to react and what needs to be done when under attack by cyber forces."
Chief Master Sgt. Kevin Slater, 24th Air Force command chief, said operations integration may be the most important success story of this exercise.
"Cyber's integration into Red Flag is as much about educating our air and space teammates on the critical mission assurance attributes of cyber as it is an opportunity to further our efforts to operationalize the cyber domain and the cyber warriors who operate in it," he explained.
Cyber operators taking part in Red Flag didn't happen overnight. Captain Fisher said he, personally, has been integrating cyber operations into U.S. Warfare Center exercises, to include Red Flag, for two years now. He said Det. 2, 318th IOG has been doing this for almost six years.
"This was the next logical step as we continue to mature Air Force cyber operations. We are building a "Culture of Cyber" in the Air Force, structuring cyber training in the model of air and space operations training," said General Webber. "Red Flag is the best tactical exercise in the world and adding cyber to the 'fight' made sense because the cyber domain is integral to the Air Force's ability to fly, fight and win. Our operators are getting right alongside their air and space counterparts, testing their abilities in realistic wartime situations. This will make Red Flag more realistic and train our Airmen to make the right decisions when things get tough."
Captain Fisher said a successful exercise is one where the participants learn something. He wants cyber operators to walk away from this exercise with a better understanding of operations outside of the cyber community, based on their interaction with everyone else during this exercise.
"I think the biggest area for improvement for the cyber community is going to come from the lessons that we learn in running the command and control of cyber operations within the AOC," he said. "Currently there exist a handful of theories on how to best integrate and control cyber operations within the AOC; this will be one of the first exercises where we will be executing operations based on some of those theories. When the exercise is done, we should be able to walk away with a much clearer understanding of where cyber operations fits into the AOC structure and what the best way to C2 cyber operations within the AOC is."
The final week of Red Flag 11-3 is underway and cyber inputs will add the crescendo to this unique exercise. General Webber said he looks forward to studying the results of the exercise, and is thankful the men and women in cyber operations will be able to take their experiences back with them.
"The red team is truly testing the skills of our blue team members, but the blue team continues to counter the attacks and strengthen the defense," he said. "As tactical cyber involvement grows within Red Flag and more of our operators get the opportunity to take part in the exercises, we will create a more seasoned, battle-ready cyber force. I hope that our cyber, space and air operators all come away from this exercise with an appreciation for each other's missions, and bring back to real-life operations a sense of how to better coordinate and integrate for greater operational results."
(Editor's Note: This is the second story in a series about Air Force cyber operators taking exercise inputs in Red Flag.)
 