InfoSec News

Two hackers convicted of defacing Comcast's website two years ago were sentenced Friday to 18 months in prison.
 
Orange Business Services appears poised to become a cloud service provider using pre-integrated "VBlocks" from Cisco Systems, EMC and VMware.
 
Google, Apple and several other companies have reached a settlement with the U.S. Department of Justice over charges that they agreed not to hire away high-profile workers from each other.
 
The Stuxnet worm, and its possible target, captured headlines this week and left us feeling queasy about the future of cyberwar. Fortunately, Oracle OpenWorld was also this week, providing the anticipated stream of stories to our IT news diet.
 

GovInfoSecurity.com

GovInfoSecurity.com Week In Review for Sept. 24, 2010
GovInfoSecurity.com
... critical infrastructure; don't ask, don't tell filibuster has impact on cybersecurity reform; White House deemed confused, disconnected on infosec. ...

 
Since the news of Stuxnet has reached the popular media, it's probably time for a quick diary on the subject. Secunia has write-ups on two of the unpatched security vulnerabilities that allow privilege escalation that Stuxnet relies on here and here. Symantec also has a series on Stuxnet that you can read up on here. While Stuxnet does use the LNK vulnerability, it existed before then using other modes of infection (for instance, via USB keys). Another interesting note is that it exploited one of the same vulnerabilities that Conficker did. Among other things, Conficker was a real problem for embedded systems (particularly those embedded systems that ran Windows). Hospitals and health care facilities had a lot of trouble with Conficker, for instance, with their equipment.
One of the working theories is that Stuxnet was designed to attack Iranian facilities and may have had its origin in Israel. It's important to note that initial statistics showed that India and Indonesia made up a higher percentage of compromises than Iran, but around the end of July, Iran had the bulk of infections.
Assuming it is an attempt to attack the Iranian facilities, I suppose it's better to launch a cyberattack than to go all Osirak circa 1981. But the moral and philosophical implications are probably best for another venue.
An important thing to note when it comes to cyberwar: there is a lot of hype that attempts to make this a more dangerous threat than it probably is (at this specific point in time). A healthy dose of skepticism is warranted, in part, because with any cyberattack it is very difficult to determine who is really behind an attack or why. Incident responders only have (and can only get) a piece of the information: what the attack attempts to do and the forensic details of that attack. Forensically examining a botnet C&C to determine who was behind it and what happened historically gets to be much more difficult. The reasons for that are as much legal and practical as they are technical. Simply put, most bad people know to operate in jurisdictions least likely to cooperate with the good guys.
What we do know is that many countries and organizations are looking for ways to use electronic infrastructure to cripple opponents and that this is not a new development. Information systems have always been a rich target for espionage. Sabotage has always been an element of covert warfare as well. Insofar as elements of our critical infrastructure depend on and/or are controlled by information systems, electronic sabotage becomes a more real possibility. In the current case, however, Stuxnet being a tool of cyber-sabotage is a theory that fits the facts but is far from the only theory. In short, the jury is still out.
At this point, most common malware detection tools will detect this. However, one of the key infection mechanisms early on was USB keys. A popular mode of pen-testers to test an organization is to drop USB keys in a parking lot, send free keys in with vendor logos and the like to get individuals in an organization to plug USB keys into the organization's network. This is an easy-to-defeat vector of attack by employing security education, USB port security and disabling AutoRun. It's trivial to use USB keys and to create custom malware that will bypass all AV. It's also easy (but not trivial) to shut down this vector. For larger organizations, the solution may be to simply distribute your own branded USB keys for users to move data around, which may be a proper balance between security and usability.
--

John Bambenek

bambenek at gmail /dot/ com (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
A Venezuelan man was sentenced to 10 years in prison Friday for stealing and then reselling more than 10 million minutes of Internet phone service.
 
After Facebook went down on Thursday, one thing was certain: People don't like to go without their favorite social networking site.
 
It's going to be all Zuckerberg, all the time for the next week or so, thanks to a confluence of events both planned and accidental that are putting Facebook and its barely-old-enough-to-shave founder in the spotlight.
 
Forthcoming Windows Phone 7 devices are expected to have most of the required features of today's smartphones -- an application store, a 5-megapixel or better camera, a touchscreen, gaming -- but there's one it won't have, and that's tethering.
 
The server market is showing signs of weakening, which could lead to a downturn in server chip shipments, further affecting the revenue of chip makers already hampered by lackluster demand for home PCs, financial analysts said Friday.
 
Romanian authorities have arrested a phishing scammer who broke into eBay systems and accessed confidential files, including data of eBay customers and their transactions.
 
With its iOS 4.1 update, Apple rolled out a fun new feature for iPhone 4 users -- a high dynamic range (HDR) setting for the phone's rear-facing camera. The setting takes three images at different exposure and combines them for photos that are closer to what the human eye really sees.
 
Our manager fields a request to allow an Internet-connected server on the network.
 
Beginning Sept. 30, Visa will require merchants and related businesses to conduct wireless security scans to prove compliance with version 1.2 of the PCI Data Security Standard (PCI DSS) which is designed to safeguard cardholder data from wireless threats.
 
Twitter adoption among CIOs increased significantly in the last year, according to a new survey. But 49 percent of CIOs say Twitter's biggest challenge in the enterprise is its reputation as a time-waster.
 
Research In Motion launched a blog focusing on business use of the BlackBerry. It features a post from its lead contributor, a RIM marketing employee identified only as 'Roger.'
 
Facebook CEO Mark Zuckerberg Friday plans to unveil an educational foundation and its initial $100 million donation to the struggling Newark, N.J., school system.
 
Back in January I wrote a series of posts aimed at novice users. (For example: Raise Your Windows IQ: Four Icons You Need to Know.) I think it's time to revisit that series, to help novices master more of the Windows basics many of us take for granted.
 
An Osterman Research white paper argues for defragmenting virtual machines
 
Google has integrated its Chrome Web Store with its Checkout online payment system, as it gets ready to open the application marketplace to end users later this year.
 
I continue to encounter an interesting phenomenon regarding cloud computing as I speak at conferences, present to IT groups, and talk to businesspeople interested in the subject. Most people recognize the importance of cloud computing, acknowledge the relevance to their environments, and describe their initiatives.
 
Panasonic has developed a hair-washing robot that uses 16 electronically controlled fingers to give a perfect wash and rinse, the company said Friday.
 
Setting up a NAS (network-attached storage) box for remote access can be difficult as well as costly. Ctera Networks' CloudPlug ($199 as of September 1, 2010) aims to solve both problems by permitting remote access to your local storage drives via the Internet. CloudPlug ups the ante with an online backup adjunct along with local administration and local network access to your files--capabilities not found in most competing devices.
 
Have some USB drives hanging out that you haven't used in a while? Tired of leaving a PC on just so you can stream media across your network? Don't want to pony up the cash for a full-on NAS box and more drives? Then Cirago's NUS1000 USB Network Storage Link ($70 as of September 1, 2010) could be what you're looking for. It lets you attach multiple USB storage devices so you can share files and stream media across your network.
 
Cloud Engines' stylish Pogoplug ($99 as of September 1, 2010) makes it easy to access and share files from home across the Internet, using your own local drives and Internet connection via the company's Website portal. Simply log on to your account, and any storage attached to the Pogoplug unit's USB ports will be accessible from a Web browser.
 
If you've read about the Cloud Engines Pogoplug, you know most of what you need to know about the Seagate FreeAgent GoFlex Net. This USB storage sharing device ($100 as of September 1, 2010)--which looks a little like the upper couple of inches of a compact black toaster--incorporates the same technology as the Pogoplug, so you get supereasy access to your files from any Internet connection, along with the ability to share them with others.
 
A U.K. organization is conducting a survey to gauge the prevalence of cyberstalking, an undocumented problem that may be becoming increasingly prevalent.
 
Apple's iPhone took first place for the fourth year running in J.D. Power and Associates' smartphone customer satisfaction rankings.
 

White Hat Rally heroes drive for NSPCC ChildLine – please donate!
Infosecurity Magazine
Follow the White Hat Rally teams on their journey through Europe on the 24—26 September on the www.infosec.co.uk website and on www.twitter.com ...
Information security industry rallies to support NSPCC, Childline
SC Magazine UK
 
Long before CDs, MP3s and streaming audio, there were vinyl records. Believe it or not, they're still selling.
 
As high-performance computing on Wall Street is driven by multicore processors, programmers need to rethink the way they write code if they want to hang onto their jobs.
 
China and other nations are beginning to challenge U.S. supercomputing leadership, something that has implications for every aspect of U.S. leadership in science and product development, say experts.
 
A veteran analyst said that JPMorgan Chase's online banking site crashed last week due to a corruption in an Oracle database.
 
InfoSec News: National Assembly probe into IT security breach: http://www.walesonline.co.uk/news/welsh-politics/welsh-politics-news/2010/09/23/national-assembly-probe-into-it-security-breach-91466-27324949/
By Martin Shipton Western Mail WalesOnline.co.uk Sept 23 2010
NATIONAL ASSEMBLY officials have launched an investigation into how a [...]
 
InfoSec News: Stuxnet malware is 'weapon' out to destroy ... Iran's Bushehr nuclear plant?: http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant
By Mark Clayton Staff writer September 21, 2010
Cyber security experts say they have identified the world's first known cyber super weapon designed specifically to destroy a real-world target -- a factory, a refinery, or just maybe a nuclear power plant. The cyber worm, called Stuxnet, has been the object of intense study since its detection in June. As more has become known about it, alarm about its capabilities and purpose have grown. Some top cyber security experts now say Stuxnet's arrival heralds something blindingly new: a cyber weapon created to cross from the digital realm to the physical world – to destroy something.
At least one expert who has extensively studied the malicious software, or malware, suggests Stuxnet may have already attacked its target – and that it may have been Iran's Bushehr nuclear power plant, which much of the world condemns as a nuclear weapons threat.
The appearance of Stuxnet created a ripple of amazement among computer security experts. Too large, too encrypted, too complex to be immediately understood, it employed amazing new tricks, like taking control of a computer system without the user taking any action or clicking any button other than inserting an infected memory stick. Experts say it took a massive expenditure of time, money, and software engineering talent to identify and exploit such vulnerabilities in industrial control software systems.
Unlike most malware, Stuxnet is not intended to help someone make money or steal proprietary data. Industrial control systems experts now have concluded, after nearly four months spent reverse engineering Stuxnet, that the world faces a new breed of malware that could become a template for attackers wishing to launch digital strikes at physical targets worldwide. Internet link not required.
[...]
 
InfoSec News: White House reviews nation's cybersecurity: http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092305431.html
By Ellen Nakashima Washington Post Staff Writer September 23, 2010
The White House is reviewing whether to ask for new authorities for the Defense Department and other government agencies to ensure that the [...]
 
InfoSec News: Cisco releases critical IOS security patches: http://www.computerworld.com/s/article/9187320/Cisco_releases_critical_IOS_security_patches
By Robert McMillan IDG News Service September 22, 2010
Cisco has released its twice-yearly set of security updates for its switches and routers.
There are six advisories in all, each one covering a different component of the Cisco Internetwork Operating System (IOS), which powers the routers. They cover IOS components such as Cisco's VPN software, the Session Initiation Protocol (SIP), and Internet Group Management Protocol, and Network Address Translation (NAT) software.
Released Wednesday, the updates fix 12 bugs. An attacker could possibly leverage some of them to crash the router, Cisco says.
[...]
 
InfoSec News: Secunia Weekly Summary - Issue: 2010-38:
The Secunia Weekly Advisory Summary 2010-09-16 - 2010-09-23
This week: 75 advisories [...]
 

Posted by InfoSec News on Sep 24

http://www.washingtonpost.com/wp-dyn/content/article/2010/09/23/AR2010092305431.html

By Ellen Nakashima
Washington Post Staff Writer
September 23, 2010

The White House is reviewing whether to ask for new authorities for the
Defense Department and other government agencies to ensure that the
nation's critical computer systems are protected in the event of a major
attack, the commander of the Pentagon's new Cyber Command said Thursday.

If an...
 


Posted by InfoSec News on Sep 24

http://www.walesonline.co.uk/news/welsh-politics/welsh-politics-news/2010/09/23/national-assembly-probe-into-it-security-breach-91466-27324949/

By Martin Shipton
Western Mail
WalesOnline.co.uk
Sept 23 2010

NATIONAL ASSEMBLY officials have launched an investigation into how a
serious security breach occurred on the computer network used by AMs and
their staff.

The breach, which happened on Tuesday morning, could have led to
confidential...
 

Posted by InfoSec News on Sep 24

http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant

By Mark Clayton
Staff writer
September 21, 2010

Cyber security experts say they have identified the world's first known
cyber super weapon designed specifically to destroy a real-world target
-- a factory, a refinery, or just maybe a nuclear power plant.

The cyber worm, called Stuxnet, has been the object of intense study
since its...
 
Lenovo's IdeaPad U1 -- a hybrid PC that can function as both a laptop and a tablet -- will be launched in China early next year, pushing back its release date from this past June.
 
Mark Gibbs finds Word is broken (again and in the same way!) and fixes his Mac (a year later).
 
Many Facebook users were unable to access the social networking site for up to two and a half hours on Thursday, the worst outage the website has had in over four years, Facebook said in a posting.
 
