Friday, September 11, 2009

In Passing: Larry Gelbart

Larry Gelbart
February 25, 1928 – September 11, 2009

Botnet C&C Commands Spread by Google Groups

Chuck Miller writes on SC Magazine U.S.:

A trojan targeting Google Groups turns newsgroups into a means for distributing command-and-control information for botnets.

“The trojan [dubbed Trojan.Grups] in this case is fairly simple,” wrote Gavin Gorman, security researcher for Symantec, in a post Friday on a Symantec blog. “But when executed, it logs onto a specific Google account and requests a page from a private newsgroup, which contains encrypted commands for the malware to carry out.”

In the past, Twitter has been used to deliver commands, by which an account was being used as a command-and-control hub to issue instructions to infected computers. Tweets coming from the malicious accounts were encoded and looked like a random combination of letters and numbers. But the tweets were actually being used to issue new instructions to bots.

“This is the first time a newsgroup has been used as a command-and-control conduit,” Gerry Egan, director of Symantec Security Response, said Friday. “It establishes a two-way communications pipe, using a legitimate infrastructure.”

More here.

Net Hoax Convinces Germany of Fake U.S. Suicide Bombing Attempt

Moises Mendoza writes on Threat Level:

All of Germany was bamboozled Thursday by a bizarre scheme that tricked the country’s main wire service into reporting an attempted suicide bombing in a California town — an attack supposedly perpetrated by a non-existent rap group called the “Berlin Boys.”

The work of German filmmakers peddling a satirical movie called Short Cut to Hollywood, the elaborate hoax involved at least two faked websites, a faked Wikipedia entry and California phone numbers for “public safety” officials that were actually being answered by hoaxsters in Germany using Skype.

The hoax has transfixed this country. It prompted a 1,000-word tome on the website of Frankfurter Allgemeine Zeitung, Germany’s most respected newspaper, and even a press conference denouncing the incident by the DPA – the German wire service responsible for first disseminating the news about the “attack.”

The hoax’s effect was felt thousands of miles away, as a flood of concerned phone calls from Germany jammed the switchboards at the San Bernardino County Sheriff’s office, which has jurisdiction over the supposed bombing site in California.

“This is frustrating and a waste of our resources,” said office spokesman Arden Wiltshire, who was awakened at 5 a.m. Thursday to try and sort out the crisis. Wiltshire worries that dispatchers could have missed important calls to deal with the Germans.

More here.

SCADA Watch: Chinese Students Model How to Short-Circuit the U.S. Power Grid

Paul Marks writes in New Scientist:

Predicting how rumours and epidemics percolate through populations, or how traffic jams spread through city streets, are network analyst Jian-Wei Wang's bread and butter. But his latest findings are likely to spark worries in the US: he's worked out how attackers could cause a cascade of network failures in the US's west-coast electricity grid - cutting power to economic powerhouses Silicon Valley and Hollywood.

Wang and colleagues at Dalian University of Technology in the Chinese province of Liaoning modelled the US's west-coast grid using publicly available data on how it, and its subnetworks, are connected.

Their aim was to examine the potential for cascade failures, where a major power outage in a subnetwork results in power being dumped into an adjacent subnetwork, causing a chain reaction of failures. Where, they wondered, were the weak spots? Common sense suggests they should be the most highly loaded networks, since pulling them offline would dump more energy into smaller networks.

To find out if this is indeed the case, the team analysed both the power loading and the number of connections of each grid subnetwork to establish the order in which they would trip out in the event of a major failure. To their surprise, under particular loading conditions, taking out a lightly loaded subnetwork first caused more of the grid to trip out than starting with a highly loaded one.

More here.

Clamping Down on The 'Clampi' Trojan

Brian Krebs writes on Security Fix:

Finding the notorious Clampi banking Trojan on a computer inside your network is a little like spotting a single termite crawling into a crack in the wall: Chances are, the unwelcome little intruder is part of a much larger infestation.

At least, that's the story told by two businesses which recently discovered Clampi infections, compromises that handed organized cyber gangs the access they needed to steal tens of thousands of dollars.

In early August, attackers used Clampi to swipe the online banking credentials assigned to the Sand Springs Oklahoma School District. The thieves then submitted a series of bogus payroll payments, totaling more than $150,000, to accomplices they had hired throughout the United States.

Sand Springs Superintendent Lloyd Snow said the district has since been able to get about half of those transfers reversed, while the district's bank graciously covered the rest of the loss.

Initially, Snow said, suspicion fell on one school computer on which the Clampi Trojan was indeed found. But a forensic investigation later revealed that a large number of other systems on the board's network also were sickened with Clampi.

"It was all over the whole office complex," Snow said. "Unfortunately, like most schools, we need about three times the number of people in our IT department than we have now."

More here.

Never Forget: 11 September 2001

We will never forget.

Thursday, September 10, 2009

AusCERT: Cyber Crime Levels Are 'Pandemic'

Ben Grubb writes on

The head of Australia's computer emergency response team AusCERT stood before a Federal Government Inquiry into Cybercrime today, seeking both to highlight the pressing need for a national response to the problem whilst simultaneously defending his organisation's role as the nation's first line of defence.

AusCERT general manager Graham Ingram told the Cybercrime Inquiry today that it was impossible to defend Australia's computer systems without a nationally-coordinated approach.

“I’m not here to sell you ... the latest product that’s going to fix the internet,” Mr Ingram told the Standing Committee. "What I’m going to explain to you is where all of this is heading," he said.

Mr Ingram explained to the Federal Government how cybercrime required the full support of the nation and not just law enforcement agencies “because law enforcement agencies cannot address this issue," he said.

More here.

Off Topic: I'm So Happy....

..that the NFL Regular Season is back again!

And tonight's game between the Super Bowl defending champion Pittsburgh Steelers and the Tennessee Titans was a barn-burner, going into overtime.

Gotta love it.

- ferg

Wednesday, September 09, 2009

Mark Fiore: Balms Away

More Mark Fiore brilliance.

Via The San Francisco Chronicle.

- ferg

Cyber Thieves Steal $447,000 From Wrecking Firm

Brian Krebs writes on Security Fix:

Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. Security vendors and pundits may be quick to suggest a new layer of technology to thwart such crimes, but in a great many cases, the virtual robbers are foiled because an alert observer spotted something amiss early on and raised a red flag.

In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma's online bank account to 39 "money mules," willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes.

Ferma President Roy Ferrari said he learned of the fraud not from his bank but from a financial institution at which several of the mules had recently opened accounts. Ferma employees worked extensively with that bank and several others to reverse the fraudulent transfers before the mules could withdraw the funds, and Ferrari said they were able to block at least $232,000 worth of bogus transfers.

But Ferrari says his bank is withholding at least $50,000 in additional funds it recovered on its own, until he agrees to sign a document saying he won't sue the bank for the remaining losses.

More here.

FireFox 3.5.3 Released

Get it now.

Security issues fixed in FireFox 3.5.3:

MFSA 2009-51 Chrome privilege escalation with FeedWriter
MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
MFSA 2009-49 TreeColumns dangling pointer vulnerability
MFSA 2009-47 Crashes with evidence of memory corruption (rv:

- ferg

Windows 7 Security Bug Emerges at Worst Time for Microsoft

Don Reisinger writes on eWeek:

In what could be a major issue for Microsoft as it prepares for the release of Windows 7 next month, the company announced that it has found a bug that could hijack PCs running Windows Vista, Windows Server 2008 and Windows 7.

Security researchers found that the issue affects the Windows 7 Release Candidate. However, the company was quick to assert that it has found that the bug won't harm Windows 7 RTM—the version on its way to store shelves.

"An attacker who successfully exploited this vulnerability could take complete control of an affected system," a Microsoft advisory said. "Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart."

Although it's nice to hear that the Windows 7 versions that will be shipping to store shelves won't face this problem, it underlies a major issue that Microsoft might need to face going forward: security issues, no matter the type or potential harm, could severely impact Microsoft's ability to attract consumers and especially the enterprise to the company's new operating system. At this point, a security issue that makes buyers think twice about Windows 7 could be a real hindrance to Microsoft as it tries to rebuild its operating system's standing in the marketplace.

More here.

Tuesday, September 08, 2009

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Tuesday, Sept. 8, 2009, at least 4,343 members of the U.S. military had died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes nine military civilians killed in action. At least 3,469 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is two more than the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

As of Tuesday, Sept. 8, 2009, at least 742 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Tuesday at 10 a.m. EDT.

Of those, the military reports 566 were killed by hostile action.

More here and here.

Honor the Fallen.

SCADA Watch: How a Phishing Attack Exposed an Energy Company to Hackers

Brian Prince writes on eWeek:

It began with an e-mail sent to an employee at an energy company, and ended with a security breach that exposed critical systems to outside control.

It is an all too common scenario, and just one example of the types of threats targeting not only critical infrastructure but organizations generally. The attack referenced above happened at the site of an energy company Intrepidus Group is keeping anonymous. In a discussion with eWEEK, however, the security vendor outlined just how a malware attack broke into a critical network.

The attack began to unravel April 3, 2007. That’s when a fraudulent user account - complete with administrative privileges - was detected by the energy company. At that point, Intrepidus Group was called in to try to uncover what exactly happened. Working backwards, the company traced everything back to a phishing e-mail and a little bit of social engineering.

“What started off as a very strange attack where people couldn’t understand why these random administrative accounts were being added in the internal network ended up being two and a half days later us realizing the primary domain controller in the system – which is the keys to the system really with all the passwords and user accounts – had been compromised with this zero-day attack,” said Intrepidus CEO Rohyt Belani. “But the big thing that set off alarms…was that the attack had originated not from the outside big bad world but…from another machine inside their corporate network.”

More here.

Monday, September 07, 2009

Happy Labor Day

Happy Labor Day, America.

Sunday, September 06, 2009

Obama Administration Seeks to Keep Terror Watch-List Data Secret

Ellen Nakashima writes in The Washington Post:

The Obama administration wants to maintain the secrecy of terrorist watch-list information it routinely shares with federal, state and local agencies, a move that rights groups say would make it difficult for people who have been improperly included on such lists to challenge the government.

Intelligence officials in the administration are pressing for legislation that would exempt "terrorist identity information" from disclosure under the Freedom of Information Act. Such information -- which includes names, aliases, fingerprints and other biometric identifiers -- is widely shared with law enforcement agencies and intelligence "fusion centers," which combine state and federal counterterrorism resources.

Still, some officials say public disclosure of watch-list data risks alerting terrorism suspects that they are being tracked and may help them evade surveillance.

Advocates for civil liberties and open government argue that the administration has not proved the secrecy is necessary and that the proposed changes could make the government less accountable for errors on watch lists. The proposed FOIA exemption has been included in pending House and Senate intelligence authorization bills at the administration's request.

"Instead of enhancing accountability, this would remove accountability one or two steps further away," said Steven Aftergood, director of the Federation of American Scientists' Project on Government Secrecy.

More here.