May 2009 - Posts

VMWare Patches Released

Published: 2009-05-29,
Last Updated: 2009-05-29 14:25:20 UTC
by Lorna Hutcheson (Version: 1)

Patches were released yesterday to fix a DoS vulnerability and potential arbitrary code execution.  Here are the two vulnerabilities:

1.  VMWare Descheduled Time Accounting driver:

The issue affects the VMware Descheduled Time Accounting driver and can cause a denial of service in Windows-based virtual machines on the vulnerable versions. This driver is an optional (non-default) part of the VMware Tools installation. Virtual machines migrated from vulnerable releases remain vulnerable if their tools are not upgraded and the following three conditions are met:

- The virtual machine is running a Windows operating system.
- The VMware Descheduled Time Accounting driver is installed in the virtual machine.
- The VMware Descheduled Time Accounting Service is not running in the virtual machine.

2.  libpng package for the ESX 2.5.5 Service Console

The libpng package is used for creating and manipulating PNG (Portable Network Graphics) image files. A crafted PNG file loaded by an application linked against libpng could cause the application to crash or allow arbitrary code execution with the privileges of the user running the application.

Another flaw concerns PNG images that contain "unknown" chunks. If an application linked against libpng attempted to process a malformed, unknown chunk in a malicious PNG image, it could cause the application to crash.
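The two libpng flaws above both come down to a decoder trusting chunk metadata in the file. The following is an added example, not code from the diary or from libpng: a small defensive walker over the PNG chunk structure that checks every chunk's declared length against the file size, verifies the CRC, and reports unknown chunks before any of the bytes reach a decoder. The three sample images are constructed inside the script.

```python
"""Added example (not from the diary or from libpng): a defensive walker over the
PNG chunk structure that validates each chunk's declared length and CRC and
reports unknown chunks before the bytes reach a decoder. The three sample
images are constructed in this script."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_MAX_CHUNK = 2**31 - 1  # the PNG specification caps chunk length at 2^31-1
# Chunk types registered in the PNG specification; anything else is "unknown".
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME",
}

def make_chunk(ctype, data, length=None):
    """Build one chunk: length, type, data, CRC over type+data.
    `length` lets the constructed samples declare a wrong length on purpose."""
    declared = len(data) if length is None else length
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", declared) + ctype + data + struct.pack(">I", crc)

def check_png(buf):
    """Walk the chunks and return (offset, chunk type, problem) findings.
    Stops at the first structural error, because nothing after it can be trusted."""
    if not buf.startswith(PNG_SIGNATURE):
        return [(0, None, "missing PNG signature")]
    findings, pos = [], len(PNG_SIGNATURE)
    while pos < len(buf):
        if pos + 8 > len(buf):
            findings.append((pos, None, "truncated chunk header"))
            break
        length = struct.unpack(">I", buf[pos:pos + 4])[0]
        ctype = buf[pos + 4:pos + 8]
        if length > PNG_MAX_CHUNK:
            findings.append((pos, ctype, f"declared length {length} exceeds PNG maximum"))
            break
        end = pos + 8 + length
        if end + 4 > len(buf):
            findings.append((pos, ctype, f"declared length {length} runs past end of file"))
            break
        data = buf[pos + 8:end]
        stored_crc = struct.unpack(">I", buf[end:end + 4])[0]
        if stored_crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            findings.append((pos, ctype, "CRC mismatch"))
        if ctype not in KNOWN_CHUNKS:
            # bit 5 of the first type byte (lowercase) marks an ancillary chunk
            kind = "ancillary" if ctype[0] & 0x20 else "critical"
            findings.append((pos, ctype, f"unknown {kind} chunk"))
        pos = end + 4
        if ctype == b"IEND":
            break
    return findings

# Constructed 1x1 grayscale image: IHDR, one compressed scanline, IEND.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
IEND = make_chunk(b"IEND", b"")
GOOD_PNG = PNG_SIGNATURE + IHDR + IDAT + IEND
# Same image with a private ancillary chunk a decoder will not recognise.
UNKNOWN_PNG = PNG_SIGNATURE + IHDR + make_chunk(b"prIv", b"abcd") + IDAT + IEND
# Same again, but the unknown chunk declares far more data than is present.
OVERRUN_PNG = PNG_SIGNATURE + IHDR + make_chunk(b"prIv", b"abcd", length=1000) + IDAT + IEND

if __name__ == "__main__":
    for name, img in (("good", GOOD_PNG), ("unknown", UNKNOWN_PNG), ("overrun", OVERRUN_PNG)):
        print(name, check_png(img) or "no findings")
```

The walker deliberately stops at the first length or CRC error rather than skipping ahead, since an attacker who controls one chunk's length controls where every later chunk appears to start; a file with findings is one to quarantine, not to hand to an image library.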

Microsoft DirectShow vulnerability

Published: 2009-05-28,
Last Updated: 2009-05-28 22:56:56 UTC
by Stephen Hall (Version: 1)

Microsoft have recently announced a Microsoft DirectShow vulnerability via an advisory and multiple blog entries.

The advisory indicates that Microsoft are investigating public reports of a vulnerability within the DirectShow element of DirectX; CVE-2009-1537 has been allocated to this vulnerability.

Microsoft have published quite a detailed set of actions which provide a temporary workaround for this issue, preventing the download of a crafted QuickTime-formatted file.

The following information has been posted:

http://blogs.technet.com/msrc/default.aspx
http://www.microsoft.com/technet/security/advisory/971778.mspx
http://blogs.technet.com/srd/

In the advisory Microsoft have indicated that a patch will be produced for this but give no timescales. To reduce the potential risk you should weigh the impact of applying the workaround against the period of nil protection whilst its MAPP/MSRA partners get detection definitions out.

SecurityFocus have reported that targeted exploits of this issue have been seen in the wild.

 

********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 28, 2009
********************************************************************

Security Advisories Released Today
==============================================

* Microsoft Security Advisory (971778)
- Title: Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/971778.mspx
- Revision Note: Advisory published.

H1N1 Themed Targeted Attack

Posted by Response @ 13:02 GMT

The H1N1, formerly known as swine, flu continues to make headlines… though the trends peaked earlier this month.

And while there hasn't been widespread use of H1N1 themes for malicious attacks, we have seen some limited use. Here's something that our honeypots collected last week.

It's a malicious PDF file (that's nothing new).

When the PDF is opened, it exploits Adobe Reader, drops a backdoor, and shows a file referring to H1N1 flu.

Here's a screenshot.


What happens behind the scenes? The exploit drops a malicious file called "AcrRd32.exe" into the computer's temp folder.

The malicious file connects to three IP addresses in order to "call home". These addresses are, or were, in Texas (207.200.45.12), Budapest (89.223.181.93) and Hyderabad (202.53.69.130).

The individuals targeted by this attack are unknown to us.

May 26, by JM Hipolito (Technical Communications)

A spam attack that has affected instant messaging users has found its way onto Twitter, infiltrating users' accounts to post messages with links to weight-loss drugs.

Hacked Twitter accounts are being used to post messages that promote weight-loss drugs. The messages vary in wording but generally carry the same pitch, and all are followed by a link that leads to websites where the drugs are sold. Searching Twitter for “$5 acai” yields the posts of users whose accounts were hacked.

The spammers even used TinyURL, a free URL redirection service that turns long URLs into short ones. Twitter users rely on it heavily because it leaves more of the 140-character limit for the message rather than the link. This makes the spam posts even more convincing: the message looks little different from any other post, and the actual spam URL is masked behind the one TinyURL provides.

Worldometers states that there are currently more than 1 billion overweight adults, at least 300 million of them clinically obese. With such a huge number of concerned users as potential targets, a lure such as weight-loss drugs has a good chance of becoming a hit.

Bad Program Logic Amplifies Baofeng Attack


A distributed denial-of-service (DDOS) attack on DNS servers of a domain registrar coupled with bad program logic in a popular media application caused network outages in parts of China last week.

Baofeng is a widely popular media player in China, with a total of 200 million users and several million users online simultaneously. The player starts when Windows boots and connects to Baofeng’s online server; then it’s designed to send DNS queries to DNS servers to get the IP addresses of different online servers until it gets an answer. Because of its massive number of online users, it would be a powerful DDOS attack tool if all online Baofeng programs were to send continuous DNS queries at the same time, especially if the authoritative DNS server could not answer the queries.

Several DNS servers of DNSPod (a Chinese domain service provider and registrar) were hit by a DDOS attack on the night of May 18. These DNS servers became inaccessible. The assault was meant to be a targeted attack against one company, but one of the customers of DNSPod is Baofeng.com, whose authoritative DNS server was the server under attack. Because of a design flaw in Baofeng’s media player, all online Baofeng programs started continuously sending DNS queries after the DNS responses previously cached by other servers timed out on May 19. The massive number of DNS queries flooded the network of China Telecom (one of the biggest ISPs in China). As a result, users in parts of China were unable to access websites.

The initial DDOS attack that targeted a specific domain registrar now transformed into a DDOS attack on almost all DNS servers in China, so we can see how a bad design in a program “helped” the attacker(s) amplify the attack.
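The design flaw described above is a client that keeps re-sending DNS queries for as long as the authoritative server fails to answer, which turns an outage into a flood. The script below is an added example, not Baofeng's code: it simulates the aggregate query load from a population of such clients and compares it with a client that backs off exponentially with jitter. The client count, intervals and time window are constructed, and the "continuous retry" model is an assumption about the flawed behaviour rather than the player's actual logic.

```python
"""Added example (not Baofeng's code): simulate the query load a population of
clients puts on an authoritative DNS server that has stopped answering, comparing
the flawed behaviour the post describes (keep re-sending until an answer arrives)
with exponential backoff. Client counts, intervals and the window are constructed."""
import random

def continuous_retry(seconds, rng=None, interval=1.0):
    """Flawed client (assumed model of the player): one query per `interval`
    for as long as no answer arrives, with no upper bound."""
    times, t = [], 0.0
    while t < seconds:
        times.append(t)
        t += interval
    return times

def exponential_backoff(seconds, rng=None, base=1.0, cap=30.0):
    """Hardened client: wait between delay/2 and delay ("equal jitter"), then
    double the delay up to `cap`, so the retry rate decays instead of holding steady."""
    rng = rng or random.Random(0)
    times, t, delay = [], 0.0, base
    while t < seconds:
        times.append(t)
        t += delay / 2 + rng.uniform(0, delay / 2)
        delay = min(cap, delay * 2)
    return times

def load_profile(schedule, clients, seconds, seed=0):
    """Bin every client's query times per second. Returns (total queries,
    busiest second after the first), since all clients start together at t=0
    just as they did when the cached records expired."""
    rng = random.Random(seed)
    bins = [0] * seconds
    for _ in range(clients):
        for t in schedule(seconds, rng):
            bins[int(t)] += 1
    return sum(bins), max(bins[1:])

if __name__ == "__main__":
    clients, window = 10_000, 60
    for name, fn in (("continuous retry", continuous_retry),
                     ("exponential backoff", exponential_backoff)):
        total, peak = load_profile(fn, clients, window)
        print(f"{name:20s} total={total:7d}  busiest second={peak:6d}")
```

With 10,000 simulated clients the continuous-retry strategy sends 600,000 queries in a minute and holds a steady 10,000 per second, while the backoff strategy sends under 80,000 and its per-second rate collapses after the first few seconds; the post's figure of several million simultaneous users scales both numbers accordingly.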

Fight Diabetes, But Not With Spam's Help

The latest figures from the World Health Organization (WHO) say that there are at least 170 million diabetic patients worldwide, and that number will double by the year 2030. The chronic nature of diabetes means that these patients constantly need to control their blood sugar level using medicines. Along with medicines, lab tests are necessary to check on the disease that will become part of a patient’s routine life. With the ongoing financial crisis affecting all walks of life, recurring expenditures on medical care can be costly for an individual and his or her family. Obviously these patients will look for discounts or offers to help them through their situation.

Online medical suppliers offer varying discounts, one being a free glucose meter for visitors placing a supply order. Spammers have read this well and are making the same offer by spam message. They use the name and look of a well-known medical supplier so that the message sounds authentic to recipients, and the website it leads to bears the same look-and-feel as the original supplier's site. Users may be tricked into submitting personal details such as name, email address and phone number to the site in question.

Spammers ensured that the supplier name appeared either in the subject line or sender field of the message. Here are some of the sample subject lines associated with these spam attacks:

[brand name removed] glucose meter at no-charge from [supplier name removed]
Manage your diabetes - Complimentary glucose meter from [supplier name removed]
Self-test your blood glucose with a complimentary meter from [supplier name removed]
Your free glucose meter is waiting for you
Manage your diabetes - free glucose meter from [supplier name removed]
Example image of the message:

 

When the users click for more information, they are directed to a look-alike website of the medical supplier and are asked to fill in their personal details. See the sample image below:



On submitting the information, users are informed that they will be contacted in the next five minutes. However, spammers are collecting this information for their own gain. Needless to say, the submitted email addresses may be used or sold for future spam campaigns. Users can avoid compromising their data by simply typing the legitimate URLs directly into the browser address bar when ordering their supplies. Also, with so many fake products associated with such unsolicited offers, users can never be assured that the medicine (if it is actually supplied) is genuine.

Message Edited by Mayur Kulkarni on 05-26-2009 01:45 PM
Put Your Passwords on a Post-it

Posted by Sean @ 16:07 GMT

Facebook is slowly but surely defending itself against aggressive spam runs.

There's some speculation among experts. Why Facebook? Has Facebook become a keystone from which to launch and steal all of an individual's passwords (i.e. banking and commerce sites)? Once you have Facebook, can you then compromise the primary e-mail account and everything else along with it?

Maybe so, but regardless of why — the sheer gravity of Facebook makes it a target. Its growth and size is tremendous.

Let's take Finland as an example. There are over one million estimated Facebook accounts and there are only 5.3 million people living in Finland. The regional network has over 544,000 members. Anything that size will be a target for scammers.

Wherever good people go, miscreants will follow.

So of course it's an excellent policy to maintain complex passwords that are unique to each site. Right?

Here's an idea. Write down your passwords. Seriously.

And once you write them down, put them in your wallet. Think about it. What else do you carry in your wallet? That's right, your bank cards. And your bank cards contain your account name and account number.

That's kind of like your online account names and passwords.

Only this is the key — it's a two-part password. Because your account name and bank card number also require your PIN.

So take a look at this screenshot. What do you see?


Passwords on a Post-it, only examples of course… non-dictionary ones at that.

Keep another three common characters in your head, and you'll have complex 10 character passwords. And you can insert those extra characters in the front, middle, or end.

What do we mean? It's like this.

The first three characters in this example are based on the website: "aMA" represents Amazon.com. It can be written several ways, such as "AMa" or "aMa" or "AMA", etc. A good method should be easy for you to remember.

The next (or other) part, "2242" as in our example, should be something completely random. This is the part that you really need to write down and keep safe so that you don't forget it.

And then you should use a method to add three more characters (your "PIN") to every password. Something such as "35!" So the full password then becomes "aMA224235!" or "aMA35!2242" or "35!aMA2242".

Our other example would be "gMA35N135!".

Your PIN should never be written down, keep that bit of information in your head. Just like your bank card's PIN.

Note that our example does not include an e-mail address on the Post-it.

What happens if your wallet is stolen? You call the bank and cancel your cards.

And what about your Post-it? If it doesn't include your e-mail address or your PIN, you can reset your passwords in a timely fashion on a new piece of paper. You're good to go.

Using this methodology, you can maintain complex and unique passwords, and still have something handy for when you forget them. Because we all do forget stuff from time to time.

And if you're phished on one site, such as Facebook, your other accounts aren't sharing the same password.

Oh, one last piece of advice.

Don't put the Post-it on your monitor! And not on the underside of your keyboard either… everyone's familiar with that location too.

Your IM Account Information is Available on the Internet!

Instant messaging (IM) applications are widely used nowadays, and while more and more people use them, they’ve also become increasingly feature heavy. Besides the original chat function, IM applications have also integrated other useful features such as blogging, photo albums, online games, etc. More functions enhance the user’s Internet surfing experience, help people to share information and thoughts, and even allow users to manage their assets online.

While people are enjoying the convenience brought by advanced technologies and services, hackers are also aiming at the information that people are increasingly putting on the Internet, especially when the information is profitable. Online account information is definitely one of them.

A recent security event is a warning to us all. It was discovered that people’s IM account information is available online by searching keywords such as “[IM USERNAME] password txt filetype:txt.” Hundreds of search results are returned containing the details of the requested information. Moreover, some of the information has proven to be valid and could be used to log in and manipulate the accounts.

How did the stolen IM account information become available on search engine results? Analysis has shown that after attackers stole the account information using a Trojan horse, they stored the stolen information in the text file on certain FTP servers or transferred the file via email. And servers that store the information often have very loose access permits or sometimes have even no restrictions at all. Thus, once the files that contain the stolen information happen to be indexed by search engines, they’ll then become available to be queried, and could be easily downloaded and viewed.

There are a number of Trojan horses that aim to steal IM account information. We’ve analyzed one of those Trojans to show you how it works:

Firstly, the Trojan horse arrives on the compromised computer masquerading as a real IM client. After the fake IM client is executed, it creates a shortcut on the desktop using exactly the same name and logo as the shortcut created by the real IM, so that it looks like the real IM application. Meanwhile, a login window pops up and prompts the user for the login details. This window again looks the same as the real login interface, except that on the fake window only the “User ID”, “Password” and “Login” fields/buttons are active; all other buttons/links, such as “Password Stealer Scan”, “Apply For New Account” and “Forgot Your Password?”, are disabled. This already differentiates the fake application from the authentic IM login window. Unfortunately, users usually ignore these differences, so the fake login window can still fool a lot of users.

[Figure 1: blank login window, with red captions]

We tested the fake IM application by entering a random ID “123456789” and password “test account.”

[Figure 2: login test]

As soon as Login is clicked, the malicious program records the account information “user=123456789&pass=testaccount” and connects to the malicious server “qazx.ok[REMOVED].net” to transmit the stolen credentials.

[Figure 3: information stealing]

At the malicious server end, it collects all the information sent by Trojan horse clients and stores it in a text file like the one mentioned at the beginning of the post. If these text files are not well protected, the information becomes available to everyone on the Internet, and the negative impact on the original account owner could be even worse.

To prevent such a security incident from happening, always download the IM application from the official website. Avoid downloading altered versions with alleged add-ons or fancy functions from unauthorized third-party websites. Furthermore, keeping your antivirus software up to date with the latest definitions is always recommended. Stay safe online, and have more fun by using IMs!
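The fake client gives itself away on the wire: it sends a “user=…&pass=…” form to a host the genuine IM service has nothing to do with. The script below is an added example, not part of the analysis above, showing how that pattern can be picked out of proxy-style logs. The log format, the sample lines, the allowlist of legitimate login hosts and the placeholder collection host (standing in for the redacted “qazx.ok[REMOVED].net”) are all constructed for this example.

```python
"""Added example (not part of the analysis above): flag log records of outbound
HTTP requests that carry credential-shaped form fields to a host the genuine
IM client has no reason to contact, the pattern the fake client shows when it
sends "user=...&pass=..." to its collection server. The log format, the lines,
the allowlist and the host names are all constructed for this script."""
from urllib.parse import parse_qs, urlsplit

# Parameter names that typically carry a login (constructed list; extend as needed).
CREDENTIAL_KEYS = {"user", "username", "uid", "login", "pass", "passwd", "password", "pwd"}
# Hosts the genuine client legitimately authenticates to (constructed allowlist).
ALLOWED_HOSTS = {"login.im-vendor.example"}

# Constructed records: "<timestamp> <client ip> <method> <url> [<form body>]".
SAMPLE_LOG = """\
2009-05-26T10:01:02Z 10.0.0.7 GET http://qazx.ok-placeholder.invalid/r.php?user=123456789&pass=testaccount
2009-05-26T10:01:05Z 10.0.0.7 POST http://login.im-vendor.example/auth user=123456789&pass=testaccount
2009-05-26T10:02:00Z 10.0.0.9 GET http://news.example/?q=flu
2009-05-26T10:03:11Z 10.0.0.7 POST http://qazx.ok-placeholder.invalid/collect uid=123456789&pwd=testaccount
"""

def credential_fields(encoded):
    """Names of credential-like parameters in a URL-encoded string. Values are
    deliberately not returned, so an alert never re-exposes the secret."""
    params = parse_qs(encoded, keep_blank_values=True)
    return {k for k in params if k.lower() in CREDENTIAL_KEYS}

def scan_record(line):
    """Return an alert dict for one record, or None if it looks benign."""
    fields = line.split(" ", 4)
    if len(fields) < 4:
        return None  # malformed or empty record
    ts, src, method, url = fields[:4]
    body = fields[4] if len(fields) == 5 else ""
    parts = urlsplit(url)
    found = credential_fields(parts.query) | credential_fields(body)
    if found and parts.hostname not in ALLOWED_HOSTS:
        return {"time": ts, "src": src, "method": method,
                "host": parts.hostname, "fields": sorted(found)}
    return None

def scan_log(text):
    """Alerts for every record in the log, in order."""
    return [a for a in (scan_record(l) for l in text.splitlines()) if a]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Only the two requests to the placeholder collection host are flagged; the legitimate login to the allowlisted host and the ordinary search query pass. Reporting field names rather than values keeps the captured password out of the alerting pipeline.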

Big thanks to Xie Xiaojun for the virus analysis.

Message Edited by Trevor Mack on 05-27-2009 05:40 AM
Facebook phishing using Belgium (.be) domains

Published: 2009-05-24,
Last Updated: 2009-05-25 20:01:20 UTC
by Raul Siles (Version: 6)

This is not new or exciting, but as we have received several reports during the weekend (thanks to all that wrote in - Kevin, Mike, Rick), you all should know what is going on. It seems a new Facebook phishing/spam/"worm" campaign is doing the rounds. It uses Belgium domains (.be) to impersonate the Facebook login page and steal the user credentials.

UPDATE 4: The malicious domains do not only impersonate Facebook but contain malicious "hidden" (1x1 pixel) iframes, hosted on the same host, such as: "/tds/r.php?sid=2&pid=5511". Do not browse to them unless you know what you are doing!

UPDATE 5: (May 25, 22:00h CET) It seems there is a new variation moving around, using tinyurl links (thanks Charlie). For example, you get a Facebook message pointing to "tinyurl dot com /o5kblj/" that takes you to a link at "simplemart dot be". Remember you can enable/disable the tinyurl preview feature through "http://tinyurl.com/preview.php". You just need to enable cookies on your browser.

Some of the malicious domains being used are redfriend dot be, redbuddy dot be, picoband dot be... (at this point, none of them can be resolved).

UPDATE 1: Other domains: areps dot at, greenbuddy dot be (Thanks Derek)

UPDATE 2: You can check the owner of Belgium domains through www.dns.be (the whois search is on the top-right corner).

Just to provide a couple of examples, the greenbuddy dot be and redfriend dot be domains were registered on May 22, and the last update was May 24, by:

Name Andrey Sokolovsky
Language English
Address address
Email email

The redbuddy dot be was registered on May 21, last updated May 24 (both from people on the ".at" domain):

Name Petr Anisimov
Language English
Address address
Email email

UPDATE 3: As expected, more domains are coming (and some of them are still active right now - May 25, 0:00am CET) - thanks Kevin and Greg:

  • redfriend dot be, redbuddy dot be, picoband dot be, areps dot at, greenbuddy dot be
  • picoband dot be, vispace dot be, whiteflash dot be, bestspace dot be
  • There are other "more than suspicious" .be domains associated to the same IP address

The ones active do resolve to IP address 211.95.78.98. From APNIC:

inetnum:      211.90.0.0 - 211.97.255.255
netname:      UNICOM
descr:        China United Telecommunications Corporation
descr:        No.133,Taiyun Building,Xidan North Street
descr:        Xicheng District,Beijing,China
country:      CN
admin-c:      JY1446-AP
tech-c:       JY1446-AP
mnt-by:       MAINT-CNNIC-AP
mnt-lower:    MAINT-CNNIC-AP
mnt-routes:   MAINT-CNNIC-AP
status:       ALLOCATED PORTABLE
changed:      ipas@cnnic.cn 20070731
changed:      hm-changed@apnic.net 20070802
source:       APNIC

It's recommended to filter access to all of them (and the others coming)!

--
Raul Siles
www.raulsiles.com
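The diary gives the phishing host's address and the APNIC allocation it sits in, and recommends filtering the domains. The script below is an added example, not the diary's own tooling: it turns the quoted inetnum range into CIDR blocks, re-fangs the "dot" notation, sorts a set of resolved names by whether they share the known address or merely the netblock, and emits hosts-file style sinkhole entries. The whois excerpt and 211.95.78.98 come from the diary; the resolution results and the "other-host dot be" and "control.example" names are constructed, since the real domains no longer resolve.

```python
"""Added example (not from the diary): turn the APNIC inetnum record quoted above
into CIDR blocks and check which of a set of resolved phishing domains fall inside
it, producing blocklist entries. The whois excerpt and the address 211.95.78.98 are
the diary's; the resolution results are constructed (the domains no longer resolve)."""
import ipaddress

APNIC_RECORD = """\
inetnum:      211.90.0.0 - 211.97.255.255
netname:      UNICOM
descr:        China United Telecommunications Corporation
country:      CN
source:       APNIC
"""

def inetnum_to_networks(record):
    """Parse the 'inetnum: first - last' line into the minimal list of CIDR blocks."""
    for line in record.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "inetnum":
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            return list(ipaddress.summarize_address_range(first, last))
    raise ValueError("record has no inetnum line")

def refang(name):
    """Undo the diary's 'example dot be' defanging so names can be looked up."""
    return name.replace(" dot ", ".").strip()

def classify(resolutions, bad_ip, networks):
    """Sort resolved domains into 'exact' (same address as the known phishing host),
    'same-netblock' (inside the allocation, worth a look), 'unrelated' and 'unresolved'."""
    target = ipaddress.ip_address(bad_ip)
    verdict = {"exact": [], "same-netblock": [], "unrelated": [], "unresolved": []}
    for name, ip in resolutions.items():
        if ip is None:
            verdict["unresolved"].append(name)
            continue
        addr = ipaddress.ip_address(ip)
        if addr == target:
            verdict["exact"].append(name)
        elif any(addr in net for net in networks):
            verdict["same-netblock"].append(name)
        else:
            verdict["unrelated"].append(name)
    return verdict

def blocklist_lines(names):
    """hosts-file style sinkhole entries for the names to block."""
    return [f"0.0.0.0 {n}" for n in sorted(names)]

# Constructed resolution results for defanged names from the diary, plus a
# constructed host inside the allocation and a control in the TEST-NET-1 range.
RESOLUTIONS = {
    refang("redfriend dot be"): "211.95.78.98",
    refang("whiteflash dot be"): "211.95.78.98",
    refang("picoband dot be"): None,
    refang("other-host dot be"): "211.96.1.1",   # constructed, same allocation
    "control.example": "192.0.2.10",            # constructed, unrelated
}

if __name__ == "__main__":
    nets = inetnum_to_networks(APNIC_RECORD)
    print("allocation as CIDR:", [str(n) for n in nets])
    verdict = classify(RESOLUTIONS, "211.95.78.98", nets)
    print(verdict)
    print("\n".join(blocklist_lines(verdict["exact"])))
```

The allocation spans a /15, a /14 and another /15 of a large carrier, so "same-netblock" is context for an analyst rather than grounds to block on its own; the blocklist is built only from names that resolve to the exact address the diary reports.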

Analyzing malicious PDF documents

Published: 2009-05-24,
Last Updated: 2009-05-24 05:38:42 UTC
by Raul Siles (Version: 1)

As we announced in a recent ISC diary, Adobe is changing its patching model and strategy, but it seems still JavaScript will be enabled by default in Adobe Acrobat and Reader. As a consequence, I foreshadow more PDF vulnerabilities, exploits and attacks in the near future (let's hope I'm wrong).

On the one hand, I've been actively using PDF exploits in recent penetration tests, emulating the real-world attacks we have seen in the wild and described in several ISC diaries during the last 2-3 years (you can get most of them using the following search in Google: "pdf site:isc.sans.org"). Both the open-source Metasploit Framework and commercial pen-testing tools, like Core Impact, include these capabilities.

On the other hand, we need to be able to dissect these malicious files when we are the target. The Hakin9 magazine has made available this week (for free) a great introductory article on the internal formatting of PDF files and how to analyze malicious PDF documents, those exploiting a vulnerability in the embedded JavaScript interpreter (very common), by Didier Stevens (a well known PDF expert we've mentioned regarding previous PDF vulnerabilities):

"Anatomy of Malicious PDF Documents". Didier Stevens. Hakin9 magazine.

In order to get a copy of the article, in PDF format (What a coincidence! Is it malicious or not?), you just need to provide an e-mail address. Do not forget to download the RTF document with the code listing (link on the right hand side).

This article is a must read and a great starting point for incident handlers interested in increasing their skills to analyze malicious PDF documents. If you want to start practicing today, before being a target, generate a malicious PDF document in Metasploit and analyze it. For more advanced inspection, I encourage you to use some specific PDF analysis tools.

--
Raul Siles
www.raulsiles.com

Keywords: Acrobat adobe pdf
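A first pass at a suspicious PDF usually means counting the names that matter (JavaScript, automatic actions, launch actions, embedded files) before any deeper parsing. The script below is an added example, not the diary's code and not Didier Stevens' tools: a minimal keyword triage that undoes the "#xx" name escapes PDF syntax permits, inflates FlateDecode streams so keywords hidden inside compressed objects are still counted, and lists the reasons a file deserves a closer look. Both sample documents are constructed in the script.

```python
"""Added example, not the diary's and not Didier Stevens' tooling: a minimal triage
scanner that counts the PDF names most associated with malicious documents. It undoes
the #xx name escapes PDF syntax allows, inflates FlateDecode streams so keywords hidden
in compressed objects are still counted, and reports why a file deserves a closer look.
Both sample documents are constructed here."""
import re
import zlib

SUSPICIOUS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile", "/ObjStm")
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def normalize_names(data):
    """/Java#53cript and /JavaScript are the same name in PDF syntax."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data):
    """Inflate every stream that zlib can decode; streams with other filters are skipped."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return out

def count_keywords(data):
    """Keyword counts over the raw bytes plus the inflated stream contents."""
    views = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    counts = {}
    for kw in SUSPICIOUS:
        # a name ends at whitespace or a delimiter, so /JS must not match /JSX
        pattern = re.compile(re.escape(kw.encode()) + rb"(?![A-Za-z0-9])")
        counts[kw] = sum(len(pattern.findall(v)) for v in views)
    counts["obj"] = len(re.findall(rb"\bobj\b", data))
    counts["endobj"] = len(re.findall(rb"\bendobj\b", data))
    return counts

def triage(data):
    """Counts plus a list of human-readable reasons the file is suspicious."""
    c = count_keywords(data)
    reasons = []
    if c["/JavaScript"] or c["/JS"]:
        reasons.append("contains JavaScript")
    if c["/OpenAction"] or c["/AA"]:
        reasons.append("runs an action automatically")
    if c["/Launch"]:
        reasons.append("can launch an external program")
    if c["/EmbeddedFile"]:
        reasons.append("carries an embedded file")
    if c["/ObjStm"]:
        reasons.append("uses object streams, which can hide further keywords")
    if c["obj"] != c["endobj"]:
        reasons.append("obj/endobj counts differ, suggesting a malformed file")
    return {"counts": c, "suspicious": bool(reasons), "reasons": reasons}

# Constructed sample: JavaScript on open, once with an escaped name and once
# inside a compressed stream, as a real sample might try to hide it.
_HIDDEN = zlib.compress(b"<< /S /JavaScript /JS (app.alert('hidden in a compressed stream')) >>")
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
    b"4 0 obj << /S /Java#53cript /JS (app.alert('constructed sample')) >> endobj\n",
    b"5 0 obj << /Length " + str(len(_HIDDEN)).encode() + b" /Filter /FlateDecode >>\nstream\n"
    + _HIDDEN + b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])
# Constructed benign sample: the same skeleton with no actions or scripts.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, triage(doc))
```

Keyword counting is a triage step, not a verdict: a document that applies a filter zlib cannot undo, or that keeps its names in an object stream, can still score zero here, which is why the article's deeper object-by-object inspection follows.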

********************************************************************
Title: Microsoft Security Bulletin Major Revision
Issued: May 26, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS09-003 - Critical

Bulletin Information:
=====================

* MS09-003 - Critical
 - http://www.microsoft.com/technet/security/bulletin/ms09-003.mspx
 - Reason for Revision: V3.0 (May 26, 2009): Added an entry in the section, Frequently Asked Questions (FAQ) Related to This Security Update, to announce a detection change to the update for Microsoft Exchange Server 2003 Service Pack 2 (KB959897). This is a detection change only. There were no changes to the security update files in this bulletin. Customers who have already installed the KB959897 update successfully do not need to reinstall.
 - Originally posted: February 10, 2009
 - Updated: May 26, 2009
 - Bulletin Severity Rating: Critical
 - Version: 3.0

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: May 26, 2009
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-026

Bulletin Information:
=====================

* MS07-026
  - http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx
  - Reason for Revision: V1.1 (May 26, 2009): Added an entry in the section, Frequently Asked Questions (FAQ) Related to This Security Update, to announce a detection change. The detection no longer offers the MS06-019 and MS06-029 updates, but instead will only offer MS07-026. There were no changes to the binaries. Customers who have already successfully installed the MS07-026 update do not need to reinstall.
  - Originally posted: May 8, 2007
  - Updated: May 26, 2009
  - Bulletin Severity Rating: Critical
  - Version: 1.1

Urban ‘Attack’ on Infrastructure


Supervisory Control and Data Acquisition, or SCADA, stands for large-scale distributed remote processing systems that gather data in real time to control critical industrial, infrastructure, or facility processes and equipment. SCADA is used in power plants as well as in oil and gas refining, telecommunications, transportation, and water and waste control.

Stories about intruders who damage the power grid or any other key SCADA infrastructure frequently make the headlines. In the past, and like in Mexico in 2007, extraterrestrial creatures and flying saucers were occasionally blamed.

Since then, our enemies have changed. The Wall Street Journal reported in April that a federal audit had found critical infrastructure facilities in the U.S. power industry compromised with software that would allow the attackers to disable key elements of the national power grid. “The Chinese have attempted to map our infrastructure, such as the electrical grid,” a U.S. senior intelligence official said on the occasion. One year ago, the CIA claimed that a cyberattack had caused a multicity power outage at an unspecified location outside the United States. The CIA story broke on May 14. It’s rumored that Hydro-Quebec was also a target of cyberspies.

Last week, I discovered a video posted on YouTube in November 2008. We can see two guys hacking a central light system and then playing Space Invaders on it!

I have some doubts about the technical aspects of these light-show “attacks” on unprepared buildings. But fake or not, the video confirms that hackers and cybercriminals have got their eyes on SCADA networks. Perhaps the first demo was just for fun, but the others will have less juvenile goals. An attack can involve nationwide damage, a terrible effect on the public’s morale, and huge financial losses. Modern SCADA networks are more vulnerable than ever because they use open networking standards (such as TCP/IP), are now deployed under less secure operating systems (Windows), are connected to other networks (including Internet), and cannot be easily updated and rebooted.

For SCADA, which typically allows only a closely defined list of applications to run, a security approach that includes whitelisting can be a good solution. McAfee’s recent acquisition of Solidcore will help our customers in this area.

Mysterious virus strikes FBI

By Steven Musil CNET News
Posted on ZDNet News: May 22, 2009 4:44:36 AM

The FBI and the U.S. Marshals Service were forced to shut down parts of their computer networks after a mystery virus struck the law-enforcement agencies Thursday, according to an Associated Press report.

A spokesperson for the U.S. Marshals Service confirmed that it had disconnected from Justice Department computers as a precaution after being hit with the virus, while an FBI spokesperson would only say that it was experiencing similar issues, according to the report.

"We too are evaluating a network issue on our external, unclassified network that's affecting several government agencies," FBI spokesman Mike Kortan told the AP.

The virus' type and origin are unknown, but spokespeople for both agencies said agencies' access to the Internet and e-mail was shut down while the issue was evaluated.

Government regulations require agencies to report any security issues to US-Computer Emergency Readiness Team (US-CERT), but a call to CERT late Thursday for comment was not immediately returned.

This article was originally posted on CNET News.
