Saturday, November 1, 2008

Hack Turns Application Code Against Itself ... New attack uses application flaws to force good code to go rogue

Turns out you don't need malware to exploit a security flaw in an application: A pair of researchers has found a way to automatically make good code do bad things.

Researchers from the University of California at San Diego (UCSD) have devised a technique that basically lets an attacker bypass built-in system defenses aimed at blocking malware, and then execute instructions from inside the application. The process uses an application's vulnerability to turn it against the system on which it runs.

An attacker could take advantage of a flaw in a Web browser, for instance, to force the browser to spam the user's address book using only the browser's own code, according to the researchers. .. More >>

Auditors rap IRS for weak information security

The Internal Revenue Service has failed to secure sensitive electronic taxpayer information properly, increasing the potential for identity theft, according to an audit report released on Thursday.

The inspector general review of three computer systems at the IRS Office of Research, Analysis and Statistics showed several weaknesses in control over access to applications containing sensitive information.

"Managers and system administrators had not placed sufficient emphasis on maintaining the security and privacy of the taxpayer data they are charged with protecting," the report stated. Furthermore, officials failed to provide guidance or monitor compliance with IRS information security policies, and did not supply software to scan for security weaknesses, the IG found. .. More >>

IRS finds unauthorized Web servers connected to its networks

The Internal Revenue Service found more than 1,000 unauthorized Web servers connected to its networks, leaving the agency's systems open to hackers, according to a report released on Thursday by the IRS inspector general.

In September 2007, the IRS Computer Security Incident Response Center scanned the agency's Web servers and identified 2,093 that had at least one security vulnerability. When the center matched those servers to the IRS database of registered Web sites and servers, an inventory of systems that the agency uses to perform security maintenance and apply patches, it found 1,811, or 87 percent, were not listed in the database.

Of the unregistered servers, the IRS identified 661 that were used for legitimate agency business, leaving 1,150 servers being used for potentially unauthorized activity, according to the report. .. More ..

Sunday, September 21, 2008

Revealed: The Internet's Biggest Security Hole

Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet's core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy. The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness. .. More ..

European companies forced to own up to data losses

European companies will be forced to tell customers if their personal data has been lost or stolen, as part of a new EC directive.

The data breach notification provision is part of the ePrivacy Directive that is currently being debated by the EU. ... More ..

Hacked Texas National Guard site serves up malware

Attackers have hacked the Web site of the Texas National Guard and are using it to serve up offers of fake security software and plant rootkits on unpatched PCs. .. More..

GAO Report Slams US Cybersecurity, US-CERT, and DHS

The U.S. Government Accountability Office (GAO) is finalizing its report on the country's capability to protect and defend itself from cyber-attack, and its words are not kind. The primary responsibility for monitoring and securing the country's networks and digital assets falls to the United States Computer Emergency Readiness Team, or US-CERT, a partnership organization between the Department of Homeland Security (DHS) and both the public and private sectors. Founded in September 2003, US-CERT was responsible for the 2004 Einstein initiative, meant to detect and collect information on attacks at government agencies, and is currently backing the expanded (and hopefully more widely deployed) Einstein 2 program. .. More..

Wednesday, May 28, 2008

Hacker Shuts Down Government Computers

AN EXPERT hacker allegedly shut down the Northern Territory Government computer system and deleted thousands of employees' identities, a Darwin court heard yesterday.

And the court heard the Government could still be at risk of another cyber attack.

David Anthony McIntosh, 27, allegedly hacked in and shut down several NT Government databases on May 5, including servers for the Health Department, Royal Darwin Hospital, Berrimah Prison and Supreme Court using his laptop at a Palmerston home. >> More ..

Sunday, May 11, 2008

Homeland Security reveals threats and the plans to counter the threats and attacks

The US Department of Homeland Security held a security summit at which the Assistant Secretary of Cybersecurity and Communications, Greg Garcia, spoke about the current challenges and threats and the need for all critical infrastructure entities to work together and share information to face threats that are not merely increasing but have also reached another level of sophistication. More details can be found here .. >> More ..

India Cites Ongoing Chinese Cyber Attacks

A year and a half of electronic warfare against public and private network resources in India has been traced back to a variety of attacks and antagonists in China.

Botnets, keyloggers, and network mapping all plague India on a regular basis, as its gigantic rival in Asia seeks weaknesses within the country's information infrastructure. >> More ..

Wednesday, April 23, 2008

CNN Site Hit by China Attack

In the recent unrest between China and Tibet, the CNN site has been attacked.

At its peak, the attack has sucked up 100MB/S in bandwidth, enough to slow the news Web site for some visitors. >> More ..

Thursday, March 20, 2008

Hackers find a way to crack popular smartcard in minutes

People are starting to wake up to the fact that RFID-enabled smartcards now can be far more easily, and cheaply, cracked than ever before, as a trio of young computer experts recently showed.

These are a particular type of processor-embedded cards, and are different from credit cards. The actual decryption work by the researchers was done on the widely deployed Mifare Classic wireless smartcard, now manufactured by a Philips spinoff, NXP Semiconductors. Decrypted, the cards can be counterfeited, and users' personal and bank data is exposed. >> More ..

US Law makers voice concerns over cybersecurity plan

Members of the House of Representatives sought details, on Thursday, of a $30 billion plan to secure federal government systems and upgrade network defenses to ward off attacks from foreign nations and online criminals.

Known as the Cyber Initiative, the Bush Administration project would dramatically reduce the number of interconnections between federal government networks and the Internet and put more advanced network security in place to monitor data traffic for signs of malicious attacks. While the 5- to 7-year project could dramatically improve the network defenses of government agencies, law makers questioned whether the initiative will be too little, too late, and whether the resulting network monitoring could undermine privacy.

"It's hard to believe that this Administration now believes it has the answers to secure our federal networks and critical infrastructure," Representative Bennie Thompson (D-MS), chairman of the House Committee on Homeland Security, said in prepared remarks at the opening of the hearing on Thursday. "I believe cybersecurity is a serious problem -- maybe the most complicated national security issue in terms of threat and jurisdiction. This problem will be with us for decades to come." >> More ...

Trend Micro Hit by Massive Web Hack

Security vendor Trend Micro has fallen victim to a widespread Web attack that splashed malicious software onto hundreds of legitimate Web sites in recent days.

A Trend Micro spokesman confirmed that the company’s site had been hacked Thursday, saying that the attack took place earlier in the week. "A portion of our site -- some pages were attacked," said Mike Sweeny, a Trend Micro spokesman. "We took the pages down overnight Tuesday night -- and took corrective action." >> More ..

Tuesday, March 11, 2008

Chinese hackers: No site is safe

ZHOUSHAN, China (CNN) -- They operate from a bare apartment on a Chinese island. They are intelligent 20-somethings who seem harmless. But they are hard-core hackers who claim to have gained access to the world's most sensitive sites, including the Pentagon.

In fact, they say they are sometimes paid secretly by the Chinese government -- a claim the Beijing government denies.

"No Web site is one hundred percent safe. There are Web sites with high-level security, but there is always a weakness," says Xiao Chen, the leader of this group. >> More ..

Cyber Preparedness Symposium Leaves Unanswered Questions

WASHINGTON -- National Symposium on Unifying Cyber Preparedness Efforts -- Leaders of industry and academia today agreed that they need to work better together to prepare for cyber security threats. They just didn’t seem sure how to do it, or exactly what the threats are.

In a microcosm of the cross-industry, cross-disciplinary problems that it was called to help resolve, the symposium demonstrated a desire among some sectors to improve the security situation in the U.S., but few concrete ideas on how to coordinate the so-called “silos of excellence” that remain disconnected across the country.

Indeed, the panelists and participants showed little agreement on what “cyber preparedness” really means -- the half-day discussion meandered from defending against attacks on the nation’s government and infrastructure to resolving specific vulnerabilities on end-user PCs.

The idea was to discuss how government, industry, critical infrastructure providers, Congress, and academia can work together to build a cross-disciplinary effort to prepare for cyber threats. >> More ..

Saturday, March 1, 2008

Forgotten IT chores may have led to bank meltdown

While the protection of CII may often be focused on external and internal threats, some simple and basic security practices must be followed to ensure that there are no loopholes in the system that can be exploited. Employees should generally be trusted (if not, you have a big problem in your organisation). However, segregation of responsibilities and management controls are still important practices that must be enforced.

In January 2008, a French bank incurred huge losses due to poor enforcement of internal controls and segregation of responsibilities. The losses were the result of an employee ... who was doing his job!

The huge losses reported by French bank Société Générale, apparently caused by a rogue trader with inside knowledge of the bank's procedures, don't necessarily point to an IT systems failure but rather to poor management of those systems, analysts say.

The bank has accused 31-year-old employee Jerome Kerviel of creating a fraudulent trading position in the bank's computers that ultimately caused it to lose around €4.9 billion (US$7.3 billion).

Kerviel achieved this by, among other things, misappropriating computer passwords, the bank said. It has revealed few other technical details of what caused the losses.

Management of passwords, including rescinding the old passwords of employees who move to different positions within the bank, or modifying the level of access those passwords allow, is often a task given to the lowest-level IT worker.

"It's dull and routine 99 percent of the time, but a vital backstop," said Bob McDowall, senior analyst at the TowerGroup. Senior IT managers should conduct more frequent reviews of password policies, he said.

In some cases, it may not have been the security of the passwords themselves that posed a problem, but rather the access those passwords allowed, said Ian Walden, professor of information and communications law at Queen Mary, University of London.

Organizations tend to think of access as being binary in nature: you get access to it all, or you don't, Walden said. In reality, there are many more levels of access. "In modern, complicated systems, the granularity has to be much more sophisticated."

To make the best use of systems with advanced access controls, the IT department must have a thorough understanding of how the business works and where there is risk.

IT departments and business managers have yet to find a way to wrap security into business processes so it is not an impediment, Walden said. >> More..

Half of 2006 vulnerabilities still unpatched

When vendors release patch updates, it is important that these are applied to prevent weaknesses from being exploited; depending on the system setup, unpatched weaknesses can cause major interruptions to infrastructure. Despite its importance, organisations still lack the diligence to keep up with applying patches.

More than 3600 vulnerabilities discovered last year remain unpatched, according to a study.

The IBM Internet Security Systems (ISS) X-Force report for 2007 found that, of the 6437 vulnerabilities discovered, 20 percent of those targeting Microsoft, Apple, Oracle, IBM and Cisco were still in the wild up to 12 months later.

More than 50 percent of the remaining 6200 flaws targeting other solutions currently remain unpatched. >> More....

Sunday, February 17, 2008

Idaho National Laboratory - Research on National Security

The Idaho National Laboratory's (INL) National and Homeland Security Division is one of several organisations in the USA involved in CNII protection research.

The National and Homeland Security Division conducts sustainable programs focused in Global Security, Homeland Security, National Defense, Energy Security, and Special Programs.

Hackers Gone Wild ... Hacks on a massive scale

Previously, hacks may have been one-off incidents posing threats to a small segment. Today the scenario is different.

We're looking at massive, well-organized plans to take over vast portions of the Net. Case in point: the SQL injection exploit that infected more than 70,000 sites .. more.

US plans to 'fight the net' revealed

A newly declassified document gives a fascinating glimpse into the US military's plans for "information operations" - from psychological operations, to attacks on hostile computer networks.

Whether nations should worry about this as a threat to their CNII, we don't really know. But apart from the US, it is possible that other nations or organised entities have similar aspirations, if not plans. .. more..

Cut cable disrupts Internet in Middle East

Two underwater cables in the Mediterranean Sea were damaged in January 2008, dragging Internet connections throughout the Middle East and in parts of Asia to a crawl. This is a classic example of a massive interruption to CNII, though it is a scenario that most would not have included in their list of probabilities .. more..

Further questions have been raised about this vulnerability, which was considered possible but improbable. more

Thursday, January 3, 2008

The 5 Coolest Hacks of 2007

Hackers are creative folk, for sure. But some researchers are more imaginative and crafty than others. We're talking the kind of guys who aren't content with finding the next bug in Windows or a Cisco router. Instead, they go after the everyday things we take for granted even more than our PCs -- our cars, our wireless connections, and (gulp) the electronic financial trading systems that record our stock purchases and other online transactions. >> More ..

CISCO's 2007 Annual Security Report

CISCO has released its 2007 Annual Security Report which provides an overview of the combined security intelligence of the entire CISCO organisation. The report encompasses threat information and trends collected between January and September 2007, and provides a snapshot of the state of security for that period. The report provides recommendations from CISCO security experts and predictions of how identified trends will continue to unfold in 2008.

Security trends and recommendations are organized into seven major risk categories:

- Vulnerability
- Physical
- Legal
- Trust
- Identity
- Human
- Geopolitical

The report also provides a high-level perspective on the issues currently shaping the security space, as well as insights into how security professionals and businesses can expect the industry to change over the next several years. The report can be downloaded here.

Antivirus Protection Worse Than a Year Ago

The effectiveness of antivirus software has fallen off, and more and more pests can now slip past these barriers. This is the sobering conclusion the German computer magazine c't comes to in issue 1/08 with a test of 17 antivirus solutions. For the first time, c't also tested the behavioural blocking systems these products use. >> More ..

LOGIIC – Linking the Oil and Gas Industry to Improve Cyber Security

LOGIIC is a unique collaborative forum (initiated by the US Department of Homeland Security) where government and industry are focusing on cyber security issues for the oil and gas industry that are best addressed collaboratively. The needs of the infrastructure owners and operators are driving the formation of projects, supported by government and independent experts. The forms for future collaboration are currently being established, and new projects will be forthcoming.

One such project was the LOGIIC 2005-2006 Correlation Project.

The LOGIIC Correlation Project was a 12-month technology integration and demonstration project jointly supported by industry partners and the U.S. Department of Homeland Security Science and Technology Directorate (DHS S&T). The project demonstrated an opportunity to reduce vulnerabilities of oil and gas process control environments by sensing, correlating and analyzing abnormal events to identify and prevent cyber security threats.

A detailed description of the LOGIIC Correlation Project can be downloaded from here.

This collaboration model between Government and industry can be similarly applied to other industry sectors.

SCADA Security and CNII - Digital Bond

The Digital Bond site carries articles and blog posts on SCADA security with a focus on CNII issues. Its several blog categories discuss a wide range of related topics. Have a look at the site for key information and knowledge about SCADA security. >> More ..

Wednesday, January 2, 2008

SCADA and Control System Security - Views From An Expert

Joseph Weiss is one of the leading experts in control system security. He provides some interesting insights about control systems, including SCADA, DCS and PLC, and the security issues surrounding them in an interview found here.

He explains, among other things, that "A control system has several unique attributes. Number one, a control system must be absolutely highly reliable. It can't shut down very often. So, unlike a business system where you can shut it down over the weekend, the system that controls the power plant must have almost 100 percent reliability or some form of backup to maintain the 100 percent reliability. It is extremely important." This characteristic in itself brings a unique perspective to how security is implemented for control systems.

In a later part of the interview he has this to say about control systems getting hit: "My very, very, very strong feeling is, if and when we get hit, we will never know why we were hit. All we will know is breakers are opening, valves are closing, certain things are happening. But we won't have a clue as to why."

The interview contains a lot of other interesting insights and examples of incidents and lessons learnt that would be useful for anybody interested in CNII and control systems in particular. >> More ..

ICT Security Education and Awareness for Students

Learning to use the Internet safely should begin at a young age in school, so that the coming generation has the basic knowledge to practise safe Internet use and carry it into the workforce. Some students are able to explore and discover best practices themselves, but the majority need to be taught or guided. The Hacker Highschool site is one of several websites that provide easy-to-follow materials on safe Internet use for school children.

The Hacker Highschool project is the development of license-free, security and privacy awareness teaching materials and back-end support for teachers.

Today's kids and teens are in a world with major communication and productivity channels open to them and they don't have the knowledge to defend themselves against the fraud, identity theft, privacy leaks and other attacks made against them just for using the Internet. This is the reason for Hacker Highschool.

In HHS, you will find lessons on using Internet resources safely, such as web privacy, chat protection, viruses and trojans (malware), and an overall focus on how to recognize security problems on your computer. HHS is a great supplement to student course work or as part of after-school and club activities. The HHS program is developed by ISECOM, a non-profit, open-source research group focused on security awareness and professional security development and accreditation. >> More ..