Volume 13 Issue 1

U.S. Not Ready for Cyber Attack

Reuters (12/19/08) Mikkelsen, Randall

The results of a two-day cyberwar simulation involving 230 representatives from U.S. government defense and security agencies, private companies, and civil groups found that the United States is not prepared to defend itself against a major hostile attack against its computer networks. The war game simulated a surge in computer attacks during a time of economic vulnerability, and challenged participants to find a way to mitigate the attacks using real-life knowledge of tactics and procedures. The exercise took place almost a year after President Bush launched a cybersecurity initiative aimed at improving U.S. computer defenses. "There isn't a response or a game plan," says Mark Gerencser from Booz Allen Hamilton, which ran the simulation. "There isn't really anybody in charge." U.S. Rep. James Langevin (D-R.I.) says that a successful attack could cause the U.S.'s banking or national electrical systems to fail. Both the government and industry need to invest billions of dollars to improve security, says U.S. Rep. Dutch Ruppersberger (D-Md.). Homeland Security secretary Michael Chertoff told participants that cyberattacks will become a routine warfare tactic to damage command systems in preparation for a traditional attack, and that international law and military doctrines need to be updated to address cyberattacks.

Consortium Hopes to Attract Students to Computer Careers

Greenville News (SC) (12/19/08) Smith, Tim

The Consortium for Enterprise Systems Management will work with South Carolina's middle schools, high schools, and colleges to interest students in careers in computer science and mainframe computing. The goal of the consortium, which includes Clemson University, Furman University, IBM, the University of South Carolina (USC), and BlueCross BlueShield of South Carolina, is to foster the development of computer scientists and information technology managers, perform business research in information technology, and nurture management skills among existing computer professionals. Consortium officials say the partnership is the first of its kind in the United States. IBM will provide software for the consortium, which will be based at a privately built research facility on USC's Innovista campus. "This consortium represents the best of a public-private partnership," says USC president Harris Pastides. BlueCross CEO Ed Sellers says that more than 30 companies have been asked to participate in the partnership. Consortium officials note that five out of the nine fastest growing occupations in the United States are in computer science or engineering, yet students in both high school and college are moving away from information technology careers. IBM's Andy Bernardin says the decline of available mainframe professionals is a lost opportunity, and the situation will only worsen as new types of information are introduced.

Making Sense of the 'Semantic Web'

CNN (12/18/08) Mollman, Steve

The semantic Web could enable more interactive and accurate searches and is considered a crucial component of emerging Web 3.0 technology. Researchers are exploring ways of implementing the technology to improve contextual searching. For example, German researchers have developed an experimental kiosk that enables users to sync their iPhones, which are largely semantic in how they mark MP3 and other files with information that can be read by computers. The kiosk can automatically generate a list of songs arranged by artist, title, or genre based on the information in the iPhone. "Complex operations should be hidden," says Simon Bergweiler, who developed the kiosk with Matthieu Deru at the Advanced Tangible Interface Lab, part of the German Research Center for Artificial Intelligence. The researchers plan to launch a Web site version of the kiosk that will enable users to drag icons of artists and videos to automatically search for related content. The researchers also plan to develop interactive kiosks for German libraries that will enable users to initiate searches that involve context. The goal is to create a system that can be used for quick and precise interaction with any rich semantic content. The researchers say that semantic kiosks also could be used by mechanics, for example, who could hold mechanical parts with RFID tags next to the semantic device to instantly receive technical data on the part.

Why Don't We Read So Well on Screen

University of Stavanger (12/11/08) Toft, Trond Egil

Reading on a computer screen creates more brain stress than reading the same text on paper, wrote the Center for Reading Research's Anne Mangen, a professor at Norway's University of Stavanger, in an article for the Journal of Reading Research. In her article, "Digital fiction reading: Haptics and Immersion," Mangen said that touching and turning physical pages enhances a person's ability to absorb information, while reading on a computer disturbs that process. Mangen says that reading on a screen causes a new form of mental orientation that causes the reader to lose the completeness, tranquility, and constituent parts of reading a physical text. Mangen believes that learning requires time and mental exertion that new media forms cannot provide. Many people argue that children read less, and less well, than previous generations, but Mangen argues that even if young people do not read as many books as previous generations, it is still possible that they are actually reading more than before, as most of what they do on a computer or mobile device involves reading and writing in some manner. However, she notes that some researchers believe that we obtain a greater and more thorough understanding from reading text on paper, as we are not distracted, even subconsciously, by the navigation bars and banners that appear in online and electronic content. She says the most important difference is that when a text becomes digital it loses its physical dimension, which is unique to printed text, and the reader loses a feeling of totality.

'Smart' Surveillance System May Tag Suspicious or Lost People

Ohio State University Research News (12/16/08) Gorder, Pam Frost

Ohio State University (OSU) researchers are developing a computerized surveillance system that incorporates video cameras, large video screens, and geo-referencing software to detect when someone is acting suspicious or appears to be lost. OSU professor James W. Davis and doctoral student Karthik Sankaranarayanan say they have completed the first three phases of the project, including a software algorithm that creates a wide-angle panoramic view of a street scene, another that maps the panorama into a high-resolution aerial image, and a method for actively tracking a target. The final goal is a network of smart video cameras that will enable surveillance officers to quickly and efficiently observe a wide area, with computers managing much of the work. "In my lab, we've always tried to develop technologies that would improve officers' situational awareness, and now we want to give that same kind of awareness to computers," Davis says. The system is designed to analyze and model the behavior patterns of people and vehicles moving in an area. "We are trying to automatically learn what typical activity patterns exist in the monitored area, and then have the system look for atypical patterns that may signal a person of interest—perhaps someone engaging in nefarious behavior or a person in need of help," Davis says. The system takes a series of snapshots from numerous directions to create a 360-degree, high-resolution view of the camera's entire viewing area. The researchers are exploring adding touch-screen capabilities to the system.

Congress in the Cyber-Crosshairs

National Journal (12/20/08) Vol. 40, No. 51, P. 18; Harris, Shane

Two years ago, seven U.S. House panels and eight members' offices were compromised by malware that could pilfer files and messages, and both the targeted House members and the attackers' Internet addresses suggest that the intrusions originated in China. In a speech before the House, Rep. Frank Wolf (R-Va.), whose office was targeted by the hack, argued that the fear of admitting vulnerability might be one of the reasons underlying U.S. intelligence and national security's reluctance to publicize the breaches sooner. "I strongly believe that the appropriate officials, including those from the Department of Homeland Security and the FBI, should brief all members of Congress in a closed session regarding threats from China and other countries against the security of House technology, including our computers, BlackBerry devices, and phones," he said. There appears to be a strong degree of disinterest from members of Congress about discussing cybervulnerabilities because they have little understanding of such issues. Former director of the DHS' National Cyber Security Division Amit Yoran says members of Congress have to juggle many competing issues, and cybersecurity has had a historically low priority. There is evidence that the expertise of the House and Senate's IT and security departments is very strong, but Yoran says the decision to follow security procedures is left to members and their staffers, who may elect not to follow procedures because they consider it an imposition. The Center for Strategic and International Studies concluded in a recent study prepared for President-elect Barack Obama that Congress is unsuited for managing executive-branch cybersecurity due to the inconsistency and fragmentation of its oversight. 
The study group recommended that Obama take charge of cybersecurity and establish a new office for cyberspace in the Executive Office of the President that would collaborate closely with the National Security Council, "managing the many aspects of securing our national networks while protecting privacy and civil liberties."

Top 5 cybersecurity news stories of 2008

By Robert Westervelt, News Editor

Data breaches continued to make their very public mark on cybersecurity news in 2008. And this time it wasn't TJX making headlines. Despite being PCI compliant, Hannaford Brothers supermarkets announced that 4.2 million credit and debit card numbers were pilfered from its servers. We also learned in 2008 that attackers aren't necessarily becoming more sophisticated. The cause of many data breaches and the deluge of phishing, spam and malware attacks suggest something else is going on. Automated toolkits are being bought and sold in online forums, fueling the scope of many attacks. Although it's an old-school method, SQL injection attacks work, and hackers use them to pull off hundreds of thousands of successful attacks against vulnerable websites and their visitors. And finally, Dan Kaminsky signaled a dire warning about a major DNS cache poisoning vulnerability. It wasn't the apocalypse, but the security researcher demonstrated that weaknesses exist in the fundamental way the Internet works.

SQL injection attacks

It's an old-school method of attack, but hackers have figured out that if it's easy and profitable, keep doing it. SQL injection reared its ugly head into the news in May. Researchers said they tracked a massive wave of SQL injection attacks that find coding errors in websites and then use those sites to infect visitors' PCs with malware. The attacks seem to have originated in China, and today millions of Web pages are infected. Experts say automated scanning and infecting tools have made it simple for less technically savvy hackers to exploit SQL injection vulnerabilities. Even legitimate websites are not immune. The problem is so pervasive that Microsoft has stepped in to try to limit the threat. The software giant issued a security advisory in June, outlining some tools available to improve Web-based software coding and discover holes in websites. Experts are warning that the threat will continue in 2009.

Hannaford Brothers supermarket breach

Hannaford Brothers Co. disclosed a massive data breach on March 17. The company later told state and federal investigators that someone managed to place malware onto servers at all of Hannaford's nearly 300 grocery stores. The software ran in the background between Dec. 7 and Mar. 10, stealing up to 4.2 million credit and debit card numbers from the supermarket's payment systems. Despite at one time being compliant with the PCI Data Security Standard (PCI DSS), experts say the company did not have enough protection in place for data in motion during a credit card transaction. Hannaford announced plans to bolster encryption and conduct 24-hour network monitoring.

Linux Kernel attack code worries security experts

By Bill Brenner, Senior News Writer

They can't be exploited remotely and they don't affect Windows systems, but security experts say there are at least two good reasons for IT administrators to worry about flaws in version 2.6 of the Linux Kernel:

First, a vulnerability researcher has released exploit code that could be fashioned into potent attacks against Linux-based environments. Second, a malicious insider could use the flaws to expose sensitive company data.

Multiple security organizations have released advisories for the kernel flaw since the weekend, including the French Security Response Team (FrSIRT) and Danish vulnerability clearinghouse Secunia. FrSIRT advisory 2008-0487 describes the flaw as a moderate risk, while Secunia advisory SA28835 describes it as less critical and exploitable from local systems only.

According to Debian Security Advisory DSA-1494-1, the specific problem is that parameters within the "vmsplice_to_user()," "copy_from_user_mmap_sem()" and "get_iovec_page_array()" functions aren't properly verified before being used to perform certain memory operations. Local attackers could exploit this to read or write to arbitrary kernel memory via a specially crafted "vmsplice()" system call. From there, the attacker could gain root system privileges.
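The advisory's description above (caller-supplied parameters used in kernel memory operations before being verified) is the bug class that the following check rules out. This is an added, user-space illustration written for this page, not kernel code and not the actual fix; `USER_LIMIT`, `struct user_iovec`, `segment_ok` and `iovec_array_ok` are hypothetical stand-ins for the kernel's own address-limit constant, iovec type and validation helpers.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound of the user address range. The kernel uses a
 * per-architecture limit; this constant only stands in for it here. */
#define USER_LIMIT ((uintptr_t)0x00007FFFFFFFF000ULL)

/* Model of one caller-supplied (address, length) pair. Both fields come
 * from the caller and must be treated as untrusted until checked. */
struct user_iovec {
    uintptr_t base;
    size_t    len;
};

/* Accept a segment only if [base, base+len) lies entirely below
 * USER_LIMIT. The length is compared against the remaining room rather
 * than adding base+len, so a length chosen to wrap the sum cannot pass. */
static bool segment_ok(const struct user_iovec *seg)
{
    if (seg->len == 0)
        return true;                 /* an empty segment touches nothing */
    if (seg->base > USER_LIMIT)
        return false;                /* starts outside the user range */
    if (seg->len > USER_LIMIT - seg->base)
        return false;                /* ends outside the range, or wraps */
    return true;
}

/* Validate a whole array before any copy is performed: every segment in
 * range, and the summed length must not wrap, because a wrapped total is
 * what later undersizes an allocation. Returns the total byte count, or
 * -1 if any segment or the total fails the check. */
static long iovec_array_ok(const struct user_iovec *iov, size_t nr)
{
    size_t total = 0;
    for (size_t i = 0; i < nr; i++) {
        if (!segment_ok(&iov[i]))
            return -1;
        if (iov[i].len > SIZE_MAX - total)
            return -1;               /* summed length would wrap */
        total += iov[i].len;
    }
    if (total > LONG_MAX)
        return -1;                   /* does not fit the return type */
    return (long)total;
}

int main(void)
{
    /* Constructed inputs: two benign segments, then a length that would
     * wrap the end address past the start if added naively. */
    const struct user_iovec good[] = { {0x1000, 4096}, {0x2000, 16} };
    const struct user_iovec wrap[] = { {0x1000, SIZE_MAX} };
    printf("good: %ld\n", iovec_array_ok(good, 2));   /* 4112 */
    printf("wrap: %ld\n", iovec_array_ok(wrap, 1));   /* -1 */
    return 0;
}
```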

The Debian advisory noted that certain versions of Linux have been fixed. For the stable distribution, the problem is fixed in version 2.6.18.dfsg.1-18etch1. The unstable and testing distributions will be fixed soon, and the old stable distribution is not affected by the problem, Debian said. As for the Linux Kernel itself, the Linux Kernel Web site says the most stable version to date is 2.6.24.2.

Two researchers have been credited with finding the issues — Wojciech Purczynski of iSEC Security Research and a researcher using the online name Qaaz. The latter researcher has released exploit code for the kernel via the MilwOrm.com site. At the time of writing, neither researcher had responded to emailed requests for comment.

New attacks reveal fundamental problems with TCP

By Dennis Fisher, Executive Editor

A pair of security experts are now discussing several fundamental issues with the TCP protocol that can be exploited to cause denials of service and resource consumption on virtually any remote machine that has a TCP service listening for remote connections.

The problems, which were identified as far back as 2005, are not simply vulnerabilities in products from one or two vendors, but are issues with the ways in which routers, PCs and other machines handle TCP connection requests from unknown, remote machines. The attacks can be carried out with very little bandwidth, such as that available on a cable modem, and there don't appear to be any workarounds or fixes for the problems at this point.

"So far there hasn't been a lot of activity on mitigation strategies," said Robert E. Lee, chief security officer of Outpost24, a Swedish vulnerability assessment firm. Jack Louis, a senior security researcher at Outpost24, discovered the TCP problems, and he and Lee have developed an attack framework for the issues. The framework, called Sockstress, enables them to plug in the various attack types at will. "We've been talking to a major router vendor and a supplier of operating systems, but it hasn't gotten very far."

Lee and Louis, who will present their findings at the T2 Conference in Helsinki in mid-October, are not releasing the details of the flaws, but Lee said that they evolve from the way that Web servers and other machines handle the three-way TCP handshake at the beginning of a new connection. Their attacks enable them to consume all of the resources of a given TCP service. In some cases, the attacks can cause the remote machine to reboot.

Lee said that Louis discovered the issue when the pair were doing large-scale penetration tests that required them to scan tens of thousands of IP addresses. To make life easier, Louis wrote a tool called Unicornscan, which is a distributed TCP/IP stack that can be used for TCP scanning. It was while reviewing packet dumps from scans with the tool that Louis noticed some anomalies.

"We noticed that certain systems would start resending certain packet responses continuously until they were rebooted," Lee said. "That was the light bulb going off. We said, There's some sort of state mechanism that we're triggering here."

Digital picture frame viruses back for Christmas

By SecurityFocus.com

Purchasers of some models of Samsung digital picture frames received warnings earlier this week, following the discovery that a six-month-old computer virus had hitched a ride on the devices.

The file-infecting virus, known as W32.Salty.AE, compromised version 1.08 of the Samsung Frame Manager software for Windows XP that comes preinstalled on some of Samsung's frames, according to an alert published earlier this month by the company. Some purchasers of the Samsung SPF-85H 8-Inch Digital Photo Frame from Amazon.com received a warning from the online retailer about the virus.

"The alert involves the SPF-85H 8-Inch Digital Photo Frames w/1GB Internal Memory, designed to work with Windows-based PCs via a USB connector," the warning states. "They were sold between October and December 2008 for about $150. … If you are using Vista or a different version of Frame Manager, this issue does not affect you."

Security experts first flagged digital picture frames as a danger a year ago, when several models of the devices were found to be carrying Trojan horses. Last holiday season, a number of consumers reported that photo frames — small flat-panel displays for displaying digital images — received over the holidays attempted to install malicious code on their computer systems. In January, consumer technology store Best Buy pulled its Insignia-branded 10.4-inch digital picture frame from store shelves, acknowledging that it found some devices infected with an older computer virus.

Server virtualization quiz: How much do you know?

By Malcolm Hamer

As a technology, virtualization is 36 years old. It first appeared in the form of the VM/370 operating system for IBM mainframes in 1972. VM/370 allowed a mainframe to be logically partitioned into a number of virtual machines, each effectively isolated from the others. The technology was reborn for other platforms in 1999, with the first version of VMware for desktop PCs. In 2001, VMware released the first server versions of its product, supporting Windows and Linux, and virtualization started to make a gradual return to the data center. Microsoft jumped into the fray with its Hyper-V software earlier this year.

20% discount off SANS@Home Network Pen Testing course

Just a quick note to let you know that the SANS Institute is offering a 20% discount off the upcoming SANS@Home webcast training course, "Security 560: Network Penetration Testing and Ethical Hacking" — exclusively for friends of Core Security Technologies.

- Course Title: Security 560: Network Penetration Testing and Ethical Hacking

- Instructors: Ed Skoudis & John Strand

- Start Date: Tuesday, January 13, 2009

- End Date: Thursday, February 19, 2009

- Meeting Times: Tuesdays and Thursdays, 1:00 PM - 4:00 PM EST

To receive your 20% discount, enter "CORE" into the Registration Code field under Step 3 of the registration process. The discount is only applicable for the January 13 - February 19 course. The discount cannot be applied retroactively to existing registrations.

Learn more and register: http://www.sans.org/info/33899

If you have any questions about the course or the discount, please contact SANS at +1 (301) 654-7267 or registration@sans.org.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License