Internet Security Alliance Daily Brief (7/21/2011)
Internet Security Alliance sent this bulletin at 07/21/2011 08:15 AM CDT
** Your source for current and relevant cyber security issues **
For Your Immediate Attention
Report on ISA Testimony before House Task Force on Cyber Security
Speaker Boehner has appointed a task force composed of Members from the major Committees of the House to develop a framework for cyber security legislation. The Task Force is charged with meeting every week to take input from industry experts as it considers four priority areas. The ISA was the very first organization asked to testify before the Task Force. All Task Force Members, with the exception of Congressman Goodlatte from the Judiciary Committee, attended the briefing. ISA's Cyber Security Social Contract, ISA testimony before the Homeland Security Committee last month, the information sharing paper authored by Jeff Brown, and the industry White Paper were shared with the Task Force. The ISA Board is currently drafting brief White Papers on the other areas of interest to the Task Force. The House Leadership team instructed the Task Force to first consider the issue of providing incentives. Issues such as the use of liability, the ability to offer streamlined regulation for currently regulated entities, and the use of government procurement as a way to demonstrate leadership were also discussed. Both Task Force Chair Thornberry and Cyber Security Subcommittee Chair Lungren expressed particular interest in cyber insurance.
For the complete report view the Legislative Update page.
The DoD Cyber Strategy, “Department of Defense Strategy for Operating in Cyberspace,” outlines five strategic initiatives: treat cyberspace as an operational domain to organize, train, and equip so that DoD can take full advantage of cyberspace’s potential; employ new defense operating concepts to protect DoD networks and systems; partner with other U.S. government departments and agencies and the private sector to enable a whole-of-government cybersecurity strategy; build robust relationships with U.S. allies and international partners to strengthen collective cybersecurity; and leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.
Click here to read the strategy: http://www.defense.gov/news/d20110714cyber.pdf
In Today's News
Oracle patch day closes 78 security holes - H Security, July 20
Oracle released 78 security patches as part of its July Critical Patch Update. There are 13 fixes for the Oracle Database server, two of which could be remotely exploited by an attacker without authentication. Some of the most critical bugs fixed include holes in Oracle Secure Backup, JRockit, and the Sun SPARC server (Netra T3 and T3 Series). Each product contains vulnerabilities that have a Common Vulnerability Scoring System (CVSS) score of 10.0, the highest possible level of severity. Other vulnerabilities addressed by these updates include holes in, for example, Solaris, Oracle Fusion Middleware, and Oracle Enterprise Manager Grid Control. As several of the vulnerabilities allow an attacker to remotely exploit systems, Oracle recommends system administrators install the patches as soon as possible.
Source: http://www.h-online.com/security/news/item/Oracle-patch-day-closes-78-security-holes-1282472.html
DDoS bot hides as Java update - Softpedia, July 20
Antivirus vendor BitDefender warned a piece of malware designed for DDoS is being distributed as a Java update. "...[I]nvestigation on the file revealed more than meets the eye: a carefully-crafted piece of malware that is extremely viral [...] and can be used as a powerful tool to initiate distributed denial-of-service attacks," a BitDefender security expert said. Besides being distributed from legitimate compromised sites, the piece of malware, which BitDefender detects as Backdoor.IRCBot.ADEQ, is capable of spreading itself through a variety of methods. These include copying itself to folders shared by default by certain P2P applications, infecting USB drives, copying itself to network shares, and sending itself via Windows Messenger or e-mail. The trojan is designed to uninstall other DDoS bots including Cerberus, Blackshades, Cybergate, or the OrgeneraL DDoS Bot Cryptosuite which infect winlogon.exe, csrss.exe, and services.exe. The botmasters can schedule the bot to launch DDoS attacks against particular URLs at particular times, for predefined intervals of times, and with a specific frequency of requests. Some experts think this capability suggests the bot's creators might be running a pay-for-DDoS or botnet-for-hire business. Source: http://news.softpedia.com/news/DDoS-Bot-Hides-as-Java-Update-212583.shtml
Another cloud outage strikes Microsoft BPOS, Exchange Online - Computer Reseller News, July 19
Microsoft Business Productivity Online Suite (BPOS) suffered another outage July 19, adding to its recent streak of cloud outages and issues. The outage put the BPOS Exchange Online e-mail services out of commission for an unknown number of customers for more than 2 hours. Source: http://www.crn.com/news/cloud/231002122/another-cloud-outage-strikes-microsoft-bpos-exchange-online.htm?itc=refresh
Microsoft research team reports bugs in Facebook, Google Picasa - threatpost, July 19
Microsoft's Vulnerability Research team disclosed a vulnerability in Google's Picasa photo editing and sharing application, and a bug in Facebook that could lead to the compromise of a victim's account. The bug in Picasa could allow an attacker to gain complete control of a user's machine if he/she could entice the victim into downloading a malicious JPEG file. The vulnerability in Facebook involves a problem with the way the site implemented its protection against clickjacking attacks. An attacker could use the vulnerability to gain full access to a victim's account. Facebook has since fixed the problem.
Source: http://threatpost.com/en_us/blogs/microsoft-research-team-reports-bugs-facebook-google-picasa-071911
Wireshark updates fix security vulnerabilities - H Security, July 19
Wireshark developers announced the release of versions 1.6.1 and 1.4.8 of their open source, cross-platform network protocol analyzer. The developers said these maintenance and security updates address multiple vulnerabilities that could cause Wireshark to crash "by injecting a series of malformed packets onto the wire or by convincing someone to read a malformed packet trace file." These include problems related to the Lucent/Ascend file parser and the ANSI MAP dissector, both of which were susceptible to an infinite loop bug. Wireshark 1.4.0 to 1.4.7 and 1.6.0 are said to be affected. A number of bugs in both versions were also fixed. Source: http://www.h-online.com/security/news/item/Wireshark-updates-fix-security-vulnerabilities-1282109.html
Anonymous' arrests tied to PayPal DDoS attacks, FBI says - Computerworld, July 19
The FBI said July 19 it arrested 14 people thought to belong to the hacking group known as Anonymous for alleged participation in a series of distributed denial-of-service (DDoS) attacks against PayPal in 2010, in retaliation for its perceived opposition to WikiLeaks. The defendants were arrested on no-bail arrest warrants in a series of raids in Alabama, California, Colorado, Washington D.C., Massachusetts, and five other states. All were charged in an indictment unsealed in federal court in San Jose, California, July 19. Two other individuals were arrested on related cybercrime charges. One was arrested in Florida on charges he illegally accessed files from a Tampa Bay InfraGard Web site in 2010, and then publicly posted information telling others how to break into the site. The other indictment, unsealed in federal court in New Jersey, charged a man from Las Cruces, New Mexico, with allegedly stealing roughly 1,000 documents, applications and files containing protected business information from an AT&T server in June 2011, and posting them on a public file-hosting site. The attacks, dubbed "Operation Avenge Assange," were coordinated by Anonymous using an open-source tool called Low Orbit Ion Cannon that the group made available for public download. The 14 individuals named in the indictment have each been charged with conspiring to cause damage to a protected computer, and intentionally causing damage to a protected computer. The conspiracy charge carries a maximum of 5 years in prison and a $250,000 fine, while the intentional damage charge carries a maximum penalty of 10 years in prison and a $500,000 fine.
Source: http://www.computerworld.com/s/article/9218528/_Anonymous_arrests_tied_to_PayPal_DDoS_attacks_FBI_says
Fake banking E-mail targets your wallet, computer - Security News Daily, July 15
A new spin on an old cybercrime ploy is using a devious fake warning about users' bank account information to trick them into opening their wallets. Scam e-mails are spreading on the Web claiming to contain an important financial statement, researchers at the security firm BitDefender reported July 15. The supposed important data is located in what looks to be a Microsoft Word attachment called "Financial_Statement(dot)exe," BitDefender said. (Similar scams use a "Postal_document(dot)exe" attachment.) However, the financial statement attachment has no sensitive information; instead, it has a Trojan that copies itself onto the user's system. In this case, the rogue attachments attempt to trick users into purchasing anti-virus software they don't need. "The application floods the screen with lots of warning pop-ups to scare the user into buying a useless disinfection tool," BitDefender wrote. The offending Trojan also shuts down programs and informs victims that the programs are infected with a virus. BitDefender warns users to never open suspicious e-mail attachments, especially if they come from a bank, as banks will never send unsolicited e-mails about financial data.
Source: http://www.securitynewsdaily.com/fake-banking-email-targets-your-wallet-computer-0964/
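The lure above works because the attachment is named and described like a document but is actually a Windows executable. The following is an added example (not BitDefender's detection logic, nor code from the article) of the checks a mail gateway or triage script can apply to attachments: an executable extension, a document extension hidden in front of an executable one, a right-to-left override character in the file name, and a PE ("MZ") header in the body regardless of what the name claims. The sample messages and file contents are constructed for the example; the sender and recipient addresses are placeholders.

```python
"""Flag e-mail attachments that pose as documents but carry executables.

Added illustrative example; the messages built at the bottom are
constructed test data, not real phishing samples.
"""
import email
import os
from email import policy
from email.message import EmailMessage

DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".rtf", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar"}
RTLO = "\u202e"  # Unicode right-to-left override, used to visually reverse the tail of a name


def attachment_findings(filename: str, data: bytes) -> list[str]:
    """Return a list of reasons this attachment looks like a disguised executable."""
    findings = []
    name = filename or ""
    base, ext = os.path.splitext(name.lower())

    if ext in EXEC_EXTS:
        findings.append(f"executable extension {ext}")

    # Double extension such as Postal_document.doc.exe: the inner part is a document type.
    inner_ext = os.path.splitext(base)[1]
    if inner_ext in DOC_EXTS and ext in EXEC_EXTS:
        findings.append(f"document extension {inner_ext} hidden before {ext}")

    if RTLO in name:
        findings.append("RTLO character in filename")

    # Content check: a PE executable starts with the 'MZ' DOS stub, whatever the name says.
    if data[:2] == b"MZ":
        findings.append("PE (MZ) header in attachment body")
        if ext in DOC_EXTS:
            findings.append(f"PE body with document extension {ext}")

    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and return findings keyed by attachment name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        found = attachment_findings(fname, payload)
        if found:
            results[fname] = found
    return results


def build_sample(filename: str, payload: bytes,
                 maintype: str = "application", subtype: str = "msword") -> bytes:
    """Build a constructed test message with one attachment (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"] = "alerts@example-bank.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Important financial statement"
    msg.set_content("Please review the attached statement.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return bytes(msg)


# Constructed samples: a lure whose body is a PE stub, and a benign PDF.
LURE = build_sample("Financial_Statement.exe", b"MZ\x90\x00" + b"\x00" * 60)
BENIGN = build_sample("Statement.pdf", b"%PDF-1.4\n%constructed sample\n", subtype="pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, scan_message(raw))
```

The content check is the one that matters most: renaming the file does not change its first two bytes, so a gateway that only trusts the extension or the declared MIME type will miss a PE delivered as "application/msword".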
Internet activist charged with hacking into MIT network - IDG News Service, July 19
The co-founder of online news site Reddit has been charged with computer intrusion, fraud, and data theft for allegedly stealing 4.8 million documents from a Massachusetts Institute of Technology (MIT) network, the U.S. Department of Justice (DOJ) said. In an indictment unsealed July 18, the man was charged in U.S. District Court for the District of Massachusetts with wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer. If convicted, the man faces a possible 35 years in prison and fines of up to $1 million. Between September and January, the man allegedly contrived to break into a restricted computer wiring closet in an MIT basement and access MIT's network from a computer switch there, the DOJ said in a press release. The man, a fellow at Harvard University's Center for Ethics, targeted documents provided to MIT by Journal Storage (JSTOR), a nonprofit archive of scientific journals and academic work, the DOJ alleged. The man accessed the MIT network through the university's free guest network service, the indictment said. When MIT and JSTOR attempted to block access from the man's laptop, he changed the IP address and spoofed the computer's MAC address to get continued access, the indictment said. He registered for network access using a throwaway e-mail address, the DOJ said. On October 9, the two laptops downloaded so many documents from JSTOR that some of the organization's servers crashed, the indictment said. JSTOR has archived and digitized more than 1,000 academic journals, the DOJ said. The man intended to distribute the documents he stole on file-sharing networks, the indictment alleged. Source: http://www.computerworld.com/s/article/9218519/Internet_activist_charged_with_hacking_into_MIT_network
UCF student arrested in national FBI roundup of cyberattack suspects - Orlando Sentinel, July 20
The FBI arrested a University of Central Florida (UCF) student on a computer-hacking charge July 19, the same day agents across the country arrested more than a dozen others for their suspected roles in cyberattacks reportedly linked to the group Anonymous. The 21-year-old computer engineering major from North Fort Myers was arrested at his dorm on the UCF campus about 11 a.m. FBI agents said the suspect hacked into the Tampa Bay InfraGard site June 21 and uploaded three files. InfraGard is an FBI program designed to establish an alliance among academia, private industry, and the federal agency, in which members exchange information.
Source: http://www.sun-sentinel.com/news/local/breakingnews/os-fbi-ucf-police-cyber-investigation20110719,0,5956658.story
Local man allegedly stole, posted AT&T customer data - Las Cruces Sun News, July 20
A former Las Cruces, New Mexico call center employee was arrested July 19 by FBI agents for allegedly leaking confidential files that ended up in the hands of a computer hacking group, the Department of Justice and the FBI announced. While working as an AT&T customer support representative at Convergys in Las Cruces, he allegedly stole confidential business data stored on AT&T's servers and posted it on a public file sharing site, according to the complaint unsealed in the District of New Jersey, where AT&T is headquartered. On April 10, the 21-year-old allegedly downloaded thousands of documents, PowerPoint presentations, images, PDFs, applications, and other files that, on the same day, he allegedly posted on Fileape.com, a public file hosting site that promises user anonymity. AT&T's Chief Security Office Team in New Jersey discovered the breach April 16, and found the suspect had downloaded the material in question and accessed Fileape.com using an address on the company's internal network, according to court documents. He was terminated May 19. On June 25, the computer hacking group LulzSec publicized that they had obtained the confidential AT&T documents and made them publicly available on the Internet. Source: http://www.lcsun-news.com/las_cruces-news/ci_18512221
Upcoming Events
July 21 - Cybersecurity: Incentives and Governance at the Brookings institution
ISA will participate in this two-person discussion to clarify and refine policy discussions surrounding the risks built into our information technology systems. The participants will evaluate how economic concepts, including externalities, information asymmetries and the network effect, can help us understand how to reward good security practices and punish bad ones, and discuss how these concepts can be embedded in a range of governance mechanisms to better evaluate the alignment of public priorities and private incentives.
July 21 at 1:30pm: Protected Health Information Project Survey Subcommittee
The survey subcommittee will query chief security / privacy officers or consumers on what they consider to be sensitive data, and is being led by Christine El Eris and Michael Morelli of Affinion Group, Larry Ponemon of the Ponemon Institute, Don Rebovich of the Center for Identity Management and Information Protection at Utica College, and Andrew Serwin from Foley & Lardner LLP.
July 22 – NSTIC NOI Comments Due to NIST
The White House is working on a new phase in its drive to develop the National Strategy for Trusted Identities in Cyberspace (NSTIC). White House Cybersecurity Coordinator Howard Schmidt briefed the ISA Board on early versions of this program, and ISA provided substantial comments in the development stage. NIST has released a Notice of Inquiry (NOI) on the program, and this round of comments is due on Friday, July 22.
For more information about this project contact Stephanie Schaffer at sschaffer@isalliance.org.
July 22 at 2pm - Office of Infrastructure Protection Webinar: PPD-8 Progress Update for Critical Infrastructure Council Members
The webinar will cover development of the National Preparedness Goal required by Presidential Policy Directive 8 (PPD-8), National Preparedness. Federal Emergency Management Agency and DHS Office of Infrastructure Protection representatives will discuss PPD-8 implementation to date and highlight recent efforts and associated milestones.
July 26 from 8:00am-5:00pm: 2011 IT Sector Coordinating Council IT Summer Quarterly meeting
July 26 at 3:00pm: Protected Health Information Project Finale Subcommittee
The finale subcommittee will facilitate overall integration of the subcommittee input with a view toward producing a coherent final report, and it is led by Rick Kam of ID Experts and Ed Stull of Direct Computer Resources, Inc.
July 27 at 4:00pm: Protected Health Information Project Legal Subcommittee
The legal subcommittee will identify existing legal protections related to PHI, and is co-chaired by Christine Arevalo of ID Experts, Chris Cwalina and Steve Roosa of Reed Smith, LLP, and Jim Pyles from Powers Pyles Sutter & Verville, PC.
July 28 at noon: Protected Health Information Project Financial Subcommittee
The financial subcommittee will assess the financial impact of the disclosure of PHI, and is led by Larry Clinton of ISA, Sandeep Tiwari of Zafesoft, and Debbie Wolf of Booz Allen Hamilton.
July 28 at 1:30pm: Protected Health Information Project Survey Subcommittee
The survey subcommittee will query chief security / privacy officers or consumers on what they consider to be sensitive data, and is being led by Christine El Eris and Michael Morelli of Affinion Group, Larry Ponemon of the Ponemon Institute, Don Rebovich of the Center for Identity Management and Information Protection at Utica College, and Andrew Serwin from Foley & Lardner LLP.
August 2 at 2:00pm - ISA Summer Board Conference Call
September 26 & 27: ACI Cyber and Data Risk Insurance
Larry Clinton will discuss the latest federal regulatory developments and enforcement actions and their impact on insurance coverage and litigation.
Thought Leadership
US House Homeland Security Committee Hearing
ISA President Larry Clinton has been asked to testify before the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. The hearing is entitled "Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal." The webcast can be viewed live through the following link: http://homeland.house.gov/hearing/subcommittee-hearing-examining-homeland-security-impact-obamaadministrations-cybersecurity
Summer 2011, Journal of Strategic Security
"A Relationship on the Rocks: Industry-Government Partnership for Cyber Defense" authored by Larry Clinton was published in a recent issue. To view click here and then select the PDF file next to the article's title.
May 2011, Cutter IT Journal
ISA President Larry Clinton authored the article, "A Theory to Guide US Cyber Security Policy." To view the article click here, download the issue and go to page 30.
Spring 2012 - Conflict and Cooperation in the Commons
Larry Clinton has authored the chapter "Cyber Security Social Contract". This book is forthcoming from Georgetown University Press.
For more security news visit Infosec Island, an ISA partner organization. Infosec Island is a leading information security portal committed to serving the risk mitigation needs of SMBs, mid-market enterprises, government agencies, legal, financial, healthcare, educational, and nonprofit organizations by providing the latest in news, free network security tools, and insights from leading industry experts.
Pass the ISA Daily Brief along to your colleagues. They can create their own subscriptions by contacting mmorgan@isalliance.org