Monday, March 30, 2009

Monday 03/30/09

A good write-up of some of the stuff Microsoft is doing to disrupt the Conficker worm.
http://blogs.technet.com/msrc/

----------

A write-up from MS Security about ways to exploit the file gdiplus.dll, as in the recent EMF patch.
http://blogs.technet.com/srd/

----------

An interesting article on the method Conficker uses to patch machines after it infects them. Apparently it doesn't do a complete job of protecting the machines after it takes them over, so they can be detected.

' "Prior to our research, it was believed when Conficker infected computers, it patched them, so that one could not tell who's infected and who's not, and any vulnerable computer that was already infected was considered not vulnerable," Honeynet founder Lance Spitzner said.'

...

Over the weekend, the Cabal worked with the curators of a half-dozen organizations that maintain software vulnerability scanning tools, to help them build updates that would enable their tools to distinguish between Windows systems equipped with the official and rogue security patch. As a result, the new detection should be available now in free vulnerability scanners such as nMap, as well as vendor-driven scanning tools from Tenable, McAfee, nMap, nCircle and Qualys.

Posted by Brian Krebs

----------

Massive Chinese Espionage Network

The story broke in The New York Times yesterday:

In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.

[...]

Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama's Tibetan exile centers in India, Brussels, London and New York.

The researchers, who have a record of detecting computer espionage, said they believed that in addition to the spying on the Dalai Lama, the system, which they called GhostNet, was focused on the governments of South Asian and Southeast Asian countries.

The Chinese government denies involvement. It's probably true; these networks tend to be run by amateur hackers with the tacit approval of the government, not the government itself. I wrote this on the topic last year.

It's only circumstantial evidence that the hackers are Chinese:

In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.

And here's the report, from the University of Toronto.

Good commentary by James Fallows:

My guess is that the "convenient instruments" hypothesis will eventually prove to be true (versus the "centrally controlled plot" scenario), if the "truth" of the case is ever fully determined. For reasons the Toronto report lays out, the episode looks more like the effort of groups of clever young hackers than a concentrated project of the People's Liberation Army cyberwar division. But no one knows for certain, and further information about the case is definitely worth following.

An excellent article on Wired.com, and another on ArsTechnica.

----------

I love IT timelines: Mary Jo Foley: Users already honing their IE 9 wish lists

----------

Ahh, so this is why Firefox came out with a new version all of a sudden:
Mozilla kills Firefox Pwn2Own bug

----------

Accenture: Some clients are operating without annual budgets
Larry Dignan: For a few months now, it seemed as if enterprise technology spending was a month-to-month affair. Accenture confirmed that theory and cut its outlook for the rest of the year.

----------

GhostNet spy network phishes international victims
Chuck Miller March 30, 2009
The recently uncovered cyberespionage network named GhostNet made use of phishing malware to attack the nearly 1,300 computers that are said to have been compromised by servers traced to China.

----------

New variant of RSPlug Mac trojan
Angela Moscaritolo March 30, 2009
A new variant of the RSPlug trojan, which targets Apple machines, was recently discovered in the wild, but quickly was fixed.

----------

Google: No significant security issues with Google Docs
Chuck Miller March 27, 2009
Despite apparent security issues in Google Docs, the company is playing down the risks.

----------

Fatal attraction: Latest "delivery notice" trojan spews forth
Greg Masters March 27, 2009
A new torrent of spam, disguised as a message from package carrier DHL, is making its way into inboxes.

----------

Washington D.C. Restaurants Become Credit Card Cloning Hot Spots
Four former servers at three upscale Washington D.C. restaurants blocks from the White House were arrested last week for allegedly using covert skimming devices to clone customer credit card data, in a year-long counterfeiting operation that's put $750,000 in fraudulent charges on the plastic of Washington's elite.

...

The servers often earn up to $50 per card if they work at an upscale eatery, down to just $10 each if, as in a recent Florida case, the cards were stolen from a Burger King.

----------

Electronic Spy Network Focused on Dalai Lama and Embassy Computers
...
More than 1,200 computers at embassies, foreign ministries, news media outlets and non-governmental organizations based primarily in South and Southeast Asia have been infiltrated by the network since at least the spring of 2007, according to the researchers' detailed 53-page report. So have computers in the offices of the Dalai Lama, the Asian Development Bank and the Associated Press in the United Kingdom and Hong Kong.

----------

No, The Recession Is Not Driving People To Dial-Up

----------

Legal Group’s Neutrality Is Challenged
By ADAM LIPTAK 1:35 PM ET
Studies suggest that the American Bar Association gives better ratings to liberal nominees than conservative ones.

----------

Europe’s Solution: Take More Time Off
Can the idea of shorter workweeks take hold in the U.S.?

----------

McAfee blog post about another fake AntiVirus program:
Another Day, Another Rogue Security Program

----------

Microsoft To Shutter Encarta, Read All About It On Wikipedia
Microsoft is preparing to shut down Encarta, the digital encyclopedia it first launched in 1993...

----------

Poken Peek
The Poken is a little USB stick you keep on your keychain. You link it to your online identities. To befriend other Poken owners, you just have to hold your Pokens together for a second, and they’ll exchange IDs through RFID. The Poken is popular in The Netherlands, not only among children, but adults too. No more need to exchange business cards.

----------

A DLP Program That May Actually Prevent Data Theft
Motorola CSO Bill Boni, Disney Company Information Security Director Dan Swartwood and British Telecom Senior Security Advisor Jason Stradley discuss what they've done to keep data out of enemy hands (Audio).

----------
