Internet Security Alliance Review 8-22-09

August 22, 2009 by ADMIN

From The Internet Security Alliance

In The News…

August 21, US-CERT Current Activity - Adobe Releases Security Bulletin for Flex SDK. Adobe has released security bulletin APSB09-13 to address a vulnerability in Flex 3.3 SDK and earlier versions. This vulnerability may allow an attacker to conduct a cross-site scripting attack. US-CERT encourages users and administrators to review Adobe security bulletin APSB09-13 and update to Flex 3.4 SDK to help mitigate the risks. Additionally, the bulletin indicates that this update includes the latest version of Adobe Flash Player.
Relevant Url(s):
http://opensource.adobe.com/wiki/display/flexsdk/Download+Flex+3
http://www.adobe.com/support/security/bulletins/apsb09-13.html

August 19, Internet Evolution – (International) Nasty malware attack targets web developers. There is a nasty bug going around the Web that targets developers. When a developer visits an infected site, the page installs a virus on their machine that silently copies the passwords stored in FileZilla, CuteFTP, and possibly other File Transfer Protocol (FTP) client software, and sends them to a central server. The server then runs a bot to access all sites for which credentials have been stolen and installs an iframe injection attack on many pages, further spreading the infection. Infected sites occasionally break if they use the Web scripting language PHP, but frequently they continue to operate, and thus infect more users with the virus. When a search engine such as Google detects the infection in a site, they may remove the site from their index, resulting in a financial loss to the site owner. Some browsers may flag the site as infected and show a warning that scares away users. This attack is interesting because of the way it spreads, and the risk to developers. No one would want to be the freelance Web professional who has to explain to a few dozen clients why their sites all got hacked. Presumably, this attack vector will eventually be used to install a payload, such as software for sending spam or executing denial-of-service attacks. After all, today’s best malware is all about making money.
Source: http://www.internetevolution.com/author.asp?section_id=732&doc_id=180663

August 19, The Register – (National) Obama site smackdown spam only offers malware. Spam messages offering links to a tool designed to knock out the website of the U.S. President lead only to malware. Junk mail ostensibly promoting software that allows anti-Obama-ists to become cyberactivists says: “If You don’t like Obama come here, you can help to ddos his site with your installs.” The terse spam message links to a website where prospective marks are offered money for installing the “packet flinging” tool. Visitors to the site advertised by the spam are told to come back regularly for updates and warned that security scanner software may come to identify the software on offer as malign, and consign it to quarantine. That is certainly true, though not for the reasons suggested. The spam was one theme of a larger spam run, reports email security firm Proofpoint. Other spam messages in the series offered more typical lures, such as pornography, while again pointing to the same malware download. As Proofpoint helpfully explains, users would be foolhardy to take the description offered by hackers at face value. Leaving aside ethical concerns and potential for prosecution, it is always more likely that any supposed U.S. President website attack tool would turn compromised machines into spam-relaying zombies than anything else. “Regardless of your political leanings — installing such software is a really bad idea,” Proofpoint concludes.
Source: http://www.theregister.co.uk/2009/08/19/obama_ddos_tool_ruse/

August 18, San Francisco Chronicle – (International) Apple looking into reports of exploding iPhone/iPod Touches. Apple’s iPhones and iPod Touches are being examined by the European Commission after a few incidents in which the devices exploded. There are reportedly two incidents in France involving an iPhone and one in Britain with an iPod Touch. A spokesperson for the commission said that Apple was cooperating and labeled the incidents “isolated.” An Apple spokesperson told Reuters that the company was aware of the reports but would not comment until receiving more information. In one case, a teenager in France was hurt when an iPhone overheated, hissed and shattered, sending glass into the boy’s eyes. A similar incident in Britain reportedly occurred with an iPod Touch that exploded and flew into the air. KIRO TV in Seattle obtained 800 pages of documents from the Consumer Product Safety Commission that found there have been 15 reports of burn and fire-related incidents involving iPods. Last year, after the Japanese government warned of fire risks from iPod Nanos, Apple offered to replace batteries in some of the devices.
Source: http://www.sfgate.com/cgi-bin/blogs/techchron/detail?blogid=19&entry_id=45742

August 19, Nextgov – (National) USDA unit bans browsers other than Internet Explorer. An Agriculture Department agency has begun enforcing a policy banning the use of Web browsers other than Microsoft’s Internet Explorer, to the surprise of employees who rely on other browsers, such as Mozilla’s Firefox, to help in developing Web sites for public use. An operations manager at USDA’s Cooperative State Research, Education and Extension Service on Friday e-mailed a memo to CSREES employees that stated, “In keeping with the requirements of the Federal Desktop Core Configuration, all third-party browsers will be removed from customer workstations beginning Tuesday, Aug.18. Internet Explorer is the standard browser and will be maintained. Netscape, Google Chrome and Firefox will be removed.” The Federal Desktop Core Configuration, a 2008 government-wide policy administered by the Office of Management and Budget, requires that agencies standardize operating system and browser settings to prevent security breaches. OMB officials said the configuration does not require agencies to bar non-IE browsers.
Source: http://www.nextgov.com/nextgov/ng_20090819_3426.php?oref=topstory

August 20, Data Center Knowledge – (National) State Dept. to consolidate data centers. The U.S. State Department has posted a notice indicating it will consolidate its data center, according to Federal Computer Week. The consolidation plans are described in a presolicitation notice on the Federal Business Opportunities Web site. The project “includes a broad range of services not limited to hardware and software evaluation and recommendations, configuration management system design and implementation, physical server virtualization and transition, and LAN administration support for server transition and consolidation,” the document states. The U.S. President’s stimulus plan includes $290 million for a “Capital Investment Fund” for the Department of State to beef up its IT security and mission-critical operations, with $38 million of that earmarked for the Agency for International Development.
Source: http://www.datacenterknowledge.com/archives/2009/08/20/state-dept-to-consolidate-data-centers/

August 19, Localtechwire – (North Carolina) ‘Cloud computing’ likely to be focus of Apple’s $1B NC data center. Apple’s new $1 billion data center that is to be built in western North Carolina reportedly will be a mammoth, 500,000-square-foot structure with a focus on “cloud computing.” So says the editor of Data Center Knowledge, a magazine focused on the data hosting market. In June, North Carolina’s General Assembly passed legislation awarding generous tax incentives if Apple chose to build its East Coast data center in North Carolina. However, Apple has been very tight lipped about some details of the project. “Apple is planning about 500,000 square feet of data center space in a single building,” the editor told the web site Cult of Mac. “That would place it among the largest data centers in the world … This would qualify as a big-a… data center.” The editor said the size of the facility implies that it would be for much more than supporting “apps,” or applications, for Apple devices. He therefore believes the data center would be built to host servers to provide cloud computing capacity. Apple’s existing data center in California covers 109,000 square feet. The new center will be built in Maiden, North Carolina on a 255-acre site.
Source: http://localtechwire.com/business/local_tech_wire/news/blogpost/5818065/

August 19, The Register – (International) Old-school virus threatens Delphi files. Virus writers have gone old school with the creation of a virus that infects Delphi files as they are built. When a Delphi file infected with Induc-A virus is run, it searches for Delphi programming installations on an infected machine and attempts to infect this installation. More specifically, the malware attempts to infect SysConst.pas, which it then compiles to SysConst.dcu. Once this process is completed the SysConst.dcu file is programmed to add the Induc-A virus to every new Delphi file that gets compiled on the system. Even the vast majority of computer users that are not Delphi developers can be affected by running programs written in Delphi that happen to have been contaminated. Up until August 18 the labs at Sophos have received more than 3,000 infected files, submitted by users who have found infections. “This makes us believe that the malware has been active for some time, and that a number of software houses specialising in developing applications with Delphi must have been infected,” writes a senior technology consultant at Sophos. Examples of infections have included applications described as “a tool for downloading configuration files onto GSM modules” and “a compiler interface that operates between our third-party design software and our CNC woodworking machinery.”
Source: http://www.theregister.co.uk/2009/08/19/delphi_malware/

August 19, Information Management Online – (International) Ghosts in the machine: Attacks may come from inside computers. The next wave of hacking into computers and stealing data will not be requests or code coming from remote points across the Web, security experts are warning. Instead, the most sophisticated Trojan Horses appearing on Wall Street financial systems may be threaded into the silicon of integrated circuits by design, their malicious instructions baked right into the tiny physical aspects and intricate mapping of the chip itself, according to scientists and academics working with the National Institute of Standards and Technology, the White House and the Financial Services Information Sharing and Analysis Center in Dulles, Virginia. Detecting such malware after a chip is fabricated will be extremely difficult, if not impossible, these experts say, because the microchips that run servers have millions to billions of transistors in them. Adding a few hundred or even just tens of transistors to an integrated circuit can serve attackers’ purposes and escape notice. “You can never really test every single combination on the chip. Testing a billion transistors would take a very long time. It would be very difficult to detect hardware Trojans without having some idea of what you’re looking for to begin with,” said an associate professor of electrical engineering at the University of Arkansas, co-author of a 2007 paper which described a “Hardware Threat Modeling Concept for Trustable Integrated Circuits.” Tweaking the chips themselves can make them manipulate data, shut down a critical function, or turn a system into a bugged phone that steals and relays vital information, the experts say.
To combat the threat, the National Institute of Standards and Technology (NIST), the federal government’s technical standards laboratory, is releasing in September an inter-agency report meant to serve as the first set of best practices for government and industry to mitigate security risks to hardware included in the IT supply chain.
Source: http://www.information-management.com/news/security_computers_data_web-10015938-1.html

August 18, The Register – (International) Adobe patches ‘critical’ flaws in ColdFusion, JRun. Adobe Systems has released updates that patch vulnerabilities in two widely used web development applications, several of which let attackers steal sensitive data or take complete control of users’ machines. In all, the patches fix seven flaws in versions 8.0.1 and earlier of ColdFusion and JRun 4.0. The most serious of them are XSS, or cross-site scripting, bugs that allow attackers to execute malicious code on an underlying system by supplying a target with a booby-trapped web link. Adobe engineers also fixed a separate management console flaw. It allowed unauthenticated users to traverse restricted directories, a vulnerability that could lead to information disclosure. Proof-of-concept code released August 18 showed the flaw could be exploited using a URL.
Source: http://www.theregister.co.uk/2009/08/18/adobe_coldfusion_jrun_patches/

August 18, SearchSecurity.com – (International) SQL Injection continues to trouble firms, lead to breaches. SQL Injection, one of the most basic and common attacks against websites and their underlying databases, offers an easy entry point for cybercriminals, according to security experts. The hackers responsible for the largest data security breach in U.S. history allegedly used a SQL Injection attack. The coding error was cited as the starting point in the indictment handed down against a Miami man and two Russian hackers, enabling them to allegedly bilk Heartland Payment Systems Inc. and Hannaford Brothers Co. of more than 130 million credit and debit card numbers. But security experts say that while SQL Injection errors are relatively easy to find, as simple as finding a poorly coded input field in a Web form, they are often difficult and costly to fix. A vulnerability scan is likely to turn up thousands of errors that lend themselves to SQL Injection, said the chief technology officer of Cigital Inc., a software security and quality consulting firm. New defenses for automated SQL injection attacks: by automating SQL injection attacks, hackers have found a way to expedite the process of finding and exploiting vulnerable websites. “Sometimes there’s one problem that results in a thousand possible cross-site scripting issues and if you fix that problem they’ll all be fixed, but that’s not always the case,” the chief technology officer said. “There have been a lot of bugs that built up behind the dam and now we’re seeing the dam starting to rumble.”
Source: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1365263,00.html

August 17, CNN – (International) Study warns of cyberwarfare during military conflicts. An independent research group predicts that cyberwarfare will accompany future military conflicts and is recommending international action to blunt its impact. Computers can become victims in future military conflicts, says the nonprofit U.S. Cyber Consequences Unit, which studied the cybertactics used against the country of Georgia during its military conflict with Russia last year. Cyberattacks in August 2008 shut down the Web sites of crucial Georgian government agencies, the media, and banks. “The Russians have developed a model here that is very effective,” said the director of US-CCU. “We can expect to see the Russians use it in the future, and other countries as well.” Because of the sensitive nature of much of the information, the full 100-page report is being released only to U.S. government officials and selected cybersecurity professionals. CNN was provided a nine-page summary. The study concludes that the cyberattacks against Georgian targets were carried out by civilians, many of them recruited via social networking forums devoted to dating, hobbies, and politics. “There was a large-scale collaboration on these forums,” said the US-CCU’s chief technical officer. “They were used to recruit potential actors to launch attacks, to collaborate on what types of attacks worked and what types of attacks didn’t work. They were used to collaborate on how to bypass security controls and share attack codes.” As a result, the technical officer said, Russian sympathizers who were not hackers, and who didn’t even know much about computers, could participate. The hackers did not carry out physically destructive cyberattacks, although they probably had the technical expertise to do so, suggesting that “someone on the Russian side was exercising considerable restraint,” the report says. 
The report also notes that media and communications facilities, which might have been attacked by missiles and bombs in a conventional war, were spared “presumably because they were being effectively shut down by cyberattacks.”
Source: http://edition.cnn.com/2009/US/08/17/cyber.warfare/

August 17, Softpedia – (International) Two Facebook phishing attacks in one day. Facebook was the target of two independent and non-related phishing attacks through its applications service. Two security experts discovered, investigated and reported these attacks to the social network’s admins, who took all the protection measures. The first one was an application called Customer Dispute. The application link did not open an actual app page, but managed to clone a Facebook URL (apps.facebook.com/customer_dispute/ ). Instead of the standard application install screen, it printed a “404 – Page not found” error. The detail that triggered the expert’s interest was the fact that the error was NOT FROM FACEBOOK, but from a hosting company called Ripway. A researcher had this to say about Ripway: “The entire content is taken up by a ‘Page not found’ message served up by Ripway hosting (who are often used and abused by script kiddies with phish pages and rogue executable storage).” The second attack was about another Facebook application. The app sent out countless notifications informing users of a comment on one of their posts that they needed to check out. The link (when hovering the mouse over it) redirected to a page from the fucabook.com domain name that contained some info-stealing content. According to a second researcher, “The server at fucabook.com loads up a JavaScript before immediately using HTTP meta refresh tags to pull up the real Facebook website and prompting the victim for their login credentials.” He also added, “The attack site is registered to an Arsen Tumanyan who allegedly resides in Armenia, the domain is registered through GoDaddy and the URL leads to an IP address that resolves to the Amazon Elastic Compute Cloud (EC2) cloud.”
Source: http://news.softpedia.com/news/Two-Facebook-Phishing-Attacks-in-One-Day-119424.shtml

August 17, Wall Street Journal – (International) Hackers stole IDs for attacks. Russian hackers hijacked American identities and U.S. software tools and used them in an attack on Georgian government Web sites during the war between Russia and Georgia in 2008, according to new research to be released on August 17 by a nonprofit U.S. group. In addition to refashioning common Microsoft Corp. software into a cyber-weapon, hackers collaborated on popular U.S.-based social-networking sites, including Twitter and Facebook Inc., to coordinate attacks on Georgian sites, the U.S. Cyber Consequences Unit found. While the cyberattacks on Georgia were examined shortly after the events in 2008, these U.S. connections were not previously known. The research shows how cyber-warfare has outpaced military and international agreements, which don’t take into account the possibility of American resources and civilian technology being turned into weapons. Identity theft, social networking, and modifying commercial software are all common means of attack, but combining them elevates the attack method to a new level, said a former cybersecurity chief at the Department of Homeland Security. “Each one of these things by itself is not all that new, but this combines them in ways we just haven’t seen before,” said the former cybersecurity chief, now CEO of computer-security company NetWitness Corp. The cyberattacks in August 2008 significantly disrupted Georgia’s communications capabilities, disabling 20 Web sites for more than a week. Among the sites taken down were those of the Georgian president and defense minister, as well as the National Bank of Georgia and major news outlets. Taking out communications systems at the onset of an attack is standard military practice, said the chief technical officer at the USCCU and a former cyber-sleuth at the National Security Agency and the Central Intelligence Agency.
Source: http://online.wsj.com/article/SB125046431841935299.html

August 17, PC World - Georgia Cyberattacks Linked to Russian Organized Crime. The cyberattacks against Georgia a year ago were conducted in close connection with Russian criminal gangs, and the attackers likely were tipped off about Russia’s intent to invade the country, according to a new technical analysis, much of which remains secret. The stunning conclusions come from the U.S. Cyber Consequences Unit, an independent nonprofit research institute that assesses the impact of cyber attacks. A 100-page technical analysis is only being made available to the U.S. government and some cybersecurity professionals, but the organization did release a nine-page summary early Monday. The report in part confirms some of the suspicions of observers, who theorized that the distributed denial-of-service attacks (DDOS), which crippled many Georgian Web sites, had their roots in Russia. “Many of the cyber attacks were so close in time to the corresponding military operations that there had to be close cooperation between people in the Russian military and the civilian cyber attackers,” the report said. “Many of the actions the attackers carried out, such as registering new domain names and putting up new Web sites, were accomplished so quickly that all of the steps had to be prepared earlier.” The code used to command those machines to attack the Web sites appeared to be customized specifically for the Georgia campaign, the report said. Three of the software programs used were designed to test Web sites to see how much traffic they can handle. Further evidence showed that Georgia could have been hit much harder. Some of Georgia’s critical infrastructure was accessible over the Internet. While the civilian cyber attackers had signs of considerable expertise, “if the Russian military had chosen to get directly involved, such attacks would have been well within their capabilities,” the report said.
“The fact that physically destructive cyberattacks were not carried out against Georgian critical infrastructure industries suggests that someone on the Russian side was exercising considerable constraint,” it said.
Source: http://www.pcworld.com/article/170289/georgia_cyberattacks_linked_to_russian_organized_crime.html

August 14, Dark Reading – (National) New virus appears as response to Craigslist ad. Email security experts at Red Condor are warning email users about a new virus currently undetected by most virus scanners. The virus is embedded in an email that appears to be a response to a craigslist advertisement. The email containing the virus, which was detected August 12, 2009 by Red Condor’s Zero Minute Defense Network, includes the subject line, “Re: Car For Sale on craigslist.” The email content suggests that the user requested pictures for a car being sold on craigslist and invites the recipient to view the images in a Picasa album. Clicking on the link to the album installs a virus. “Only 13 out of 41 virus scanners detected the file as a virus when Red Condor first identified it,” stated the chief executive officer of Red Condor. “This means that if the message was delivered and a user clicked on the link, they’d likely be infected even if they had an anti-virus program running on their desktop computer. With increasingly more ways to get malicious content onto computers and corporate networks, it is important that companies’ security solutions are capable of responding quickly and appropriately to eliminate potential threats. Traditional signature-based virus engines are simply not enough protection against today’s spammers and cybercriminals. After all, it only takes one click.”
Source: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=219400086&subSection=Vulnerabilities+and+threats

August 14, SCMagazine – (International) Microsoft leads browsers in malware, phishing defense. It appears that the comprehensive security features built into Internet Explorer 8 (IE 8) are paying off for Microsoft. The browser, released in March with a number of enhanced phishing and anti-malware components, blocked an average of 81 percent of socially engineered malware and stopped 83 percent of suspected phishing sites — topping four other major browsers, according to new tests conducted by NSS Labs. NSS based its findings on two weeks of analyzing 593 phishing sites and 608 unique URLS that contained malicious software, the company’s president told SCMagazineUS.com on August 13. “Everyone thinks Microsoft stinks at security,” he said. “They need to get some credit for some of the good stuff they’ve done. Microsoft has been a big target for attacks for a long time, and that’s actually a benefit to them. They’ve learned how they can turn that around and protect themselves better.” In catching and stopping socially engineered malware, a significant drop-off occurred after the Microsoft browser. Firefox 3 was next in line, blocking 27 percent. Apple’s Safari 4 thwarted 21 percent, followed by Google Chrome (seven percent) and Opera 10 (one percent). The browsers, as a group, performed relatively better in offering phishing protection. Firefox deterred 80 percent of suspected fraud sites, Opera caught 54 percent, followed by Chrome (26 percent) and Safari (two percent).
Source: http://www.scmagazineus.com/Microsoft-leads-browsers-in-malware-phishing-defense/article/146505/

August 14, The Register – (International) Hacktivist vuln still plagues UN.org. The official website of the United Nations has yet to fix a vulnerability that more than two years ago allowed hacktivists to replace official content with their own activist messages. According to the Errata Security CEO, the same SQL injection flaw that plagued the site in August of 2007 remains unfixed now. It is invoked by doing nothing more than adding a stray character to the ASP parameter of a un.org link, such as http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=10’5. “Despite the fact a high-school intern can fix the bug in 5 minutes, the bureaucracy means that the organization must spend tens of thousands of dollars to fix the bug,” the CEO wrote. “The other lesson is that the cost of NOT fixing the bug is low. The UN can simply live with the problem, and clean up after every hack.” As The Register reported in 2007, hacktivists used the bug on the UN’s Apache-powered website to replace speeches by the Secretary-General with pacifist messages. While that attack appeared to be the work of activist critics of the global organization, it is not a stretch to imagine criminals hacking the site to surreptitiously send visitors to sites that push malicious drive-by exploits.
Source: http://www.theregister.co.uk/2009/08/14/united_nations_website_vulnerable/
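The stray-quote behaviour described above, as an added example that is not code from the article or from un.org: a hypothetical handler that pastes the statID value into SQL text, beside a hardened one that validates and binds it, plus a check a defender can run over request URLs. The table, its titles and the use of SQLite in place of the site's real database are all constructed for the demonstration.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs


def make_demo_db():
    """Constructed in-memory table standing in for a speech archive keyed by statID."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statements (statID INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO statements VALUES (?, ?)",
        [(10, "Constructed sample speech A"), (105, "Constructed sample speech B")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, stat_id):
    """Hypothetical vulnerable handler: the query-string value is pasted straight
    into the SQL text, so a stray quote character changes the statement itself."""
    sql = "SELECT title FROM statements WHERE statID = '" + stat_id + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def vulnerable_outcome(conn, stat_id):
    """Run the vulnerable handler and report what the visitor would see:
    ('ok', title) for a normal id, ('sql_error', message) when the input
    breaks the statement. A database error surfacing in the response is the
    tell-tale sign of this bug class."""
    try:
        return ("ok", lookup_vulnerable(conn, stat_id))
    except sqlite3.OperationalError as exc:
        return ("sql_error", str(exc))


def lookup_safe(conn, stat_id):
    """Hardened handler: check the value is a plain integer, then bind it as a
    parameter so the database never interprets it as SQL."""
    if not stat_id.isdigit():
        return None  # malformed id: reject rather than build a query from it
    row = conn.execute(
        "SELECT title FROM statements WHERE statID = ?", (int(stat_id),)
    ).fetchone()
    return row[0] if row else None


def is_probe(url):
    """Detection helper for access logs: flag a request whose statID is not a
    plain integer, e.g. the stray-quote URL quoted in the article (written here
    with a straight quote; the log may carry a curly one, which also fails)."""
    values = parse_qs(urlparse(url).query).get("statID", [])
    return any(not v.isdigit() for v in values)


if __name__ == "__main__":
    db = make_demo_db()
    print(vulnerable_outcome(db, "10"))
    print(vulnerable_outcome(db, "10'5"))   # sql_error: the stray quote broke the query
    print(lookup_safe(db, "10"), lookup_safe(db, "10'5"))
    print(is_probe("http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=10'5"))
```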

August 14, IDG News Service – (International) Twitter used to manage botnet, says security expert. A security researcher has found that hackers are using Twitter to distribute instructions to a network of compromised computers, known as a botnet. The traditional way of managing botnets is to use IRC, but botnet owners are continuously looking for new ways to keep their networks up and running, and Twitter seems to be the latest trick. A now-suspended Twitter account was being used to post tweets that had links to new commands or executables to download and run, which would then be used by the botnet code on infected machines, wrote a manager of security research at Chelmsford, Massachusetts-based Arbor Networks Inc., in a blog post on August 13. “I spotted it because a bot uses the RSS feed to get the status updates,” the manager wrote. The account, called “Upd4t3”, is under investigation by Twitter’s security team, according to the manager. But the account is just one of what appear to be a handful of Twitter command and control accounts, he wrote. The botnet the manager found is “an infostealer operation,” a type that can be used to steal sensitive information such as log-in credentials from infected computers.
Source: http://www.computerworld.com/s/article/9136659/Twitter_used_to_manage_botnet_says_security_expert?taxonomyId=17

August 14, The Register – (International) MS Zero-day security bug was two years in the making. A flaw in Office Web Components which Microsoft fixed on August 11 was first reported to the software giant over two years ago, it has emerged. The time taken to release a patch has security vendors speculating that Microsoft only got around to fixing the software flaw at all because hackers have begun exploiting it over recent weeks. The arrival of the MS09-043 patch addressed a zero-day flaw that had become the fodder of drive-by download attacks from malicious web pages. The patch addressed four vulnerabilities in the Office ActiveX control in total, including the zero-day flaw. Users previously had to rely on workarounds published by Microsoft in a July advisory. The zero-day security bug was discovered by a researcher and first reported to Microsoft in March 2007 via the Tipping Point Zero Day Initiative scheme, which pays researchers for security exploits. Tipping Point uses this information to add signature detection against exploits based on the bug to its intrusion protection products. It also passes along the information to the relevant software developers, in this case Microsoft. Responding to questions on the long delay, a ZDI manager told heise Security, “they [Microsoft] kept finding the need for more time to ensure the issue was completely addressed.”
Source: http://www.theregister.co.uk/2009/08/14/ms_zero_day_long_gestation/

August 13, Internetnews.com – (International) Craigslist, AutoCAD threats show virus variety. Malware authors continue showing their creativity, with new viruses making the rounds by targeting Craigslist fans and AutoCAD users. One of the new attacks is being spread by malicious links in spam purporting to be a message from Craigslist about a car sale, the product marketing manager at antivirus firm Red Condor told InternetNews.com. The virus also escaped detection by a number of AV outfits, she added. “When we detected it, only 13 of 41 antivirus companies had detected it as a virus,” she said. “It takes companies a while to update their patterns. We’re more able to quickly update patterns.” Other viruses are attacking AutoCAD, raising eyebrows simply because there are so few viruses written for the software. One such virus surfaced last month, followed by a second last week. That could spell trouble, considering that AutoCAD security is not always in the headlines. “The last time Sophos wrote about AutoCAD malware was over two years ago,” a Sophos security expert wrote in his blog. “The typical AutoCAD user doesn’t place much importance in considering the security implications of what they’re doing and the script they’re running — which could lead to an unfortunate infection if you were unlucky enough to be in the firing line.”
Source: http://www.internetnews.com/security/article.php/3834476

August 12, SCMagazine – (International) DNS changing Trojan hits Apple Macs when disguised as a MacCinema installer. A Domain Name System (DNS) changing Trojan that targets Apple Macs is spreading disguised as a MacCinema Installer. A technical communications spokesperson at Trend Micro claimed that this is the latest variant of OSX_JAHLAV.C, which was identified in June. It is supposedly a QuickTime Player update with the file name QuickTimeUpdate.dmg, and as with earlier variants, users are prompted to download the malware when trying to view certain online videos from .com domains with the IP address 91.214.45.73. Once infected, a victim’s web traffic can then be diverted to the website of the attacker’s choosing. The spokesman said: “The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script then downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}, detected as UNIX_DNSCHAN.AA, which allows a malicious user to monitor the affected user’s activities. This may also cause the user to be redirected to phishing sites or sites where other malware may be downloaded from.” A Trend Micro advanced threats researcher claimed that the domain names have been set up such that when the main IP goes or is taken down, cybercriminals can easily move the backend to another IP address without the need to change code or scripts. The company warned Mac users to be wary of prompts to download software updates that do not come from Apple’s legitimate website.
Source: http://www.scmagazineuk.com/DNS-changing-Trojan-hits-Apple-Macs-when-disguised-as-a-MacCinema-Installer/article/141503/

This Week at the ISAlliance…

Monday, August 24: 5th Annual GFIRST National Conference. GFIRST is a group of technical and tactical practitioners from incident response and security response teams responsible for securing government information technology systems and providing private sector support. GFIRST members work together to understand and handle computer security incidents and to encourage proactive and preventative security practices across government agencies. GFIRST promotes cooperation among the full range of Federal, State and local agencies, including defense, civilian, intelligence, and law enforcement. The GFIRST Conference is open to all interested in learning more about cyber security and incident response. GFIRST is a great place for public and private sector leaders serving in non-technical roles to become familiar with the fundamentals of cyber security and incident response. GFIRST is also an excellent resource for practitioners in incident response and information security from the public and private sectors.

Tuesday, August 25: ISAlliance/NIST/DHS VoIP & Unified Communications Automated Security and Assurance Project Applicability Workgroup meeting at 1. This workgroup is focusing on documenting the SCAP (Security Content Automation Protocol) goals for a VoIP solution, identifying SCAP gaps, and determining how SCAP may or may not be applied to a non-desktop environment. The group will also review the SCAP components and standards and determine the gaps and shortfalls of the SCAP components for applicability to a VoIP solution. This work will result in a whitepaper that captures the analysis and its results and makes recommendations regarding SCAP applicability to a VoIP solution. The goal of this project is to provide a secure playing field for corporations as they deploy VoIP and related technologies.

Tuesday, August 25: 5th Annual GFIRST National Conference (continued; see Monday’s entry for the conference description).

Wednesday, August 26: ISAlliance/NIST/DHS VoIP & Unified Communications Automated Security and Assurance Project Leadership meeting at noon.

Wednesday, August 26: IT Sector Coordinating Council Communications and Outreach Committee working group meeting at 10. The Communications and Outreach Committee creates and maintains all communications documents. These documents include the ITSCC 101 presentation, the IT Sector Scorecard, the PCIS Handbook, and the website. This working group reaches out across both sectors and states, spreading awareness of IT SCC efforts and accomplishments. Some of these tasks are supported by the Executive Secretariat.

Wednesday, August 26: 5th Annual GFIRST National Conference (continued; see Monday’s entry for the conference description).

Thursday, August 27: ISAlliance/NIST/DHS VoIP & Unified Communications Automated Security and Assurance Project Baseline Standards Workgroup meeting at 1. This workgroup has the same SCAP-for-VoIP scope and whitepaper deliverable described under Tuesday’s Applicability Workgroup meeting.

Thursday, August 27: 5th Annual GFIRST National Conference (continued; see Monday’s entry for the conference description).

Friday, August 28: 5th Annual GFIRST National Conference (continued; see Monday’s entry for the conference description).

Speaking Opportunity for ISAlliance members: The Illinois Institute of Technology’s Center for Professional Development will be hosting the 5th Annual VoIP Conference and Expo on Wednesday and Thursday, October 28 and 29, 2009. This two-day conference, where industry and academia meet, will bring together technical professionals and executives from the data and telecommunications industry, standards bodies, government agencies, and the business community. ISAlliance members interested in participating as a panelist, discussing the practical side of VoIP security, how IT security is practiced today to protect VoIP, and what important new steps need to be taken in the near future, should contact bfoer@isalliance.org.

Introducing the ISAlliance Information Security Resources News Feed
In our continued effort to provide members with access to the latest developments and relevant issues being addressed by compliance, IT and security professionals today, the ISAlliance would like to introduce the addition of the Information Security Resources News Feed to our website selections.

Information Security Resources strives to bring together security thought leaders by providing a forum for security issues across all sectors and industries. ISR’s concern is centered on the failure of organizations to adequately protect regulated systems and data, with a focus on the exposure of private information and sensitive systems during the financial meltdown, including identity theft, privacy breaches, stolen information, credit card fraud, and other enormous liabilities. In addition to the obvious threat to market stability, the financial debacle has the added element of national and global security concerns. ISR’s editors and contributors strongly believe that system integrity is the next major national security, shareholder derivative, D&O liability, regulatory, consumer product safety, and class-action issue our nation will face. ISR is led by Kevin M. Nixon, MSA, CISSP®, CISM®, CGEIT®, who is a former ISAlliance Board member, and managed by Anthony M. Freed.

The link for the news feed is located at the top of the “Business Services” column on any ISAlliance website page. Enjoy!

Download a complete copy of The Cyber Security Social Contract: Policy Recommendations for the Obama Administration and 111th Congress.

Learn More About the ISAlliance

The Internet Security Alliance (ISAlliance) was created to provide a forum for information sharing and thought leadership on information security issues. The ISAlliance represents corporate security interests before legislators and regulators. In so doing, the alliance aims to identify and standardize best practices in Internet security and network survivability, while creating a collaborative environment to develop and implement information security solutions.

* * *

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com
