Full Story:
http://www.networkworld.com/news/2010/030810-energizer-bunnys-software-infects.html?hpg1=bn

Wave of ransom malware hits Internet
Criminals reused an attack from 2008 to hit the Internet with a huge wave of ransomware in recent weeks. In the space of only two days, February 8 and 9, the HTML/Goldun.AXT campaign accounted for more than half the total malware detected for February, which gives some indication of its unusual scale. The attack itself takes the form of a spam e-mail with an attachment, report.zip, which if clicked automatically downloads a rogue antivirus product called Security Tool. It is also being distributed using manipulated search engine optimization (SEO) on Google and other providers.

Full Story:
http://www.pcworld.com/article/190967/wave_of_ransom_malware_hits_internet.html

Microsoft gives dates for the end of support for Windows XP Service Pack 2 and Windows 2000.
Microsoft is to address eight vulnerabilities on its monthly Patch Tuesday, with no critical flaws expected to be addressed. The vulnerabilities are in Windows and Microsoft Office and are remote code execution problems. Microsoft confirmed ending support for legacy operating systems in the coming months. Windows XP Service Pack 2 will no longer be supported after  July 13, and on the same date extended support for Windows 2000 will finish. Windows Vista RTM will no longer be supported after  April 13, although service pack one will still be supported until the  July 12^th 2011.

Full Story:
http://www.scmagazineuk.com/microsoft-will-cover-eight-important-vulnerabilities/

Opera says bug probably can’t commandeer machines
A security vulnerability identified in Opera can be exploited to crash users’ browsers, but probably can’t lead to the remote execution of malware, a company spokesman said. The buffer overflow bug was disclosed by Vupen Security on Thursday, and the report has since been picked up by others, including Secunia and Sans. The advisories have said the vulnerability is critical because it can be exploited to remotely execute malicious code on end user machines. Users should be sure to enable a security feature known as DEP, or data execution prevention.

Full Story:
http://www.theregister.co.uk/2010/03/05/opera_vulnerability/

Smartphone weather app builds a mobile botnet
A pair of researchers has amassed nearly 8,000 iPhones and Android smartphones in an experimental mobile botnet that demonstrates the ease of spreading potentially malicious applications on these devices. The security researchers with TippingPoint’s Digital Vaccine Group demonstrated how their seemingly innocuous weather app — called WeatherFist — gathers information on the users who downloaded it, including their GPS coordinates and phone numbers. The researchers wrote the app to prove how such an app could steal or modify a user’s contacts, read his files, and access his Facebook and Twitter accounts, as well as email and passwords.

Full Story:
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=223200001

Phishing reaches record high in January
January marked a record high for phishing attacks, seeing a 21 percent increase over the month before, according to security vendor RSA. The firm’s monthly Online Fraud Report showed that recorded phishing attacks reached 18,820, more than double the figure a year ago. Fast-flux attacks, accounted for 24 percent of phishing incidents in January, up four per cent on December. Standard phishing attacks, meanwhile, showed a 12 percent increase compared with December. The number of attacked brands climbed by just two percent compared to December, but 35 new organizations suffered their first attack in January, more than triple the number reported in December.

Full Story:
http://www.v3.co.uk/v3/news/2259037/january-sees-phishing

RSA Online Fraud Report:
http://www.rsa.com/solutions/Online_Fraud_report_0210.pdf

Read the Full DHS Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_030910.pdf

Full Story:
http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=223101626

Glitch prompts VA to shut e-health data exchange with Department of Defense
The Veterans Affairs Department closed off access to the Defense Department’s electronic health record system on March 1 because it found errors in some patients’ medical data. The glitch did not cause harm to any patient, but “the potential exists for decisions regarding patient care to be made using incorrect or incomplete data,” said the director of the Veterans Health Administration’s Information Technology Patient Safety Office, in an alert issued on March 3.

Full Story:
http://www.nextgov.com/nextgov/ng_20100304_9977.php?oref=topstory

Campus urged to beware of new phishing scams
The Office of Campus Information Security (OCIS) is aware of two new phishing emails targeting University of Wisconsin’s NetID login service. If users click the link in the phishing email, they are directed to fake NetID login sites that are very realistic and well replicated. Users could easily be fooled by these phishing attempts.

Full Story:
http://www.news.wisc.edu/17764

Microsoft plans to patch 8 Windows, Office bugs next week.
Microsoft announced it will ship two security updates on March 9th to patch eight vulnerabilities in Windows and Office. In its monthly advance notification, Microsoft spelled out next week’s two updates, a far cry from February’s roll-out of 13 security bulletins that fixed 26 flaws. Both bulletins will be pegged as “important,” Microsoft’s second-highest severity rating in its four step scoring system.

Full Story:
http://www.computerworld.com/s/article/9166158/Microsoft

Chinese attacks like the one against Google are on pace to double this year
Recent Internet attacks from China against Google and other U.S. companies will more than double this year if the pace during the first two months continues, said the chief research officer for F-Secure. This type of attack has been increasing over the past two years. Unlike other malware attacks, these are fashioned for specific targets and are used only once.

Full Story:
http://www.networkworld.com/news/2010/030410-rsa-chinese-attacks.html?hpg1=bn

Researchers dissect ZeuS botnet blueprint
A little knowledge and a few thousand dollars is all it takes to build a fully functional botnet, according to security experts. Cisco researchers told delegates at the 2010 RSA conference that a botnet running the infamous ZeuS malware could be built for $2,500. ZeuS is primarily a data-gathering and botnet control tool. It is dangerous because it directly injects content into pages and intercepts credentials before they are sent to legitimate sites.

Full Story:
http://www.v3.co.uk/v3/news/2258969/rsa-2010-researchers-dissect

Read the Full DHS Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_030810.pdf

Full Story:
http://blogs.bankinfosecurity.com/posts.php?postID=469

Hacking human gullibility with social penetration
Security penetration testers rely plenty on technical attacks that exploit weaknesses in websites and servers, but social penetration techniques are more reliable and easier to use in identifying chinks in fortresses.  That’s true even for organizations that place a high premium on security and train their employees to resist the most common attempts to trick them into letting down their guard, according to the principals of Mad Security.

Full Story:
http://www.theregister.co.uk/2010/03/04/social_penetration/

Wi-Fi could lead thieves right to your laptop
Stuffing a company laptop into the car trunk or even a locker, without turning off its Wi-Fi radio, can be an open invitation to thieves, according to Credant Technologies. Thieves with increasingly sophisticated, directional Wi-Fi detectors can home in on the laptop’s radio, tracking it down even when the PC is hidden away. 

Full Story:
http://www.pcworld.com/article/190674/wifi_could_lead_thieves_right_to_your_laptop.html

Database security lacking at financial services firms
Sloppy operating practices across the financial services sector leave firms vulnerable to breaches that could expose sensitive data according to a new study from the Ponemon Institute. The report identified several key areas where financial services companies could take a hit from loose data policies, including damage to the corporate brand and the erosion of consumer trust. “One of the most important things a company can do to assure their future success is to plug the holes in their security policies that were demonstrated in this study,” the head of the Ponemon Institute, said in a statement.

Full Story:
http://www.esecurityplanet.com/trends/article.php/3868381/Database-Security-Lacking-at-Financial-Services-Firms.htm

RSA 2010 Highlights: Hackers using legitimate cloud services for Dark Ends
Cyber criminal groups are using legitimate cloud offerings such as Amazon Web Services to facilitate malware creation and password cracking, delegates at RSA 2010 were told. The Russian Business Network (RBN), one of the most powerful and extensive malware and hacking organizations, has been buying time on Amazon’s EC2 platform to build malware and attack passwords, according to the founder of security consultancy InGuardians. The RBN, based in northern Russia, is one of the biggest and most professional hacking groups in the world. The organization started in the pornography business, but quickly moved to crime and now offers malware-as-a-service and hosting services, and provides credit card data and false identities. Other security professionals have confirmed the use of mainstream cloud services by the hacking and malware community.

Full Story:
http://www.v3.co.uk/v3/news/2258919/rsa-2010-hackers-legitimate

Source code management a weak spot in Aurora attacks
Companies should take extra steps to secure their source code from the type of targeted attacks that hit Google, Adobe, Intel and others over the past few months, according to security vendor McAfee. “We saw targeted attacks against software configuration management products,” said McAfee’s chief technology officer (CTO.) In many of the attacks company engineers and technical staff were targeted with malicious software. And in some cases, source code management systems were accessed and code was downloaded outside of company firewalls, the CTO said.

Full Story:
http://www.computerworld.com/s/article/9165718/

 Full DHS Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_030510.pdf

Full Story:
http://www.theregister.co.uk/2010/03/02/microsoft_charney_rsa/

Spain busts global botnet masterminds
Spanish police have arrested three men accused of masterminding one of the biggest computer crimes to date — infecting more than 13 million PCs with a virus that stole credit card numbers and other data. The men were suspected of running the Mariposa botnet, named after the Spanish word for butterfly.

Full Story:
http://www.reuters.com/article/idUSTRE6214ST20100303

White House declassifies parts of US Cybersecurity Plan
At the RSA conference in San Francisco on this week, the White House Cyber Advisor declassified parts of the  previous U.S. Presidential Administration’s secretive plan to defend the nation’s computer networks. Howard A. Schmidt  announced that the current Presidential Administration was partially declassifying the 2008 Comprehensive National Cybersecurity Initiative - 20 - (CNCI) in the name of transparency. The declassified portion of the CNCI includes descriptions of 12 broad initiatives of the CNCI, but few details. The document largely focuses on efforts to secure the federal government’s vast computer networks with the use of its Einstein system to detect unauthorized attempts to access government computers.

Full Story:
http://www.csmonitor.com/USA/2010/0302/White-House-declassifies-parts-of-US-cybersecurity-plan

Microsoft Pushes another Patch linked to Windows Blue Screens
Microsoft on March 2 said it had restarted distribution of a security update that had crippled some Windows PCs last month with reboot problems and Blue Screen of Death error screens. The update, dubbed MS10-015, originally shipped on February 9, but was pulled from Windows Updates’ automatic update two days later after complaints flooded Microsoft’s support forum from users whose machines refused to restart after they had installed the patch.

Full Story:
http://www.computerworld.com/s/article/9164518/

Zombie Tactics threaten to Poison honeypots
Innovations in botnet technology threaten the usefulness of honeypots, one- of the main ways to study how cybercrooks acting as bot herders control networks of zombie PCs. Computer scientists at the University of Central Florida warn that bot herders can now avoid honeypots – which are unprotected computers outfitted with monitoring software. Cybercrooks can program servers to disable or simply ignore honeypots, thus depriving security firms of vital intelligence in how zombie botnets are operating in the real world. The scientists are working on techniques to make stealthier honeypot traps to trick bot herders.

Full Story:
http://www.theregister.co.uk/2010/03/02/

Read the Full DHS Infrastructure Report:
www.enclavesecurity.com/blogresources/cdr_030410.pdf

Full Story: http://www.ibtimes.com/articles/9195/20100301/resembling-cartels-hackers-become-more-industrialized-imperva-report.htm

Gmail security enhancements expected this week
Google will roll out a number of security enhancements to Gmail the week of March 1, and perhaps as early as March 2, says a source with knowledge of the new 20 features. The changes are specifically designed to cut down on phishing and hacking attacks on Gmail accounts.

Full Story:
http://techcrunch.com/2010/03/01/gmail-security-enhancements-expected-tuesday/

Microsoft warns of new bug affecting IE users
Steer clear of the F1 key while surfing the Web, at least for a little while. Microsoft warned on March 1 of a new vulnerability that affects Internet Explorer users, saying that it could be exploited by hackers to install malicious software on a victim’s computer.

Full Story:
http://www.networkworld.com/news/2010/030210-microsoft-warns-of-new-bug.html?hpg1=bn

Report: Aurora attack was tested last summer
The attacks on Google and others late last year weren’t as sophisticated as initially believed and appears to have cropped up last summer, according to a report to be released Tuesday by security firm Damballa. Damballa is just the latest company to analyze the attacks and offer an opinion. McAfee dubbed the attacks “Operation Aurora” and said they were highly complex and advanced. While ‘Aurora’ was a very damaging attack that breached some of the most sophisticated networks in the world, it is a ‘garden variety’ botnet and can be traced back to July 2009 when the criminal operators first began testing.

Full Story: http://news.cnet.com/8301-27080_3-10461935-245.html

Word of Warcraft authenticators bypassed by middlemen hackers
Crooks have developed a man-in-the-middle-attack designed to circumvent authentication kit used by dedicated World of Warcraft gamers. World of Warcraft players are reporting that the new infection file is managing to intercept login data (getting around the authenticator) and send it elsewhere, by means of a “Man in the middle attack.” The approach of the gaming fraudsters is broadly similar to man-in-the-middle attacks against online banking accounts, where users are obliged to input a code generated by an authentication device as well as their password.

Full Story:
http://www.theregister.co.uk/2010/03/02/warcraft_account_hack/

Read the Complete DHS Infrastructure Report
www.enclavesecurity.com/blogresources/cdr_030310.pdf

Full Story: http://www.v3.co.uk/v3/news/2258650/wyndham-hotels-hacked-again

Microsoft warns over rogue Security Essentials
Microsoft has warned Windows users to be on their guard against a piece of rogue antivirus software passing itself off as Microsoft Security Essentials. The fake Security essentials 2010 installs a fake virus scanner on your machine and monitors and blocks processes it doesn’t like. The software will also block access to websites of antivirus and malware companies and flag up a warning message. You can see the list of blocked sites here.

Full Story: http://www.theregister.co.uk/2010/02/26/microsoft_security_essentials_rogue/

State of Application Security: Nearly 60 percent of Apps Fail first security test
Most software applications remain riddled with security holes, according to a new report released today about the actual security quality of all types of software. Around 58 percent of the applications tested by application security testing service provider Veracode in the past year-and-a-half failed to achieve a successful rating in their first round of testing.

Full Story:
http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=223100875 

Vericode Report: http://www.veracode.com/reports/index.html 

New zero-day involves IE, puts Windows XP users at Risk
Microsoft on Sunday confirmed it’s investigating an unpatched bug in VBScript that hackers could exploit to plant malware on Windows XP machines running Internet Explorer (IE). The flaw could be used by attackers to inject malicious code onto victims’ PCs. Users running IE7 or the newer IE8 are at risk.

Full Story:
http://www.networkworld.com/news/2010/030110-new-zero-day-involves-ie-puts.html?hpg1=bn

Grum and Rustock botnets drive spam to new levels
Two highly active botnets have pushed spam levels up by five per cent this month, according to Symantec. The company’s MessageLabs branch, now called Symantec Hosted Services, said in a new report that spam accounted for 89.4 percent of email traffic in February, an increase of 5.5 per cent over last month.

Full Story: http://www.v3.co.uk/v3/news/2258689/pair-botnets-drive-spam-levels

 Read the Complete DHS Report
www.enclavesecurity.com/blogsresources/cdr_030210.pdf

http://www.darkreading.com/vulnerability_management/security/antivirus/showArticle.jhtml?articleID=223100622

Russian cyber-hackers stopped by local bank
In Eau Claire County, Wisconsin a worker in the treasurer’s office and a local bank prevented computer hackers from stealing almost $800,000. Eau Claire County says the incident happened in late January,via a software attack, but in the end, no money was lost. “The PC got a virus and as a result, the credentials were compromised and that’s how they were able to get in,” said Information Systems Director Dave Hayden.

http://www.weau.com/news/headlines/85432692.html

Scareware scams ride the back of killer whale tragedy
Supposed footage of the February 24 fatal Sea World killer whale attack in Florida points at sites distributing scareware. Search engine manipulation is being used to drive traffic to these sites, by planting links to malware portals in Google results.

http://www.theregister.co.uk/2010/02/25/killer_whale_scareware/

IBM report: Vulnerabilities fell in ‘09, attacks rose
There were 6,601 new vulnerabilities discovered last year, an 11 percent decrease compared to 2008, according to the annual “X-Force Trend and Risk Report. “The computer industry is getting better at building secure software and being responsive to vulnerabilities,” Tom Cross, manager of IBM X-Force Research, told SCMagazineUS.com on Thursday. “But the volume of attack activity is expanding at a very rapid pace.

http://www.scmagazineus.com/ibm-report-vulnerabilities-fell-in-09-attacks-rose/article/164547/

To Read the Complete DHS Report:
http://www.enclavesecurity.com/blogresources/cdr_030110.pdf

We decided to hit another hot topic this week, so we decided to talk about virtualization. I mean, when you’re not talking about cloud computing security over the family dinner table, you’re probably most likely talking about virtualization security and how it impacts your daily lives (Honey, can you install that new garbage disposal? Of course I can dear, but couldn’t we just virtualize it?). So we’re hoping that these audit checklists will help you as you’re evaluating the controls that protect these environments. You know you’re using them, might as well protect them!

Audit Checklists for Auditing Virtualized Environments: 

DISA

Tripwire

VirtualizationAdmin.com

Microsoft

DarkReading

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

For this week’s checklists we’re going to be returning to the world of more operational controls. Specifically we’ve been investigating audit checklists for evaluating cloud computing environments. Come on, we know you’ve been thinking about it and talking about it both in your IT departments and in your corporate board rooms. Heck, you’ve probably been chatting up other parents at your kid’s little league and talking with them about it! So this week we’re listing off some helpful checklists we’ve found for auditing cloud computing environments. Enjoy!

Audit Checklists for Auditing Cloud Computing Providers: 

ENISA

Cloud Security Alliance

Grid.org.il

SNIA

FUMSI

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

So many of you are thinking, yes James, that’s right, I was thinking about that. Of course you were. That’s why twice a year, right before each of the CISA exams, we hold a CISA review class via our online vLive delivery system to help people prepare to pass the exam. Click here to learn more http://tr.im/MGnD.

The class itself doesn’t start until April, but it’s a good idea to sign up now to start preparing early. In fact, SANS has told me for people that are signing up early, and pay attention to our blogs, that they’ll give an additional discount. If you sign up this week with the discount code IN423 you’ll end up saving a little over $1000 off the retail price of the class.

So sign up now. Send me a note on twitter (@jamestarala or @isaudit) if you have any questions and I can’t want to meet you in class soon!