Updates

A compilation of the latest information about viruses and worms, security issues and patches to rectify the same

German intelligence agency blasted for cyber espionage

Eight months after the nation’s chancellor accused China of information attacks, Germany now faces criticism over its intelligence agency’s use of software designed to spy on other countries’ officials.

The latest incident, which began in June 2006, involved Germany’s intelligence agency—the Bundesnachrichtendienst (BND)—launching an information attack against the Ministry of Commerce and Industry of Afghanistan, ostensibly an ally, according to media reports. Using a Trojan horse, the intelligence agents were able to read an Afghan government official’s e-mail, including his correspondence with a reporter working for the German news magazine Der Spiegel, and data stored on the compromised PC’s hard drive. The German Constitution protects the secrecy of telecommunications, but BND’s legal counsel concluded that, because the messages were stored communications, they did not fall under the constitutional protection, Der Spiegel reported.

The operation ended on November 2006, when a whistleblower sent a letter to his superiors warning of the surveillance, the magazine reported. In February 2008, an anonymous BND employee notified two members of Germany’s parliament of the intelligence agency’s wiretapping activities. The incident only recently came to light during a Parliament hearing two weeks ago.

German’s Interior Minister Wolfgang Schaeuble raised the specter of terrorism during a TV interview to defend the cyber-espionage tactics as necessary. “It’s about a few isolated cases,” he said, according to an Associated Press report.

The revelations that German intelligence stole information from another country using malicious code is the latest incident of national spying. In November, Germany accused Chinese intelligence officials of spying on its government computer systems. In the United States, the government agency responsible for spying on other countries—and defending American communications against eavesdropping –remains accused of wiretapping communications between US citizens and foreign terrorism suspects. This week, four private investigators in Israel were sentenced to prison for their role in using Trojan horse programs to spy on clients’ rivals.

In a previous controversial incident in Germany, BND agents used a Trojan horse to compromise computers of the Democratic Republic of the Congo, aiming to gather information to help German peacekeepers stationed in the troubled nation.

Der Spiegel is considering filing a lawsuit against the intelligence agency, the magazine stated in its coverage of the incident.

Experts warn over SQL injection attacks

Attackers are increasingly exploiting common database vulnerabilities to leave behind code on thousands of sites, redirecting visitors to servers that host malicious downloads, security experts warned.

The attacks, which apparently started at the beginning of April, attempt to use any field on a Web site that accepts user input to execute commands on the database that stores the site’s information. Since most databases use some variant of the structured query language (SQL), the attack is known as SQL injection.

In the latest spate of compromises, unknown attackers used SQL injection techniques to create malicious iframe blocks on legitimate Web sites. Visitors to a compromised Web site could find their browser executing a Javascript file—simply named 1.js or 1.htm—embedded in the iframe, leading to another site that would attempt to install keylogging software by exploiting several different vulnerabilities.

Estimates of the number of compromised Web pages varied between tens of thousands and just under 200,000—the latter tally based on the number of hits returned in a Yahoo! search.

The most recent spate of SQL injection attacks resembles those that have occurred on and off over the past two years. In January 2007, the attacks gained notoriety when the Web site of Dolphin Stadium, the venue of that year’s Superbowl, was compromised with a similar iframe attack. Earlier this year, the Internet Storm Center, a network-threat monitoring group, warned that such attacks had once again risen in prominence. The ISC issued a warning on Thursday about the latest rounds of attacks.

In November 2007, a survey of Web site databases concluded that a half million were at risk of attack. In its analysis of the attacks, the Shadowserver group predicted that SQL injection will likely become more popular.

Microsoft: Vulnerabilities down, threats up

The total number of vulnerabilities disclosed in 2007 fell nearly 5%, while the amount of malicious code detected jumped more than 40%, according to Microsoft’s latest Security Intelligence Report released on Tuesday.

The report, released twice a year by Microsoft, found that vulnerability disclosures sank approximately 15% in the second half of 2007, and 5% for the year as a whole. The news was not so rosy for high-severity vulnerabilities, the company found. While the number of High-rated vulnerabilities fell in the second half of 2007, the total for the year topped 2006’s tally. Approximately a third of all vulnerabilities in Microsoft products had publicly available exploit code in 2007, the same as the previous year.

While vendors appear to be taming their vulnerabilities, PC users should worry more about malicious code. The amount of malware removed from PCs by Microsoft’s Malicious Software Removal Tool (MSRT) jumped 40% during the last six months of 2007. The most common type of harmful program appears to be Trojan horses that download or drop additional code. Microsoft observed a 300% rise in the incidence of such programs during the second half of 2007.

“Clearly, this category of malware has become a tool of choice for some attackers,” Microsoft stated in the report.

Microsoft’s semi-annual report uses data from various public sources as well as Microsoft’s Malicious Software Removal Tool (MSRT), Windows Defender, Windows Live OneCare, and Exchange Hosted Services. At the RSA conference earlier this month, Microsoft called for an information-technology industry strategy to increase trust in the Internet.