Security Bytes - A SearchSecurity.com blog



The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Metasploit gets a facelift

HD Moore has just released an upgrade for his popular Metasploit attack application, complete with a new Windows interface that will allow more researchers to use it. Moore says in his Metasploit blog that Version 3.1 features a graphical user interface, full support for the Windows platform and over 450 modules, including 265 remote exploits.

The latest version includes a “bristling arsenal” of exploit modules that are sure to put a smile on the face of every information warrior, Moore says in a press release. “Notable exploits in the 3.1 release include a remote, unpatched kernel-land exploit for Novell Netware, written by toto, a series of 802.11 fuzzing modules that can spray the local airspace with malformed frames, taking out a wide swath of wireless-enabled devices, and a battery of exploits targeted at Borland’s InterBase product line,” he adds.

ChoicePoint saga comes to a close

Remember ChoicePoint? Four years ago the data broker kicked off what became a years-long deluge of enterprise data breaches by allowing more than 160,000 customer records to be stolen. It seems like small potatoes today, but back in 2005 things were so bleak that ChoicePoint landed at the top of our 2005 IT winners and losers year-in-review column. Hint: it wasn’t a winner.

Today, things are looking up for ChoicePoint, at least in part. This follows word that ChoicePoint has settled a class-action lawsuit over the theft, agreeing to fork over $10 million to make it go away. I’m not a math genius, but 10 million divided by 160,000 or so (minus legal costs) doesn’t seem like a very satisfying outcome for the victims.

Adding insult to injury, the SEC has decided against pursuing legal action against CEO Derek Smith and COO Doug Curling, who together pocketed more than $16 million in profit by selling ChoicePoint stock after the company found out about the data breach — but before word of the breach was disclosed to the public.

So as the story closes, victims get enough scratch for a few cups of coffee at Starbucks, and rich executives ride off into the sunset. Hmmm, Hollywood might want to rewrite the ending to this one.

Look how far we’ve come

Once upon a time, it was fairly simple for security researchers to identify and eliminate phishing sites or sites hosting malware. Most of them were hosted on sketchy domains, often in countries such as Brazil, Russia or the Czech Republic. If researchers couldn’t get the owner of the domain to take the site down, they could usually isolate it and divert traffic away from it. But these days, most of the sites that host rootkits, Trojans and other malware are otherwise-legitimate sites that have been compromised. Once an attacker has compromised the server on which a site is hosted, he can park whatever malware he wants on the server and then serve it up to ignorant users through browser exploits.

This has been going on for some time, but now researchers at Sophos say they’re seeing about 6,000 new compromises of this kind every day. That’s a fairly obscene number and it doesn’t paint a very flattering picture of the state of Web server security at these sites. And with that kind of volume it’s all but impossible to notify all of the site owners about the compromises. So instead, it’s apparently up to the users, as usual, to protect themselves from all of this. Why does that sound so familiar…

Cisco plugs security holes in PIX, ASA

Cisco has delivered a security update for flaws in its popular PIX 500 Series Security Appliance (PIX) and 5500 Series Adaptive Security Appliance (ASA).

Says Cisco: “A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL) decrement feature is enabled.”

Secunia deemed this issue “moderately critical” in Secunia advisory SA28625, saying that the bad guys can exploit this to launch denial-of-service attacks.

“The vulnerability is caused due to an unspecified error in the processing of IP packets,” Secunia said. “This can be exploited to reload an affected device via specially crafted IP packets.”

CIA confirms cyber attack caused blackout

In case there was any doubt left out there that attackers, whether state-sponsored or acting on their own, are aiming at high-value targets such as financial systems and large-scale control systems, a CIA analyst late last week told attendees at a conference that the agency has confirmed that a direct computer attack caused a multi-city blackout recently. The analyst, Tom Donahue, did not specify when the attack took place or which cities were affected, but did say it was outside the United States.

In a statement released through The SANS Institute, Donahue said the CIA carefully considered whether to release any information about the incident.

“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States,” Donahue said. “In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”

Security experts, government officials and others for years have been speculating about the potential for such an attack, and many experts have said that the computer systems that control water, electric and other utilities are vulnerable to sophisticated cyber attacks. However, there has been little in the way of concrete data or even anecdotal evidence of such attacks, until now. The question now is whether this is an isolated incident or just the first public acknowledgment of a more widespread problem that has been bubbling under the surface for some time. Based on conversations I’ve had with former government security officials and industry experts who track these things, I tend to think it’s the latter. But we’ll probably never know the full size and shape of the problem, given the need for discretion on these topics.

Microsoft hires Linux security guru Crispin Cowan

Microsoft has added yet another big name to its Windows Security team: Crispin Cowan. These hirings have become old hat at this point, but this one has an interesting twist in that Cowan is renowned as a Linux security expert. He is the brains behind the StackGuard compiler, which is designed to turn out applications that are resistant to buffer overflows. Cowan also was the CTO and founder of Immunix, which produced a hardened Linux OS and was acquired by Novell in 2005.

Here’s what Microsoft’s Michael Howard had to say about Cowan’s hiring:

He’s well published, wicked smart, a non-zealot and brutally pragmatic. In my opinion, AppArmor is a shining example of his pragmatism; it’s simple and it works. What excites me the most is he’ll bring a different perspective to the Windows team, and I’m a big believer in stirring the pot! Crispin will work in the same team that worked on User Account Control (UAC) and integrity levels, an area he knows a great deal about.

Cowan is probably as respected as anyone in the security community and he is unafraid to speak his mind. It should be fascinating to see how he works inside the ropes in Redmond and what effect his open-source background will have on the ways things work.

Laptop stolen from Royal Navy

The latest entity to report the loss of a laptop with sensitive data is Her Majesty’s Royal Navy. The BBC reported that police are investigating the theft of a laptop from a Royal Navy officer that had the personal details of 600,000 new and potential recruits to the Royal Marines, Navy and Air Force. The data included doctors’ addresses for people who submitted an application to the forces, national insurance numbers, family and passport details, and bank details on at least 3,500 people.

Early reports are that the data was not encrypted.

This latest news comes as I’m finishing up a feature for Information Security magazine on laptop encryption. The main lesson, security experts tell me, is that these missing laptops would not rate a headline if only they had full-disk encryption.

Putting encryption on every laptop isn’t easy if you’re a company with limited financial resources and bandwidth. But in my view, there’s no excuse for an organization the size of the British Royal Navy to be putting unencrypted laptops in the field.

Now they get to learn the lesson the hard way.

Information security makes the silver screen

Information security hit the big screen — well, not so big screen — with the debut of Fortify Software’s documentary, “The New Face of Cybercrime” Thursday in San Francisco.

Billed as a “world premier,” the showing of the short film was in a small, private theater inside a movie complex, and attended by about 130 people. The slick film, which features security experts like Marcus Ranum, Gary McGraw and Howard Schmidt, along with corporate executives and an ominous soundtrack, is a basic primer for the general public on information security.

Director Frederic Golding told the audience during a panel discussion after the showing that the film is intended to generate awareness of information security threats for the masses (although the film did make a point to convey the importance of application security — Fortify’s business). “To a lot of you here, it probably seemed very simple,” he said.

Still, the audience, made up mostly of IT security professionals, was full of harsh critics. “You didn’t make it scary enough,” a network security engineer told the filmmakers during a Q&A after the panel. The movie touched on issues like cross-site scripting but should have delved deeper, he said, adding, “The only way to get people to open their eyes is through shock.” Others said the film didn’t discuss enough of the end user experience, or show how laws haven’t caught up to modern cybercrime.

Golding and Roger Thornton, Fortify founder and CTO and the film’s executive producer, took turns defending the film and both said they would have liked to include interviews with cybercriminals but were warned by law enforcement that it was too dangerous.

At a reception afterwards, Craig Rosenberg, a network engineer at Serena Software, said the movie was good but didn’t go into as much depth as he’d like. Some details on what end users can do to protect their PCs might have been good, he said.

No word on a sequel, and there’s no Hollywood premiere slated for the film — private screenings are scheduled for later this month in New York and London.


Happy Valentine’s Day from the Storm Trojan

Valentine’s Day isn’t for another month, but that’s not stopping controllers of the Storm Trojan from using the holiday theme to trick users into downloading the malware.

A posting on the SANS Internet Storm Center Web site describes another wave of Storm emails with a subject designed to catch the recipient’s attention and an email body with a URL consisting of only an IP address. Once a user visits the Web site he is “served with a nice web page and a link to download an executable,” the ISC says — the same trick used in previous attacks. The user will see something like this:

[Image: Valentine Storm]

The advice here is the same as always: Don’t click on URLs and email attachments from sources you don’t know and trust.
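Two of the items above describe the same defensive signal from different angles: the Sophos item on otherwise-legitimate sites compromised to serve malware, and the Storm mailings whose link is nothing but an IP address. The script below is an added example, not code from the Security Bytes posts, SANS or Sophos. It flags URLs whose host is a bare IP literal (in a mail body or in page source) and, separately, iframes that are hidden or IP-hosted and scripts pulled from an IP-literal host in served HTML. The sample mail and sample page are constructed, and the 192.0.2.x and 198.51.100.x addresses are documentation ranges rather than real hosts.

```python
"""Added example (not from the Security Bytes posts, SANS or Sophos):
two small checks a defender can run over mail bodies and served HTML.

1. find_ip_literal_urls(): the Storm mailings used a URL that was nothing
   but an IP address, so URLs whose host is a bare IP literal (v4 or v6)
   are worth flagging in inbound mail.
2. find_injected_content(): compromised legitimate sites commonly carry an
   injected hidden <iframe>, or a <script> fetched from an IP-literal host.

All sample inputs below are constructed; 192.0.2.x / 198.51.100.x are
documentation address ranges, not real hosts.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches http(s) URLs up to whitespace, quotes or angle brackets.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)


def is_ip_literal_host(url: str) -> bool:
    """True when the URL's host is an IPv4/IPv6 literal rather than a name."""
    try:
        host = urlsplit(url).hostname  # strips scheme, port and IPv6 brackets
        if host is None:
            return False
        ipaddress.ip_address(host)  # raises ValueError for a DNS name
        return True
    except ValueError:  # malformed URL or a hostname that is not an IP
        return False


def find_ip_literal_urls(text: str) -> list[str]:
    """Return every URL in text (mail body, page source) whose host is an IP literal."""
    found = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!?)")  # drop trailing sentence punctuation
        if is_ip_literal_host(url):
            found.append(url)
    return found


class _InjectedContentFinder(HTMLParser):
    """Collects iframes that are hidden or IP-hosted, and IP-hosted scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases tag/attr names
        src = a.get("src", "")
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            if hidden or is_ip_literal_host(src):
                self.findings.append(("iframe", src))
        elif tag == "script" and src and is_ip_literal_host(src):
            self.findings.append(("script", src))


def find_injected_content(html: str) -> list[tuple[str, str]]:
    """Return (tag, src) pairs for suspicious iframes/scripts in an HTML page."""
    parser = _InjectedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample inputs (not real Storm mail or a real compromised site).
STORM_EMAIL = """Subject: I Love You Soo Much

Your heart belongs to me, see http://192.0.2.10/ today!
"""

COMPROMISED_PAGE = """<html><body><h1>Welcome to Example Corp</h1>
<p>Our catalogue is <a href="https://www.example.com/catalogue">here</a>.</p>
<iframe src="http://198.51.100.7/in.php" width=0 height=0 style="display:none"></iframe>
<script src="https://cdn.example.com/app.js"></script>
</body></html>"""


if __name__ == "__main__":
    print("IP-literal URLs in mail:", find_ip_literal_urls(STORM_EMAIL))
    print("Injected content in page:", find_injected_content(COMPROMISED_PAGE))
```

An IP-literal host is a heuristic, not proof of malice (internal tools and some CDNs use them), so treat a hit as a reason to inspect rather than an automatic block; the hidden-iframe check is the stronger signal on a page that should not contain any iframe at all.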