Daily Report Wednesday, January 17, 2007

Daily Highlights

The Departments of Homeland Security and State have issued a reminder that beginning January 23, citizens of the United States, Canada, Mexico, and Bermuda are required to present a passport to enter the United States when arriving by air from any part of the Western Hemisphere. (See item 14)
The Associated Press reports an MD-10 cargo jet equipped with an anti-missile system took off from Los Angeles International Airport on a commercial flight Tuesday, January 16, marking the start of operational testing and evaluation of the laser system designed to defend against shoulder-fired anti-aircraft missiles. (See item 15)

Information Technology and Telecommunications Sector

28. January 16, VNUNet — Oracle flags 52 security flaws. Oracle has issued its first pre-release security patch announcement, flagging up no fewer than 52 critical updates, just as a security company has highlighted the vulnerability of many databases. However, security firm Secerno warned that weaknesses in the development process are often more serious than any vendor vulnerabilities. "This is another step in the right direction by Oracle. As ever, forewarned is forearmed and this move allows IT managers to get to grips earlier with essential patching," said Secerno chief executive Paul Davie. "But users need to beware that it is not the vendor vulnerabilities that they need to focus on, but the critical weaknesses in their development processes." Vulnerabilities in vendor solutions can be mitigated to some extent by timely patching, but users cannot rely on patch management to solve database security problems, according to Davie. Secerno believes that the continuous pressure on developers to drag more and more functionality out of their database should be a much greater cause for concern. Deployment errors caused by poorly configured databases, inappropriate access permissions or badly engineered applications accessing the database are an increasingly worrying trend.
Source: http://www.vnunet.com/vnunet/news/2172616/databases-come-under-security

29. January 15, SecurityFocus — Rainbow table targets Word, Excel crypto. Office workers looking to protect their documents may want to select a higher grade of encryption. Swiss information-technology firm Objectif Sécurité announced last week that its latest pre-generated list of passwords and their hashes, known as a rainbow table, can now crack the standard encryption on Word and Excel documents in about five minutes on average. Using about four gigabytes of data, the program, named Ophcrack_office, can quickly defeat almost 99.6 percent of all passwords, according to the company. "What happens is that we actually crack the 40-bit key that is used to encrypt Word and Excel documents," said Philippe Oechslin, CEO of Objectif Sécurité and the inventor of rainbow tables. "We found a way to use the same tables for both Word and Excel, although they have different file formats." Because the table targets the 40-bit encryption key rather than the password that produced it, a longer or more complex password adds no protection against this attack; only a stronger encryption option does. Rainbow tables trade a one-time precomputation over nearly the whole key space, stored compactly as chains rather than as every key and its result, for a per-document lookup that takes minutes instead of a brute-force search of the full key space.
Source: http://www.securityfocus.com/brief/407
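Added example, not code from the article or from Objectif Sécurité's Ophcrack_office: a toy rainbow table in Python against a 12-bit RC4 key. The legacy Office 97/2000 scheme is RC4 with a 40-bit key; the smaller key space here is an assumption made so the tables build in a couple of seconds, and the chain length, chain count, start-key spacing and SHA-1 based reduction functions are this example's own choices. The "document" is modelled as the first four RC4 keystream bytes, standing in for an encrypted known verifier. It shows the two points the item makes: the chains walk the key space, so the user's password never enters the picture, and several independent tables push coverage toward the figure the vendor quotes.

```python
"""Toy rainbow table: recover a short RC4 key from a known-plaintext observation.

Added example. Key space shrunk from Office's 40 bits to 12 bits (assumption, so it
runs in seconds); chains, per-column reductions, endpoint lookup and multiple
tables are the real structure of the technique.
"""
import hashlib
from typing import Dict, List, Optional, Set, Tuple

KEY_BITS = 12                 # toy: 2**12 keys (the Office tables cover 2**40)
N_KEYS = 1 << KEY_BITS
CHAIN_LEN = 60                # t: links per chain (our choice)
CHAINS_PER_TABLE = 120        # m: chains per table; only (endpoint, start) is stored
N_TABLES = 3                  # independent tables raise coverage


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA), the cipher behind legacy Office encryption."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def observe(key: int) -> bytes:
    """What the attacker can read from a file: the encryption of a known 4-byte
    verifier, i.e. the first four keystream bytes. Depends on the key only."""
    return rc4_keystream(key.to_bytes(2, "big"), 4)


def reduce_to_key(observed: bytes, column: int, table_id: int) -> int:
    """Map an observation back into the key space. A different function per
    column is what makes the table 'rainbow': chains that collide in different
    columns diverge again instead of merging."""
    tag = bytes([table_id, column & 0xFF, column >> 8])
    return int.from_bytes(hashlib.sha1(tag + observed).digest()[:4], "big") % N_KEYS


def start_key(m: int, table_id: int) -> int:
    """Deterministic distinct start points (odd multiplier is a bijection mod 2**KEY_BITS)."""
    return (m * 2654435761 + table_id * 40503) % N_KEYS


def build_tables() -> Tuple[List[Dict[int, int]], Set[int]]:
    """Precompute every table. Returns endpoint->start maps plus the set of keys
    that are actually recoverable (chains whose endpoint was already taken by an
    earlier, merged chain are dropped and not counted)."""
    tables: List[Dict[int, int]] = []
    covered: Set[int] = set()
    for table_id in range(N_TABLES):
        table: Dict[int, int] = {}
        for m in range(CHAINS_PER_TABLE):
            start = key = start_key(m, table_id)
            chain = []
            for col in range(CHAIN_LEN):
                chain.append(key)
                key = reduce_to_key(observe(key), col, table_id)
            if key not in table:          # same endpoint == merged chain, discard it
                table[key] = start
                covered.update(chain)
        tables.append(table)
    return tables, covered


def lookup(observed: bytes, tables: List[Dict[int, int]]) -> Optional[int]:
    """Return a key that produces `observed`, or None if no chain covers it."""
    for table_id, table in enumerate(tables):
        for col in range(CHAIN_LEN - 1, -1, -1):
            # Hypothesis: the unknown key sat in column `col`; replay the chain tail.
            key = reduce_to_key(observed, col, table_id)
            for c in range(col + 1, CHAIN_LEN):
                key = reduce_to_key(observe(key), c, table_id)
            start = table.get(key)
            if start is None:
                continue
            # Endpoint hit: regenerate that chain and test each key. This can be
            # a false alarm (an unrelated chain merged into it), hence the check.
            key = start
            for c in range(CHAIN_LEN):
                if observe(key) == observed:
                    return key
                key = reduce_to_key(observe(key), c, table_id)
    return None


if __name__ == "__main__":
    tables, covered = build_tables()
    print(f"key space {N_KEYS}, recoverable {len(covered) / N_KEYS:.1%}, "
          f"stored entries {sum(len(t) for t in tables)}")
    secret = sorted(covered)[len(covered) // 2]    # constructed: a key the table covers
    ciphertext = observe(secret)                   # the only thing read from the 'file'
    found = lookup(ciphertext, tables)
    print(f"observed {ciphertext.hex()} -> key {found:#05x}")
```

Note that the stored size is m entries per table, not one entry per key: here a few hundred (endpoint, start) pairs stand in for 4,096 keys, and the same ratio is what lets the vendor's tables for 2^40 keys fit in roughly four gigabytes. A key is missed only when no chain in any table passes through it, which is why the coverage figure is quoted as a percentage rather than as certainty.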

30. January 13, IDG News Service — Hackers looking forward to iPhone. Within hours of Apple's iPhone unveiling on Tuesday, January 9, the iPhone was a hot topic on the Dailydave discussion list, a widely read forum on security research. Much of the discussion centered on the processor that Apple may have chosen to power its new device and what kind of assembly language "shellcode" might work on this chip. In an e-mail interview, one of the hackers behind the "Month of Apple Bugs" project, which is disclosing new Apple security vulnerabilities every day for the month of January, said he "would love to mess with" the iPhone. "If it's really going to run OS X, [the iPhone] will bring certain security implications, such as potential misuses of wireless connectivity facilities [and] deployment of malware in a larger scale," the hacker known as LMH wrote in an e-mail. Because the device could include a range of advanced computing features, such as Apple's Bonjour service-discovery protocol, it could provide many avenues of attack, according to LMH. "The possibilities of a worm for smartphones are something to worry about," he wrote. "Imagine Bonjour, and all the mess of features that OS X has, concentrated in a highly portable device which relies on wireless connectivity."
Source: http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9008038

31. January 12, CNET News — CA addresses backup software flaws. CA, formerly known as Computer Associates International, on Thursday, January 11, issued updates for its BrightStor ARCserve Backup software to address several security vulnerabilities. The most serious of the flaws could be exploited to compromise a vulnerable system. "CA BrightStor ARCserve Backup contains multiple overflow conditions that can allow a remote attacker to execute arbitrary code," CA said in an alert. The problems affect only Windows systems, the company said. The BrightStor ARCserve Backup Tape Engine service, Mediasvr service, and ASCORE.dll file are affected, it said.
CA Alert: http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97428
Source: http://news.com.com/CA+addresses+backup+software+flaws/2110-7349_3-6149978.html
