Daily Report Friday, January 12, 2007

Daily Highlights

Reuters reports a new study casts doubt on nuclear waste storage safety, and materials that scientists had hoped would contain nuclear waste for thousands of years may not be as safe and durable as previously thought. (See item 2)
The Sun-Herald reports that all 16 counties in the Southwest Florida Water Management District are experiencing a "severely abnormal" drought and are now under a "Phase 2 water shortage" that will remain in effect until July 31 unless conditions improve. (See item 25)

Information Technology and Telecommunications Sector

30. January 11, IDG News Service — Google irks Website owners over malware alerts. Some Website operators are complaining that Google is flagging their sites as containing malicious software when they believe their sites are harmless. At issue is an "interstitial" page that appears after a user has clicked on a link within Google's search engine results. If Google believes a site contains malware, the page will appear, saying "Warning - visiting this Website may harm your computer!" Google does not block access to the site, but a user would have to manually type in the Website address to continue. Organizations are complaining their sites do not contain malicious software, and the warning is embarrassing. Google's warning page contains a link to Stopbadware.org, a project designed to study legal and technical issues concerning spyware, adware, and other malicious software. Organizations should work with their Web hosting provider to check for security problems, Stopbadware.org said.
Source: http://www.infoworld.com/article/07/01/11/HNgooglemalwarealertsirk_1.html

31. January 11, New York Times — Firms fret as office e-mail jumps security walls. Companies spend millions on systems to keep corporate e-mail safe. If only their employees were as paranoid. A growing number of Internet-literate workers are forwarding their office e-mail to free Web-accessible personal accounts offered by Google, Yahoo and other companies. Their employers, who envision corporate secrets leaking through the back door of otherwise well-protected computer networks, are not pleased. It is a battle of best intentions: productivity and convenience pitted against security and more than a little anxiety. Corporate techies want strict control over internal company communications and fear that forwarding e-mail might expose proprietary secrets to prying eyes. Employees just want to get to their mail quickly, wherever they are, without leaping through too many security hoops. So far, no major corporate disasters caused by this kind of e-mail forwarding have come to light. But security experts say the risks are real. Also, because messages sent from Web-based accounts do not pass through the corporate mail system, companies could run afoul of federal laws that require them to archive corporate mail and turn it over during litigation.
Source: http://www.nytimes.com/2007/01/11/technology/11email.html?_r=1&ref=technology&oref=slogin

32. January 11, VNUNet — Bug found in Apple security patch software. The group behind the Month of Apple Bugs (MoAB) project has found a flaw in software designed to fix security issues on Apple Macs. The vulnerability affects the Application Enhancer (Ape) software, which was designed by a rival group trying to combat the flaws highlighted by MoAB. The bug could allow malicious users on a local system to replace Ape's binary code and take control of the root privileges on a computer. "Like the previous local exploits, this could be combined with a remote exploit to gain root privileges from an administrator account without user interaction," said Landon Fuller, author of the Ape software, on his blog. "There are also a number of alternative exploit conditions that could occur due to the admin-writability of other directories in /Library."
Source: http://www.vnunet.com/vnunet/news/2172335/apple-flaw-found-security-patch

33. January 10, eWeek — Hosted VoIP services grow, report shows. In-Stat, a technology research firm, released its latest research study Wednesday, January 10, that showed that hosted Voice over IP (VoIP) telephony usage has increased among small businesses. The study, "Hosted VoIP: Steady Growth, But Will the Boom Come?" found that small businesses have the most hosted VoIP deployments in the 20-to-50-seat range and that hosted VoIP will continue to grow over the next few years with revenues expected to exceed $2 billion by 2010. "Most business customers adopt hosted VoIP with the expectation of cost savings, but soon come to value the feature functionality and integration with data networks the application provides," said David Lemelin, senior analyst at In-Stat. "As a result, hosted VoIP solutions are becoming more valuable." The study from In-Stat found the following: 1) U.S.-hosted VoIP seats in service are expected to continue to increase consistently to more than 3 million in 2010; 2) For hosted VoIP services, cost savings is the main appeal; 3) Businesses that have several office locations as well as the mobile worker are most attracted to hosted VoIP solutions.
Source: http://www.eweek.com/article2/0,1895,2081954,00.asp

34. January 10, eWeek — VeriSign offers hackers $8,000 bounty on Vista, IE 7 flaws. VeriSign's iDefense Labs has placed an $8,000 bounty on remote code execution holes in Windows Vista and Internet Explorer (IE) 7. The Reston, VA, security intelligence outfit threw out the monetary reward to hackers as part of a challenge program aimed at luring researchers to its controversial pay-for-flaw Vulnerability Contributor Program. The launch of the latest hacking challenge comes less than a month after researchers at Trend Micro discovered Vista flaws being hawked on underground sites at $50,000 a pop and illustrates the growth of the market for information on software vulnerabilities. iDefense isn't the only brand-name player in the market. 3Com's TippingPoint runs a similar program, called Zero Day Initiative, that pays researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code. The companies act as intermediaries in the disclosure process -- handling the process of coordinating with the affected vendor -- and use the vulnerability information to beef up protection mechanisms in their own security software, which is sold to third parties.
Source: http://www.eweek.com/article2/0,1895,2082014,00.asp

35. January 10, IDG News Service — NSA helped Microsoft make Vista secure. The U.S. agency best known for eavesdropping on telephone calls had a hand in the development of Microsoft's Vista operating system, Microsoft confirmed Tuesday, January 9. The National Security Agency (NSA) stepped in to help Microsoft develop a configuration of its next-generation operating system that would meet Department of Defense requirements, said NSA spokesperson Ken White. This is not the first time the secretive agency has been brought in to consult with private industry on operating system security, White said, but it is the first time the NSA has worked with a vendor prior to the release of an operating system. By getting involved early in the process, the NSA helped Microsoft ensure that it was delivering a product that was both secure and compatible with existing government software, he said. Still, the NSA's involvement in Vista raises red flags for some. Part of this concern may stem from the NSA's reported historical interest in gaining "back-door" access to encrypted data produced by products from U.S. computer companies like Microsoft.
Source: http://www.infoworld.com/article/07/01/10/HNnsamadevistasecure_1.html

36. January 10, Security Focus — Acer ships laptops with security hole. Computer maker Acer has shipped its notebook computers with an ActiveX control that lets any Website install software on the machine, security researchers warned this week. The ActiveX control -- named LunchApp.ocx -- appears to be a way for the company to easily update customer laptops, but also allows others to do the same thing, anti-virus firm F-Secure stated in a blog post on Tuesday, January 9. The security problem, first discovered in November by security researcher Tan Chew Keong, was confirmed by antivirus firm F-Secure. "The library, named LunchApp.ocx, is probably supposed to help with browsing the vendor's Website, enable easy updates and such," wrote F-Secure's research team. "It turns out it also makes all those machines vulnerable to a specially crafted HTML file that could instantly download malicious file(s) onto the user's machine and then execute them."
Source: http://www.securityfocus.com/brief/404