Tuesday, April 24, 2007

Daily Highlights

The Transportation Security Administration, American Association of Airport Executives, Airports Council International-North America, and National Air Transportation Association have announced a six-point plan to maximize the effectiveness of screening employees at airports. (See item 16)
The General Services Administration has unveiled a redesign of USA.gov, the federal government’s official Web portal, which provides a centralized place to search for information on hundreds of government services, from checking tax refund status to contacting elected officials. (See item 27)

Information Technology and Telecommunications Sector

33. April 23, USA TODAY — Cyberspies exploit Microsoft Office. Cyberspies have a new secret weapon: tainted Microsoft Office files. A rising number of cyberattacks are taking aim at specific individuals at critical government agencies and corporations -- enticing them to unwittingly open a corrupted Word, Excel or PowerPoint file sent as an e-mail attachment. Clicking on the file relinquishes control of the PC without the user's knowledge. The attacker then uses the compromised PC as a base from which to roam the organization's internal network. Federal agencies and defense and nuclear contractors are under assault. Security firm MessageLabs says it has been intercepting a series of attacks from PCs in Taiwan and China since November. In early 2006, security experts detected one or two such attacks a week. Last month, MessageLabs intercepted 716 e-mails carrying corrupted Office files aimed at 216 different agencies and companies. Assaults are coming from China and perhaps other countries in the hunt for military, trade and infrastructure intelligence, says Alan Paller, research director at The SANS Institute, a security think tank. The goal: strategic advantage over the USA. "The attacks are working," says Paller. "Penetrations are deep and broad."
Source: http://www.usatoday.com/tech/news/computersecurity/2007-04-22-cyberspies-microsoft-office_N.htm

34. April 23, eWeek — Oracle issues database patch postponed for testing. Oracle has released a missing fix for the database flaw rated most deadly in the Critical Patch Update the company released last week. The flaw, dubbed DB01 in the update issued April 17, is in the Core RDBMS (relational database management system) and can be remotely exploited over the network by an attacker sans user identification or password authentication. The flaw is specific to the Windows operating system and affected the version of the database. On Friday, April 20, Eric Maurice of Oracle posted a note on a company blog announcing the Critical Patch Update for the Windows 32-bit version of the database is now available.
Oracle blog: http://blogs.oracle.com/security/2007/04/20#a59
Source: http://www.eweek.com/article2/0,1895,2120914,00.asp

35. April 20, IDG News Service — Hacker shows Mac break-in. A hacker managed to break into a Mac and win a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver. In winning the contest, he exposed a hole in Safari, Apple's browser. "Currently, every copy of OS X out there now is vulnerable to this," said Sean Comeau, one of the organizers of CanSecWest. The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail. Dino Dai Zovi, who lives in New York, sent along a URL that exposed the hole. Because the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on. The URL opened a blank page but exposed a vulnerability in input handling in Safari.
Source: http://www.infoworld.com/article/07/04/20/HNmachackedatconference_1.html

36. April 20, IDG News Service — Kickbacks on federal IT contracts widespread, involved millions, DOJ charges. An alleged multimillion-dollar kickback scheme involving work on numerous U.S. government contracts touches dozens of IT vendors and systems integrators, according to court documents unsealed Friday, April 20. The allegations set up a major confrontation between the U.S. government and virtually the entire U.S. IT industry. The U.S. Department of Justice (DOJ) filings list improper kickbacks on a number of contracts, including ones from the U.S. Army, the Air Force, the FBI, the Department of State, the General Services Administration, the Department of Education and the U.S. Postal Service. The DOJ announced it had joined three whistle-blower lawsuits against Hewlett-Packard Co., Sun Microsystems Inc. and Accenture Ltd. The DOJ's complaints allege that the three companies, through "alliance partnerships" with dozens of other vendors, exchanged millions of dollars in illegal rebates and other payments since the late 1990s. The DOJ complaints accuse Accenture and other systems integrators of collecting money from IT vendors in exchange for preferential treatment on government contracts they were working on, or in exchange for strong recommendations to potential government customers. The defendants did not report these kickbacks to the U.S. government, the DOJ alleges.
DOJ press release: http://www.usdoj.gov/opa/pr/2007/April/07_civ_265.html
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9017361&intsrc=hm_list

37. April 20, Network World — Nortel warns of three VPN Router product flaws. Nortel last week warned of several backdoors, and other flaws, in its VPN and secure routing products that could allow unauthorized remote access to an enterprise network. User accounts used for diagnostics on Nortel VPN routers (formerly known as Contivity) could be used to gain access to a corporate VPN. In another potential vulnerability, unauthorized remote users could also gain administrative access to a VPN router through a Web interface. A third vulnerability could result in someone cracking users' VPN passwords. Nortel says it has issued software that fixes these flaws. Product versions affected include all Nortel VPN router models -- 1000, 2000, 3000, 4000 and 5000.
Source: http://www.networkworld.com/news/2007/042007-nortel-vpn-router-flaw.html