Wednesday, May 16, 2007

Daily Highlights

Boston NOW reports critics and nuclear security experts charge that three nuclear research reactors operated by Massachusetts colleges and universities could be easy targets for terrorist attacks because they lack the stringent security required of larger commercial nuclear power plants. (See item 1)
The Associated Press reports two commuter trains collided in Philadelphia in a downtown tunnel at the beginning of the evening rush hour Monday, May 14, slightly injuring nearly three-dozen people. (See item 15)

Information Technology and Telecommunications Sector

34. May 15, eWeek — Vendor: Cisco IOS Server backdoor may have been planted. A security vendor is questioning whether the IOS FTP Server vulnerabilities Cisco reported on May 9 may constitute an intentionally planted backdoor, as opposed to a series of programming errors that inadvertently led to a backdoor. Chris Eng, director of security services at Veracode, is suggesting that possibility given that a remote attacker would need one of the flaws -- improper authorization checking in IOS FTP -- in order to exploit the second flaw -- an IOS reload when transferring files via FTP. In essence, an attacker can bypass authentication and avoid giving credentials because of the first flaw. The attacker then has to overwrite the critical startup configuration file, and then has to cause the router itself to reboot in order to execute the rewritten configuration file. "Is it a coincidence that both flaws happen to be there at the same time?" Eng asked. "Multiple things have to fall into place to really exercise the full extent of the attack. That seems a little bit odd. It kind of has the trademarks of what you'd expect from [an intentionally planted] backdoor." Together, the flaws open the door for an attacker to retrieve or write any file from the device file system.

35. May 15, IDG News Service — Tech groups support new cybersecurity bill. A tech trade group and a leading cybersecurity vendor applauded new legislation introduced in Congress that would broaden penalties for cybercrime, including first-time penalties for botnet attacks. The Cyber Security Enhancement Act, introduced Monday, May 14, would create for the first time criminal penalties for botnet attacks often used to aid identity theft, denial-of-service attacks, and the spread of spam and spyware. The bill would also allow prosecutors to pursue racketeering charges against cybercriminal groups, would expand sentencing guidelines for cybercrime by allowing the forfeiture of property used to commit the crime, and would add $30 million a year to the budgets of federal agencies fighting cybercrime. The Business Software Alliance, a trade group, and Symantec, a security vendor, both offered support for the legislation.

36. May 15, IDG News Service — Samba developers quash serious bug. Users of the open-source Samba software are being urged to patch their code following the discovery of a critical bug in the file-and-print software. The bug is one of three vulnerabilities that were patched Monday, May 14, by the Samba team in the Samba 3.0.25 release. The flaw is considered to be particularly worrisome for two reasons: It could be remotely exploited by an attacker to run unauthorized code on the Samba server and there is no known work-around for the flaw. Samba ships with Linux and Unix operating systems and is a popular way of allowing Windows clients to print and store files using a Linux or Unix machine.

37. May 15, IDG News Service — AOL buys company to boost mobile ad business. AOL has acquired Third Screen Media to strengthen its position in mobile advertising, a small component of online advertising expected to shoot up in coming years and become a multibillion dollar market. Third Screen Media, which has a mobile ad network and an ad management platform, will become a subsidiary of AOL's division, AOL announced Tuesday, May 15.

38. May 14, IDG News Service — SAP fills gaps with two Nordic acquisitions. In line with its acquisition strategy to fill technology gaps, SAP has purchased two privately held Scandinavian software companies. SAP acquired identity management software company MaXware and Wicom Communications, which designs call-center applications based on IP technology, the German business software maker announced Monday, May 14. Financial details were not disclosed. SAP intends to integrate MaXware's identity management features into its NetWeaver integration middleware in a move to allow businesses to centralize identity management and increase security across their various processes.
