Wednesday, August 8, 2007

Daily Highlights

Web scammers are turning to online property forums −− where renters and buyers post phone numbers, instant messenger nicknames, and e−mail addresses along with descriptions of the property they want −− to collect personal information about users for later attempts to swindle them out of money. (See item 6)
·
The Associated Press reports New Orleans' 3,200−mile system of water and sewer lines −− old, leaky and in need of improvements before Hurricane Katrina −− was further damaged by the torrent of pipe−corroding salt water, and is now losing at least 50 million gallons of water a day to leaks. (See item 20)
·
Information Technology and Telecommunications Sector

27. August 07, ComputerWorld UK — E−voting must stop, warns UK Electoral Commission. The UK Electoral Commission has called for a halt to electronic voting unless major changes are made to the way the voting systems are implemented and secured. The watchdog has issued a series of reports on pilot projects commissioned by the Ministry of Justice that allowed Internet and telephone voting in some areas of England in last May's local elections. A second set of reports examined electronic counting pilots. A report by independent observers from the Open Rights Group, published in June, painted a grim picture of crashed computers and concerns about the systems' security and reliability. The group's concerns are echoed in the new reports. E−voting "should not be pursued any further without significant improvements to testing and implementation and a system of individual voter registration," the commission said. Although remote voting systems had "in broad terms" proved successful and facilitated voting, "the level of implementation and security risk involved was significant and unacceptable," the watchdog found.
UK Electoral Commission: http://www.electoralcommission.org.uk/
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9029240&intsrc=hm_list

28. August 06, CNET News — Qualcomm cell phone ban to take effect. Qualcomm is running out of options as a trade ban goes into effect that will prohibit the import into the U.S. of any 3G handset using Qualcomm chips that have been found to infringe on patents owned by rival Broadcom. President Bush's administration said Monday, August 6, that it would not veto a decision handed down in June by the International Trade Commission that would prohibit the import of cell phones using the chips that infringe on Broadcom patents. The ban went into effect Tuesday. But Qualcomm said that it's not giving up. The company still maintains that Broadcom's patents are not valid. And it said it's still working on an appeal and stay request with the Federal Circuit Court of Appeals. Qualcomm is the dominant semiconductor manufacturer for two next−generation technologies −− EV−DO and WCDMA −− that are being used today by three of the four major U.S. operators to build their next generation of high−speed wireless networks. Under the ban, cell phone manufacturers and mobile operators will not be allowed to import any future models of phones that use this technology.
Source: http://news.com.com/Qualcomm+cell+phone+ban+to+take+effect/2100−1036_3−6201079.html?tag=nefd.lede

29. August 06, University of California−San Diego — Computer scientists find way to fight spam scams. Computer scientists from University of California−San Diego (UCSD) have found striking differences between the infrastructure used to distribute spam and the infrastructure used to host the online scams advertised in these unwanted e−mail messages. This discovery should aid in the fight to reduce spam volume and shut down illegal online businesses and malware sites. While hundreds or thousands of compromised computers may be used to relay spam to users, most scams are hosted by individual Web servers, computer scientists from the UCSD Jacobs School of Engineering have found. Based on an analysis of over one million spam e−mails, 94 percent of the scams advertised via embedded links are hosted on individual Web servers, according to new peer−reviewed research to be presented at the USENIX Security 2007 conference in Boston on Thursday, August 9. “A given spam campaign may use thousands of mail relay agents to deliver its millions of messages, but only use a single server to handle requests from recipients who respond. A single takedown of a scam server or a spammer redirect can curtail the earning potential of an entire spam campaign,” write the UCSD computer scientists in their paper.
Report: http://www.cse.ucsd.edu/users/voelker/pubs/spamscatter−secur ity07.pdf
Source: http://www.jacobsschool.ucsd.edu/news/news_releases/release. sfe?id=679

30. August 06, SecurityFocus — Stanford Security Lab investigates domain−name service rebinding. On a summer day seven weeks ago, a small group of software architects and network engineers descended on Stanford University, worried. The group had been summoned by a team of student researchers and professors at Stanford's Security Lab. The researchers had investigated reports that a critical part of browser security could be bypassed, allowing an online attacker to connect to browser−accessible resources on a victim's local network. While previous attacks using JavaScript could send data to a network, the attack investigated by Stanford −− known as domain−name service rebinding −− could send and receive data from the local network, completely bypassing the firewall. To prove the danger, the Stanford students bought placement for a Flash advertisement on a marketing network and found that, for less than $100, an attacker could have hijacked as many as 100,0000 Internet addresses in three days. David Byrne, security architect with EchoStar Satellite, and Dan Kaminsky, director of penetration testing at IOActive −− gave separate presentations on the subject at the Black Hat Security Briefings and the DEFCON hacking conference. Their warning: Corporate firewalls and virtual private networks could easily be penetrated using this technique, and any permanent fix will take time.
Source: http://www.securityfocus.com/news/11481