Thursday, August 23, 2007

Daily Highlights

· The U.S. House Committee on Transportation and Infrastructure will hold a hearing on deficient bridges nationwide starting on September 5; there are 73,784 bridges in the United States rated "structurally deficient" by the Department of Transportation. (See item 11)
· The St. Louis Post-Dispatch reports a 29-member task force on campus security has presented a report on emergency instructions for college classes to Missouri Governor Matt Blunt. (See item 25)
Information Technology and Telecommunications Sector

30. August 22, Register (UK) — Two security flaws uncovered in Cisco IP phones. Cisco has advised users to update the firmware on some of its IP phones following the discovery of two security flaws. A brace of Session Initiation Protocol (SIP) vulnerabilities in Cisco 7940/7960 IP Phones creates the potential for attackers to crash vulnerable handsets, but not to run exploit code on them. Cisco IP Phone 7940/7960 SIP firmware versions prior to 8.7(0) are vulnerable to the denial-of-service attacks, Cisco warns. Users are advised to update their firmware to version 8.7(0).
Cisco Advisory: http://www.cisco.com/warp/public/707/cisco-sr-20070821-sip.shtml
Source: http://www.theregister.co.uk/2007/08/22/cisco_ip_phone_vuln/

31. August 21, eWeek — Report: Mobile users often lax about security. When it comes to securing a wireless workforce, enterprises may have their hands full, according to a study performed by the research firm InsightExpress. The research found that 73 percent of mobile users admitted they are not always cognizant of security threats and best practices. More than 25 percent also conceded they either hardly ever or never consider security risks and proper behavior, offering reasons such as "I'm busy and need to get work done" and "It's IT's job, not mine" as justifications. The online survey included responses from 700 mobile workers in seven countries, including China, Germany, India and the United States. In the United States, 36 percent of those surveyed said they were unconcerned or hardly concerned with threats when using wireless devices. Employees in the U.S. were the third most likely to have received IT training on security risks and controls, with 46 percent reporting they had. China was first with 58 percent, while India was second with 55. Forty-four percent of all mobile users surveyed admitted to opening e-mails and/or attachments from unknown or suspect sources.
Source: http://www.eweek.com/article2/0,1895,2173823,00.asp

32. August 21, VNUNet — Security flaw hits Symantec Enterprise Firewall. Symantec's Enterprise Firewall can be compromised by hackers via a username enumeration vulnerability, security experts warned Tuesday, August 21. NTA Monitor said that the flaw can occur when the devices are configured for remote access (client-to-gateway) VPNs using pre-shared key authentication. The devices respond differently to valid and invalid usernames, allowing an attacker to exploit this difference to determine whether a given user exists. It is also possible to use the vulnerability to enumerate valid users on the system, either by brute force or by trying likely usernames, the security firm warned.
Symantec Advisory: http://securityresponse.symantec.com/avcenter/security/Content/2007.08.16.html
Source: http://www.vnunet.com/vnunet/news/2197071/symantec-enterprise-firewall
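The following is an added illustration of the response-difference flaw described above and of the usual fix; it is not code from the advisory or from Symantec, and it models the gateway's pre-shared-key check as a simplified HMAC challenge-response rather than the real IKE exchange. The user table, keys and reply strings are constructed for the example, and `replies_differ` is the self-test an operator could run against a responder to confirm that known and unknown usernames are indistinguishable.

```python
import hmac
import hashlib
import secrets

# Constructed sample user table: username -> pre-shared key (not real data).
USERS = {"alice": b"correct-horse", "bob": b"battery-staple"}
# Key used for unknown users so the hardened path does identical work.
DUMMY_KEY = b"dummy-key-for-unknown-users"


def proof_for(key: bytes, challenge: bytes) -> bytes:
    """Client side of the simplified exchange: HMAC of the challenge under the PSK."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def vulnerable_respond(username: str, challenge: bytes, proof: bytes) -> str:
    """Mimics the reported defect: an unknown username gets its own reply,
    so the reply alone tells the sender whether the account exists."""
    key = USERS.get(username)
    if key is None:
        return "NO_SUCH_USER"
    if hmac.compare_digest(proof_for(key, challenge), proof):
        return "AUTH_OK"
    return "BAD_PROOF"


def hardened_respond(username: str, challenge: bytes, proof: bytes) -> str:
    """Same check, but every failure returns one identical reply and the
    MAC is always computed, so neither the text nor the work done leaks
    whether the username is valid."""
    key = USERS.get(username, DUMMY_KEY)
    proof_ok = hmac.compare_digest(proof_for(key, challenge), proof)
    if proof_ok and username in USERS:
        return "AUTH_OK"
    return "AUTH_FAILED"


def replies_differ(respond, known: str, unknown: str) -> bool:
    """Operator self-test: send one deliberately wrong proof for a known and
    for an unknown username; differing replies mean enumeration is possible."""
    challenge = secrets.token_bytes(16)
    bad_proof = bytes(32)
    return respond(known, challenge, bad_proof) != respond(unknown, challenge, bad_proof)
```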

33. August 21, SecurityFocus — Storm Worm pursues more 'members'. The group responsible for propagating the malicious program commonly known as the Storm Worm changed tactics this week, using e-mail messages masquerading as verification announcements from online Websites and clubs to lure victims. The e-mail messages use a fairly regular format, including a brief greeting, a supposed temporary login name and password, and a link to a malicious Website, according to antivirus firms. The destination site will tell the user that, to log on, they need to download a secure login applet. Victims who do install the software will become infected with the Storm Worm bot software. The names of the online Websites used in the e-mail messages appear to be constructed from two randomly chosen words and include names such as "Fun World," "Internet Dating," and "MP3 World." In addition, there is some evidence that the Storm Worm is using the MPack infection tool kit to compromise systems.
Source: http://www.securityfocus.com/brief/573
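As an added example, not from SecurityFocus or any antivirus vendor, here is a small mail-triage heuristic built from the lure format the item describes (greeting, temporary login name and password, link to a site). The three sample messages are constructed for the example and use reserved `.invalid` hostnames; the signal names and scoring rule are this example's own choices.

```python
import re

# Constructed sample messages (not real Storm Worm samples): two mimic the
# described "membership confirmation" lure, one is ordinary business mail.
SAMPLES = [
    ("Welcome to Fun World! Your temporary login: user8812 password: qx7Lm2. "
     "Confirm your membership at http://lure-site.invalid/login"),
    ("Hi, here is the agenda for Thursday's meeting. "
     "See http://intranet.example.invalid/agenda"),
    ("Internet Dating membership confirmation. Temporary Login ID: guest41 "
     "Temp Password: aa11bb. Log in here: http://lure-site.invalid/applet"),
]

# Signals taken from the format described in the report.
LINK = re.compile(r"https?://\S+", re.I)
SIGNALS = {
    # a login/user name followed within 40 characters by a password
    "temporary_credentials": re.compile(
        r"\b(temp(orary)?\s+)?(login|user\s*name)\b.{0,40}\bpassword\b",
        re.I | re.S),
    "link": LINK,
    # the "verification announcement" framing used as the pretext
    "membership_lure": re.compile(
        r"\b(membership|confirm\w*|verif\w+|welcome to)\b", re.I),
}


def triage(message: str) -> dict:
    """Score one message: flag it when it carries throwaway credentials and
    a link, and pull out the link so it can be checked against reputation data."""
    hits = {name: bool(rx.search(message)) for name, rx in SIGNALS.items()}
    url = LINK.search(message)
    return {
        "suspect": hits["temporary_credentials"] and hits["link"],
        "signals": hits,
        "url": url.group(0) if url else None,
    }


def triage_all(messages) -> list:
    """Apply the heuristic to a batch of messages."""
    return [triage(m) for m in messages]
```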

34. August 21, Websense Security Labs — Malicious Code / Malicious Website: EDB Business Partner site compromise. Websense Security Labs has discovered that the Website of EDB Business Partner (www.edbbusinesspartner.com) has been compromised and infects visitors with malicious code that attempts to drop two files. Both files dropped are of malicious intent. The first file is a World of Warcraft trojan. The second file is designed to detect anti-virus protection. The malicious code drops the malware through an old vulnerability in Internet Explorer (Microsoft Data Access Components Remote Code Execution, MS06-14). The compromised site contains a link to an external .js file that is hosted on a Website that Websense Security Labs had previously categorized as malicious.
Source: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=798

35. August 21, IDG News Service — State says e-voting machines weren't certified. Election Systems & Software (ES&S) sold nearly 1,000 electronic-voting machines that were not certified to five California counties in 2006, Secretary of State Debra Bowen said Tuesday, August 21. "Given that each machine costs about $5,000, it appears ES&S has taken $5 million out of the pockets of several California counties," Bowen said in a statement. ES&S sold 972 of its AutoMark Phase 2 Model A200, even though the company never submitted that version of the AutoMark machine to Bowen's office for certification in California, she said. ES&S delivered hundreds of the Model A200 to the California counties before it was certified by federal election officials in August 2006, she said. A public hearing on the matter is scheduled for September 20. Earlier this month, Bowen mandated new security standards for the state's e-voting systems, following an independent review that slammed the security of the technology. ES&S machines were decertified because ES&S was late in providing access to their products.
Source: http://www.infoworld.com/article/07/08/21/State-says-evoting