Wednesday, November 7, 2007

Daily Report

• The Cybercast News Service reports that at least 1,800 mechanics received false certification from St. George Aviation near Orlando, Florida between October 1995 and January 1999. About 1,000 mechanics have still not been accounted for by the Federal Aviation Administration and could be working for the nation’s airlines. (See item 14)

• The Associated Press reports that an advisory commission created in response to concerns about recalls of dangerous toothpaste, dog food and toys has recommended that the Food and Drug Administration be empowered to order mandatory recalls of products deemed a risk to consumers. The commission recommended several other changes such as increasing the presence of U.S. inspectors from Customs, the Border Patrol, the Consumer Product Safety Commission and other agencies in countries that are major exporters to the United States. (See item 17)

Information Technology

30. November 6, Computerworld – (National) Hackers exploiting bug in DRM shipped with Windows. Microsoft Corp. Monday said it would patch a vulnerability in third-party anti-piracy software bundled with Windows after it acknowledged that hackers are already exploiting the bug. In a security advisory issued late Monday, Microsoft said it would issue a fix for a vulnerability in an older edition of “secdrv.sys” -- a file also known as Macrovision Security Driver – that is part of the SafeDisc copy-protection scheme that Macrovision licenses to game publishers. “The driver, secdrv.sys, is a dispatch driver developed by Macrovision and shipped on supported editions of Windows Server 2003, Windows XP, and Windows Vista,” Microsoft said in the advisory. “This vulnerability does not affect Windows Vista.” Computerworld confirmed that secdrv.sys is present on stock installations of both Windows XP and Vista, but that the file creation dates -- Feb. 28, 2006 and Nov. 1, 2006, respectively -- differ, with the newer version included in Vista. Microsoft also said that attacks were in progress. “We are aware of limited attacks that try to use the reported vulnerability,” the advisory continued. “Microsoft will take the appropriate action [which] will include providing a security update through our monthly release process.” Until then, Windows XP and Server 2003 users can download a more recent version of the driver – marked with a creation date of Sept. 13, 2006 -- from Macrovision’s Web site.
Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9045660&taxonomyId=17&intsrc=kc_top

31. November 5, Computerworld – (National) Update: Apple patches seven QuickTime bugs, zaps Java. Apple Inc. patched seven bugs in QuickTime Monday as it updated the media player to version 7.3 for both Mac OS X and Windows. To quash yet another Java-related vulnerability, Apple zapped QuickTime for Java. All but one of the vulnerabilities would be ranked critical by other vendors, but Apple does not rate flaws or assign an urgency score to patches. Two of the seven vulnerabilities are in QuickTime’s rendering of PICT images, one in how the player handles the QTVR (QuickTime Virtual Reality) file format, three in its movie file management, and one in how it works with Java applets. The six flaws that involve image or video file formats can be exploited by attackers able to dupe users into opening malformed files, while the seventh -- the one related to Java -- could be leveraged simply by getting a user to a Web site with a malicious applet. That vulnerability, however, can only result in remote code execution if the attacker has some, if only limited, access rights to the target Mac or PC, said Apple. To reduce the player’s attack surface, Apple essentially gave up on Java. Rather than patch the code yet again, it simply disabled QuickTime for Java in most situations. “This update addresses the issues by making QuickTime for Java no longer accessible to untrusted Java applets,” the accompanying advisory read.
Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9045599&taxonomyId=17&intsrc=kc_top

32. November 5, Computerworld – (National) Problem-driver database gets ticketed for security flaws. The U.S. Department of Transportation is not adequately protecting personal data stored in a national database that state motor-vehicle departments use to identify problem drivers, according to a report released last week by the Department of Transportation’s inspector general. The National Driver Register (NDR), which is administered by the National Highway Traffic Safety Administration (NHTSA), was designed to allow state motor-vehicle agencies to exchange information on drivers who have been convicted of operating under the influence and other offenses. The database contains personal information such as the name, date of birth, sex, height and eye color of drivers. When state workers are processing driver’s license applications, they can access the NDR via a network that is managed by the American Association of Motor Vehicle Administrators (AAMVA). According to the inspector general’s report, the 42 million records contained in the NDR have been properly secured via data encryption. However, similar controls are not being applied when the data is transmitted to and between state agencies as required by federal minimum security standards, the report claimed. The current failure to meet that requirement is exposing the network transmissions to possible unauthorized access and unapproved use, it added. The report blamed the situation on a failure by the NHTSA to contractually require the AAMVA to apply encryption during the data transmission process. The NHTSA also said that by next June, it plans to have completed the encryption of all data transmissions between its own facilities and those of the contractor that manages the NDR database.
Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9045625&taxonomyId=17&intsrc=kc_top

Communications Sector

33. November 6, Reuters – (International) Experts say West can’t stop Web radicalization. After using the Internet from his London home to spread al-Qaeda propaganda, recruit suicide bombers and promote Web sites that encouraged the killing of non-Muslims, a Moroccan-born student and two accomplices, one of whom he had never met in person, became the first to be jailed in Britain for inciting terrorism over the Internet. In September, a Scottish student was imprisoned for eight years for owning terrorism material and distributing it via Web sites. The two cases are examples of what Western authorities believe is the dangerous and growing role the Internet plays in spreading extremist propaganda and recruiting sympathizers to Islamist militant causes. The perceived threat has prompted much talk from governments of the need for action. On Tuesday, the European Commission urged the EU’s 27 states to crack down on militant sites. “The Internet serves ... as one of the principal boosters of the processes of radicalization and recruitment and also serves as a source of information on terrorist means and methods, thus functioning as a virtual training camp,” the commission’s proposal said. However, many governments disagree about what should actually be done, and experts express serious doubts about what would be effective, saying little research has been carried out. A senior researcher at Dublin’s Institute of International and European Affairs said users could easily circumvent any restrictions imposed by the authorities. “A workable Internet censorship system, even if one were desirable, is not possible within the EU, or anywhere else in the world with a comparable infrastructure or legal norms,” he told Reuters. Web sites could relocate from one country to another unless there was international agreement, while the controversial content was often distributed through services that are hard to block, such as legitimate chat rooms.
“In China, where censorship is a more serious business, users have developed a series of tools to break through government Internet blocks,” he said.
Source:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9045701&taxonomyId=17&intsrc=kc_top

34. November 6, The Trucker News – (International) FMCSA: Safety rules reinforced with satellite technology for Mexican, U.S. trucks. Starting later this month, trucks crossing the U.S.-Mexico border as part of the new demonstration program will have equipment on board that allows them to be monitored as they pick up and deliver their loads, the government stated Monday. The Federal Motor Carrier Safety Administration (FMCSA) noted the decision to require the installation of satellite tracking technology on trucks in the program was made after members of Congress expressed a desire to know whether participants are complying with federal safety and trade laws. The agency will initially spend approximately $367,000 to outfit all trucks from the U.S. and Mexico that take part in the program, and “use the information gathered from the equipment to ensure trucks comply with Hours of Service and rules that govern the trips into and out of the country,” said the FMCSA statement. “The GPS-based technology also will allow real-time tracking of truck location, documenting every international border and state-line crossing.” The satellite-based technology, developed by San Diego-based Qualcomm Inc., will be used to track trucks by vehicle number and company only — no driver information will be collected, FMCSA added. According to FMCSA, the technology will help continue to ensure that trucks operating as part of the program are complying with the agency’s safety standards and U.S. trade laws.
Source:
http://www.thetrucker.com/News/Stories/2007/11/6/FMCSASafetyrulesreinforcedwithsatellitetechnologyforMexicanUStrucks.aspx