Friday, November 16, 2007

Daily Report

• According to the Associated Press and a GAO report made public Wednesday, government investigators were able to smuggle liquid explosives and detonators past security checkpoints in covert tests conducted at 19 airports earlier this year. The investigators learned about improvised explosive device components on the Internet, purchased the parts at local stores for less than $150, and used published security guidelines to help conceal the devices through security. They concluded that terrorists could use publicly available information and easily obtainable supplies to damage an airplane. (See item 11)

• The Associated Press also reported that an office tower blaze in Manhattan’s financial district left six firefighters with minor injuries early Thursday. More than 130 firefighters were dispatched to the 40-story building that is a block from Wall Street and houses insurance companies, money management firms and other businesses. The cause was under investigation, and no civilian injuries were reported. (See item 27)

Information Technology

24. November 14, IDG News Service – (National) With Web 2.0, a new breed of malware evolves. Web 2.0 technologies may be laying the groundwork for a new generation of hacker tools, a noted security researcher said Wednesday. Google Mashups, RSS feeds, search, all of these can be misused by hackers to distribute malware, attack Web surfers and communicate with botnets, said a security researcher speaking at the Open Web Application Security Project (OWASP) U.S. 2007 conference, held on eBay’s campus. Tools like the downloadable MPack hacker toolkit have made it easier for the bad guys to deploy malicious code, but some of these emerging technologies promise to take hacking to a whole new level, he said. “Now people can use and abuse Web 2.0 technologies to construct something much larger,” he said. “When you look at it from a hacker perspective, you’ll see there are a whole lot of opportunities,” he said. For example, it took the researcher just one day to build a Web-based attack infrastructure using Google Mashup Editor, Google’s invite-only Web application development service. And even if Google decided to shut down this type of attack service, its open and distributed design makes it very easy to set up a new account and launch an identical service. This kind of Web 2.0 malware is in its infancy, but it is starting to be used, said the CEO of Web security firm Armorize. He says he has seen attackers use Google alerts to scan the Web for sites that are running software with known vulnerabilities, and that criminals are also starting to use RSS-to-e-mail conversion services to have an untraceable way of controlling their networks of hacked computers, called botnets. Researchers believe that criminals are only beginning to experiment with Web 2.0 hacking techniques like these, but that if they do catch on, it could become a nightmare for the Web 2.0 world.

25. November 14, Computerworld – (National) Apple patches 41 bugs in monster day of fixes. In one of its biggest update days in memory, Apple Inc. late Wednesday patched 41 vulnerabilities in Mac OS X, rolled out the long-anticipated (and likely last) update for Tiger, quashed 10 bugs in the Windows version of Safari and upgraded a slew of other applications. Only an update to iPhoto, one of the Apple-branded applications bundled with Macs, is relevant to users running Leopard, the new operating system introduced three weeks ago. Both Security Update 2007-008 and the update to Mac OS X 10.4.11 include the 41 fixes, 15 of which could be considered critical by virtue of Apple’s designating them capable of “arbitrary code execution,” its terminology for an attack that could result in a compromised Mac. The more than two dozen remaining patches fixed flaws that could crash the system or applications, poison the Mac’s DNS cache, allow malicious Web sites to conduct drive-by downloads, or let hackers steal information or look at files on the hard drive. Many of the vulnerabilities were in the third-party components included with Apple’s operating system. Internet-related vulnerabilities also accounted for a large number of the bugs.

Communications Sector

26. November 14, Computerworld – (Texas; National) Two unrelated calamities disrupt Rackspace’s service. This past weekend, it seemed everything that could go wrong did go wrong for San Antonio-based Rackspace Ltd. and its customers. Early Sunday morning, a mechanical failure hit the Web hosting company’s Dallas/Fort Worth data center, knocking some customers’ Web sites offline intermittently, said Rackspace’s president and CEO. The company managed to fix the problem and get customers back online relatively quickly, he said. But before Rackspace Managed Hosting could figure out exactly what caused the minor meltdown, a truck driver rammed into the transformer that was feeding power into the data center, he said. The backup generators kicked in as intended, but the data center’s cooling system started cycling back up. However, the truck driver was trapped in his truck, and in order to safely extricate him from the vehicle, emergency workers asked the utility company to shut down all the power – without notifying Rackspace. Again, the backup generators kicked in immediately, but the transfer to backup power triggered the chillers to stop cycling and then to begin cycling back up again. Rackspace’s CEO said that process would take about 30 minutes, during which time the temperature in the data center, which is filled with thousands of servers, continued to rise. In order to make sure the increase in temperature did not damage customers’ servers, Rackspace took them offline. The company is now trying to determine what caused the initial mechanical failure in order to devise an action plan for the future. As of yesterday, all of the servers were back online, and customer Web sites were up, he said.