Tuesday, November 27, 2007

Daily Report

• The Washington Times reports that officials from Fort Huachuca, Arizona, the nation’s largest intelligence training center, changed security measures last May, after sources warned that possibly 60 Afghan and Iraqi terrorists were to be smuggled into the U.S. through underground tunnels with high powered weapons to attack the post. (See item 21)

• The Associated Press reports that firefighters in major cities are being trained to take on a new role as lookouts for terrorism. The Homeland Security Department is testing a program with the New York City fire department to share intelligence information so firefighters are better prepared when they respond to emergency calls. Homeland Security also trains the New York City fire service in how to identify material or behavior that may indicate terrorist activities. (See item 23)

Information Technology

26. November 25, Computerworld – (National) New QuickTime bug opens XP, Vista to attack. Security researchers warn that attack code targeting an unpatched bug in Apple Inc.’s QuickTime has gone public, and added that in-the-wild attacks against systems running Windows XP and Vista are probably not far behind. There was no word as of Sunday whether the Mac OS X versions of the media player are also vulnerable. The critical bug in QuickTime 7.2 and 7.3 (and perhaps earlier editions as well) is in the player’s handling of the Real Time Streaming Protocol, an audio/video streaming standard. According to alerts posted by Symantec Corp. and the U.S. Computer Emergency Readiness Team (US-CERT), attackers can exploit the flaw by duping users into visiting malicious or compromised Web sites hosting specially-crafted streaming content, or by convincing them to open a rigged QTL file attached to an e-mail message. Symantec credited a Polish researcher with first reporting the zero-day vulnerability on the milw0rm.com Web site Friday. By Saturday, he and another unnamed researcher had followed up with separate proof-of-concept examples that executed on Windows XP SP2 and Windows Vista machines running QuickTime 7.2 or 7.3. A successful exploit would let the attacker install additional malware -- spyware or a spambot, say -- or cull the system for information like passwords. An attack that failed would likely only crash QuickTime. A gaffe by Apple’s developers, however, makes an attack easier on Vista, said one of the researchers, who claimed that the QuickTimePlayer binary does not have Address Space Layout Randomization (ASLR) enabled. ASLR is a Vista security feature that randomly assigns data and application components, such as .exe and .dll files, to memory to make it tougher for attackers to determine the location of critical functions or vulnerable code. A Symantec analyst noted: “This makes reliable exploitation of the vulnerability a lot easier.”


27. November 23, Computerworld – (National) Once-fixed bug pops up again in Leopard’s Mail. Apple Inc. reintroduced a critical vulnerability in Leopard, the newest version of Mac OS X, that it had patched more than 20 months ago in Tiger, security experts said last week. Attackers can use the new-old vulnerability to hide malicious code in seemingly harmless file attachments and get Apple Mail to run the malware without warning the user, as it is designed to do, said Symantec in a warning to customers of its DeepSight threat management service. The Heise Security Web site first noted the returned flaw and said attackers could disguise their code as a benign file – a JPG image file, for example -- then exploit the file’s “resource fork” to launch Terminal, the Mac OS X command line interface, which in turn would run a camouflaged code. The site even produced a harmless proof-of-concept e-mail attachment that demonstrated an exploit of the bug. “The bug causing this has to do with the way Leopard manages [download] quarantines,” Intego said in an alert. “The first time a user opens an attachment, Mail opens the file directly without passing through the quarantine system.” Until Apple fixes Leopard, Symantec told users to use caution when handling e-mail attachments received in Mail.


Communications Sector

28. November 24, Reuters – (International) EU agrees to public funding for satellite project. European Union nations clinched a deal late on Friday to fund an ambitious satellite navigation project to rival the U.S. Global Positioning System using unspent cash from the EU budget, a presidency spokesman said. The Portuguese spokesman said budget ministers agreed to finance a 2.4 billion euro ($3.55 billion) shortfall in start-up costs of the Galileo system by redeploying unspent money for farm subsidies and competitiveness projects. The EU executive warned it would have to drop the prestigious industrial project if there was no agreement among member states on public funding by the end of this year. Supporters say it is a vital technological platform for Europe, but critics say it could be a costly white elephant because the U.S. system already has a dominant market position and Russia and China are working on their own systems.

29. November 24, RCR Wireless News – (National) Katrina decision could cost industry millions. The mobile-phone and tower sectors could take a significant financial hit as a result of a new Federal Communications Commission (FCC) mandate requiring backup power sources at key facilities. The FCC rule, which industry sources claim could cost wireless carriers hundreds of millions of dollars to implement, flows from recommendations of the Independent Panel Reviewing the Impact of Hurricane Katrina on Communications Networks. The FCC softened the blow to industry somewhat by giving carriers six months to conduct inventories to determine which assets comply with the new guidelines and which either do not comply with the backup power rule or are precluded because of safety reasons and conflicts with federal, state or tribal laws. Carriers with wireless facilities covered by the new rule, but not in compliance, must rectify the situation, or file an action plan within 12 months on how they intend to meet new federal requirements. The FCC said it does not regard the reporting requirements as overly burdensome, but the cellular and tower industries call them brutal. It is even questionable whether compliance is reasonably achievable under terms laid out by the FCC, given physical and practical limitations related to the amount of space at sites and the need to modify structures with cell transmitters. The wireless industry argues roofs of some structures are not tall enough to accommodate requirements of the backup power rule and floors may be unable to support added weight of new generators. Moreover, the introduction of hazardous materials (gas, diesel, propane, batteries) associated with backup power sources could be prohibited in some leases involving cell sites on private and public property.