Wednesday, November 28, 2007

Daily Report

• As reported by The Associated Press, delegates from more than 40 nations pledged Tuesday to boost information exchanges on food safety and outbreaks of contamination in response to growing concern about the overall security of the global supply chain. The agreement came at the conclusion of a two-day international food safety conference in Beijing. (See item 15)

• According to WIVB News in Buffalo, New York, two area residents in need of medical care waited at least 19 minutes for ambulances to arrive Monday night, because all the ambulances were busy on other calls at area hospitals. Emergency officials say the whole system needs to be re-examined. Officials say calling 9-1-1 for real emergencies can go a long way to help the system. A local 2-1-1 hotline for non-emergency calls is being developed, but is not expected until next year at the earliest. (See item 23)

Information Technology

24. November 27, Computerworld UK – (International) ‘Man in the browser’ is new threat to online banking. Criminals infecting PCs with malware that is only triggered when users access their bank accounts are the latest threat to online banking, according to security software supplier F-Secure. Perpetrators act as a ‘man in the browser’ by intercepting HTML code in the Web browser. As bank security measures curb more traditional threats such as keystroke logging, phishing and pharming, F-Secure warned, the ‘man in the browser’ attacks will increase. Once a user’s PC is infected, the malicious code is only triggered when the user visits an online bank. The ‘man in the browser’ attack then retrieves information, such as logins and passwords, entered on a legitimate bank site. This personal data is sent directly to an FTP site to be stored, where it is sold to the highest bidder. Security products using behavioral analysis were the best solution against such attacks, because the malware was only distributed to the users of specific banking sites, said the chief research officer at F-Secure. This meant anti-malware software vendors were unlikely to be able to quickly release code to tackle all the new threats. Following the enhancements that banks have made to authentication on their sites, “phishing attacks are becoming less and less effective and attacks of the ‘Man in the Browser’ are set to increase,” he warned.

25. November 27, Computerworld – (National) Mozilla patches overdue Firefox protocol handler bug. Mozilla Corp. on Monday patched six vulnerabilities in Firefox, including a flaw that gained notoriety because it went unfixed for most of the year. Firefox, the ninth security update to the open-source browser this year, patched two bugs associated with the jar: uniform resource identifier (URI) protocol handler. The original flaw was reported in early February, but work on a fix languished until three weeks ago, when a U.K. researcher reported that applications that allow uploading of jar or Zip files are vulnerable to cross-site scripting attacks. Cross-site scripting vulnerabilities are most often used by identity thieves and malware authors to steal passwords or spread malicious code. Days later, another researcher upped the ante and produced an exploit that combined the jar: vulnerability with a separate bug in Google Inc.’s Gmail to let him access another user’s Web e-mail address book. Firefox also fixed a flaw that could be used to launch cross-site request forgery attacks, which inject malicious commands into legitimate Web sites. Additionally, Mozilla said it patched three unspecified memory corruption bugs that posed immediate stability problems (in some situations they could cause the browser to crash) and might be exploitable enough to create attack opportunities. The new version of the browser can be downloaded from Mozilla in versions for Windows, Mac OS X and Linux. Current Firefox users should be notified of’s availability in the next day or two by the browser’s automatic update tool.

Communications Sector

26. November 26, TMCnet – (National) U.S. broadband infrastructure to reach maximum capacity by 2010. Nemertes Research recently predicted that the broadband infrastructure in the United States will reach maximum capacity by 2010. The study says that the system will collapse because of this overload, but, more importantly, says the situation is inevitable unless there is a 60 to 70 percent increase in investment in broadband infrastructure. The report, titled “The Internet Singularity, Delayed: Why Limits in Internet Capacity Will Stifle Innovation on the Web”, says that, although the dynamic nature of the Internet will prevent a total breakdown, users will experience “Internet brownouts,” which are defined as periods of low connectivity speeds. According to Nemertes Research, the situation will definitely hurt innovation on the Internet: a lack of reliability of connection speeds will likely mean another Google or YouTube will have difficulty making inroads. The study points out that the lack of investment could be holding back the time at which the Internet reaches a ‘singularity’ (a point at which accelerating change creates an unpredictable outcome, such as the Internet becoming independently sentient). Nemertes Research expects the corporate and personal demand for Internet connectivity to grow exponentially during the next two years. Nemertes estimates that the financial investment required by access providers to bridge the gap between demand and capacity ranges from $42 billion to $55 billion, or roughly 60-70 percent more than service providers currently plan to invest.