Tuesday, January 22, 2008

Daily Report

• According to Network World and other sources, the Federal Energy Regulatory Commission Friday approved eight “critical infrastructure protection” standards intended to protect the electric-power grid operated by the nation’s utilities from coming under cyberattack. The final, complete text of FERC’s regulatory order is expected out in the next few days, and the commission did indicate it expected the energy industry to improve its power-control systems, if need be, to meet the new security guidelines, in spite of previously voiced concerns. (See item 2)

• CBS News reported that the FAA called an emergency meeting after another near mid-air collision at New Jersey’s Newark Liberty Airport Wednesday, the second near miss in two months. The FAA is investigating the incident and the possibility that a “procedural error” caused a temporary loss of communication with one of two Continental Airlines flights that at one point came within 600 feet of each other. (See item 13)

Information Technology

25. January 18, Computerworld – (International) Skype plugs critical bug with temp move. Hackers can exploit newly uncovered vulnerabilities in Skype Ltd.’s popular chat and VoIP software to overtake a Windows PC, security researchers said Thursday. By Friday morning, Skype had confirmed one of the bugs, slapped the highest-possible vulnerability rating on it and temporarily disabled the feature used to exploit the flaw. Early on Thursday, a noted Israeli researcher had spelled out what he called a “cross-zone scripting vulnerability” in Skype that could be leveraged by attackers armed with malicious video files. The way in, he explained, was through a security door that Skype left wide open. “Skype uses [Microsoft Corp.’s] Internet Explorer Web control to render internal and external HTML pages,” he said Thursday. If an attacker manages to inject a malicious script into any of those HTML pages, he can completely compromise the machine. In a demonstration, he posted a video file to the Dailymotion video-sharing service that, when called using the software’s Add Video to Chat feature, runs harmless arbitrary code. The exploit relied on a separate cross-site scripting vulnerability on Dailymotion, which is one of Skype’s video partners. The innocuous demo, however, could be replaced by attack code of the hacker’s choice. “An attacker can now upload a movie, set a kewl popular keyword, and own any user that will search for a video with those keywords through Skype,” he noted. Early Friday, Skype posted a security advisory that acknowledged the cross-zone scripting bug, saying that it affected all Windows versions of the software, including 3.5 and the most-up-to-date 3.6. Skype also pegged the flaw as a “10” in the Common Vulnerability Scoring System, the highest rating allowed by the security industry’s standard bug ranking system. Skype does not yet have a patch in place; so instead, it simply shut off access to Dailymotion. “Skype has temporarily disabled users’ ability to add videos from Dailymotion gallery until an official fix has been made available,” the security bulletin said. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057778&source=rss_topic17

26. January 17, IDG News Service – (National) Attack code released for critical Windows flaw. In what may be the first step toward a major security problem, security researchers have released attack code that will crash Windows machines that are susceptible to a recently patched bug in the operating system. The code is not available to the general public. It was released Thursday to security professionals who use Immunity’s Canvas computer security testing software. It causes the Windows system to crash, but does not let the attacker run malicious software on the victim’s system. “It reliably crashes Windows machines,” said Immunity’s chief technology officer. “In fact, it blue-screened our print server by accident -- this is a broadcast attack, after all.” That is the biggest concern for security experts who worry that a more dangerous attack may soon follow as researchers dig further into the vulnerability. The bug is particularly troublesome for two reasons. First, it affects a widely used Windows component that is turned on by default. Worse, no user interaction is required to trigger the flaw, meaning that it could be exploited in a self-copying worm attack. Microsoft patched the flaw in its MS08-001 update, released last week, but it takes time for enterprise users to test and install Microsoft’s patches. The flaw lies in the way Windows processes networking traffic that uses IGMP (Internet Group Management Protocol) and the MLD (Multicast Listener Discovery) protocol, which are used to send data to many systems at the same time. The protocols are used by a range of applications including messaging, Web conferencing and software distribution products. Source: http://www.networkworld.com/news/2008/011708-attack-code-released-for-critical.html

27. January 17, InformationWeek – (National) Yahoo’s CAPTCHA security reportedly broken. Yahoo may soon see a surge in spam coming from Yahoo Mail accounts. “John Wane,” who identifies himself as a Russian security researcher, has posted software that he claims can defeat the CAPTCHA system Yahoo uses to prevent automated registration of free Yahoo Mail accounts. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It is a technique that presents an image depicting distorted text that people, but not machines, can identify. Large e-mail service providers like Google, Microsoft, and Yahoo present CAPTCHA images to users signing up for new accounts to make sure that there is a real person behind the registration information. These companies do so to discourage spammers from using automated methods to register thousands of free online accounts to send spam. CAPTCHAs are also used to prevent spam in blogs and other online forums, automated ballot stuffing for online polls, and automated password guessing attacks. “Few months ago, we received information that [a] Yahoo CAPTCHA recognition system exists in the wild with the recognition rate about 30%,” Wane says in a blog post. “So we decided to conduct few experiments. We explored Yahoo CAPTCHA and designed a similar system with even better recognition rate (about 35%).” Various automated methods exist to defeat CAPTCHA schemes, but the CAPTCHAs used by Google, Microsoft, and Yahoo have remained difficult for computers to crack. If the software works as advertised, and it is not clear that it does, it could force Yahoo and other companies to spend yet more money to defend against spammers. Source: http://www.informationweek.com/management/showArticle.jhtml;jsessionid=OABRKDXIVXPNAQSNDLPSKH0CJUNN2JVN?articleID=205900620

Communications Sector

28. January 18, RCR Wireless News – (National) National Research Council calls for further studies on cellphone radiation. A National Research Council report calls for more research into the potential health effects of long-term exposure to radiation emitted by cellphones and other wireless devices, with U.S. scientists anxious to gather more data on any risks posed to children, pregnant women and fetuses by handsets as well as base station antennas. “Although it is unknown whether children are more susceptible to radio-frequency exposure, they may be at increased risk because of their developing organ and tissue systems,” the NRC stated in a press release. “Additionally, specific absorption rates for children are likely to be higher than for adults, because exposure wavelength is closer to the whole-body resonance frequency for shorter individuals. The current generation of children will also experience a longer period of RF field exposure from mobile-phone use than adults, because they will most likely start using them at an early age. The report notes that several surveys have shown a steep increase in mobile-phone ownership among children, but virtually no relevant studies of human populations at present examine health effects in this population.” Source: http://www.rcrnews.com/apps/pbcs.dll/article?AID=/20080118/FREE/192540885/1005
