Friday, January 11, 2008
• The Houston Chronicle reported that a Government Accountability Office report found that the Coast Guard lacks the resources to meet its own security standards to protect against terrorist assaults at American ports, even as the nation is to dramatically expand imports of liquefied natural gas. Among its recommendations, the GAO urged the Department of Homeland Security, which includes the Coast Guard, to develop a national plan to balance the need to meet its new LNG security burdens while also handling all of its existing security responsibilities. (See item 13)
• According to Computerworld, Microsoft Corp. urged Windows Vista users to download a new security tool that automatically disables suspicious or malicious “gadgets,” the small applets that mimic the “widgets” popular on Mac OS X. There are no known vulnerabilities in any existing gadgets, claimed a director in the Windows client product management group, stressing that Microsoft knows of no purposefully malicious gadgets, either. (See item 25)
24. January 10, IDG News Service – (National) Printers vulnerable to spamming attacks. A U.S.-based security manager in the financial industry has figured out how to send spam to a person’s printer from an infected Web page by using a little-known capability found in most Web browsers. Using this, he can make a Web page launch a print job on just about any printer on a victim’s network. The website could print annoying ads on the printer and theoretically issue more dangerous commands, like telling the printer to send a fax, format its hard drive, or download new firmware. The security expert described what he calls “cross site printing” in a research paper published Tuesday on the Ha.ckers.org website. He has launched the attack successfully with both Internet Explorer and Firefox browsers. Because the attack only works on network printers, a printer plugged directly into a PC would not be vulnerable. The researcher said concerns that his research might unleash a new blight on the Internet caused him to hesitate before publishing his paper and hold off on publishing the complete exploit code.
25. January 9, Computerworld – (National) Microsoft preps Vista to thwart rogue gadgets. Microsoft Corp. today urged Windows Vista users to download a new security tool that automatically disables suspicious or malicious “gadgets,” the small applets that mimic the “widgets” popular on Mac OS X. Dubbed “Windows Sidebar Protection,” the 1MB download was added to Windows Update on Tuesday and classified as a “high-priority” update. Microsoft customers running Vista RTM -- the initial version that launched in late 2006 to businesses and early 2007 to consumers -- saw the update on the list starting Tuesday. The update is optional, but depending on what settings have been selected in Windows’ Automatic Updates, it may be downloaded and installed without any additional user interaction. Windows Sidebar is a Vista-only panel that holds the miniature applications known as gadgets -- small single-purpose tools that, for instance, display the time and date or RSS feeds. The Windows gadgets are composed of HTML and various scripts. In other words, gadgets could be dangerous, even malicious. The small applications are crafted not only by Microsoft but also by third-party developers and users; Microsoft distributes gadgets on its Web site, but it does not vet them. There are no known vulnerabilities in any existing gadgets, claimed a director in the Windows client product management group, stressing that Microsoft knows of no purposefully malicious gadgets, either. “The update gives us a mechanism to prevent a malicious gadget from being installed first of all, and if it’s installed, to block the gadget [from running],” he said. After a gadget has been identified as bad, its icon gets swapped out with one labeled “Bad Gadget.” The icon also can’t be dragged, and the tool tip shows it as a security risk.
26. January 9, Security Focus – (National) Malware hitches a ride on digital devices. In the past month, at least three consumers have reported that photo frames -- small flat-panel displays for displaying digital images -- received over the holidays attempted to install malicious code on their computer systems, according to the Internet Storm Center, a network-threat monitoring group. Each case involved the same product and the same chain of stores, suggesting that the electronic systems were infected at the factory or somewhere during shipping, said the director of the Internet Storm Center. The incidents underscore that the proliferation of electronic devices with onboard memory means that consumers have to increasingly be aware of the danger of unwanted code hitching a ride. While many consumers are already wary of certain devices, such as digital music players, USB memory sticks, and external hard drives, that include onboard memory, other types of electronics have largely escaped scrutiny. While a compromise at the manufacturer is the most likely scenario, the director of SANS Institute’s Internet Storm Center also pointed to retailers as a possible point of infection. Returned products, which could have been infected by the consumer, are frequently put back on the shelf if they are in saleable condition, and attackers could take advantage of a store’s poor digital hygiene, he said. Consumers will have to be careful with any device that can be connected to a PC, including USB thumb drives, GPS devices, mobile phones, video players, set top boxes, portable hard drives, memory card readers, and eventually even microwave ovens and other appliances, he said.
27. January 9, InformationWeek – (National) Phony iPhone upgrade hides malware. Apple iPhones could be infected with potentially malicious Trojan software because of a fake upgrade download, computer security officials with US-CERT warned Wednesday. “This Trojan claims to be a tool used to prepare the device for an upgrade to firmware version 1.1.3,” the US-CERT advisory said. “When a user installs the Trojan, other application components are altered. If the Trojan is uninstalled, the affected applications may also be removed.” The Trojan appears to be timed to exploit rumors that began in early December about new features in an upcoming iPhone firmware upgrade. Various online news sites and blogs cited a report published by CNET France that claimed an imminent iPhone update would feature a disk mode, for using the iPhone as a portable flash drive, and a voice recording mode. Malware authors now regularly craft attacks that play off current news and events. With the Consumer Electronics Show this week and the Macworld Conference & Expo next week, malware masquerading as an iPhone upgrade will likely dupe more people than it would otherwise. On Monday, Symantec identified the malicious software as “iPhone firmware 1.1.3 prep.” In a blog post, a Symantec security researcher observed that installing the software does not appear to have much of an effect on the iPhone, but warned that uninstalling it could overwrite other iPhone applications.