Thursday, February 28, 2008

Daily Report

• According to CNN, Power was restored Tuesday for most of Florida after a failed switch and fire at an electrical substation outside Miami triggered widespread blackouts across the state. The president of Florida Power & Light (FPL) said a disconnect switch failed at 1:08 p.m. at the automated substation west of Miami, and a piece of equipment that controls voltage caught fire about the same time. (See item 1)

• The Associated Press reports LAX will be getting the equivalent of street lights to prevent potential accidents. The system — called runway status lights — will rely on radar technology and red lights on the pavement at one of Los Angeles International Airport’s four runways and at various taxiways to tell pilots when it is safe to cross them or take off. (See item 12)

Information Technology

28. February 27, The Register – (National) InfoJack Trojan burrows into Windows CE machines. Hackers have created a Trojan capable of infecting mobile devices running Windows CE. The InfoJack Trojan spreads by either tricking mobile users into installing seemingly legitimate application installation files or if punters inadvertently use an infected memory card on vulnerable devices. The malware has been spotted circulating in China. InfoJack disables Windows Mobile application installation security. It sends the infected device’s serial number, operating system, and other information to the author of the Trojan (a factor that explains the name of the malware). Infected devices are left vulnerable to the injection of further malware strains by allowing unsigned applications to be installed without a warning. Once infected, the homepage on a device’s browser is changed. The malware contains a number of features designed to frustrate clean-up efforts by copying itself back onto disk to protect itself from deletion. Internet security firm McAfee warns that the Trojan has been distributed with Google Maps, applications for stock trading, and games. It adds that the Trojan’s website is no longer reachable, due in part to an investigation by Chinese law enforcement officials. InfoJack is not unprecedented. A very small number of PocketPC viruses have been created over the last four or five years and, in at least one case, a Trojan capable of infecting Windows CE has been seen in the lab. InfoJack differs from its predecessors because it has been spotted in circulation, albeit to a modest extent. The spread of the malware provoked security clearing house US CERT to issue an alert:

29. February 27, BBC News – (International) Details emerge on YouTube block. Pakistan has rejected claims that it was responsible for blocking global access to the YouTube video clip site. YouTube was hard to reach this week following action by Pakistan to block access inside its borders for its hosting of a “blasphemous” video clip. Analysis suggests the block was taken up by net hardware that routes data effectively cutting off the site. But a spokeswoman for Pakistan’s telecoms authority said the problem was caused by a “malfunction” elsewhere. The Peshawar office of the PTA issued a blocking order for YouTube last week in a bid to block access to a video clip the Pakistani government regarded as “very blasphemous.” Analysis by net monitoring firm Renesys shows that the problems getting through to YouTube began as a result of the action taken by Pakistan Telecom to implement the block. Essentially, Pakistan Telecom took over some of the net addresses assigned to YouTube. Crucially the path it offered to this group of addresses was faster than the usual one used by the hardware, or routers, that speed traffic around the internet. Pakistan Telecom let this address change propagate to the routers of one of its partners – PCCW. Routers are constantly in search of faster ways to get the data passing through them to its destination so news about this faster path started propagating across many of the net’s routers. However, because Pakistan Telecom was stopping the traffic reaching YouTube all the data reached a dead end. “While it is hard to describe exactly how widely this hijacked prefix was seen, we estimate that it was seen by a bit more than two-thirds of the internet,” said a Renesys company blog.

30. February 26, Computerworld – (National) ‘Cold Boot’ encryption hack unlikely, says Microsoft. Users can keep thieves from stealing encrypted data by changing some settings in Windows, a Microsoft Corp. product manager said as he downplayed the threat posed by new research that shows how attackers can inspect a “ghost” of computer memory. A senior product manager for Windows Vista security reacted Friday to reports last week about a new low-tech technique that could be used to lift the encryption key used by Vista’s BitLocker or Mac OS X’s FileVault. Once an attacker has the key, of course, he could easily access the data locked away on an encrypted drive. The method – dubbed “Cold Boot” because criminals can boost their chances by cooling down the computer’s memory with compressed gas or even liquid nitrogen –
relies on the fact that data does not disappear instantly when a system is turned off or enters “sleep” mode. Instead, the bits stored in memory chips decay slowly, relatively speaking. Cooling down memory to -58 degrees Fahrenheit (-50 degrees Celsius) would give attackers as long as 10 minutes to examine the contents of memory, said the researchers from Princeton University, the Electronic Frontier Foundation and Wind River Systems Inc. And when they pushed the envelope and submersed the memory in liquid nitrogen to bring the temperature down to -310 degrees Fahrenheit (-190 degrees Celsius), researchers saw just 0.17 percent data decay after an hour. But the Vista security blog contended that such a risk is unlikely, as an attacker would need physical access to a machine in “sleep” mode, rather than in “hibernate” mode or powered off. But even as the Vista security blog downplayed the chance of an attack, it also spelled out ways users of BitLocker – the full-disk encryption feature included in Vista Ultimate and Vista Enterprise – could protect their laptops from a Cold Boot.

31. February 26, CNET – (National) Security experts warn of potential malicious AIR code. On Monday, Adobe Systems rolled out its new Web 2.0 development tool, Adobe Integrated Runtime, or AIR. Following its release were some concerns from the security community. AIR, formerly Adobe Apollo, is a runtime environment that allows developers use HTML, Flash, AJAX, Flex, and other Web 2.0 tools to create desktop applications. One such application built using Adobe AIR comes from Nickelodeon Online. But some security experts are concerned about local file access by AIR applications. Recently, Firefox experienced a vulnerability that could have allowed remote attackers to access a targeted file system. To mitigate this, Adobe says it implemented a sandboxing environment, however, Adobe’s documentation suggests that the sandboxes are less secure than a Web browser’s sandbox. Additionally, Adobe says that AIR applications need to be digitally signed, however, these certificates can be self-signed. And many users will ignore the warnings and run untrusted applications. Finally, there is the potential for Cross-Site Scripting (XSS), SQL injection, and local link injection. While these threats are not limited to Adobe AIR, developers could gain a false sense of security by relying only on AIR’s weaker sandbox protection. Adobe has also provided the following: an informative article titled “Introduction to AIR security” and a white paper; “AIR Security” (PDF). But the Sans Internet Storm Center site, notes that “many developers will be unaware of Adobe AIR security best practices or will knowingly take shortcuts that expose end users to attacks.”

Communications Sector

Nothing to Report