Wednesday, April 9, 2008

Daily Report

• According to Mercury News and the Associated Press, security has been beefed up at the Golden Gate Bridge and other well-known San Francisco landmarks in anticipation of Wednesday’s Olympic torch relay and accompanying protests. San Francisco’s mayor called on law enforcement and bridge officials to reassess their overall security strategy. (See item 12)

• The Times reports alarm about a flu pandemic has been restarted by clear evidence that bird flu can be transmitted person to person. A team of doctors led by a researcher from the Chinese Center for Disease Control and Prevention in Beijing reports that a man infected with the H5N1 virus passed the infection to his father, probably at the hospital. The two cases were detected in the family from Nanjing in December last year. (See item 22)

Information Technology

28. April 8, Techworld – (International) Outsourcing blamed for rising security woes. The world has a new culprit to blame for the rising tide of software vulnerabilities – code outsourcing. The trend to outsource the coding of applications is now a major contributor to making business software more vulnerable, a survey-cum-report by analyst group Quocirca has claimed. According to their survey of 250 IT directors and executives in the US, the UK and Germany for Fortify Software, ninety percent of the organizations that admitted to having been ‘hacked’ had outsourced more than 40 percent of their applications to third parties. The rush to benefit from the speed, convenience and lower cost of outsourced applications left security as an afterthought in an alarming number of cases. Sixty percent of respondents reported not mandating security from scratch, while 20 percent of those surveyed in the UK failed to accommodate security at all in the outsourced applications. The report mainly blames the way companies have become enamored with relatively poorly-understood Web 2.0 technologies, and the parallel rush to use service-oriented architectures (SOA) to open up software to partners. As to outsourcing itself, according to Fortify, the problem here is that the client company has no visibility on the coding behavior of the company carrying out the work, no matter how good the relationship appears to be. “These survey results help explain the recent, sudden rise in data breaches and should serve as a wake-up call to any executive whose company sits on a pile of mission-critical application code,” said a Fortify board member and former White House cyber-security advisor. Source:

29. April 8, Computerworld – (International) Malware count blows past 1M mark. Symantec Corp.’s malware tally topped 1 million for the first time in the second half of 2007 as the number of new malicious code threats skyrocketed, the company said in its semiannual report on the state of security. Of the 1.1 million code threats that Symantec has detected since it began writing signatures more than a quarter-century ago, 711,912 were discovered in 2007; 499,811 were picked up in the last six months of the year alone. In other words, nearly two-thirds of all the threats that Symantec has ever uncovered were found last year. Symantec credited the explosion in threats to a shift to specialization by malware makers and the existence of well-oiled – and well-financed – organizations that hire those programmers to write exploits and craft attacks. “This [six-month] reporting period has seen the strongest evidence yet of this,” said a senior research manager with Symantec’s security response team. He ticked off a slew of traits now common in the malware industry, from the development of what he called “crime management kits” to proof that hackers work in a market-driven economy where threats are the coin of the realm. He called 2007’s tsunami of threats a “tipping point,” and said that it is clear that security vendors – and their users – will soon need to switch to “whitelisting” legitimate code rather than “blacklisting” threats, as is now the practice. Source:

Communications Sector

30. April 8, IDG News Service – (International) Browser hack renders routers insecure. A security researcher plans to show how a web-based attack could be used to seize control of certain routers. The researcher, also the director of penetration testing at IOActive, has spent the past year studying how design flaws in the way that browsers work with the Internet’s Domain Name System (DNS) can be abused in order to get attackers behind the firewall. At the RSA Conference in San Francisco, he will demonstrate how this attack would work on widely used routers, including those made by Cisco’s Linksys division and D-Link. The technique, called a DNS rebinding attack, would work on virtually any device, including printers, that uses a default password and a web-based administration interface, he said. The victim would visit a malicious web page that would use JavaScript code to trick the browser into making changes on the web-based router configuration page. The JavaScript could tell the router to let the hacker remotely administer the device, or it could force the router to download new firmware, again putting the router under the hacker’s control. Either way, the attacker would be able to control his victim’s Internet communications. The technical details of the attack are complex, but essentially the attacker is exploiting the way the browser uses the DNS system to decide what parts of the network it can reach. Although security researchers had known that this type of hack was theoretically possible, the demo will show that it can work in the real world, said the CEO of DNS service provider OpenDNS. Source:
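
A defender-side check for the DNS rebinding behaviour described in item 30, added here as an example and not part of the original report: it scans resolver log records for an external hostname that answers with an internal address, the condition a rebinding attack depends on. The log layout, the sample records and the `LOCAL_SUFFIXES` list are constructed assumptions.

```python
import ipaddress

# Constructed sample resolver log: (client, queried name, answer IP, TTL seconds).
# 198.51.100.x and 203.0.113.x are documentation ranges standing in for public hosts.
SAMPLE_LOG = [
    ("192.168.1.20", "news.example.org", "198.51.100.10", 3600),
    ("192.168.1.20", "promo.example.net", "203.0.113.7", 1),
    ("192.168.1.20", "promo.example.net", "192.168.1.1", 1),
    ("192.168.1.21", "printer.lan", "192.168.1.50", 300),
    ("192.168.1.21", "cdn.example.com", "127.0.0.1", 60),
]

# Assumed internal DNS zones that are allowed to resolve to internal addresses.
LOCAL_SUFFIXES = (".lan", ".local", ".home.arpa")

# Address space that only hosts behind the firewall should be able to reach.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    """True if the address is private, loopback or link-local IPv4 space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rebinding(log, local_suffixes=LOCAL_SUFFIXES):
    """Return (name, ip, ttl, reason) for external names answering internally."""
    seen_public = set()   # external names already seen with a public answer
    findings = []
    for _client, name, ip, ttl in log:
        name = name.lower().rstrip(".")
        if name.endswith(local_suffixes):
            continue      # internal zone: an internal answer is expected
        if not is_internal(ip):
            seen_public.add(name)
            continue
        # An external name now points behind the firewall. A prior public
        # answer for the same name marks the flip typical of rebinding.
        reason = ("flip-public-to-internal" if name in seen_public
                  else "external-name-internal-answer")
        findings.append((name, ip, ttl, reason))
    return findings


if __name__ == "__main__":
    for finding in find_rebinding(SAMPLE_LOG):
        print(finding)
```

A resolver or DNS forwarder can apply the same test inline and drop such answers instead of only reporting them.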