Friday, April 18, 2008

Daily Report

• The Galveston County Daily News reports the U.S. Department of Labor cited Valero Energy Corp.’s Port Arthur, Texas, refinery for 16 safety violations and proposed penalties of $101,750. Thirteen of the 16 citations are classified as “serious,” meaning they have the potential to cause death or serious injury. (See item 3)

• According to the Associated Press, waves have eaten a chunk five feet deep and ten to 12 feet wide in the Montegut Marsh Management levee in Louisiana. Terrebonne Parish levee officials have set aside $35,000 to plug the hole with rocks before the winds change and waters rise higher. (See item 35)

Information Technology

30. April 17, – (National) Apple patches critical Safari holes. Apple has patched four security vulnerabilities in Safari affecting the Mac OS X and Windows versions of the web browser. The vulnerabilities range from cross-site scripting to remote code execution. For Windows XP and Vista users, the update addresses four flaws. Two of the vulnerabilities, a memory overflow error in the browser itself and a buffer overflow in the JavaScript component, could be exploited by an attacker to remotely install and execute malware on a target system. Another flaw in the browser could allow for a URL to be displayed without the page itself being loaded. Apple warned that this could be exploited by an attacker to spoof legitimate sites by displaying normal URLs with forged web pages. The fourth vulnerability is a flaw in the browser’s WebKit component. An attacker could use a malformed URL to exploit the vulnerability and perform a cross-site scripting attack. Mac users will receive updates for just two of the four flaws. Apple patched the JavaScript remote code execution flaw as well as the cross-site scripting vulnerability in the OS X version of the Safari patch. Users can download the Safari update through Apple’s Software Update application or from the company’s Safari download site. Source:

31. April 17, Associated Press – (National) Most computer users repeat passwords, at their peril. Using the same password for multiple Web pages is the Internet-era equivalent of having the same key for your home, car, and bank safe-deposit box. Even though a universal password is like gold for cyber crooks because they can use it to steal all of a person’s sensitive data at once, nearly half the Internet users queried in a new survey said they use just one password for all their online accounts. At the same time, 88 percent of the 800 people interviewed in the U.S. and the U.K. for the survey by the Accenture consultancy, which is to be released Thursday, said personal irresponsibility is the key cause of identity theft and fraud. Researchers say the findings suggest that many users underestimate the growing threat from organized cyber criminals who can reap big profits from selling stolen identities. “There’s a lot of confusion out there – a lot of people don’t think there’s a problem,” said a senior executive in Accenture’s global security practice. He said the problem with repeating passwords is that a hacker who successfully breaks into one account then has an easy time guessing how to get into all the user’s other accounts. Source:

32. April 17, BetaNews – (National) Latest Firefox update causes crashes, possible hole. While there is no evidence of an exploit as of yet, Mozilla is taking a proactive measure to fix the issue before it could be. A problem with stability which resulted in crashes and evidence of memory corruption was remedied in Firefox; however, the fix apparently did not completely close any holes. In fact, it seems as if it introduced new stability issues, where crashes occurred during JavaScript garbage collection. That feature allows a developer to reclaim the memory occupied by strings, objects, arrays, and functions that are no longer in use. “We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past,” Mozilla said in an advisory. Thunderbird is also affected; however, JavaScript needs to be enabled. By default, this is not, and Mozilla said it discourages users from running scripts within mail. JavaScript garbage collection problems have cropped up in the past. In February 2006, Mozilla addressed several issues within Firefox 1.5 which also posed memory corruption and arbitrary code risks.

Communications Sector

33. April 16, IDG News Service – (International) Survey: 12 percent of consumers ‘borrow’ free Wi-Fi. Although it is illegal in some parts of the world, 12 percent of U.S. and U.K. respondents to an Accenture survey have logged on to someone else’s unsecured Wi-Fi connection. Data that is sent via unsecured wireless routers is unencrypted and could theoretically be read by anyone who had the right network sniffing tools, but many people have tried logging on to unsecure Wi-Fi. Logging on to open Wi-Fi signals is most popular with 18- to 34-year-olds, Accenture said. Nearly a third of them said they had done this at some point. The practice is apparently more common in the U.S., where one in seven have piggybacked on free Wi-Fi networks, than in the U.K., where Accenture found that it was attempted by one in 11. In some parts of the world, Wi-Fi piggybacking is considered to be a form of criminal hacking. In August, police arrested a 39-year-old man for using his laptop to connect to an unsecured Wi-Fi connection as he sat on a garden wall in the London suburb of Chiswick. And in a case that was widely publicized in the U.S., a Sparta, Michigan, man was charged after using a cafe’s wireless connection to check his e-mail. Source: