Tuesday, May 20, 2008

Daily Report

• The Washington Post reports that security specialists and members of Congress fear that the new State Department-issued RFID electronic passport cards pose a security risk as they “will be vulnerable to alteration or counterfeiting.” (See item 21)

• According to the Canadian Press, the U.S. military in Naples, Italy, is sampling tap water and soil for pesticides and other pollutants because of worries that tons of uncollected garbage poses a health risk for its personnel based in the city. (See item 28)

Information Technology

35. May 19, IDG News Service – (National) Researchers find new ways to steal data. In two separate pieces of research, teams at the University of California (UC), Santa Barbara, and at Saarland University in Saarbrucken, Germany, describe attacks that seem ripped from the pages of spy novels. In Saarbrucken, the researchers have read computer screens from their tiny reflections on everyday objects such as glasses, teapots, and even the human eye. The UCSB team has worked out a way to analyze a video of hands typing on a keyboard in order to guess what was being written. Computer security research tends to focus on the software and hardware inside the PC, but this kind of “side-channel” research, which dates back at least 45 years, looks at the physical environment. The UC researchers’ “Clear Shot” can analyze video of hand movements on a computer keyboard and transcribe them into text. It’s far from perfect – a graduate student at UCSB says the software is accurate about 40 percent of the time – but it is good enough for someone to get the gist of what was being typed. Source: http://www.infoworld.com/article/08/05/19/Researchers-find-new-ways-to-steal-data_1.html

36. May 19, IDG News Service – (International) Update: Mass SQL injection attack targets Chinese Web sites. First detected on May 13, a large-scale SQL injection attack is coming from a server farm inside China, which has made no effort to hide its IP (Internet Protocol) addresses, said the chief executive officer of Armorize Technologies, in Taipei. “The attack is ongoing, ... even if they can’t successfully insert malware, they’re killing lots of Web sites right now, because they’re just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim Web sites,” he said. A screenshot of a Web site belonging to the Mackay Memorial Hospital in Hsinchu, Taiwan, showed the rendering of the site had been affected and displayed the SQL string injected by the attack, he said. Thousands of Web sites have been hit by the attack, he said, noting that 10,000 servers alone were infected by malware last Friday. Most of those servers are located in China, while some are in Taiwan. The attackers appear to be using automated queries to Google’s search engine to identify Web sites vulnerable to the attack, he said. Among the sites hit on Friday were Soufun, a real estate Web site, and Mycar168, a site for automobile enthusiasts. The attackers are not targeting a specific vulnerability. Instead they are using an automated SQL injection attack engine that is tailored to attack Web sites using SQL Server. The malware the attack injects comes from 1,000 different servers and targets 10 vulnerabilities in Internet Explorer and related plugins that are popular in Asia, he said. Source: http://www.infoworld.com/article/08/05/19/Mass-SQL-injection-attack-targets-Chinese-Web-sites_1.html

Communications Sector

37. May 17, CNet News Blog – (National) Cell phone, VoIP technologies lack security, experts say. Be careful what you say over that mobile phone or VoIP system. The most widely used mobile phone standard, GSM, is so insecure that it is easy to track people’s whereabouts and with some effort even listen in on calls, a security expert said late on Saturday at the LayerOne security conference. “GSM security should become more secure or at least people should know they shouldn’t be talking about (sensitive) things over GSM,” said the expert, who has cracked the encryption algorithm the phones use. “Somebody could possibly be listening over the line.” GSM is used in Nokia and other phones from carriers AT&T and T-Mobile, for instance. For as little as $900, someone can buy equipment and use free software to create a fake network device to see traffic going across the network. “You can see all the cell phones connected to the base station,” he said. “You can’t see calls, but people associated with the calls. You can also do location tracking. If you know somebody is on the network you can see how close to the base station they are.” That is possible because the subscriber identifier, which is basically the user identification number, can easily be seen on the traffic, although the identifiers are never supposed to be transmitted in plain text, he said. “I know exactly where you are on the network.” Earlier in the day, attendees learned about issues with VoIP systems, which can reduce communications costs for corporations and consumers but typically “have little to no security,” said a senior security consultant with security firm Netspi. VoIP systems based on open standards are not encrypting the traffic, which leaves them at risk for eavesdropping, forged or intercepted calls and bogus voice messages, he said, adding that there are numerous tools for doing that, with names like “Vomit” and “Cain and Abel.”