Daily Report Tuesday, January 9, 2007

Daily Highlights

The New Mexican reports a $24 million road security project began Monday morning, January 8, as part of the government's effort to better protect Los Alamos National Laboratory; all vehicles including recreational and motor homes are subject to inspection. (See item 4)
The Coast Guard says a package that was going to be loaded onto a cruise ship at the Port of Miami tested positive for plastic explosives and was destroyed Monday, January 8; the FBI is monitoring the situation. (See item 17)
New York City Mayor Michael Bloomberg said Monday, January 8, that the source of a mysterious gas smell that covered a wide area of the city and was also detected across the Hudson River in New Jersey remains unknown, but there was no indication that air is unsafe to breathe. (See item 38)

Information Technology and Telecommunications Sector

32. January 08, VNUNet — Cisco patches Clean Access flaws. Cisco Systems has acknowledged a pair of vulnerabilities in its Clean Access networking software that could allow for unauthorized access and viewing of database files. Users can remove the vulnerabilities by upgrading their software or by installing a patch, said the company. Clean Access is a pair of software applications that allows servers to scan any systems that attempt to access a network for required patches and software. The vulnerabilities affect Shared Secret, a log-on authentication component, and Readable Snapshots, a system for manually backing up databases. Users can remove both of the vulnerabilities by upgrading their Clean Access software, said Cisco. Versions 4.0.4, 4.1.0 and later all contain a fix for the vulnerability. The company has also made a patch available for users who do not want to upgrade.
Source: http://www.vnunet.com/vnunet/news/2172005/cisco.patches.flaws.clean

33. January 08, IDG News Service — Wi-Fi body to simplify security. The group that certifies Wi-Fi products aims to make more wireless LANs secure by taking some of the work out of locking them down. The Wi-Fi Alliance announced on Monday, January 8, at the International Consumer Electronics Show its Wi-Fi Protected Setup (WPS) specification, which lays out an easier process for setting up a secure wireless LAN. The group also revealed the first devices certified under WPS, though it will take a few more months for consumer products to reach store shelves. Wi-Fi security has greatly improved since home users first embraced wireless LANs a few years ago, but most consumers still don't use the available tools because they are too hard to set up, said Frank Hanzlik, managing director of the Wi-Fi Alliance. WPS cuts the number of steps required to secure a new network, he said.
Source: http://www.infoworld.com/article/07/01/08/HNwifialliance_1.html

34. January 07, New York Times — Attack of the zombie computers is growing threat. With growing sophistication, botnets are being blamed for the huge spike in spam that bedeviled the Internet in recent months, as well as fraud and data theft. Security researchers have been concerned about botnets for some time because they automate and amplify the effects of viruses and other malicious programs. What is new is the vastly escalating scale of the problem -- and the precision with which some of the programs can scan computers for specific information to drain money from online bank accounts and stock brokerages. Although there is a wide range of estimates of the overall infection rate, the scale and the power of the botnet programs have clearly become immense. In recent years, botnet attacks have increasingly become endemic, forcing increasingly stringent security responses. “It represents a threat but it’s one that is hard to explain,” said David J. Farber, a Carnegie Mellon computer scientist who was an Internet pioneer. “It’s an insidious threat, and what worries me is that the scope of the problem is still not clear to most people.”
Source: http://www.nytimes.com/2007/01/07/technology/07net.html?_r=1&ref=technology&oref=slogin

35. January 06, eWeek — Mac OS X developers watch Month of Apple Bugs. Developers of applications for Apple's Mac OS X have been watching the Month of Apple Bugs (MOAB) project closely, and are generally in favor of the project's goal of uncovering OS flaws. But they, and security companies, have questions about the MOAB group's method, which involves making their findings public immediately, instead of first alerting Apple Computer. "In the long term, this project is making OS X more secure," said Gus Mueller, a developer who sells his software through his company Flying Meat. "However, in the short term, these bugs, once shown, can be used destructively," he added. "I think the correct way to handle the exploits would have been to inform Apple, and give them something like four to six weeks to get a fix out," Mueller said.
Source: http://www.eweek.com/article2/0,1895,2079624,00.asp

36. January 05, IDG News Service — Changes in e-voting likely coming, experts say. Rules requiring independent audit mechanisms for electronic-voting machines are likely coming, but the changes won't happen overnight, a group of advocates said Friday, January 5. More than 18,000 undervotes in a still-disputed Florida congressional election from November show the need for independent audit mechanisms, said panelists at an event sponsored by several advocacy groups, including the Electronic Frontier Foundation and Common Cause. "We're at this point...where I believe there's a consensus that we need to do something," said Trey Grayson, secretary of state in Kentucky. "However, the consensus is ahead of the solution." While many e-voting security critics have called for printouts to back up e-voting results, printers currently in use have encountered problems in recent elections, said Courtenay Strickland-Bhatia, president and chief executive of the Verified Voting Foundation. Some printers have jammed, and with some e-voting machines printouts weren't easily accessible for voters who wanted to double-check their votes, she said. But e-voting machines need audit mechanisms and a "transparent" design that allows voters to understand how votes are counted, she added. Without an audit mechanism, "it simply is not possible to know if a problem has happened" in an e-voting machine, she said.
Source: http://www.infoworld.com/article/07/01/05/HNevotingfix_1.html

37. January 05, CNET News — Microsoft pulls four planned patches. Microsoft has pulled four bulletins from its announced list of Patch Tuesday fixes, but did not specify why it was backpedaling on the security releases. It now plans to issue four security bulletins on Tuesday, January 9, rather than the eight originally announced, the software giant said Friday in an updated notice on its Website. Three bulletins will contain fixes for Office, at least one of which will be rated "critical," Microsoft said.
Source: http://news.com.com/Microsoft+pulls+four+planned+patches/2100.1002_3.6147705.html