Monday, April 23, 2007

Daily Highlights

The Associated Press reports Mohammad Alavi, a former engineer at the nation's largest nuclear power plant -- Palo Verde power plant west of Phoenix -- has been charged with taking computer access codes and software to Iran and using them to download details of plant control rooms and reactors. (See item 1)
The New York Times reports the Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Department of Agriculture programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations. (See item 17)

Information Technology and Telecommunications Sector

39. April 20, eWeek — RIM: Software upgrade caused BlackBerry failure. BlackBerry maker Research In Motion (RIM) announced late Thursday, April 19, that it has determined the apparent cause of the shutdown that stopped e-mail service to BlackBerry users throughout North America earlier in the week. According to a statement from the Waterloo, Ontario-based company, the shutdown on April 17 was related to a software upgrade that went awry, followed by a failover process that also didn't work properly. The BlackBerry blackout happened when the company introduced a new, noncritical system routine into its database, officials said. The routine, according to RIM, was designed to improve cache optimization but instead caused a series of interaction errors between the databases and the cache.

40. April 19, IDG News Service — Spammers, hackers seize on Virginia Tech shootings. Spammers and hackers are using the slayings at Virginia Tech as a gory lure to infect computers with malicious software, security experts noted Thursday, April 19. While the video made by gunman Cho Seung-hui prior to the killing of 33 people on Monday was widely posted on news Websites and, spam e-mails were intercepted Wednesday night purporting to link to the footage on a Brazilian Website, said Graham Cluley, senior technology consultant at security vendor Sophos. If clicked, the link caused a computer to automatically download a malicious screensaver, called TERROR_EM_VIRGINIA.scr by Sophos, which installs a Trojan horse program that collects banking details, Cluley said. It's unclear yet what banks the Trojan is engineered to exploit, Cluley said. The e-mails are unlikely to mean much to English speakers since they're written in Portuguese, Cluley said. But hackers have repeatedly used breaking news events to try to trick users into opening malicious programs.

41. April 19, CNET News — Cyberattacks at federal agencies draw House scrutiny. As new details emerged about cyberattacks against networks at the State and Commerce departments last year, politicians on Thursday, April 19, said they're concerned many federal agencies are ill-prepared to fend off such intrusions. Members of a U.S. House of Representatives cybersecurity subcommittee said they weren't confident that the computer systems at bureaus within the State and Commerce departments were adequately secured and scrubbed of backdoors that could allow cybercrooks to re-enter. They also questioned agency representatives on whether they could truly guarantee that sensitive information hadn't been accessed or copied. Twenty-one of 24 major federal agencies had weak or deficient information security controls in place during the last fiscal year, according to audit reports, said Gregory Wilshusen, director of information security issues for the Government Accountability Office (GAO). Pitfalls ranged from failing to replace well-known vendor-supplied passwords on systems to not encrypting sensitive information to not creating adequate audit logs to track activity on their systems, according to a new GAO report he summarized at the hearing.

42. April 19, Government Accountability Office — GAO-07-751T: Information Security: Persistent Weaknesses Highlight Need for Further Improvement (Testimony). For many years, the Government Accountability Office (GAO) has reported that weaknesses in information security are a widespread problem with potentially devastating consequences -- such as intrusions by malicious users, compromised networks, and the theft of personally identifiable information. In reports to Congress since 1997, GAO has identified information security as a governmentwide high-risk issue. Concerned by reports of significant vulnerabilities in federal computer systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which permanently authorized and strengthened the information security program, evaluation, and reporting requirements for federal agencies. FISMA also defines responsibilities for ensuring centralized compilation and analysis of incidents that threaten information security and providing timely technical assistance in handling security incidents. In this testimony, GAO discusses the continued weaknesses in information security controls at 24 major federal agencies, the reporting and analysis of security incidents, and efforts by the Department of Homeland Security to develop a cyber threat analysis and warning capability. GAO based its testimony on its previous work in this area as well as agency and congressional reports.

43. April 19, CNET News — Bug hunter targets routers, other gadgets. Software that runs home routers, cell phones and personal digital assistants is rife with security bugs, an expert said Thursday, April 19. Barnaby Jack, a Juniper Networks security researcher, gave a tutorial at the CanSecWest conference on how bug hunters can find exploitable vulnerabilities in such devices and demonstrated an attack on a D-Link router using a yet-to-be-patched hole. "Security flaws are abundant on these devices," Jack said. "Security needs to reach further than a home PC. Insecure devices pose a threat to the entire network. Hardware vendors must take security into consideration." There hasn't yet been a large amount of security research into the type of software Jack looks at. This is code that runs gadgets equipped with ARM, MIPS, XScale and PowerPC microprocessors. However, researchers appear increasingly interested in finding ways to attack routers and other such "embedded" devices. In examining software from various devices, Jack found that there are many exploitable "null pointers" in the code. "Vulnerabilities that are near dead in the PC realm are abundant," he said. "This is a new class of attack...This is a remote attack the same way as a buffer overflow or a heap overflow, but it is more reliable."