Friday, June 1, 2007

Daily Highlights

The U.S. Department of Energy on Wednesday outlined a number of steps that the Department is taking to strengthen its hurricane response system in the United States. (See item 6)
·
US−CERT has released Technical Cyber Security Alert TA07−151A: Mozilla Updates for Multiple Vulnerabilities (See item 36)

Information Technology and Telecommunications Sector

36. May 31, US−CERT — Technical Cyber Security Alert TA07−151A: Mozilla Updates for Multiple Vulnerabilities. Mozilla has released new versions of Firefox, Thunderbird, and SeaMonkey to address several vulnerabilities. An attacker could exploit these vulnerabilities by convincing a user to view a specially−crafted HTML document, such as a web page or an HTML email message. Support for Firefox 1.5 is scheduled to end in June 2007. These vulnerabilities are addressed in Mozilla Firefox 2.0.0.4, Firefox 1.5.0.12, Thunderbird 2.0.0.4, Thunderbird 1.5.0.12, SeaMonkey 1.0.9, SeaMonkey 1.1.2. By default, Mozilla Firefox, Thunderbird, and SeaMonkey automatically check for updates.
Updates: http://www.mozilla.org/security/announce/
Source: http://www.us−cert.gov/cas/techalerts/TA07−151A.html

37. May 31, Associated Press — Spam flows despite high−profile arrest. Junk e−mail continued to land in mailboxes around the world Thursday, May 31, despite the arrest on Wednesday of a man described as one of the world's most prolific spammers. Even if Robert Alan Soloway is ultimately convicted and his operations shuttered, spam experts say dozens are in line to fill the void. Soloway, 27, was once on a top 10 list of spammers kept by The Spamhaus Project, an international anti−spam organization. Others have since topped him, mostly based in Russia and other countries out of reach of U.S. or European law. Soloway was arrested on charges of mail fraud, wire fraud, e−mail fraud, aggravated identity theft and money laundering. Prosecutors say Soloway has sent millions of junk e−mails since 2003 and continued even after Microsoft Corp. won a $7 million civil judgment against him in 2005 and the operator of a small Internet service provider in Oklahoma won a $10 million judgment. Soloway could face decades in prison, though prosecutors said they have not calculated what sentence range he might face.
Source: http://www.washingtonpost.com/wp−dyn/content/article/2007/05/31/AR2007053100310.html

38. May 30, SecurityFocus — Insecure plug−ins pose danger to Firefox users. A security weakness in the update mechanism for third−party add−ons to the Firefox browser could give an attacker the ability to exploit unsecured downloads and install malicious code on the victim's computer, a security researcher warned on Wednesday, May 30. The vulnerability affects any third−party add−ons that use an unsecured download site as part of the update process, according to Indiana University graduate student Christopher Soghoian. While using the standard secure communications protocol available in major browsers, known as secure sockets layer (SSL) encryption, could prevent the attacks, many major companies failed to do so, Soghoian said. The Mozilla development team is currently considering ways that they could prevent insecure updates in the next version of the browser, Firefox 3.0.
Source: http://www.securityfocus.com/news/11467

39. May 30, InfoWorld — Attackers get chatty on VoIP. The recent spate of malware attacks propagating throughout the user base of the Skype Internet calling system illustrates a broader trend toward cyber−criminals moving to take advantage of VoIP platforms as they become increasingly popular. Security researchers tracking the latest worm viruses moving through the Skype community's chat system said that the threats are nearly identical to attacks that have plagued users of other publicly−available messaging applications for years. The potential to use such programs to infiltrate business networks and carry out attacks will drive malware code writers and other schemers to similarly increase their focus on VoIP platforms, researchers said. Chris Boyd, a researcher at FaceTime Communications, believes that the endgame of hacking Skype is to steal valuable data from infected users and pass it back to themselves over Skype's encrypted messaging system. Boyd said that there is also growing evidence of attackers building proof−of−concept botnet threats aimed specifically at Skype users.
Source: http://www.infoworld.com/article/07/05/30/Attackers−get−chat ty−on−VoIP_1.html