Thursday, June 14, 2007

Daily Highlights

The Department of Homeland Security has released a Fact Sheet: Securing Our Nation's Chemical Facilities, stating that chemical security is not solely a federal responsibility; it is a shared responsibility among federal, state, and local governments, and also with the private sector. (See item 8)
The Associated Press reports the head of the FBI's Boston office is warning the region's top universities to be on the lookout for foreign spies or potential terrorists who might be trying to steal unclassified, yet sensitive, research. (See item 27)
The St. Louis Post−Dispatch reports explosives, including dynamite and C−4, capable of causing extensive damage have been stolen from a St. Charles County, Missouri, firing range used by the sheriff's office and the FBI. (See item 35)

Information Technology and Telecommunications Sector

29. June 12, US−CERT — Technical Cyber Security Alert TA07−163A: Microsoft Updates for Multiple Vulnerabilities. Microsoft has released updates to address vulnerabilities that affect Microsoft Windows, Windows Secure Channel, Internet Explorer, Win32 API, Visio, Outlook Express and Windows Mail as part of the Microsoft Security Bulletin Summary for June 2007. The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system. Microsoft has provided updates for these vulnerabilities in the June 2007 Security Bulletins. The Security Bulletins describe any known issues related to the updates. Administrators are encouraged to note any known issues that are described in the Bulletins and test for any potentially adverse effects. System administrators may wish to consider using an automated patch distribution system such as Windows Server Update Services (WSUS).
June 2007 Security Bulletins:−jun.mspx

30. June 12, Federal Computer Week — Air Force moves to populate Cyberspace Command. The Air Force is developing plans for a dedicated force to populate the ranks of the service’s new Cyberspace Command, its commanding general said Tuesday, June 12. Lt. Gen. Robert Elder, commander of the 8th Air Force and chief of the new command, said the service will finish deliberations on a force structure for the command within a year and then start filling those positions. Once service officials have laid out career paths and training guidelines for the jobs, Elder said, recruits will be able to join what he called the Air Force’s cyberforce just as they could opt to become fighter pilots or navigators. He estimated there are now 40,000 men and women in the service conducting cyberoperations in one form or another. He said the question will be defining which of those service members would fall under the ranks of the new Cyberspace Command.

31. June 12, Security Focus — Flaw hunters go off on Safari. Less than a day after Apple released a beta version of its Safari Web browser for Windows, three vulnerability researchers have already found a handful of bugs, many which appear to work against the currently shipping version of the browser for Mac OS X. Security researcher David Maynor, infamous for his row with Apple over three wireless flaws he presented at the Black Hat Security Briefings in 2006, claims to have found six vulnerabilities in Safari. Four of the vulnerabilities are simple denial−of−service bugs that crash the browser, but two of the flaws allow remote execution, he said. Two other researchers have found bugs as well. Thor Larholm, a well−known Danish security researcher, claims to have discovered another remotely exploitable flaw, while Israeli researcher Aviv Raff described a memory corruption that may be exploitable.

32. June 11, Government Computer News — Standard for Web−based digital signatures completed. A standard to enable digital signing of electronic documents via a Web application has been finalized by the Organization for the Advancement of Structured Information Standards (OASIS). Digital Signature Services Version 1.0 (DSS), approved by OASIS this month, defines an Extensible Markup Language interface to process digital signatures for Web services and other applications without complex client software. The Web−based scheme should simplify the creation and verification of digital signatures and could improve security by centralizing storage and management of cryptographic signing keys. A digital signature uses cryptography to bind the creator’s signature or assertion to an electronic document or other form of data, which in turn can be used by others to authenticate the source of the data and ensure that it has not been tampered with since its creation. This serves much the same purpose as a traditional written signature and enables electronic transactions at a level of trust and assurance similar to paper−based transactions. Because digital signatures require creation and management of cryptographic keys, implementation can be complex, especially in large enterprises. The goal of DSS is to help overcome the complexity.

33. June 11, TechWorld (UK) — Law puts damper on Web security research. Web security research is being seriously hampered by laws that punish researchers for even attempting to locate flaws in Web software, much less disclosing those flaws, according to a new study. The report is the first by the Computer Security Institute, a research and training organization under the aegis of CMP Technology. It draws on discussions by a broad working group, including security researchers and representatives of U.S. law enforcement agencies. The upshot is that current legal frameworks designed to allow prosecution of Web attackers also make it next to impossible to legally spot security flaws in the "Web 2.0" applications quickly becoming ubiquitous on the Internet. Those researchers who do feel safe probing Web software for flaws are probably not aware of their real legal position, the report said.
Free PDF of the report is available (registration required):
Source: &pagtype=all