Tuesday, July 31, 2007

Daily Highlights

VNUNet reports the Department of Homeland Security has set out security requirements for automated control systems, principally in the power industry, to protect installations against physical and cyber-attacks. (See item 1)
United Press International reports an incomplete job by a pest control contractor sparked an FBI terror investigation and forced the temporary shutdown of three of Washington, DC's Metro stations on Sunday, July 29. (See item 11)
Information Technology and Telecommunications Sector

37. July 30, eWeek — Core Security to reveal new database attack vector. Researchers at Core Security Technologies have donned their black hats and are preparing a presentation about a new database attack vector that relies solely on the inherent characteristics of the indexing algorithms. The attack, which will be demonstrated Wednesday, August 1, against the MySQL database engine at Black Hat USA in Las Vegas, affects database management systems using BTREE, the popular database indexing algorithm and data structure. Traditionally, database security breaches are mostly due to the abuse of wrongly configured authorization and actual control permissions or the exploitation of bugs in front-end Web applications through SQL injection, said Core Security Chief Technology Officer Ivan Arce. The presentation will involve the use of timing attacks, a common technique for breaking cipher system implementations, on database engines. Researchers from CoreLabs will explain how this technique can be used to extract information from a database by performing record insertion operations, which are typically available to all database users – including anonymous users of front-end Web applications.
Source: http://www.eweek.com/article2/0,1895,2164067,00.asp

38. July 30, InformationWeek — Verizon Wireless to acquire Rural Cellular for $2.67 billion. Verizon Wireless said it will acquire Rural Cellular Corporation for about $2.67 billion in the latest example of the new attractiveness of rural wireless services. In the announcement on Monday, July 30, Verizon Wireless said the acquisition will increase its customer base by more than 700,000. Rural Cellular's networks range across areas in Maine, Vermont, New Hampshire, New York, Massachusetts, Alabama, Mississippi, Minnesota, North Dakota, South Dakota, Wisconsin, Kansas, Idaho, Washington, and Oregon. While the thought of acquiring small rural wireless providers would have been shunned not too long ago, such transactions are becoming a way for major mobile phone service providers to grow their subscriber rolls.
Source: http://www.informationweek.com/management/showArticle.jhtml;jsessionid=VJPIV3BK13WSSQSNDLRCKH0CJUNN2JVN?articleID=201201813

39. July 30, Sophos — Virus plays on Nintendo Mario game nostalgia. IT security and control firm Sophos is warning of a new mass-mailing worm that is capitalizing on users' enthusiasm for Nintendo's iconic character, Mario. Once they open the e-mail, recipients are requested to click on an attachment that promises to run one of the classic Super Mario Bros games. E-mails sent by the worm use the following text in the message body: "Hi There, Do You Like Mario Bross ? Test it, and you'll like it ;] !" Attached to the e-mails is a file containing the Romario-A worm, which in addition to launching a game starring the portly Italian plumber, also attempts to infect other unprotected computers via mass-mailing itself as a file attachment, as well as spreading via removable shared drives. Sophos experts note that Romario-A aims to cause maximum impact by scheduling a daily task to ensure the worm runs regularly at a specified time.
Source: http://www.sophos.com/pressoffice/news/articles/2007/07/mario.html

40. July 28, Los Angeles Times — Three voting systems faulted. Three of California's electronic voting systems -- including those used in Orange, Riverside, San Bernardino and Ventura counties -- can be easily hacked into, potentially compromising millions of votes, according to a detailed review announced Friday, July 27. The makers of Los Angeles County's InkaVote system did not submit their equipment in time, so it wasn't included, said Secretary of State Debra Bowen, who requested the study. The three systems evaluated, used by more than two-thirds of California's counties, also had problems with accessibility requirements for disabled and non-English-speaking voters. The findings of what some believe to be one of the most comprehensive electronic voting studies to date come as California registrars rush to prepare for the state's presidential primary election on February 5. Over two months, dozens of experts in information technology organized by the University of California tested machines made by Diebold Election Systems, Hart InterCivic and Sequoia Voting Systems. The analysts tried to infiltrate the three systems physically and electronically, without the safeguards that voting machine vendors or counties might use. "Under these conditions, the technology and security of all three systems could be compromised," the review said.
Report: http://www.sos.ca.gov/elections/elections_vsr.htm
Source: http://www.latimes.com/news/local/la-me-vote28jul28,0,1784391.story?coll=la-home-center

41. July 27, IDG News Service — Hotmail maintenance glitch locks users out. Microsoft's Windows Live Hotmail Webmail service remained inaccessible to a portion of its users for several hours on Friday, July 27, but the problem has been resolved. Windows Live Hotmail, which has about 310 million active users worldwide, became unavailable between approximately 6:30 a.m. U.S. Pacific Time and "late morning," a spokesperson for Microsoft said. She declined to specify how many users were affected, saying only that the problem affected "a limited set of customers." The problem, which erupted during maintenance work for Windows Live Hotmail, didn't lead to any loss of data for users, according to the spokesperson.
Source: http://www.infoworld.com/article/07/07/27/Hotmail-maintenance-glitch-locks-users-out_1.html

42. July 27, Government Accountability Office — GAO-07-837: Information Security: Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses (Report). For many years, the Government Accountability Office (GAO) has reported that weaknesses in information security are a widespread problem with potentially devastating consequences -- such as intrusions by malicious users, compromised networks, and the theft of personally identifiable information -- and has identified information security as a governmentwide high-risk issue. Concerned by reports of significant vulnerabilities in federal computer systems, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which permanently authorized and strengthened the information security program, evaluation, and reporting requirements for federal agencies. As required by FISMA to report periodically to Congress, in this report GAO discusses the adequacy and effectiveness of agencies' information security policies and practices and agencies' implementation of FISMA requirements. To address these objectives, GAO analyzed agency, inspectors general, Office of Management and Budget (OMB), congressional, and GAO reports on information security. GAO is recommending that OMB strengthen FISMA reporting metrics. OMB agreed to take GAO's recommendations under advisement when modifying its FISMA reporting instructions.
Highlights: http://www.gao.gov/highlights/d07837high.pdf
Source: http://www.gao.gov/cgi-bin/getrpt?GAO-07-837