Friday, August 3, 2007

Daily Highlights

According to a new study by risk management firm ID Analytics, ID thieves are increasingly targeting U.S. individuals living in rural communities, and critical areas include the cities of Springfield, Illinois, and Bozeman and Missoula, Montana. (See item 10)
USA TODAY reports divers and rescue workers battled strong currents and floating debris Thursday, August 2, in an effort to reach more than two-dozen cars submerged after the collapse of an eight-lane bridge across the Mississippi River in Minneapolis. (See item 17)
Information Technology and Telecommunications Sector

35. August 02, IDG News Service — Project WOMBAT looks to manage online threats. Researchers are looking for formal European Union sponsorship of a new project that would keep an eye on malicious software and computer attacks around the world. Project WOMBAT (Worldwide Observatory for Malicious Behavior and Attack Tools) is a threat management system being backed by European technology companies and research institutions, including France Telecom SA, the Institut Eurecom, and Hispasec Sistemas, said Stefan Zanero, a researcher with the Institut Politecnico di Milano, who is involved with the project. WOMBAT will serve as an early warning system where security researchers and professionals can get data on emerging threats, but the team will also develop new technologies designed to automate the collection and analysis of malware, Zanero said. Some of the WOMBAT data will be made available to the public, but only those who have been previously vetted will get access to the complete data set.

36. August 02, IDG News Service — Web browser attack skirts corporate firewall. A 10-year-old security problem has come back to haunt corporate IT, a security researcher told an audience at the Black Hat conference in Las Vegas Wednesday, August 1. Dan Kaminsky, director of penetration testing for IO Active, showed how problems in the way browser software works with the Internet's domain name system (DNS) could be exploited to give attackers access to any resources behind the corporate firewall. He described a multistep attack that could be used to scan corporate networks for data or vulnerabilities. But at the heart of the attack is a 1996 paper by Princeton researchers showing how a Java applet could be used to access systems on a victim's network. "It's one of the few things that's actually come back from the dead," Kaminsky said. The fundamental problem, according to Kaminsky, is in the way that Web browser software decides how to trust other computers. This decision is based on the Internet domain name of the computer, and that DNS information can be misused, Kaminsky said. "It's a binding problem," he said during an interview after his talk. "They assume a value is not changing, but the attacker can change it whenever he chooses."
Princeton paper:-scenario.html

37. August 02, ComputerWorld — Researchers: Premature rush to AJAX a security threat. Software developers using Asynchronous JavaScript and XML (AJAX) techniques to jazz up corporate Websites are failing to pay attention to some very fundamental security issues, researchers warned at the Black Hat USA conference Wednesday, August 1. Among the biggest of these threats, said Billy Hoffman, lead research and development engineer at SPI Dynamics Inc., is the opening that poorly coded AJAX sites can provide for malicious attackers to change the order in which a program executes functions. Poorly designed AJAX implementations often push program code that used to be stored and executed only on the server out to client browsers. This allows attackers to access the code and to manipulate the order in which a program's functions are executed, Hoffman said. The availability of too much program code on the client side also allows attackers to perform actions such as changing the value of certain parameters or deleting certain program calls entirely. AJAX environments can also present more opportunities for hackers to inject malformed SQL queries and compromise applications if proper validation measures are not taken.

38. August 02, Sophos — Spammed out 'shocking photos' contain malicious payload. IT security and control firm Sophos is urging computer users to think before opening unsolicited e-mail attachments following a widespread malicious spam campaign that claims to contain shocking nude pictures of female celebrities. The e-mails, which typically have an attached file called or, contain a message similar to: "Good morning, old chap! Shocking video of nude Angelina Jolie. See it in your attachment. Best Regards." The e-mails are exploiting the fame of Hollywood stars such as Nicole Kidman, Angelina Jolie and Natalie Portman in their attempt to get computer users to open the attached file on their computers. "These e-mails are masquerading as pornographic content, tempting the unwary into opening a file on their Windows computer which will install a rootkit and download further malicious code from the Internet," said Graham Cluley, senior technology consultant for Sophos.
Source: -celebs.html

39. August 01, ComputerWorld — Diebold e-voting flaws could compromise elections. Optical scan voting devices slated to be used in presidential primary elections in Florida next year are significantly flawed and could compromise the outcome of the contest, according to a report released Tuesday, July 31, by Secretary of State Kurt Browning. The report was compiled by researchers at Florida State University who were hired by Browning in May to conduct an independent review of optical scan and touch-screen devices made by Diebold Election Systems, one of the largest voting machine vendors in the country and a major supplier of gear to Florida. The report cited a number of security gaps in the Diebold systems. For example, it said, Diebold's Accuvote OS optical scan machine is vulnerable to vote manipulation by illicitly inserting a preprogrammed memory card into a voting terminal. The report said that the card could be coded to flip votes from one candidate to another without detection. Browning also said he intends to have the Florida State researchers conduct similar studies of machines from other voting system vendors, including Elections Systems & Software Inc.

40. August 01, ComputerWorld — Apple issues mega patch batch. Apple Inc. on Tuesday, July 31, released a security update for Mac OS X that patched 45 vulnerabilities, including several in the open-source Samba file-sharing code that researchers recently warned still threatened users more than 10 weeks after the discovery of critical bugs. The 2007-007 update for Mac OS X 10.3, also known as "Panther," and 10.4, a.k.a. "Tiger," fixes a total of 45 bugs, at least 17 of which Apple acknowledged could lead to hackers executing attack code. Although Apple does not rate vulnerabilities as Microsoft Corp. and other companies do, the flaws it pegs as possibly leading to "arbitrary code execution" would rank as "critical" in other vendors' threat-scoring systems.
2007-007 Apple update: