Tuesday, August 14, 2007

Daily Highlights

InformationWeek reports law enforcement officials have arrested at least 10 people since the beginning of the year for their roles in using stolen information to commit fraud, after the theft of 45.7 million customer records from TJX. (See item 6)
The Associated Press reports a 25−pound chunk from United Express Flight 7350, a commuter jet headed to Washington's Dulles International Airport, landed in a grassy area between houses and soccer fields near Boyds, Maryland. (See item 12)
Information Technology and Telecommunications Sector

30. August 13, VNUNet — Black hat IPS reverse engineering poses 'serious threat'. A recently disclosed Black Hat hacker technique for reverse engineering intrusion prevention system (IPS) data poses a “serious risk” for thousands of enterprises, Gartner has warned. The analyst firm’s warning comes after a speaker at the recent Black Hat Briefings conference in Las Vegas demonstrated a method of reverse−engineering IPS signatures for zero−day vulnerabilities. The demonstration used signatures from 3Com's TippingPoint IPS, but Gartner notes that there is “an implication” that all IPS vendor's signatures are at risk. Paul E. Proctor, research vice president at Gartner, explained that enterprises use IPS technologies, which interpret external files containing signature definitions, to protect against the exploitation of vulnerabilities. However, when these patterns contain signatures for zero−day vulnerabilities, hackers can use this data to create exploit code based on vulnerabilities for which no protection exists. They can also use the signature file to write an exploit that bypasses the zero−day signature undetected, Proctor warned.
Source: http://www.vnunet.com/vnunet/news/2196512/black−hat−ips−reve rse

31. August 13, Register (UK) — Germany enacts controversial anti−hacker law. Germany has introduced anti−hacker measures that criminalize the creation or possession of dual−use security tools. An update to the country's computer hacking laws makes denial−of−service (DoS) attacks and hacking assaults against individuals clearly criminal. Gaining access to data, without necessarily stealing information, would also become an arrestable offense. The most serious offenses are punishable on conviction by up to 10 years' imprisonment. Controversy centers around a provision in the laws that make it an offense to create or distribute "hacking tools," a notoriously ambiguous term. The distinctions between, for example, a password cracker and a password recovery tool, or a utility designed to run DoS attacks and one designed to stress−test a network, are not covered by the new law, critics argue. Possession of dual−use tools −− port scanners such as nmap or security scanners like nessus −− is punishable by imprisonment of up to 12 months and a fine.
Source: http://www.theregister.co.uk/2007/08/13/german_anti−hacker_l aw/

32. August 12, ComputerWorld — UN Website goes offline hours after SQL injection attack. "Hackers" defaced the United Nations' (UN) Website early Sunday, August 12, with messages accusing the U.S. and Israel of killing children. As of late afternoon, some sections, including the area devoted to Secretary General Ban Ki−Moon, remained offline. The attack, spelled out by an Italian software developer on his blog and later reported by the BBC, replaced blurbs of recent speeches by Ban with text attributed to a trio of would−be hackers. The section of the UN's site dedicated to Ban was still offline as of 5 p.m. EDT Sunday. Giorgio Maone, a software developer from Palermo, Italy, noted the incident timeline and posted several screenshots of the defacement on his blog. Maone pegged the attack as an SQL injection exploit, which let the attackers add their own HTML code to the site.
Maone's blog: http://hackademix.net/2007/08/12/united−nations−vs−sql−injec tions/
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9030318&intsrc=hm_list

33. August 10, InformationWeek — Toshiba recalls more laptop batteries. Toshiba has issued its second recall in a month of Sony notebook batteries that could overheat and burst into flames. The latest recall, announced Thursday, August 9, by the U.S. Consumer Product Safety Commission, affects about 1,400 notebooks. The models include the Satellite A100 and A105, and the Tecra A7, which sell for as little as $680. The recall stemmed from three reports outside of the United States of notebook batteries overheating.
Source: http://www.informationweek.com/news/showArticle.jhtml?articl eID=201400284