Friday, August 31, 2007

Daily Highlights

According to the Reuters News Agency, dangerous chemicals that were removed from Iraq in the 1990s were found in a U.N. office in New York. (See item 2)

The Leader Times reports Armstrong County in southern Pennsylvania is set to begin issuing smart cards to about 1,000 emergency personnel and volunteers throughout the county in compliance with Presidential Directive 12 for the Department of Homeland Security's Counter Terrorism Task Force. (See item 31)

Information Technology Sector

34. August 30, Computerworld – Researchers spot rootkits on more Sony USB drives. A second line of USB drives sold by Sony Electronics Inc. that uses rootkit tactics to hide files has been identified, and the devices' software remains on the Web, a researcher said today. Hackers using just one of the package's files can mask their attack code from some security scanners, said the chief research officer at F-Secure Corp. "This new rootkit [which can still be downloaded] can be used by any malware author to hide any folder," he said. On Monday, F-Secure announced that the fingerprint-reader software included with Sony's MicroVault USM-F flash drives stores files in a hidden directory that could be used by hackers to cloak their malicious code. F-Secure noted that the USM-F models were difficult, but not impossible, to find. Sony has since confirmed that the line has been discontinued. But its replacement, the USM512FL, is widely available and shares the rootkit-like techniques of its predecessor. Sony has removed the download links for the USM-F and USM512FL software from its MicroVault support site, but researchers said today that they were still able to locate a live link with the information.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9033798&taxonomyId=17&intsrc=kc_top

35. August 29, Computerworld – Retail point-of-sale systems riddled with security flaws, warns researcher. Retail point-of-sale (POS) systems pose a clear but often overlooked danger to consumer credit card data, a security researcher warned this week. A white paper released by Hacker Factor Solutions described several relatively easily exploited vulnerabilities in POS technologies. "The vulnerabilities disclosed in this document denote a set of fundamental flaws in the point-of-sale process," the author said, adding that "even if a solution were available today, it would take years to be fully deployed." POS terminals that read credit card information, perform card transactions, and receive the confirmation code make attractive targets for hackers, the report notes, calling attention to the need for security standards at the payment level for POS devices and software.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9033620&taxonomyId=17&intsrc=kc_top

36. August 29, Computerworld – Microsoft blames WGA meltdown on human error. Microsoft Corp. said late Tuesday that last weekend's failure of the antipiracy process it requires of Windows XP and Vista was due to "human error" and shouldn't be called an "outage" since the servers didn't go off-line. The company also promised that changes have been made to avoid a repeat.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9033603&taxonomyId=17&intsrc=kc_top

37. August 29, Infoworld – Monster outlines anti-fraud measures. One week after hackers stole personal information from millions of people who had posted their resumes to Monster.com, the company has warned its users to be vigilant about online fraud because the breach was not an isolated incident. In an e-mail message sent to users, Monster shared antifraud advice and pledged to improve its security practices through enhanced surveillance of site traffic and tighter access to the Web site. Monster disclosed on August 23 that it had discovered a data breach caused by hackers who posed as employers, then illegally downloaded the names, addresses, phone numbers, and e-mail addresses of 1.3 million job-seekers. The hackers then sent e-mail to the users in an attempt to collect their passwords to financial sites or to install viruses on their PCs.
Source: http://www.infoworld.com/article/07/08/29/Monster-outlines-anti-fraudmeasures_1.html

38. August 28, Federal Times – Hackers steal info on USAJOBS.gov subscribers. Hackers have stolen the names, e-mail addresses and telephone numbers of about 146,000 subscribers to USAJOBS.gov, the Office of Personnel Management said Wednesday. The hackers accessed the information from the resume database run by Monster.com, which provides the technology for USAJOBS.gov, OPM said. Monster Worldwide told OPM that no Social Security numbers were compromised. OPM said that because of the breach, job seekers could find themselves targeted by so-called “phishing” e-mails, possibly disguised as Monster.com or USAJOBS.gov messages. Phishing e-mails try to trick people into revealing sensitive information such as passwords or downloading malicious software. Monster has identified and shut down the server that was accessing and collecting the information, OPM said.
Source: http://federaltimes.com/index.php?S=3001571

Communications Sector

39. August 29, CNet – Security group voices concerns over VoIP. A member of the Jericho Forum security group has criticized the security of voice over IP technology after researchers revealed that it was possible to eavesdrop on VoIP conversations. An eavesdropping vulnerability was revealed on the Full Disclosure mailing list on Wednesday. Vulnerability researchers claimed the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device. A Jericho Forum board member said that VoIP is not yet ready for use in businesses. "We don't consider VoIP to be enterprise-ready," he said. "You can't run VoIP on a corporate network because you can't trust every single device on that network. VoIP as it stands certainly isn't secure. Going forward, everybody should be using inherently secure protocols."
Source: http://news.com.com/Security+group+voices+concerns+over+VoIP/2100-7355_3-6205178.html?tag=cd.top