Friday, September 14, 2007

Daily Reports

The Associated Press is reporting that a terminal at Detroit Metropolitan Airport has reopened after an unattended package forced its closure. It was unclear why the package was considered suspicious, but the terminal’s check-in lobby and baggage claim were evacuated, and traffic to an adjacent parking garage was diverted, according to reports on local TV and radio. (See item 13)

According to several reports, Hurricane Humberto weakened to a tropical storm over southwestern Louisiana today after crashing into the Texas coast with 85-mile-an-hour winds, killing one person, closing refineries and leaving at least 100,000 without power. (See items 1 and 42)

Information Technology

37. September 13, Reuters – Germany arrests 10 in global Internet scam raids. German police have arrested 10 people suspected of being involved in an international Internet scam which could have cost victims hundreds of thousands, Germany’s Federal Police Office said on Thursday. An 18-month-long probe resulted in raids in several German cities and the arrests of 10 Russians, Ukrainians and Germans who police think were involved in “phishing” – or tricking people into revealing personal or financial details. The group targeted bank customers, who received emails purportedly from organizations like eBay Inc. and Deutsche Telekom, said the office. Attached to the emails was so-called Trojan horse software which records data entered in computers. “This case shows that criminal organizations are using the Internet more and more to gain enormous amounts of money with a supposedly low risk of being caught,” said the Crime Office’s President in a statement.

38. September 13, Computerworld – Despite 9/11, IT is ‘overconfident’ about disaster recovery. Six years after the events of 9/11, many corporate IT operations are overconfident about their ability to handle a disaster, according to a Forrester Research, Inc. report released on Tuesday. The survey of 189 data center decision makers found a severe lack of IT preparation for natural and manmade disasters. For example, the report found that 27 percent of the respondents’ data centers in North America and Europe do not run a failover site to recover data in the event of a disaster. About 23 percent of respondents said they do not test disaster recovery plans, while 40 percent test their plans at least once a year. About 33 percent of respondents described their operations as “very prepared” for a manmade or natural disaster while 37 percent called their sites simply “prepared” for such events. A senior analyst at Forrester said she was surprised at how “overly confident” enterprises are about their ability to confront disasters when their preparation is actually minimal. “Without regular testing, the chance that your disaster recovery plan will execute flawlessly during a disaster is pretty slim,” said the report’s author.

39. September 13, Computerworld – Exploit code appears for Microsoft Agent bug. It took less than 24 hours for attackers to crank out proof-of-concept code targeting the one critical vulnerability disclosed – and patched – Tuesday morning by Microsoft, security researchers warned. Early Wednesday, analysts with Symantec Corp.'s DeepSight threat network alerted customers to the JavaScript exploit code for the critical vulnerability in Windows 2000 that was revealed in Microsoft's monthly patch cycle. The proof-of-concept was posted to the Internet by someone with a Brazilian e-mail address. An hour-and-a-half later, Symantec updated its alert to say that additional exploit code was also available to users of Immunity Inc.'s popular CANVAS penetration testing (“pentest”) software. To call attention to the added danger, Symantec also raised the vulnerability's threat score from Tuesday's initial 7.1 (out of a possible 10) to 8.5 today. The Windows 2000 bug – the only one rated critical of the four patched Tuesday – is in Windows Agent, the component that drives the operating system's interactive animated help characters. Symantec advised users who were unable to immediately apply the patch to disable their browser's script-handling capabilities.

40. September 12, Computerworld – Landmark data breach bill awaits California Governor’s OK. A closely watched California data breach bill that would require retailers to reimburse data breach-related costs to banks and credit unions is now one signature away from becoming state law. On Monday, the California State Assembly unanimously ratified amendments to the bill that were incorporated by the state Senate last week. The Consumer Data Protection Act, as the bill is known, now heads to the governor’s desk for approval. Analysts expect the California bill, if signed into law by the governor, to have the same ripple effect on data breach laws as the state's data breach notification law. That law was one of the first such notification laws in the country and has been adopted and imitated in one form or the other by several other states. The amended measure would take effect in July 2008 – not in January as originally proposed, thereby giving retailers more time to implement the security controls required under the law. The California law is just one of several data breach laws being eyed by multiple states in the wake of a string of high-profile retail security breaches earlier this year. Minnesota has already passed a law similar to the one in California.

Communications Sector

41. September 13, RCR Wireless News – FCC rules on E-911 spark broad debates. The Federal Communications Commission took dramatic steps to improve the location accuracy of wireless 911 services, but the mobile-phone industry and some telecom regulators complained the agency was taking action before the completion of FCC studies on emergency calling. The agency clarified that cellular carriers must meet enhanced 911 location accuracy requirements at the public-safety answering point service-area level, directing them to meet interim and annual benchmarks over the next five years to ensure full compliance by Sept. 11, 2011. Public-safety groups aggressively lobbied for PSAP-level E-911 compliance to remove confusion over wireless carriers’ embrace of statewide-averaging to meet FCC requirements. The FCC, cellular carriers and the public-safety community have been struggling to improve wireless E-911 for more than a decade, a situation complicated by technological capability, local and state budgets and shifting trends that have Americans increasingly making mobile phones their primary communications devices. Cellular operators today must locate emergency callers anywhere between 50 meters and 300 meters, depending on whether GPS handset or network-based E-911 technology is used. The FCC has fined a number of national mobile phone operators in recent years for failure to meet E-911 obligations. But the cellular industry and several FCC members, including those who voted for the changes, voiced concern about the government effectively imposing a new E-911 regime without considering a range of factors.