Tuesday, October 16, 2007

Daily Report

· The Associated Press reports that California has become the first state to pass a bill banning toys and baby products containing more than one tenth of one percent of phthalates -- a chemical used to soften plastics that scientists have linked to health problems. Oregon, Maryland and New York are considering similar bills on phthalates. (See item 3)

· The Associated Press reports that all lanes were reopened Monday on I-5 near Los Angeles, California, following a fiery Friday night accident involving several dozen trucks and other vehicles. Two men and an infant died and at least 10 people were injured, according to authorities. Investigators are still looking into the cause of the accident. (See item 13)

Information Technology

30. October 15, Computerworld – (Ohio) ‘Management Glitch’ is blamed in Ohio tape theft. An Ohio state official must surrender a week of future vacation time as punishment for a “management glitch” that led to the theft of a backup tape holding Social Security numbers and other personal data on more than 100,000 state employees and taxpayers. The state issued the punishment late last month to the payroll team leader for the Ohio Administrative Knowledge System ERP project of the Ohio Department of Administrative Services, according to the department’s communications office. The tape was stolen in June from an intern’s car. An official from the office also noted that although the tape was his department’s responsibility, it was regularly handled by individuals from other agencies. “Part of the problem is that [the data] was outside of any one person’s hands. There were people coming in from agencies to do data migration and testing” who were adding data to the drive, he said. “One lesson that the state learned is that we need to throw more resources at security and privacy when we have an issue like that,” he added. An analyst at Enterprise Strategy Group Inc. in Milford, Massachusetts, said the minimal punishment indicates that there is not a widespread security problem. “If there was a pattern of incompetence,” she said, “then typically the person would lose their job.”
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=305393&taxonomyId=17&intsrc=kc_top

31. October 15, IDG News Service – (National) Researcher: Mac OS, Linux probably have URI issues too. The problems with URI protocol handlers that are registered unnecessarily and with little thought given to security are not limited to Windows, researchers say. An analyst at Ernst & Young Global, one of the researchers who has been studying the problem most closely, says he hopes to present more details on how other Unix-based operating systems such as Linux and Mac OS X may also be susceptible to what are known as URI (Uniform Resource Identifier) protocol handler flaws at the Toorcon hacking conference, being held next week in San Diego. In an interview, he said that he had not yet found a way to run unauthorized code on Unix-based operating systems, but that he and his fellow researchers had discovered a number of issues that looked like grounds for further research. The problem they have been researching over the past few months has to do with URI protocol handling, the mechanism used to launch programs from within Web browsers. Probably the best known of these schemes is mailto, which launches the mail client from within the browser, but any software developer can register their own application with the operating system as the handler for a scheme. To date, attackers have found ways to run unauthorized software on the PC by sneaking commands into specially crafted Web links that use the URI schemes of several well-known applications: the link’s contents are substituted into the command line that launches the registered handler, so unexpected quotes or spaces in the link become extra arguments to that program. Microsoft had originally said that it was up to software developers to make sure their programs check the links so that they do not include malicious content, but this week it agreed to put some checks within the Windows operating system as well.
Source: http://www.thetimesherald.com/apps/pbcs.dll/article?AID=/20071015/NEWS01/710150307/1002
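The following Python sketch is an added illustration, not code from the report or from the researchers it describes. It shows the argument-injection pattern that URI protocol handler flaws rely on: a fictional notes: scheme, a fictional notes-client program, its command template and the two links are all constructed for this example, and shlex is used only to approximate how a launched program would tokenize the resulting command line. The hardened version decodes and validates the link before handing the handler a fixed argv list rather than a shell string.

```python
import re
import shlex
from urllib.parse import urlsplit, unquote

# Constructed example: a fictional "notes" client has registered the notes:
# scheme with the OS using a command template into which the browser-supplied
# URI is substituted. %1 is the placeholder convention Windows uses in the
# registry; wrapping it in quotes is the protection many vendors relied on.
HANDLER_TEMPLATE = 'notes-client --open "%1"'

# A benign link a page might legitimately carry, and a crafted one that closes
# the quoted argument early (both constructed for this example). The third
# form carries the same payload percent-encoded, as a browser might pass it.
BENIGN_URI = "notes:report-42"
CRAFTED_URI = 'notes:x" --exec "calc.exe'
ENCODED_CRAFTED_URI = "notes:x%22%20--exec%20%22calc.exe"


def build_command_unsafe(uri: str) -> str:
    """Substitute the raw URI into the template, as a naive registration does.

    Quotes and spaces inside the URI are not escaped, so they change the
    structure of the command line once it is tokenized.
    """
    return HANDLER_TEMPLATE.replace("%1", uri)


def tokens_seen_by_handler(cmdline: str) -> list[str]:
    """Approximate the argv the launched program receives.

    shlex applies POSIX shell rules; Windows' CommandLineToArgvW differs in
    details but likewise splits on unquoted whitespace.
    """
    return shlex.split(cmdline)


# Allowlist for what a note identifier may look like (an assumption of this
# example; a real handler would use whatever grammar its targets follow).
ALLOWED_TARGET = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_argv_safe(uri: str, scheme: str = "notes") -> list[str]:
    """Validate the URI and return an argv list suitable for a shell-free exec.

    Raises ValueError for anything outside the expected shape. The path is
    percent-decoded before validation so encoded quotes cannot slip past.
    """
    parts = urlsplit(uri)
    if parts.scheme != scheme:
        raise ValueError(f"unexpected scheme {parts.scheme!r}")
    if parts.netloc or parts.query or parts.fragment:
        raise ValueError("unexpected URI component")
    target = unquote(parts.path)
    if not ALLOWED_TARGET.fullmatch(target):
        raise ValueError(f"target rejected: {target!r}")
    # Handing this list to subprocess.Popen with shell=False delivers the
    # target as exactly one argument regardless of its contents.
    return ["notes-client", "--open", target]


def crafted_link_injects_argument() -> bool:
    """True if the crafted link adds an --exec argument under the unsafe template."""
    return "--exec" in tokens_seen_by_handler(build_command_unsafe(CRAFTED_URI))


def safe_handler_rejects(uri: str) -> bool:
    """True if the hardened handler refuses the given link."""
    try:
        build_argv_safe(uri)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe command line:", build_command_unsafe(CRAFTED_URI))
    print("argv seen by handler:", tokens_seen_by_handler(build_command_unsafe(CRAFTED_URI)))
    print("safe argv for benign link:", build_argv_safe(BENIGN_URI))
    for uri in (CRAFTED_URI, ENCODED_CRAFTED_URI):
        print(f"safe handler rejects {uri!r}:", safe_handler_rejects(uri))
```

The two defences are independent: validating the decoded target stops malformed links at the boundary, and passing an argv list without a shell means that even an unvalidated target cannot grow into extra arguments. Registering a handler only when the application actually needs to be launched from a browser removes the attack surface entirely.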

32. October 15, Computerworld – (National) Commerce bank thwarts a major database hack. A Midwestern bank last week said it was able to deflect most of a hacking attempt on its database, but not before some customer information was divulged. Commerce Bank NA, which operates in Missouri, Kansas, Illinois, Oklahoma and Colorado, last week said a hacker had breached a database with about 3,000 customer records and accessed 20 of them. The hacking was quickly detected and stopped, said the unit of Kansas City, Missouri-based Commerce Bancshares Inc. Officials added that law enforcement agencies were notified of the breach. The bank said that it is contacting all customers who may have been affected and that it will provide them with free credit monitoring services for 24 months. Commerce Bank did not disclose how the hackers accessed its database.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=305311&taxonomyId=17&intsrc=kc_top

33. October 12, IDG News Service – (National) Critical Oracle patches coming this week. Oracle Corp. will release security updates next week fixing 51 vulnerabilities in its products. Included in the Critical Patch Update, set to be released Tuesday, will be critical updates for the company’s flagship Oracle Database. Twenty-seven database bugs will be fixed, five of which can be “exploited over a network without the need for a username and password,” Oracle said in a note on next week’s patches. Fixes are also planned for Oracle’s Application Server, E-Business Suite and Enterprise Manager software. There will also be patches for three vulnerabilities in the company’s PeopleSoft Enterprise products. After the database software, the Application Server and E-Business Suite will get the most patches, with 11 and 8 bug fixes, respectively. No patches are planned for Oracle’s Collaboration Suite and JD Edwards products. Oracle’s 10g and 9i databases will both be patched next week. The software vendor releases its updates on a quarterly basis, so each release typically contains a large number of patches; July’s update, for example, contained 45 fixes. Following next Tuesday’s release, the next Critical Patch Update is set for January 15.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9042438&taxonomyId=17&intsrc=kc_top

Communications Sector

34. October 15, RCR Wireless News – (National) VZW intros new opt-out policy for dissemination of calling records. Verizon Wireless is requiring customers to opt out of allowing the carrier to share their customer proprietary network information (CPNI), a new policy that could spark protest from the carrier’s customers. CPNI comprises users’ calling records and includes the numbers of incoming and outgoing calls and time spent on each call, among other data. Verizon Wireless last week began sending letters notifying customers that they have 30 days to opt out of the program by calling an 800 number before their information would be shared. “In order to better serve your communications needs and to identify, offer and provide products and services to meet your requirements, we need your permission to share this information among our affiliates, agents and parent companies (including Vodafone) and their subsidiaries,” the company informed subscribers. “Unless you provide us with notice that you wish to opt out within 30 days of receiving this letter, we will assume that you give the Verizon Companies the right to share your CPNI with the authorized companies as described above.” CPNI has become a contentious issue in recent years as telecommunications firms and others seek to leverage their networks by delivering highly targeted ads. The Federal Communications Commission earlier this year strengthened its privacy rules regarding CPNI following the pretexting scandals that darkened the industry last year.
Source: http://www.rcrnews.com/apps/pbcs.dll/article?AID=/20071012/FREE/71012004/1002

35. October 15, Computerworld – (National) Privacy concerns dog IT efforts to implement RFID. Privacy concerns related to the use of radio frequency identification technology are reaching new heights, as legislators increasingly look to restrict RFID deployments and corporate employees criticize efforts to use it in identification badges. At the same time, champions of the technology contend that not enough is being done to promote the value of RFID. For example, they say, it can be used to track tainted foods or counterfeit drugs or to reduce inventory-tracking costs. IT executives attending the RFID World conference in Boston last month said employee fears have forced some companies to change or even cancel plans to use badges embedded with RFID technology. The manager and counsel for technology policy and state government affairs at the AeA, formerly known as the American Electronics Association, noted that more and more state legislatures are seeking to limit the use of RFID technology. While RFID privacy concerns “are taken very seriously in state governments across the U.S.,” most legislators do not understand the value of the technology, he contended. He said 50 bills aimed at limiting RFID were introduced in 19 states in 2007, and three became law.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=305197&taxonomyId=17&intsrc=kc_top