Thursday, November 1, 2007

Daily Report

• USA Today reports that, nationwide, more than 8,000 lakes, rivers and bays are compromised by mercury’s toxic effects. However, the electric power industry insists that it is behaving responsibly by retrofitting old plants and building new ones with pollution control equipment. (See item 2)

• The New York Times reports that pharmaceutical ingredients exported from China are often made by chemical companies that are neither certified nor inspected by Chinese drug regulators. American and Chinese health officials held their first high-level meeting to discuss the issue in May, and hope to sign a memorandum of agreement in December. (See item 21)

Information Technology

27. October 31, Computerworld – (National) Storm Trojan dupes users with dancing Halloween jig. The Storm Trojan was flooding mailboxes with a Halloween spam blitz, security companies said Wednesday morning, just the latest example of the bot-building malware’s use of events to dupe people into infecting their PCs. The newest campaign arrives in messages with subject heads such as “Dancing Bones” and “The most amazing dancing skeleton,” said U.K.-based Sophos Plc. in an alert posted to its site. The messages include a link to a malicious URL posing as a Halloween-themed site; once there, users can click on a file, “halloween.exe,” which purports to be a dancing skeleton game but which actually fires off Storm in the background. Visitors running unpatched machines can also be hit by Storm after a multi-strike exploit package probes the PC for vulnerabilities and, if it finds one, compromises the computer and slips in Storm. “This is just the latest incarnation of the poisoned e-card attack, also known as Storm, which has dominated the malware scene for months,” a senior technology consultant at Sophos said in a statement. “The gang responsible are experts at choosing topical disguises or crafting alluring e-mails,” he said.

28. October 31, Computerworld – (National) Researchers give Leopard security low marks. Security experts said the features that Apple Inc. added to Leopard were nearly useless, and that those features will not protect Mac users when they log onto the Internet. Apple touts more than a dozen new security features and tools in Leopard, from anti-exploit memory randomization and an application defense dubbed sandboxing, to a guest account for shared machines and tighter control over input managers, long-abused operating system components that could be used by hackers to hijack Macs. Some of the features, like the new restrictions on input managers, were hailed, but security vendors claimed that Apple has left much room for future improvement in its Internet security features.

29. October 30, IDG News Service – (National) Audio-spam pitch rode eight-figure Storm wave. The Storm Worm botnet may be shrinking in size, but it has managed to send 15 million audio spam messages in October, according to the antispam vendor MessageLabs. The messages didn’t seem to be particularly effective. Recipients had to first click on an attachment -- usually given a misleading name like beatles.mp3 or Britney.mp3 -- to hear the stock pitch, which featured a robotic voice advising people to invest in online car seller Exit Only. This kind of scam, called “pump-and-dump,” tries to nudge up the price of penny stocks by a cent or two, giving the spammers a window to make a quick buck by selling the stock before it crashes. Spammers have been delivering their messages in different formats, including .pdf and Excel files, over the past few years as part of a cat-and-mouse game with spam blockers. This move to MP3 spam is the latest development in that battle, observers say. The spam run began on October 17 and lasted about 36 hours, using infected computers in the Storm Worm network to send out the e-mails, MessageLabs said in a statement released Tuesday. The spam sounded strange and warbly because the voice in the message was “synthesized using a very low compression rate of 16KHz to keep the overall file size small, at around 50 KB, to avoid detection,” the company said.

30. October 30, Computerworld – (National) Hartford Financial misplaces back-up tapes with personal data on policy holders. The Hartford Financial Services Group Inc. has notified about 237,000 policy holders of a potential compromise of their personal data. The warning followed the loss of three backup tapes containing the names, addresses, Social Security numbers and driver’s license numbers of customers of the company’s personal lines claims center. The tapes were discovered to be missing on Sept. 27. So far, there is no evidence that the tapes were stolen or that the information has been misused, a company spokeswoman said. The company does not know whether the tapes were misplaced while in transit to another location or went missing inside the company. But the information contained on them could only be read with “the use of sophisticated and expensive equipment,” she added. The Hartford breach is similar to scores of others in recent years involving the loss or theft of computers and media containing sensitive personal data. Security analysts have recommended that companies use encryption to mitigate potential data loss in such situations. Many companies that have been reluctant to do so because of cost concerns end up paying significantly more in notification and other costs when a breach occurs, analysts have previously noted.

Communications Sector

31. October 31, RCR Wireless News – (National) New bill would outlaw sale of cell phone numbers. A U.S. congressman introduced legislation today to ban the sale of cellphone numbers by third parties without the consent of wireless subscribers. “This legislation is not just about protecting the privacy of your cellphone number against unsolicited calls being charged to your account,” he said. “This is a security risk to every wireless subscriber because the information being sold often includes your personal credit history, including access to a person’s parents’ names and numbers, spouse's names and numbers, past ten residences, and other personal identification information used in identity theft cases.” The Consumer Cellphone Number Distribution Protection Act of 2007 would be enforceable if the cellphone number is not already publicly available and was obtained by the discloser as a condition of completing a commercial transaction. The cellphone industry attempted to create an opt-in directory several years ago, but the effort failed because of congressional privacy concerns, differences among major carriers and other factors.

32. October 30, Network World – (National) New cross-site scripting attack targets VoIP. Security researchers have found a way to execute cross-site scripting attacks through VoIP clients, introducing a dangerous new threat almost no one is guarding against, according to vendor Secure Computing Corp. “Few [people], if anyone, bother filtering the VoIP communications happening over SIP because they don’t want any performance degradation. Hence, these types of attacks are going to grow,” said the vice president of strategic accounts at Secure Computing. VoIP desktop clients using the Session Initiation Protocol, or SIP, are the problem area, he added. Security researchers discovered the flaw on October 8 and posted proof-of-concept code on the Internet describing the vulnerability, which they found in a Linksys VoIP product. Secure Computing said it is not yet aware of the attack being used against real users but said it is just a matter of time now that the proof of concept is out there. This particular cross-site scripting attack could be used to install software on a PC allowing hackers to record and listen to VoIP phone calls, said the Secure Computing rep. For example, a financially motivated hacker might listen to the conversations of the chief financial officer at a large public company toward the end of a quarter to learn information useful in stock trading. The same attack could also target mass audiences by installing keyloggers that steal usernames, passwords and other information that could help a criminal raid a bank account, he said.
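The item above notes that SIP traffic is rarely filtered before a VoIP client renders it. The following added example (not from the article, the researchers, or any vendor named in it) illustrates the defensive side: a constructed SIP INVITE whose From display name carries markup, a parser for the header, the unescaped caller-ID rendering a web-based softphone UI would get wrong beside the escaped one, and a heuristic check a SIP gateway or log monitor could apply to display names. The message contents, host names and the `suspicious_markup` heuristic are assumptions for illustration.

```python
import html
import re

# Constructed sample SIP INVITE (not from the article). The From display
# name contains markup that an HTML-based caller-ID view would execute
# if it were inserted into the page without escaping.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice <script>alert(1)</script>\" <sip:alice@example.invalid>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.invalid>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(msg):
    """Return SIP headers as a dict keyed by lower-case name (first occurrence wins)."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def split_from(value):
    """Split a From/To value into (display_name, uri); the name may be quoted."""
    m = re.match(r'\s*(?:"([^"]*)"|([^<]*?))\s*<([^>]+)>', value)
    if not m:
        return "", value.split(";")[0].strip()
    display = m.group(1) if m.group(1) is not None else m.group(2)
    return display.strip(), m.group(3)

def caller_id_html_unsafe(display, uri):
    """What a client does wrong: header text goes straight into the UI markup."""
    return '<div class="caller">%s (%s)</div>' % (display, uri)

def caller_id_html(display, uri):
    """Hardened form: escape every SIP-supplied value before it reaches HTML."""
    return '<div class="caller">%s (%s)</div>' % (
        html.escape(display, quote=True), html.escape(uri, quote=True))

def suspicious_markup(display_name):
    """Detection heuristic (assumption, not a standard) for a display name:
    tag-like text, a javascript: scheme, or an inline event handler. Apply it
    to the display name only; angle brackets around the URI are legitimate SIP."""
    return bool(re.search(r"<\s*/?\s*[a-zA-Z]|javascript:|\bon\w+\s*=", display_name, re.I))
```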