Friday, November 23, 2007

Daily Report

  • The Daily Press reports that the Nuclear Regulatory Commission gave the Virginia-based Dominion power plant the permit to build a new power plant next to its existing North Anna reactors. The construction will be the first new nuclear power plant in the country since the Three Mile Island disaster in 1979. (See item 6)
  • The Associated Press reports that the nation’s oldest subways are in dire need of repairs and upgrades. Transit officials say problems abound in subway systems in New York City (the nation’s largest), Boston, Washington, D.C., and, most of all, Chicago. (See item 11)

Information Technology

25. November 21, IDG News Service – (National) Firefox plans bug fix release for next week. Mozilla plans to release a bug fix for its Firefox browser next week, repairing a long-standing security flaw in the software. The update is in testing right now and should be released to the public next week, following the Thanksgiving holiday in the U.S. “We are giving it a couple of days to make sure that there are no issues found and we’ll release it after Thanksgiving,” said Mozilla’s vice president of engineering. Mozilla is calling on the Firefox community to test the browser during a quality assurance “testday” this Friday. The issue was first reported last February, but it gained widespread attention earlier this month when another prominent researcher pointed out on his blog that the flaw could be used to launch a cross-site scripting attack against the Firefox browser. The flaw has to do with the fact that Firefox does not properly check files that are compressed using the .jar (Java Archive) format. Attackers could sneak malicious code into the Jar-compressed documents, which would then be run by the victim. Shortly thereafter, yet another researcher showed how this attack could be launched against Google users, giving them access to victims’ Gmail accounts, Google searches and other sensitive data stored on the Google Web site. Though both vulnerabilities are related to the way Firefox handles .jar files, Mozilla considers them to be two separate issues, both of which are set to be patched in next week’s release.

26. November 20, Computerworld – (National) Are XP, Vista vulnerable to random number generator attack? The flaw in Windows 2000’s random number generator uncovered by Israeli researchers is a vulnerability -- but not a security vulnerability, Microsoft Corp. said late last week, as it left users wondering if newer versions of the operating system shared the same problem. In a paper published earlier this month, a professor from the University of Haifa and two Hebrew University graduate students described how attackers could exploit a weakness in Windows’ pseudo-random number generator (PRNG) to predict encryption keys generated by the operating system and its applications. After reverse-engineering the algorithm used to power the PRNG, they found that they could easily predict its future results and reveal what it had produced in the past. They could then compute both future and previously used encryption keys. The past was most important. “For you as a user, it means that if you are managing sensitive information today, it is not enough for you to verify that your computer hasn’t been compromised in the past,” said the group’s leader Monday. “You should also worry about future attacks, since a compromise in the future might reveal the sensitive information used today.” “In the security world, this is called an attack on ‘forward secrecy,’ and is taken very seriously,” he added for emphasis. Microsoft acknowledged that the PRNG has a “local information disclosure vulnerability,” though in a recent statement the company’s security response communications manager said “there is no security vulnerability.” “Information is not disclosed inappropriately to unauthorized users on any supported Windows systems. In all cases discussed in the claim, information is visible only to the users themselves or to another user logged on to the local system with administrator credentials,” he said. Symantec Corp. issued a low-level alert for it Tuesday to customers of its DeepSight threat network, calling it a design error.

27. November 20, Computerworld – (New Jersey; National) Commerce Bank breached – don’t tell. Commerce Bank of Cherry Hill, New Jersey, has notified an unspecified number of its 3 million customers of a recent data breach involving the potential compromise of their personal data. In an e-mailed statement to a query regarding the incident, a Commerce Bank spokesman only confirmed that a “security matter” had taken place recently that impacted “only a small segment” of its three million customers. Without referring to what happened, the statement said that immediate actions had been taken to address “this matter,” including an extensive internal investigation by the bank’s corporate security team as well as notification about the incident to federal and state law enforcement authorities. The email alluded to a letter sent by the bank to the affected customers, but did not say what information on them might have been compromised in the incident. “If customers did not receive a specific letter regarding this incident there is no need for them to be concerned,” the statement said. Local media reports suggested that the compromise resulted when a bank employee apparently handed over customer information such as Social Security numbers and account information to an external third party. There was no indication, however, whether that happened inadvertently or was the result of a malicious action on the part of the employee. One blogger on LiveJournal, who claimed to be a customer of the bank, said that a Commerce Bank representative had told her about 3,000 people had been affected in the incident. Commerce was targeted by hackers earlier in the year. According to reports earlier in the fall, the bank was able to deflect most of a hacking attempt on its database, but not before some customer information was divulged.

Communications Sector

28. November 20, IDG News Service – (National) FCC awards spectrum to public safety group. The U.S. Federal Communications Commission (FCC) has awarded the license for 10 MHz of valuable wireless spectrum to a public safety organization in anticipation of the spectrum being used to build out a nationwide emergency communications network. The FCC yesterday awarded the license for the spectrum in the 700-MHz band to the Public Safety Spectrum Trust Corp. (PSST), a nonprofit organization with representatives from several public safety groups, including the International Association of Chiefs of Police, the International Association of Fire Chiefs and the National Sheriffs’ Association. The 10 MHz awarded to the PSST will be combined with an adjacent 10 MHz of spectrum that will be auctioned in early 2008, with the winning bidder required to create a nationwide wireless network for both public safety agencies and commercial use. The FCC award to the PSST was expected. The PSST was the only applicant for the nationwide license. The group will negotiate a network-sharing agreement with the winning bidder on the adjacent 10 MHz of spectrum, and it will administer usage fees for the nationwide network. The organization will also review requests for early build-outs and will manage public safety access to the commercial portion of the spectrum during emergencies, according to the FCC. The PSST spectrum is part of a chunk of spectrum being abandoned by U.S. television stations after Congress in late 2005 required them to move to all-digital broadcasts by early 2009. Several lawmakers and groups pushed for part of the spectrum to be used for an emergency communications network. During the September 11 terrorist attacks, and in more recent disasters, emergency response agencies found they couldn’t talk to one another because they were using a variety of equipment on different spectrum bands.