Friday, December 7, 2007

Daily Report

• USA Today reported on a new Government Accountability Office report, which states that the nation faces “a high risk of a catastrophic runway collision,” and that efforts to address the problem have stumbled due to lackluster federal leadership, technology glitches, and poor data collection. The GAO also called on the FAA to address fatigue among its air-traffic controllers. (See item 9)

• According to the International Herald Tribune, the U.S. Agriculture Department recently announced its twentieth recall of ground beef this year because of contamination with E. coli. The recall count is one shy of a record set in 2000 and matched in 2002, and is surprising because in the two previous years recalls were in single digits. The cause for the jump remains unclear, but a number of theories have been offered. (See item 11)

Information Technology

25. December 6, BetaNews – (International) Canada’s passport application system has security hole. An Ontario man discovered last week that the Web site meant to allow Canadians to apply for passports was allowing access to information on other applicants. By changing a single character in the URL while filling out the application, he was able to pull up data on another applicant. He told The Globe and Mail that doing so was effortless, and the site did nothing to prevent him from viewing the data. This leak provides enough data to essentially commit identity theft: it includes names, addresses, dates of birth, social insurance (Canada’s social security) numbers, phone numbers, and driver’s license data. The extent of the data breach is not known, as Passport Canada did not give details on how many applicants may be sitting in queue on the site at any given time. It is also not clear whether the data continues to sit on the site, accessible by its unique URL, after an application has been approved. In any case, access to the online application was disabled after the man informed the agency of the problem, and Passport Canada said it had the problem fixed by last Friday. However, a test on Monday by Globe and Mail reporters indicated that the hole still existed, and they were able to access further private data. This was despite Passport Canada’s assurances that the application was indeed secure. Unlike in many parts of the US, Canada has no law requiring government agencies or companies to disclose security breaches to consumers. Supporters of such legislation in Canada are using the incident as an example of why laws in this area are needed.
Source:

http://www.betanews.com/article/Canadas_passport_application_system_has_security_hole/1196966059
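The passport-site flaw above is a missing ownership check on a record selected by an identifier in the URL. The following added example (not code from the article or from Passport Canada) shows that gap as a vulnerable lookup beside a hardened one; the record store, user names and IDs are constructed sample data.

```python
# Added example: an application record fetched by the ID carried in the URL,
# first without and then with an ownership check. All data is constructed.
from dataclasses import dataclass


@dataclass
class Application:
    applicant_id: str   # the logged-in user who submitted the form
    name: str
    sin: str            # social insurance number (constructed placeholder)


# Constructed records keyed by the identifier that appears in the URL.
APPLICATIONS = {
    "1000": Application("alice", "Alice Example", "000-000-001"),
    "1001": Application("bob", "Bob Example", "000-000-002"),
}


class Forbidden(Exception):
    """Raised when the session user may not see the requested record."""


def view_application_insecure(session_user: str, app_id: str) -> Application:
    """Vulnerable pattern: trusts the ID from the URL and never asks who owns it.
    Editing one character of the URL (1000 -> 1001) returns another applicant."""
    return APPLICATIONS[app_id]


def view_application_secure(session_user: str, app_id: str) -> Application:
    """Hardened pattern: resolve the record, then enforce that it belongs to
    the session user. Missing and not-owned records fail the same way, so the
    URL cannot be used to discover which IDs exist."""
    record = APPLICATIONS.get(app_id)
    if record is None or record.applicant_id != session_user:
        raise Forbidden("application not found")
    return record


if __name__ == "__main__":
    # Alice requests a neighbouring ID: the insecure path leaks Bob's record.
    print(view_application_insecure("alice", "1001").name)
    try:
        view_application_secure("alice", "1001")
    except Forbidden as exc:
        print("blocked:", exc)
```

In a real application the ownership condition belongs in the database query itself (select by id AND applicant), so that no code path can fetch a record first and forget to check it afterwards.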

26. December 6, Computerworld – (National) Duke Law School applicants warned of possible ID theft. About 1,400 Duke Law School applicants and two current students are being warned about identity theft concerns after hackers broke into the law school’s Web site, where their Social Security numbers were stored in a connected database. In an announcement yesterday, the school said those affected are being notified of the incident via e-mail and letters sent by mail. “We have no evidence that the intruders actually downloaded or acquired any of this information,” wrote the law school’s associate dean of admissions in the e-mail Tuesday. “Nonetheless, we know they had the opportunity and the tools to do so,” he conceded. The incident was discovered by school officials last week, and the site -- which collects information from would-be applicants who want information about Duke from the admissions office -- was taken offline, according to the school. Those potentially affected by the breach had provided their Social Security numbers online. While investigating the breach, school officials said they also discovered that a second database could also have been accessed by hackers, potentially affecting another 1,900 people who filed online admissions applications to the law school. That database did not include Social Security numbers, but held home addresses, phone numbers, e-mail addresses and passwords created as part of the application process, according to the school. Those 1,900 applicants were also notified of the breach on Tuesday via e-mail and were advised to change their account passwords. A spokeswoman for Duke said an investigation into the incidents is continuing. So far, she said, investigators have learned that the intruders apparently gained access to the databases through third-party applications on the Web site. “We have some ideas about what they are but we don't want to say until we finish the investigation,” she said. Other databases at the law school, including those containing e-mail addresses or personal information about current students, employees and alumni, were unaffected by the incident, according to the school.
Source:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9051420&taxonomyId=17&intsrc=kc_top

27. December 5, Computerworld – (National) Privacy alert: Cookie variants can be used to skirt blockers, anti-spyware tools. Just because your Web browser is set to block third-party tracking cookies, that doesn’t mean all of them are being blocked. A growing number of Web sites are quietly resorting to the use of “first-party,” subdomain cookies to skirt anti-spyware tools and cookie-blockers and allow third-party information-gathering and ad-serving, according to some privacy advocates and industry analysts. Though the cookies are not fundamentally different from other third-party cookies, they are very hard to detect and block, said a research engineer with CA’s anti-spyware research team. The result: companies could theoretically use the cookies to quietly gather and share consumer information with little risk of detection, he said. So far, the use of first-party, subdomain cookies appears to be less prevalent than standard third-party cookies, “but it’s the kind of thing that might catch on quickly,” he said. The growing, but largely hidden, issue of online consumer-tracking and information-sharing burst into the open in recent days because of the controversy generated by Facebook’s Beacon ad-serving technology. First-party, subdomain cookies are those that appear to be served up by the primary Web site a user is visiting; in reality, they are being issued by an external third party. For example, a company whose primary domain name is xyz.com could create a subdomain called trackerxyz that falls within the xyz.com domain, so it would look like this: www.trackerxyz.xyz.com. This subdomain actually points to a third party’s server. But because the parent domain names are the same, the user’s browser sees that server as belonging to the parent -- and treats cookies from both equally. In many cases, first-party, subdomain cookies serve legitimate purposes, said a marketing director at TRUSTe, a San Francisco-based online privacy certification organization. For instance, a bank might have a relationship with an external bill payment vendor, and it might set cookies that appear to come from the bank but actually have been set by the bill payment vendor.
Source:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9051219&taxonomyId=17&intsrc=kc_top
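A cookie blocker that only compares the cookie host’s parent domain with the visited site will accept www.trackerxyz.xyz.com as first-party, exactly as the article describes. The added example below (not from the article, CA or TRUSTe) goes one step further and resolves the cookie host, flagging a subdomain that points at a server outside the site’s domain; the CNAME map, host names and cookie records are constructed, and the two-label parent-domain rule is a stated simplification (no public-suffix list).

```python
# Added example: classify a cookie as first-party, third-party, or a
# first-party-looking subdomain that resolves to an external server.
# CNAME_MAP stands in for DNS resolution; every host in it is constructed.
from urllib.parse import urlsplit

CNAME_MAP = {
    "www.trackerxyz.xyz.com": "collector.adnetwork-example.net",  # cloaked tracker
    "pay.bank-example.com": "edge.billpay-example.com",           # legitimate vendor
    "www.xyz.com": "www.xyz.com",                                  # resolves to itself
}


def registrable_domain(host: str) -> str:
    """Parent domain as a naive blocker sees it: the last two labels.
    Simplification: a real implementation consults the public-suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def resolve(host: str) -> str:
    """Follow CNAME_MAP until the name stops changing (loop-safe)."""
    seen = set()
    while host in CNAME_MAP and CNAME_MAP[host] != host and host not in seen:
        seen.add(host)
        host = CNAME_MAP[host]
    return host


def classify_cookie(page_url: str, cookie_host: str) -> tuple:
    """Return (label, resolved_host) for a cookie set by cookie_host while the
    user is viewing page_url."""
    site = registrable_domain(urlsplit(page_url).hostname)
    if registrable_domain(cookie_host) != site:
        return ("third-party", cookie_host)
    target = resolve(cookie_host)
    if registrable_domain(target) != site:
        # Passes a parent-domain comparison, but the subdomain is served from
        # outside the site: the case the article calls a first-party subdomain cookie.
        return ("subdomain-to-external-host", target)
    return ("first-party", target)


if __name__ == "__main__":
    for host in ("www.xyz.com", "www.trackerxyz.xyz.com", "ads.adnetwork-example.net"):
        print(host, "->", classify_cookie("https://www.xyz.com/account", host))
```

The same resolution check applied to pay.bank-example.com reports the bill-payment vendor case from the article, which is why such a flag is a prompt for review rather than an automatic block.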

Communications Sector

28. December 5, Associated Press – (Northwest) Officials: ham radio operators are storm’s ‘unsung heroes.’ When parts of Oregon were overwhelmed by wind and water during the recent storm, vital communication often was lacking, with trees down and across phone lines and cell coverage limited. Even the state police had difficulty in reaching some of their own troops. But ham radio worked. In fact, amateur radio operators were heralded by state emergency officials as heroes. Ham radio is more than just a hobby to some. It can set up networks for government and emergency officials to communicate when other communication services fail. “One of the problems in this is always communication,” said Oregon’s governor Tuesday. “I’m going to tell you who the heroes were from the very beginning of this...the ham radio operators. These people just came in and actually provided a tremendous communication link to us.” A network of at least 60 volunteer amateur radio operators working along the coast and inland helped keep crucial systems such as 911 calls, American Red Cross and hospital services connected. They relayed information about patient care and relayed lists of supplies needed in areas cut off by water. In addition to getting an FCC license to operate, certain groups of operators are cleared by the federal government to work as emergency responders. The Oregon Office of Emergency Management said the radio operators were tireless in their efforts to keep the systems connected. It was ham radio that kept New York City agencies in touch with each other after their command center was destroyed on 9-11, according to the National Association for Amateur Radio. When hurricanes like Katrina hit, amateur radio helped provide life-and-death communication services when everything else failed.
Source:
http://www.kptv.com/weatheralert/14776224/detail.html

29. December 6, vnunet.com – (National) VoIP must connect to emergency services. VoIP services that allow users to make calls to normal national phone numbers must also have the ability to connect to emergency numbers 999 and 112 from 8 September 2008. Ofcom wants to ensure that users who have switched to VoIP services from traditional landline or cellular phone companies can still access the relevant people in emergencies. The watchdog expressed concern that consumers needing to locate an ordinary landline or mobile phone in an emergency might face a delay of seconds or even minutes in getting through. “As new voice services develop and become more mainstream, regulation must evolve too,” said the entity’s chief executive. “Consumers must be confident that, if they can make calls to ordinary national numbers using their VoIP service, they will be able to call 999 or 112 in an emergency.” Ofcom found that 78 per cent of VoIP users who cannot currently call 999 or 112 either believed that an emergency call was possible, or did not know whether or not this was the case. The ruling attempts to protect consumers amid increasing use of VoIP services and the trend for those services to look and feel more like traditional fixed and mobile phone services. Some commentators have voiced concerns over a reliance on VoIP technology, following the Skype outage earlier this year.
Source:
http://www.vnunet.com/vnunet/news/2205253/ofcom-voip-connect-emergency