Thursday, March 20, 2008

Daily Report

• According to the New York Times, when a New York woman died aboard an American Airlines flight last month, her death raised concerns among passengers about the level of medical treatment available at 30,000 feet. Medical emergencies happen on planes more often than people might think. (See item 13)

• The Associated Press reports police arrested more than a dozen people who crossed a barricade and blocked entrances at the Internal Revenue Service building Wednesday, the start of a day of protests marking the fifth anniversary of the U.S. invasion of Iraq. (See item 31)

Information Technology

36. March 19, Computerworld – (National) Apple issues mega-monster security update. Apple Inc. Tuesday issued a record-breaking security update that patched nearly 90 vulnerabilities in both its own code and the third-party applications it bundles with its Tiger and Leopard operating systems. Security Update 2008-002 plugged 87 holes in the client and server editions of Mac OS X 10.4 and Mac OS 10.5. This single update’s total patch count nearly equaled half of all the fixes Apple released in 2007, and easily dwarfed the biggest updates that year, both which saw 40 or more bugs patched. Apple also updated its Safari browser for both Mac and Windows, patching 13 vulnerabilities. The much larger security roll-up fixed flaws in 30 different applications or operating system components in Mac OS X, from AFP Client and Apache to the Wiki Server and X11, the Mac’s version of the X Window System.

37. March 19, IDG News Service – (Pennsylvania) Pennsylvania pulls plug on voter site after data leak. With voting in Pennsylvania’s presidential primary just a month away, the state was forced to pull the plug on a voter registration Web site Tuesday after it was found to be exposing sensitive data about voters in the state. The problem lay in an online voter registration application form that was designed to simplify the task of registering to vote. State residents used it to enter their information on the Web site, which then generated a printable form that could be mailed to state election officials. Pennsylvania’s Department of State disabled the registration form late Tuesday after being informed of the vulnerability by IDG News Service. Because of a Web programming error, the Web site was allowing anyone on the Internet to view the forms, which contained data such as the voter’s name, date of birth, driver’s license number, and political party affiliation. On some forms, the last four digits of Social Security numbers could also be seen. The flaw was first reported by a reader of, who stumbled upon the bug after filling out a voter registration form. The bug did not expose all registration data – just the information supplied by those who used the Web site’s online form. About 30,000 voter registration records appeared to be available on the site.

38. March 19, Financial Times – (National) Beware: Printing can be data security’s Achilles Heel. Since January 2005, more than 218 million records involving sensitive personal information belonging to U.S. citizens have been exposed by security breaches. Drill down into the data, collected by U.S. lobbying group the Privacy Rights Clearinghouse, however, and it is clear that it is not only electronic media that are to blame. Last year, more than a dozen serious data protection breaches resulted not from the loss of a laptop, a disk, or memory drive, but from printed data. Some of the breaches resulted from errors in bulk or commercial printing houses, such as inadvertently printing customers’ social security numbers on envelopes or labels. But others were the result of employees printing sensitive data, which was subsequently lost or stolen - often because the paperwork was in the same bag or case as a laptop targeted by thieves. The true number of cases of data loss from paper documents could be far greater.

39. March 19, ZDNet UK – (International) RSA sees increase in fast-flux botnets. Security vendor RSA has reported that it has seen an increase in the use of sophisticated techniques that hide command-and-control servers in networks of compromised computers. However, University of Cambridge researchers have disputed the claim, saying fast-flux use has remained constant over the past year. Fast-flux is a DNS technique that distributes command-and-control by constantly reallocating the servers controlling peer-to-peer botnets. It makes those servers difficult to identify and shut down, as they “move” around the network. Fast-flux can also be associated with the allocation of proxy servers to hide static command-and-control servers in botnets. RSA said on Monday that the technique, widely reported as being used by the controllers of the Storm botnet, is now being used by at least three other compromised networks. RSA refused to name the botnets or the gangs involved, and said naming them would compromise its surveillance.

40. March 18, Computer Weekly – (National) Cyber Storm 2 exercise reveals security preparedness. Cyber Storm II, the world’s largest international cyber security exercise so far, ended on March 15. Undoubtedly, the U.S. Department of Homeland Security-sponsored event will report it as a resounding success and learning experience in its final report due in late summer. The exercise simulated a coordinated cyber attack on information technology, communications, chemical, and transportation systems and assets. It simulated a crash of the US and international telephone system, which in turn caused problems for top level domains such as .com, .net, and .gov. Crisis managers had to identify, evaluate, and respond to more than 1,800 malware incidents. These included botnet, phishing, and denial of service attacks. Some were “white noise.” These were relatively harmless events designed to mask or confuse more serious attacks on the systems. Cyber security is one of four priorities at DHS, which is responsible for securing the government’s IT and critical national infrastructure. Federal departments use an intrusion detection system called Einstein, as well as US-Cert, a 24x7 public-private operation that monitors and defends against malware attacks. DHS also plans to cut the number of internet access points that link to federal systems from about 4,000 to 50 to make the federal IT system easier to guard.

Communications Sector

41. March 19, Reuters – (National) Google sees surge in Web use on mobile phones. Google has seen an acceleration of Internet activity among mobile phone users in recent months since the company has introduced faster Web services on selected phone models, fueling confidence the mobile Internet era is at hand, the company said on Tuesday. Early evidence showing sharp increases in Internet usage on phones, not just computers, has emerged from services Google has begun offering in recent months on Blackberry e-mail phones, Nokia devices for multimedia picture and video creators and business professionals and the Apple iPhone, the world’s top Web search company said. Google made the pronouncement as it introduced a new software download for mobile phones running Microsoft Corp’s Windows Mobile software that conveniently positions a Google Web search window on the home screen of such phones. The software shortcuts the time it takes for people to perform Web searches on Google by eliminating initial search steps of finding a Web browser on the phone, opening the browser, waiting for network access, and getting to By making a Google search box more convenient, mobile phone users have begun using the Internet more, the company said. Source:;_ylt=AgxMlVSbRsdKquDIjfiubC767rEF

No comments: