Monday, January 14, 2008

Daily Report

• The Associated Press reported that Americans born after December 1, 1964, will have to get more secure driver’s licenses in the next six years under ambitious post-9/11 security rules. Over the next year, the government expects all states to begin checking both the Social Security numbers and immigration status of license applicants. (See item 10)

• According to the Summit Daily News, the Denver Water and Summit County officials have closed Dillon Dam Road due to suspicious activity after police found two men on the dam who said they were filming a music video. Information collected at the scene was forwarded to the Denver Field Office of the FBI, which is the normal protocol when dealing with any suspicious activity involving a public infrastructure like a dam. (See item 34)

Information Technology

24. January 11, IDG News Service – (National) Oracle to ship critical security patches next week. Oracle plans to fix dozens of flaws in its software products next Tuesday, including critical bugs in the company’s database, e-business suite, and application server. In its first security update of 2008, Oracle will ship 27 security fixes, some of which will affect several products. Oracle outlined some details of the upcoming patches in a pre-release announcement posted to the company’s Web site Thursday afternoon. Oracle releases security patches every three months, a process known as the Critical Patch Update (CPU). Oracle’s next most-patched product will be the E-Business Suite, which will receive seven updates, three of which are for bugs that can be remotely exploited by attackers who do not have usernames or passwords for the system. The Oracle Application Server will get six bug-fixes, addressing flaws in components such as the product’s BPEL (Business Process Execution Language), Worklist Application, Oracle Forms, and Oracle Internet Directory software. Finally, Oracle is planning four updates for its PeopleSoft and JD Edwards products, as well as one fix each for Oracle Enterprise Manager and the Oracle Collaboration Suite.

25. January 10, Computerworld – (National) Eight-day IT outage would cripple most companies. A Gartner Inc. poll shows that most business continuity plans could not withstand a regional disaster because they are built to overcome severe outages lasting only up to seven days. A Gartner analyst said that the results of the poll show that organizations must “mature” their business continuity and disaster recovery strategies to enable IT operations and staffers to endure outages of at least 30 days. Such efforts would require additional IT budget spending and collaboration across enterprise business units at most corporations, she noted. Gartner surveyed 359 IT professionals from the U.S., U.K., and Canada during 2007 on their business continuity efforts, and nearly 60 percent said that their business continuity plans are limited to outages of seven days or less. Further, results showed most companies focus on rebounding from internal IT disruptions, not from regional disasters that could also damage facilities. The survey found that 77 percent of companies have come up with a business continuity plan covering power outages caused by fire, while 72 percent have a plan to get up and running after a natural disaster. Only 50 percent of companies are prepared to rebound from terrorism-related IT outages. The survey showed that 29 percent of organizations now have pandemic recovery measures in place, up from just 8 percent in 2005.

26. January 10, Computerworld – (National) Researcher spots year’s first QuickTime bug. An Italian security researcher who ferreted out the year’s first vulnerability for Apple Inc.’s QuickTime media player posted proof-of-concept exploit code to security mailing lists and Web sites on Thursday. The researcher said that the most recent version of QuickTime is prone to a buffer overflow that, if successfully exploited, gives the attacker free rein over a user’s computer. He posted information and proof-of-concept code on his own Web site and on multiple mailing lists. About three hours after he posted his findings on the Bugtraq security mailing list, another Italian researcher, Barnaba, reported that his tests indicated only the Windows version is vulnerable. “Tried on QuickTime 7.3.10 running on OSX 10.5.1, and the player doesn’t try to connect to port 80 if 554 is closed,” said Barnaba. “So the bug should lie somewhere in the ‘fallback’ that [QuickTime] employs on Windows when finding out that the [RTSP] port is closed.” Apple officials did not immediately respond to a request for comment.

Communications Sector

27. January 10, USA Today – (National) Hope remains for national wireless network. Government and public safety officials said Wednesday they remain committed to plans for a national wireless network that could solve critical communication problems during emergencies, even though the most likely builder of the network has shut down. Industry analysts said Frontline Wireless’ demise throws into doubt the viability of the ambitious plan, which would impose unusual constraints on a private operator by forcing it to share airwaves with public safety agencies. The Federal Communications Commission is offering to sell relatively cheaply a chunk of spectrum to a carrier that will agree to share the airwaves with police and fire agencies during crises. Public safety agencies often have been unable to communicate with each other during disasters such as Hurricane Katrina because they use different frequencies. Frontline, backed by Silicon Valley heavyweights and co-founded by the former FCC chairman, was the only prospective bidder that voiced interest in buying the spectrum and sharing it with public safety. But the official said this week the company has ceased operations.