Thursday, January 17, 2008

Daily Report

• According to the Daily Mail, America is considering forcing Britons and other visitors to go through tougher checks when they enter the country, due to the growing threat of terrorists from Europe. The head of the Department of Homeland Security explained that he had no plans to scrap the visa waiver program, but could force Britons and others to register online before traveling. (See item 11)

• The Associated Press reported that, in a plan announced Tuesday, more than 300 miles of salmon runs would be restored along the Klamath River. The proposal calls for the removal of four aging hydroelectric dams that have stood on the river for nearly a century, providing electricity for 70,000 customers but also blocking salmon from reaching their spawning grounds. The proposal must be reviewed by federal agencies and the dams’ owner, PacifiCorp, which must agree to their removal. (See item 31)

Information Technology

23. January 16, IDG News Service – (National) Oracle fixes critical flaws in quarterly update. Oracle Corp. released 26 fixes across its product line in its latest critical patch update, nine of which repair flaws that are remotely exploitable. In an advisory listing the problems, Oracle advised administrators to patch their machines as quickly as possible. Five of the six vulnerabilities in Oracle’s Application Server can be exploited over a network without the need for a username or password, the company said. The same danger applies to three of seven vulnerabilities in the E-Business Suite and Applications and one of four problems in PeopleSoft Enterprise PeopleTools, Oracle said. In other products, the update includes one patch for Oracle’s Collaboration Suite and eight for various database products. Oracle fixed 51 vulnerabilities in its last critical patch update in October.

24. January 15, Infoworld – (International) Cyber-espionage moves into B2B. The practice of cyber-espionage is rapidly moving beyond the government sector and finding its way into the world of international business, according to experts with SANS Institute. While the United States and Chinese governments, most notably, have accused each other in recent years of carrying out surreptitious hacking campaigns aimed at stealing strategic information from their respective IT systems -- and many security experts believe that both countries, and many others, are actively engaging in such electronic warfare -- leaders with SANS maintain that the practice has recently begun to spill over into the private sector with greater frequency. According to the training institute’s latest research, cyber-espionage efforts funded by “well-resourced organizations” -- including both government-backed and private efforts -- will expand significantly during 2008, in particular as overseas companies look to gain an upper hand in negotiating business deals with large companies based in the U.S. and Europe. In one common scenario, said the director of research for SANS, organizations in the process of establishing legitimate partnerships with such companies are willing to pay hackers to break into those firms’ IT systems to gather competitive information to gain an advantage at the bargaining table. More companies than ever before are finding that they have been victimized in such a manner based on the discovery of their sensitive data in the hands of hackers and other fraudsters who have been apprehended by law enforcement officials, the expert contends. “Cyber-espionage is clearly growing across the board. It was much bigger in 2007 than in previous years, and it is expanding slowly into economic espionage involving both businesses and government entities,” he said. “This really has a lot of significant implications because people who have never thought of themselves as targets for this type of attack have suddenly become a sweet spot, and many are not prepared to defend themselves.”

25. January 15, IDG News Service – (National) Flash attack could take over your router. Security researchers have released code showing how a pair of widely used technologies could be misused to take control of a victim’s Web browsing experience. The code, published over the weekend by two researchers, exploits features in two technologies: The Universal Plug and Play (UPnP) protocol, which is used by many operating systems to make it easier for them to work with devices on a network; and Adobe Systems’ Flash multimedia software. By tricking a victim into viewing a malicious Flash file, an attacker could use UPnP to change the primary DNS (Domain Name System) server used by the router to find other computers on the Internet. This would give the attacker a virtually undetectable way to redirect the victim to fake Web sites. For example, a victim with a compromised router could be taken to the attacker’s Web server, even if he typed directly into the Web browser navigation bar. “The most malicious of all malicious things is to change the primary DNS server,” the researchers wrote. “That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it.” Because so many routers support UPnP, the researchers believe that “ninety nine percent of home routers are vulnerable to this attack.” In fact, many other types of UPnP devices, such as printers, digital entertainment systems and cameras are also potentially at risk, they added in a Frequently Asked Questions Web page explaining their research. The attack is particularly worrisome because it is cross-platform -- any operating system that supports Flash is susceptible -- and because it is based on features of UPnP and Flash, not bugs that could be easily fixed by Adobe or the router vendors.

Communications Sector

26. January 15, – (New York) Wireless LAN scan finds big security holes in NYC retailers’ wireless nets. There is bad news for some retailers at this week’s National Retail Federation trade show in New York City, where WLAN security company AirDefense disclosed the findings of its four-day scan of local retailers’ wireless nets. Security for retail wireless nets is still bad, though improving, AirDefense found after scanning nearly 800 stores in the five NYC boroughs between Thursday, January 10, and Sunday, January 13. About one third of the stores had no security at all, not even the minimal encryption provided by the flawed Wired Equivalent Privacy (WEP) protocol. Another third had weak encryption, such as WEP or the pre-shared key mode of the Wi-Fi Protected Access (WPA PSK) specification, which was originally intended as basic security for home or SOHO WLANs. The final third showed a quantum improvement, according to AirDefense’s chief security officer: the more advanced WPA2 specification, with 802.1X authentication brought down to every device, including handhelds, on the WLAN, and AES encryption, the strongest commercially available today. “These are the first retail stores we’ve seen with bulletproof [wireless] security,” he says.