Tuesday, March 11, 2008

Daily Report

• The New York Times reports a China Southern passenger jet that departed Friday morning from the heavily Muslim region of Xinjiang was forced to make an emergency landing after the flight crew apprehended at least two passengers who authorities say intended to sabotage the airplane. The plane, heading for Beijing, was diverted to the city of Lanzhou after an onboard incident. (See item 14)

• According to an Associated Press investigation, a vast array of pharmaceuticals – including antibiotics, anti-convulsants, mood stabilizers, and sex hormones – have been found in the drinking water supplies of at least 41 million Americans in 24 major metropolitan areas. Researchers do not yet understand the exact risks from decades of persistent exposure to random combinations of low levels of pharmaceuticals. (See item 20)

Information Technology

32. March 10, IDG News Service – (National) Rise in Gmail spam indicates more solved CAPTCHAs. Spam originating from Google’s Gmail domain doubled last month, indicating that spammers are still defeating the CAPTCHA, the distorted text used as a security test to thwart mass registration of e-mail accounts and other Web site abuse. Gmail spam went from 1.3 percent of all spam e-mail to 2.6 percent in February, according to data released by e-mail security vendor MessageLabs on Monday. The new statistics are another nail in the coffin for CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Google is the latest free Web mail provider to be victimized by spammers’ efforts to create software to solve the codes, or at times, also employ people to solve the codes en masse. “It’s only a matter of time before [CAPTCHAs] are comprehensively defeated,” said a senior analyst at MessageLabs. Last month, security vendor Websense ascertained that spammers were using two hosts to crack Gmail’s CAPTCHAs. The method appeared to be successful only 20 percent of the time. But if the procedure is repeated thousands of times, many new accounts can be generated and used to send spam. Most of the messages use links and images to advertise adult entertainment sites, he said. While other spammy domains can simply be blocked by antispam software, businesses are reluctant to cut off the domains of free Web mail providers because of their legitimate use, he said. Spam from Web mail providers comprises 4.2 percent of all spam. Google’s CAPTCHA system is considered hard to crack, but so was Yahoo’s, which is also regularly beaten. MessageLabs said 88.7 percent of the spam from free Web mail providers comes from Yahoo’s domains. Microsoft’s CAPTCHA, used for registering accounts on its Windows Live Mail service, has also been cracked. Websense believes the same group of spammers is responsible for breaking both Google and Microsoft’s system.
Source: http://www.networkworld.com/news/2008/031008-rise-in-gmail-spam-indicates.html

33. March 10, IDG News Service – (National) Security must evolve, CERT official says. Security has to evolve into something that supports business, rather than the other way around, according to a senior member of the technical staff at Carnegie Mellon University’s Computer Emergency Response Team. The tendency is to want to start locking things down, so security is something that disables, not enables, business, and remains an area where boxes and technology rule, she said in Stockholm at the European Computer Audit, Control and Security Conference. “Solving your security problems by buying another box is just wishful thinking. People just haven’t thought of security as a discipline that can be measured, managed and mapped. It’s a new way of looking at it,” she said. Security requirements have to spring from business-process needs, she stressed, saying, “Requirements should be driven by owners of business processes, not the caretakers of technology.” To simplify efforts to make changes to security strategy, her development team at CERT has developed the Resiliency Engineering Framework (REF), which was launched last year. It does not compete with other frameworks, such as ITIL. REF identifies enterprise-wide processes for managing operational resiliency – including everything from training to compliance management – and provides a structure from which an organization can start to improve. “You can reduce cost, eliminate duplicate efforts and improve compliance efforts, for example,” she said.
Source: http://www.networkworld.com/news/2008/031008-security-must-evolve-cert-official.html

34. March 9, Network World – (International) IT security lacking in best practices. The need for best practices knowledge was identified by 16 percent of respondents as the top IT security challenge affecting organizations today, according to a recent survey of 322 IT security professionals, undertaken by the Canadian Advanced Technology Alliance (CATA) in partnership with Microsoft. Coming in a close second was data protection, cited by 15 percent of respondents, followed by access management, cited by 13 percent. “The lack of best practices being one of the primary challenges was certainly one we weren’t anticipating when we started this study,” said CATA’s vice-president of research. Another finding indicated that IT security professionals believe that their organizations do not put enough emphasis on IT security challenges and often react after the problem arrives on their doorstep. “I see a lot of basic processes like simple hardening of servers that still isn’t being done as the norm, so while some organizations get it, many others don’t,” said an executive officer at the Federation of Security Professionals in Toronto. “Larger organizations tend to understand security better and it also depends on the industry.” To address these issues, CATA recommended that the industry develop industry-wide best practices, establish a research series of IT security professional perspectives reports, undertake a study to determine the value of an IT security skills set, and work to define Canada’s global IT security brand.
Source: http://www.networkworld.com/news/2008/030708-it-security-lacking-in-best.html?fsrc=rss-security

35. March 8, Network World – (International) Top cybercrook targets for 2008. A recent Internet Security Outlook Report issued by CA warns that social networks and Web 2.0 are among the top potential targets for online attacks in 2008. The study, based on data compiled by CA’s Global Security Advisor researchers, features Internet security predictions for 2008 and also reports on trends from 2007. “Cybercriminals go where opportunity lies and take advantage of any and all vulnerabilities,” said the vice president of Product Management for CA’s Internet Security Business Unit. “While security protection is becoming better at detecting malware, online thieves are getting smarter and stealthier in the way they attack our computers.” CA made a number of online security predictions for 2008, including: the number of computers infected by botnets will increase sharply in 2008, with bot herders changing their tactics and decentralizing via peer-to-peer architectures; malware will reach new levels of sophistication, targeting virtualized computers and increasingly using obfuscation techniques to hide in plain sight; social networking sites will become increasingly popular and, as a result, more vulnerable; Web 2.0 services and sites will come under targeted attack; and more Windows Vista users will bring more attacks.
Source: http://www.networkworld.com/news/2008/030708-top-cybercrook-targets-for.html?fsrc=rss-security

Communications Sector

36. March 10, IDG News Service – (International) Ericsson predicts demise for Wi-Fi hot spots. As mobile broadband takes off, Wi-Fi hot spots will become as irrelevant as telephone booths, LM Ericsson Telephone Co.’s chief marketing officer said Monday. Mobile broadband is growing faster than mobile or fixed telephony ever did, he said. “In Austria, they are saying that mobile broadband will pass fixed broadband this year. It’s already growing faster, and in Sweden, the most popular phone is a USB modem,” said the Ericsson representative, who was the keynote speaker at the European Computer Audit, Control and Security Conference in Stockholm. As more people start using mobile broadband, hot spots will no longer be needed. A couple of factors will accelerate the move to mobile broadband. In countries such as Austria, Denmark and Sweden, the average price for a mobile broadband subscription is only $31 U.S. per month, he said. Also, support for high-speed packet access (HSPA), favored by Ericsson, is being built into more and more laptops. Ericsson recently signed a deal to put HSPA technology in some Lenovo Group Ltd. notebooks. But challenges still remain. Coverage, availability and price – especially when someone is roaming on other networks – are all key factors for success. Operators are also looking at ways to provide better signal coverage, particularly indoors and in rural areas.
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9067479&source=rss_news10

37. March 8, BroadbandReports.com – (New York) NYC launches ambitious wireless network. New York City is about to launch a citywide wireless network intended to cover all of the city’s 322 square miles by the end of the year. This is not a public Wi-Fi program but instead is designed as a municipal network providing over fifty different applications including public safety, government asset tracking and mobile worker support within certain agencies. MuniWireless is calling it the “most comprehensive and far-reaching wireless project in the nation, in terms of applications breadth.” The initial launch is next month and will cover about seventy percent of the network. That should be followed by another twenty five percent completed by the end of the summer. The final five percent should find the network accessible by year’s end. As for public access, the network’s leaders say that they may eventually consider doing something with the network to bridge the digital divide by providing public Wi-Fi access to certain populations. However, they note that there are other projects in the works designed to meet these needs.
Source: http://www.dslreports.com/shownews/NYC-Launches-Ambitious-Wireless-Network-92458