Wednesday, March 26, 2008

Daily Report

• According to CNN, of the 28,000 commercial airline flights that take to the skies on an average day in the United States, fewer than one percent are protected by on-board, armed federal air marshals, a nationwide CNN investigation has found. That means that a terrorist or other criminal bent on taking over an aircraft would be confronted by a trained air marshal on as few as 280 daily flights. (See item 13)

• The Associated Press reports a security lapse made it possible for unwelcome strangers to see personal photos posted on Facebook Inc.’s popular online hangout, circumventing a recent upgrade to the Web site’s privacy controls. (See item 26)

Information Technology

25. March 25, InfoWorld – (National) Criminals target CA’s BrightStor in new attack. Just days after Microsoft warned of attacks targeting its Jet Database Engine software, cybercriminals have found a new program to attack: CA’s BrightStor ARCserve Backup. The new attack was reported Monday by Symantec, which said that a malicious Web page with a .cn domain was serving the attack code. By tricking an ARCserve user into visiting the Web site in question, attackers could leverage the flaw to install malicious software on a victim’s PC, Symantec said. A proof-of-concept example of the code was made public last week on the Web site. Symantec quickly predicted that it would likely be modified and used for attack. The flaw lies in the Unicenter DSM r11 List Control ATX ActiveX control, found in ARCserve Backup version 11.5, Symantec said. Other versions of the product may also be vulnerable, however. CA has not commented on the bug, so there is no indication when it might be patched. Symantec is advising users to turn off the buggy ActiveX control within the Windows Registry, something that should only be attempted by technologically savvy users.

26. March 24, Associated Press – (International) Security lapse exposes Facebook photos. A security lapse made it possible for unwelcome strangers to see personal photos posted on Facebook Inc.’s popular online hangout, circumventing a recent upgrade to the Web site’s privacy controls. The Associated Press verified the loophole Monday after receiving a tip from a Vancouver, Canada, computer technician, who began looking for security weaknesses last week after Facebook unveiled more ways for 67 million members to restrict access to their personal profiles. The added protections were not enough to prevent the researcher from pulling up the most recent pictures posted by Facebook members and their friends, even if the privacy settings were set to restrict the audience to a select few. After being alerted Monday, a Facebook spokeswoman said the Palo Alto-based company would look into the problem. By late Monday, Facebook appeared to have closed the security hole.

27. March 24, InfoWorld – (International) Most sites still hack-able. The latest research report out of Web applications security specialist WhiteHat finds that most sites are still woefully vulnerable to hacker attacks. Just as in its previous research, WhiteHat estimates that some 90 percent of all pages are hack-able, the same figure that it has attached to several previous reports. Over the last two years that WhiteHat has been issuing its paper, the company has reported that the volume and variety of Web site attacks have in fact only continued to rise, with Cross-Site Request Forgery (CSRF) tabbed as the next big thing by the experts this go round. According to the company, nine out of ten sites still have serious vulnerabilities, with an average of seven vulnerabilities per site. The leading forms of exploit that WhiteHat is observing on the Net have not budged much in recent months either, with classic techniques including SQL injection, buffer overflows, and cross-site scripting (XSS) leading the way. However, the company is predicting that CSRF threats will soon begin to multiply.

Communications Sector

Nothing to Report