Thursday, March 27, 2008

Daily Report

• According to Patriot News, the security at Three Mile Island (TMI) is under scrutiny by federal regulators because of a reported deficiency. But the problem, which was identified by plant operator AmerGen Energy last summer and quickly corrected, will remain a secret under federal rules that prevent the public disclosure of security weaknesses. (See item 3)

• The Associated Press reports authorities revealed Tuesday that a man carrying a loaded shotgun was arrested in January near the U.S. Capitol, and explosives left in his truck nearby went undetected for three weeks. According to an indictment filed in District of Columbia Superior Court the suspect faces charges of planning to set off a bomb. (See item 24)

Information Technology

28. March 25, InfoWorld – (National) Apple’s Safari browser likened to malware. Mozilla’s chief executive has lambasted Apple for its use of iTunes to offer the Safari web browser to Windows users, saying the technique “borders on malware distribution practices” and undermines the security of the Internet. “What Apple is doing now with their Apple Software Update on Windows is wrong,” he wrote on his personal blog. “It undermines the trust relationship great companies have with their customers, and that’s bad - not just for Apple, but for the security of the whole web.” Mozilla makes the Firefox browser, currently the most popular alternative to Microsoft Internet Explorer with about 15 percent of the market to IE’s 78 percent, according to figures cited recently by Apple. Apple said Safari currently has about five percent of the market, a figure the company intends to increase. In June of last year, when the company announced Safari would be coming to Windows, Apple’s CEO said Apple would be using iTunes to deliver Safari to Windows users. Mozilla’s CEO is concerned that Apple would be “adding Safari by default to an update mechanism normally used for updates to already-installed programs, including urgent security updates.” Apple Software Update, which is installed along with QuickTime or iTunes on Windows PCs, currently lists Safari 3.1 as a default download, already checked, alongside the latest update to iTunes.

29. March 25, heise online – (National) Firefox update fixes critical security vulnerabilities. Mozilla is distributing version of its popular open source Firefox browser. This release fixes several critical vulnerabilities which could be exploited by attackers to inject malicious code or fake page content. The browser’s JavaScript engine contains several of the security vulnerabilities. Due to incorrect processing, attackers can execute external code with maximum privileges in the browser and also perform cross-site scripting (MFSA-2008-14 and MFSA-2008-15). Security advisory MFSA-2008-18 describes a vulnerability which allows Java applets to access any port on a local computer. According to the Mozilla security advisory, Sun has integrated a bug fix into the current version of Java Runtime, but the Mozilla programmers have also introduced counter-measures into their new version. A security vulnerability allows attackers to fake a borderless popup from a background tab using crafted web pages and place it in front of the user’s active tab. This could be used to spoof form elements and phish for data such as login data. Attackers can also circumvent the method used by some websites to protect against cross-site request forgery (CSRF) if server-side protection is based solely on referrer checking, as it is possible to fake the HTTP referrer (MFSA-2008-16). The Mozilla browser may reveal personal data if a user possesses a personal certificate which the browser presents automatically during SSL client authentication. According to security advisory MFSA-2008-17, following the update the browser asks the user before presenting the client certificate when it is requested by a website. Most of the security vulnerabilities also affect the Thunderbird mail client and the Seamonkey browser suite. The security advisories refer to Thunderbird version and Seamonkey 1.1.9, in which these bugs should be fixed. These versions are not yet, however, being distributed automatically. Firefox users should install the update without delay, as the vulnerabilities can be exploited using crafted web pages to inject trojans. Source:
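The referrer-check weakness described in item 29 is worth seeing side by side with the usual remedy. The Python below is an added illustration, not code from the report or from Mozilla: a CSRF check that trusts only the Referer header passes a request whose Referer has been spoofed, while a session-bound synchronizer token does not depend on the Referer at all. The origin name and the request dictionaries are constructed sample data.

```python
# Added example (not from the heise report): a Referer-only CSRF defence beside
# a synchronizer-token defence. All request/session data here is constructed.
import hmac
import secrets

TRUSTED_ORIGIN = "https://bank.example"   # placeholder site name


def referer_only_check(request: dict) -> bool:
    """Weak defence: accept any request whose Referer names our own origin.
    A client able to set an arbitrary Referer (the MFSA-2008-16 case) passes
    this check without ever having loaded our page."""
    referer = request.get("headers", {}).get("Referer", "")
    return referer.startswith(TRUSTED_ORIGIN + "/")


def issue_token(session: dict) -> str:
    """Server side: bind a random, unguessable token to the user's session
    and embed it in the form that the legitimate page renders."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def token_check(request: dict, session: dict) -> bool:
    """Hardened defence: the submitted form must echo the session token.
    A page on another site cannot read that token, whatever Referer it sends.
    compare_digest avoids leaking the token through timing differences."""
    expected = session.get("csrf_token")
    submitted = request.get("form", {}).get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Run both checks against a genuine and a cross-site request."""
    session = {}
    token = issue_token(session)
    # Genuine submission from our own page: carries the session token.
    genuine = {"headers": {"Referer": TRUSTED_ORIGIN + "/transfer"},
               "form": {"csrf_token": token, "amount": "10"}}
    # Cross-site submission with a spoofed Referer and no token.
    forged = {"headers": {"Referer": TRUSTED_ORIGIN + "/transfer"},
              "form": {"amount": "10000"}}
    return {
        "referer_only_accepts_genuine": referer_only_check(genuine),
        "referer_only_accepts_forged": referer_only_check(forged),
        "token_accepts_genuine": token_check(genuine, session),
        "token_accepts_forged": token_check(forged, session),
    }
```

The Referer check can still be kept as a secondary signal, but the token is what actually distinguishes the two requests.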

30. March 25, PC World – (National) Sites’ personal questions may pose security risk. If you have an online account at a retailer like, you have probably run into security questions when opening an account or when trying to recover one of the dozens of passwords you juggle in your head. Online businesses everywhere have embraced the technique, which is called knowledge-based authentication. Theoretically, the answers to these questions are so personal and obscure that knowing them proves you are you. Experts say, however, that the technology could end up helping hackers compromise your online accounts more easily. Knowledge-based authentication does not replace user names and passwords; it is an extra layer of security on top of such schemes, since hackers who stumble across your log-in credentials will not easily figure out the name of your high-school sweetheart. Collecting log-in information and answers to secret questions from your computer requires keylogging software, making it harder for malicious hackers to triumph. Scammers have adapted, adding secret questions to their decoy pages, says the CTO of fraud research company Secure Science. Bank phishing sites may include their own fraudulent drop-down lists that capture people’s answers, which bad guys can then use to hack real accounts. Even when hackers do not resort to subterfuge, these nuggets of information can sometimes be easier targets than passwords since there are a limited number of answers to questions such as “What was the make of your first car?”

Communications Sector

31. March 25, Associated Press – (National) Verizon’s open access may not be that open. Verizon Wireless picked up coveted wireless airwaves at a recent auction held by the Federal Communications Commission, which imposed certain consumer-friendly provisions on how that network can be used and what it will eventually look like.