Monday, March 31, 2008

Daily Report

• The Associated Press reports a man fatally shot three people Thursday at a Columbus, Georgia, hospital. Police shot the man, who is being charged with murder and will be turned over to police after an overnight stay in another hospital. (See item 28)

• According to the Examiner, the District of Columbia Police Department will spend about $1.2 million to provide security at Nationals games, nearly doubling its presence from last year while assigning officers from around the city to ballpark duty, officials said. (See item 37)

Information Technology

34. March 27, IDG News Service – (National) Google: Web sites slow to fix serious Flash flaws. Two months after Adobe Systems patched a serious flaw in its Flash development software, there are still hundreds of thousands of Web pages serving up buggy Shockwave Flash (.swf) files that could be exploited by hackers, according to a Google researcher. The Google security engineer discovered the widespread vulnerability in his spare time while researching a book on Web security. It turned out that many Flash development tools created files that could be used by hackers in what is known as a cross-site scripting attack. This attack can be used in phishing, but it also gives the bad guys a nearly undetectable route into a victim’s bank account or almost any type of Web service. The researcher estimates that more than 10,000 Web sites are still affected by the issue. He first noticed the bug on Google’s Web site and tracked down the Google employee responsible for the flaw: a sales representative who had been using Dreamweaver to create buggy Flash files. The bug was in other Flash development tools too, but Adobe and others quickly patched their software after the findings were disclosed.

35. March 27, Computerworld – (Washington) Washington state passes RFID anti-spying law. Washington’s governor this week signed a bill making it a Class C felony to use radio frequency identification (RFID) technology to spy on someone. The bill was signed about a week after the Washington State Senate unanimously passed Bill 1031, which makes it a crime to intentionally scan people’s IDs remotely, without their knowledge and consent, for the purpose of fraud, identity theft, or some other illegal purpose. The bill specifically cites RFID and facial recognition technology. Violators face a prison sentence of up to 10 years. In addition, if the illegally gathered data is used in a separate crime, up to 10 years could be added to whatever sentence violators receive for the second crime. “Our intent was to put some basic rules of the road in place,” said a state congressman. “As the technology is being deployed, it needs to be done in a way that the public won’t sense there’s a huge violation to their privacy rights. My fear is that state legislatures are good at being reactionary when something atrocious happens. We wanted to be ahead of this one.” The congressman, who sponsored the bill, noted that Washington state began using enhanced driver’s licenses this winter. The new licenses use RFID tags and can be used at the Canadian/U.S. border crossing instead of a passport. In light of these new ID cards and the growing number of RFID-based customer-loyalty cards and company ID cards, he said it was time for a law that protects people’s privacy. The law, which goes into effect in July, focuses on skimming, or lifting information from RFID tags without the knowledge of the owner.

Communications Sector

36. March 28, IDG News Service – (International) Analyst: Money will lead to more mobile spying programs. Spying programs for mobile phones are likely to grow in sophistication and stealth as the business of selling spying tools grows, according to a mobile analyst at the Black Hat conference on Friday. Many of the spy programs on the market are powerful, but are not very sophisticated code, said a senior antivirus researcher at Finnish security vendor F-Secure, which makes security products for PCs and mobile phones. But there is increasing evidence that money from selling the tools will create a stronger incentive for more accomplished programmers to get into the game, which could make the programs harder to detect, he said. He said his prediction follows what has happened with the malware writers in the PC market. Many hackers are now in the business of selling easy-to-use tools to less technical hackers rather than hacking into PCs themselves. One of the latest tools on the market is Mobile SpySuite, which he believes is the first spy tool generator for mobiles. It sells for $12,500 and enables a hacker to custom-build a spy tool aimed at several models of Nokia phones, Niemela said. The number of mobile spyware programs pales in comparison to the number of such programs available for PCs. However, mobile spying programs are harder to track, since security companies such as F-Secure do not see as many samples circulating on the Internet as they do of malicious software for PCs. However, anecdotal evidence has emerged that enterprises may be increasingly encountering mobile spyware on their fleets of phones.