Monday, April 28, 2008

Daily Report

• According to WJLA 8 Washington, a Mesa Airlines pilot’s laptop, filled with top secret security information, was reported missing on April 17 at Dulles Airport, District of Columbia. Seventeen airports were forced to make emergency changes to access codes at Dulles, Atlanta, Phoenix, Chicago’s O’Hare, and San Antonio. (See item 17)

• MSNBC reports the head of Interpol said Friday that there is a “real possibility” that the Beijing Olympics will be targeted by terrorists or that anti-China groups could attack athletes. (See item 35)

Information Technology

32. April 25, IDG News Service – (National) Researcher finds new way to hack Oracle database. A security researcher has released technical details of a new type of attack that could give a hacker access to an Oracle database. Called a lateral SQL injection, the attack could be used to gain database administrator privileges on an Oracle server in order to change or delete data or even install software, he said in an interview on Thursday. He first disclosed this type of attack at the Black Hat Washington conference last February, but on Thursday he published a paper with technical details. In a SQL injection, attackers create specially crafted search terms that trick the database into running SQL commands. Previously, security experts thought that SQL injections would only work if the attacker was inputting character strings into the database, but the paper showed that the attack can work using new types of data, known as date and number data types. The attack targets the Procedural Language/SQL (PL/SQL) programming language used by Oracle developers. The researcher was not sure how widespread lateral SQL injection vulnerabilities are, but he thinks the attack could cause real damage in some scenarios. “If you happen to be using Oracle and you write your own applications on it, then yes, you could be writing vulnerable code,” he said. “The sky is not falling ... but it’s certainly something that people should be made aware of.” Database programmers should review their code to make sure it checks that all of the data it processes is legitimate and not injected SQL commands, he said. Source:

33. April 25, IDG News Service – (National) Spammers ramp up siege on Google’s Blogger via bots. Spammers are using an automated method to create bogus pages on Google’s Blogger service, again highlighting the diminishing effectiveness of a security system intended to stop mass account registrations, according to security vendor Websense. The spammers are sending coded instructions to PCs in their botnets, or networks of computers that have been infected with malicious software, wrote a threat analyst on Websense’s blog. Those sophisticated instructions tell PCs how to register a free account on Blogger. The spammers also figured out a way to solve the CAPTCHA, the warped text that has to be deciphered in order to complete an account registration. The compromised PC sends a request to an external host that tries to solve the CAPTCHA and then sends the answer back to the PC. Websense estimates the process has an 8 to 13 percent success rate. It is unknown exactly how the CAPTCHA gets solved. It has been theorized the process has been outsourced to real humans who get paid for every one deciphered. But researchers have successfully developed methods that enable computers to increase their success rate at solving the puzzles, indicating that hackers have also figured out how to do it. Security vendors and researchers have seen a rapid rise in accounts used for spam on free e-mail services from Microsoft, Yahoo, and Google, indicating current CAPTCHA technology has reached the end of its usefulness. Source:

34. April 24, Dark Reading – (International) Securing the Internet’s DNS. The Internet is slowly inching closer to ratcheting up the security of its Domain Name System (DNS) server architecture: The Internet Corporation for Assigned Names and Numbers (ICANN) plans to go operational with the secure DNS technology, DNSSEC, later this year in one of its domains. ICANN officials said the organization plans to add DNSSEC to its .arpa Internet domain servers, and that the .org domain servers as well as the .uk servers also will go DNSSEC soon. Country domains .swe (Sweden), .br (Brazil), and .bg (Bulgaria) already run the secure version of DNS for their domain servers. DNSSEC, which stands for DNS Security Extensions, digitally signs DNS records so that DNS responses are validated as legitimate and not hacked or tampered with. That ensures users do not get sent to phishing sites, for example, when requesting a legitimate Website. DNS security increasingly has become a concern, with DNS prone to these so-called cache poisoning attacks, as well as distributed denial-of-service (DDoS) attacks like the one last year that temporarily crippled two of the Internet’s 13 DNS root servers. But DNSSEC adoption has been slow in coming, mainly due to the complexity of managing the keys. Converting .arpa – a domain mostly relegated to Internet research sites – to DNSSEC is not quite the same as securing .com, but it could signal that DNSSEC is finally ready for prime time, experts say. Still, DNSSEC is not completely useful unless all domains have deployed it. Source:

Communications Sector

Nothing to Report