
Friday, August 31, 2007

[SECURITY] [DSA 1363-1] New Linux 2.6.18 packages fix several vulnerabilities


--------------------------------------------------------------------------
Debian Security Advisory DSA 1363-1

Dann Frazier
August 31st, 2007
--------------------------------------------------------------------------

Package : linux-2.6
Vulnerability : several
Problem-Type : local/remote
Debian-specific: no
CVE ID : CVE-2007-2172 CVE-2007-2875 CVE-2007-3105 CVE-2007-3843

Several local and remote vulnerabilities have been discovered in the Linux
kernel that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:


Thomas Graf reported a typo in the IPV4 protocol handler that could
be used by a local attacker to overrun an array via crafted packets,
potentially resulting in a Denial of Service (system crash).
The DECnet counterpart of this issue was already fixed in DSA-1356.


iDefense reported a potential integer underflow in the cpuset filesystem
which may permit local attackers to gain access to sensitive kernel
memory. This vulnerability is only exploitable if the cpuset filesystem
is mounted.


The PaX Team discovered a potential buffer overflow in the random number
generator which may permit local users to cause a denial of service or
gain additional privileges. This issue is not believed to affect default
Debian installations where only root has sufficient privileges to exploit


A coding error in the CIFS subsystem permits the use of unsigned messages
even if the client has configured the system to enforce signing by passing
the sec=ntlmv2i mount option. This may allow remote attackers to spoof CIFS
network traffic.


Alan Cox reported an issue in the aacraid driver that allows unprivileged
local users to make ioctl calls which should be restricted to admin

These problems have been fixed in the stable distribution in version

The following matrix lists additional packages that were rebuilt for
compatibility with or to take advantage of this update:

Debian 4.0 (etch)
fai-kernels 1.17+etch5
user-mode-linux 2.6.18-1um-2etch4

We recommend that you upgrade your kernel package immediately and reboot
the machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these fixes.

Upgrade Instructions
--------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 4.0 alias etch
--------------------------------

Source archives:

These files will probably be moved into the stable distribution on
its next update.

---------------------------------------------------------------------------------
For apt-get: deb etch/updates main
For dpkg-ftp: dists/etch/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and

Articles of interest: Loneliness

Knowing that this article was of interest to you matters to us,
as do your suggestions for topics.
Feel free to reply to this email.



It is important to give yourself permission to attempt an
approach that goes through the stages of
companionship, friendship, courtship,
engagement, marriage and family. This is
part of the key to avoiding loneliness and
the lack of a sense of belonging.

Some key points for achieving this are:

Interested? Read the full article in
the bulletin of the magazine "100% Familiar"

Send your comments or suggestions, with pleasure


Lic. Reina Rodriguez
Revista Cinterniños
Tel. 998 8475267

Cisco plans to blend two NAC schemes; UTM firewalls ready for the enterprise

Network World Daily News: PM, 08/31/07

Cisco plans to blend two NAC schemes
Cisco is planning oneNAC, a hybrid of its NAC schemes that will address customer concerns about the complexity, maintenance and speed of the company’s ...

UTM firewalls: Ready for the enterprise
IT managers at small and midsize businesses like unified threat management appliances - firewalls that layer on antimalware protection, content filtering, antispam and intrusion prevention - because deploying a single, multi-function device reduces costs and simplifies configuration. But with dramatic differences between SMB and enterprise requirements, is there a place for enterprise UTM firewalls? The answer is definitely "yes," for these three reasons: reduced complexity, simplified management and increased flexibility.

Office Open XML standardization to drag into next year
Microsoft-inspired Office Open XML proposal to be voted on this weekend by ISO members, but standardization effort will stretch into next year.

Best practices for WAN Optimization

Join Mark Fabbi, Gartner Vice President and Distinguished Analyst, as he discusses the four critical actions you must take to meet your application acceleration goals. Also, learn how to choose the best WAN optimization solution for your needs, how to build a scalable architecture and more.

Vendor beware: this CTO knows - and will exploit - your weaknesses
IT buyers often have a hard time finding a bargain - but not Dave Leonard. Find out how this savvy CTO analyzes the motivations of vendors and gets them to slash prices.

Outsourcing can save companies big bucks, report says
Outsourcing noncore infrastructure management and application services can save companies between 12% and 17% on average, a Forrester Research ...

Acer masters the PC market share
Acer executed a master stroke in the global war for PC market share with its US$710 million purchase of Gateway Inc., but it may take a while for ...


What's your longest-running Cisco device?
Blogger Michael Morris came across a device that had been up for 1,166 days. How about you?


1. Microsoft blames human error for glitch
2. Airline puts Linux PC in every seat
3. MPLS proposal spawns IETF, ITU turf war
4. Psst... Wanna buy a data center?
5. Hacks hit embassy, government e-mail worldwide
6. Secrets of vendors' pricing plans
7. Bank of India site hacked
8. ISPs to rural U.S.: Live with dial-up
9. Notes from OPNETWORK 2007
10. How close is World War 3.0?


Contact the author:

Questions? Feedback? Contact Site Editor Jeff Caruso.


Network World, Inc., 118 Turnpike Road, Southborough, MA 01772

Copyright Network World, Inc., 2007

Security Management Weekly - August 31, 2007

1. "FBI Investigates String of Store Threats" Bomb-Threat Caller Demands Money From 15 U.S. Stores During Past Week
2. "Convenience Stores Get Tips to Boost Security"
3. "Mexico City Police Find Bomb in Nation's Tallest Skyscraper" Ten Thousand Workers Evacuated
4. "With Software and Soldering, AT&T's Lock on iPhone Is Undone"
5. "Saudis Set Up Force to Guard Oil Plants"
6. "Vindicated Olympic Park Bombing Suspect Richard Jewell Dies"
7. "E-Mail Bomb Threats Sent to Campuses Across U.S."
8. "Chertoff Touts Coast Guard Changes, New FEMA Warning System" Hurricane Response Is Revamped
9. "Aggressive Bees May Track Future of Flying Robots"
10. "After Virginia Tech" Campuses Struggling to Keep Up With Record Number of Mentally Ill Students
11. "Preventing the Next Campus Shooting"
12. "All of World's Biggest Firms Hit by Typosquatting"
13. "Digital Detectives Discern Photoshop Fakery"
14. "America's Hackable Backbone" IBM Researcher Hacks Into Nuclear Power Plant
15. "A Common-Sense Approach to Computer Security"

"FBI Investigates String of Store Threats"
Seattle Post-Intelligencer (08/29/07) ; Tucker, Eric

The FBI says that a bomb-threat caller--believed to be one person or group--has made telephoned bomb threats against 15 stores in no fewer than 11 states during the past week, claiming that he will detonate a bomb in the store if store managers do not immediately wire money to an overseas account. During the threatening call, the caller tells store managers that he is watching the store at that moment and can see inside the store, adding that he has a gun or bomb and will kill shoppers inside the store. He typically asks the managers to send money to the overseas account via Western Union, MoneyGram International, or another wire-transfer service. During one call, the caller ordered employees and shoppers inside a Dillons grocery store in Kansas to take off their clothes upon threat of death; the employees and customers complied with his demand. In another instance, the caller demanded a store employee cut off the store manager's fingers if the manager failed to comply with the caller's demands. The targeted businesses include Wal-Mart, Safeway, US Bank, Giant Eagle, and Vons, among others. Police believe the caller is ad-libbing and bluffing during the calls, and they doubt he has the ability to see into the stores. One call has been traced to Portugal, and police said in at least one instance the caller was said to have a foreign accent.

"Convenience Stores Get Tips to Boost Security"
Houston Chronicle (08/28/07) ; Crowe, Robert

Houston Mayor Bill White's 38-member Task Force on Convenience Store Security is providing security tips to the 1,600 convenience stores in the city. Among other things, the task force recommends that convenience store owners implement security cameras, keep minimal amounts of cash in the register, establish relationships with local police officers, and remove clutter from store windows so that crimes in progress will be visible. These recommendations are "minimal steps, which are very inexpensive and will improve the safety by 50 percent or more," says Assistant Houston Police Chief John Trevino. The task force is led by a convenience store owner and includes city officials, police officials, and other convenience store owners among its members. The task force further recommends that Houston legislators pass laws pertaining to the type of lighting used at stores and the minimum number of security cameras that must be in place. The task force plans to assign a grade of "high crime" or "low crime" to all convenience stores in the city, and the task force is lobbying the Houston Police Department to create a convenience store unit.

"Mexico City Police Find Bomb in Nation's Tallest Skyscraper"
Bloomberg (08/30/07) ; Rota, Valerie; Arai, Adriana

About 10,000 workers were evacuated Thursday from Mexico City's 59-floor Torre Mayor skyscraper--the country's tallest--after authorities discovered a bomb in a stolen car parked in the building's underground parking area. Authorities claim that the bomb, consisting of a cell phone connected to three pipes, did not contain enough gunpowder to damage the building, but security experts say that the incident nonetheless underscores Mexico's vulnerability to terrorism. Torre Mayor's director of operations, Felipe Flores, explained that the building was evacuated after a threatening phone call was received, prompting the discovery of the bomb. Police say that a similar threat was received Wednesday, forcing the evacuation of the skyscraper's first 19 stories. Since November 2006, the extremist Popular Revolutionary Army group has been bombing stores and oil pipelines in Mexico. The group posted an anti-government rant on its Web site Thursday, but the message did not mention the Torre Mayor incident.

"With Software and Soldering, AT&T's Lock on iPhone Is Undone"
New York Times (08/25/07) P. B1 ; Stone, Brad

Several software and hardware techniques have been developed to allow iPhone users to recalibrate the device to work on any network instead of exclusively on AT&T. George Hotz, a 17-year-old from Glen Rock, N.J., spent about 500 hours unlocking two iPhones, which can now operate on any network thanks to a little soldering and some software tools. "This was about opening up the device for everyone," says Hotz. Hotz described his technique in detail on his Web site in the hopes that someone may be able to simplify the process. Meanwhile, a group called iPhoneSimFree has developed a software update that allows users to install the software and switch the phone's SIM card with one from another carrier to unlock the phone. The group says it has been working on the software since June, and plans to sell it to anyone interested in unlocking large numbers of iPhones, though a price has not been announced. Another company called Bladox, based in the Czech Republic, recently started selling a device called Turbo SIM that would allow users to attach another carrier's SIM card and insert it into the iPhone to trick the iPhone into thinking it is running on the AT&T network. Last fall, the Librarian of Congress issued an exemption to the Digital Millennium Copyright Act that allows individuals to unlock their cell phones, but the ruling does not apply to companies and individuals such as Hotz who distribute or sell unlocking tools and techniques. AT&T and Apple could sue such distributors, arguing that people sharing modifications to iPhones are interfering with the business relationship between Apple, AT&T, and their customers.

"Saudis Set Up Force to Guard Oil Plants"
Financial Times (08/26/07) ; England, Andrew

Faced with ongoing potential threats to its oil facilities from both Al Qaeda and Iran, the Saudi Arabian government has decided to boost the kingdom's oil-facility security personnel from the current 5,000 to about 35,000 within the next two to three years. U.S. defense company Lockheed Martin, in association with the Sandia National Laboratories' Defense Systems and Assessments Unit, is training the current group of Saudi security personnel in several areas, including the use of laser security, satellite imaging, surveillance technology, emergency management, and countermeasures. State oil company Aramco employs the 5,000 Saudi security personnel, who are stationed on-site at the oil facilities. The new security personnel will be subject to background checks.

"Vindicated Olympic Park Bombing Suspect Richard Jewell Dies" (08/29/07)

Private security guard Richard Jewell, the hero of the 1996 Olympics who saved people's lives by evacuating Centennial Olympic Park in Atlanta just before a package bomb exploded, has died of natural causes. Jewell had diabetes and his kidneys were said to be in failure. After the Olympics bombing, the media initially hailed Jewell as a hero for spotting a suspicious package that turned out to be a package bomb. Jewell began herding people away from the package before it exploded, killing one person and wounding upward of 100 others. The media's coverage of Jewell took a turn for the worse after the FBI began investigating him as a potential suspect in the bombing. The FBI eventually cleared Jewell of all suspicion, and in 2005 serial bomber Eric Robert Rudolph pleaded guilty to the Centennial Olympic Park bombing. Jewell later sued the FBI and a number of media outlets, including CNN and NBC, which agreed to settle his lawsuit.

"E-Mail Bomb Threats Sent to Campuses Across U.S."
Ithaca Journal (NY) (08/31/07) ; Sanders, Topher

The FBI is helping local law enforcement agencies across the country investigate a series of bomb threats that have been emailed to at least 15 colleges and universities, prompting evacuations at all of those schools. The Department of Homeland Security also is monitoring the threats, but department spokeswoman Veronica Valdez claims that the threats are not credible. "At this time, there is no credible information to suggest that there is an imminent attack on the homeland," Valdez says. The FBI says it is taking the threats seriously, noting that the threats are all similar in nature.

"Chertoff Touts Coast Guard Changes, New FEMA Warning System"
Houston Chronicle (08/28/07) ; Nelson, Melissa

Homeland Security Secretary Michael Chertoff marked the two-year anniversary of the Hurricane Katrina disaster by praising the efforts of first responders and the Coast Guard, and he also used the occasion to tout a new text-message-based public warning system from the Federal Emergency Management Agency (FEMA). The FEMA warning system, dubbed Public Alert and Warning System (IPAWS), launched this hurricane season in the states of Louisiana, Mississippi, and Alabama. Citizens must sign up to participate with the system, which sends email alerts and text messages to their cell phones. Chertoff noted that the Coast Guard has been realigned since Katrina, with various operations groups deployed across the country and ready to respond in areas as varied as port security, hazardous materials, and law enforcement. This realignment model also will be used by other agencies within the DHS, including the TSA, Chertoff said. "We've already begun the process of cross-training and coordinating with TSA and Customs and Border Protection so we can create teams across these components as a single DHS-managed and -led force that can respond to any threat, whether it be natural or manmade threat," said Chertoff.

"Aggressive Bees May Track Future of Flying Robots"
UQ News Online (08/23/07)

The Queensland government has given professor Mandyam Srinivasan $2.5 million to develop improved robot technology based on the behavior of bees. "Professor Srinivasan's unique marriage of biology and engineering will help to put Queensland on the map at a time where enhanced surveillance and security are key priorities for governments and leaders around the world," says Queensland Premier Peter Beattie. Srinivasan has studied bees for more than two decades, with previous funding coming from NASA and the U.S. Air Force. His research specializes in the emotion of bees, especially aggression, which changes the insects from docile creatures into "little fighter aircraft." Srinivasan also has studied the "visuomotor" system that allows bees to accurately track moving objects. Srinivasan believes that this research could be used in creating better unmanned aerial vehicles for purposes ranging from weather monitoring to reconnaissance and surveillance missions. The research also could be applied to autonomous spacecraft, which would be able to explore Mars more efficiently than the current robots that require remote control from Earth.

"After Virginia Tech"
Newsweek (08/20/07) P. 70 ; McGinn, Daniel; Raymond, Joan; Henig, Samantha

The number of mentally disturbed students on college and university campuses is at an all-time high, and schools are finding that, despite their best efforts, they are having difficulty meeting the needs of all of these students. The University of Virginia and many other schools provide about eight or nine therapy sessions per individual student before referring the student to private counseling, although most schools avoid handling the most serious cases, choosing instead to refer those cases immediately to private counseling. Many students with mental health issues do not bother to check themselves in for counseling, making it imperative for colleges to come up with systems to identify such students before they can cause harm to themselves or others. To that end, the most crucial step schools can take is improving inter-departmental communications about troubled students. MIT, which was plagued by a rash of suicides during the last decade, decided in 2002 to enhance its efforts at identifying students who need help. Thus, MIT's mental-health center made a number of changes, including focusing most of its efforts on providing therapy to students instead of faculty; increasing the number of staff; making more walk-in hours available; and stressing to students that it is normal to seek counseling. MIT's health center also takes a proactive approach by sending health educators to dorms, where they talk about issues like time management, sleep, and eating disorders. Former MIT student Alison Malmon has formed Active Minds, a mental-health help-group with 1,000 members and chapters on 69 campuses.

"Preventing the Next Campus Shooting"
Security Management (08/07) Vol. 51, No. 8, P. 54 ; Harwood, Matt

The April 16 Virginia Tech massacre prompted college and university campuses across the nation to examine their security and preparedness procedures, especially in the area of emergency communications. Universities are advised to create a system that identifies troubled or potentially violent students before they act upon their impulses. Although there are no national standards to serve as a roadmap for creating such a system, both the Federal Bureau of Investigation and U.S. Secret Service offer methods and guidelines for assessing behavioral threats. Universities must navigate the various privacy laws that can hinder information sharing efforts regarding troubled students or their removal from campus. The 1999 Columbine High School massacre dramatically changed the way authorities respond to active school shootings, forcing officers to switch from a patient approach of surrounding the school and negotiating with the gunman to a proactive approach predicated on entering the building quickly and eliminating the shooter or shooters. The switch in tactics was necessary because gunmen, like those who carried out the Columbine and Virginia Tech killings, have the same mindset as suicide bombers, meaning time is of the essence. The response to a school shooting should begin well before an event occurs by coordinating roles and relationships among all parties and agencies expected to take part in the response. Security experts highly recommend colleges and universities participate with the U.S. government's National Incident Management System and comply with its Incident Command System.

"All of World's Biggest Firms Hit by Typosquatting" (08/29/07)

Typosquatting--the practice of registering, for profit, domain names that are very similar to domains used by famous brands--has affected all of the Fortune Global 500 and FTSE 100 companies, according to research from OUT-LAW. Typosquatters typically register a domain name and use it to host an ad-filled Web site, earning revenue from the misdirected traffic. One example of a typosquatting domain would be Typosquatters are using "very deliberate and carefully calculated" approaches, says Pinsent Masons intellectual property expert John MacKenzie, who advises lawyers to defend against typosquatters by thinking like they do, adopting technology "to automate their processes," and going after typosquatters' pocketbooks. Christopher Bolinger, a corporate counsel for Pfizer, estimates that domain name abuse causes millions, if not billions, of dollars in damages to brands. Pinsent Masons trademark specialist Lee Curtis explains what constitutes a reasonable case of typosquatting trademark infringement: "If you had a typosquatter operating a Web site via a domain name that was one or two letters different to the trademark owner's site and was obtaining advertising revenue that way on the back of that domain, then you could argue that they were using the brand in the course of trade."

"Digital Detectives Discern Photoshop Fakery"
Christian Science Monitor (08/29/07) P. 13 ; Gaylord, Chris

Image-manipulation software has become increasingly easy to use and its results far more difficult to detect, but Hany Farid, a computer science professor at Dartmouth and head of the college's Image Science Group, has developed computer algorithms that test photos for fakery by finding tiny hidden flaws. "There's no way to push a button and tell if it's real, but there are tests we can run that allow us to be pretty sure if it's a fake," Farid says. Some of the techniques teach a computer to identify subtle imperfections that untrained humans have difficulty spotting, such as inconsistencies in the physics and geometry of the image. For example, the vanishing points may not match, or the shadows cast by two or more objects may contradict each other. While some of the tests seem simple, others are quite complicated. One of the tests uses the reflection of light in people's eyes to triangulate the position of the camera flash that lit the picture; if the analysis places the flash in several different locations, the photo is a fake. While a significant amount of image manipulation is done by tabloid media, fake photos are also a problem for the legal system, and this is where Farid's software will be put to good use. Farid has already testified in more than two dozen court cases as to whether photographs were altered. He says that so far most accusations of fraud turn out to be unfounded.

"America's Hackable Backbone"
Forbes (08/22/07) ; Greenberg, Andy

By hacking into a nuclear power station, IBM researcher Scott Lunsford demonstrated to the plant's initially skeptical owners exactly how vulnerable their supervisory control and data acquisition (SCADA) software was to attack. SCADA systems are employed nationwide to manage infrastructure such as natural gas and oil pipelines, water filtration, and trains. Moreover, these systems are increasingly connected to the Internet, exposing a large swath of national infrastructure to any hacker with a laptop. Tipping Point security researcher Ganesh Devarajan has notified SCADA software manufacturers about the weaknesses he has found, adding that though the bugs are simple, they are perilous. One such vulnerability lets an attacker inject commands, and with them false data, into the system. Still, the sheer complexity of critical infrastructure systems may be what has so far prevented criminals from taking control of SCADA systems. However, over the past two years, threats have come in from hackers demanding ransom and claiming to have broken into SCADA systems, says Alan Paller of the SANS Institute. The dearth of security features in SCADA systems can be attributed to their age, as most were created before infrastructure systems were linked to the Internet. In addition, many SCADA software developers fail to provide security patches, or make such patches hard to install. Jim Christy of the Department of Defense believes SCADA systems need government regulation so that security is raised to at least a minimum standard.

"A Common-Sense Approach to Computer Security"
Baseline (08/07) No. 75, P. 39 ; McCormick, John

William Boni's pragmatic approach to security at Motorola stems from his desire to balance protecting data with granting Motorola's engineers the freedom they need to be productive and innovative. Boni notes that many in the industry have not yet acknowledged the increasing sophistication of hackers: modern hackers are more likely to be criminals than the hooligans and hobbyists of the 1990s. Boni's team is therefore focused on countering both existing risks and emerging threats. Boni has also chosen to concentrate on data that requires rigorous management as well as compliance with regulations and policies. User and staff training is also a large part of Boni's plan. To that end, Boni cut the 300-plus-page security guidance manual given to staff members down to a more manageable 20 or so pages. By narrowing security's focus and simplifying the message, Boni has eliminated security measures that had previously been impeding the operation of non-critical systems. At the same time, Boni is working to ensure that critical data has the appropriate controls around it, and that metrics and mechanisms are being developed to keep variances within acceptable limits.

Abstracts Copyright © 2007 Information, Inc. Bethesda, MD

ASIS also offers a daily and a non-sponsored, special-content Professional Edition of Security Newsbriefs.
