This week's security events include a Defcon talk by MIT students stopped by a court order, a critical vulnerability in the Joomla CMS, Microsoft's bumper Patch Tuesday for the month of August, and states urged to do more to tackle cybercrime.
Defcon talk by MIT students stopped by court order
A Defcon presentation by three MIT students that was scheduled for Sunday was canceled following a lawsuit by the Massachusetts Bay Transportation Authority (MBTA).
The MBTA filed a lawsuit Friday seeking to stop three Massachusetts Institute of Technology students and MIT from giving the talk. Judge Douglas Woodlock of the United States District Court for the District of Massachusetts issued a court order in favor of the MBTA Saturday afternoon.
Some of the topics to be covered included techniques to clone and reverse-engineer the MBTA's CharlieCard, which is based on the same Mifare Classic RFID technology that was broken earlier this year. Of course, the title of the talk, "The Anatomy of a Subway Hack: Breaking Crypto RFIDs & Magstripes of Ticketing Systems," probably did little to help in this case.
The restraining order also sought to suppress the conference slides distributed on the Defcon CD-ROM, though it came too late: the CDs had already been handed out on Friday afternoon. The irony in this case is that a now publicly available vulnerability assessment report (pdf), filed as a supporting document for the court order, appears to be more explicit than the conference slides about the vulnerabilities in the MBTA ticketing system.
Though a more secure version of Mifare, the Mifare DESfire, is available, it will probably take some time before transport operators switch over, due to the sheer cost of replacing every RFID card reader in order to support it.
Joomla CMS suffers from a critical vulnerability
A critical vulnerability has been discovered in the password reset function of the Joomla Content Management System (CMS). All versions of Joomla from 1.5 up to 1.5.5 are affected by this flaw.
When a password reset is requested, a token is sent to the user by email. The flaw lies in how a presented token is validated: the check allows an unauthenticated, unauthorised user to reset the password of the first enabled user and take control of that account. Typically this first active user is the administrator.
Users are encouraged to upgrade to Joomla 1.5.6 or directly modify the reset.php file to remove the bug.
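As an added illustration (not Joomla's code, and not the actual reset.php defect, whose details the post does not give), here is a hypothetical password-reset lookup with the class of flaw described above beside a hardened version: the weak check never validates the shape of the submitted token, so an empty submission degenerates to "first enabled user", while the fixed one accepts only a well-formed token, compares it in constant time, checks expiry and consumes it on use. User table, field names and token format are all constructed for the example.

```python
import hmac
import secrets
import time

# Constructed sample user table; the first enabled user is the administrator,
# as the post describes. Fields are hypothetical, not Joomla's schema.
USERS = [
    {"id": 1, "username": "admin", "enabled": True, "token": None, "expires": 0.0},
    {"id": 2, "username": "editor", "enabled": True, "token": None, "expires": 0.0},
    {"id": 3, "username": "former", "enabled": False, "token": None, "expires": 0.0},
]
TOKEN_BYTES = 16  # 32 hex characters once encoded


def issue_token(username):
    """Store a fresh random reset token for an enabled user (it would be e-mailed)."""
    for u in USERS:
        if u["username"] == username and u["enabled"]:
            u["token"] = secrets.token_hex(TOKEN_BYTES)
            u["expires"] = time.time() + 15 * 60
            return u["token"]
    return None

def find_user_vulnerable(token):
    """Hypothetical flawed check: the submitted token is never validated for
    shape, so an empty submission matches the first enabled user (the admin)."""
    for u in USERS:
        if not u["enabled"]:
            continue
        if token == "" or u["token"] == token:
            return u
    return None

def find_user_hardened(token):
    """Fixed check: only a well-formed token is considered, it must match an
    unexpired pending token in constant time, and it is consumed on use."""
    if not isinstance(token, str) or len(token) != 2 * TOKEN_BYTES:
        return None
    try:
        bytes.fromhex(token)  # reject anything that is not the hex we issued
    except ValueError:
        return None
    now = time.time()
    for u in USERS:
        stored = u["token"]
        if u["enabled"] and stored and now < u["expires"] and hmac.compare_digest(stored, token):
            u["token"] = None  # single use: a reset link cannot be replayed
            return u
    return None
```

The same pattern (shape check, constant-time match against one specific pending token, expiry, single use) is what any reset flow should do, regardless of the CMS.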
Bumper Patch Tuesday this month
This week's Patch Tuesday saw a massive crop of 11 updates, with six of them deemed "critical" by the Redmond-based company. And yes, I meant to report on this over the weekend, though a family emergency put a stop to my efforts. I am writing about this anyway due to the sheer number of patches released; such a high number of updates has not been seen in a while.
Security vendor McAfee noted that Microsoft had not released this many bulletins simultaneously since February, and had not patched as many vulnerabilities at once for the past two years. "This is a mammoth Patch Tuesday, and we have not seen anything of this scale in a long time," stated Karthik Raman, a research scientist at McAfee, in a Wednesday statement.
Anyway, these vulnerabilities affect multiple applications such as Windows Media Player, Internet Explorer and Microsoft Office, and also all currently supported versions of the Windows operating system — including Windows Vista.
If you have set your Windows Update settings to manual, perhaps due to frequent traveling, now would be a good time to get your system patched up.
States urged to do more to tackle cybercrime
A report has been released by two technology policy groups noting that most top state prosecutors have failed to address cybercrimes outside of high-profile child pornography or cases involving sexual predators.
The report, which collected information about consumer complaints from 30 states, found that 24 states had an Internet-related category in their top-10 list of complaints, and in four states, Internet-related complaints topped the list. For most states, the complaints consisted of problems with Internet auctions or Internet sales, with few states collecting information about spyware, spam or phishing attacks, according to the Center for Democracy and Technology (CDT) and the Center for American Progress (CAP), the two groups that published the report (pdf).
As a result, criminals are getting away even as they swindle, hack, or trick their way to riches, with little risk of being caught and punished. The vice president and chief operating officer at the Center for Democracy and Technology, Ari Schwartz, called upon state attorneys general to focus on this problem. Which leads me to ask: Were you ever the victim of a cybercrime?