Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
David Learmount, reporting from the Flight Safety Foundation's European Aviation Safety Seminar, held in March in Amsterdam, says in *Flight International* (20-26 Mar, 2001, p17) that the European Joint Aviation Authorities' Future Aviation Safety Team has identified "crew reliance on cockpit automation" as the top potential safety risk in future aircraft. PBL
>From Private Eye 6-19th April 2001, p6: Managers at the Public Records Office in Kew have devised a clever money-saving idea: they are using prisoners in British jails to input on to computer the information from the 1901 census. The prisoners' work has been checked, however, and they have been found to be rewriting history. All references to prison wardens in 1901 have been changed to "bastards". Officials are now using cheap labour in India to correct the errors. Peter Mellor, Centre for Software Reliability, City University, London EC1V 0HB +44 (0)20 7477 8422 Pete Mellor <p.mellor@csr.city.ac.uk> [And of course no one in India still remembers the British. PGN]
The RISK here is that there appeared to be no inside escape override for the door: taking protection against vandalism to new heights. http://www.theregister.co.uk/content/28/18312.html Interesting related fact: in the UK, all lift escape hatches are welded shut (i.e., don't exist anymore in a usable fashion), I vaguely remember that this was to prevent kids in estate buildings getting themselves in danger in the elevator shaft (which happened frequently). The fact that this thus prevents any escape in case of emergency appears to have made insufficient impact on the decision. Peter Houppermans <peter.houppermans@paconsulting.com>
For college-bound seniors, it is a ritual of spring to eagerly await the daily mail delivery - looking for a thick or thin envelope which will notify them of college acceptance or rejection. But for the 94% of applicants to Tufts University, who provided an address, notification of acceptance AND rejection came via an e-mail this year. Tufts follows up with a physical mailing - and thus will reject people twice! [Boston Globe. 06-APR-2001. "For some, bad news traveling faster"] Tufts started email notifications several years ago to students in foreign countries. Two years ago it started e-mail notifications to applicants on the West Coast. (Tufts is in Medford, MA) This year it is almost everyone. The story notes that several colleges have password-protected web sites where an applicant can look up their admissions status. Risks 1) This seems impersonal for those who are accepted. It would be interesting to find out if this type of notification changed the percentage who choose to enroll at Tufts. And it is adding to insult to injury to reject an applicant twice. Tufts must get some very interesting e-mail replies. 2) Not all high school seniors have private email accounts, they are often shared with family members or friends. Thus the wrong person might get the message. 3) Could these e-mails be mistaken for spam? I must get a half dozen offers of University Diplomas each week. 4) Hacking! I shudder to think what could happen if there was a dedicated hacking attack that sent out forged admission e-mails.
My mind boggles.
The University of North Carolina has finally found a network server that,
although missing for four years, hasn't missed a packet in all that
time. Try as they might, university administrators couldn't find the
server. Working with Novell Inc., IT workers tracked it down by
meticulously following cable until they literally ran into a wall. The
server had been mistakenly sealed behind drywall by maintenance workers.
Source: TechWeb News, 04/09/01:
http://www.techweb.com/wire/story/TWB20010409S0012
This sounds like a novel way — pun intended — to physically secure a
server. I suppose if you absolutely can't do without a floppy drive, etc.,
per the Orange book, this might be an acceptable alternative to help meet C2
specifications.
[Except that electronically, it is C-Through rather than C-2.
[Also noted by Mike Hogsett. PGN]
[Source: Article by Lester Haines, 17 Apr 2001, via Brian Randell http://www.theregister.co.uk/content/28/18312.html] A 51-year-old woman was subjected to a harrowing two-hour ordeal [on 16 Apr 2001] when she was imprisoned in a hi-tech public convenience. Maureen Shotton, from Whitley Bay, was captured by the maverick cyberloo during a shopping trip to Newcastle-upon-Tyne. The toilet, which boasts state-of-the-art electronic auto-flush and door sensors, steadfastly refused to release Maureen, and further resisted attempts by passers-by to force the door. Maureen was finally liberated when the fire brigade ripped the roof off the cantankerous crapper. Maureen's terrifying experience confirms that it is a short step from belligerent bogs to Terminator-style cyborgs hunting down and exterminating mankind.
KYW News Radio in Philadelphia reported on 17 Apr 2001 that there had been a problem when tax procrastinators attempted to file their Pennsylvania State returns just before the midnight Monday deadline. Apparently in the last few hours, users received an error message from the filing Web site, and they were unable to complete their transaction. Because of this, the state decided to give ALL late filers an extension through 18 Apr. Officials were quoted as saying that "a glitch on the Web server" was the cause of the problem (whatever that means). This brings to mind the possibility of denial-of-service attacks on the infrastructure being a way to avoid paying taxes (short term, anyway). Rebecca Mercuri [Life, death, and taxes are not the only sure things. But perhaps *electronic* files could provide a new way to get out of jail. PGN]
RISK: The simplest ID theft is that of an e-mail address. I use e-mail quite a lot for business purposes, and also make regular contributions to a lot of newsgroups. I've been on the net for a decade, so am on a zillion and one "40 million e-mail addresses for just $5" lists - thank god for filters. But on Sunday some insufferable person or organisation forged my e-mail address as the sender of some X-rated Spam. This has caused me lost business, a little personal embarrassment, and a mailbox rapidly filling up with bounces from nonexistent addresses. I'm expecting DOS counter-attacks from clueless newbies. There's not a lot that can be done to stop someone from doing this. But the risk is that I might not be able to do anything about it in the way of compensation. NeoTrace has given me plenty of clues to the perpetrators, but only by tracing the site that was advertised in the email. Proving it is another matter, and they may have no assets anyway. A.E.Brain <aebrain@dynamite.com.au>
Sabotaged phone lines and stolen credit cards allowed thieves to safely rob a Sydney shopping centre. "The thieves first sabotaged the telecommunication network in late February. They entered the pits via street-level manholes and severed all the lines leading to shopping centre businesses. With all on-line transaction systems down, shopkeepers processed transactions manually and the thieves used stolen credit cards to buy goods and withdraw cash. Bills are still coming in from the spree." Full story at http://www.smh.com.au/news/0104/15/text/national12.html Simon Carter
Security flaw found in Alcatel's high-speed modems, By Tim Nott It's a security flaw. No, it's a spy. No, it doesn't exist at all. Tsutomu Shimomura, better known for his contribution to, and book about, the arrest of hacker Kevin Mitnick claims to have found a "trapdoor" in Alcatel ADSL modems. On Monday evening, Liberation reported, Shimomura and San Diego Supercomputer Centre colleague Thomas Perrine reported their findings to the Computer Emergency Response Team. The point, continued Liberation, is simple. Anyone can penetrate a computer system linked to the Internet by Alcatel 1000 ADSL and Speed Touch Home modems. http://www.thestandardeurope.com/article/display/0,1151,16251,00.html
Recently, Alcatel <URL:http://www.alcatel.com> has come under fire for security problems with some of it's products (see [broken URL] <http://www.securityfocus.com/frames/?content=/templates/archive.pike %3Ffromthread%3D0%26threads%3D0%26list%3D1%26end%3D2001-04-14 %26mid%3D175229%26start%3D2001-04-08%26> for details) As a result, Alcatel has released a statement, as a Microsoft Word document, which they placed on their Web site. According to <URL:http://morons.org/articles/1/188>, it had all the document history present (I cannot confirm this, as they appear to have corrected the mistake), in which we see such gems as: > (When and where will the firewall software be available? CERT has > said that they don't believe that installing a firewall is the > answer. What are you doing to provide a legitimate fix?) The RISKS? Well, apart from looking like idiots, and revealing early drafts of statements that are "off message", and potentially drawing attention to errors of omission that you are conveniently brushing under the carpet... Mike Bristow, seebitwopie
Not bad! :) Imagine the malicious freezer viruses! IBM and Carrier, an air-conditioning manufacturer, said they plan to offer Web-enabled air conditioners in Europe this summer that can be controlled wirelessly. Financial terms of the collaboration were not disclosed. Owners of the newfangled air conditioners will be able to set temperatures or switch the units on or off wirelessly using a website called Myappliance.com. http://www.wired.com/news/business/0,1367,42918,00.html From their press release (http://myappliance.com/myapp/press.htm): Unit performance and maintenance information over time can be gathered and recorded. ... In the opposite direction it is envisaged that Carrier dealers or engineers will be given 'service access' to check the system without the need for a PC connection. In the extreme case, someone with the correct hardware could check the aircond logs to see the typical times the aircond is off, i.e., when no one is home! Alpha
I found a sorting error on Northwest Airlines web site (nwa.com) that I had not seen before, but am surprised is not more common. If you ask for a list of flights between two cities it returns the results sorted by departure time of the outbound flight. For example, from San Francisco (SFO) to Minneapolis (MSP) (return flight and other non-relevant data discarded): Departs Arrives Flight Number 6:25am 12:04pm NW928 7:50am 1:28pm NW344 10:15am 3:47pm NW350 11:30am 5:16pm NW588 12:40am 6:09am NW360 3:25pm 9:01pm NW354 5:00pm 10:31pm NW358 The risk? Assuming that because 11:30am is later than 10:15 am it follows that 12:40am is later than 11:30am. Another good reason to drop AM/PM in favor of a 24 hour clock (particularly if you call midnight 0.00 and not 24.00). Marcos H. Woehrmann | marcos@panix.com | http://members.home.com/marcos
The Seattle news played a story on a local police force that is now using Palm VII's to give traffic tickets. Apparently, officers can look up information on vehicles and people via the wireless interface from this Palm. The obvious risk comes from the publicly based network that the Palm relies on, namely the CDPD network. Just imagine someone getting a ticket, and wanting to cover it up. If they broke into the system, they could start issuing tickets to every car on the road. How would anyone know what tickets were valid? Simpler security risks also are involved, such as just monitoring the communications and seeing what people are accused of, or even looking for addresses that are transmitted- if someone is getting pulled over, they're probably not home. As a side note, I wonder how you get your court summons, since this procedure removes paper tickets. It would also appear to eliminate the officer's signature, making for a dubious case, since there is no official document indicating the charge against you. The full story is linked at: http://www.king5.com/biztech/storydetail.html?StoryID=17028
Ed Foster's Gripeline column in the current issue of *InfoWorld* (www.infoworld.com) raises another interesting security related issue. The column starts with: Microsoft recently prevented an independent lab from publishing benchmark results, using a term in the SQL Server license that says the user "may not disclose the results of any benchmark test without Microsoft's prior written approval" to threaten the lab with legal action. It's not my intent to focus on Microsoft as this is an element of UCITA. In prior columns, Ed included a similar comment from Network Associates. Consider a security related "benchmark test" that reveals a vulnerability. The vendor's permission will be required to "disclose the results" of the test. What does this do to the entire CERT process?
There is one very important point that has been forgotten in the latest postings about the fatal Aasta train crash: The railways deliberately introduced a single point of failure system some months prior to the accident. The old operating procedure was that both the train driver and the ticket taker (conductor) had to verify that the signal was green before the train left the station. Under the new procedure, introduced some months before the crash, only the driver had to check the signal. The line where the crash occurred does not have an automatic train stop system that stops trains that are headed towards each other on the same track, so the drivers observation of the signal is the final barrier against a crash. Magne Mandt
Am I missing something here or is all this beside the point? Using mobile 'phones as a safety-critical means of communication entails so many risks I hardly know where to start: The network coverage is patchy at best and hardly at its best when used in a train; the handset batteries have short lives and are liable to fail; the handsets are easily lost or damaged; handsets are typically unsuitable for noisy environments; communication is dependent on a network outside the control of the train company; even if you get network coverage, cell capacity is limited; the list just goes on and on. Some of these risks can be addressed but some simply cannot. Surely this can't be right? Merlyn Kline
In RISKS-21.32 it was noted that Microsoft was being particularly heavy-handed with the end-user agreement and the rights to intellectual property transmitted over their.NET or Hailstorm passport service. Wanting to see the fine print for myself I downloaded the agreement at http://www.passport.com/Consumer/TermsOfUse.asp. Yes, it does say that Microsoft reserves the right to take advantage of any intellectual property. However, it would appear that the intent of the agreement is allow Microsoft the rights to any intellectual property submitted to them concerning the service, not intellectual property transmitted over the service. Towards the end of the section in question the following appears: This section also is inapplicable to any documents, information, or other data that you upload,transmit or otherwise submit to or through any Passport-Enabled Properties. Please refer to the terms and conditions for such Passport-Enabled Properties to determine the rights of the web site or service provider to such documents, information and/or data. The first sentence would seem to limit the rights of Microsoft with respect to misappropriating intellectual property transmitted via these services. But, then again the second sentence might lead one to be suspicious about how such rights are determined. Perhaps the real risk is not being able to read all of the fine print, since it is not clear where one would go to find these additional "terms and conditions for such Passport-Enabled Properties". Will Fletcher <will_fletcher@msn.com>
UltimateTV shrinks from the spotlight A software bug is inadvertently shrinking hard-drive storage space on set-top boxes for UltimateTV, the new interactive TV service from Microsoft. The bug reduces how many hours of programming people can record onto the hard drive of UltimateTV set-top boxes. Customers began reporting the problem on Web forums earlier this month. http://www.zdnet.com/zdnn/stories/news/0,4586,5081102,00.html
Do prescription records stay private when pharmacy stores are sold? The issue caught the attention of the Clinton administration By Milo Geyelin THE WALL STREET JOURNAL April 11 - A novel lawsuit over the privacy of prescription records at a former neighborhood drug store could complicate the way pharmacy chains buy up their competitors. The suit challenges the common but little-known practice of "file buying," in which chains purchase customer prescription files from pharmacies they acquire and add them to their own. http://www.msnbc.com/news/557734.asp
Police officers serving a warrant or searching for a suspect hiding inside a building could soon have a new tool for protecting themselves and finding the "bad guy." A prototype device called the RADAR Flashlight, developed at the Georgia Tech Research Institute (GTRI), can detect a human's presence through doors and walls up to 8 inches thick. The device uses a narrow 16-degree radar beam and specialized signal processor to discern respiration and/or movement up to three meters behind a wall. The device can penetrate even heavy clothing to detect respiration and movements of as little as a few millimeters. http://unisci.com/stories/20012/0416015.htm
A recent *Wired* news article <http://www.wired.com/news/technology/0,1282,42771,00.html> detailed problems that Microsoft had with an Internet Explorer security patch: In some cases the patch would wrongly display "This update does not need to be installed on this system." Although I hadn't seen such a message, I double-checked that the patch was properly installed - and it wasn't. After digging further, I was surprised at the reason why. Microsoft maintains a "Windows Update" site, which automatically scans your Windows installation (locally), compares it with a list of known patches, and lists any missing updates. Further, they have a "Critical Update Notification" tool that runs in the background and automatically alerts the user when any "critical" patches are added to Windows Update. I run the notification tool, and I check Windows Update often, so I expected my system to be quite current. Documentation for the notification tool says: "Download this component and never miss a Critical Update again. Whenever a new Critical Fix is released, you will be notified... Critical Update Notification is the best way to keep your computer up-to-date and protected from potential security issues affecting Microsoft Windows." As it turns out, although Microsoft puts many of its IE security patches on Windows Update, four critical patches this year were not included there, and thus are not detected by the notification tool. Users must go to a separate IE Security site to download these patches - a site that is not promoted or even mentioned by the Windows Update site or other customer service pages. I first learned of it from the *Wired* article. Risks: - Maintaining two separate patch repositories - Promoting a site as the way to "never miss" security patches, but failing to add all security patches there - Trusting Microsoft to help keep my computer up-to-date Jay Levitt <jay@jay.fm>
BKSWN2SI.RVW 20010320
"Securing Windows NT/2000 Servers for the Internet", Stefan Norberg,
2001, 1-56592-768-0, U$29.95/C$43.95
%A Stefan Norberg stefan@norberg.org http://people.hp.se/stnor
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 2001
%G 1-56592-768-0
%I O'Reilly & Associates, Inc.
%O U$29.95/C$43.95 800-998-9938 fax: 707-829-0104 nuts@ora.com
%P 199 p.
%T "Securing Windows NT/2000 Servers for the Internet"
This book is based on the paper "Building a Windows NT bastion host in
practice," which is available on the author's Web site. The title of the
essay is much more accurate than the title of the text. The work is
concerned strictly with bastion hosts, and does not address, in more than a
nominal way, considerations of applications that are necessarily part of any
Internet server.
Chapter one takes a brief, scattered, and not very clear look at a number of
issues related to Windows and/or security. This disregard for background
information extends into chapter two. Having presented an extensive list of
services to turn off, Norberg tells us that "[you now] understand the
purpose of all active software components on the host." The irony of this
bald assertion stems from the fact that there has been little discussion of
why these services are to be turned off, and what you lose along the way.
(Further, for those new to Windows NT or 2000, there is no indication of how
to accomplish the task of reduction.) Once we get into more advanced tuning
there is slightly more information, but not much. The material on the
differences in Win2K, contained in chapter three, does present a bit more
detail on how to accomplish the restrictions.
Chapter four describes a number of software tools that will encrypt sessions
to be used for remote administration, but does not deal with system
management itself. The standard advice you always read about backups ("make
one") is repeated in chapter five. Chapter six reviews auditing and
logging, with, for some unknown reason, four times as much space devoted to
network time synchronization as to intrusion detection. "Maintaining Your
Perimeter Network" is the title of chapter seven, but it seems to be a
return to the same kind of catch-all discussion that started the book.
In the Preface, Norberg does state that the book is not intended as a primer
for security, or even for Windows security. The text is written as a kind
of a checklist for those thoroughly familiar with NT or 2K. There is, of
course, nothing wrong with such an approach, and those in the target
audience will appreciate the brevity of this concise guide. The approach
does, however, severely limit the utility of the work. Chapter two (and
three, if you are using Win2K) is the heart of the book, and the rest seems
to be an attempt to expand the text to more than pamphlet length.
copyright Robert M. Slade, 2001 BKSWN2SI.RVW 20010320
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer