A news brief in the California Public Interest Research Group (CALPIRG) Citizen Agenda, Summer 2000, p.6, is worth noting here, with the rapid increase in identity theft. We used to see a case or two a year. Now they seem to be coming in much more often, perhaps a few each month.

Survey Details Hassles of Identity Theft

Identity theft victims spend two years or more removing an average of $18,000 in fraudulent charges from their credit reports. ``Unless new laws force banks, department stores and credit bureaus to clean up the identity theft mess, this crime is only going to get worse.'' said CALPIRG's Dan Jacobson -- who is urging state lawmakers to back proposals pending in the Legislature that would allow consumers to block access to their credit reports and streamline law enforcement investigation and victim assistance programs.

Try sending e-mail to email@example.com to request the report. Unfortunately their Web site at www.calpirg.org is apparently still under construction as I write this.
A new study released by the General Accounting Office has exposed widespread deficiencies in computer security in government agencies ranging from the Department of Interior to the U.S. Treasury. The report comes nine months after President Clinton called on federal agencies to beef up security in his "National Plan for Information System Protection." That plan proposed that Congress boost federal spending for computer security and research by $280 million to $2.3 billion in 2001, but agencies say they need the money now. Government computer managers point to the tight labor market for computer security experts and say it's difficult to retain good personnel. The GAO report found that some agencies have failed to take even the most rudimentary steps to increase security, such as encrypting password files and limiting physical access to sensitive computers. In addition, agencies have been less than diligent about blocking access for independent contractors and former employees after they've left the government. In one agency, 7,500 of 30,000 users were not deleted after 160 days of inactivity. "The federal government, outside the defense area, is worse than the private industry because good computer security is about regular maintenance and housekeeping -- and that's not one of the government's strong points," says Stewart Baker, a Washington, D.C. technology lawyer. (Los Angeles Times 11 Sep 2000; NewsScan Daily, 11 Sep 2000 http://www.latimes.com/business/20000911/t000085464.html)
The Associated Press reported on 29 Aug 2000 that a satellite system outage disrupted AP services providing radio and TV stations with certain specialized info, as well as some smaller newspapers that receive AP Basic, beginning around 5:15 a.m. after new software was downloaded to satellite receivers on AP's Ku-band system. Partial service was restored that afternoon, but full service was estimated at taking several days. [PGN-ed]
A break in a 231,000-volt line carrying power over the mountains left the Puerto Rican capital of San Juan without power Thursday morning, trapping dozens of people in elevators, slowing rush-hour traffic when traffic lights failed, knocking out air conditioning, and forcing many businesses to close. About 500,000 customers were affected for most of the day. A helicopter crew was sent out to do the repair. [Source: AP item, 7 Sep 2000; PGN-ed]

Doneel Edelson, Information Technology, EULER American Credit Indemnity 1-410-554-0797 firstname.lastname@example.org
Intel is recalling its 1.3 gigahertz Pentium III chip, which it has sold to only "a handful" of "power users" running advanced applications, because a certain combination of data, voltage, and temperature conditions may cause the chip to fail. The chip is expected to be back on the market in a couple of months. (Reuters/*The Washington Post*, 29 Aug 2000 http://www.washingtonpost.com/wp-dyn/articles/A40772-2000Aug29.html NewsScan Daily, 29 August 2000)
An alert CSX crew (in Fredericksburg VA) noticed an erroneous proceed-signal indication on a parallel track on 8 Aug 2000. By contacting the dispatchers (in Jacksonville FL), they prevented a collision between Amtrak's Auto Train and a Virginia Railway Express commuter train. The incident prompted the inspection of the insulation of a certain type of old (TC Green, 1948 to 1962) signal wiring that may be still in use in thousands of signals nationwide. [Source: *Trains Magazine*, http://www.trains.com, commenting on an article by Don Phillips in *The Washington Post*, 17 Aug 2000; PGN-ed]
An F-117 on a training flight on 7 Sep 2000 flew quite close to United Airlines flight 174 from LAX to Boston. The UAL's TCAS system apparently detected the incoming fighter (the fighter was broadcasting its position), and triggered a scramble to avoid a possible collision. This opens up a lot of questions, such as why was the stealth flying at 500 feet vertical separation from the UAL flight at 10,800 feet (and .6 mile horizontal when detected), in the LAX take-off corridor? Was the fighter under proper air-traffic control? There have been enough Air Force incidents lately that more caution would seem to be in order. Besides, there is always the risk with TCAS that both planes try responsive maneuvers that make things worse -- especially at high closing speeds, perhaps something less than 5 seconds in this case. Preliminary reports seem to indicate controller error, which is not surprising given the ever increasing stresses on an already stressed and archaic operational environment.
Britain's Civil Aviation Authority has noted various cases in which "radio hackers" have commandeered air-traffic control communications, giving false instructions or fake distress calls. The number has risen from 3 in 1988 to 18 in 1999, and 20 thus far in 2000. A case at Washington's Reagan International in April 1999 was also noted. [RISKS has reported a few such cases years ago, including a Miami masquerader, the Roanoke Phantom -- and the Manchester (UK) spoofer in 1996.]

http://dailynews.yahoo.com/h/ap/20000827/wl/britain_fake_air_controllers_1.html
http://abcnews.go.com/sections/us/DailyNews/FakeAirTraffic000829.html

Joe McCauley [contributed by others as well. PGN]
Until I read Elaine Scarry's "Swissair 111, TWA 800, and Electromagnetic Interference" in the September 26, 2000 issue of the New York Review of Books at http://www.nybooks.com/nyrev/WWWfeatdisplay.cgi?20000921092F, I had no idea that both flights took off from JFK airport at 8:19 p.m. on a Wednesday night, but that's only the beginning. It seems the role of electromagnetic interference in the downing of both flights has yet to be fully explored. Of particular interest to RISKS readers is that Swissair 111 may have been unable to detect a problem until it was too late because of the plane's ability to reconfigure its electrical systems in the event of problems:

Swissair 111 was an MD-11, a type of plane made by McDonnell-Douglas and derived from the DC-10. When the MD-11 first appeared in the 1990s, its "design philosophy" was widely celebrated: 1,500 software engineers (working in consultation with pilots from thirty-seven airlines) had created a plane that could fly smoothly while carrying out tremendous feats of self-repair.

This contrasts the design of a submarine, where everything is exposed in an effort to show failure as soon as possible, with the design of a commercial airliner, where everything is hidden to always make the flight appear as smooth as possible to the passengers. I hadn't realized this smoothness may now extend to the airliner crew as well. At any rate, it's a dramatic story that's worth reading.

Fred Ballard
I notice that both SmartMoney.com's "Map of the Market" and CNNfn's intraday chart have gotten confused by decimalization of stock prices. If you check out a decimalized stock (like Gateway (GTW), for example) at either of these sites:

http://www.quicken.com/investments/charts/?symbol=GTW
or http://www.smartmoney.com/marketmap/ (and look at the largest block in the "Technology" sector)

you'll see that both sites think that Gateway's per-share valuation today (8/28) is $6655.00, instead of $66.55.

Bob Blakley, Chief Scientist, Tivoli SecureWay Business Unit
Western Union warned thousands of online customers on 9 Sep 2000 that hackers had broken into the company's Web site. Although no fraudulent transactions or breaches of personal information had been discovered, the penetration could have affected on-line users. More than 10,000 customers were being alerted, suggesting they cancel their credit and debit cards. The Web site was out of service that evening, and was expected to remain that way for several days. [Source: AP item, 10 Sep 2000; PGN-ed]
A former employee of online press release distributor Internet Wire was arrested on 31 Aug 2000 and charged with securities and wire fraud in connection with the distribution of a phony press release that sent a tech company's stock price plummeting on 25 Aug. Shares of Emulex, a maker of fiber-optic equipment, lost up to 60% of their value, most of it during one 15-minute freefall, after some financial news services, including Dow Jones and Bloomberg, ran stories based on the release. The bogus release claimed the company had issued a profits warning, that it was being investigated by securities regulators, and that its CEO had stepped down. The stock eventually recovered most of its value after the company denied the reports. The suspect, 23-year-old Mark Jakob, allegedly used a computer at El Camino Community College to construct and send the release, and then initiated a series of trades that netted him profits of $240,000. (AP/*Investors Business Daily*, 1 Sep 2000; NewsScan Daily, 1 September 2000 http://www.investors.com/editorial/tech05.asp)
In Windows NT and 2000, you can hit Ctrl-Alt-Del, and one of the options is to lock the computer. Then, a password is required to unlock it. A reboot also requires a password to log in, so it would seem that this is a pretty safe state to leave your computer in when stepping away from your desk.

The other day, I pushed the button to sync my palm pilot, and it worked. Then I realized that I had locked my computer. I did some testing on Windows NT and 2000, and apparently, the Palm synchronization always works when the computer is locked. There are several risks/attacks:

- I take a blank palm pilot to your computer, which is locked, and I sync with it and copy all of your palm pilot data. Many people keep a master list of accounts and passwords on their pilot, among other valuable/sensitive data.

- In a more malicious version of the previous attack, I sync all your palm data. Then, I zero out the contents of each record in every database. Then I sync again. The result is very likely that I will delete all of the data on the PC, and that the next time you sync, all of the data will be deleted on the palm. I know of a case where this "attack" worked in practice, by accident.

- I write a palm hack that does whatever I want it to do to your data. I then sync with your PC, and the hack gets copied to your pilot desktop. The next time you sync, the hack is installed on the palm.

I am sure there are other attacks that I haven't thought of. Anyway, I think that if Windows NT/2000 is going to have an option to lock the computer, it must make access to something as important as all of the Palm Pilot databases inaccessible. Perhaps turn off access to the serial port, USB port, etc., and not just the keyboard.

Avi http://avirubin.com/
This just in:

Microsoft Oregon Channel Update - September 2000
Date: Mon, 28 Aug 2000 13:22:05 -0700
From: Jennifer Kern <jennik@MICROSOFT.com>
<snip>

IMPORTANT NEWS OF THE DAY

Microsoft Windows Update Corporate Website Launched Today! This site features more than 1,000 system updates and drivers for the Windows 2000 platform that can be distributed over a corporate network. It is a one-stop location for Windows Update content and Microsoft Windows Hardware Quality Lab logo device drivers. The site provides criteria-based searching based on vendor, operating system and device type. http://corporate.windowsupdate.microsoft.com/en/default.asp
eBay presents each auction on a bookmarkable Web page which shows the item description, the time remaining before the auction ends, the current high bid, and the eBay identity of the high bidder. On repeated access, the "time left" field decrements in near-real time, eventually changing to "Auction has ended." The seller's guide notes that "Going, going, gone! When your auction ends, you and the high bidder will get e-mails." This breezy remark is the only thing the seller's guide says about these e-mails, and it is easy to assume that they are just reminders. In contrast, eBay is very emphatic about the importance of buyer and seller contacting each other "within 3 days" after the auction ends. Formerly, confirmation e-mails were sent within a few hours of the close of the auction, but lately they have been very slow, taking, in some cases, several days to arrive.

I listed a cheap item on which I expected few bids and got a single bid for my minimum price within a few hours after the auction started. Day by day the "time left" counted down, and eventually read "Auction has ended." The page still showed a single bid and the ID of the original bidder. Two days after close of auction I had not received any e-mail, so I contacted the bidder shown on the Web page to initiate the transaction. Needless to say, the next day a confirmation e-mail arrived showing that a second bidder with a higher bid had won the auction. The Web page for the auction, which formerly showed "Auction has ended, 1 bid, $5.00" now showed "Auction has ended, 2 bids, $12.50."

Obviously--in retrospect--the "time left" field is generated by some simple process that does not require database updating (since the end of the auction is constant). The rest of the page requires database access and is probably subject to the same delays as the process that sends the e-mail confirmations. But it is natural to assume that if part of a dynamically generated Web page has been updated, the rest of it has, too.
Stupid, to be sure--but natural.
> If all of that is true, what value does the security audit that AA
> performed have? [...]

If they're like the other big consulting firms, the security audits are designed solely to give upper management something to brag about. We had a client site which got audited once by another big-name consulting firm. Since it was before the site launch, I was somewhat worried about this as the site was hosted on an NT box and I had yet to do my final security checks to verify that we'd closed all of the default wide-open security settings. After I had to explain some basic security concepts to the auditor when he didn't understand some of my questions about the sort of things they checked, I became rather less worried. We passed with flying colors ("That's the most secure NT box we've ever seen - most of them are trivial to break into") and, having watched the server logs, all they looked for were some old security holes (e.g. ::$DATA and a couple of Microsoft sample security holes); their software engineering test appears to have been seeing whether your queries break when someone places a ' into a form. No attempts were made to do things like check for weak passwords or even test services other than WWW/FTP, much less anything resembling a serious attempt by a knowledgeable intruder.

Things like the URL editing attacks are something I use to show our greener new hires why they should always use a session library. The Annapa site appears to be using ASP and, while I have numerous complaints about ASP, a lack of built-in session support isn't one of them. What this means is that whoever developed the site wasn't even at what I'd consider the "ASP for Dummies" level, which is deeply disturbing. The real irony, of course, is that it was more work for them to do things the way they did than it would have been to do it the right way.
Chris Adams

Of the platforms we deal with, ASP and ColdFusion have adequate session libraries and PHP has an excellent one (this relationship holds true for almost everything else). In all cases, sessions are trivial to set up and use for basic tasks like the ones mentioned and even inexperienced developers will be up and running quickly.
The reason why this happens so much is that programmers are coming from a centralised approach where the client side can be at least slightly trusted to an Internet based approach where everything is out in the open. I'll admit that I have to think really hard about how to perform my actions in such a way so as to keep everything in a session. Web programming is a different beast that many programmers are just not prepared to deal with. They post information inside of hidden fields thinking it's safe. The only safe place is inside of a session object on your side, keyed by a random piece of garbage that you trail the client with (a session cookie) -- MD5 sums are great for this because they are a rather large keyspace, plus upon insert into the db you can check to make sure it's unique, and if not try to generate another session key. The key itself cannot contain any data, but merely reference an internal data space; this is where many programmers go wrong. The key is made to be the data! This is utterly wrong and opens you to a host of problems. I even go so far as to drop into the local data what form entries *should* be if they are, say, modifying an existing record; I'll record little tuples of information that will allow me to later make sure that they aren't trying to sneak a change into another record ID. And yes, this can be done in such a way so as to allow multiple browser windows. Yes it is complicated, but it must be done in order to maintain security.

Michael Loftis
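The two posts above describe the same pattern: an opaque session key that only references server-side state, and a server-side note of which record a form was issued for so that a tampered hidden field cannot redirect the write to another record ID. The following is an added illustration of that pattern, not code from either poster; the in-memory stores and record rows are constructed, and `secrets.token_hex` stands in for the MD5-of-random-input key the second post suggests.

```python
import secrets

# Constructed in-memory stand-ins for the server-side DB the posts refer to.
SESSIONS = {}   # opaque session key -> server-side state
RECORDS = {}    # record id -> row

def reset_stores():
    """Fresh sample data so the demo can be rerun from a known state."""
    SESSIONS.clear()
    RECORDS.clear()
    RECORDS.update({101: {"owner": "alice", "title": "alice's listing"},
                    202: {"owner": "bob",   "title": "bob's listing"}})

def new_session(user):
    """Mint a session key that only references server state and encodes nothing.
    The post suggests an MD5 of random input; secrets.token_hex is used here
    instead (an assumption of this example), with the retry-on-collision
    uniqueness check the post describes."""
    while True:
        key = secrets.token_hex(16)
        if key not in SESSIONS:
            break
    SESSIONS[key] = {"user": user, "editing": set()}
    return key

def begin_edit(key, record_id):
    """Called when the edit form is rendered: remember server-side which
    record this session may modify. A set of ids allows several browser
    windows to have edit forms open at once."""
    sess = SESSIONS[key]
    row = RECORDS.get(record_id)
    if row is None or row["owner"] != sess["user"]:
        return False
    sess["editing"].add(record_id)
    return True

def save_unsafe(form):
    """The pattern the thread criticises: the hidden record_id field is the
    data and is trusted as-is, so editing that field reaches any row."""
    RECORDS[int(form["record_id"])]["title"] = form["title"]
    return True

def save_safe(key, form):
    """Hardened form: the hidden field is only a hint, checked against the
    records this session was actually offered; unknown keys are rejected."""
    sess = SESSIONS.get(key)
    if sess is None:
        return False
    rid = int(form["record_id"])
    if rid not in sess["editing"]:
        return False          # hidden field was tampered with
    RECORDS[rid]["title"] = form["title"]
    return True
```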
In RISKS-21.02 we heard about Whispercode technology, which adds sub-audible coded signals to commercials that activate personal "hit" counters for measuring how many and perhaps which commercials a person has been exposed to. Hoping to increase the accuracy of measuring the effectiveness of TV advertising, Whispercode's CEO is quoted as saying "With Whispercode, we will finally be providing our clients with a true accounting of where their advertising money is going." By "tagging" commercials like this, Whispercode may have inadvertently provided what has historically been carefully avoided by the television industry - a signal that distinguishes commercials from "content". The availability of this information will make it trivial to develop the much sought "commercial killer" box. This may produce the further unintended effect of proving beyond a doubt where advertisers' money is going - straight down the drain.
The PFIR (People For Internet Responsibility) statement dated September 7, 2000, entitled: "PFIR Statement on Government Interception of Internet Data" is available at: http://www.pfir.org/statements/interception

Lauren Weinstein email@example.com or firstname.lastname@example.org or email@example.com
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Moderator, PRIVACY Forum - http://www.vortex.com
BKBBIPSR.RVW 20000614

"Big Book of IPsec RFCs", Pete Loshin, 2000, 0-12-455839-9, U$34.95/C$48.95
%E Pete Loshin firstname.lastname@example.org
%C 340 Pine Street, 6th Floor, San Francisco, CA 94104-3205
%D 2000
%G 0-12-455839-9
%I Morgan Kaufmann Publishers
%O U$34.95/C$48.95 415-392-2665 fax: 415-982-2665 email@example.com
%T "Big Book of IPsec RFCs: Internet Security Architecture"

RFC (Request For Comments) documents are the standard references of the Internet. (Not that all of them are standards as such: some are discussion papers or even opinion pieces. RFC 1796 has an interesting take on this fact.) IPsec is that group of articles dealing with security. The RFCs are important materials. They are also available online, for free. Why, then, would you pay for a collection of them?

Fortunately for the ease of my review, Loshin asks this question, and gives a detailed answer, in the introduction. In the first place, you'll probably want to print out the documents at some time, and this is probably one of the cheapest ways to do it. (Certainly one of the most convenient.) Also, this is a collection of the IPsec standards, and therefore the compilation work has been done for you. Finally, Loshin has provided an extensive index, which greatly increases the value of the text. (Original formatting has been retained, and the individual manuscripts preserve their page numbering: the index can be used to point to items in the RFCs even for those referring to the online forms.)

Twenty-three RFCs are included in the book. Fortunately for Loshin's effort, one of the documents provides an overview of net security and another presents a structure for the RFCs themselves. Each contains its own definitions of terminology, although an aggregated glossary would have been helpful.
The items are listed in numerical order, as is suitable for a reference work: RFC 2401, on security architecture, is possibly the best starting point for newcomers, but is roughly in the middle of the book, and RFC 2411, describing the relationships among the RFCs, comes near the end. Topics include the MD4 and MD5 digest algorithms, using MD5 for IP authentication, ESP (Encapsulating Security Payload) encryption, RC5 encryption, hashed message authentication code (HMAC), the CAST-128 algorithm, test cases for message digests, RC2 encryption, security architecture, the authentication header, Internet Security Association and Key Management Protocol (ISAKMP), security associations, Internet Key Exchange (IKE), NULL encryption, a document roadmap, OAKLEY key determination, and the Diffie-Hellman key agreement method.

For those needing, or even wanting, to know about IPsec, this is the reference.

copyright Robert M. Slade, 2000 BKBBIPSR.RVW 20000614
firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
The announcement and call for papers are at: http://www.ieee-security.org/TC/sp2001.html