Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The Risks Forum has long advocated the importance of increased awareness of risks and avoidance of critical systems with too many inherent weak links. On 11 Sep 2001, the Internet stood up well and was a very important source of information; land-based and cellular telephone systems experienced major outages in lower Manhattan. A few companies such as Cantor-Fitzgerald and eSpeed suffered huge personnel losses, but were nevertheless able to resume operations quickly — through various combinations of advanced planning and rapid recovery strategies. There are many lessons that are worth recording here, so I would like to invite some of you to contribute short but pithy items on what was achieved, what was learned, and what insights you might have gained. [Thanks to Scott Rainey for encouraging me to do this.]
Combating Terrorism: Selected Challenges and Related Recommendations. GAO-01-822, September 20. http://www.gao.gov/new.items/d01822.pdf Aviation Security: Terrorist Acts Demand Urgent Need to Improve Security at the Nation's Airports, by Gerald L. Dillingham, director, physical infrastructure issues, before the Senate Committee on Commerce, Science, and Transportation. GAO-01-1162T, September 20. http://www.gao.gov/new.items/d011162t.pdf Aviation Security: Terrorist Acts Illustrate Severe Weaknesses in Aviation Security, by Gerald L. Dillingham, director, physical infrastructure, before a joint hearing of the Senate and House Appropriations Subcommittees on Transportation and Related Agencies. GAO-01-1166T, September 20. http://www.gao.gov/new.items/d011166t.pdf
Internet experts believe that the threat of cyber-attacks are increasing, though not necessarily from Osama bin Laden's AlQaida network, which seems focused on destroying physical targets and killing civilians. Georgetown University computer science professor Dorothy Denning says, "It's my understanding that they're not teaching this in the terrorist-training camps," but rather that the danger comes from "these thousands of affiliates or sympathizers." Stephen Northcutt, who runs an information warfare simulation for the SANS Institute, warns that terrorist could "potentially paralyze commerce" and might be able to "accomplish a cascading failure of the electronic grid." (*San Jose Mercury News*, 1 Oct 2001; NewsScan Daily, 1 October 2001; http://www.siliconvalley.com/docs/news/depth/cyber100101.htm) [Also, there is clearly renewed interest in off-site backup data storage. PGN]
Hackers face life imprisonment under 'Anti-Terrorism' Act; Justice Department proposal classifies most computer crimes as acts of terrorism By Kevin Poulsen, 23 Sep 2001 Hackers, virus-writers and web site defacers would face life imprisonment without the possibility of parole under legislation proposed by the Bush Administration that would classify most computer crimes [and maybe noncrimes (PGN)?] as acts of terrorism. The Justice Department is urging Congress to quickly approve its Anti-Terrorism Act (ATA), a twenty-five page proposal that would expand the government's legal powers to conduct electronic surveillance, access business records, and detain suspected terrorists. [See http://www.securityfocus.com/news/257 for the full item. PGN]
Gartner is recommending that IIS users who have been hit by the recent MS exploits should "immediately" consider moving to alternatives such as Apache or iPlanet. http://www4.gartner.com/DisplayDocument?doc_cd=101034 But when will those in control take note? I'm sure that a lot of NT/200 sysadmins (and especially Webmasters) are aware of the limitations of their platform, but corporate strategy means that they are a "Microsoft shop". Alistair McDonald Bacchus Consultancy www.bacchusconsultancy.com
Will Knight, New Scientist, 20 Sep 01 http://www.newscientist.com/news/news.jsp?id=ns99991329 A computer security expert has revealed how he altered news articles posted to Yahoo!'s web site without permission. The incident highlights the danger of hackers posting misleading information to respected news outlets. Freelance security consultant Adrian Lamo demonstrated that, armed only with an ordinary Internet browser, he could access the content management system used by Yahoo!'s staff use to upload daily news. He added the false quotes to stories to prove the hole was real to computer specialist site Security Focus. Yahoo! has issued a statement saying the vulnerability has been fixed and security is being reviewed. But experts say that the incident demonstrates a serious risk. "Just think how much damage you could do by changing the quarterly results of a company in a story," says J J Gray, a consultant with computer consultants @Stake. Gary Stock, CIO & Technical Compass, Nexcerpt, Inc. 1-616.226.9550 gstock@nexcerpt.com
Yet another attack on hotmail. Computing (20 Sept 2001) reports that one can hack the hotmail web site, and redirect users to another site. This brings up the possibility of password collecting. The hacker, known as "Oblivion", reported this to the bugtraq mailing list. The exploit involves smuggling javascript code through the filters used at hotmail. Alistair McDonald Bacchus Consultancy www.bacchusconsultancy.com
http://news.excite.com/news/r/010910/11/net-tech-gambling-hacking-dc [The article is on risks in on-line gambling, and particularly CryptoLogic, Inc., a Canadian on-line casino games developer that has been hacked. One of their sites had been "fixed" so that craps and video slot players could not lose, with winnings totalling $1.9 million. Every dice throw turned up doubles, and every slot spin generated a perfect match. Whether it was an insider attack or a penetration is not clear from the article. (We noted the likelihood of hacking of Internet gambling sites in RISKS-19.27, 1 Aug 1997, not to mention my 1995 April Fool's piece in RISKS-17.02.) Interesting question: which laws against hacking will apply to subversions of illegal Internet gambling parlors? Who gets to prosecute remote attacks on off-shore operations? PGN-ed]
>From http://www.volkskrant.nl/nieuws/nieuwemedia/1001567916953.html (in Dutch). 27 Sep 2001 The 20-year-old creator for the Kournikova virus, J. de W. from Sneek, was sentenced to 150 hours of community service by the court of Leeuwarden this Thursday. The prosecution demanded the maximum of 240 hours of community service. In February De W. released on the Internet the so-called wormvirus, which spread itself as an e-mail message. The virus was activated by clicking the e-mail which was titled Anna Kournikova (the tennis player). This lead to inconvenience of Internet users all over the world. When determining the sentence, the court took into consideration that the boy had no previous run-in with justice, that he turned himself in, and that material damages were limited. The American investigation service FBI reported an amount of $166.827 in damages.
[Follow-up on RISKS-21.62 items. PGN]
'Good Sam' Hacker 'Fesses Up, By Declan McCullagh, 27 Sep 2001 declan@wired.com
It seemed like such a straightforward example of prosecutorial misconduct:
An Oklahoma man was being investigated by the Justice Department for helping
a newspaper fix a Web site security hole.
The outcry among the geek community last month began with an uncritical
story on LinuxFreak.org entitled "Cyber Citizen Lands Felony Charges?" Sites
such as Slashdot soon picked up the sad tale of 24-year-old Brian K. West as
evidence of out-of-control, tech-clueless government lawyers, and urged
everyone to e-mail the U.S. Attorney in charge of the prosecution.
Making the story even more appealing to the open-source community was the
Microsoft angle: West was said to have reported to the Poteau (Oklahoma)
Daily News and Sun a security flaw in Microsoft NT 4.0 IIS and Microsoft
FrontPage. But a guilty plea that West signed tells a far different story
-- and shows how easily a well-meaning community of programmers and system
administrators can be led astray.
http://www.wired.com/news/politics/0,1283,47146,00.html
[Politech archive on U.S. v. Brian K. West:
http://www.politechbot.com/cgi-bin/politech.cgi?name=sperling]
[PGN-excerpted from the Sperling release:
While probing the site, defendant made copies of six proprietary
Practical Extraction Report Language (PERL) scripts that were part of
the source code running the PDNS Web page. Defendant also obtained
password files from PDNS and used those passwords to access other parts
of the PDNS Web page. Defendant electronically shared the scripts and
the password files for the PDNS Webs ite with another individual.
Defendant's access to the Web page involved interstate communications.
...]
Reuters reports that the U.S. District Court in Philadelphia has ordered John Zuccarina to shut down sites operated by him. The Federal Trade Commission filed a complaint against Zuccarina, claiming that he has purchased domain names which are misspellings or other "one-offs" of popular sites, which he uses to "blitz" unsuspecting visitors with pop-up ads, from which the user cannot escape, in order to receive advertising revenue (estimated between $800K and $1 million). Zuccarina has registered some 5500 domains, including www.annakurnikova.com, 41 variants of "Britney Spears", and others. http://www0.mercurycenter.com/breaking/docs/081329.htm
Yesterday (10 Sept. 2001) the U.S. Transportation dept released a report on the vulnerabilities of the Global Positioning System. The report can be obtained from http://www.navcen.uscg.gov/gps/geninfo/pressrelease.htm There is a short story about it in *The New York Times 11 Sep 2001: http://www.nytimes.com/2001/09/11/national/11NAVI.html The report notes that GPS is being increasingly relied on for life-critical performance in transportation and recommends that various backups be maintained and new ones developed. Joseph Bergin, Professor, Pace University, Computer Science, One Pace Plaza, NY NY 10038 berginf@pace.edu HOMEPAGE http://csis.pace.edu/~bergin/
The hospitals in "Västra Götaland" sweden (west coast, population 1M) were isolated fron Internet during 23 Sep 2001. Some of internal networks had to be partitioned to prevent nimda spreading further. Reservations and computer-based medical records were unavailable. http://www.vgregion.se The fact that a hospital chain has so relaxed security is amazing. It's also amazing that whole organizations are kept hostage of a vendor that's not even cost-effective. What would happen in case we get a *real* threat to security?? Peter Håkanson, IPSec sverige, Bror Nilssons gata 16 Lundbystrand S-417 55 Gothenburg Sweden "Safe by design" +46707328101 peter@ipsec.nu
The Y2K problem is being blamed for incorrect Down's Syndrome results being given to more than 150 pregnant women throughout northern England between January and May last year. As a result, four Down's syndrome pregnancies went undetected. Amongst other factors, the mother's age is used to assess her risk category. Only those in the high-risk category undergo further tests for the syndrome. Staff noticed the strange results coming from the system, but initially thought they was due to a different mix of women being tested. Full report: http://news.bbc.co.uk/hi/english/health/newsid_1541000/1541557.stm Les Weston, Quinag-CSL, Edinburgh. [Also noted by several others. TNX. Overconfidence in the PathLAN computer was blamed for errors, occurring between 4 Jan and 24 May 2001. PGN]
Westchester Medical Center was fined $22,000 for 11 violations related to the death of the 6-year-old boy killed by the magnetically attracted stray oxygen tank carried into the room by a doctor. http://www.newsday.com/news/nationworld/wire/sns-ap-mri-death0928sep28.story
On 20 October 2001 there will be an election of members of the Legislative Assembly of the Australian Capital Territory. It is hoped that about 9% of voting will be done using a new electronic voting system. Further details are at <http://www.elections.act.gov.au/Elecvote.html>. For the electronic system, no independently verifiable copy of a voter's choices will be kept. The selections made by a voter and displayed on the monitor of the voting computer will be, we're led to believe, what go into the duplicated databases for counting. RISKS readers will be reassured to know that (see <http://www.elections.act.gov.au/media0104.html>): "The new software will be subjected to extensive testing to ensure it is accurate and secure, as well as easy to use. The software will be used on standard computer hardware, that will not be connected to any external networks. The system will also include numerous backups and safeguards to ensure that voting data will not be lost. This will guarantee the security of the electronic voting and counting processes," Mr Green [the ACT Electoral Commissioner] said. I hope Murphy is not eligible to vote. [Actually, given the flakiness and lack of security in existing all-electronic voting systems, it is likely that Murphy's entire surrogate extended family will be able to vote repeatedly, many times over. PGN]
Australians voice anger over online spying By Rachel Lebihan, ZDNet Australia News, 07 September 2001 Only three percent of surveyed ZDNet readers believe Internet Service Providers should monitor all user activity, following a parliamentary report that recommends user logs should be kept on customers' online activities. The diminutive support for tighter online monitoring was transcended by a resounding 60 percent of polled readers who said they would kick up a fuss until the law was changed, if ISPs were forced to maintain access logs. http://www.zdnet.com.au/news/breakingnews/story/0,2000020826,20259325,00.htm
In light of this morning's events, which I will not minimize by trying to select an adjective to describe, I thought it might be interesting to search the RISKS archives, and see how the building's history figures in that sphere. First, there's coverage of the car bombing, and how the evac plan and generators failed, in http://catless.ncl.ac.uk/Risks/14.37.html#subj4.1 with follow-on in http://catless.ncl.ac.uk/Risks/14.38.html#subj5.1 http://catless.ncl.ac.uk/Risks/14.39.html#subj8.3 There's other coverage of the bombing, as well, in http://catless.ncl.ac.uk/Risks/14.39.html#subj8.2 which discusses how the building operators are allowed to violate the building codes that they would be otherwise bound by. Also, http://catless.ncl.ac.uk/Risks/14.39.html#subj8.2 discusses the fact that damned near every TV and most of the radio broadcast antennas serving NYC and Eastern NY State just hit the ground as well; that had to be making life miserable for people trying to get the word out. http://catless.ncl.ac.uk/Risks/14.41.html#subj1.1 discusses an ATM outage in NJ attributable to the evac from that bombing. Another outage in California happened at least in part because the backup systems were otherwise occupied due to that same situation: http://catless.ncl.ac.uk/Risks/14.41.html#subj2.1 http://catless.ncl.ac.uk/Risks/17.17.html#subj10.1 notes in passing that the WTC is not alone in having such problems. [Discussion of the Citicorp problems and unlikely events. PGN] Jay R. Ashworth, Member of the Technical Staff, Baylink, Tampa Bay, Florida http://baylink.pitas.com +1 727 804 5015 jra@baylink.com
> Re: Consumer Reports password policy risks (Bumgarner, RISKS-21.65) > ... but does give the last five digits Sounds like the Taiwan power company sending bills with only the last few digits of your auto-payment bank account revealed, the phone company sending theirs with only the first few digits revealed. Steal two envelopes and you've got the account number? http://www.geocities.com/jidanni/ Tel+886-4-25854780
I had to get some x-rays recently. I felt real confident when I saw a bright yellow post-it note on the x-ray machine with bold print stating that the measurements were in mm (millimeters) and not in cm (centimeters). Since the note was needed, one can assume they had problems with people calibrating the machine properly with the right units. I think the x-ray software interface needs some improvement to eliminate this danger of miscalibration. E. Asa Bour <bourea@scripturememory.org> http://www.scripturememory.org/ http://www.schemer.com/
I recently received a confirmation e=mail from an Australian domestic airline confirming a booking I had made over the web. The entire e-mail was in capitals (were they shouting at me or was it all "very important"?) including a little URL at the bottom for more information on in-flight health: > SOME STUDIES HAVE CONCLUDED THAT PROLONGED IMMOBILITY MAY BE A RISK > FACTOR IN THE FORMATION OF BLOOD CLOTS IN THE LEGS, > (DVT - DEEP VEIN THROMBOSIS). IF YOU FEEL YOU MAY BE AT RISK FROM > DVT OR OTHER HEALTH PROBLEMS, QANTAS RECOMMENDS YOU CONSULT WITH > YOUR DOCTOR BEFORE TRAVEL. INFORMATION ON HEALTH ISSUES CAN BE > FOUND ON OUR WEBSITE - > WWW.QANTAS.COM.AU/FLIGHTS/ESSENTIALS/HEALTHINFLIGHT.HTML, > IN OUR TIMETABLE AND INFLIGHT MAGAZINE OR CONTACT YOUR LOCAL QANTAS > OFFICE. No prizes for guessing whether or not the all-uppercase URL works... So the RISKS... other than making the entire message much harder to read, you can also break things.
2002 USENIX Annual Technical Conference, June 9-14, 2002, Monterey, CA http://www.usenix.org/events/usenix02/ Submissions to the General Refereed Sessions Track are due on November 19, 2001. FREENIX is a special track within the USENIX Annual Technical Conference that showcases the latest developments and applications in freely redistributed technology. The FREENIX track covers the full range of software and source code including but not limited to Apache, Darwin, FreeBSD, GNOME, GNU, KDE, Linux, NetBSD, OpenBSD, Perl, PHP, Python, Samba, Tcl/Tk and more. The FREENIX program committee is looking for papers about projects with a solid emphasis on nurturing the open source/freely available software community and talks which advance the state of the art of freely redistributable software. Areas of interest include, but are not limited Submissions to the Freenix Track are due on November 12, 2001. Submission guidelines and conference details are available on our Web site: http://www.usenix.org/events/usenix02/cfp/ The 2002 USENIX Annual Technical Conference is sponsored by USENIX, The Advanced Computing Systems Association. www.usenix.org
Please report problems with the web pages to the maintainer