Lawrence Livermore National Laboratory in California has banned all wireless networks, including Microsoft's Wi-Fi, because of security concerns. Wi-Fi supporters say the technology is secure when it's been properly installed, but experts say that only about 10% of all users install them correctly. (*USA Today*, 28 Jan 2002; NewsScan Daily, 29 January 2002) http://www.usatoday.com/life/cyber/tech/2002/01/29/wifi.htm
Wireless carriers including Sprint, Cingular, and Seven (a startup) are putting together products that tunnel through the firewall to allow you to access the e-mail, calendars, etc. on your desktop machine remotely from a wireless device. But not to worry, since it "conforms to the highest levels of transport security". After all, what could go wrong with a tunnel like this? NOT! The risks are apparent to everyone except the vendors involved. Full story at http://www.infoworld.com/articles/hn/xml/02/01/28/020128hnport.xml
Soon business travelers passing through Minneapolis-St. Paul International Airport will be able to access the Internet at high speeds for free. Anyone want to send out lots of SPAM or launch attacks? Just go to MSP. http://www.startribune.com/stories/535/1130636.html
This potential risk was sent to me at work today. At click glance of the site below, you may truly feel that you viewing a drastic mistake at microsoft.com, or the evil doings of a disgruntled employee. I as a Web developer and consultant quickly determined how it was done (simply passing a username and password to the true url to display the page). However, a link contained within an e-mail to the unsuspecting consumer bringing them to a site like this could be a disaster. This false representation is an easy way to exploit information from consumer thinking they are buying/subscribing/requesting information from a company - when in fact, it may be a scenario like the link below: http://www.microsoft.com&item=3Dq209354@hardware.no/nyheter/feb01/Q209354 %20-%20HOWTO.htm
Related to Rob Graham's item in RISKS-21.89, an even more insidious URL risk is described in an excellent column on the Inside Risks page of the February 2002 CACM: Evgeniy Gabrilovich and Alex Gontmakher The Homograph Attack Communications of the CACM, vol 45, no 2, inside back page This is a WONDERFUL RISKS-relevant article. Please read it. For your convenience, this column is now on the Inside Risks Web site http://www.csl.sri.com/neumann/insiderisks.html as http://www.csl.sri.com/neumann/insiderisks.html#140 The examples given use Cyrillic characters. For example, a Russian "o" and an English "o" look alike but can have radically different results.
http://www.newsobserver.com/ncwire/news/Story/903276p-902507c.html In Durham, NC (USA), a waterpipe break on early Saturday (12-Jan-2002) morning forced the closure of the city police department building and 911 center. The water flooded a subbasement and took out the electrical equipment and backup power generators. Callers to 911 got busy signals or disconnects (I suppose that's better than hold muzak) until the temporary location (at Duke University) was online about 12 hours later, with dispatchers taking call information on paper (no computers). RISKS: 1) Putting all the eggs, police dept and 911 center, in one building 2) Putting critical electrical equipment in a place where it can be easily flooded out and in the same building 3) Not having 911 services "roll-over" to somewhere else (for example, Cary, NC - about 20 miles from Durham - has an agreement with the Wake County 911 center that if Cary becomes unable to take a given 911 call, it automatically rolls over to Wake's 911 center) - a (*gasp*) backup Dave Bank aka Dirk the Daring dirk at psicorps dot org
Today's Daily Telegraph (a quality UK broadsheet newspaper) carries a *potentially* disturbing report describing a new service, "Money Claim Online", whereby individuals and law firms (solicitors) can issue most simple legal proceedings (where a sum less than UK pounds 100,000 is claimed, = USD 140K)) and enforce judgments via a Web browser. The new service has been set up without publicity by the Lord Chancellor's Department, which runs the courts system in England and Wales. It seems that the system is accessible to the public now, although it has not been officially launched. People using the service are (oddly) referred to as "customers" .... and there is a Customer Help Desk ... The newspaper report is also viewable at this Daily Telegraph link on-line: http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2002/01/26/nsue26.xml&sSheet=/news/2002/01/26/ixhome.html The service can be seen on-line at: https://www.moneyclaim.gov.uk/csmco/index.html No details are apparent of what measures are taken to validate the identity of the claiming party or prevent other gross miscarriages of justice .... but it would appear that the potential exists for significant trouble .... even though the site warns that "vexatious litigants" are not allowed to us it (these are people who have abused the litigation system in the past to such an extent that they have been declared "vexatious litigants", restricting their ability freely to issue legal proceedings). PS: I am a lawyer myself, although I don't practise in this area .. but do work in-house for a large IT company ... these comments are offered purely in a personal capacity. Tony Ford, Guildford, Surrey, UK <email@example.com>
A public chat session was scheduled yesterday between, on one hand, the Dutch Crown Prince Willem Alexander and his fiancee Maxima Zorreguieta and, on the other hand 100 selected citizens. The session was made available for everybody to watch on a Web site. The server failed after a few minutes and did not come up again, so the rest of the session was canceled. According to several news sources (radio and TV news, printed press), KPN, who provided the server, says that the crash was caused by "sabotage", and that the site, that was designed for "tens of thousands" of users, received 3 billion (Yes, 3,000,000,000) hits. The story does not look very plausible to me. To deliver 3,000,000,000 IP packets, even short ones, in a few minutes takes something like a 10 Gbits/sec connection into the server, and would require quite a powerful attacking machine with a comparable network connection, or a concerted attack by tens of thousands of home PC's on modem lines. I also had a look at http://internettrafficreport.com Such a volume of traffic in a short time should cause some slowdown of other Internet traffic in the networks concerned. I saw no noticeable performance degradation in any of the Dutch routers monitored by this site, nor anywhere else, around the time of the event. Speculation in the media now goes that the site simply received more genuine hits than it was designed for, but not billions (Holland has 16 million inhabitants), and could not cope, and that KPN is reluctant to admit their mis-estimation of the traffic. Does anybody have more information about what really happened?
The Strasbourg newspaper "Dernières Nouvelles d'Alsace" reports (in French) an interesting case of e-mail forgery. The exact circumstances are not yet clear, but it appears that: - An e-mail was sent from the account of the mayor, telling members of a city commission to vote in favour of a plan to extend a local hypermarket. The official, public policy of the city council and the mayor is to oppose this extension. - The mail to one member of the commission bounced, because the recipient's name was incorrectly spelled. - An assistant to mayor Fabienne Keller, who has access to her mailbox, noticed the "undeliverable" reply and determined that the mail had been sent at a time when the mayor could not have sent it. - The general manager of the hypermarket is under police investigation for illegal entry into a computer system, forgery, use of forged documents, and attempted fraud. Original texts in French for those interested: > http://www.dna.fr/cgi/dna/motk/idxlist_light?a=art&aaaammjj=200201&num=180 > 41610&m1=keller&m2=mairie&m3= http://www.dna.fr/cgi/dna/motk/idxlist_light?a=art&aaaammjj=200201&num=19049 910&m1=keller&m2=mairie&m3= I suppose the RISK is that if you're going to pretend to be someone else, make sure you can spell ! Nick Brown, Strasbourg, France
Even in the sticks there are risks: Last autumn, the propane company that fills our tank (for stove, hot water and drier) was taken over by another propane company. We learned last night, when all of our gas-fired appliances stopped working, that "some customers fell through the cracks" during the acquisition, to wit, the new company wasn't refilling their tanks and was apparently relying on calls like ours to let it know whom it had forgotten. They promised a delivery "first thing" in the morning. So about noon we called, and learned a few additional tidbits: apparently customers scheduled for regular deliveries from the old company had been silently changed to "will call" status by the new one, and no, the new company didn't believe it had any liability for interrupted service. The risk of mistranslating fields in an acquired database should be obvious, as should the rule that any untranslatable values get flagged and/or at least converted to the least-damaging equivalent in the new system. (There's also the obvious financial risk that customers won't want a company that careless involved in delivering a commodity know to blow folks to bits when mishandled.)
I recently attempted to send E-mail to the author of a RISKS submission. Since my DSL line was down when I sent the E-mail, and since outbound SMTP connections are blocked from the dial-up accounts provided by my ISP, I had to send my E-mail through my ISP's mail server. It bounced as follows (the identify of the intended recipient has been masked): <RECIPIENT@RECIPIENT-HOST>: Connected to RECIPIENT-HOST-IP but sender was rejected. Remote host said: 571 <firstname.lastname@example.org>... Return address email@example.com does not match sending computer mail11.speakeasy.net -- check your configuration. http://www.RECIPIENT-HOST/mail/571_2.html for details. If you visit the URL referenced above, you discover that this site's system administrators have decided to block all E-mail for which the host name in the envelope address can't be matched up obviously (using a simple string comparison) with the host name of the mail server sending the message. In other words, if you have your own domain name, but you send E-mail through your ISP's mail server, you simply can't send E-mail to this site. Supposedly, they check their logs for such bounces "as we have time" and add messages that should have gone through to an exception list, but who knows when/if they'll ever get around to doing that in any particular case. Furthermore, they provide no mechanism for contacting them by E-mail or Web to ask to be excepted -- all they give on the Web page is a long-distance telephone number. Fortunately for me, or so I thought, I *do* send outbound mail through my own mail server when my DSL line is up, and it was fixed yesterday, so I decided to attempt to resend my message. It bounced again, with a different error: RECIPIENT@RECIPIENT-HOST (reason: 550 We do not accept mail from the spam-relay machine: jik-0.dsl.speakeasy.net.. http://www.RECIPIENT-HOST/mail/571_1.html for details.) If you visit *that* URL, you see that they're claiming that my machine is a spam relayer. It isn't and never has been. I've never sent spam and I block all third-party relaying through my machine. I can't find an entry for either my IP address or my subnet in any of the black-lists checked by <URL:http://relays2.osirusoft.com/cgi-bin/rbcheck.cgi>. Of course, they don't bother to say *why* they think my machine is a spam-relay machine, so who knows where they got that charming idea? And, as mentioned above, they don't provide any way to contact them on-line to complain about it. For example, many sites which enforce restrictions this draconian provide an address which is exempt from the restrictions to which people can complain; the spammers don't ever bother complaining, so it really isn't particularly burdensome to do this. Unless, of course, you really don't care if people can't send legitimate E-mail to your site. I understand the desire to block spam, but there are ways to do it which don't also block legitimate E-mail, or at the very least which provide an on-line mechanism people can use for getting themselves unblocked. This is just really excessive; I would even go so far as to say that I question the legitimacy of allowing RISKS submissions from people who make it impossible for people to send them E-mail responses to their submissions. jik
According to the BBC News Web Site, Iceland's main airport is introducing "face recognition technology" to identify "any hijackers on wanted lists". http://news.bbc.co.uk/hi/english/sci/tech/newsid_1780000/1780150.stm The article notes that a similar system was tried in Florida, and abandoned after two months. The article notes: "'In my opinion, had this system been installed at airports in North America last summer, it would have increased the chances of catching those criminals who hijacked the planes,' said Keflavik airport police commissioner, Johann Benediktsson. [...] A recent report by the America Civil Liberties Union showed that over a two-month period, the software failed to identify a single person photographed in the department's criminal database. Instead, the software produced many false identifications, said the ACLU report. [...] "For Jonina Bjartmortz, a member of the foreign affairs committee in the Icelandic parliament, the system has become a sure way of reassuring nervous passengers. 'We are at the western most tip of Europe and a gateway to America. We only have one airline and we felt it was very necessary to invest in the technology,' she said. It seems to have worked. Flights coming and going from Keflavik airport are generally full and passengers appear happy." One is tempted to say "The Usual Risks": - False Positives and False Negatives - Customers (and Management) with a potentially false sense of security - It will only pick up "known" faces. What if your hijacker not "known"? That said, we can hope that the existing security precautions will pick up the "unknown" hijackers. At least the risk is no greater unless security staff come to rely on the system. Chris Leeson
The following is the entirety of a story printed in *Australian Financial Review* 21 Jan 2002, attributed to Australian Associated Press: "Dataline in court" "The ACCC has begun legal action against Brisbane-based Internet provider Dataline.net.au, its managing director, Mr John Russell, and associated companies Australis Internet and World Publishing Systems. Dataline allegedly intercepted e-mails and debited consumers' credit cards without authority." ACCC stands for Australian Competition and Consumer Commission, or in tabloid-ese "The consumer watchdog". Other contributors to RISKS have mentioned packet sniffing and electronic "dumpster diving" to extract credit-card numbers. This looks to be much simpler. If the ACCC is correct, this seems a good reason to become an ISP. Is this a new risk? Probably not. The full and more worrying set of allegations is at ACCC's Web site: http://www.accc.gov.au/media/mediar.htm then click on 18 January 2002 ACCC Takes Action Against Internet Service Provider Peter Deighan <firstname.lastname@example.org>
Today I received the "RSA Conference 2002 eNewsletter, Volume 2". Much to my dismay, this HTML-ized e-mail had several hidden tracking features, including the classic 1x1 pixel GIF with a unique identifier encoded in the URL pointing to a company I've never heard of. RISK: assuming you can trust e-mail from a conference and a company (RSA Security, Inc. sponsors the conference) which emphasizes security and privacy. -- Rex Sanders, USGS
[Earl Boebert's message in RISKS-21.87 provoked many responses that are not included in this issue of RISKS, but to which Earl offered the following generic response. PGN] Well, I'm glad I provoked at least some discussion of the issue. Unfortunately, many of the responses, including some from people who should have known better, exhibited a depressing degree of ignorance about the role of processor architecture in implementing protection mechanisms. To respond to these in detail would involve the moral equivalent of a course in the subject, which I do not currently have either the time or the inclination to do. I would refer interested parties to Dick Kain's book , which (along with some of the more informative replies) shows that there are more things in heaven and earth than dreamt of in the x86 philosophies. I suppose a final note would be: Relying on any one element of an integrated hardware-software system for protection from hostile code is dangerous. Currently popular processor architectures contain such stupidities that they place an impossible burden on software and programmer discipline. Yes, these things can shoulder the burden in theory, but the historical evidence is that they fail consistently in practice.  If you don't know this reference, you probably shouldn't be in this business.
> SAS Institute has developed software that it says can sift through > e-mails and other electronic text to discern falsehoods. It would be interesting to take a press release or privacy statement regarding this product and run them THROUGH said product, ne? Russ Perry Jr 2175 S Tonne Dr #114 Arlington Hts IL 60005 847-952-9729 email@example.com
The German publishing house "Heise" reports in its online news about a remote configuration change of mobile phones via the short message service (SMS) which is available in GMS networks: http://www.heise.de/newsticker/data/pmz-24.01.02-000/ The Swiss telco Swisscom has confirmed that it has sent to selected customers special SMS messages that deleted roaming information on the SIM cards of the customers' mobile phones. Swisscom says that the purpose for the messages is to test for the introduction of new services in the Swisscom mobile phone network. The customers have not been informed about the change. The SMS appeared as empty messages sent from the phone number "0800". The magazine also reported that insiders believe that the modification of the roaming information was to direct traffic to networks owned by Vodafone -- which acquired a 25% share of Swisscom on april last year. Customers have to re-enter the information to their phones manually. It would be interesting: * If there is any security mechanism protecting anyone from sending such "special" messages. * Which setting on the mobile phone can be changed (or probably retrieved from the phone) without knowledge to the customer. * If the network provider must implement such features, I do not understand why this must happen unperceived by the customer. Why not send a message telling people what will happen? S.Llabres
BKALASCR.RVW 20011122 "Algebraic Aspects of Cryptography", Neal Koblitz, 2001, 3-540-63446-0, U$64.99 %A Neal Koblitz firstname.lastname@example.org %C 175 Fifth Ave., New York, NY 10010 %D 1998 %G 3-540-63446-0 %I Springer-Verlag %O U$64.95 212-460-1500 800-777-4643 %P 206 p. %T "Algebraic Aspects of Cryptography" When certain technical people find out that I am involved in data security, they assert an interest in cryptography, and an intention to write a cryptographic program sometime. While I not wish to disparage this goal, questioning of the individual's background in mathematics tends to point out that the task is harder than they might have foreseen. The magic phrase "number theory" is usually the dividing line. For those who make it past that limit, I am going to recommend that they get Koblitz's work. Not that I am implying that this book is more demanding than it needs to be: only that the topic itself is a difficult one. This is the heart of cryptology: the underlying foundations that make it work. The material presented does not address specific programs, standards, or even algorithms, but deals with the basic mathematical theory that can be used to construct algorithms, or test their strength. Chapter one is something of an overview, touching on many fields of cryptography and introducing an appropriate and exemplar equation for each. Theories related to the strength of cryptographic algorithms are given in chapter two. Basic algebra associated with primes are discussed in chapter three, underlying the more common asymmetric (public key) systems such as RSA. Chapter four outlines an illustrative history of the development, cracking, and improvement of one particular algorithm, demonstrating the mathematical work necessary to each step. Knapsack type problems and theories are explained in chapter five. Chapter six deals with the currently very highly regarded elliptic curve algorithms, and is backed up with an even more extensive appendix on hyper-elliptic curves. This is not an introduction. It is intended as a text for graduate (or possibly advanced undergraduate) work, and requires a solid background in mathematics or engineering. For those seriously interested in cryptography, though, it is worth the work. copyright Robert M. Slade, 2001 BKALASCR.RVW 20011122 email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Homeland Defense & CyberTerrorism: Dealing With Harsh New Realities 3-6 Sep 2002, Washington, DC http://www.misti.com/ Your Sponsors: Winn Schwartau, Interpact, Inc. - www.interpactinc.com MIS Training Institute - www.misti.com White Wolf Consulting www.whitewolfconsulting.com We are soliciting creative analytic, interoperable real-world opinions and solutions that will function in: * Countering the threats of Global and National Cyberterrorism * National and Municipal Critical Infrastructure Protection * Military and Government Information Operations (Defense and Offense) Submission Deadline: February March 11, 2002 [sic. one or the other? PGN] For inquiry or discussion on submissions, please contact Winn Schwartau at 1-727-393-6600, or InfowarCon@Earthlink.Com or email@example.com. Winn Schwartau, President, Interpact, Inc. www.security-aware.com
Please report problems with the web pages to the maintainer