Bugs fixed, cities must repay county over $1M in erroneous disbursements After two and a half years, Brevard County, Florida, has finally fixed the bugs that surfaced following installation of its Y2K preparedness software in 1999. One bug prevented the county Clerk of Courts from determining how fines should be divided among the many cities and agencies that receive a share from each ticket. Since then, employees in the clerk's office have estimated how big each city's checks should be. When new software became available last summer, the Clerk of Courts went through the records back to 1999 and discovered that some cities were significantly overpaid and must return the excess amounts. Melbourne owes $430,993 and Cocoa owes $353,083. Melbourne Beach owes $227,150, which represents about 10% of its budget. City Manager William Hoskovec said: "We will have to make some concessions or raise taxes...". The Clerk of Courts office was unable to suspend drivers' licenses because it was impossible to track who was paying fines. Without the threat of license suspension, many motorists didn't pay their fines and revenues from fines dropped. With the bugs now fixed, notices are being sent to scofflaws and the county expects to recover $4 million for the cities to share, thus reducing their reimbursement payments. During the two and one half years of buggy software, the computers were also blamed for issuance of incorrect bench warrants, mistaken judicial assignments, failure to notify jurors of their summonses, and more. *Florida Today*, 12 Apr 2002, front page
Thousands of people who have installed a popular wireless video camera, intending to increase the security of their homes and offices, have instead unknowingly opened a window on their activities to anyone equipped with a cheap receiver. The wireless video camera, which is heavily advertised on the Internet, is intended to send its video signal to a nearby base station, allowing it to be viewed on a computer or a television. But its signal can be intercepted from more than a quarter-mile away by off-the-shelf electronic equipment costing less than $250. [...] [Source: John Schwartz, *The New York Times*, 14 Apr 2002 http://www.nytimes.com/2002/04/14/technology/14SPY.html?ex=1019744700&ei=1&en=cfeb1e93a276b9ee] From Dave's IP, http://www.interesting-people.org/archives/interesting-people/
... The Matamata wireless link replaced an expensive frame relay service as well as providing a 1Mbs Internet service to several outlying sites including a library and remote management of water supplies. "As the water facilities are computer controlled, they are able to manipulate them remotely rather than sending someone 20 miles down the road just to turn a valve. ... From *The New Zealand Herald* (Talking about 802.11b) http://www.nzherald.co.nz/storydisplay.cfm?storyID=1392336&thesection=technology&thesubsection=general Now I don't know if this technology is mature enough to be trusted for this type of thing - I guess I'll wait for the comments to come flooding in. I sincerely hope they've thought through the encryption and security issues here.
I obtained some information about another Web voting trial, this time in the UK, in Crewe & Nantwich Borough (Cheshire). This has been the subject of fairly low-key advertising, perhaps because it is limited to two wards (local electoral districts), Wybunbury and Maw Green. However, it has been publicised as "e-mail voting", when in fact it is "Web voting". Details are sketchy (local council officials are somewhat hesitant about providing too much detail), but the company behind the trial is the Oracle Corporation, in the form of Oracle (UK) Ltd. Basically, the Council has posted a letter (actual snail mail) to every eligible voter in these two wards with a "secret code". Over the next few days, a second such letter, with another "secret code", will be sent, together with a URL within the Council's Web domain (www.crewe-nantwich.gov.uk), which will allow the voter to select their candidate and vote by entering the two previously-supplied codes. The risks are pretty much as previously discussed in this forum for such schemes, with the added irritation that only certain browsers are supported - yes, it's IE and Netscape, but only the Windows versions, so tough cookie to all you Linux-user voters out there - you have to turn up in person. It looks like browser independence didn't feature highly in the design of the trial, with only a vague reference to "security accreditation" being offered as to why Linux browsers aren't acceptable. That looks like a re-run of the UK Government Gateway browser-specificity debacle - or the Microsoft Government Gateway, as we should call it now that we have learned the Government has handed over the IPR for the whole thing (£35m worth) to Microsoft completely free, on the basis of potential future licence royalties... but that's another whole shed-load of risks...! R M Crorie (risksANTISPAM-AT-REMOVEDcrorie.com)
By Robert Lemos, Staff Writer, CNET News.com, 16 Apr 2002 Microsoft acknowledged on Tuesday that its popular Office applications for the Macintosh have a critical security flaw that leaves users' systems open to attack by worms and online vandals. The software slip-up happens because the Microsoft applications incorrectly handle the input to a certain HTML (Hypertext Markup Language) feature. By formatting a link in a particular manner, an attacker can cause a program to crash a Macintosh or run arbitrary commands. The link could appear on a Web page or in an HTML-enabled e-mail. [...] http://news.com.com/2100-1001-884364.html
The latest financial giant to move much of its information technology work outside U.S. borders, Mellon Financial will soon be sending a quarter of its routine software maintenance chores to India. (A study by the Meta Group consulting firm indicates that an Indian programmer can be hired for one-fourteenth the rate of an American programmer.) Mellon executive Ken Herz says the company hopes to have new work for all U.S. workers affected by the company's decision, and explains: "This project emphasizes our intent to focus Mellon technology talent on growth-related projects and have routine maintenance work done offshore." (*San Jose Mercury News* 16 Apr 2002; NewsScan Daily, 17 April 2002) http://www.siliconvalley.com/mld/siliconvalley/3077722.htm
I had reason to question the denial of a claim on our dental insurance. I called the appropriate 800 number and ended up choosing the menu item for their "automated services." The first thing they asked for was my subscriber identification number, which the voice then said "is usually your social security number." I punched it in. The voice repeated it back to me — and then went on to spell out my name (yes, they had it correct; OK, no middle initials, but first and last name were fine) *and* give my birthdate. Need I say more?
I run an e-mail discussion list for postgrad students at University of New South Wales. At the beginning of 2001 UNSW moved to an on-line re-enrollment system. Besides the obligatory teething problems, the designers seemed to have forgotten that not all students were undergrads. Much of the information on the site, while good for undergrads, was quite misleading and confusing for the rest of us, leading to a good deal of frustration and venting on the list. (And at the end of the day, we *still* had to queue up to get our student cards, like always...) One day after the last day of March, somebody <cough> 'forwarded' a message from a Mrs. Avril Fuller, announcing that all enrollment data had been lost in a server crash and that students would have to line up to re-re-enroll. Also, that they'd have to bring proof that they'd paid their fees first time around. Also, that their student numbers had been lost in the crash, and they'd be given new ones strictly by alphabetical order. (Note that the student number is printed on the cards everybody still had from when they re-enrolled.) Also, that because our e-mail accounts are based on student numbers, we would have to change addresses immediately. In the previous weeks I'd been working hard to educate list members on 'how to spot a hoax', since I was tired of seeing supposedly-educated people sharing yet another variation of the Good Times warning every couple of weeks. I made sure Mrs. Fuller's message covered some of the biggies, like lack of date or any contact details for 'Mrs Fuller' beyond a non-existent e-mail address. And just in case anybody *still* didn't realise it was a joke, I also added that UNSW would be imposing a $5 additional charge on each student to cover the costs of the extra work for their staff. *Most* of the list members got the joke, either immediately or (in one case) just before leaping from the top of the refrigerator to an untimely death.
One, however, was completely taken in, and became very angry at University management. When he realised it was a joke, he became even angrier at having demonstrated his gullibility in front of five hundred people, and directed that anger at me. Within a few weeks his behaviour forced me to eject him from the list, by which time he'd progressed to making quite serious threats against my person. The (April Fool-specific) risks: Forgetting that there will ALWAYS be somebody who doesn't get the joke, no matter how obvious you make it - and that human failure modes are just as bizarre and dangerous as technological ones. Geoffrey Brent - email@example.com
I usually pay my Citibank Visa bill via the Web, having the balance debited from my checking account. I tried to pay the bill the other morning, but this resulted in "We've had a problem processing your request. A general system error has occurred. Try your request again and let us know if this problem continues." A repeated attempt resulted in the same message. So, I called them on the phone to inquire about the problem. The person who answered the phone said hello from Citibank but did not ask for my account number (as is usual). So, I said "Good morning. May I provide you with my account number?" He said "No, our systems are down for maintenance. They should be up in a couple of hours." Ah, I said, that is why I cannot pay by the Web. Right, he said. Unfortunately, over the next few days, I still could not pay via the Web. So, I called to pay by phone. The Citibank employee said they were having problems with their Web system. I said I would like to pay by phone. No problem said she. She asked for the last four digits of my checking account. Then she asked for a check number. After an immediate internal chuckle, I said "I'm paying by phone. Why do you need a check number?" She said "We have to have a check number. You need to void that check number." I suspect that if I told her I was ROTFLMAO she would not chuckle at that, either. Anyway, I said "But there is no check! How can I give you a check number?" "We need a check number" was the best answer I got. So I said "I have a big problem with this. I do not want to pay my account balance by phone today. Thanks". In retrospect, I should have given them a check number like "83750595828437693093". Or maybe a negative number. Or one with alphanumeric characters (imagine the fun I could have had with that one ..."AMEXNo1"). The RISKS? Seems to me like I should be informed when there is a lengthy outage in the Web interface, instead of receiving a general error message.
When I did contact them, the employee concurred with my assumption that the source of my problem was due to system maintenance. Apparently, he did not know about the extended Web problem. Having employees ask for a fictitious check number seems to be a poor procedure or suggests a lack of training. However, it was good for a chuckle. This time.
A group of Chicago Web site operators say they will break into school, government and corporate computers and alter records, for fees starting at $850. But at least one security expert thinks the operation probably is a scam. Among the services promised by Chicago-based 69 Hacking Services is changing bad grades and other records on elementary, high school or college computer systems. [Source: Brian McWilliams, Newsbytes, http://www.newsbytes.com/news/02/]
Somebody recently pointed me to CASPR, the Commonly Accepted Security Practices and Recommendations group (www.caspr.org), loosely associated with ISC2 (www.isc2.org). They are looking for group leaders to lead groups in order to prepare papers on a variety (about 70) of security topics roughly grouped under the ten CBK domains. I have created a Yahoo group for the Anti-virus Management and Protection topic, notified the CASPR people, and have apparently been accepted as the group leader. I have used the name malware in order to be somewhat more inclusive in the discussion. (I note that in CASPR viruses come under Computer Operations, whereas they appear in Applications Development in the ISC2 domains.) The group name is CASPRmalware. To join, send e-mail to: CASPRmalwarefirstname.lastname@example.org or see the group home page: http://groups.yahoo.com/group/CASPRmalware The group e-mail address is: CASPRmalware@yahoogroups.com This group is for discussion and preparation of the CASPR (http://www.caspr.org, Commonly Accepted Security Practices and Recommendations) Anti-virus Management and Protection document. Currently membership is open and the discussion is unmoderated. I reserve the right to change that if circumstances warrant :-) If any of you are interested, I would be delighted to have you join. email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade [What might be a precursor effort that grew out of the National Research Council *Computers at Risk* study report led to The Generally Accepted Systems Security Principles: http://web.mit.edu/security/www/gassp1.html PGN]
This item: 6. The oil, water temperature, and alternator warning lights would all be replaced by a single "General Protection Fault" warning light. is a much simplified version of an older, sarcastic comment on the "ed" editor's single warning message: Brian Kernighan has an automobile which he helped design. Unlike most automobiles, it has neither speedometer, nor gas gauge, nor any of the numerous idiot lights which plague the modern driver. Rather, if the driver makes any mistake, a giant "?" lights up in the center of the dashboard. "The experienced driver", he says, "will usually know what's wrong." Sorry, I've lost the identity of the author, though it was already in some "fortune" files in 1983. The worst consequence of this warning message was when a user tried to quit without saving. "ed" would respond "?", and most users would think, I said "q", and repeat the command, losing all their work. To make matters worse, the system console was often a printing terminal, so someone trying to repair a system in single user mode was faced with a line-mode editor which they didn't know well, and which wouldn't give them useful warnings. Walter Underwood, email@example.com, Senior Staff Engineer, Inktomi http://www.inktomi.com/
BKCMCRIN.RVW 20020315 "Handbook of Computer Crime Investigation", Eoghan Casey, 2002, 0-12-163103-6 %E Eoghan Casey %C 525 B Street, Suite 1900, San Diego, CA 92101-4495 %D 2002 %G 0-12-163103-6 %I Academic Press/Academic Press Professional/Harcourt Brace %O U$39.95 800-321-5068 fax: 619-699-6380 firstname.lastname@example.org %P 448 p. %T "Handbook of Computer Crime Investigation" This book is hard to read. Not because of excessive technical rigour or depth: quite the opposite. The work lacks focus and direction, and appears to be a compilation of components without an assembly diagram. It's the type of material that might result from the "war stories" told around a security seminar, after the core curriculum had been taken away. Chapter one is entitled "Introduction," but, other than a statement that the book is supposed to be a resource for forensic examiners who may have to deal with computerized systems, there is almost no declaration of what the volume is about. The remaining material in the chapter, while it does have an obvious relation to the act of obtaining evidence from computers, does not have any clear structure. The points asserted are good advice, but appear to be relatively random thoughts. The text is neither readable nor lucid: in places it seems more like a parody of obfuscated academic papers. Chapter two is somewhat more understandable, offering an outline on how to prepare documentation for discovery. Unfortunately, while it does deal with some technical issues (original media is better than a bit-wise copy, which is better than a copy of a file), the material concentrates on lawyerly debates about what might be needed, and, after a great deal of verbiage, boils down to the recommendation to produce all possible documentation, but not too much. (Where the material does get technical it frequently goes too far, starting to deal with specific pieces of software, rather than concepts.) Part one looks at tools in forensic computing. 
Unfortunately, to a greater or lesser extent, the four chapters each deal only with a single tool or vendor; EnCase, Cisco's NetFlow logs, Network Flight Recorder, and NTI. Part two is entitled technology: it looks at operating systems, networks, and other system types. Chapter seven provides some details of the FAT (File Allocation Table) and NTFS (NT File System) structures, as well as print spool files. A miscellaneous collection of information about UNIX files is given in chapter eight. A similarly unstructured compilation is listed in chapter nine, which reviews network data. Wireless network analysis, in chapter ten, concentrates on cellular telephone systems, and really only throws out generic information about such setups. Chapter eleven's overview of embedded systems varies between a similar generality and unhelpful photographs of breadboarded circuits. Part three provides three case studies. While interesting (parts of the third are especially amusing), they really don't provide much in the way of assistance to anyone having to perform investigations. The authors and contributors seem to be much more involved in the law, and law enforcement, than in the technology of computer forensics. The book has no framework or structure within which to place the many details. Therefore, the material simply blends into a haze of trivia, rather than providing the promised handbook. For those seriously working in the field there are many helpful points of information, but organizing them is left as an exercise to the reader. copyright Robert M. Slade, 2002 BKCMCRIN.RVW 20020315 email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Conference on Cyber Security and Disclosure May 9 at Stanford University http://www.seeuthere.com/rsvp/invitation/invitation.asp?CC=4%2F22%2F200209%3A25&id=/951771153071 Stanford Law School Center for Internet & Society presents a conference exploring the relationship between computer security, and disclosure of information about security vulnerabilities. One view is that vulnerability information should be kept secret and out of the hands of potential criminals and foreign agents. Another view is that network administrators require distributed research and public disclosure of vulnerability information to enable them to secure their own systems. Panelists will discuss vulnerability disclosure and the trade-offs between security, government and corporate interests, and the public's right to know. Computer security researchers and practitioners, computer science academics and professionals, hackers, policy formulators, and private and governmental organizations concerned with securing private and public computer infrastructures are invited to attend the conference. This program is cosponsored by the Stanford Program in Law, Science & Technology and the Information Technology Association of America (ITAA).
2002 International Conference of Dependable Systems and Networks: DSN 2002 Hyatt Regency, Bethesda, MD, 23-26 June 2002 The advance program, registration and accommodation information are now available at www.dsn.org. The early registration deadline is May 24, 2002. This year's keynote speaker is the Honorable Richard Russell, Associate Director (Designate), White House Office of Science and Technology Policy (OSTP).
23rd SUMMER COURSE TRENTO - ITALY 3-13 AUGUST, 2002: CYBERWAR, NETWAR AND THE REVOLUTION IN MILITARY AFFAIRS: REAL THREATS AND VIRTUAL MYTHS ISODARCO: INTERNATIONAL SCHOOL ON DISARMAMENT AND RESEARCH ON CONFLICTS Founded in 1966 (http://www.isodarco.it) Sponsors: UNIVERSITY OF ROME "TOR VERGATA"; UNIVERSITY OF TRENTO; ISTI - C.N.R., OPERA CAMPANA DEI CADUTI - Rovereto; FORUM TRENTINO PER LA PACE - Autonomous Province of Trento; U.S.P.I.D. - Section of Trento; Italian Pugwash Group ISODARCO has been organizing residential courses on global security since 1966. The courses are intended for people already having a professional interest in the problems of disarmament and conflicts, or for those who would like to play a more active and technically competent role in this field. The courses have an interdisciplinary nature, and their subject matters extend from the technical and scientific side of the problems to their sociological and political implications. Cyberwar, Netwar and the Revolution in Military Affairs have given rise to a lively discussion in political and military circles in the last few years. Issues of major importance are: the relation between computers and regional defense; the threat of "cyberterrorism" as well as "cyberwar"; emerging forms of network organization and how information technology supports them; the impact of information technology developments in military doctrine and organization of military forces. Of comparable importance is the issue of the possible implications on civil society and civil liberties possibly brought about by counter-measures to cyberwar and netwar. [If you are interested, first read the full information at www.isodarco.it This looks like a very interesting event. PGN] Applications should arrive not later than June 3, 2002 and should be addressed to the Director of the School: Prof. 
CARLO SCHAERF, Department of Physics University of Rome "Tor Vergata" Via della Ricerca Scientifica 1, I-00133 Rome, Italy Tel.: (+39) 06 72594560/1 — Fax: (+39) 06 2040309 E-mail: email@example.com The Course will be held at Istituto Salesiano "Maria Ausiliatrice", Via Barbacovi 22, 38100 Trento, Italy. Tel. (+39) 0461 981265 and Fax (+39) 0461 981972. Directors of the Course: GARY CHAPMAN and DIEGO LATELLA Dott. Diego Latella, Consiglio Nazionale delle Ricerche Area della Ricerca di Pisa - ISTI Via G. Moruzzi, 1 - I56124 Pisa, ITALY phone: +39 0503152982 or +39 348 8283101 fax: +39 0503138091 or +39 0503138092 e-mail: Diego.Latella@cnuce.cnr.it http://www.cnuce.pi.cnr.it/people/D.Latella