[from Tim Finin, Prof Computer Science & Electrical Eng, Director Inst. for Global Electronic Commerce, U Maryland Baltimore County, 1000 Hilltop, Baltimore MD 21250 email@example.com 410-455-3522 http://umbc.edu/~finin/ Dave's IP archives at: http://www.interesting-people.org/archives/interesting-people/] Now showing on satellite TV: secret American spy photos; Security lapse allows viewers to see sensitive operations Duncan Campbell, Thursday June 13, 2002, *The Guardian* European satellite TV viewers can watch live broadcasts of peacekeeping and anti-terrorist operations being conducted by US spyplanes over the Balkans. Normally secret video links from the American spies-in-the-sky have a serious security problem - a problem that makes it easier for terrorists to tune in to live video of US intelligence activity than to get Disney cartoons or new-release movies. For more than six months live pictures from manned spy aircraft and drones have been broadcast through a satellite over Brazil. The satellite, Telstar 11, is a commercial TV relay. The US spyplane broadcasts are not encrypted, meaning that anyone in the region with a normal satellite TV receiver can watch surveillance operations as they happen. The satellite feeds have also been connected to the Internet, potentially allowing the missions to be watched from around the globe. http://www.guardian.co.uk/international/story/0,3604,736462,00.html
According to a U.S. Army report, a software problem contributed to the deaths of two soldiers in a training accident at Fort Drum. They were firing artillery shells, and were relying on the output of the Advanced Field Artillery Tactical Data System. But if you forget to enter the target's altitude, the system assumes a default of 0. (A Web site I found indicates that (part of) Ft. Drum is at 679 feet above sea level.) The report goes on to warn that soldiers should not depend exclusively on this one system, and should use other computers or manual calculations. Other factors in the incident include the state of training of some of the personnel doing the firing. [Source: AP] Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com ("Firewalls" book)
Air control safety complaints soar By Paul Marston Transport Correspondent *Daily Telegraph* (Britain), 14 Jun 2002 [PGN-ed] The number of formal complaints of over-work from air-traffic controllers has more than doubled since the Swanwick national control centre opened in January 2002. National Air Traffic Services (NATS) said staff had filed 30 "overload" reports in the last five months, compared with 12 during the same period in 2001. [Computer-related problems related to Swanwick and UK ATC are noted in RISKS-22.02,03,09,12.] Planning staff at Swanwick have also complained about the legibility of some flight levels and airport codes on their terminal displays.
At least a couple of times a week, mechanic Ernie Pride tells customers at his independent repair shop he can't fix their cars because he doesn't know what's wrong with them. Go to the dealer, he advises. He has the experience and knowledge to service vehicles but lacks the closely guarded information needed to diagnose problems with today's high-tech cars. Automakers refuse to make much of it available to independent shops that compete with higher-priced dealerships. The practice is raising hackles in Congress and a vigorous defense by the industry. ... [AP, June 24, 2002] http://www.cnn.com/2002/TECH/ptech/06/24/diagnosing.cars.ap/
The Enron/Anderson debacle is fading as news, but it has some reverberations for those of us in the info tech fields. Anderson is not alone in engaging in questionable audit practices. Others of the "Big 5" are under scrutiny, in at least two cases involving, ironically, high tech companies. For the past decade or more, there have been pressures to reduce regulatory oversight, and we are now seeing the results. So, what is the relation to IT? Well, these are the same firms who hold the major contracts for auditing information security and assurance. (In relation to the subject line: yes, "ISACA," I know.) firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Gina Kolata, *The New York Times*, 16 Jun 2002 Across the nation, hospitals and doctors' offices are returning blood pressure cuffs to their manufacturers to comply with a federal environmental initiative to cut down on the use of mercury, a toxic metal that can pollute the air and water when disposed of improperly. But leading medical experts, joined by the American Heart Association and the National Heart, Lung and Blood Institute, say the mercury gauges are being replaced by newer devices that may be unreliable, and they warn that inaccuracies may be leading to false diagnoses and inappropriate treatments. [...] http://www.nytimes.com/2002/06/16/health/16BLOO.html
You've heard of Trustworthy Computing, and the massive corporate remodeling going on at Microsoft where every developer, product manager, and executive assistant has been asked to rethink everything they do in the context of security. Well, that's just the tip of the iceberg. Secretly, the company has been working on a plan to rearchitect the PC from the ground up, to address the security, privacy, and intellectual property theft issues that dog the industry today. Inexplicably, the company pulled an Apple and chose to detail its plans solely to Newsweek, so we only have that one report to work from. But if Newsweek's take on the plan is correct, and consumers and businesses buy into the new devices that would result, the PC landscape will soon change forever. [...] http://www.ntsecurity.net/Articles/Print.cfm?ArticleID=25681
Since I installed MS Messenger 4.6 (4.6.0082) on my machine, my firewall is going wild: In addition to numerous Microsoft sites, Messenger is contacting the following sites each time I log in: expedia.com, xp.mcafee.com, carpoint.msn.com and port-64-1956779-zzt0prespect.devices.datareturn.net. No way to know what information MS Messenger is transmitting to these sites, I did not find any meaningful information on it on the Microsoft website...
Microsoft accidentally sent the virulent Nimda worm to South Korean developers when it distributed Korean-language versions of Visual Studio .Net that carried the virus, the company acknowledged Friday. http://news.com.com/2100-1001-935994.html
>From a 2002/05/13 article by Caron Carlson in eweek.com: http://www.eweek.com/article/0,3658,s%253D701%2526a%253D26875,00.asp "A senior Microsoft Corp. executive [Jim Allchin] told a federal court last week that sharing information with competitors could damage national security and even threaten the U.S. war effort in Afghanistan. He later acknowledged that some Microsoft code was so flawed it could not be safely disclosed." and later, directly quoting Allchin... "Computers, including many running Windows operating systems, are used throughout the United States Department of Defense and by the armed forces of the United States in Afghanistan and elsewhere." Microsoft proposes to withhold details of the MSMQ protocol (TCP port 1801 and UDP port 3527), the Windows File Protection API, as well as APIs for anti-piracy protection and digital rights management under the security carve-out. I recall that the Windows NT family of operating systems was designed to meet DOD's C2 security criteria, including the Orange Book (standalone, which they passed), as well as Red Book (networking) and Blue Book (subsystems) criteria which they started working on at least 4 years ago; I don't know if they've yet passed, but I suspect not if it's so flawed that they don't want to disclose the protocol or API! See http://msdn.microsoft.com/library/default.asp? url=/library/en- us/dnproasp2/html/windowsntsecuritysystems.asp So, one risk of flawed software might be that you have to publicly invoke national security (read patriotism) as a last refuge from legal process. --Brien Webb http://www.LA.com/
According to CNN's website today http://www.cnn.com/2002/TECH/internet/06/26/identity.theft.ap/index.html a nongovernmental organization called CardCops is providing a service in which consumers can check to see if their credit cards have been abused in some way. The check is done by visiting the website and entering your credit card number. The RISKS here are bad enough to be humorous. Although CardCops themselves appear to be a legitimate organization (at least at time of press) , and do not themselves ask for the expiration date required to complete a transaction, there's no protection against copycat websites whose intent is entirely evil, or telephone scams based on the CardCops publicity. The quality of the data is another obvious minefield. [And as of today, their site is also down due to high volume.] Conrad Heiney firstname.lastname@example.org http://fringehead.org
I was checking the sendmail queue today when I noticed a message with a certain 4-letter word as part of the queue id that ends in "uck". I checked the sendmail logs further and there was another 4 letter word as part of another queue id that also ends in "uck" and another that ends in "ock" with a certain letter before it. I wonder how many people pay attention to queue IDs and would raise an eyebrow on those. I also wonder if any of the filtering software out there might filter out legit mail messages just because certain random 4 letter words were contained in the queue-id that are inserted into the mail headers as they pass through each system.
McAfee Security is reporting that a new virus called "Perrun" is the first ever to infect picture files, which, along with other data files, have long been considered safe from such threats. Researchers at McAfee received the virus from its creator and say it's what's called a proof-of-concept virus and does not cause any damage. Up until now, viruses infected and were spread through program files; data files might be deleted or damaged, but Perrun is the first to infect them by inserting portions of the virus code into the picture file. When a .JPG picture is viewed, the virus installs a file on the victim's hard drive that can infect other pictures. Because the original picture looks fine, the victim won't know that anything's amiss. [AP, 13 Jun 2002; NewsScan Daily, 14 June 2002] http://apnews.excite.com/article/20020613/D7K4F4EG1.html
After the password for accessing a Norwegian history museum's database catalog for 11,000 books and manuscripts had been lost when the database's steward died, the museum established a competition to recover it. Joachim Eriksson, a Swedish game company programmer, won the race to discover the password (ladepujd, the reverse of the name of the researcher who had created the database). How he arrived at it was not disclosed. [Source: Long-lost password discovered: Norwegian history database cracked with help from the Web, By Robert Lemos, MSNBC, 11 Jun 2002; PGN-ed] Lillie Coney, Public Policy Coordinator, U.S. Association for Computing Machinery Suite 510 2120 L Street, NW Washington, D.C. 20037 1-202-478-6124
As handheld computers become increasingly competitive with Texas Instrument (TI) calculators for mathematical graphing, TI has been busy adding features such as address books, organizers, and a large variety of spreadsheet programs. The main advantage of handhelds, of course, is that they are general-purpose devices. Nelson Heller, who publishes the Heller Report newsletter on education technology, says that both calculators and handheld computers are getting better but adds: "The question I see is whether a specialized appliance like the graphing calculator will in the long run lose out to a more generalized appliance like a PDA." Calculators, however, still have two advantages: lower cost (about half of a PDA's cost) and acceptability in testing situations, in that students are permitted to use calculators but not handheld computers when taking the Scholastic Aptitude Test. The reason? Fear that some students might use the infrared messaging capability of handhelds to cheat on the test. (AP/*San Jose Mercury-News*, 12 Jun 2002; NewsScan Daily, 12 June 2002) http://www.siliconvalley.com/mld/siliconvalley/3453135.htm [And exam proctors will be able to determine that the so-called "calculator" is not surreptitiously a general-purpose device? PGN]
The Bank of England asked banks Monday to stop issuing its new anti-counterfeit 5-pound notes after discovering that serial numbers on the currency could be rubbed off. [AP, 27 May 2002] http://news.lycos.com/news/story.asp?section=World&storyId=423067
About the same time PGN posted to the list about RISKS SPAM, I got a call from someone who was going through corporate-education on e-mail addresses. She had been given a test, and she had to identify which e-mail addresses were valid. She was told that half of them were invalid. The purpose of the test was to train employees to be able to properly harvest the e-mail addresses of their elderly customers. As far as I can tell, all of them were valid. The very next day, I made myself a new e-mail address, "@ @"@nmt.edu. I like this address, it has been a lot of fun so far. No customer-relations software seems able to accept that this is a valid e-mail address. People seem pretty trusting, and are willing to try and (and are surprised when it works). The risk is that the customer-relations programmers are living in a world of [a-z0-9_] for mailbox names, while the standard has long allowed for virtually any character (including NULL). More and more services are unavailable if you "don't have an e-mail address", and usually even the web form to submit a bug won't process because it wants your e-mail address, so they never even know. Even if I wasn't taunting them with "@ @", I'd be giving out my address with a "+" and then the name of their company to help me sort out where my SPAM is really coming from. Few pieces of software will allow even the harmless little "+" character in an address.
[In attempting to confirm a subscription request, Ethan's mail system responded to RISKS and not to majordomo. This seems to happen from other e-mail systems as well. PGN] Eudora's recent MacOS X version is broken and ignores reply-to headers; older versions didn't used to do that.
In RISKS-22.12, Peter Ladkin mentions NERC's use of a token ring as if this were obviously a bad thing. If I remember correctly, a token ring has better behaviour at high load (as compared to ethernet), because it implements a round-robin allocation and thus does not waste capacity in collisions. Indeed a precursor (the Cambridge ring) had the endearing characteristic that high loads made the PLL clock drift fast, upping the capacity by a few percent. The risk is in assuming the dominant technology is best for all situations. URL: http://www.westpoint.ltd.uk/ - Internet recon.
Thank you, Geoffrey, for you've given me a hook on which to hang one of my *favorite* rants. "navydallas.com" (the proper spelling, for the DNS is case-insensitive by design) is *not* a "trusted domain", in any remote sense of the word. Nor is "myflorida.com" (an alias for www.state.fl.us, which apparently is too complicated for people) or "largo.com". I have a *real* dislike for municipal and government web teams who have *so* little faith in their audience's mentalities that they feel they have to spurn the TLDs in which they *would* be protected — and could be trusted (the ".gov" and ".us" domains which have — or perhaps in the latter case "had" — restrictions on registration) — for ".com", just because "that's the only thing people understand". <sigh> At least it turned around and bit Largo Florida in the ass about a year ago when their mail server melted down under the load of 60K+ *bounce* and complaint messages when someone used "largo.com" as a forged return address on some spam. I've seriously thought about registering "yourflorida.com" and putting up a website that looks very much like myflorida.com, but is parody (when you look closely enough), and which explains exactly why I think they are doing wrong... but while that wouldn't even *be* civil disobedience, much less copyright infringement (based on the Skyywalker Music case), the fact that no less a legal luminary than Lawrence Lessig thinks that civil disobedience is no longer a useful approach http://www.reason.com/0206/fe.jw.cyberspaces.shtml scares me to death. Jay R. Ashworth, Baylink, Member of the Technical Staff, The Suncoast Freenet Tampa Bay, Florida +1 727 647 1274 http://baylink.pitas.com email@example.com
> I also realized that the alarm would likely sound as I exited at the other > end of the store. Which also points out a whole series of other problems. I worked with corporate security for a large supermarket chain in So. Calif. several years ago. I don't think the law has significantly changed, but at the time, you, as an individual, could not stop someone for a misdemeanor (like shoplifting) unless you saw them take the item and followed them until they exited. If you did, it was quite possible for you to be charged with unlawful detention getting both yourself and the company in big trouble. Having an alarm go off as you walk through it was not a good enough reason to stop someone. Only a sworn peace officer could stop someone in those circumstances. For this reason and the safety of the employees, they were required to know the store policy and follow it. If they suspected someone of shoplifting they were to call someone in management and let them deal with it. Under no circumstances were they to take any action on their own. Bottom line: Those alarm units are often more a psychological barrier than a legal one.
BKDEVTRS.RVW 20020514 "Developing Trust", Matt Curtin, 2002, 1-893115-72-0, U$39.95 %A Matt Curtin firstname.lastname@example.org %C 175 Fifth Ave., New York, NY 10010 %D 2002 %G 1-893115-72-0 %I Springer-Verlag/Apress %O U$39.95 212-460-1500 800-777-4643 email@example.com %P 282 p. %T "Developing Trust: Online Privacy and Security" The title, foreword, preface, and introduction aren't terribly clear about the purpose of the book. Ultimately, the key word seems to be not trust, but privacy: the work appears to be directed at providing tips for developers, of all stripes, to help maintain the confidentiality of information. Part one is a generic introduction to security and privacy. Chapter one, entitled "Why Privacy," seems, ironically, to move us even further away from the topic of privacy. The emphasis of the chapter is on intrusions, although the reconnaissance phase does get the most space. (The subtitle, "Why This Book," does not appear to be addressed.) The discussion of privacy theory, in chapter two, flips back and forth between the technical issues of identity authentication and access control, and the social concepts of privacy, failing to make hard relations between the two ideas. A partial list of basic conceptual security terms are reasonably well defined in chapter three. Chapter four does start to get into privacy issues, specifying a number of notions important to protecting confidentiality in an online (generally Web based) environment. A number (but not an exhaustive list) of threats to privacy are discussed in chapter five. Part two looks at the problem. Chapter six provides a concise list of the basic principles of development of secure applications. (Interestingly, Curtin uses the principle of least common mechanism as an argument for the adoption of modular code, where others might say that it was a reason to avoid modularity.) Background concepts for the Internet and Web, the basic development environment assumed for the book, are given in chapter seven. Some specific examples of privacy problems on the Web are presented in chapter eight. Part three outlines the cure. Chapter nine reviews some basic security protections, such as firewalls and constrained systems. Opt out systems are criticized in chapter ten. "Earning Trust," in chapter eleven, points out that providing privacy for customers is not just a cost and a nuisance, but good business. A structure for analyzing and designing secure Web systems is proposed in chapter twelve. Strangely, while the book is disjointed and difficult to pin down as to the central theme, ultimately it could be quite valuable. In the end, the title is appropriate, albeit in a punning fashion: the content is directed at developing trustworthy applications. The literature in the field of developing secure applications is not extensive, and much of it is either ethereally academic or completely language specific. This book attempts to be practical, and, while hardly ever touching on implementation, the precepts suggested are a sound foundation. Security professionals would find the general background limited, but developers will neither be snowed under by esoteric discussions nor left with too many vulnerabilities uncovered. The specifics in the book deal with the Web, but the tenets of secure design are applicable to all systems. copyright Robert M. Slade, 2002 BKDEVTRS.RVW 20020514 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer