The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 29

Wednesday 9 October 2002

Contents

Police close fake online bank
    Dave Stringer-Calvert
Risks of automatic Windows updates, and HIPAA legality
    Allan Engelhardt
Weak encryption kills wolves
    Urban Fredriksson
Microsoft says 1% of bugs cause half of all software errors
    Henry Baker
BugBear steals lead from klez in virus prevalence
    Security Wire Digest
No-fly blacklist snares political activists
    Tim Meehan
Phone system could have your number
    Mark White via Dave Farber
Prediction: e-mail will become double-trouble in 3 years
    NewsScan
Gender: Unknown -- the risks of perception
    Chris Leeson
Re: Too fast fingers, or bad shortcut design?
    Greg Searle
Re: Address change blocked by online entry validation
    Chris Smith
Re: Butterfly ballots and other election stuff
    David Olsen
    Leonard Erickson
REVIEW: "Information Security Management", Gurpreet Dhillon
    Rob Slade
2003 IEEE Symposium on Security and Privacy, Call for Papers
    Steve Bellovin
Info on RISKS (comp.risks)

Police close fake online bank

<Dave Stringer-Calvert <dave_sc@csl.sri.com>>
Tue, 08 Oct 2002 19:32:13 -0700

British police on Tuesday said they uncovered a fake Internet bank used to
con at least two people out of nearly $100,000. The National Criminal
Intelligence Service (NCIS) said the Web site had been set up using a domain
name very similar to that of "a major British bank" and appeared almost
identical. "It looks very professional," said a spokesman, declining to name
the bank involved because the investigation is still ongoing. "There's also
a reputation issue to think of and the issue of trust online."

http://zdnet.com.com/2110-1106-959644.html
http://news.bbc.co.uk/2/hi/technology/2308887.stm


Risks of automatic Windows updates, and HIPAA legality

<Allan Engelhardt <allane@cybaea.com>>
Mon, 07 Oct 2002 19:55:09 +0100

A recent article in InfoWorld discusses Microsoft Windows Service Packs in the
context of health care providers.
  http://www.infoworld.com/articles/op/xml/02/09/16/020916opwinman.xml

Apparently, the latest Service Packs for the popular Microsoft Windows 2000
and XP operating systems contain new licence language that allows Microsoft
to install new updates on your machine at will and without notifying you.

The RISKS of having your computer systems changing on their own accord
should be obvious.  As the article points out, this "upsets many companies
whose PCs can't be allowed to morph at will".  Indeed.

The article quotes a systems manager at a teaching hospital:

  "Our procedures sometimes involve surgery to place over 100 recording
  electrodes in the patient, sometimes on the surface of the brain.  These
  PC-based systems use Microsoft Windows..."

Having a Windows application controlling the voltage to 100 pins surgically
embedded in your brain is scary enough, but what happens if it updates to
the latest Service Pack and that causes the systems to fail?  While the pins
are in your brain...

The article makes the further point that, from 14 Apr 2003, it may be
illegal under the Health Insurance Portability and Accountability Act
(HIPAA) to install Windows Service Packs.  In a strange twist, it may also
be illegal _not_ to install the Service Packs...

See http://www.hipaadvisory.com/regs/HIPAAprimer1.html for more information
on the HIPAA.

The article concludes:

  "It's not just hospitals but every user of Windows who should be
  wondering.  You'd think Microsoft would understand that customers don't
  want their mission-critical systems changing in the dead of night. This
  isn't brain surgery."

Allan Engelhardt  http://cybaea.com/


Weak encryption kills wolves

<Urban Fredriksson <griffon@canit.se>>
Mon, 07 Oct 2002 18:02:51 +0200

Well, of course it's really hunters who do it, but there are strong
indications they've been helped by weak encryption. In 1998 40 Swedish
wolves, out of about 100, were fitted with transponders in order to track
their movements to learn more about how wolves reestablish a presence. Of
them, 20 are still alive, 11 have been found dead with working transponders,
one has been found dead as a result of illegal hunting without transponder
and eight (four this summer) have disappeared. That that many transponders
have failed is considered very unlikely. Current plans are to quickly
replace the transponders with something "not everyone can triangulate". It's
not clear from the article in Dagens Nyheter what sort of encryption is used
now, but it's clear from the context transmissions have to be coded and that
one was aware from the beginning wolf-haters would like to take advantage of
the tracking equipment.


Microsoft says 1% of bugs cause half of all software errors

<Henry Baker <hbaker1@pipeline.com>>
Thu, 03 Oct 2002 12:05:00 -0700

I was shocked, shocked, to hear this stunning statistic!
I was also shocked, shocked, to hear that pi was irrational, that
the world was round, and that the Beatles had split up.

Microsoft says 1 percent of bugs cause half of all software errors
Reuters, 2 Oct 2002

One percent of the bugs in Microsoft Corp.'s software cause half of all
reported errors with 20 percent of bugs responsible for 80 percent of the
mistakes, Chief Executive Steve Ballmer said on 2 Oct 2002.  Microsoft has
been criticised for unstable and unwieldy software -- which runs on more
than 90 percent of personal computers.  "Let's acknowledge a sad truth about
software: any code of significant scope and power will have bugs in it,"
Ballmer told customers in a memo similar to one by Chairman Bill Gates this
year renewing Microsoft's commitment to trustworthy computing.

But Ballmer said Microsoft was arming itself with better information to help
develop its software, by building error reporting features into its
products.  Engineers use the reports, sent in a short burst over the
Internet, to track software bugs and provide a fix, he said.  "We've been
amazed by the patterns revealed in the error reports that customers are
sending us.  About 20 percent of the bugs cause 80 percent of all errors,
and -- this is stunning to me -- one percent of bugs cause half of all
errors."

While reassuring users the information was used for no other purpose than to
fix bugs, Ballmer said such information was shared with other makers of
software and hardware to try to improve Microsoft's products.  He said
Microsoft would work to better the system.  "As we understand more errors,
we're adding an option for customers to go to a Web site where they can
learn more about and even fix the errors they report.  In the future we want
to enable customers to look up the history of their error reports and our
efforts to resolve them."

  http://biz.yahoo.com/rc/021002/tech_microsoft_ballmer_1.html


BugBear steals lead from klez in virus prevalence

<Security_Wire_Digest@bdcimail.com>
Thu, 03 Oct 2002 01:00:00 -0500

By Shawna McAlearney, SECURITY WIRE DIGEST, 4, 74, OCTOBER 3, 2002 [excerpt]

First found circulating in the wild last Sunday, the W32.BugBear worm has
raced to the top of virus prevalence lists, displacing Klez for the first
time since its discovery last April.

"BugBear is increasing steadily in volume and spreading like Klez, which
became the biggest virus ever," says Alex Shipp, senior antivirus
technologist at MessageLabs. "Each day, we're seeing more of BugBear all
around the world--at least 1,000 copies an hour. It could very well grow to
become as big a problem as Klez has been and has gotten firmly entrenched in
the home user population."

Similarities to Klez include the use of inconsistent body text, attachment
names and subject lines, as well as forged e-mail addresses.

BugBear exploits an unpatched Microsoft vulnerability. After infection, the
worm copies itself into the Windows system directory and start-up folder as
an executable file with a random three-letter name. It installs a Trojan
keystroke logger and attempts to disable antivirus and firewall
software. BugBear also attempts to infect other networked PCs via the
address book and network shares.

"BugBear is another example of a worm written with instructions to kill an
extremely long list of security apps," says Steven Sundermeier, product
manager at Central Command. "The idea of terminating various AV and personal
firewall applications is becoming increasingly popular among virus authors."

On the brighter side, Shipp says the BugBear worm could have been much
worse.

"We haven't found any remote control facilities yet, which makes the virus
less dangerous than it could be otherwise," Shipp says. "Our analysis isn't
complete yet so we can't say for certain that it doesn't have that
capability, but it appears unlikely."

Antivirus experts recommend updating AV signatures; blocking all Windows
programs at the e-mail gateway, if possible; and deploying updated
versions of Outlook, Explorer and Outlook Express.
  http://www.messagelabs.com/viruseye/report.asp?id=110
  http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

To SUBSCRIBE to Security Wire Digest, go to:
http://infosecuritymag.bellevue.com


No-fly blacklist snares political activists

<"Tim Meehan - OCSARC" <tim@ocsarc.org>>
Tue, 1 Oct 2002 12:40:42 -0400

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2002/09/27/MN181034.DTL

A federal "No Fly" list, intended to keep terrorists from boarding planes,
is snaring peace activists at San Francisco International and other U.S.
airports, triggering complaints that civil liberties are being trampled.
[...]  Critics question whether Sister Virgine Lawinger, a 74-year-old
Catholic nun, is the kind of "air pirate" lawmakers had in mind when they
passed the law.  Lawinger, one of the Wisconsin activists stopped at the
Milwaukee airport on April 19, said she didn't get upset when two sheriff's
deputies escorted her for questioning.  [Source: Alan Gathright, *San
Francisco Chronicle*, 27 Sep 2002]

Tim Meehan, Communications Director
Ontario Consumers for Safe Access to Recreational Cannabis  Web: ocsarc.org


Phone system could have your number (Mark White via Dave Farber's IP)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 8 Oct 2002 9:08:44 PDT

From: Mark White <tausyankee@optusnet.com.au>

Phone system could have your number
Kate Mackenzie, *The Australian*, 7 Oct 2002

A single telephone number doubling as an e-mail address could soon be
available in Australia despite fears the technology could become a de facto
identification number.  Under the ENUM system being analysed by the
Australian Communications Authority, one number could track down a person
via a home or mobile phone number, or an e-mail or website address.  The
technology has attracted controversy overseas because of privacy
implications of people being identified by a single number.

The ACA wants feedback on a discussion paper it has issued, saying privacy
is one of its concerns.  But ACA numbering manager Neil Whitehead said
potential benefits of the system could be enormous.  "People would only need
to remember one number to contact other people in a variety of devices," he
said.  Equipment manufacturers and Internet service providers were keen to
pursue the technology.

Telstra proposed a single-number service in 1997 and offered numbers
beginning with 0500 that could redirect to any number. Called Telepath, the
service, which cost $7 a month, failed to attract many subscribers.  ENUM
would have to be deployed across all telecommunications and Internet
providers to be effective.

IP Archives at: http://www.interesting-people.org/archives/interesting-people/


Prediction: e-mail will become double-trouble in 3 years

<"NewsScan" <newsscan@newsscan.com>>
Mon, 30 Sep 2002 08:36:11 -0700

IDC, the technology research firm, is predicting that within just three
years, the number of e-mail messages sent worldwide will increase from the
current level of 31 billion daily to more than 60 billion daily. Most of it
will be spam (unsolicited commercial messages), and if the problem of spam
is not dealt with by more effective message-filtering, the usefulness of
e-mail as an effective business and personal communications tool will be
endangered. IDC executive Mark Levitt says, "Like water flowing out of a
hose, e-mail has the potential to fill our inboxes and workdays,
overwhelming our abilities to navigate through the growing currents of
content." [VNUNet 30 Sep 2002; NewsScan Daily, 30 September 2002]
  http://www.vnunet.com/News/1135485


Gender: Unknown -- the risks of perception

<"LEESON, Chris" <CHRIS.LEESON@london.sema.slb.com>>
Wed, 2 Oct 2002 16:53:00 +0100

An interesting juxtaposition of "Design" and "User Perception".

I had to visit one of our local hospitals. I went to Reception and
identified myself to the receptionist. She asked if I had filled in the
Questionnaire (in effect, the Personal Details form) and I hadn't.

She brought out her copy of the form, which had been partially filled in by
the administrator who made the original appointment.

It started with the following information:

Name: Andrew Leeson   [Andrew being my first name]
Gender: Unknown

Our reactions to this little piece of data were quite different:

Her reaction was to mutter darkly about the administrator who could not tell
that "Andrew" was clearly "Male".

My reaction was that:

 (a) The database designer had understood that it was possible for the
     gender to be unknown (at least at the time the appointment was set up),
     and chosen suitable values for the field: male, female and (default)
     unknown.
 (b) In the absence of supplied information, the administrator had not
     assumed that any one name implied a specific gender.

So, the system was designed correctly, the administrator used it correctly,
but the receptionist interpreted it as "bad" because the result was not what
she thought of as reasonable.

The actual event - wrong gender data - is not much of a risk.  The
difference in perception could be.


Re: Too fast fingers, or bad shortcut design? (Huuskonen, R-22.28)

<Greg Searle>
Wed, 09 Oct 2002 12:14:35 -0400

Note also that the shortcut for inserting a "hard return" in a formatted
e-mail is Shift-Enter.  This is sometimes necessary for, say, creating a
multiple-line item in a bulleted list.  You can easily send your
partially-complete e-mail instead of inserting a hard return just by
accidentally misplacing one finger a little lower on the keyboard.

Send any responses to greg_searle(at)hotmail(dot)com.


Re: Address change blocked by online entry validation (White, R-22.28)

<"Chris Smith" <smith@canada.com>>
Wed, 9 Oct 2002 11:27:45 -0400 (EDT)

Hopefully those mailing databases are configured to catch transcription
errors for Canadian postal codes. In all of the above examples,
transcription errors would likely result in the erroneous code failing the
standard test of ANA NAN (letter-number-letter number-letter-number) that
covers all Canadian postal codes. Further reduction in undetected
transcription errors is achieved by disallowing certain letters: Q U O I D F
are not permitted in Canadian postal codes. I suspect that Q O D are just
too similar to sort out, U is too much like V, F confuses the issue with E,
and a plain I (straight vertical stroke) is easily confused with parts of
letters like T and L. Some of these may be driven by the requirement to
determine postal codes on mail by scanning and recognizing handwritten
codes.

It's important to know what RISK-reducing features are available - and then
take advantage of them. Better yet would be a snippet of javascript to check
the postal codes before the WWW address form is even submitted.
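
The check suggested in the message above, written out as an added example that is not part of the original post. It applies only the two rules the post states (the ANA NAN shape and the excluded letters Q U O I D F); the function name, the result fields and the element ids `address-form` and `postal-code` are assumptions made for illustration.

```javascript
// Added example: validates a Canadian postal code against the two rules
// given in the post (ANA NAN shape; letters D F I O Q U never appear).
const FORBIDDEN_LETTERS = "DFIOQU";

function checkPostalCode(input) {
  // Normalize: uppercase, strip whitespace and hyphens used as separators.
  const code = String(input).toUpperCase().replace(/[\s-]/g, "");
  if (code.length !== 6) {
    return { ok: false, reason: "length", position: null };
  }
  for (let i = 0; i < 6; i++) {
    const ch = code[i];
    const position = i + 1; // 1-based, for the error message
    if (i % 2 === 0) {
      // Positions 1, 3, 5 must be letters (the "A" in ANA NAN).
      if (!/^[A-Z]$/.test(ch)) {
        return { ok: false, reason: "expected-letter", position };
      }
      if (FORBIDDEN_LETTERS.includes(ch)) {
        return { ok: false, reason: "forbidden-letter", position };
      }
    } else if (!/^[0-9]$/.test(ch)) {
      // Positions 2, 4, 6 must be digits (the "N" in ANA NAN).
      return { ok: false, reason: "expected-digit", position };
    }
  }
  return { ok: true, normalized: code.slice(0, 3) + " " + code.slice(3) };
}

// Browser hookup (hypothetical element ids). The field's validity is
// recomputed on every edit, so the browser itself refuses to submit the
// form while the code is malformed.
if (typeof document !== "undefined") {
  const form = document.getElementById("address-form");
  const field = document.getElementById("postal-code");
  if (form && field) {
    const update = () => {
      const result = checkPostalCode(field.value);
      field.setCustomValidity(
        result.ok
          ? ""
          : "Postal code rejected: " + result.reason +
            (result.position ? " at character " + result.position : "")
      );
    };
    field.addEventListener("input", update);
    update(); // an untouched, empty field also blocks submission
  }
}
```

A check that runs in the browser can be skipped by anyone who posts to the form handler directly, so the same function belongs on the server side as well.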


Re: Butterfly ballots and other election stuff (Russell, RISKS-22.28)

<David Olsen <olsen@rational.com>>
Tue, 08 Oct 2002 16:50:57 -0700

The messages about elections in Britain and Germany where the ballots are
counted by hand seem to indicate (though it wasn't entirely clear) that each
ballot contains only one or two races.  I agree that in this case hand
counting is quite feasible.  But in the United States, that assumption does
not hold.

As a resident of Portland, Oregon, I get to vote for all of the following
elected positions: US president, US senator, US representative, state
governor, state senator, state representative, secretary of state, state
attorney general, state treasurer, state labor commissioner, state
superintendent of schools, state supreme court judges, state appeals court
judges, state circuit court judges, regional government commissioners,
county commissioners, county sheriff, city mayor, city council members,
school board members, and the water & soil conservation district directors.
Not all of these positions are up for election at the same time, but in the
general election in even numbered years a majority of them are.  In addition
to candidates, I also get to vote for or against any changes to the city
charter or state constitution, any property tax levies, any laws referred to
the voters by the state legislature (usually to avoid the governor's veto),
and any initiatives that citizens have put on the ballot by submitting
enough signatures.

In the November 2000 general election I had about 45 things to vote for on
my ballot.  When all the various cities, special districts, and state
legislature districts are factored in, the county elections board had a
total of 117 different races for which it had to count votes in that
election.

I am by no means an election expert, but here are my opinions anyway: It
seems to me that counting every one of those races by hand would be much
slower, more tedious, and more error prone than counting them by machine.  I
think the best way to cast and count votes is to have the voter fill in
ovals on a piece of paper, have an optical scanner read the ballots and
count the votes, and have any recounts done by hand.  That seems to provide
the best combination of ease and accuracy of voting, quick counting of
results, and verifiability of results when disputes arise.

David Olsen <olsen@rational.com>

  [The alternative that makes a single-issue piece of paper possible is that
  you vote for your delegated representative, and everything else follows
  therefrom.  You are describing the other extreme.  PGN]


Re: Butterfly ballots (Russell, RISKS-22.28)

<shadow@krypton.rain.com (Leonard Erickson)>
Tue, 8 Oct 2002 18:43:59 -0800

Well, as an example, here in Oregon, we can vote by *mail* in most
elections. But the votes cannot legally be counted until 8 pm on election
day. You can vote as late as that by dropping off the ballot at a collection
site!

That means *millions* of votes have to be counted in a few hours.

> Why keep paper ballots unless you have trained and experienced humans
> in place to count them?  And if you have that, why not just get the
> humans to count the papers in the first place?

Time. We can't *afford* that many people, nor do we have that many
trained volunteers available. So if it *does* come down to a manual
count, it'll require recruiting and training a *lot* of people.

> I'd have to check the Guinness Book of Records for this, but I think
> the record number of counts in a British General Election is
> something like 7, and it took about 20 hours from when the polls
> closed.  A far cry from Florida in 2000, where it wasn't possible to
> count every vote even once in several months.

Much of this was due to court fights. And the fact that the (poorly
designed) ballots were hard to make out the vote on. They had to stop the
count several times, and then restart it. Often with changes in the rules as
to what constituted a "valid" vote ("hanging chad", "dimpled chad", etc.).

Also, look up the population of Florida and compare it with the
population of Britain.

[More on multiple races and issues...]  My "ballot" for one election a while
back was both sides of *six* sheets of paper. With something like six
"columns" of things to vote on.

Our ballots are the type where you use a pencil to fill in an oval. The
technology for scanning those is something like 40 years old. It's
pretty mature and reliable.

And I'm told that any questionable ballots get kicked out to be looked
at by a human.

Even so, it only takes a few hours to run the ballots for a major
election in the Portland Metro area.

It's not perfect. But I think it's a pretty good compromise between
speed, usability and security.

Leonard Erickson (aka shadow{G})   shadow@krypton.rain.com

  [Further comment on long US ballots from Andrew Sapuntzakis.  PGN]


REVIEW: "Information Security Management", Gurpreet Dhillon

<Rob Slade <rslade@sprint.ca>>
Fri, 13 Sep 2002 12:48:08 -0800

BKINSCMN.RVW   20020628

"Information Security Management", Gurpreet Dhillon, 2001,
1-878289-78-0, U$69.95
%A   Gurpreet Dhillon
%C   1331 E. Chocolate Ave., Hershey PA   17033-1117
%D   2001
%G   1-878289-78-0
%I   Idea Group Publishing
%O   U$69.95 800-345-4332 fax: 717-533-8661 cust@idea-group.com
%P   184 p.
%T   "Information Security Management: Global Challenges in the New
      Millennium"

This is a collection of essays by different authors.  The preface,
however, states that the intention was to bring together diverse views
and yet to "build an argument."  What the argument, or central thesis,
of the work is, has not been stated.

Chapter one is supposed to set forth the new challenges to information
security, but ends up telling us, at great length, that "the times
they are a-changin."  (Extracting further information from the
academic-speak is not made any easier by the many grammatical oddities
and awkward constructions.)  Policy is central to security, and so it
is no surprise to see it as the topic of chapter two.  What is
astounding is the fact that so much is wrong with this paper that it
is hard to know where to start.  Everything seems to be backwards.  It
is stated that an audit should be done as the prelude to policy
development, but how can you conduct an audit with no policy to measure
compliance against?  Again, the essay says that the procedures in
place will form the policy, whereas it should be the policy that
guides development of procedures.  A simplistic discussion of ethics
makes up chapter three.  There really isn't any analysis: after a few
facile presentations of both sides of a variety of issues the author
just asserts that X is or is not moral.  Chapter four is supposed to
argue that ethical policies build trust and trust promotes e-commerce,
but instead actually just lists a number of random security topics.  A
look at "cyber terrorism," in chapter five, seems to consist only of
listing Web sites for known terrorist organizations.  Prescription
fraud is never rigorously defined, so it is hard to say whether the
technical measures proposed in chapter six are relevant or not.
Chapter seven tells us (surprise, surprise) that disaster recovery
planning is often done inadequately, or left undone.  A discussion of
development models, in chapter eight, seems to be so abstract that it
is of no digital use.  Internet and e-business security touches on
some miscellaneous subjects in chapter nine.  The author obviously
thinks Compliance Monitoring for Anomaly Detection (CMAD, with some
kind of trademark symbol appended to it) is vitally important, but
chapter ten's explanation seems to just describe another type of
statistical change measurement.  Chapter eleven vaguely discusses some
of the security issues involved with the use of agent or mobile
software.  The final chapter lists some "motherhood" security
principles.

One of the interesting, and disturbing, aspects of the book is that
each paper is accompanied by a bibliography of sources, but almost
none of the standard security reference works in the various fields
addressed are cited.  How can you discuss, for example, computer
ethics without having read Deborah Johnson's (cf. BKCMPETH.RVW) works?

Compilation works tend to be hard to pin down, and to vary in quality
and usefulness.  This work has a remarkable consistency, in that the
items included are all vague, uninteresting to the professional, and
unhelpful to the practitioner.

copyright Robert M. Slade, 2002   BKINSCMN.RVW   20020628
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


2003 IEEE Symposium on Security and Privacy, Call for Papers

<Steve Bellovin <smb@research.att.com>>
Tue, 08 Oct 2002 01:33:22 -0400

2003 IEEE Symposium on Security and Privacy
11-14 May 2003, The Claremont Resort, Oakland, California, USA
  sponsored by
IEEE Computer Society Technical Committee on Security and Privacy
  in cooperation with
The International Association for Cryptologic Research (IACR)

Paper submissions due:   6 Nov 2002
Panel proposals due:     6 Nov 2002
5-minute abstracts due: 17 Mar 2003
For submission guidelines see
  http://www.research.att.com/~smb/oakland03-cfp.html
For questions, please contact the program chairs, at
oakland-chairs03@research.att.com.

Symposium Committee:
General Chair: Bob Blakley (IBM Software Group - Tivoli Systems, USA)
  (bblakley@us.ibm.com)
Vice Chair: Lee Badger (Network Associates Labs, USA)
Program Co-Chairs: Steven M. Bellovin (AT&T Research, USA)
David A. Wagner (University of California at Berkeley, USA)

Steve Bellovin, http://www.research.att.com/~smb

  [This has been probably the most important research conference
  on security and privacy for over two decades.  PGN]
