New Jersey's E-ZPass windshield transponders are wearing out sooner than expected, resulting in hundreds of thousands of mistaken violation notices being issued. Similar problems with the manufacturer, Mark IV Industries, have arisen in 14 states (not all of which are E-ZPass customers). Over about 900,000 users out of six million will be getting free replacements. [Source: Ronald Smothers, *The New York Times*, 16 Oct 2002, PGN-ed] http://www.nytimes.com/2002/10/16/nyregion/16PASS.html [Head them off at the Pass? PGN]
Recently a prominent physicist at the Lawrence Berkeley National Laboratory was fired, and the reported detection of element 118 was retracted. Everyone concerned agrees that essential data in a computer file had been faked, forged, or fudged. [What to name the would-be new element? Phonium? Phakium? Phorgium? Phudgium? PGN] The fired physicist denies doing the dirty work. According to *The New York Times*, Science section, 15 Oct 2002: ``He says he is as perplexed as anyone. His account on the laboratory computer system was used by everyone in his group, he says, and his password was an open secret.'' Sardonic cackling in the deep background may emanate from the ghost of Richard P. Feynman, once the resident lockpicker at Los Alamos.

Wendell Cochran, West Seattle
The outside key-code on my building has five buttons but ten digits -- two digits per button. This allows for 10^n different "combinations" as humans must remember it, but 5^n different combinations as the door remembers it. Who thought of this? Hopefully the same person who thought capitalizing all passwords before performing comparisons was a good idea -- I'd hate to think there are more than a handful of people making mistakes like this.
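The keyspace loss described in the item above, and the same effect for upper-cased passwords, measured by brute force. This is an added example, not part of the original posting; the pairing of digits to buttons (1/2, 3/4, 5/6, 7/8, 9/0) is an assumption, since the post does not give the layout.

```python
import itertools
import math
import string

# Assumed layout (not stated in the post): five buttons, two digits each.
BUTTON_OF_DIGIT = {"1": 0, "2": 0, "3": 1, "4": 1, "5": 2,
                   "6": 2, "7": 3, "8": 3, "9": 4, "0": 4}


def keypad_normalize(code):
    """What the door can actually compare: the button sequence, not the digits."""
    return tuple(BUTTON_OF_DIGIT[d] for d in code)


def upper_normalize(password):
    """The 'capitalize before comparing' check mentioned in the post."""
    return password.upper()


def effective_keyspace(alphabet, length, normalize):
    """Enumerate every secret a user could pick and count the distinct
    values left after the verifier's normalization step.
    Returns (nominal, effective)."""
    nominal = len(alphabet) ** length
    distinct = {normalize("".join(chars))
                for chars in itertools.product(alphabet, repeat=length)}
    return nominal, len(distinct)


def bits_lost(nominal, effective):
    """Entropy thrown away by the normalization, in bits."""
    return math.log2(nominal / effective)


def equivalent_codes(code):
    """Every digit string the door accepts in place of `code`."""
    digits_on = {}
    for digit, button in BUTTON_OF_DIGIT.items():
        digits_on.setdefault(button, []).append(digit)
    choices = [digits_on[b] for b in keypad_normalize(code)]
    return sorted("".join(p) for p in itertools.product(*choices))


if __name__ == "__main__":
    nominal, effective = effective_keyspace("0123456789", 4, keypad_normalize)
    print(f"4-digit door code: {nominal} as remembered, {effective} as checked, "
          f"{bits_lost(nominal, effective):.1f} bits lost")

    nominal, effective = effective_keyspace(string.ascii_letters, 3, upper_normalize)
    print(f"3-letter password: {nominal} as typed, {effective} after upper(), "
          f"{bits_lost(nominal, effective):.1f} bits lost")

    # Constructed sample code: 15 other digit strings open the same door.
    print(equivalent_codes("1357"))
```

Each position loses exactly one bit under either normalization, so the loss grows linearly with the length of the secret.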
An electronic tracking system that follows suspects and criminals around their neighborhoods and compares the information to current crimes has received, of all things, the stamp of approval from the American Civil Liberties Union. The Global Positioning System's satellites track probationers and parolees and compare their whereabouts to the location of crimes committed in their vicinity. ... [Source: Julia Scheeres, wired.com, 15 Oct 2002] http://www.wired.com/news/privacy/0,1848,55740,00.html
Government's secret Celldar project will allow surveillance of anyone, at any time and anywhere there is a phone signal

Jason Burke and Peter Warren, 13 Oct 2002, *The Observer*

Secret radar technology research that will allow the biggest-ever extension of 'Big Brother'-style surveillance in the UK is being funded by the Government. The radical new system, which has outraged civil liberties groups, uses mobile phone masts to allow security authorities to watch vehicles and individuals 'in real time' almost anywhere in Britain. The technology 'sees' the shapes made when radio waves emitted by mobile phone masts meet an obstruction. Signals bounced back by immobile objects, such as walls or trees, are filtered out by the receiver. This allows anything moving, such as cars or people, to be tracked. Previously, radar needed massive fixed equipment to work and transmissions from mobile phone masts were thought too weak to be useful. ...

http://www.observer.co.uk/uk_news/story/0,6903,811027,00.html
Finally someone in FAA and in the mainstream press [ahem] has gotten a clue and figured out how to improve airline security. If only all these airline security articles had anything to do with comp.risks. Seeking to address "the number-one threat to airline security," the Federal Aviation Administration announced Monday that it will consider banning passengers on all domestic and international commercial flights. [...] http://www.theonion.com/onion3838/faa_passenger_ban.html
GAO: Commercial Satellite Security Should Be More Fully Addressed http://www.gao.gov/new.items/d02781.pdf
Seen in *Security Wire Digest* ... seems to me it's trading the devil you know for the devil you ... know. Is WinXP really any more secure than WinNT/2K? Now if they banned the use of Outlook, that might be a step forward... BTW, students have to pay for a copy of WinXP. Maybe this is a fundraising effort by Microsoft... put out products that are so vulnerable that users have to spend more money to buy a less vulnerable version. "I'm sorry ma'am, but the wheels frequently fall off the 1998 model cars. We have no intention of fixing the problem. Would you like to buy a 2002 model for $20,000? By the way, you'll also need to build a new garage on your house to park it in, and a new driver's license, because the old ones aren't compatible."

*UNIVERSITY BANS WINDOWS NT/2000

Citing security reasons, the University of California at Santa Barbara (UCSB) has banned the use of Microsoft Windows NT/2000 on its residential network, ResNet. In a posting on the ResNet site, UCSB officials blame the OSes for "hundreds of major problems on UCSB's residential network during the 2001-2 academic year," including exploited vulnerabilities, denial-of-service attacks, port scanning, and infections by Code Red and Nimda. UCSB recommends that ResNet users switch to Windows XP Home.

http://www.resnet.ucsb.edu/information/win2k.html
I showed my boss the piece that M.E. Kabay submitted regarding Lookout, er, I mean Outlook, always forcing the primary over the secondary address. She's had the same experience using it at home. At work, we've been happily using Lotus Notes for our mail client for many years. In the near future, the powers that be will be switching us to Outlook. I can't wait!
A grass-roots campaign orchestrated by a PR department is commonly called "astroturf." What shall we call Microsoft's embarrassing sally at Apple's successful "Switchers" campaign? Let's consider "paid testimonial." ... No one expects Apple's ads to swing much market share, but perhaps Microsoft was feeling their sting. On Monday the company posted a Web page, "Confessions of a Mac to PC convert," supposedly written by a young woman who had switched from Apple to Windows XP. Her name was not given. Her picture, as Slashdot posters quickly discovered, was a stock image available for purchase from Getty's Photodisc. (Why the agency did not use an image from the competing Corbis service, owned by Bill Gates, is another mystery.) http://newsletter.mediaunspun.com/index000021694.cfm#a100869
Yahoo Inc. said on 17 Oct 2002 that some of its customers had been tricked into giving their credit-card numbers to an unaffiliated third party that had posed as Yahoo in a mass e-mail. [Source: Reuters, Yahoo, 17 Oct 2002] http://story.news.yahoo.com/news?tmpl=story&ncid=582&e=2&cid=582&u=/nm/20021018/wr_nm/tech_yahoo_fraud_dc
I have just received a Bugbear-initiated e-mail message. What made this one different was that the body of the message contained a fragment of another e-mail message that stated a username and password for an Australian event ticket seller's e-commerce site. I set up an account on said site to see how it worked; it appears to automatically recall credit-card details upon login, as well as showing the usual personal details (address, phone number, email address, etc). There's not even an address to give the Web folks feedback.

RISKS? At least three, as I make it:

* Sending the two authorizing IDs in the one message
* Sending them cleartext
* Not requiring manual entry of credit-card details per transaction

Paul Edwards, Research Support Officer, Advanced Research Computing
The University of Melbourne 3010 AUSTRALIA t: +61 3 8344 8884

[Note added 18 Oct 2002: Just to follow up to my original posting, I finally managed to speak to someone by phone about the problem. They now appear to have removed the automatic link to credit-card details, and some (although not all) of the personal details. PE]
I have been following, with a mixture of amusement and alarm, the correspondence about elections ever since Florida. In the UK, we have a separate ballot paper for each issue at stake (perhaps we're not as democratic as the USA - there is usually just one at a time), and we use a manual count. The counters are usually "volunteered" from the class of people most likely to be able to count large numbers of pieces of paper quickly and accurately - bank cashiers. The count proceeds in two stages: separating the votes between the various candidates, and then counting the individual piles, grouping them by elastic band into packets of 500 or 100. Dubious cases are taken out and argued over separately. The counts are scrutinised by representatives of the various political parties and others involved. A partial recount can be done very quickly by counting the number of packets in each candidate's pile (e.g. a winning count of 25,000 votes is counted by counting the 50 packets of 500 votes each), while a full recount involves recounting the number of votes in each packet (not a very long job, but necessary only if the result is close). Any candidate can claim a recount, either if there is doubt about who has won, or if there is doubt about whether a candidate has obtained enough votes to keep his deposit. Every general election, there is an informal competition between the various constituencies to see which can declare their result first (the declaration including a statement of the numbers of votes for each candidate, hence requiring a complete count). With an electorate averaging about 80,000 per constituency, the time to first declaration is usually just over one hour after the ballot closes. 
At a general election, the result is usually clear enough for the loser at national level to concede victory before the following dawn, and the removal trucks (should they be required) move into Downing Street the day after the election (in the UK, the result is, usually, effective immediately). The system is low-tech, but quick, reasonably efficient, recountable, and verifiable. However, there are moves afoot to introduce electronic voting in the UK, and it was reported last week that Dr. Rebecca Mercuri visited the UK last week to voice her concerns about some of the proposed voting methods. I sincerely hope that the UK authorities will respect her knowledge and listen to her concerns. Dr. Richard Pennington, Camberley, Surrey, UK
Is Microsoft's End User License Agreement for Windows 2000 Service Pack 3 insidious or just sloppily worded? It's possible to read it as being meant primarily to ask for permission to execute certain tasks that the user is about to initiate: the tasks that constitute the OS upgrade. There's a big problem, though, in that the EULA doesn't spell out that the permission being asked for is limited to an immediate response to a specific user request.

* If you choose to utilize the update features within the OS Product or OS Components, it is necessary to use certain computer system, hardware, and software information to implement the features. By using these features, you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you.

* The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.
One solution is simply to turn the automatic update off. I have had a Windows 2000 system that periodically and mysteriously rebooted itself in the middle of the night. Turning this automatic update "feature" off solved the problem. [greg_searle(at)hotmail(dot)com]
Well, it does say "recording electrodes", which sounds to me like there's no output voltage. Unless there's a need to send a small voltage pulse out to cause a response for certain things being recorded, of course. However, if it did control voltages, and those voltages had a range high enough to cause damage to the patient, you are correct there's a big risk here. Whether that's from MS having an OS that might update itself during surgery, or a hospital dumb enough to put something that could be harmful to the patient on the Internet where MS updates are only one of a number of bad things that can happen to it, I'm not sure.
Seems perfectly sane to me, if you allow for modular composition. Consider software functions. You make them general, so that they can be called from multiple contexts. From some contexts, some parameter arguments will never occur. Now consider that the phone menus are functions .... Given the sad state of software engineering, and the generally accepted view that modularity is good for software quality, I'm not particularly troubled that the phone people didn't bother to special-case this. Crispin Cowan, Chief Scientist, WireX http://wirex.com/~crispin/ Security Hardened Linux Distribution: http://immunix.org
Anyone who called this story the result of an online translation and plagiarism problem hasn't read the facts at http://www.pinoylife.com/article.php?sid=88 . An inexperienced student journalist didn't realize that pinoylife.com is an "insider" Filipino-American site with its tongue in its cheek. She might not even know what the tongue in the cheek meant. How she found the site is anybody's guess, but don't they have a proofreader or at least an editor at the *Daily Evergreen*? What about the risk of telling a story without presenting all the facts and giving it a loaded title?
One solution to the hunters using the wolf-tracking devices for hunting would be to deploy a large number of bogus trackers (assuming they're inexpensive enough). Perhaps a number of sheep could be equipped and deployed for this purpose, with the added benefit of providing food to help the struggling wolf population. They would, of course, also be sheep in wolves' clothing, so to speak... ...phsiii (smiling, um, sheepishly) [Watch out for ewe turns. PGN]
I finally caught up with a fascinating analysis of the history of risk management over the previous millennium. Although the book is somewhat slanted toward the financial world, it nevertheless has an incisive and yet broadly quasi-mathematical thoughtful perspective on risk management, and could be of interest to you. However, you might browse before you buy. It is not a typical page-turner, and is probably better digested slowly.

Peter L. Bernstein
Against the Gods: The Remarkable Story of Risk
John Wiley & Sons, New York 1996
ISBN 0-471-29563-9

The inside cover has this sentence:

This book chronicles the remarkable intellectual adventure that liberated humanity from oracles and soothsayers by means of the powerful tools of risk management that are available to us today.

[Thanks to David Huestis for lending me this book.]
BKHCKEXP.RVW 20020911

"Hacking Exposed", Stuart McClure/Joel Scambray/George Kurtz, 2001, 0-07-219381-6, U$49.99
%A Stuart McClure firstname.lastname@example.org
%A Joel Scambray email@example.com
%A George Kurtz firstname.lastname@example.org
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2001
%G 0-07-219381-6
%I McGraw-Hill Ryerson/Osborne
%O U$49.99 905-430-5000 fax: 905-430-5020
%P 729 p. + CD-ROM
%T "Hacking Exposed: Network Security Secrets and Solutions, 3rd Ed"

Yes, I know that this book has the most sales for any security work, ever. And, for the life of me, I still can't figure out why.

Part one looks at gathering data for an attack. Chapter one discusses company information that is generally available. However, while it may alert some to the fact that a lot of information can be obtained about them, most of the material deals with facts that you either want to make available, or that you must make available. Some suggested countermeasures are useful, while others strain the topic, such as the protection against domain hijacking. Scanning for weaknesses and loopholes, mostly with individual tools, in this edition, is the topic of chapter two. Enumeration, or finding weak user accounts and unprotected system resources (mostly on Windows 2000) is covered in chapter three.

Part two looks at details of specific systems. Chapter four touches on Windows 9x. NT gets a fair amount of detail in chapter five, but such vital and standard topics as disabling the Administrator account and setting up auditing are barely mentioned. Windows 2000 now has its own chapter: six. Some common NetWare attacks are listed in chapter seven. UNIX has the most extensive coverage, in chapter eight, but it is hardly comprehensive.

Part three deals with network weaknesses. Most of chapter nine discusses war-dialling and dial-up, but there is a brief mention of Virtual Private Networks (VPN). Some device weaknesses (vendor specific bugs, that is) are listed in chapter ten.
(There is also a very brief mention of wardriving and detecting wireless networks.) Firewalls, in chapter eleven, are primarily addressed in terms of scanning to (for identification) or through. Chapter twelve describes a few denial of service attacks. (Something has been lost in the update: a discussion of IP fragmentation attacks refers to "earlier" material on teardrop that no longer appears in the book.)

Part four looks at software. Chapter thirteen deals with remote access software in fair detail. Hijacking and backdoors are discussed in chapter fourteen. Miscellaneous Web site bugs are reviewed in chapter fifteen. Chapter sixteen is a confusing amalgam of ActiveX design flaws, Internet Explorer implementation bugs, and random discussions of malware.

The original preface (which no longer appears in the work) stated that the book was intended for system administrators, but it did, and still does, read more like a cookbook for security breaking. The authors defend themselves against this charge in advance, and certainly "keep quiet" versus "let it all hang out" is a constant debate in security circles. However, the attack descriptions are far more detailed than the countermeasures sections, and many attacks are presented without any specific protections being mentioned.

There are a number of points in the book that can be helpful in identifying specific security weaknesses. However, the book can't be comprehensive in that regard, and what it fails to do is give an overall concept of, or framework for, security on an ongoing basis. The examples given are frightening and stimulating, but the authors present them as the entire picture. In fact, even the picture as presented is not entire. A number of descriptions given in the book either do not mention, or gloss over, the fact that, for example, sniffers must be placed on a local, promiscuous, network, and session hijacking requires that the attackers somehow get "between" two systems.
On the other hand, the book is quite readable and can give you some tips. And, I wouldn't mind seeing a few sysadmins a little more scared than they are at the moment. As long as they don't think that this is *all* you need to do.

copyright Robert M. Slade, 2000, 2002 BKHCKEXP.RVW 20020911
email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKHYLTCG.RVW 20020825

"Have You Locked the Castle Gate", Brian Shea, 2002, 0-201-71955-X, U$19.99/C$31.99
%A Brian Shea
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2002
%G 0-201-71955-X
%I Addison-Wesley Publishing Co.
%O U$19.99/C$31.99 416-447-5101 fax: 416-443-0948
%P 193 p.
%T "Have You Locked the Castle Gate: Home and Small Business Security"

Chapter one is entitled "Assessing Risk." It deals with the basic concepts, but in a somewhat confused manner, and sometimes stresses or sensationalizes minor points. A grab bag of security concepts drifts into Windows specifics in chapter two. The author has said that he will be concentrating on Windows, since it is the most widely used system for home computers, but the material tells only *how* to, for example, set up groups, and not what groups are used for in terms of security. Chapter three is more of the same: more miscellany, and more Windows. The discussion of servers, in chapter four, is almost entirely devoted to Windows, and is weak on security concepts and technologies such as firewalls. There is a set of vague ideas about the Internet in chapter five. Chapter six, on email security, has some good suggestions, but a number of gaps. Web security is a questionable checklist of browser settings, almost entirely for Internet Explorer, in chapter seven. "Defending Against Hackers," in chapter eight, sounds like it should be important, but it is hard to find any point. Chapter nine, on viruses, starts with a surprisingly good set of definitions (recognizably from "Robert Slade's Guide to Computer Viruses") but quickly deteriorates into errors (the Internet Worm was *not* an accident), and poor suggestions (it does not make an awful lot of sense to talk about "boot disks" for scanning Windows systems without getting into a lot of detail).

I am all in favour of having a relatively simple and straightforward guide to security for home and small business users.
But Jeff Crume already did "Inside Internet Security" (cf. BKININSC.RVW), and did a much better job.

copyright Robert M. Slade, 2002 BKHYLTCG.RVW 20020825
email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade