A computer glitch has been blamed for July's disastrous launch of a Japanese supersonic jet model at South Australia's Woomera rocket range. Japan's National Aerospace Laboratory says a design change caused the $150 million scale model's computer system to short-circuit. Flight director Kimio Sakata says the autopilot then reset itself and caused the jet and rocket booster to separate during take-off. http://www.abc.net.au/news/justin/nat/newsnat-12dec2002-22.htm [Hmm. Sounds like bad design *processes* as much as a computer glitch...]
Never let it be said that the United States Senate has done nothing for Internet privacy. Network administrators for the U.S. government site www.senate.gov shut down an open proxy server over the weekend that for months had turned the site into a free Web anonymizer that could have allowed savvy surfers to launder their Internet connections so that efforts to trace them would lead to Capitol Hill. A proxy server is normally a dedicated machine that sits between a private network and the outside world, passing internal users' Web requests out to the Internet. http://online.securityfocus.com/news/1780
We recently had an article in comp.risks titled "Identity thieves strike eBay". Below, author Spider Robinson reports how he was victimized, plus details on the not-very-good way that eBay handled it, all which made the situation worse. Mr. Robinson has been robbed by almost a thousand dollars because of it. http://www.theglobeandmail.com/servlet/ArticleNews/PEstory/TGAM/20021211/COSPIDER/Columnists/columnists/columnistsNational_temp/1/1/6/
A number of concerned First Amendment advocates say a landmark libel decision by the Australian High Court may have the effect of erecting a fence on the borderless information frontier opened up by Internet technology. The 10 Dec 2002 ruling concluded that an Australian businessman, Joseph Gutnick, could sue Dow Jones for defamation in Australia based on a Barron's magazine story that emanated from the company's computer servers in New Jersey. Although, as attorney Harvey Silverglate explains, defamation cases have traditionally been brought ''in the jurisdiction where the speech is uttered or published or where you targeted it,'' the ruling effectively expanded that jurisdiction in the online world to where a story can be downloaded. The case involves a ''United States media publication which is really focused on United States markets and United States investors'' and ''a journalist who operated completely out of the United States,'' says Stuart Karle, a Dow Jones associate general counsel. ''This dramatically changes how you can communicate within this country.'' [Source: Mark Jurkowitz, *The Boston Globe*, 16 Dec 2002] http://www.boston.com/dailyglobe2/350/business/Australian_ruling_is_raising_worries+.shtml [All sorts of implications. PGN]
Intel chairman Andy Grove warned participants at the International Electron Devices Meeting this week that electrical current leakage from inactive processors poses a major challenge to the continued viability of Moore's Law (which predicts the doubling of transistor densities every couple of years). "Current is becoming a major factor and a limiter on how complex we can build chips," said Grove, who added that his company's engineers "just can't get rid of power leakage." As chips become more powerful, leakage rates increase, and while the industry is accustomed to low-level leakage rates, high-end chips made up of a billion transistors may leak between 60 and 70 Watts of power, causing problems with cooling. Grove also warned that the trend of migrating chip manufacturing to Asian plants could shift the balance of power eastward. "It is easy to project that the independence becomes more one-sided, with an adverse impact on our educational system because so much of the university funding comes from industry. There is a spiral there in the wrong direction." [Computerwire/The Inquirer 11 Dec 2002; NewsScan Daily, 12 Dec 2002] http://www.theinquirer.net/?article=6677 Copyright 2002. NewsScan Daily (R) is a publication of NewsScan.com Inc. Reproduced in RISKS with permission.
I received an e-mail with the subject: "Paypal Alert: Please Update your current Billing Information" In that I don't have a paypal account, I was a little curious, and decided to investigate. When I looked at the message, I saw what appears to be a scam: "Unfortunately today we have had some trouble with one of our computer systems. While the trouble appears to be minor, we are not taking the necessary precautions. We have decided to take the affected system offline and replace it with a new system. Unfortunately this has caused us to lose member data and information. Please follow the link=link below and log into your account to re-enter your information to be assured none of your prior information has been lost. Please Note: Account balances have not been affected." Then there is a link "Click Here To Begin the Account Process", with a link that goes (upon examination of the source HTML) to an IP address at some Autobahn Access Corporation. The message was very cleverly constructed, to use Paypal images (based on their own urls) <A href=3D"https://www.paypal.com/" target=3D_blank><IMG height=3D35 alt=3DPayPal src=3D"http://www.paypal.com/images/email_logo.gif" width=3D25 5 border=3D0></A> And it had a reply-to address of email@example.com. (They were careful to say in the message, though, "Please do not reply to this e-mail. Mail sent to this address cannot be answered.")
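The tell in the message above is that the branding (images and one decorative link) points at paypal.com while the action link points at a bare IP address. The following is an added example, not part of the RISKS item: it decodes a quoted-printable HTML body (the `=3D` sequences in the post are quoted-printable for `=`), collects every anchor, and reports links whose host is an IP address or lies outside the domain the mail claims to come from. The sample message and the assumed brand domain `paypal.com` are constructed for the demonstration.

```python
"""Flag anchors whose target does not match the brand a mail claims.

Added example (not from the RISKS post). Input is a quoted-printable
HTML body; output is the list of (href, visible text) pairs that point
at a bare IP address or outside the claimed brand domain.
"""
import ipaddress
import quopri
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the mail quoted in the post: the visible
# branding points at paypal.com, the action link at an IP address.
SAMPLE_QP = b"""<A href=3D"https://www.paypal.com/" target=3D_blank><IMG alt=3DPayPal =
src=3D"http://www.paypal.com/images/email_logo.gif"></A>
<p>Please follow the link below and log into your account.</p>
<A href=3D"http://192.0.2.10/paypal/login.htm">Click Here To Begin the =
Account Process</A>
"""

CLAIMED_DOMAIN = "paypal.com"  # assumption: the brand the mail impersonates


class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "a":
            self._current = None


def host_is_ip(host):
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(host, domain):
    """True when host is the domain itself or a subdomain of it
    (so 'paypal.com.example' does not count)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def suspicious_links(qp_body, claimed_domain=CLAIMED_DOMAIN):
    """Decode the body and return links pointing outside the claimed brand."""
    html = quopri.decodestring(qp_body).decode("utf-8", "replace")
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if host_is_ip(host) or not belongs_to(host, claimed_domain):
            flagged.append((href, text.strip()))
    return flagged


if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_QP):
        print(f"suspicious link: {text!r} -> {href}")
```

The check deliberately ignores where the images are served from: loading the real brand's logo is exactly what the post describes the scammer doing, so image hosts say nothing about who sent the mail. Only the hosts the reader is asked to click on matter.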
West Bloomfield (Michigan) bulk e-mailer Alan Ralsky, who just may be the world's biggest sender of Internet spam, is getting a taste of his own medicine. Ever since I wrote a story on him a couple of weeks ago (www.freep.com/money/tech/mwend22_20021122.htm), he says he's been inundated with ads, catalogs and brochures delivered by the U.S. Postal Service to his brand-new $740,000 home. It's all the result of a well-organized campaign by the anti-spam community, and Ralsky doesn't find it funny. ... [Source: Mike Wendland, *Detroit Free Press*, 6 Dec 2002]
Tower Records, a well known chain of record shops that does business in the US and the UK, recently suffered an embarrassing information leak due to amateurish Web programming. A Windows "Active Server Page" script, which allowed customers to check the status of their orders by entering their order numbers, was written so that it required no other identification from the user than the order numbers themselves -- which were assigned in sequence. Simply modifying a URL to contain an order number one greater or one less than that assigned to your own order would show you another customer's information. E-mail addresses, street addresses, phone numbers, and order information dating back to 1996 were exposed. The chain reports that the hole was finally closed this week. http://www.extremetech.com/article2/0,3973,760739,00.asp
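The defect described above is a lookup keyed only on a guessable identifier, with no check that the requester owns the record. The following is an added example and not Tower Records' code: a minimal order-status lookup written both ways, plus a replacement for sequential order numbers. The order store, customer names and e-mail addresses are constructed for the demonstration.

```python
"""Order-status lookup: the leaky pattern and a fixed version.

Added example, not the ASP page from the article. `lookup_insecure`
behaves like the page described (any order number returns that order).
`lookup_secure` requires the authenticated customer and checks ownership,
and `new_order_ref` replaces the sequential number with an unguessable
reference for use in URLs.
"""
import secrets

# Constructed order store keyed by a sequential order number.
ORDERS = {
    1001: {"customer": "alice", "email": "alice@example.org", "status": "shipped"},
    1002: {"customer": "bob", "email": "bob@example.org", "status": "packed"},
}


class AccessDenied(Exception):
    """Raised when an order is missing or belongs to another customer."""


def lookup_insecure(order_no):
    """Before: the order number is the only 'credential', so the record
    next to yours is one URL edit away."""
    return ORDERS.get(order_no)


def lookup_secure(session_user, order_no):
    """After: the order must exist AND belong to the logged-in customer.
    'Not found' and 'not yours' raise the same error so the response
    cannot be used to learn which order numbers exist."""
    order = ORDERS.get(order_no)
    if order is None or order["customer"] != session_user:
        raise AccessDenied("no such order for this account")
    return order


def new_order_ref():
    """128-bit random order reference to put in status URLs instead of a
    sequential integer. Unguessability is a second layer only; the
    ownership check in lookup_secure is still required."""
    return secrets.token_urlsafe(16)


def compare_lookups(session_user="alice", order_nos=(1001, 1002)):
    """Return what a neighbour-number walk exposes under each version:
    (emails leaked by the insecure lookup, emails returned by the secure
    lookup, with None where access was denied)."""
    leaked = [lookup_insecure(n)["email"] for n in order_nos]
    guarded = []
    for n in order_nos:
        try:
            guarded.append(lookup_secure(session_user, n)["email"])
        except AccessDenied:
            guarded.append(None)
    return leaked, guarded


if __name__ == "__main__":
    leaked, guarded = compare_lookups()
    print("insecure lookup exposed:", leaked)
    print("secure lookup returned: ", guarded)
    print("example unguessable ref:", new_order_ref())
```

The important change is the ownership comparison against the session's identity, which must come from the server-side session and never from a request parameter; swapping the sequential number for a random reference without that check would only slow the walk down, not stop it.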
David Lazarus, *San Francisco Chronicle*, 13 Dec 2002 Pacific Bell may be taking on a new name, but it's still up to the same old tricks. The company's customers were outraged when I wrote how Pac Bell, which now wants to be known by the moniker of its corporate parent, SBC, slipped an insert into recent bills advising that personal information will be shared with business partners unless the customer says otherwise. ... That's not the half of it. For some services, Yahoo says it will request Pac Bell customers' Social Security number "and information about your assets." The online company says it will track DSL subscribers' Internet browsing and share personal information with "trusted partners." Such info will be used in part "to customize the advertising and content you see." "Once you create an SBC Yahoo account and sign in to our services, you are not anonymous to us," Yahoo warns in surprisingly stark language. ... http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2002/12/13/BU191399.DTL
Many of us have known for years that education and heightened awareness are vital to improving the general information security situation. It's been rather frustrating to try and promote the idea. However, at long last there seems to be a groundswell of both interest in the topic, and work towards producing seminars and training. As a step in getting some cooperation going in terms of the production of security awareness seminars, I have started a mailing list and a Web page of contacts. The mailing list is firstname.lastname@example.org: if you want to join send e-mail to email@example.com. The Web page is at http://victoria.tc.ca/techrev/comseced.htm or http://sun.soci.niu.edu/~rslade/comseced.htm. If you have curricula, materials, or ideas that you would be willing to share, please drop me a line or join the group. firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
<http://www.aro.army.mil/research/index.htm> The U.S. Army Research Office (ARO) is soliciting proposals to determine whether genetically-determined odortypes may be used to identify specific individuals. The proposal also calls for development of the science and enabling technology to detect and identify specific individuals by such odortypes. The Odortype Detection Program will leverage research that has demonstrated that the same set of genes that code for internal immune system self/non-self recognition in mice -- the Major Histocompatibility Complex (MHC) -- also code for individual odortype. Total funding for the research and development effort may be up to $3.2 million in 2003. http://www.biometritech.com/enews/121602c.htm [De-scent into the pits? PGN]
The HP paper you're referring to ("Throttling Viruses: Restricting propagation to defeat malicious mobile code" by Matthew Williamson, Hewlett-Packard Labs) was presented this week at the 18th Annual Computer Security Applications Conference, and won the best paper award. Along with Paul Karger's Multics retrospective (discussed in previous issues of RISKS), it's made this year's ACSAC particularly interesting.
The RISK of RISKS: I've become paranoid over the past year, but legitimately. And it is wrecking my life. Because I was involved in a National Academies study of anti-terrorism, I examined how people defeated security systems. The security community -- with some notable exceptions -- seems to think this is a technological problem: put in enough technology and the system is secure. I have always thought just the opposite: this is a social problem. Indeed, my belief is that "The more secure you make the system from a technological point of view, the less secure you are apt to have made it in reality." Why? Because the technology gets in the way of work, and so the most dedicated workers will defeat the system in order that they can get their work done. My studies of the cracker community and discussions with professional "red team" members simply reinforce the view. We are social beings: we work well in small, cooperative groups. Part of the benefits of our society is that we all help one another. We trust one another. The people who would deceive us understand this and manipulate it. Well, the social engineer takes advantage of all of this. I've just finished reading the book by Mitnick and Simon. I recommend it to everyone: it is scary. It tells how a few simple sounding (but very sophisticated) phone calls can get the sophisticated con artist almost anything. It gives very convincing examples. Mitnick, K. D., & Simon, W. L. (2002). The art of deception: controlling the human element of security. Indianapolis: Wiley. So now I am on guard. And guess what, I immediately spot spoofs. I get an e-mail stating that I have just signed up with American Express for bill-paying, so I should log on to this URL and set up my account. Except that I didn't recall signing up, and the URL is not associated with American Express: it is "thevalidnetwork.com". Sounded like a spoof to me. I call up American Express.
They deny all knowledge of the site, but they also refuse to accept my complaint. "Not my department," said the woman, as she gave me a different phone number to call and hung up on me. The man at the other phone number also confirmed that this was not a valid American Express site, and he wanted to report it, but it wasn't his responsibility either -- the phone number he asked me to use was for the woman who refused to take it. He tried -- he was turned down too. So American Express claims this is not their site, but refuses to let me file a complaint. Then yesterday, I get a letter inviting me to a conference. Would I send my address and phone number, and also the phone numbers of anyone else I thought should be invited. The person said he had gotten my name from X, and said the conference was run by Consumers Reports. Well, the website he listed gave no hint of why I should trust this person -- he claimed to be a contractor. I checked with X, who said, no, he couldn't vouch for the person. The letter said time was of the essence, but it came in over the weekend, so I couldn't call Consumer Reports to check. Both letters were perfect examples of Mitnick's illustrations of how to con people. They look legitimate, but if you examine them closely, the URLs are wrong, and although legitimate names are given, this is an emergency and the answer must be given now, after hours, when those legitimate-sounding names can't be checked. I now have discovered that both e-mails were legitimate. My financial advisor had signed me up for the bill payment scheme (he says we asked him to). The site was subcontracted by American Express to do this, but obviously, their phone support people don't know this. As for the invitation, the person at Consumer Reports vouched for it. But what a life we have to lead: we can easily be conned by legitimate looking requests. And we might refuse to honor legitimate requests that could also be frauds. 
Or, even if we accept them, we waste a lot of time checking them out -- a lot of our time and that of the people we have to bother to find out if it is real. And, along the way, I also discovered that even if we are recipients of a real fraud, it is very difficult to tell anyone. An amazing number of websites lack any contact information, any way of reporting a problem. And even if you do report a problem, it is answered bizarrely. I just reported over a website to Mindspring that their server seemed to be down. In reply I was told how to check the modem settings under Windows 98. That wasn't my complaint, I don't use a dial-up modem, and I don't run Windows 98. When I complained that the response was not relevant, I got instructions to check the wiring of my modem. So consider the RISKS of RISKS. We waste time every day deleting spam and backing up our systems. We waste time every week updating our virus controls and rescanning our computer systems. We no longer can trust the people we interact with, for social engineers take advantage of all that we have come to trust. We are searched at work and when traveling. We have to watch what we say in public because it might be misinterpreted. And there is nobody to complain to. Trust is rapidly leaving our society, and we all are worse off as a result. Don Norman, Prof. Computer Science, Northwestern University http://www.jnd.org and Nielsen Norman Group http://www.nngroup.com firstname.lastname@example.org [See Rob Slade's following item. PGN]
BKARTDCP.RVW 20021028 "The Art of Deception", Kevin D. Mitnick/William L. Simon, 2002, 0-471-23712-4, U$27.50/C$39.95/UK#19.95 %A Kevin D. Mitnick %A William L. Simon %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2002 %G 0-471-23712-4 %I John Wiley & Sons, Inc. %O U$27.50/C$39.95/UK#19.95 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0471237124/robsladesinterne %P 352 p. %T "The Art of Deception: Controlling the Human Element of Security" Those in the security field know that Kevin Mitnick does not deserve the reputation he has gained as some kind of technical genius. His gift was skill as a social engineer. Stripped of the five dollar words, this means that he was a plain, old con man, cheat, or fraud. In other words, this is a book about how to fool people. Theoretically, the determined reader should be able to use the book to keep from being conned. In the preface, Mitnick would have us believe that, although he admits to being a fraud and deceiver, he was never a grifter. He never harmed anybody, never obtained a material benefit, and was just curious to see if he could ride the buses for free (at the expense of the transit system) or make calls for free (at the expense of an MCI customer). (The willing moral blindness of these assertions is possibly the most instructive part of the book: it is truly representative of large portions of the blackhat community.) He would have us believe that he is a "changed person": one of the most sought-after computer security experts world-wide, and the world's most famous hacker. Oh, and just in case the authorities are inclined to think that this book runs counter to the injunction that he not profit from the stories of his criminal exploits, the tales are all completely fictional. Trust him. Part one is entitled "Behind the Scenes." Chapter one states that people are security's weakest link.
This is a truism well known in the field, but the first account is really about insider fraud, while the remainder are generic fear-mongering. Part two describes the art of the attacker. (At great length.) Chapter two depicts escalation or enumeration through social engineering, and points out that sometimes innocuous information isn't. There is a section on "preventing the con" at the end of each chapter: in this case we are told not to give out information, but not provided with any advice about authenticating callers. Similarly, chapter three says that sometimes attackers just ask for access or information and says to verify callers, but doesn't say how. Chapter four tells you to distrust everyone--which would probably be more damaging to society than social engineering. (Interestingly, yesterday a report came out about studies of "freeloading" in the animal kingdom, which notes that communities with too many non-contributing members tend not to survive. By extension, only societies with an overwhelming majority of trustworthy members exist for any length of time.) The prevention bit tells companies not to have people give credit card information over the phone, but stresses teaching employees about cons rather than policies. At about this point the text, which is very repetitious, throws in some minor technical details. This is enough to remind the professional that the book is designed for the naive user, with extremely lightweight analysis, and implications that would not be useful. There is more repetitive redundancy in chapter six, on the way to some useful information about fraudulent e-mail and really lousy data about viruses and malware, in chapter seven. Chapters eight and nine are simply more of the same stories, which start to get very tedious. Part three is apparently supposed to help us detect intruders. Chapter ten has a little useful advice about having termination procedures.
The major points in chapter eleven seem to be about all the people who have been mean to our poor Kevin. Then it is back to the, by now extremely tiresome, con jobs for another three chapters. We are intended to believe that part four will help us protect ourselves and our companies against social engineering. Chapter fifteen is an attempt to convince us that the book should be purchased for all employees. (Nice try, Kev.) There is an arbitrary, and oddly both generic and overly detailed, suggested security policy, in chapter sixteen. So. Security professionals already know about social engineering. It is unlikely in the extreme that even the most head down, don't-talk-to-the-users, socially maladept firewall administrator will learn very much from this book. But, of course, this is not a trade paperback. This is a hardback aimed at the mass market: the non-professionals. Will they learn anything from it? Well, it might be useful for teaching new tricks to those who like to con people (although fraudsters will likely be disappointed at the number of times it is assumed that they know how to reprogram DMS-100 switches: don't try this at home). The prevention sections, as noted, are big on "don't" and short on "how not to." Well, but the book can still be a fascinating read, can't it? Sure. If you're the type of person who finds humour in watching someone fall on his or her face. Over and over and over and over and over and over and over and over and over and over again ... copyright Robert M. Slade, 2002 BKARTDCP.RVW 20021028 email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade [See Don Norman's previous item. PGN]
BKSCDCMP.RVW 20020905 "Secured Computing", Carl F. Endorf, 2002, 1-55212-889-X, U$44.95/C$64.00 %A Carl F. Endorf email@example.com %C Suite 6E, 2333 Government Street, Victoria, BC V8T 4P4 %D 2002 %G 1-55212-889-X %I Trafford Publishing %O U$44.95/C$64.00 888-232-4444 FAX 250-383-6804 sales@trafford.Com %O http://www.amazon.com/exec/obidos/ASIN/155212889X/robsladesinterne %P 538 p. %T "Secured Computing: CISSP Study Guide, Second Edition" Like Mandy Andress' book (cf. BKCISPEC.RVW), this concentrates on terminology, rather than the concepts that the CISSP exam actually tests for. Like Krutz and Vines' book (cf. BKCISPPG.RVW), this obviously and slavishly follows the (ISC)^2 syllabus. Unlike Shon Harris' book (cf. BKCISPA1.RVW), it doesn't provide much added value or explanation. It does offer a money back guarantee. If, within six months of buying the book, you take the CISSP exam twice (at U$450 a pop) and fail both times, you get the price of the book back. Less shipping and handling. (Also, you might need to be careful when ordering the book. The ISBN is identical for both the first and second editions.) Some of the errors in the first edition of the book have been corrected, but a few remain, such as the addition of a "strong star" property to the Bell-LaPadula security model. Since the work concentrates on jargon, there are glaring gaps in the coverage. For example, the Law, Investigation, and Ethics domain has almost nothing to say about incident response, investigation, preservation of evidence, computer forensics, or interviewing. Added to the book in this second edition is a practice CISSP exam. Although the structure of the questions appears to be similar to those you would see on a real exam, the answers, oddly enough, rely on nonstandard terminology. Approximately one third of the total material in the second edition is a reprint of the "Standard of Good Practice" document available from the Information Security Forum (www.securityforum.org). 
While there is nothing wrong with the document, and it could be a useful aid to the practitioner, it isn't much of a help in studying for the CISSP. While this book might provide some assistance in exam prep, it is probably not a sufficient guide by itself. copyright Robert M. Slade, 2002 BKSCDCMP.RVW 20020905 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade