Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The worst problem since the last time.... RISKS readers will remember RISKS-18.55 and .60 in which the new Berlin light-rail switching computers had themselves a little glitch when they hit real service in 1998 — a stack overflow. *Tagesspiegel* (http://archiv.tagesspiegel.de/archiv/12.01.2003/389362.asp) of 12 Jan 2003 reports that a little power-out at 13:35 the day before caused all three of the switching computers governing the track between Zoo and Ostbahnhof (the line with the most daily traffic, of course) to crash. It took until around 16:00 to get the systems back in service. Because this section of track is also in use by the Deutsche Bahn, many trains were terminated at stations outside of the city. Around 100 light-rail trainsets were stranded on open track. People were kept in the cars for up to 90 minutes. Luckily, the electricity came back on right away, so the heaters were on and people didn't have to freeze. Those in charge have absolutely no explanation for the problem, etc. At least the fail-safe worked, and all the signals went to red. I suppose we have to be thankful for small blessings. Further reports just noted that there is no explanation for all of the computers (which are supposed to be on separate power lines) crashing at the same time. I had hoped to be able to give more information, but the papers have dropped the topic in favor of more racy topics.... Prof. Dr. Debora Weber-Wulff, FHTW Berlin FB 4, Treskowallee 8, 10313 Berlin +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/
A research team in New Zealand has discovered a man who developed an almost-fatal blood clot after spending up to 18 hours a day at his computer workstation. The clot developed in his leg and traveled to his lungs. Researcher Richard Beasley of the Medical Research Institute of New Zealand said that the problem could be widespread, and advised people who spend long periods using computers to stretch their legs frequently. [*Globe News*/CNet New Zealand, 30 Jan 2003; NewsScan Daily, 30 January 2003] http://www.stuff.co.nz/stuff/0,2106,2226653a7144,00.html [... not to mention finger, hand, back, eye, and other problems. PGN]
Microsoft has been embarrassed by having to acknowledge that the SQL Slammer virus, which infected computer servers all over the world, also contaminated some of Microsoft's own servers, because system administrators had failed to heed the company's own advice to install a software patch months ago to fix a known system vulnerability. A Microsoft executive had to admit: "We, like the rest of the industry, struggle to get 100% compliance with our patch management. We recognize — now more than ever — that this is something we need to work on. And, like the rest of the industry, we're working to fix it." [*The New York Times*, 28 Jan 2003; NewsScan Daily, 28 January 2003] http://partners.nytimes.com/2003/01/28/technology/28SOFT.html
Of course, Microsoft's own SQL servers were victimized because they had not all been properly patched! Reports that the patches were available 6 months ago seem to be erroneous, because the patch for the Slammer exploit was apparently released only recently before the attacks. Although some folks are trying to put the blame on incompetent system administrators, I have heard that the service packs were poorly documented, and came in multiple versions depending on which SQL server software you were running, so that the SysAdmin burden was considerable. The worm affected many worldwide, including Bank of America's automatic teller machines, air-traffic control at Houston's Bush Intercontinental Airport, Cleveland, and New Jersey, American Express operations, and a Canadian Internet election.com vote in progress (which RISKS readers already know is not a great idea with respect to security). I had one out-of-band report that a major corporate research intranet was hosed because port 1434 accepted random UDP packets through the firewall. And once again, the payload on this worm was relatively benign compared with the damage it could have done. The fact that so many different exploits keep recurring suggests that something is fundamentally wrong with the software development and operational processes. As I said at the Homeland Security Town Meeting panel in San Diego on 28 Jan 2003, the chickens of neglect are coming home to roost. The folks who should be developing sound systems seem to have chickened out. Especially the non-bantam roost-ers who crow about their perfect security.
With all the noise about SQL Slammer, I gave instructions on Monday to my staff to verify that all systems in our lab that run SQL Server were at the latest patch level. Not surprisingly, a few weren't, and so upgrades began. Several of the systems ended up dead, and we naturally blamed the patch install process, which is notoriously error prone. In this case, though, there was another explanation. Midway through the install process, the fuses on one of the furnaces in the building blew (the outside temperature has been much below usual in Virginia for the past few weeks). This apparently sent enough of an electrical spike into the computers that we ended up with file system corruption in a way that wasn't resolved by an ordinary reboot, despite our UPSs & surge protectors. It also caused the temperature in the building to drop to a point where we were uncomfortable and having difficulty thinking carefully, especially given the obvious explanation of a failed patch. We don't quite know how it happened, but the file system corruption was both on Windows & Solaris boxes, so we're sure it had nothing to do with the patch installation, and the electrical malfunction seems the most likely explanation. The RISK is assuming that a system failure which occurs in temporal proximity to a security patch is in fact caused by the security patch!
The latest cyber attack (last weekend's SQL Slammer virus, which infected thousands of computer servers throughout the world) has given a new boost to "network risk insurance" (AKA "hacker insurance"), which is expected to grow from the $100 million industry it is now to a $2.5 billion industry by 2005. Bruce Schneier, the chief technology officer for Internet security at Counterpane, thinks that insurance is every bit as important as prevention: "I believe that within a few years hacking insurance will be ubiquitous. The notion that you must rely on prevention is just as stupid as building a brick wall around your house. That notion is just wrong." But getting "hacker insurance" is not as easy as one might think, because insurers typically require a third-party assessment of the insurance applicant's security system, which might cost as much as $50,000. [Reuters/*USA Today*, 28 Jan 2003; NewsScan Daily, 29 Jan 2003] http://shorl.com/bupimybristumu
[From Pete Lindstrom, Spire Security, petelind@spiresecurity.com] *<Adjective> Computer Worm <verb> Internet* In the wee hours of <date>, a <adjective> computer worm spread <adverb> throughout the Internet. Dubbed <silly name> because <ridiculous reason that doesn't explain anything about how it works>, and also known as <another random name> and <another random name>, the worm has infected an estimated <number> systems within <length of time>. Experts are calling this worm the most <adjective> since <date in the past>. The worm exploits a hole in <Microsoft product name> that was first identified <number> months ago by <security company name>. In an attempt to secure the planet, <same company> released detailed information about the vulnerability and how to exploit it. They also mentioned how to fix it, but apparently <noun> listened. Coincidentally, the worm that exploited this hole was also first identified by <same company>. Even more coincidentally, they make a product to protect against <noun>. "Actually, it's not really a <noun>, it's a <noun>," said <Pete Lindstrom, or some other person seeking publicity>. " A true <noun> works by <random filler that nobody will read>." The worm's payload <verb> every system by <verb ending in -ing> the <noun>. Comparatively speaking, this is much worse than <another worm> but not as bad as <another worm>. The computers of <place> were hit the hardest. Current damage is estimated at <dollar figure more than the GNP of two-thirds of the world's nations>. " This worm has the potential to <something or other>," said <Pete Lindstrom, or some other person trying hard to come up with something interesting to say ;-)>. " It just goes to show you that <another something or other>." Though there is no way to protect against this particular bug, experts recommend trying <longshot one> or <longshot two>, neither of which matter, since nobody will do it anyway.
By Stephanie Hanes, Sun Staff, 26 Jan 2003 Twelve University of Maryland undergraduates have been accused of using Web-equipped cell phones or handheld organizers to cheat on a business school final exam last month, according to the school's student-run Honor Council. Six of them have admitted to misconduct during that same test, the council said. The allegations prompted Provost William W. Destler to issue a warning to faculty members about the potential misuse of cell phones and other common handheld electronics, said J. Andrew Cantor, a 20-year-old senior and chairman of the Honor Council. ... http://www.sunspot.net/news/education/bal-md.cheating26jan26,0,3792093.story
QUALCOMM's CDMA Technology Enhances Security Measures at Super Bowl XXXVII
Regional Homeland Security Agencies and Technology Partners Teamed Up To
Provide Security Assistance for the Super Bowl -
SAN DIEGO, Jan. 29 /PRNewswire-FirstCall/ --
QUALCOMM Incorporated (NASDAQ:QCOM), pioneer and world leader of Code
Division Multiple Access (CDMA) digital wireless technology, joined forces
with regional homeland security agencies and technology partners to augment
existing security measures for Super Bowl XXXVII. QUALCOMM, in partnership
with the San Diego Regional Network on Homeland Security (RNHS) and other
technology companies, assisted the San Diego Police Department (SDPD) with
security preparations for Super Bowl XXXVII by providing technology and
products based on CDMA technology.
QUALCOMM provided wireless phones capable of carrying government-
classified information over commercial cellular networks to federal law
enforcement agencies and federal task force entities. These phones, referred
to as the Qsec-800(R), are National Security Agency certified cellular phones
developed through a U.S. Government contract with QUALCOMM. The phones
represent a first step in securing the nation's cellular communications using
the extensive CDMA network that is commercially available.
In addition to the secure wireless handsets, QUALCOMM had worked out an
architecture that allowed the SDPD to access data, such as real time video as
supplied by cameras, using digital technology from cVideo, at QUALCOMM
Stadium, over commercial CDMA2000 1X networks. QUALCOMM's expertise in
security ensured these data capabilities met the high standards set by the
United States Department of Justice and local law enforcement. ...
http://finance.lycos.com/home/news/story.asp?story=31220472
Tracking device crucial in rescues: Environmental satellites with search-and-rescue tracking capability helped save 171 sailors, hikers, downed pilots, and others across the country last year, including 15 people in five incidents off the New England coast. The Coast Guard requires all commercial fishing vessels and merchant ships to carry an Emergency Position Indicating Radio Beacon, which sends out a distress signal that NOAA satellites pick up and relay to the appropriate emergency response agency. Since it was launched in 1982, the satellite system is estimated to have saved 4,500 lives in the United States, said NOAA administrator Conrad C. Lautenbacher. ... [Source: Jim Geraghty, States News Service, 26 Jan 2003; PGN-ed] http://www.boston.com/dailyglobe2/026/nation/Satellite_system_seen_as_a_key_life_saver+.shtml
BKAPCSPR.RVW 20021216
"Absolute PC Security and Privacy", Michael Miller, 2002,
0-7821-4127-7, U$34.99/C$55.95/UK#25.99
%A Michael Miller
%C 1151 Marina Village Parkway, Alameda, CA 94501
%D 2002
%G 0-7821-4127-7
%I Sybex Computer Books
%O U$34.99/C$55.95/UK#25.99 800-227-2346 info@sybex.com
%O http://www.amazon.com/exec/obidos/ASIN/0782141277/robsladesinterne
%P 530 p.
%T "Absolute PC Security and Privacy: Defend Your Computer Against
Outside Intruders"
Miller never knew much about viruses, or took them seriously, until a
friend got infected and it turned out to be more of a nuisance than he
thought. So he decided to write a book about them. And also about
spam, since he was annoyed by that, too.
Part one is about viruses, and other stuff. There are so many errors
in the introduction, chapter one, that I don't know where to start.
Since this book is obviously not written for professionals, is it
important that it was Fred Cohen, and not Len Adleman, who did the
first academic research on viruses? No. Is it important that the
book constantly contradicts itself (for example, promoting the idea
that virus writers are technically competent, and then pointing out
that virus creation kits require no expertise at all)? Possibly not,
but it doesn't inspire any confidence. Is it important that policies
to prevent 95% of current viruses are dismissed in a single paragraph,
buried in 150 pages of procedures (like the old "use only commercial
software" myth--and the book also notes that commercial software has
been distributed in an infected state) that might help protect you
from some of the remaining 5%? Yeah, that could turn out to be
significant. Chapter two talks about some high risk activities, but
the relevant points are hidden in a mass of relatively low peril
particulars. Boot sector and file infectors are discussed in chapter
three, but aren't important to users any more. Chapter four talks
about macro viruses, but the suggested actions, such as manually
deleting macros, are mostly ineffective. The material on script
viruses, in chapter five, is quite confused: ActiveX is *not* a
scripting system, and it is pushing the facts to say that Internet
Explorer is a safe browser. (The procedures for disabling Windows
Script Host could be useful.) The definitions, and particularly
examples, of trojans, viruses, and worms are very confused in chapter
six. Chapter seven examines e-mail and IRC (Internet Relay Chat)
viruses, but concentrate on minor dangers and issues. Chapter eight
warns against virus hoaxes, but does not tell how to identify them.
The discussion of antiviral software in chapter nine deals *only* with
scanning, and does not properly advise on limitations and weaknesses
(such as the fact that real time, on-access, or firewall-based
scanning may be 20% less effective than manual scanning). The other
forms of antiviral software are mentioned in chapter ten, but so
briefly as to be useless. "Preventing Virus Attacks," in chapter
eleven, repeats earlier content. The suggested responses to a virus
infestation, in chapter twelve, are seriously overblown.
Part two is concerned with Internet attacks. Given the preceding
material, it is surprising that chapter thirteen provides reasonably
good background on intrusion. But, given the tone and audience of the
book, the attacks described are not relevant to the readership: most
home users would not be able to do anything about the offensives
described. The assaults listed in chapter fourteen are different, but
the mentions are too terse to provide any means of defence. Chapter
fifteen suggests some good precautions, but does not explain the
implications of following them. Chapter sixteen says that peer-to-
peer systems are dangerous, but is quite reserved given the level of
the threat and the scare tactics used elsewhere. Network protection
systems are briefly listed in chapter seventeen. "Choosing a
Firewall," in chapter eighteen, describes the various types too poorly
for the user to make an informed choice. Chapter nineteen's advice on
dealing with an attack is too short to provide identification of a
real incident, and the response advice is unhelpful.
Part three supposedly deals with theft of privacy. Chapter twenty's
overview of threats against privacy is not bad, although it does
confuse cookies, packet sniffing, and keystroke logging in the course
of a single paragraph. A discussion of online fraud, in chapter
twenty one, is mostly about eBay, and mostly generic advice. A
reasonable, if not extensive, set of explanations of harassment,
spyware, and cookies are given in chapters twenty two, twenty three,
and twenty four, respectively. However, the background and
suggestions in regard to passwords and encryption, in chapter twenty
five, are weak. The section finishes with anonymous surfing, in
chapter twenty six.
Part four covers spam. Chapter twenty seven presents a good overview
of the basic concepts, but betrays a very weak technical understanding
of the subject. The recommended actions for protection and prevention
are not very effective. A more serious look at anti-spam activities
is in chapter twenty eight, but it boils down to a recommendation not
to tell anyone your e-mail address: a suggestion that the book itself
admits is not completely effective since spammers regularly generate
random addresses to try. In addition, the information about tracking
down and fighting against spammers is too brief to be of any use.
Chapter twenty nine recommends against forwarding chain letters, but
probably should have more information about items such as the
technical impossibility of the messages that supposedly reward you for
the number of missives you forward, and the variations on "advance
fee" (aka "419" or "Nigerian scam") frauds.
It is unclear why "Web-Based Intrusions" could not have been covered
elsewhere without creating a part five. Chapter thirty deals sensibly
with pop-up ads, although I am not sure why disabling JavaScript is
considered an extreme action, particularly in view of some of the
other recommendations in the book. The advice about the use of the
hosts file, though, could be very helpful. Inappropriate content and
filtering, in chapter thirty one, is handled rationally (if curtly),
but does not mention the hidden agendae that filtering software or
organizations may have.
Although some of the points in the book can be good, a great deal of
the material is either too short to be really useful, or questionable,
or wrong. In terms of security guides for the average user, Crume's
"Inside Internet Security" (cf. BKININSC.RVW) is much better, and so
is "Access Denied" (cf. BKACCDEN.RVW) by Cronkhite and McCullough,
even though the latter is directed at managers.
copyright Robert M. Slade, 2002 BKAPCSPR.RVW 20021216
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKISBPBR.RVW 20021215 "Information Security Best Practices", George L. Stefanek, 2002, 1-878707-96-5 %A George L. Stefanek %C 225 Wildwood Street, Woburn, MA 01801 %D 2002 %G 1-878707-96-5 %I Butterworth-Heinemann/CRC Press/Digital Press %O 800-366-BOOK fax: 1-617-933-6333 dp-catalog@bh.com www.bh.com/bh/ %O http://www.amazon.com/exec/obidos/ASIN/1878707965/robsladesinterne %P 194 p. + CD-ROM %T "Information Security Best Practices: 205 Basic Rules" The preface states that this book contains rules for a, possibly novice, system administrator and manager to provide a basic level of security for an organization. Chapter one lists a few (well, eleven) attacks on information systems. These are rather simple; the virus definition is quite old (there is no mention of macro or e-mail viruses) and worms are depicted in terms of memory exhaustion; and it is difficult to see what purpose they serve. The generic structure of an attack or intrusion is described in chapter two. The initial discussion of policy, in chapter three, is limited to the advice that you have one. This recommendation is expanded in chapter four, which does provide some reasonable points on creating a policy. A few of the "rules" have been given in the earlier chapters, but chapter five, on network architecture and design, begins what is obviously the body of the book. Some of the advice is questionable, such as the commandment to limit firewall selection to those products that carry the NCSA stamp of approval. (The NCSA approval has some value, but is far from definitive, and, in any case, the group morphed into the ICSA many years ago, and is now TruSecure.) By and large the material, and that which follows, is reasonable and would help to improve the security of any enterprise, although it is quite limited. The remaining chapters cover physical security, PCs (tersely), Internet security, application development, software validation, configuration management, network monitoring, maintenance and troubleshooting, and training. The advice about hardware selection (in chapter six), is restricted to "motherhood" type rules which are vague and would be hard to follow. The chapters on network hardware (eight) and operating systems (nine) both recommend that there be a C2 level rating for routers and servers, although the "orange book" specifications are no longer considered standards (and in spite of the fact that Windows NT 3.51 got a C2 rating--on condition that it was not connected to a network). Encryption, in chapter fourteen, is supposed to be "strong," although there is little information on how to measure strength. (In fact, a key length of 128 bits is mandated, despite the fact that this is far too short for asymmetric systems, and longer than triple DES [Data Encryption Standard].) The suggested actions in case of attack, in chapter nineteen, are rather drastic: spam should be addressed by killing e-mail service, and a denial of service attack should be responded to by disconnecting from the net. Overall, this does have value as a "quick and dirty" set of guidelines for administrators who do not have formal security training and experience. The book is short, and thus easily readable for busy people. While security professionals may cringe at the simplistic nature of some recommendations, the rules can help improve the security of a system that would otherwise have none ... as long as the reader does not gain a false sense that he has implemented proper security. copyright Robert M. Slade, 2002 BKISBPBR.RVW 20021215 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer