The worst problem since the last time.... RISKS readers will remember RISKS-18.55 and .60 in which the new Berlin light-rail switching computers had themselves a little glitch when they hit real service in 1998 -- a stack overflow. *Tagesspiegel* (http://archiv.tagesspiegel.de/archiv/12.01.2003/389362.asp) of 12 Jan 2003 reports that a little power-out at 13:35 the day before caused all three of the switching computers governing the track between Zoo and Ostbahnhof (the line with the most daily traffic, of course) to crash. It took until around 16:00 to get the systems back in service. Because this section of track is also in use by the Deutsche Bahn, many trains were terminated at stations outside of the city. Around 100 light-rail trainsets were stranded on open track. People were kept in the cars for up to 90 minutes. Luckily, the electricity came back on right away, so the heaters were on and people didn't have to freeze. Those in charge have absolutely no explanation for the problem, etc. At least the fail-safe worked, and all the signals went to red. I suppose we have to be thankful for small blessings. Further reports just noted that there is no explanation for all of the computers (which are supposed to be on separate power lines) crashing at the same time. I had hoped to be able to give more information, but the papers have dropped the topic in favor of more racy topics.... Prof. Dr. Debora Weber-Wulff, FHTW Berlin FB 4, Treskowallee 8, 10313 Berlin +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/
A research team in New Zealand has discovered a man who developed an almost-fatal blood clot after spending up to 18 hours a day at his computer workstation. The clot developed in his leg and traveled to his lungs. Researcher Richard Beasley of the Medical Research Institute of New Zealand said that the problem could be widespread, and advised people who spend long periods using computers to stretch their legs frequently. [*Globe News*/CNet New Zealand, 30 Jan 2003; NewsScan Daily, 30 January 2003] http://www.stuff.co.nz/stuff/0,2106,2226653a7144,00.html [... not to mention finger, hand, back, eye, and other problems. PGN]
Microsoft has been embarrassed by having to acknowledge that the SQL Slammer virus, which infected computer servers all over the world, also contaminated some of Microsoft's own servers, because system administrators had failed to heed the company's own advice to install a software patch months ago to fix a known system vulnerability. A Microsoft executive had to admit: "We, like the rest of the industry, struggle to get 100% compliance with our patch management. We recognize -- now more than ever -- that this is something we need to work on. And, like the rest of the industry, we're working to fix it." [*The New York Times*, 28 Jan 2003; NewsScan Daily, 28 January 2003] http://partners.nytimes.com/2003/01/28/technology/28SOFT.html
Of course, Microsoft's own SQL servers were victimized because they had not all been properly patched! Reports that the patches were available 6 months ago seem to be erroneous, because the patch for the Slammer exploit was apparently released only recently before the attacks. Although some folks are trying to put the blame on incompetent system administrators, I have heard that the service packs were poorly documented, and came in multiple versions depending on which SQL server software you were running, so that the SysAdmin burden was considerable. The worm affected many worldwide, including Bank of America's automatic teller machines, air-traffic control at Houston's Bush Intercontinental Airport, Cleveland, and New Jersey, American Express operations, and a Canadian Internet election.com vote in progress (which RISKS readers already know is not a great idea with respect to security). I had one out-of-band report that a major corporate research intranet was hosed because port 1434 accepted random UDP packets through the firewall. And once again, the payload on this worm was relatively benign compared with the damage it could have done. The fact that so many different exploits keep recurring suggests that something is fundamentally wrong with the software development and operational processes. As I said at the Homeland Security Town Meeting panel in San Diego on 28 Jan 2003, the chickens of neglect are coming home to roost. The folks who should be developing sound systems seem to have chickened out. Especially the non-bantam roost-ers who crow about their perfect security.
With all the noise about SQL Slammer, I gave instructions on Monday to my staff to verify that all systems in our lab that run SQL Server were at the latest patch level. Not surprisingly, a few weren't, and so upgrades began. Several of the systems ended up dead, and we naturally blamed the patch install process, which is notoriously error prone. In this case, though, there was another explanation. Midway through the install process, the fuses on one of the furnaces in the building blew (the outside temperature has been much below usual in Virginia for the past few weeks). This apparently sent enough of an electrical spike into the computers that we ended up with file system corruption in a way that wasn't resolved by an ordinary reboot, despite our UPSs & surge protectors. It also caused the temperature in the building to drop to a point where we were uncomfortable and having difficulty thinking carefully, especially given the obvious explanation of a failed patch. We don't quite know how it happened, but the file system corruption was both on Windows & Solaris boxes, so we're sure it had nothing to do with the patch installation, and the electrical malfunction seems the most likely explanation. The RISK is assuming that a system failure which occurs in temporal proximity to a security patch is in fact caused by the security patch!
The latest cyber attack (last weekend's SQL Slammer virus, which infected thousands of computer servers throughout the world) has given a new boost to "network risk insurance" (AKA "hacker insurance"), which is expected to grow from the $100 million industry it is now to a $2.5 billion industry by 2005. Bruce Schneier, the chief technology officer for Internet security at Counterpane, thinks that insurance is every bit as important as prevention: "I believe that within a few years hacking insurance will be ubiquitous. The notion that you must rely on prevention is just as stupid as building a brick wall around your house. That notion is just wrong." But getting "hacker insurance" is not as easy as one might think, because insurers typically require a third-party assessment of the insurance applicant's security system, which might cost as much as $50,000. [Reuters/*USA Today*, 28 Jan 2003; NewsScan Daily, 29 Jan 2003] http://shorl.com/bupimybristumu
[From Pete Lindstrom, Spire Security, firstname.lastname@example.org] *<Adjective> Computer Worm <verb> Internet* In the wee hours of <date>, a <adjective> computer worm spread <adverb> throughout the Internet. Dubbed <silly name> because <ridiculous reason that doesn't explain anything about how it works>, and also known as <another random name> and <another random name>, the worm has infected an estimated <number> systems within <length of time>. Experts are calling this worm the most <adjective> since <date in the past>. The worm exploits a hole in <Microsoft product name> that was first identified <number> months ago by <security company name>. In an attempt to secure the planet, <same company> released detailed information about the vulnerability and how to exploit it. They also mentioned how to fix it, but apparently <noun> listened. Coincidentally, the worm that exploited this hole was also first identified by <same company>. Even more coincidentally, they make a product to protect against <noun>. "Actually, it's not really a <noun>, it's a <noun>," said <Pete Lindstrom, or some other person seeking publicity>. " A true <noun> works by <random filler that nobody will read>." The worm's payload <verb> every system by <verb ending in -ing> the <noun>. Comparatively speaking, this is much worse than <another worm> but not as bad as <another worm>. The computers of <place> were hit the hardest. Current damage is estimated at <dollar figure more than the GNP of two-thirds of the world's nations>. " This worm has the potential to <something or other>," said <Pete Lindstrom, or some other person trying hard to come up with something interesting to say ;-)>. " It just goes to show you that <another something or other>." Though there is no way to protect against this particular bug, experts recommend trying <longshot one> or <longshot two>, neither of which matter, since nobody will do it anyway.
By Stephanie Hanes, Sun Staff, 26 Jan 2003 Twelve University of Maryland undergraduates have been accused of using Web-equipped cell phones or handheld organizers to cheat on a business school final exam last month, according to the school's student-run Honor Council. Six of them have admitted to misconduct during that same test, the council said. The allegations prompted Provost William W. Destler to issue a warning to faculty members about the potential misuse of cell phones and other common handheld electronics, said J. Andrew Cantor, a 20-year-old senior and chairman of the Honor Council. ... http://www.sunspot.net/news/education/bal-md.cheating26jan26,0,3792093.story
QUALCOMM's CDMA Technology Enhances Security Measures at Super Bowl XXXVII Regional Homeland Security Agencies and Technology Partners Teamed Up To Provide Security Assistance for the Super Bowl - SAN DIEGO, Jan. 29 /PRNewswire-FirstCall/ -- QUALCOMM Incorporated (NASDAQ:QCOM), pioneer and world leader of Code Division Multiple Access (CDMA) digital wireless technology, joined forces with regional homeland security agencies and technology partners to augment existing security measures for Super Bowl XXXVII. QUALCOMM, in partnership with the San Diego Regional Network on Homeland Security (RNHS) and other technology companies, assisted the San Diego Police Department (SDPD) with security preparations for Super Bowl XXXVII by providing technology and products based on CDMA technology. QUALCOMM provided wireless phones capable of carrying government- classified information over commercial cellular networks to federal law enforcement agencies and federal task force entities. These phones, referred to as the Qsec-800(R), are National Security Agency certified cellular phones developed through a U.S. Government contract with QUALCOMM. The phones represent a first step in securing the nation's cellular communications using the extensive CDMA network that is commercially available. In addition to the secure wireless handsets, QUALCOMM had worked out an architecture that allowed the SDPD to access data, such as real time video as supplied by cameras, using digital technology from cVideo, at QUALCOMM Stadium, over commercial CDMA2000 1X networks. QUALCOMM's expertise in security ensured these data capabilities met the high standards set by the United States Department of Justice and local law enforcement. ... http://finance.lycos.com/home/news/story.asp?story=31220472
Tracking device crucial in rescues: Environmental satellites with search-and-rescue tracking capability helped save 171 sailors, hikers, downed pilots, and others across the country last year, including 15 people in five incidents off the New England coast. The Coast Guard requires all commercial fishing vessels and merchant ships to carry an Emergency Position Indicating Radio Beacon, which sends out a distress signal that NOAA satellites pick up and relay to the appropriate emergency response agency. Since it was launched in 1982, the satellite system is estimated to have saved 4,500 lives in the United States, said NOAA administrator Conrad C. Lautenbacher. ... [Source: Jim Geraghty, States News Service, 26 Jan 2003; PGN-ed] http://www.boston.com/dailyglobe2/026/nation/Satellite_system_seen_as_a_key_life_saver+.shtml
BKISBPBR.RVW 20021215 "Information Security Best Practices", George L. Stefanek, 2002, 1-878707-96-5 %A George L. Stefanek %C 225 Wildwood Street, Woburn, MA 01801 %D 2002 %G 1-878707-96-5 %I Butterworth-Heinemann/CRC Press/Digital Press %O 800-366-BOOK fax: 1-617-933-6333 email@example.com www.bh.com/bh/ %O http://www.amazon.com/exec/obidos/ASIN/1878707965/robsladesinterne %P 194 p. + CD-ROM %T "Information Security Best Practices: 205 Basic Rules" The preface states that this book contains rules for a, possibly novice, system administrator and manager to provide a basic level of security for an organization. Chapter one lists a few (well, eleven) attacks on information systems. These are rather simple; the virus definition is quite old (there is no mention of macro or e-mail viruses) and worms are depicted in terms of memory exhaustion; and it is difficult to see what purpose they serve. The generic structure of an attack or intrusion is described in chapter two. The initial discussion of policy, in chapter three, is limited to the advice that you have one. This recommendation is expanded in chapter four, which does provide some reasonable points on creating a policy. A few of the "rules" have been given in the earlier chapters, but chapter five, on network architecture and design, begins what is obviously the body of the book. Some of the advice is questionable, such as the commandment to limit firewall selection to those products that carry the NCSA stamp of approval. (The NCSA approval has some value, but is far from definitive, and, in any case, the group morphed into the ICSA many years ago, and is now TruSecure.) By and large the material, and that which follows, is reasonable and would help to improve the security of any enterprise, although it is quite limited. The remaining chapters cover physical security, PCs (tersely), Internet security, application development, software validation, configuration management, network monitoring, maintenance and troubleshooting, and training. The advice about hardware selection (in chapter six), is restricted to "motherhood" type rules which are vague and would be hard to follow. The chapters on network hardware (eight) and operating systems (nine) both recommend that there be a C2 level rating for routers and servers, although the "orange book" specifications are no longer considered standards (and in spite of the fact that Windows NT 3.51 got a C2 rating--on condition that it was not connected to a network). Encryption, in chapter fourteen, is supposed to be "strong," although there is little information on how to measure strength. (In fact, a key length of 128 bits is mandated, despite the fact that this is far too short for asymmetric systems, and longer than triple DES [Data Encryption Standard].) The suggested actions in case of attack, in chapter nineteen, are rather drastic: spam should be addressed by killing e-mail service, and a denial of service attack should be responded to by disconnecting from the net. Overall, this does have value as a "quick and dirty" set of guidelines for administrators who do not have formal security training and experience. The book is short, and thus easily readable for busy people. While security professionals may cringe at the simplistic nature of some recommendations, the rules can help improve the security of a system that would otherwise have none ... as long as the reader does not gain a false sense that he has implemented proper security. copyright Robert M. Slade, 2002 BKISBPBR.RVW 20021215 firstname.lastname@example.org email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer