Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
On 7 Feb 2003, doctors at Duke Hospital in North Carolina mistakenly transplanted a heart and lungs from a donor with Type A blood to a recipient with Type O blood. Her body immediately started rejecting the transplanted organs. The organs, which came from a cadaver in Massachusetts, included paperwork correctly listing the donor's type-A blood. The hospital admits the error, but hasn't made public any information indicating how the mistake was made. On 20 Feb, new matching organs were transplanted in a second surgery. Under normal conditions, a heart-lung transplant has a 50% success rate. [I have yet to hear whether there was any computer-related error here -- for example, someone miskeying the patient's blood type as A or misrepresenting the donor's type as O. Please let us know if you hear anything further. PGN]
Sitting too long at your computer can cause potentially deadly blood clots. The European Respiratory Journal reports the case of a young man from New Zealand who nearly died after developing deep-vein thrombosis (DVT) after using his computer as much as 18 hours a day. The clot in his leg broke off and traveled to his lungs. (This problem has been reported on long airline flights, and was reportedly first noticed in people who sait in World-War-2 air-raid shelters). [Source: BBC news, 28 Jan 2003; PGN-ed] http://news.bbc.co.uk/1/hi/health/2698119.stm Peter Mellor, Centre for Software Reliability, City University, Northampton Square, London EC1V 0HB +44 (0)20 7040 8422
The RISKS of the following should be obvious to regular readers of
this forum. Emphasis IN CAPITALS added by poster, not in original.
INTERNET LIFT CONTROL: Alcala University's Electronic Department has a
research group that is developing an electronic system that will monitor
the operation state of an elevator and transmit that information through
the Internet to a central computer. The system would be installed in each
lift with temperature-gauge inputs in various locations. The transmission
signals WILL PERMIT THE MACHINERY TO BE RESET AND ACTED UPON BY REMOTE
CONTROL. Collaboration is being sought through a joint venture or a
licensing/manufacturing agreement. .... ELENET(R) is a free e-mail
newsletter transmitted biweekly by Elevator World, Inc., the publisher of
ELEVATOR WORLD magazine. ELENET(R) is a registered trademark and all
rights are reserved. Copyright 2003(C) Elevator World, Inc., 356 Morgan
Avenue, Mobile, AL 36606, phone: (251) 479-4514, fax: (251) 479-7043,
Internet: www.elevator-world.com.
[I got a real UPLIFT from reading that one. I hope it PUSHES YOUR
BUTTONS as well. In elevator parlance, it could RUS(S)tle your CAGE. I
note that the Spanish word for elevator is "ascensor", which suggests
that we might contemplate the SENSOR CENSOR that filters the information
that is available to the Internet when a Critical Person or someone with
a large rear end (as*censor) enters the elevator, and perhaps even a
SEE-YOU-LATER-ALLOCATOR ACTUATOR when you wish to delay someone you
don't like. PGN]
Despite being described as a long-time Internet user and an accomplished dentist who was knowledgeable about Internet crime, Bruce Lachot decided to buy a new BMW M5 over the Internet from someone in Germany, for the bargain price of $55,000. The result: no car, no trace of the seller, and the need for a lot more dental patients. [Bob Sullivan, MSNBC, 23 Jan 2003; PGN-ed] http://www.msnbc.com/news/854552.asp
A security flaw at FTD.com left a large flowering bouquet of private
information ready for picking during the busy business week leading up to
Valentine's Day. Using sequentially modified cookies, outsiders could
exhaustively access customer billing records, including names, addresses,
and phone numbers. (Availability of credit-card data was reported
initially, but later denied by FTD — perhaps after they blocked it.) This
was discovered when one customer found another person's information
displayed by his browser, and reported to NTBugTraq on 12 Feb. It was fixed
on 14 Feb. Prerequisite for doing the attack was reported as 'HTML for
Dummies' (or equivalent).
[Source: Robert Lemos, FTD.com hole leaks personal information,
CNET News.com, 13 Feb 2003; PGN-ed]
http://news.com.com/2100-1017-984585.html
[See the cryptome.org URL below, which is one of the sites at which
this message and its supporting documents appeared. PGN]
Citibank is trying to get an order in the High Court today gagging
public disclosure of crypto vulnerabilities:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_gag.pdf
I have written to the judge opposing the order:
http://www.cl.cam.ac.uk/ftp/users/rja14/citibank_response.pdf
The background is that my student Mike Bond has discovered some really
horrendous vulnerabilities in the cryptographic equipment commonly
used to protect the PINs used to identify customers to cash machines:
http://www.cl.cam.ac.uk/TechReports/UCAM-CL-TR-560.pdf
These vulnerabilities mean that bank insiders can almost trivially find out
the PINs of any or all customers. The discoveries happened while Mike and I
were working as expert witnesses on a `phantom withdrawal' case.
The vulnerabilities are also scientifically interesting:
http://cryptome.org/pacc.htm
For the last couple of years or so there has been a rising tide of
phantoms. I get e-mail with increasing frequency from people all over the
world whose banks have debited them for ATM withdrawals that they deny
making. Banks in many countries simply claim that their systems are secure
and so the customers must be responsible. It now looks like some of these
vulnerabilities have also been discovered by the bad guys. Our courts and
regulators should make the banks fix their systems, rather than just lying
about security and dumping the costs on the customers.
Curiously enough, Citi was also the bank in the case that set US law on
phantom withdrawals from ATMs (Judd v Citibank). They lost. I hope that's an
omen, if not a precedent ...
Microsoft has filed a lawsuit against unnamed bulk mailers who harvested the e-mail addresses of Hotmail users in order to bombard them with junk messages. The spammers allegedly used tools to randomly generate e-mail addresses and then tested them to see which accounts were active. Microsoft argues that this form of dictionary attack violates federal laws, including the Computer Fraud and Abuse Act. (*The Register*, 19 Feb 2003; NewsScan Daily, 19 Feb 2003) http://www.theregister.co.uk/content/6/29382.html
Two teenagers died when their rowboat sank in Long Island Sound on 24 Jan 2003. The 911 operators who took their last-minute phone call have been charged for not handling the call and delaying the search for a day. The story suggests that there may have been some familiar RISKS themes along with the obvious ones: the operator attempted to enter "Long Island Sound" as the location but the software prevented that and, after consulting an equally ill-informed superviser, the operator simply gave up and dropped the call. It sounds like this was a known problem as the official response has been that they should have known to use the address of the nearest police station instead. http://story.news.yahoo.com/news ?tmpl=story&ncid=533&e=9&cid=533&u=/ap/20030218/ap_on_re_us/missing_teens
A newly-available Web site at <http://www.sentinel.csiro.au/> declares: "Sentinel Fire Mapping is a mapping tool designed to provide timely fire location data to emergency service managers across Australia. The mapping system allows users to identify fire locations that pose a potential risk to communities and property." Unfortunately, recent publicity for the site has generated a burning interest: "Due to heavy demand this Web site is currently experiencing delays. Please be patient and allow priority access to emergency services."
I got a fundraising phone call last week from one of the US political party's campaign fund raising organizations. This alerted me to a new type of phone-calling mechanism that more and more telemarketers are using. While the voice on the other end of the line was human, there were odd pauses between portions of our conversation, a few clicks on the other end of the phone line, and sometimes an odd response to my questions or comments. I realized that I was talking to a machine which was being controlled by a human. Not an "Eliza" like computer program mind you, but a recorded voice mechanism which a human was controlling. Half of the responses were totally appropriate, accurate, and well-delivered, but the rest seemed that "he" was not really listening to me, or had to read from a pre-canned and scripted set of responses. Well, of course that is exactly what was going on. The human telemarketer would be listening to the call, and in response to my questions, comments, and responses, push a button on a computer screen which would then play a prerecorded statement in answer to my query. It was fairly easy to ask a couple of offbeat questions which could only be handled by vague, stiff, and rather useless zombie-like answers. The system can actually be quite useful in many circumstances where the phone operators repeat the exact same answers many times during the day. A live operator can sound bored, angry, distracted, or have a hard to understand accent, where the prerecorded voice is always pleasant, clear, and can even have the same regional or national accent of the caller. These same human controlled computer response "e-lip" systems are not just useful in telemarketing, they can also be useful in phone Customer support environments, at least on the front line calls. And in an Internet "chat" room support environment, one technician could carry on multiple conversations simultaneously, responding by copy&pasting pre-canned text to a screen full of slow typists. In a chat-room environment, the delay in responses would barely be noticed unless the tech was trying to do too many conversations at once. http://sfgate.com/cgi-bin/article.cgi?f=3D/c/a/2003/02/19/LAZ.TMP details a SBS Yahoo tech call with "Floyd" and support.sbcglobal.net/general/contact/ can connect you with "Austin". Both are apparently a form of "e-lip" systems. The risk here is that inappropriate responses from a "known" machine can be tolerated to some extent, but my tolerance level shrunk to almost zero when I realized that I was being "fooled" into thinking I was actually talking with a human. There is a difference between talking WITH a person, and talking AT a person who is responding via a canned-response machine. If I was talking to Stephen Hawking, the machine responses are "normal", but these systems are attempting to fake you out, and those same responses evoked frustration, resentment, and maybe even anger. After playing with the "cyborg machinery" for a few seconds I just hung up.
Ok, I know it's not much of a security issue, but to leave the code in your
Web page viewable to see what format the 'valid serial number' should be is
just silly.
I wanted to download a patch for my lecturer to run a copy of 3dstudio
max on XP, and went to www.discreet.com to do this:
(Yes, they have licenses, but the software version they use won't
work on XP)
www.discreet.com/support/max
where I was prompted for my name, surname, address, serial number of the
product etc in order to obtain the update.
After being told I had entered incorrect details persistently, I thought
I'd check the source code to see what it wanted. Yep, there it was:
function ValidSerial(item) {
if (item.length != 12) return false;
if (item.indexOf('-') != 3) return false;
var i;
for (i = 0; i < item.length; i++) {
var c = item.charAt(i);
if (((c < "0") || (c > "9")) && (i != 3)) return false;
}
if (item == "226-19791979") return false;
if (item == "110-12345678") return false;
return true;
So, in goes a random number in the format clearly described, and away I go.
A valid street name and postal code can be obtained from www.streetmap.co.uk
and typing in a random street name, and an e-mail address, should they need
to send you an activation code or such like, can be set up at hotmail
instantly. The least they could've done is use .asp to hide the code. One
easy way to avoid disclosing your personal information to companies you'd
rather not have it.
Nik, student at BCUC(.ac.uk)
In Norway, a 106-year-old woman was summoned to start school, and offered free bus rides to the school. The last time she had started school was of course 1903, having been born in '97. "Since I can already read, maybe I should skip a couple grades," she joked. [Source: Associated Press, 31 Jan 2003; PGN-ed] http://news.yahoo.com/news ?tmpl=story2&u=/ap/20030131/ap_on_fe_st/norway_senior_student
As a proof that technology can lead to a dead end, here it goes what happened last winter to my girlfriend and me. While visiting Portugal, in Lisbon, we had to go to the doctor. The medical insurance she is subscribed to allows her to receive medical assistance without any bills, which are sent to the insurance company. For the only purpose of being sure that the carrier of the insurance title the insurance company is asked to send a fax copy of the actual contract. Oh well. That is not as easy as it sounds. When called, the company representative who answered the 24hrs service line said "we don't do faxes anymore. Don't they have an e-mail address?" It happens that in the 24 service hospital we went to, they do not have e-mail. And for that matter, what kind of authentication mechanism both ends would have used to ensure that the sender was who it claimed to be? As seen, early technology adoption with a depreciation of old communication methods is as bad as slow technology adoption. Finally we had to pay the bill. She will probably sue the company ;) Jesus Climent | Unix SysAdm | Helsinki, Finland | pumuki.hispalinux.es
The National Association of Criminal Defense Lawyers has joined with the Electronic Frontier Foundation and the Sentencing Project in publishing a position paper that argues people convicted of computer-related crimes tend to receive harsher sentences than perpetrators of comparable non-computer-related offenses. "The serious nature of the offenses is overplayed," says Jennifer Granick, author of the paper and clinical director at Stanford University's Center for Internet and Society. "The (majority) of the offenses are generally disgruntled employees getting back at the employer or trying to make money." In a review of 55 cases prosecuted under the most-often used computer crime statute, only 15 involved harm to the public and only one resulted in a threat to safety. Those convicted "are receiving sentences based on the fear of the worst-case scenario rather than what the case may really be about," says Granick. The paper was submitted in response a request for public comment by the U.S. Sentencing Commission as required by the Homeland Security Act of 2002. Cybercrime legal expert Scott Frewing says he agrees with many points raised in the paper, but recommends a two-tiered sentencing threshold: "I would be comfortable in a situation where the code addresses the discrepancy between those who cause bodily injury and those that don't. If that results in the law being unfair to a virus writer, maybe that's enough to put them on notice." [CNet News.com 20 Feb 2003; NewsScan Daily, 21 February 2003] http://news.com.com/2100-1001-985407.html?tag=fd_top
[Dan Foster said "there is no safe way to deterministically recover" from the failure he described in RISKS-22.57. PGN] Actually, there is a reasonably "safe" automatic recovery procedure for traffic lights to transition from blinking-red to normal operation: Switch to red in all directions for the 10-20 seconds, in order to clear the intersection of those who were crossing in 4-way stop mode. This allows the intersection to clear of traffic before normal operation resumes. You can pick nits on cases where a car ends up being stuck in the intersection after the light resumes normal operation, but those can occur during normal operation as well. [Congratulations to RISKS readers who responded to this one. We received over 100 messages, mostly with content similar to Nicholas's. Many thanks. That sets the all-time RISKS record thus far. CHEERS! PGN]
> As usual the two most common responses are: > 1. Blame Microsoft for producing code with holes in. > 2. Blame the sysadmins for not patching systems. > [and 3. Nobody blames the anti-social [deleted] who wrote it] My reaction is to blame the sysadmins who exposed a system to the Internet running unhardened applications without minimal firewalls in place. I have one Internet-visible box running SQL server... it's isolated behind a proxy firewall that doesn't allow any connections n or out that aren't specifically required for the application running on top of the database. This is really the appropriate level of protection for an application that's only "LAN tight"... regardless of who wrote the OS or application. I wouldn't demand everyone use a proxy firewall, but I would expect at least as much protection between it and the Internet, and between the inside LAN and it, as there is between the inside LAN and the Internet. But even the elementary precaution of restricting incoming connections to ports and addresses that are known to be required would have been enough to stop this worm in its tracks.
BKMMSCRP.RVW 20030207 "Mike Meyers' Security+ Certification Passport", Trevor Kay, 2003, 0-07-222741-9, U$29.99/C$44.95 %A Trevor Kay trevor@trevorkay.com %C 300 Water Street, Whitby, Ontario L1N 9B6 %D 2003 %G 0-07-222741-9 %I McGraw-Hill Ryerson/Osborne %O U$29.99/C$44.95 800-565-5758 fax: 905-430-5020 %O http://www.amazon.com/exec/obidos/ASIN/0072227419/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0072227419/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0072227419/robsladesin03-20 %P 363 + CD-ROM %T "Mike Meyers' Security+ Certification Passport" Given the organization of the Security+ objectives, part one covers general security concepts and chapter one is on access control. Some factors are dismissed a little bit too concisely: it is difficult to justify the blanket statement that biometric authentication is "extremely accurate and secure." (Biometrics does get a bit more explanation in the chapter on physical security, but there is no indication of that in this location.) For the first set of sample questions, the emphasis is on simple definitions and fact recitation, but later questions do become somewhat more complex. A variety of attacks are described in chapter two, generally reasonably. The virus material is unfortunately poor, concentrating on older viral technologies (such as the almost extinct boot sector viruses and older DOS precedence-based companions) and failing to provide proper outlines of the basic antivirus technologies. Part two looks at communications security. Chapter three deals with remote access, but the content has limited application to security. Technologies related to Internet application security are reviewed in chapter four. The highlights are touched on, but the lack of detail can be troubling. Cookies are discussed, with some mention of privacy, but the potential problem of cross-site tracking is not dealt with at all, and neither is the danger of HTML (HyperText Markup Language) formatted messages when the topic turns to e-mail. The material on wireless networking and security, in chapter five, is very weak. The explanation of direct-sequence spread spectrum is not clear at all, a mention of SSL (Secure Sockets Layer) makes no reference to the description in the previous chapter (and almost contradicts it), and security itself gets short shrift in the haste to trot out the alphabet soup of related technologies. Part three deals with infrastructure security. Chapter six runs through a list of networking components, cabling, and storage media, again with limited allusion to security. Network topologies and intrusion detection systems are discussed in chapter seven. System hardening, generally by applying patches and disabling functions, is reviewed in chapter eight. Cryptography is in part four. Most of the basic content in chapter nine is sensible, but it is clear from the paragraphs on double- and triple-DES (Data Encryption Standard) that the author does not fully understand the subject. Chapter ten reviews key management, but it is not clear why the topic was separated from that of PKI (Public Key Infrastructure). Part five deals with operational and organizational security. Physical security, in chapter eleven, is covered fairly well. Disaster recovery is confined to backups and fault tolerance: chapter twelve supports Kenneth Myers contention (cf. BKMGTCPD.RVW) that most people concentrate on recovering technology rather than the business, and would be improved by a broader view that incorporated all aspects of the operation. Chapter thirteen lists some areas that should be covered in a security policy. Forensics is dealt with poorly, and chapter fourteen also throws in education and training. While the book still adheres, rather slavishly, to the arbitrary structure of the Security+ list of objectives, the content is generally pretty reasonable, providing background explanations for important concepts, and keeping the descriptions of many of the specific technologies limited to the fundamental ideas. The text does tend to be terse, given the size of the book, but most basic material should be available to the student. This does vary by chapter: some seem to be merely going through the motions. The work could be improved with some removal of duplicated material. For example, there are three separate discussions of social engineering, and two could be replaced with cross-references. Despite its smaller size, I would recommend this volume over the Syngress "Security+ Study Guide and DVD Training System" (cf. BKSCRTYP.RVW), but not emphatically. copyright, Robert M. Slade, 2003 BKMMSCRP.RVW 20030207 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer