Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Excerpt from SANS NewsBites April 16, 2003 Vol. 5, Num. 15 http://www.sans.org/newsletters/newsbites/vol5_15.php The most recent release of OpenBSD should eliminate buffer overflows, according to the group's project leader. The group took three approaches to hardening the software. First, the location of the stack in memory is randomized. Second, the team added a tag to the memory structure that will detect address modifications. Finally, they managed to divide the main memory into two sections: writable and executable; the pieces of data and programs, called "pages", would be stored in one or the other section, ensuring that no page is writable and executable at the same time. http://news.com.com/2100-1002-996584.html [Editor's Note (Gene Schultz): Many kudos are in order here. If what the OpenBSD people are doing really works, they will put considerable pressure on other vendors and developers to do the same. Buffer overflow problems continue to plague operating systems and applications. Eliminating this category of vulnerabilities would be a major victory for the information security arena. (Schneier): It's great to see this kind of approach to buffer overflows. This is an example of building in security instead of trying to patch it afterwards. (Ranum): It's GREAT to see that at least a few people are smart enough to try to attack problems like this systemically, rather than keeping stuck in the fruitless "penetrate and patch" while loop. This is how to make progress in security: fundamental protections. (Shpantzer): Initiatives like this should be taught as case studies in computer science courses at the undergraduate level. ]
I recently had a prescription filled that was written for 60 pills with 4 refills. The pharmacist made a data-entry mistake, and the prescription was entered for 60 pills with 60 refills! Because prescriptions are valid for a year, the pharmacy computer could have detected the error and alerted the pharmacist. But, in this case, the prescription was printed by my doctor's computer so the issue of reading the doctor's handwriting was not an issue. The pharmacist may be used to finding the number of refills in a specific place on the prescription and the computer generated prescription might have the number of refills and quantity of pills in unusual places. The prescription was laser printed in the corner of a standard 8.5" x 11" piece of paper so the form factor of the prescription was also non-standard. [I suppose Monty was lucky the fields were not transposed. Imagine having a prescription for 60 refills of 4 pills each. PGN]
A Reuters news story written yesterday ("Revenge Behind Air India Bombing,
Court Told", by Allan Dowd) included mention of "the Golden Temple in the
city of AmriCzar". Google-ing AmriCzar revealed eight hits, compared to the
about 141,000 of the correct spelling. (That, as you may have guessed, is
Amritsar.) The six shown (two other similar hits were omitted) are:
http://www.washingtonpost.com/wp-dyn/ articles/A58594-2003Mar7.html
http://www.punjabi.net/talk/messages/1/829.html
http://cndyorks.gn.apc.org/news/articles/ asia/itemsonconflict.htm
http://terrorism.com/
http://www.ocf.berkeley.edu/~andychou/archive200211.htm
http://www.jekyl.com/jekyl/arc_Nov02.htm
(Note that some of these are quoting Reuters articles!)
At a guess, the cause seems to have been blind string-matching without
regard for context, including whether the string was part of a larger word.
The RISK? Fortunately, just mild embarrassment in this case, and even that
is assuming that the IT folks at Reuters ever catch wind of this. However,
we've seen worse consequences reported here before due to similar "help",
even when the "correction" is limited to spelling....
David J. Aronson, Software Engineer for hire in Washington DC area.
See http://destined.to/program/ for online resume, references, etc.
[Roto-reuters strike again. PGN]
The Kellogg Company ("cereal giant") began a two-month sweepstake intended
to give away one grand prize of 25,000 American Airlines' AAdvantage miles
each day for 60 days. Unfortunately, due to a "computer glitch", several
thousand people were erroneously notified by e-mail that they were winners
-- and then later notified that the earlier e-mail was in error but that
they would receive 500 miles as a goodwill gesture. [Source: AP item, 29
Apr 2003; PGN-ed]
http://www.siliconvalley.com/mld/siliconvalley/
[For those readers who wonder about why this item is relevant to RISKS,
please remember that technology usually depends on a lot of people. PGN]
The pilots couldn't pass the psychological and physical tests to be allowed
to carry a firearm --- but flying huge planes full of people is OK. Oh, this
makes so much sense! The risks should be obvious.
Four pilots did not finish gun training. Four of the 48 veteran airline
pilots who began the government's first training course for pilots wishing
to carry guns in the cockpit were rejected after they failed at least one
of the battery of required background checks, psychological exams and
firearms tests. Officials said the four rejections showed that the
government was serious about providing guns only to pilots who were
psychologically and physically fit to carry firearms in flight and defend
their planes against attackers. The bill permitting airline pilots to
carry guns was passed by Congress last year, a legacy of the hijackings on
11 Sep 2001, over the serious objections of senior members of the Bush
administration and some members of Congress. [Source: *The New York
Times*, 22 Apr 2003]
http://www.nytimes.com/2003/04/22/international/worldspecial/22PILO.html
By Declan McCullagh, 21 Apr 2003 Cisco Systems has created a more efficient and targeted way for police and intelligence agencies to eavesdrop on people whose Internet service provider uses their company's routers. The company recently published a proposal that describes how it plans to embed "lawful interception" capability into its products. Among the highlights: Eavesdropping "must be undetectable," and multiple apolice agencies conducting simultaneous wiretaps must not learn of one another. If an Internet provider uses encryption to preserve its customers' privacy and has access to the encryption keys, it must turn over the intercepted communications to police in a descrambled form. Cisco's decision to begin offering "lawful interception" capability as an option to its customers could turn out to be either good or bad news for privacy. Because Cisco's routers currently aren't designed to target an individual, it's easy for an Internet service provider (ISP) to comply with a police request today by turning over all the traffic that flows through a router or switch. Cisco's "lawful interception" capability thus might help limit the amount of data that gets scooped up in the process. On the other hand, the argument that it hinders privacy goes like this: By making wiretapping more efficient, Cisco will permit governments in other countries — where court oversight of police eavesdropping is even more limited than in the United States — snoop on far more communications than they could have otherwise. Marc Rotenberg, head of the Electronic Privacy Information Center, says: "I don't see why the technical community should hardwire surveillance standards and not also hardwire accountability standards like audit logs and public reporting. The laws that permit 'lawful interception' typically incorporate both components — the (interception) authority and the means of oversight — but the (Cisco) implementation seems to have only the surveillance component. That is no guarantee that the authority will be used in a 'lawful' manner." U.S. history provides many examples of government and police agencies conducting illegal wiretaps. The FBI unlawfully spied on Eleanor Roosevelt, Martin Luther King Jr., feminists, gay rights leaders and Catholic priests. During its dark days, the bureau used secret files and hidden microphones to blackmail the Kennedy brothers, sway the Supreme Court and influence presidential elections. Cisco's Internet draft may be titled "lawful interception," but there's no guarantee that the capability will always be used legally. Still, if you don't like Cisco's decision, remember that they're not the ones doing the snooping. Cisco is responding to its customers' requests, and if they don't, other hardware vendors will. If you're looking for someone to blame, consider Attorney General John Ashcroft, who asked for and received sweeping surveillance powers in the USA Patriot Act, along with your elected representatives in Congress, who gave those powers to him with virtually no debate. I talked with Fred Baker, a Cisco fellow and former chairman of the Internet Engineering Task Force (IETF), about his work on the "lawful interception" draft. ... http://news.com.com/2010-1071-997528.html
Complaints about fraudulent schemes perpetrated over the Internet tripled in 2002 from the previous year, with the most common grievance being auction fraud, followed by non-delivery of promised merchandise, credit card fraud and fake investments. According to a report from the Internet Fraud Complaint Center, which is run by the FBI and the National White Collar Crime Center, the 48,252 complaints referred for prosecution in 2002 represent only a fraction of the crimes authorities believe are occurring. The center also received almost 37,000 other complaints that did not constitute fraud, but involved such things as spam, illegal child pornography and computer intrusions. The report says 80% of known fraud perpetrators and about 71% of complainants are male. Fraud complaints originated in all parts of the country, with a third coming from California, Florida, Texas and New York. One of the most persistent scams described in the report is the infamous "Nigerian letter," which urges victims to pay an upfront fee (characterized as a bribe to the government) in order to receive non-existent funds from the "Government of Nigeria." There were 16,000 complaints related to that scam in 2002, up from 2,600 in 2001. [AP, 9 Apr 2003; NewsScan Daily, 10 Apr 2003] http://apnews.excite.com/article/20030409/D7QA6UFO0.html
The following CUSTOMER SERVICE ANNOUNCEMENT warns of bogus e-mail offering domain renewals. > Date: Tue, 22 Apr 2003 19:51:59 -0400 > From: "Network Solutions, Inc." [...] > Subject: Customer Renewal Warning > Dear Network Solutions(R) Customer, > We recently learned that our customers are receiving domain name renewal > notices from companies falsely representing themselves as Network > Solutions. These notices inform customers that their domain name > registration is due to expire and provides instructions on how to renew. > If you receive a renewal notice you do not believe is from Network > Solutions or if you have an unauthorized vendor listed on your credit card > statement for 'domain name renewal,' please contact us immediately [...].
As efforts to tackle junk e-mail ramp up, unscrupulous spammers increasingly are hiding their identities by taking over innocent users' accounts using e-mail messages that resemble computer viruses. Like many other viruses, these programs exploit weaknesses in Microsoft's popular Outlook e-mail package. One of the first hijacking programs to emerge was called "Jeem," which contained a hidden e-mail engine that enabled it to route messages via the infected computer. Another, called Proxy-Guzu, comes as a spam message with an attachment. When the unsuspecting recipient clicks on the attachment, the computer contacts a Hotmail account and transmits information about the infected machine, making it possible to route e-mail through that machine. "Spammers are beginning to use virus-like techniques to cover themselves," says Larry Bridwell, content security programs manager at ICSA Labs. "Spam is one of the two things that the security industry is going to be asked to deal with. The other is adware or spyware." [BBC News 30 Apr 2003; NewsScan Daily, 30 Apr 2003] http://news.bbc.co.uk/2/hi/technology/2988209.stm
Deborah Wolfe, a Canadian citizen who was just breast-feeding her son and changing his diaper while en route between Houston and Vancouver, says her "subversive" actions led to her being threatened with detainment, RCMP involvement and legal charges for terrorist action against a U.S. citizen in international airspace while on an American flight during a time of war. ... Wolfe says she refused a flight attendant's offer of an airline blanket to hide herself because it hadn't been sealed and, given the SARS scare, she'd rather use her own things. Thus, unbeknownst to her, a "Level 1" crew complaint was filed. ... She says the flight attendants also began to call her and her travelling party "foreign nationals in international airspace on an international flight during a time of war." And she was informed both of the complaint and that it could be upgraded to a Level 3, which meant possible mandatory detainment by U.S. authorities for 24 hours, RCMP involvement and criminal charges for an act of war upon an American. http://www.canada.com/montreal/montrealgazette/story.asp ?id=51AA6AB6-034B-4FE0-911C-04871E6B1EC5 IP archives at: http://www.interesting-people.org/archives/interesting-people/
As reported in RISKS-22.65, etc., the accuracy requirements for the FBI's National Crime Information Center have been reduced or eliminated. Also discussed in the April 2003 Cryptogram: http://www.counterpane.com/crypto-gram-0304.html At first sight this is bad. But the other point of view may be worth noting: a widely used database which is "accurate" but has a high false positive rate may provide a useful widespread learning experience. Most users of databases regard "the computer" as infallible. A 100-to-1 false positive rate would be salutary! :-) It isn't enough that engineers and computer scientists understand accuracy requirements; the end-users, as represented by lawyers, have to have a feeling for it as well. Bad databases already do damage — it may be that what is needed is a really high-profile failure. You can argue probabilities as much as you like; the thing will only hit home when almost everyone who's had contact with the database has actual knowledge of a failure. [Perhaps if a few Senators, Representatives, Justice Department folks, and other government officials were mistakenly apprehended, that might help. PGN]
I believe a technical contribution to this organizational problem was the fact that Aegis computed/computes the first and second derivatives of measured target height to derive sink/climb rate and acceleration. These values, derived as they are from noisy measurements, are notoriously unreliable. The crew seems to have treated these "measurements" at face value, deriving a threat from the fact that they indicated a high sink rate directed at the Vincennes, when in reality the aircraft was flying level. So in this case the misinterpretation (at least in part) resulted in the ability of computers to provide processed but unreliable data, very likely without an indication of its unreliability (ever seen error bars on such displays?). Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen Research & Development - Tel. +49 201 437 52 52 http://www.mediasec.com
BKFRINSC.RVW 20030321
"Firewalls and Internet Security", William R. Cheswick/Steven M.
Bellovin/Aviel D. Rubin, 2003, 0-201-63466-X, U$49.99/C$77.99
%A William R. Cheswick ches@cheswick.com
%A Steven M. Bellovin smb@stevebellovin.com
%A Aviel D. Rubin avi@rubin.net
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2003
%G 0-201-63466-X
%I Addison-Wesley Publishing Company
%O U$49.99/C$77.99 416-447-5101 fax: 416-443-0948
%O http://www.amazon.com/exec/obidos/ASIN/020163466X/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/020163466X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/020163466X/robsladesin03-20
%P 433 p.
%T "Firewalls and Internet Security: Repelling the Wily Hacker,
Second Edition"
As the first work to deal seriously and completely with the topic, the first
edition of "Firewalls and Internet Security" was one of those classics that
get known only by the last names of the authors, so as not to leave any
possibility of confusion with books whose titles may be similar.
When such a long time has elapsed between editions of a work such as this,
it is more than possible that the field has moved on far enough that a minor
updating of the material is simply not feasible. The authors are quite well
aware of the new territory: where useful, the original structure has been
retained, but otherwise, the book has essentially been rewritten. A huge
undertaking, but the only practical course, in the circumstances.
Part one establishes a starting point. Chapter one, an introduction,
presents a number of basic, but worthwhile, security concepts. The
operations of various components of the TCP/IP protocol suite are discussed,
with the most serious security vulnerabilities helpfully highlighted, in
chapters two (lower layers) and three (upper layers). The authors' thoughts
on the security of the Web are amply expressed in the title of chapter four:
"The Web: Threat or Menace?"
Part two outlines the threats to networked machines. Chapter five describes
a number of different types of attacks. A variety of tools for determining
security weaknesses are listed in chapter six, alongside discussions of the
relative costs/benefits of disclosure versus security by obscurity.
Part three details security tools and utilities. Chapter seven reviews
authentication concepts and techniques. Various network security systems
are described in chapter eight.
Part four gets us to firewalls and virtual private networks (VPNs)
themselves. Chapter nine outlines the different types of firewalls. Basic
filtering concepts are examined in chapter ten. Considerations for
constructing and tuning your firewall are in chapter eleven. Tunnelling and
VPNs are discussed in chapter twelve.
Part five extends the isolated technology of firewalls into the application
of protecting an organization. Network layout, and the implications
thereof, is reviewed in chapter thirteen. Chapter fourteen deals with
hardening of hosts. Chapter fifteen is a rather terse look at intrusion
detection.
Part six is entitled "Lessons Learned." The detection and tracing of
"berferd" is described in chapter sixteen, along with the taking of the
"CLARK" machine in chapter seventeen. In chapter eighteen, Kerberos and
IPSec are used as examples of approaches to security of insecure networks.
Chapter nineteen finishes with some ideas for work that yet needs to be done
to help with the security of the Internet.
The place of firewalls in regard to network security has broadened
considerably in the past decade. This book does reflect that reality.
Unfortunately, that breadth of topic has come at the expense of some depth
in coverage. The result is a book that is definitely worthwhile as an
introduction to the field, but which may no longer be suitable as a working
reference. I must admit that, for some time, I have been recommending
Chapman and Zwicky (cf. BKBUINFI.RVW) over Cheswick and Bellovin's original
text, since "Building Internet Firewalls" seems to have the edge in terms of
practicality. Upon reviewing this new edition of the classic, I would have
to stick to that recommendation.
copyright Robert M. Slade, 1994, 2003 BKFRINSC.RVW 20030321
rslade@sprint.ca rslade@vcn.bc.ca slade@victoria.tc.ca p1@canada.com
BKINSCMI.RVW 20030321 "Inside the Security Mind", Kevin Day, 2003, 0-13-111829-3, U$44.99/C$69.99 %A Kevin Day %C One Lake St., Upper Saddle River, NJ 07458 %D 2003 %G 0-13-111829-3 %I Prentice Hall %O U$44.99/C$69.99 +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0131118293/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0131118293/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0131118293/robsladesin03-20 %P 309 p. %T "Inside the Security Mind: Making the Tough Decisions" I am quite sympathetic to the idea that the realization of a security mindset or attitude (I frequently refer to it as professional paranoia) is more important to attaining security than isolated technical skills. I'm sorry to say that this work is not likely to help you find, attain, or assess that protection perspective. Right from the beginning of the book, readers will find a flavour of eastern philosophy, and even mysticism, to it. There are four virtues, an eight-fold path, and even repeated injunctions for the reader to keep an "open mind"--a phrase which those who have conversed with devotees of the Buddhist faith will find rather familiar. Unfortunately, chapter one seems to demonstrate that Day is bringing us only a newage vagueness in his description of the security mind. We are to rid ourselves of negative thoughts, and follow fundamental virtues, which we haven't been given yet. Computer security is only a decade old, we are told in chapter two, and constantly changing, and expensive, and there are few practitioners, and lots of bad guys out there, and we are paralyzed by fear--but we have nothing to fear but fear itself! Chapter three finally lists the four virtues for us: security is ongoing, a group effort, requires a generic approach, and is dependent upon education. I don't disagree with any of these points (other than the philological debate about whether they should be called virtues), and neither would any other security professional. However, they don't really provide us with much in the way of help. Eight security "rules," in chapter four, list principles such as "least privilege," which are also commonly known in security work. Chapter five is supposed to tell us how to develop a security mind, but actually seems to be an exercise in wishful thinking. If the world were neatly divided into safe and unsafe zones, and if our systems all worked perfectly and in correspondence with our users' known requirements, and if everyone that we trusted were completely competent in regard to their own defence, security would be much easier. Decision-making is likewise simplisticly seen to be supported by the virtues and rules, in chapter six. There is a superficial overview of blackhats and vulnerabilities in chapter seven. Chapter eight has a standard review of risk analysis. Vague ideas on hiring security, and some thoughts on outsourcing, are in chapter nine. The author gives his opinion on some security tools in chapter ten. Chapter eleven is another attempt to prove that the rules can be used. We are given a final adjuration to change our attitudes in chapter twelve. Basically, this book is yet another attempt to write a general security guide, without first ensuring that the material is structured, sound, complete, or useful. copyright Robert M. Slade, 2003 BKINSCMI.RVW 20030321 rslade@sprint.ca rslade@vcn.bc.ca slade@victoria.tc.ca p1@canada.com
Please report problems with the web pages to the maintainer