Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The Helios solar-powered flying wing was lost in June in the Pacific just west of the Hawaiian Islands, whence it was flying, due to "control difficulties that resulted in severe oscillations" at about 3,000 ft altitude [1]. The craft set an altitude record for propeller-driven craft of nearly 100,000 ft in its previous set of flights for NASA. Helios is (rather, was) extremely lightweight and remote-piloted. Lots of it has been recovered from the ocean, but the fuel-cell system, reported to cost $10m, sank in about 1,800m of water and is unlikely to be recovered. The National Research Council Committee on the Effects of Aircraft-Pilot Coupling [APC] on Flight Safety reported in 1997 that, although APC events are rare, they occur "at some point during the development of almost all FBW [Fly-By-Wire] aircraft" and notes that they are often associated with the introduction of new technologies [2, p6], of which the Helios is one of the more remarkable. [1] Guy Norris, Helios board looks at cause of `severe oscillations´, Flight International, 15-21 July, 2003, p26. [2] National Research Council, Committee on the Effects of Aircraft-Pilot Coupling, "Aviation Safety and Pilot Control", National Academy Press, 1997. Peter B. Ladkin, University of Bielefeld, Germany http://www.rvs.uni-bielefeld.de
The *Wall Street Journal* reported today that a mistaken order on the Chicago Board of Trade's "e-mini Dow Jones Industrial Average Futures" caused wild market swings today. Apparently an order to sell 10,000 contracts instead of 100 was put in by mistake. This caused the market, which had been on the upswing htat day, to plunge downwards in both the Chicago Board of Trade and the Chicago Mercantile Exchange. Several traders reported assuming that some bad news such as a terrorist attack had sparked the sell-off. The RISK of a typo on an electronic system causing financial havoc is once again made clear. Conrad Heiney conrad@fringehead.org http://fringehead.org
By Michael D. Shear, *The Washington Post*, 13 Jul 2003 Federal and state police put the handcuffs on 32-year-old Angel Gonzales in front of his wife and two young children just as the neighborhood school bus pulled up. ''We're taking your father to jail,'' they told his 6-year-old daughter, walking Gonzales to the cruiser as his neighbors gawked. The police had nabbed Gonzales, who lives in the Tidewater area of Virginia, on a Las Vegas fugitive warrant on cocaine charges. The warrant said he was armed and dangerous. Ambur Daley, 27, was arrested in a North Carolina airport as she returned from visiting her grandmother in Canada. The Staunton, Va., resident was booked, fingerprinted, and kept overnight in jail, accused of writing bad checks. In fact, neither Daley nor Gonzales had done anything wrong. The crimes they were accused of were committed by phantoms — identity thieves who have stolen their names, Social Security numbers, addresses, and telephone numbers. Dependent on electronic records in databanks, police across the nation were chasing the wrong people. Both now have a Virginia Identity Theft Passport, the first two victims to participate in a program aimed at giving people such as Daley and Gonzales a fighting chance in convincing police of their innocence. A state law creating the program took effect July 1. Issued by a judge and bearing the seal of Attorney General Jerry W. Kilgore, the passport is intended to aid Virginia residents who are the victims of identity theft. ... http://www.boston.com:80/dailyglobe2/194/nation/ A_Virginia_law_aids_identity_theft_victims+.shtml
According to a story in the "This is True" mailing list, based on another from the *Los Angeles Daily News*, 6 people in the Los Angeles area, 18 in Oregon, and 4 in Alaska, all with the name David Nelson, have been pulled from commercial flights even after passing security checks. The Transportation Security Administration is quoted as saying that the name is not on any list, but that pattern matching technology is flagging the name. Does anyone have any further information on this phenomenon? rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Tonny Horne, an Indiana man who thought Chicago WFLD (Channel 32) news anchor Tamron Hall was talking to him through his television set, and who showered her with affectionate and obscene e-mails for two years, will be among the first people charged under Illinois' 2001 cyberstalking law. A grand jury indicted him on charges of cyberstalking and criminal trespassing. He had been arrested on 16 Jun 2003 outside the Chicago Fox studios. If convicted, he could face 2 to 5 years in prison. [Source: article by Rick Jervis, *Chicago Tribute*, 13 Jul 2003; PGN-ed] http://www.chicagotribune.com/technology/chi-0307130506jul13,1,2009477.story
Computer security expert Richard M. Smith says that in the last month network vandals (possibly linked to Russian organized crime) have found ways to take over PCs with high-speed connections to the Internet and use them, without their owners' knowledge, to send Web pages advertising pornographic sites. Smith says that "people are sort of involved in the porno business and don't even know it." Most PC owners don't know when their computers have been hijacked and the hijacking apparently doesn't damage the computer or disrupt its operation. Because so many different machines are hijacked to perpetrate this scheme, there's no single computer that be shut down to end the problem. Smith adds: "We're dealing with somebody here who is very clever." (*The New York Times*, 11 Jul 2003; NewsScan Daily, 11 Jul 2003) http://partners.nytimes.com/2003/07/11/technology/11HACK.html
ZDNet reports yet another attempt to "discourage PC theft": http://zdnet.com.com/2100-1105_2-1009807.html A short extract: "Every time a computer outfitted with TheftGuard connects to the Internet, it pings the TheftGuard site. A computer-theft victim can register the machine at the site. If the stolen machine is brought online, the original owner can arrange to have the machine crippled or crippled with all data erased, and can determine the Internet Protocol address used--which can help in hunting down the thief." Naturally: - The TheftGuard site can and will never, ever be hacked - or even a tempting target for hackers; - Extensive checks will be put in place to ensure that only the registered owner of a PC can call in to say it's been stolen (perhaps they'll ask for your SSN ?); - The world's law enforcement agencies have thousands of officers just standing by reports saying "the person who used IP address A.B.C.D at <timestamp> is a thief; go get them !". Nick Brown, Strasbourg, France [Now, that is nice sarcasm. PGN]
Erik Sherman, *The New York Times*, 13 Jul 2003 ''We've got 12 . . . wait, 13. Another just came in!'' On the hunt for 30 seconds, Gary Morse is jazzed. We've walked about 45 feet down Avenue of the Americas in Midtown Manhattan, and he has been counting the number of chirrups coming from the speaker of his hand-held computer. Each represents potential prey: wireless networks in the offices and apartments above us. So far, we have had more than a dozen chances to sneak Internet access, reap user ID's and passwords and otherwise peer into the private affairs of individuals and businesses. Morse is an expert — president of Razorpoint Security Technologies Inc., a computer security consulting firm that helps companies find their weak spots and fix them — and a self-described ''professional hacker.'' He knows dozens of tricks to ease his way into any of the networks he has found. Most users don't realize that left untended, the wireless technology that can quickly connect computers will literally broadcast every bit of transmitted information to anyone with a computer and a $40 wireless networking card. The software package running on Morse's hand-held is called Kismet, from a Turkish-derived word meaning fate. The program uses the wireless card like a police band scanner, noting each wireless network that makes its presence known. ''I could put it in my pocket and record all the networks without anyone seeing,'' he says. The program is available to security experts and would-be hackers for a perfectly legal and free download. ... http://www.nytimes.com/2003/07/13/magazine/13HACKING.html
[Cf. the item by Paul Festa via Monty Solomon in RISKS-22.40. PGN]
http://catless.ncl.ac.uk/Risks/22.40.html#subj3
eBay's Web site allows for SSL (https — i.e., secure) logins, but non-SSL
(http — i.e., insecure) password changes.
A recent visit to half.com, and eBay company, provides for SSL logins,
and, to my surprise, an SSL password change screen. I promptly changed my
password using half's ssl form, logged out, then logged into eBay via SSL
using my new password from half.com, and it took.
So, even if eBay doesn't change their 'Change Password' form [back] to
SSL, we can still use half.com's form and do it securely.
Now watch - I say this and half.com will magically remove SSL capability
from its password change form.
Software released in 2003 contains vulnerabilities disclosed in 2001 8 Jul 2003 Summary: In early 2001, we have discovered a serious security flaw in Adobe Acrobat and Adobe Acrobat Reader. In July'2001, we've briefly described it in "eBook Security: Theory and Practice" speech on DefCon security conference. Since there was no reaction from Adobe (though Adobe representative has attended the conference), we have reported this vulnerability to CERT in September'2002 (after more than a year), still not disclosing technical details to the public. Only in March'2003, CERT Vulnerability Note (VU#549913) has been published, and after a week, Adobe has responded officially (for the first time) issuing the Vendor Statement (JSHA-5EZQGZ), promising to fix the problem in new versions of Adobe Acrobat and Adobe Reader software expected in the second quarter of 2003. When these versions became available, we have found that though some minor improvements have been made, the whole Adobe security model is still very vulnerable, and so sent a follow-up to both CERT and Adobe. Both parties failed to respond. Full story: http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0011.html
The Internet bank Egg <http://www.egg.com/> has just sent me an unsolicited leaflet (EP1996 06/03) trying to induce me to sign up for its account aggregation service. Step 2 of its four-step procedure says: "Read and accept the terms and conditions. Then download a piece of software from Microsoft, called ActiveX. This acts like a digital safe and sits on your PC protecting your password and log in details." How many of Egg's customers have now installed ActiveX in the belief that it is a security product?
The Center for the Study of Complex Systems (CSCS) at the University of Michigan appears to be staffed with competent, knowledgeable people who study "complex systems". Yet their Computer Lab Security page at http://www.pscs.umich.edu/lab/security.html advises the user, when faced with a ssh host key change warning (potential "man in the middle" attack) to essentially ignore the warning, and to simply delete the offending key. When a group studying "complex systems" has difficulty dealing with the issues of computer security, what hope to mere mortals hold?
Corporate executives are becoming increasingly aggressive about spying on their employees, and with good reason: now, in addition to job shirkers and office-supply thieves, they have to worry about being held accountable for the misconduct of their subordinates. Even one offensive e-mail message circulated around the office by a single employee can pose a liability risk for a company. Not only that, but a wave of laws - including the federal Health Insurance Portability and Accountability Act of 1996 and the anticorruption and corporate-governance Sarbanes-Oxley Act of 2002 - have imposed new record-keeping and investigative burdens on companies. Not complying with some laws can result in the personal liability of officers and directors. As a result, employers have stepped up their surveillance of employees, often using stealth techniques to peer deep into their computer use. As of 2001, more than a third of all American workers with access to computers, or 14 million in all, were being monitored in one way or another, according to the Privacy Foundation, a Denver research group; with added pressure on executives to oversee their employees' electronic activities, experts predict that those numbers will grow. ... [Source: Marci Alboher Nusbaum, *The New York Times*, 13 Jul 2003] http://www.nytimes.com/2003/07/13/business/yourmoney/13EXLI.html
Curious, I went to the FTC site and tried to register my Canadian home phone number. It was rejected with an uninformative error message. However the site was quite happy to accept my (also Canadian) 800 number. This raises a blend of techno-legal issues, because it is not possible to distinguish syntactically or in any simple way between a US and Canadian 800 number, and indeed one number can terminate in multiple locations based on the caller's location, the time of day, load, etc. So what's the legal situation if I get a junk call at this number from a US telemarketer? From a non-US one? US legislators have not been shy in the past about extending the reach of their laws outside their borders. Is this legislation written clearly enough to provide a definitive answer? The Canadian telecom regulator (the CRTC) has been mumbling about Do Not Call for some years. Perhaps they should get together with their southern counterparts and arrange a common site and database. On second thought, maybe they should just go for a friendlier message.
Readers of RISKS are now doubt familiar with some of the less then graceful ways in which technology fails in the event of a brown or black out. When the electricity to my apartment building went out recently, I thought I might experience just such a failure. Five minutes prior to losing power, I had started a load of laundry in the shared washing machine on my floor. The laundry machines in my complex use a smart card system for payment as opposed to coins. The machines have a digital control system that displays the remaining time and the cycle on an LCD display. After power was lost I checked the machine to verify that it had lost power. No display, not noise and no overhead light in the laundry room. I figured I was out US$1.25, good for the recently increased bus fare in San Francisco. When power was restored, I returned to the laundry room to find that the machine had restarted and was prompting me to select a cycle. It appears the designers had thought about the problem of losing power mid cycle and decided to start the cycle over after user input once power had been restored. This is the right thing when you consider a repair person who wouldn't want the machine starting by itself unexpectedly when power is restored after electrical work.
Sony is recalling some Vaio FRV laptops because of a static-electric shock hazard, which can occur if and your phone rings whenever the laptop is plugged in and and connected to a grounded peripheral, the phone line is disabled, and you are touching a metal part of the laptop. No injuries have been recorded, and fewer than 10 complaints. (PGN-ed from 9 Jul 2003 Reuters item) http://finance.lycos.com/home/news/story.asp?story=34798831
The "soft walls" idea of steering planes away from restricted airspace leaves the question of what constitutes "restricted" airspace? After adding all possible terrorist targets, I can imagine a flight into a large east coast city weaving through the narrow "safe" course to the airport but leaving the airlines bankrupt paying for air sickness bags. Of course, the airport itself is a terrorist target and should be restricted, right?
> ... and it only takes one airplane with the soft-wall avionics missing or > disabled, to defeat the purpose of the whole system. Not to mention subverting the code so that at a particular date and time, the logic inverted and the exclusion zones became the only place where the airplanes would fly...
Hmmm ... How well do RFID embedded chips survive exposure to stun guns, cattle prods or other colorful toys? http://www.violetwands.com/entrance.html I'm not above wanding my groceries with some high voltage to preserve some privacy. Chips can be hardened, but radio chips would seem to be more difficult to harden against high voltage. Crispin Cowan, Ph.D. http://immunix.com/~crispin/ Chief Scientist, Immunix http://immunix.com http://www.immunix.com/shop/
It must be a wonderful picture imagining how thousands of software developers delay their vacations to provide a poor public servant like DWW with her paycheck in time... However, recalling my experience with the Berlin local government, the reality is not so dramatic. The payment system now is not more "wacky" than it was 28 years ago, when I first came into contact with it. Every year the government and the unions have "concocted" changes like these, and without a word the additional money has been paid one, two, or even three months later. So where is the problem, the reason for this outburst? The problem is, that for the first time after WW II in Germany public servants have to work more and get less for that - from my point of view only a fair deal under the circumstance that their jobs guaranteed. It is not a problem of IT: it is a problem of perception - being forced to face the reality outside the ivory tower.
BKCMINFO.RVW 20030605
"Computer and Intrusion Forensics", George Mohay et al., 2003,
1-58053-369-8, U$79.00
%A George Mohay
%A Alison Anderson
%A Byron Collie
%A Olivier de Vel
%A Rodney McKemmish
%C 685 Canton St., Norwood, MA 02062
%D 2003
%G 1-58053-369-8
%I Artech House/Horizon
%O U$79.00 800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O http://www.amazon.com/exec/obidos/ASIN/1580533698/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/1580533698/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1580533698/robsladesin03-20
%P 395 p.
%T "Computer and Intrusion Forensics"
The traditional data recovery aspect of computer forensics has been covered
by Kruse and Heiser in "Computer Forensics" (cf. BKCMPFRN.RVW), and by
Caloyannides in "Computer Forensics and Privacy" (cf. BKCMFRPR.RVW) (and
somewhat less ably by Casey [cf. BKCMCRIN.RVW], Kovavish and Boni
[cf. BKHTCRIH.RVW], Icove, Seger, and VonStorch [cf. BKCMPCRM.RVW], Marcella
and Greenfield [cf. BKCYBFOR.RVW], van Wyk and Forna [cf. BKINCRES.RVW],
and Mandia and Procise [cf. BKINCDRS.RVW]).
So far network forensics has only been specifically dealt with in the
not-terribly-useful "Hacker's Challenge," by Schiffman (cf. BKHKRCHL.RVW).
"Computer and Intrusion Forensics" is the first attempt to bring both topics
into a single book. (It is intriguing to note that Eugene Spafford, who
wrote the foreword, is a pioneer of the "third leg": software forensics,
which the book does not cover.)
Chapter one is an introduction to computer and network (intrusion)
forensics, pointing out the ways that computers can be involved in the
commission of crimes and the requirements for obtaining and preserving
evidence in such cases. While the material provides a good foundation, the
text is inflated in many places, and could benefit from stricter adherence
to the topic and more focused writing. (One illustration shows a pattern of
concentric rings indicating that the set of productive activities
encompasses all legal endeavors which, in turn, encompasses all approved
actions. I suspect that a great many legal and even approved activities are
unproductive--while no doubt a number of illegal activities would be
approved, at times.) "Current Practice," in chapter two, is a broad
overview of the concerns, technologies, applications, procedures, and
legislation bearing on digital evidence recovery from computers. In fact,
this single chapter is the equivalent of, and sometimes superior to, a
number of the computer forensics books mentioned above. However, the
breadth of the discussion does come at the expense of depth. This content
is quite suitable for the information security, or even legal, professional
who needs to understand the field of computer forensics, but it does not
have the detail that a practitioner may require. Although chapter three is
supposed to deal with computer forensics in law enforcement (and there is a
brief section on the rules of evidence), it is primarily a reiteration (and
some expansion) of the procedures for data recovery and the software tools
available for this task. Forensic accounting, and the algorithms that can
be used to detect fraud, are outlined in chapter four, but very little is
directly relevant to computer forensics as such. Case studies,
demonstrating the techniques discussed earlier and some that are not, are
described in chapter five. Intrusion forensics concentrates on intrusion
detection systems (IDS), although it does not provide a very clear or
complete explanation of the distinctions in data collection (host- or
network-based) or analysis engines (rule, signature, anomaly, or
statistical). Chapter seven finishes off the book with a list of computer
forensic research which is being, or should be, undertaken.
While the computer forensic content is sound, and it is heartening to see
other fields being included, the very limited work on network forensics is
disappointing. This text is a useful reference for those needing background
material on forensic technologies, but breaks no new ground.
copyright Robert M. Slade, 2003 BKCMINFO.RVW 20030605
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer