In the January/February 2005 issue of _The Atlantic Monthly_ there is an article by James Fallows entitled "Success Without Victory," discussing risk management as it applies to the war on terror. One key point is that there are people out there who, in the tradition of RISKS readers themselves, take a sensible and scientific approach to the war on terror, seeing it as an exercise in risk management rather than something that can be "won," causing all of the risks to go away: There will always be a threat that someone will blow up an airplane or a building or a container ship.... But while we have to live in danger, we don't have to live in fear. Attacks are designed to frighten us even more than to kill us. So let's refuse to magnify the damage they do. We'll talk about the risk only when that leads to specific ways we can make ourselves safer. Otherwise we'll just stop talking about it, as we do about the many other risks and tragedies inevitable in life. We cannot waste any more time on make-believe....measures that seem impressive but do not make us safer, such as national threat-level warnings and pro forma ID checks. The most damaging form of make-believe is the failure to distinguish between destructive but not annihilating kinds of attack we can never eliminate but can withstand and the two or three ways terrorist groups could actually put our national survival in jeopardy. We should talk less about terrorism in general and more about the few real dangers. Screening lines at airports are perhaps the most familiar reminder of post-9/11 security. They also exemplify what's wrong with the current approach. Many of the routines and demands are silly, eroding rather than building confidence in the security regime of which they are part. [Daniel] Prieto argues that the roughly $4 billion now going strictly toward airline passengers could make Americans safer if it were applied more broadly in transportation -- reinforcing bridges, establishing escape routes from tunnels, installing call boxes, mounting environmental sensors, screening more cargo. All these efforts combined now get less than $300 million a year, which will drop to $50 million next year. Where the article gets really interesting, however, is in pointing out the political barriers to doing the rational thing from a risk-analysis point of view. For example, spending less on airline security in order to spend more on land and water transportation: Rationally, this is an easy tradeoff: less routine screening of passengers who don't call out for special attention (watch lists, travel and spending patterns, and other warning mechanisms can be improved), in exchange for more and faster work to reduce the vulnerabilities of bridges, tunnels, and ports. In wartime a commander would easily make such a decision to protect his troops. But politically this decision is almost impossible. Such a tradeoff would make it likelier that some airplane, somewhere, would be blown up. If that happened, whoever had recommended the change would be excoriated -- even if more people had been spared equally gruesome fates in subways or near ports. And even examples of where this is already happening: [Terror and counter-insurgency experts] understand that this struggle will be with us for a very long time, that success will mean reducing rather than absolutely eliminating the threat of attacks, and that because there is no enemy government or army to surrender, there can be no clear-cut moment of victory. "Ironically, when President Bush said this in the campaign, he was immediately jumped upon," Jenkins said. "It was a moment of truth for which he was promptly punished. Senator Kerry had a similar moment, when he said that the objective was to reduce terrorism to no more than a nuisance. Conceptually that was quite accurate, even if it was not the most felicitous choice of words. And he was punished too. In a campaign with a great deal of nonsense about the threat of terrorism, these two moments of truth were mightily punished, and the candidates had to back away and revert to the more superficial and less supportable assertions." The article goes on with some general and specific recommendations for improving the security of America against terror attacks. The approach will be nothing new to RISKS readers, though the details may be. But I find it very hopeful that articles like this are appearing in general interest magazines rather than just specialized forums like this. The article is available on-line to _The Atlantic Monthly_ subscribers at http://www.theatlantic.com/doc/200501/fallows If you are not a subscriber but know one, he can e-mail you a link that will make the full article available to you for three days. Curt Sampson <email@example.com> +81 90 7737 2974 http://www.NetBSD.org
The FBI has abandoned its custom-built Internet surveillance technology, dubbed Carnivore, and is now using commercial software to eavesdrop on computer network traffic during investigations of suspected criminals, terrorists and spies. In addition, it's asking Internet service providers to conducting wiretaps on targeted customers, when necessary. Carnivore initially was developed because commercial tools available in 2000 were inadequate, but FBI spokesman Paul Bresson says the Bureau moved a while ago to using popular commercial wiretap software because it's less expensive and has improved in its ability to copy e-mails to and from a specific Internet account without affecting other subscribers. "We see the value in the commercially available software; we're using it more now and we're asking the Internet service providers that have the capabilities to collect data in compliance with court orders," says Bresson. The FBI didn't disclose how much it had spent on Carnivore, but outside experts estimate expenditures at somewhere between $6 million and $15 million. [AP, 18 Jan 2005; NewsScan Daily, 19 Jan 2005] http://apnews.excite.com/article/20050119/D87MS3CO0.html
Consumers' penchant for constant upgrades -- new cell phones, a sleeker laptop -- is causing havoc in the environment, and with technology products now accounting for as much as 40% of the lead in U.S. landfills, e-waste has become one of the fastest-growing sectors of the U.S. solid waste stream. The International Association of Electronics Recyclers estimates that Americans dispose of 2 million tons of electronic products a year -- including 50 million computers and 130 million cell phones -- and China, which has served for years as the final resting place for Americans' unwanted TVs and computers, is becoming overwhelmed by the volume. Some high-tech companies are taking matters into their own hands -- Hewlett Packard and Dell job out their e-waste handling to environmentally sensitive recyclers such as RetroBox -- but such efforts are still quite limited and unable to cope with a problem that's reaching crisis proportions. Meanwhile, the U.S. is the only developed country not to have ratified the 1992 Basel Convention, the international treaty that controls the export of hazardous waste. "There's a real electronics-waste crisis," says Basel Action Network coordinator Jim Puckett. "The U.S. just looks the other way as we use these cheap and dirty dumping grounds." [*The Washington Post*, 21 Jan 2005; NewsScan Daily, 21 Jan 2005] http://www.washingtonpost.com/wp-dyn/articles/A24672-2005Jan20.html
An investigation by *The Harvard Crimson* was reported in that newspaper on 21 Jan 2005, noting that a Harvard University website, iCommons Poll Tool, for months had contained confidential information on the drug purchase history of students and employees that was easily accessible to outsiders. After *The Crimson* demonstrated this to university officials, the website was immediately shut down. Authentication information required for access was based on a Harvard ID and birthdate that were easily available on the Web. In addition, the Family Educational Rights Privacy Act (FERPA) requires that students may request a special security status for total privacy, and that status was not properly enforced. The university's drug insurer, PharmaCare, also had the same problems -- which still existed at the time of the article in *The Crimson*. This is seemingly a violation of the HIPAA legislation, which prohibits unauthorized disclosure of individual's medical records. [I suppose if medicinal uses of marijuana were covered by insurance, someone might have found the situation HIPAA-pot-amus-ing. PGN]
http://abclocal.go.com/ktrk/news/bizarre/011405_APsn_jury.html A computer glitch at the state Office of Jury Commissioner alphabetized names of potential jurors, rather than shuffling them, before summonses were sent out. That created a jury pool of people whose last names mostly begin with the letter "A". Howard Israel, Avaya Global Services, Avaya, Inc. 1-732-852-3353 [Suffolk Superior Court, Massachusetts. That must be as random as anything else they do. None of the lawyers objected! PGN]
On 25 Jan 2005, a homeless man trying to keep warm (says the early report) started a fire that wiped out a control room, disabling New York City's 'A' subway line indefinitely, and seriously curtailed service on several other lines; it may take months, possibly years, to repair the damage. The subway controls destroyed are those that automatically prevent closely-spaced trains from colliding.
On 20 Dec 2004, an F/A-22 crashed on takeoff from Nellis Air Foce Base, Nevada (*Aviation Week*, 3 Jan 2005, pp21-22). According to *Aviation Week* (10 Jan 2005, p19), based on preliminary data, "Pentagon leaders believe" that the cause was a problem in the digital flight control system (DFCS). The short article quotes an unnamed official that, after an apparently normal takeoff roll, once airborne the pilot had "no control over pitch, yaw or roll." Those are the names for the movements about the three axes which constitute the aircraft's movement in the air. The pilot apparently received no warning of a failure. According to the 3 Jan article, in September an F/A-22 was stressed to 10-11g when flying through the wake of an F-16 while carrying external fuel tanks. The operational limit on the aircraft is 9g. The incident was put down to a feature in the DFCS software producing a violent pitch reaction. The pitch gain was calibrated for low-altitude operations, but the aircraft was manoeuvring at high altitude. The SW was modified. The incident aircraft was grounded, and it is uncertain whether it will fly again. The F/A-22 is the U.S.'s new stealthy air superiority fighter. The program is notorious for its tardy and expensive SW development, and thereby ran into funding difficulties with the U.S. Congress, indeed I believe it was threatened with cancellation. The crash of a prototype YF-22A aircraft at very low altitude (just off the runway) was reported by Leveson (citing an article in *The Washington Post* by Gellman) in RISKS-13.46 in 1992, and followed in RISKS-13.47 and 13.50 by some speculative commentary. Peter B. Ladkin, University of Bielefeld, Germany www.rvs.uni-bielefeld.de
A neighbour of mine just bought a new Epson printer and were trying to install it on their laptop. They had a problem : they rebooted their system and it said "Not a system disk". They gave me a call and I wandered up to have a look. I hit a few keys and suddenly it booted again. Odd I thought (not having noticed a crucial event!). I got in as Administrator and installed the software for them and we connected up the printer and rebooted. "Not a system disk". I thought for a bit and looked in the BIOS and lo and behold, the first boot item was a USB disc, and the printer does indeed have a USB disc feature so that you can access camera memory cards via the printer. Unplug the printer and the system boots fine, plug it and no dice. (What I hadn't noticed above was that my neighbour had unplugged the printer from the USB as I was hitting keys) How could anyone expect everyday users with no experience of systems internals to deal with a situation like that? Why should a printer look like a disc anyway (at least by default), and why have the default BIOS setting to boot from USB first? A disaster waiting to happen and it happened.
I recently filed a change of address for some Qwest stock I own. Qwest uses The Bank of New York (www.stockbny.com) to manage stock accounts, so I went to their web page, and filled out the form using name, address, SSN, and account number. Checked for the padlock indicating HTTPS, and convinced there was *some* degree of due diligence, submitted the form. The confirmation screen starred out all but the last four digits of the SSN (i.e., ***-**-9999), which seemed reasonable. Last night I got back an e-mail that they couldn't process my change request (the reason is unimportant), and included in the text of the message my name, e-mail address, account number, and SSN. No stars this time to shield sensitive information. Seems like a pretty useful e-mail to intercept! What kind of security policies allow including this sort of information? The security & privacy policies don't say anything about safeguarding customer information. If anyone has a privacy/security contact at Bank of New York, I'd certainly be interested in talking to them! (This is certainly not a new type of problem; see RISKS 21.83 for another example I wrote about 3 years ago.)
Many automated e-mails have no usable e-mail return addresses. For example, Verizon include the following rubric at the bottom of their messages: "This message was sent from a notification-only e-mail address that cannot accept incoming e-mail messages. Please do not reply." I know this because I have now received five messages from Verizon intended for somebody who shares my last name and probably has a similar e-mail address. I now know this person's mailing address and telephone number, and that they have ordered Verizon's DSL service. I know that the DSL service is now available. I've been receiving these e-mail messages for about a month now (there was a delay in getting the DSL service operational, apparently, for which Verizon have apologised). I have tried e=mailing firstname.lastname@example.org, but have no effect. I could, I suppose, telephone or write to the intended recipient, but I don't see why I should make a transatlantic phone call to someone I don't know. For obvious reasons, I don't have an e-mail address for this person. The risks here are obvious. Verizon presumably have a disgruntled customer, frustrated with not having heard from them. I have personal information about somebody else that I am not entitled to have (at least they didn't sent the account username and password through by e-mail) and get a small amount of unwanted e-mail. Louise Pryor email@example.com www.louisepryor.com
I just received an e-mail from PayPal warning me that my credit card was about to expire. Naturally my first thought was that it was a phishing trip, but closer inspection showed it to be genuine. It ended with the following warning: - - - - - - - - - - - - - - - - - - - - - - - - - - - - PROTECT YOUR PASSWORD NEVER give your password to anyone and ONLY log in at https://www.paypal.com/. Protect yourself against fraudulent websites by opening a new web browser (e.g. Internet Explorer or Netscape) and typing in the PayPal URL every time you log in to your account. - - - - - - - - - - - - - - - - - - - - - - - - - - - - Typing in the URL is excellent advice. Such a shame that they defeated it by making the link clickable.
> ... Thus it is indistinguishable from a phishing scam, ... The amusing thing is that this is actually meant as an anti-phishing tool, and it started from a good idea: eBay would communicate with its customers via an area on its website rather than e-mail. The (reasonable) assumption being that it is somewhat harder (though, of course, not impossible) to spoof eBay's website than a piece of e-mail. But you have to get started, so how do you communicate this new policy to your customers? Presumably eBay would have been better off sending plain text e-mail providing a link only to http://www.ebay.com, or even better, telling people to type that into their browser, or use a pre-existing bookmark, but plain Jane e-mail might cause people to think it was a phishing attack, or other folks probably don't know how to enter a URL directly into a browser -- all of which would drive up eBay's technical support costs. This appears to be one of those cases in which you just can't win. Drew Dean, Computer Science Laboratory, SRI International
BKOSINSC.RVW 20041210 "Outsourcing Information Security", C. Warren Axelrod, 2004, 1-58053-531-3, U$85.00/C$119.50 %A C. Warren Axelrod %C 685 Canton St., Norwood, MA 02062 %D 2004 %G 1-58053-531-3 %I Artech House/Horizon %O U$85.00/C$119.50 800-225-9977 firstname.lastname@example.org %O http://www.amazon.com/exec/obidos/ASIN/1580535313/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1580535313/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1580535313/robsladesin03-20 %O tl a rl 1 tc 1 ta 3 tv 2 wq 2 %P 248 p. %T "Outsourcing Information Security" The author states that he intends to raise issues involved in outsourcing security in such as way that those working through the process will not neglect important areas of concern. Chapter one reviews reasons for outsourcing. Lists of threats and vulnerabilities, in general, are given in chapter two. Costs are examined in chapter three, as a basic discussion of justification for outsourcing. Chapter four looks at risks that might be associated with outsourcing. Various types of costs, such as intangible, subjective, and indirect, are contemplated in chapter five, and costs related to different stages of the evaluation process in chapter six. Chapter seven investigates a number of issues surrounding the development of requirements for system or project development. The first chapter that actually seems to talk in detail about security outsourcing, rather than just outsourcing itself, is chapter eight, which goes through the ten domains of the CISSP (Certified Information Systems Security Professional) CBK (Common Body of Knowledge) (and some subdomains), determining which of them are particularly appropriate for outsourcing, and which are not. Chapter nine outlines the outsourcing process as a sequence of steps. Axelrod has provided a very solid and useful framework for dealing with the many areas that need to be considered if outsourcing is sought. Very little is directly relevant to the security function itself, but that may simply expand the market for the book. It is probably futile to expect that any more guidance could have been provided, since the possibilities are so immense, but the summary given here still leaves the potential outsourcer with an enormous amount of work to do. copyright Robert M. Slade, 2004 BKOSINSC.RVW 20041210 email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade [For those of you interested in security implications, see Table 7.1 of my recent report, which summarizes the pros and cons of both outsourcing and offshoring: http://www.csl.sri.com/neumann/chats4.html for browsing, Section 7.10.2 http://www.csl.sri.com/neumann/chats4.pdf and .ps otherwise, page 133 PGN]
BKDYESAV.RVW 20041205 "Degunking Your Email, Spam, and Viruses", Jeff Duntemann, 2004, 1-932111-93-X, U$24.99/C$37.99 %A Jeff Duntemann firstname.lastname@example.org %C Suite 115 4015 North 78th Street, Scottsdale AZ 85251 %D 2004 %G 1-932111-93-X %I Paraglyph Press %O U$24.99/C$37.99 602-749-8787 email@example.com %O http://www.amazon.com/exec/obidos/ASIN/193211193X/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/193211193X/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/193211193X/robsladesin03-20 %O tl i rl 3 tc 3 ta 4 tv 4 wq 3 %P 334 p. %T "Degunking Your Email, Spam, and Viruses" Lots of books have "quick tips" at the front these days. Usually these are nothing more than promotional fluff, designed to convince you that the author Knows Important Stuff. However, when I perused the suggestions for what to do about email and viruses if you had limited amounts of time, I was quite impressed that Duntemann had, in fact, carefully selected those tasks that would give the most protective value for the temporal coin. I could cavil at a few, but generally this list is very well chosen for those readers who do need to get started right away. Chapter one is an introduction, defining the various problems, and outlining the "12-step" program that structures most of the rest of the book. Although chapter two is supposed to be about creating an email strategy it doesn't go quite that far. But Duntemann does provide guidance on the type of email user you are, and notes the importance (which varies) of having alternative email addresses. Various email clients, and important features, are reviewed in chapter three. The advice is good (although I don't know why he is dissing Pegasus :-) Chapter four outlines good email habits, and effective practices for using and managing email. The advice on maintaining contact and synchronization on the road, given in chapter five, is helpful to travelers although I am not sure that it a) applies to everyone, and b) is a "gunky" problem. Chapter six provides valuable advice for managing stored or saved messages. Chapter seven describes the situation with regard to spam, and suggests the standard actions to avoid it. The concepts and tools for spam filtering are outlined in chapter eight. Chapter nine walks the reader through the installation and "training" of POPfile, while ten lists arguments against non-Bayesian spam prevention filters and systems. Chapter eleven is a good introduction to the broad categories of malware. The choice and evaluation of antiviral programs, given in chapter twelve, is quite decent, although the space and precedence given to the "three sisters" seems to be excessive: companies like Sophos, F-Prot, and Avast turn out technically superior products and are hardly "obscure." Spyware and adware, as well as suggestions to limit them and products to deal with them, are covered in chapter thirteen. Chapter fourteen has good advice about dealing with worms (although I'm surprised that Duntemann did not mention turning off DCOM, which would probably have saved his friend some grief). Chain letters and scams are discussed in chapter fifteen. (I was teaching in Nigeria when I read this book, so I found the coverage of the 419 scam ironic. Nigeria isn't in chaos: it just seems that way.) Chapter sixteen finishes off with advice on what to do if you *have* been hit with something nasty. The book has a lot of very practical and useful information. It is written at a level that any intermediate user, and many intelligent novices can use directly without further experimentation. (A few items could use more detail: how do you turn an .iso file into a bootable CD?) I would recommend this as an excellent reference to have to hand for pretty much any computer user. copyright Robert M. Slade, 2004 BKDYESAV.RVW 20041205 firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer