Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
According to an article in *The Register*, the security on RFID devices used in car keys and petrol pump payment systems has been broken (the article actually says "Researchers have discovered cryptographic vulnerabilities in the RFID technology..." http://www.theregister.com/2005/01/31/rfid_crypto_alert/ The encryption uses "an unpublished, proprietary cipher that uses a 40-bit key". The researchers managed to reverse-engineer the system and program a microchip to do the decoding in 10 hours. Using 16 of the chips in parallel reduced the search time to 15 minutes. At about $200 per chip that's not an expensive brute force attack. The article notes that although potential criminals could make fraudulent petrol charges and deactivate vehicle immobilisation systems, they would still have top get past physical locks in the car. Provided that the car has them, of course. I can't resist quoting from the last two paragraphs: "The team recommends a program of distributing free metallic sheaths to cover its RFID devices when they are not being used in order to make attacks more difficult. The company that markets ExxonMobil's SpeedPass system has said it has no knowledge that any fraudulent purchases have ever been made with a cloned version of its device." The Risks? Well, apart from the fairly obvious security/fraud issues, it does seem to me that this is using technology for technology's sake. When I want to disarm the alarm on my car, I point the remote at it and press the button. I don't need an "always on" control...
Several riders were assisted to safety [28 Jan 2005] after a car became stuck on the Incredible Hulk Coaster at Universal Orlando's Islands of Adventure theme park, according to Local 6 News. A Universal spokesman said a computer glitch stopped the train at one of three braking points. Twenty riders walked to safety. Four others in the front of the car were forced to wait until firefighters arrived. There were no injuries reported. [*Florida Today* 29 Jan 2005, p. 8B]
'A stripper mauled by a tiger in an Ontario safari park has won $650,000 in damages ... 'Jennifer-Anne Cowles was driving through the park ... with her boyfriend when a tiger jumped into their car and tried to drag them away. The two insisted their windows had been shut when the tiger charged ... 'The judge accepted the couple's testimony that the power windows had been inadvertently lowered when one of the big cats bumped against the car. The boyfriend was awarded $1.37 million. [Source: Reuters item in the *Seattle Times*, 29 Jan 2005. The Times doesn't believe in copyediting wire-service stories, even those from Reuters. WC] We may indeed have here a computer-related risk, but another possibility is gullible-judge risk.
Microsoft today (02/01/05) announced a new and more precise search engine (http://www.imagine-msn.com/search/tour/moreprecise.aspx). As part of the announcement they gave some example searches, one of which was "What is the mass of Jupiter?". The search.msn.com result for that search does indeed return the mass of Jupiter: "Answer: Jupiter mass: 318 Earth masses". But what is an "Earth mass"? Entering "What is the mass of Earth?" into search.msn.com produces "Answer: World: mass: 1 Earth masses". I suppose that answer doesn't violate the definition of precise (though to be even more precise they could have said "1.0000 Earth masses"). Entering "What is an Earth mass?" produces the same, meaningless, result. BTW, entering "What is the mass of Saturn?" into search.msn.com produces: "Saturn: Mass: 5.69x10", which since it's missing its units doesn't seem precise to me (and it's probably not accurate either, unless the missing units are 10^25 kilograms). Just to demonstrate that this isn't too hard I did the same searches on Google, which produced more reasonable results: mass of Earth = 5.9742 x 10^24 kilograms mass of Saturn = 5.6851 x 10^26 kilograms mass of Jupiter = 1.8987 x 10^27 kilograms The risk here is that if you give an example search to demonstrate your new search engine capabilities, you should test to see if related searches work as well. [Or, if you pardon a pun on the ambiguity of "as well", if they work as poorly. PGN] Marcos H. Woehrmann firstname.lastname@example.org http://www.panix.com/~marcos
The German IT magazine c't reports in its number 2/2005 on the current state of the German Toll Collect system, which does appear to be functioning and raking in some money, much to the glee of the politicians who are now dreaming of exporting this technology. A few highlights not making the daily newspapers: * Checking trucks to make sure they paid the toll is easy if the truck has an OBU (On Board Unit) - mobile checkers can query the box without stopping the truck. Trucks without the OBU pass occasional bridges that photograph the truck, recognize the license plate, calculate the truck geometry to determine the axle count, and then check if this bit is paid for in the central data base. There are pull-off areas that were specially built so that offenders can be pulled off and fined on the spot. Unfortunately, when calculating the distance between the bridge and the pull-off area the engineers used an optimistic assumption on the time needed for the calculations, and used the *middle* of the rest area for calculating the distance between the bridge and the rest area. But actually, if you want to flag down a truck you have to have someone standing a good bit before the rest area. Since neither moving the pull-off area nor the bridge are options, traffic is slowed at these points to give the computers time to grind.... * The mobile checkers have a few problems of their own. Heise reports in http://www.heise.de/newsticker/meldung/mail/55332 that the checkers use infrared communication. They have to drive in front of the truck they are checking and are having problems during fog and snow. The company producing this device insists, however, that there are no problems. * c't tried to make sense of the public database listing the autobahn crossings and the tolls assessed. There is no obvious connection between the numbers for the exchanges and the exchanges, some (in different parts of the country) even have the same number. Other bits of autobahn are only listed in one direction, not in both. Some crossings have multiple numbers, other multiple names. They used the data to build a graph of the German autobahn (> 2000 edges), a nice exercise for students of computing to then calculate the shortest path between A and B. Interestingly, 23 of the edges are listed as being 0,0 km long. Toll Collect says that these are bits of non-autobahn that connect up isolated autobahn portions. c't concludes that it will be difficult for a company to prove that they have been charged the wrong toll - and in a new law rushed through in December the government has stated exactly that - Toll Collect does not have to prove that they charged the correct toll, but a shipper has to prove that they were charged the wrong toll. For those interested in the database: http://www.mauttabelle.de/maut.html (in German) Prof. Dr. Debora Weber-Wulff, FHTW Berlin, Internationale Medieninformatik, Berlin +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/ [Slight typo fixed in archive copy. PGN]
Germany switched to a new dole system on 1 Jan 2005 and has been coping with problems ever since. Many people who submitted their paperwork back in October still do not have money - because the paperwork was "misplaced". [Maybe they were just entering in the data LIFO... --dww]. The media in Germany are enjoying finding problems with the system, especially as the officials are announcing it all a roaring success. The Heise Ticker (http://www.heise.de/newsticker/meldung/55427) notes that the "problem" of the software only counting 360 days to a year is a feature and not a bug. According to spokespeople, it lets them figure the amount of the dole much faster [I didn't realize that the isLeapYear routine took *that* much time to compute.... --dww]. The Westfälischen Nachrichten reported the computation, which is also discussed in Spiegel-online at http://www.spiegel.de/wirtschaft/0,1518,338133,00.html will save government about 100 million Euros a year because the payments are done according to a daily rate. All months are now fixed at 30 days. Other fun games: In order to keep people who just barely earn too much from making themselves eligible for money by purchasing health insurance (which is deductible) they are apparently paying people 1 cent a month so they can keep their cheaper public health insurance. The problems with the system are being collected in a database in Nürnberg and are sent out in a non-printable PDF file to keep people from printing it out and giving it to the press. The file has, however, grown larger than 2 MB and is now being rejected by the mail servers throughout the work payment administration. This is the only problem that the officials will admit to in public. The saga will continue! Prof. Dr. Debora Weber-Wulff, FHTW Berlin, Internationale Medieninformatik 10313 Berlin +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/
The Can Spam Act went into effect in January of last year, yet unsolicited commercial e-mail on the Internet is now estimated to account for at least 80% of all e-mail sent — a figure up from 50-60% percent of all e-mail before the law went into effect. A number of critics of the law had argued that it would make the spam problem worse by effectively giving bulk advertisers permission to send junk e-mail as long as they followed certain rules. Steve Linford, the founder of the UK-based Spamhaus Project, says the law "legalized spamming itself." The law's chief sponsor, Senator Conrad Burns (R- Montana) says the problem isn' t the law but the ineffective enforcement of the law: "As we progress into the next legislative session, I'll be working to make sure the FTC utilizes the tools now in place to enforce the act and effectively stem the tide of this burden." Anne Mitchell of the Institute for Spam and Internet Public Policy comments: "Most people say it's a miserable failure, but I see it as a lawyer would see it. To think that law enforcement agencies can make spam stop right away is silly. There's no such thing as an instant fix in the law." [*The New York Times 1 Feb 2005; NewsScan Daily, 1 Feb 2005] http://www.nytimes.com/2005/02/01/technology/01spam.html?hp &ex=1107320400&en=f7486f68b21cb2cc&ei=5094&partner=homepage http://www.nytimes.com/2005/02/01/technology/01spam.html?hp&ex=1107320400&en=f7486f68b21cb2cc&ei=5094&partner=homepage
A while ago I was listening to a public affairs program on NPR. One of the speakers was representing a trade association, and his comments really got to me. I Googled him and sent him a somewhat venomous e-mail. A few hours later I got an even more venomous reply. End of story? Not quite. My e-mail address was now in his shortcut list. A few weeks later I was copied on what was clearly meant to be an internal and confidential e-mail from this gentleman to this colleagues.
Quoting from http://www.panix.com: >Panix's main domain name, panix.com, was temporarily hijacked over the >weekend by parties unknown. The false information for the panix.com >domain was present at the top-level Internet domain servers from 04:30 >Saturday morning Jan 15 until 6 PM Sunday Jan 16 (US-EST), when the >domain was returned to us. As a result of this attack, mail, Web >access, and other connectivity to the panix.com domain was disrupted. and >Panix's main domain name, panix.com, was hijacked by parties >unknown. The registration of the panix.com domain was moved to a >company in Australia, the actual DNS records were moved to a company >seemingly in the United Kingdom (but with servers in Canada and >corporate registration in Delaware), and panix.com's mail was >redirected to servers in Canada. None of the systems exploited to >perform this hijacking were under Panix's control. > >It's not supposed to be possible to transfer a domain name from one >registrar to another without notifying both the current registrar and >the current domain owner, but that's what seems to have happened. > >As the hijacking occurred over the weekend, we had great trouble >reaching responsible parties at the other companies involved. The >domain was not returned to us until the beginning of the business day >in Australia on Monday. None of the companies involved had support >numbers that were available over the weekend, or even emergency >contact numbers. More info at http://www.panix.com and http://www.panix.net/hijack-faq.html
Apparently several websites have come up that allow random drivers to report other random drivers for aggressive driving. See a story by Charisse Jones, USA TODAY http://story.news.yahoo.com/news?tmpl=story&cid=710&e=35&u=/usatoday/2005011 8/pl_usatoday/websitesletdriversflagroadragers unsafedriver.com will allow you to register for free, which entitles you to enter reports about other cars. However, you must pay $24.99 for the first vehicle, and $14.99 for each additional vehicle, in order to (and these are quotes from the web site) * Receive the details of the driving complaints made against your registered vehicles. * Keep the complaints made against your registered vehicles confidential subject to our Terms and Conditions * Attach a dispute to any complaints made against your registered vehicles * Check any plate for violations. This sounds an awful lot like that scam that was going around a couple of years ago...Word-of-Mouth.org, right? I haven't dug deeply into this, but Yahoo reports that the unsafedriver.com site was started by Lt. Mark Hafkey of the Phoenix Police Department (though it's a "private business", not affiliated with the police department). I have successfully registered at this site, using, let's just say sketchy data. I have verified that this permits me to enter a report about an "incident". It gives me a choice, as an incident reporter to "remain anonymous" or "I am willing to be contacted by Law Enforcement or an Insurance Carrier via e-mail for clarification and/or further investigation if necessary." This smells like a scam to me, but I'm surprised that it would be perpetuated by a source as reputable as USA Today. If it's not a scam, it's an outrage.
Despite growing concerns over online fraud, a new study conducted by the Better Business Bureau and Javelin Research finds that most cases of identity theft can be traced to a lost or stolen wallet or checkbook, rather than vulnerable online financial data. Computer crimes make up just 12% of all ID fraud cases in which the origin is known, and half of those are attributed to spyware that sneaks onto computers and steals private information. [AP, 27 Jan 2005; NewsScan Daily, 27 Jan 2005] http://apnews.excite.com/article/20050127/D87SE8NO0.html
The local chain grocery store recently got rid of its personnel problem by hiring a customer-operated robot scanner. The scanner comes with a series of metal bridges that overarch the conveyor belt. The store had removed the arches from the machines because the arches prevent large items from proceeding to the item storage area at the end of the belt. I bought a large, economy size package of paper towels. It would be stopped by the arches, were they in place. The software "knows" about the arches and stopped my checkout process cold while it called a store employee to manually move the package to the end of belt, a process that had already completed. The robot scanner "weighs" items as they travel along the belt, a security measure to ensure the customer placed the scanned item on the belt. I watched the customer in front of me try to buy the candy bar she had eaten, while shopping, by placing the scanned wrapper on the belt. No soap. The wrapper didn't weigh enough. She tried three times to buy the candy bar. Her solution: get another candy bar from the handy display in the checkout aisle and buy 1, get 1 free. The robot scanner refuses to transact business while anything is traveling down the conveyor belt. Its mechanical voice instructed me to "wait" while it did its business. I was trying to pay for my order. A human clerk who did that may well lose her job. Before experience taught what the machine expects from me, I tossed items that I had scanned onto the belt. Sometimes this would put the item too far along to be "weighed." The machine refused to recognize the object, reversed belt motion to return the item, and credited my bill. There was no sufficient explanation for this behavior until a human employee provided insight. Buying fruits and vegetables with robot is a trip. You press a GUI button and are presented with page upon page of photographs of fruits and vegetables organized I don't know how. People spend a great deal of time trying to identify the item at hand and do not understand that some fruits and vegetables must be weighed, at the scanning station not the belt, for the cost to be figured. Bagging groceries with a robot is left to the customer unless some store employee takes pity. You can be bagging furiously, having paid for your items, while the next customer is sending his items to commingle with yours. The motivation for these devices is obvious: lower cost to the low margin store. The introductory customer instruction was nil and remains nil. I'm surmise there is a certain acceptable level of loss of goods not paid for because the machine cannot catch everything a customer might do.
I just got this in my e-mail. > Dear Cardmember, > > Your 2004 Year-End Summary is now ready to view online. To access your > Year-End Summary, please log in to > http://americanexpress.com/yearendsummary2004 > <http://www65.americanexpress.com/clicktrk/Tracking?mid=IUYES03020050201053636024433&msrc=ENG-YES&url=https://www124.americanexpress.com/cards/yes/yes_home.jsp?campaignid=Jan_email_05>. > > With the online version you can view charges by merchant name, date, > or charge amount; view your spending, spending of an Additional Card, > or everything at once; and print and save your Year-End Summary for > future use. As a *new* feature this year, you can also use business > and personal check boxes to sort your annual transactions. > > We look forward to serving you. As far as I can tell it's real - the sites it links to have certificates that are issued to Amex. However there is no way to tell without clicking the link and checking the certificate (something I teach my users not to do) that the mail really came from Amex. Even the message headers show it originating from aexp.com which sounds close but then so do the best phishing scams. Given that a large percentage of the world now uses s/mime capable mailers (Outlook, Outlook express, Thunderbird, Mozilla, etc.), why is it that institutions are still sending unsigned e-mail?
> I went to their web page, and filled out the form using name, address, SSN, Why, why WHY is a participant in the RISKS list submitting an SSN on-line and why is he even providing an SSN when making an address change? We gotta resist, this so that organizations are sensitized to the risks of using SSNs. Robert Ellis Smith, Publisher, Privacy Journal, PO Box 28577, Providence RI 02908 email@example.com 1-401/274-7861 http://www.privacyjournal.net
In RISKS-23.68, Tim Huckvale bemoans the fact that after giving good advice to it's clients about how to avoid phishing attacks in an e-mail it sent him, PayPal then made the mistake of making the URL in it's message a 'hot' link. I'm not sure which e-mail program he's using; he doesn't say. But it's worth noting that that e-mail (and it's sender) may not be at fault. Some *mail programs* heat up those links 'for you'. The RISK? Assuming you know where the RISKS are actually *coming* from. Mozilla's Thunderbird browser is getting anti-phishing measures even as I type. A bit later than I'd have liked. But at least they're there. Jay R. Ashworth, Designer, Ashworth & Associates, St Petersburg FL USA http://baylink.pitas.com +1 727 647 1274 firstname.lastname@example.org [We received a slew of e-mail on this subject. I picked just one thus far. PGN]
BKOPSOST.RVW 20041203 "Open Source Security Tools", Tony Howlett, 2005, 0-321-19443-8, U$49.99/C$71.99 %A Tony Howlett email@example.com %C One Lake St., Upper Saddle River, NJ 07458 %D 2005 %G 0-321-19443-8 %I Prentice Hall %O U$49.99/C$71.99 +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0321194438/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0321194438/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0321194438/robsladesin03-20 %O tl a rl 2 tc 3 ta 3 tv 2 wq 2 %P 578 p. + CD-ROM %T "Open Source Security Tools" The tools listed in this book are for network security, almost without exception. The preface states that the book is intended primarily for systems administrators, although security professionals may find useful information as well. Howlett makes an effort to include items that have Windows versions, although only about a third do. He has also included tutorial materials on detailed aspects of the TCP/IP protocols that have a bearing on the operation of security software. Chapter one outlines the open source concept, starting with a fairly idealized scenario, but continuing with some history, advantages (and disadvantages), and a brief look at two of the major open source licences. The nominal topic of chapter two is operating systems, and so it is rather odd that most of the tools described are network utilities. However, the descriptions are better than are given in most reviews of software tools, and the details are clear for all who may read them. While chapter three does provide a quick overview of TCP/IP and filtering, it does not cover the full range of firewall types. The programs listed are comprehensively described in terms of installation and administration commands. Port scanning is covered in chapter four, and, again, while the programs are explained well, other details, such as the services that would need to be turned off to reduce the danger of open ports, are not. Much the same can be said about the discussion of vulnerability scanners, in chapter five. Chapter six looks at the most widely used network sniffers. The concepts behind, and examples of, both network- and host-based intrusion detection systems are given in chapter seven. Logging and audit data can accumulate quickly and overwhelm the administrator, so chapter eight reviews some common tools to present, analyse, and manage the information. Chapter nine lists a variety of encryption tools. Wireless tools, primarily for finding networks, are given in chapter ten. Forensic tools are examined in chapter eleven, but there may not be a sufficient distinction made between the network and data recovery tools. Chapter twelve finishes off with some more general discussion about open source software, and where to find it. There are some helpful appendices: well-known TCP/IP port numbers, and a large list of plug-ins for Nessus. The tutorial material could have had more depth and care, but there is no denying the value of the compilation (particularly with all the software included on the CD). copyright Robert M. Slade, 2004 BKOPSOST.RVW 20041203 firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer