Amtrak will not be able to run any of its high-speed trains until the summer because of delays in getting replacement parts to correct brake problems on Acela Express cars. The brakes were to last 1 million miles; the current Acela fleet had about half of that mileage. Amtrak pulled all of its 20 Acela trains out of service on Friday after finding millimeter-size cracks in 300 of the fleet's 1,440 disc brake rotors. Each Acela train has 72 brakes. This part is unique to the Acela and there is no active production line casting them. Fewer than 70 disc brakes are currently available. [Source: The Associated Press, article by Donna De La Cruz, 20 Apr 2005; PGN-ed] http://www.boston.com/news/local/massachusetts/articles/2005/04/20/amtraks_high_speed_acela_trains_sidelined_until_summer/ [Amtrak had cannibalized parts from other trains to get one or two trains able to run, but quickly abandoned that effort. Risks of custom design and no spare parts... Risks of building a system that really required new tracks, rather than trying to run on old tracks... PGN]
A paragraph from an op-ed in *The New York Times*, 19 Apr 2005 (http://www.nytimes.com/2005/04/19/opinion/19tierney.html): "He chronicled the Acela mistakes, starting with Amtrak's decision to build a new train instead of modifying an existing European one, and to build it as a working train without first testing a prototype. The result was a long series of problems, design changes and lawsuits between Amtrak and its Canadian contractor, each accusing the other of botching the job." It seems that old-fashioned mechanical engineering is not immune from the ills commonly ascribed to its software counterpart.
I found this at http://www.stupidsecurity.com, which references http://www.wral.com/news/4354102/detail.html. Wake County, N.C. uses a central computer to lock 50 of its buildings in and around Raleigh. The Wake County Animal Shelter was closed on Easter weekend, but the computer didn't know that. The doors were left unlocked and several animals were stolen from the shelter. It would be cynical of me to note that animal shelters are one service where pilferage of the goods reduces net costs, so I won't.
A hacker who tapped into business school computers at Carnegie Mellon University may have compromised sensitive personal data belonging to 5,000 to 6,000 graduate students, staff, alumni and others. The breach confirmed by officials in the Tepper School of Business is the latest in a recent string of campus computer break-ins nationally and the second since early March affecting Tepper. There is no evidence that any data, including Social Security and credit card numbers, have been misused, officials said. But they have begun sending e-mails and letters alerting those affected. They include graduate students and graduate degree alumni from 1997 to 2004, master's of business administration applicants from September 2002 through May 2004, doctoral applicants from 2003 to this year, and participants in a conference that was being arranged by the school's staff. ... [Source: Bill Schackner, *Pittsburgh Post-Gazette*, 21 Apr 2005] http://www.post-gazette.com/pg/05111/491836.stm
Another case of not knowing how long the exposure existed and therefore how much exposure the personal information really had. Once again we have Social Security Numbers, credit card data, etc. exposed for an indeterminate amount of time. I have gone to the university's own web site and the Tepper School web site and neither has any mention of this report as of the time I checked, which is Apr 21 at 4:45PM EDT. http://kdka.com/local/local_story_111102454.html
*The New York Times*, 21 Apr 2005, http://www.nytimes.com/2005/04/21/nyregion/21check.html?pagewanted=print&position New York City's school system recently agreed to pay $86,000 to the lawyer of a child with autism to cover special educational services for his client. But when the lawyer opened his mail on Tuesday, he found a check for slightly more: $8.6 million. {off-by-one decimal point; usual excuses cited...}
It is widely reported in Japan that an errant virus definition distributed by an anti-virus PC software company caused a large-scale disruption of businesses and individual users. The company, TrendMicro, with its headquarters in Tokyo, has been selling its anti-virus PC software products for quite some time. Its first product was developed in 1991. Now, on Saturday morning at 07:30 (JST), the software's automatic update site in the Philippines released a new virus definition file which, according to the company's comment, was not adequately tested. This file was picked up by many users in Japan and abroad who either automatically or manually invoked the virus definition update function of the software. Unfortunately, Windows XP SP2 and Windows 2003 Server users with this software installed (there are a few variants of the products in the software suite, and a few of them were affected) who updated the definition file AND rebooted the PC after the update (as suggested by the software, it seems) saw the CPU usage go up to 100% immediately after booting and could not do much on their PCs. The problem was that the incorrect update caused infinite looping of the scanning of a certain system file, and no CPU time was left for any other task. (If the user didn't reboot and waited for another several hours, the re-worked update file was again automagically picked up if the automatic update feature was enabled, and there would be no harm.) According to the various reports, corporate licensees include media big names such as the Asahi Shimbun newspaper, the Kyodo wire news service, and the reservation division of railway company JR East. (The company put the user number at around 10 million individual users.) I noticed the early reports of disrupted computer networks at Asahi Shimbun and Kyodo wire service on Saturday morning and wondered what could cause LAN disruption at such well-protected places. (It seems that the DHCP client could not get an address after boot due to the heavy CPU load inside the anti-virus service.)

After many inquiries began pouring in, the company checked and released the re-worked virus definition file. However, 170,000 downloads took place while the incorrect definition was on the download server. Many individual or small business users who didn't realize the problem was caused by the virus definition update brought their PCs to tech service companies or re-installed the OS, etc. Some had their disks re-formatted. The scale of the disruption was rather large, and on Saturday evening many TV stations carried the news of the disruption with the correct cause identified. Some affected users who tried to `fix' their computer noticed these news broadcasts and could then bring their PC back to normal status. The word cyberterrorism came to my mind, but it is ironic that the cause was inadequate testing at an anti-virus software corporation. Of course, we will see whether the release of the definition file without adequate testing was a deliberate act or simple neglect. Lucky me: I am using Symantec Anti-Virus software on a Windows PC, and Linux on another PC. Diversity is wonderful when we can afford it.

PS: The remedy was to reboot the computer into safe mode (after a forced power-off in many cases), replace the errant file, and reboot. The anti-virus software would then pick up the new corrected file.

PPS: I think I should add, in order to convey the scale of the problem, that we now know on Monday morning that on Saturday:
- the JR railway reservation division could not check the reservation status (fed via network to PCs?) and so diverted (telephone) inquiring customers to manned counters at railway stations,
- the Kyodo wire service could not send out automatic wire service news for a few hours, and so resorted to sending out important news via FAX (I believe that the initial news articles from Kyodo were sent in this manner),
- the Osaka subway system saw its computer that distributes accident information to its stations fail to reboot, and
- Toyama city's election committee could not handle advance voting for its mayoral and city alderman elections on their computer and had to resort to manual processing.
These are just a part of the problems reported in the Japanese press Monday morning. However, life goes on as usual as of Monday morning as far as I can tell. (But those unfortunate companies who suffered from the problem over the weekend may be having a hectic time right now.)
Regular RISKS readers know that many things can go wrong with naming and authentication. Here is an interesting example. I opened a PayPal account on the 18th April and tried to link it to a checking account I have at a UK bank (the NatWest). The PayPal website balked at the name of the bank branch ("Cambridge King's Parade") on the grounds that it contained a non-ascii character. It was also too long for the web form. All I could do was enter "Cambridge" and hope for the best. Now it's prudent for programmers to check input, but this is rather extreme. After all, most of the names of people and places in this world are non-ascii. Compulsory asciification turns that inoffensive Italian, Signor de'Ath, into the sinister Transylvanian Mr Death. Also, when I worked in banking many years ago, a common source of fraud was that when money arrived at the wrong branch, staff put the money into a "suspense account" while they queried the sender. Fraud and abuse involving suspense accounts was a serious problem. So I tried to bring to PayPal's attention that their web page was not merely culturally inappropriate, but also a security vulnerability. I was unable to get their help-desk to link up successive e-mails about the issue, let alone refer me to someone who could talk policy. So far, so broken. I reported the incident on a local mailing list (ukcrypto) where one of the regulars informed me that the King's Parade branch had in fact closed, with all the customers being transferred to another branch. This was the first I'd heard of it! I walked by my bank branch and found it indeed closed. The two small payments that PayPal said it would send to my bank account, to check I have access to the bank statements, have vanished. You just could not make this up. PayPal relies for authentication on bank branch names, which a large UK bank will change without notifying its customers (at least, not in any way I noticed). I won't even begin to speculate about all the possible risks. 
Ross Anderson http://www.cl.cam.ac.uk/users/rja14/
Generally, having a distinctive forename-surname combination serves me well enough: not much chance of double-booking in hotels, and people find it easy enough to remember. There's a privacy downside, in that once you know the surname and city (country, even) I'm not hard to find. And I acquired the obvious surname-related domain, zaba.com, getting on for a decade ago. Then, about the middle of March 2005, my inbox started to attract angry emails: "remove me from your Website immediately"! Since the www.zaba.com page has been unchanged since my mid-1997 entry on "what I did in the UK crypto-policy wars", I at first thought this was a new form of e-mail address harvesting — send an angry accusation, attract an indignant response, email address confirmed. But few of the correspondents' addresses seemed suspect, and when I got one from a .mil address I started filing them away. It took another week or so for one of the e-mails to identify, by way of a screenshot, which website people were concerned about. US readers will have cottoned on by now; but for The Rest Of Us: a new people-searching website has appeared in the US, under the name of zabasearch.com. Frantically trying to deal with their unhelpful "optout" procedures (which change frequently, and require you to submit personal data!), some people hit on the idea that zaba.com would be a better place to send emails, or Googled for the unusual word in question and found my email address. It's since been circulated in warning messages which get passed on in Craig Shergold fashion. zabasearch.com themselves say they're 'only republishing publicly available information'. RISKS readers, well-versed in notions of fair information handling, will just about be able to grasp the distance between "on file at the county records office", and "made available at no cost, pre-indexed by name".
What's made available for free is basic personal info - name, address, phone numbers, years-at-address; for a fee they'll do further background checks. All with the same rigorous attention to data quality which has led colleagues to find themselves listed under addresses they left several years ago, and having 30 years added to their age. What's been interesting is receiving over a hundred angry "REMOVE ME"s, only three or four of which identified the website in question. "Clearly", with that website covered in Zaba-this and Zaba-that, the great majority of correspondents observed the name coincidence and inferred identity. Carl Ellison's "10 RISKS of PKI", and the SPKI work about the unreliability of global naming, just got validated again, at my expense. More gory details over at http://www.zaba.com
Stefek Zaba, HPLabs, Bristol, England [Many thanks. Having a unique name sounds like a recipe for Zaba-loney. Or maybe someone is being fed Za-baloney? PGN]
Another case of "who is watching the watchers". According to a report on a local TV station, KTVU 2 in San Francisco, CA, a police officer is facing possible disciplinary action for allegedly using surveillance cameras at San Francisco International Airport to ogle women as they walked through the terminal. http://www.ktvu.com/news/4398749/detail.html
The BBC News site has an article reporting that an ID card system being used in Cornwall has been withdrawn: "Plans for national ID cards may need to be reconsidered following the breakdown of a pilot project in Cornwall. The 'smart card' was tested through the Cornish Key scheme, but now the trial is to be withdrawn, despite an investment of £1.5m of government cash." The withdrawal is being blamed on problems with the readers, and the system is being replaced by a newer system with "dumber" smart cards. http://news.bbc.co.uk/1/hi/england/cornwall/4459493.stm
The Minnesota Legislative Auditor report shut down a web service: "Department of Public Safety: Web-based Motor Vehicle Registration Renewal System Security Audit, Security Controls as of March 2005", http://www.auditor.leg.state.mn.us/fad/2005/fad05-23.htm. The report based its audit on the Open Web Application Security Project's top ten list (http://www.owasp.org/documentation/topten.html) and a previous audit in 2001 in which the findings and recommendations were ignored. This story was front-page news in the *Saint Paul Pioneer Press* and *Minneapolis Tribune* on 19 Apr 2005. Other MN Department of Public Safety website shutdowns resulting from the Minnesota Legislative Auditor include the Bureau of Criminal Apprehension's CriMNet. The legislative auditor seems to find a lot of RISKS in the Department of Public Safety.
Steven Hauser http://www.tc.umn.edu/~hause011/
http://money.cnn.com/2005/04/19/news/fortune500/usair_cheap_flights/index.htm?cnn=yes Oops! US Air round trip for $1.86. Report: Carrier will honor more than 1,000 tickets sold at discounted price due to computer glitch. The airline also was hit by what its chief executive termed a "meltdown" of its baggage system (/2004/12/27/news/fortune500/plane_woes/) during the Christmas holiday. That problem resulted in it sending some flights out of its Philadelphia hub without any bags.
This may have been discussed before, but with the recent spate of DNS cache poisoning attacks and fake WiFi hotspot proliferation I believe it has new relevance. I was actually rather shocked to find that U.S. Bank (http://www.usbank.com/), Chase (http://www.chase.com) and Bank of America (http://www.bankofamerica.com) all still *force* users to enter their login and password on an insecure page. This exposes account holders to a great risk of their credentials being stolen. The login forms on their genuine home pages are submitted to a secure site, as they claim. The problem is that you need security *before* you enter your data. If DNS, a router or a proxy server anywhere along the path to their server were compromised, the login page could be substituted for one that submits to another site or injected with JavaScript that sends info elsewhere, asynchronously, before it goes to the real destination. Without an SSL certificate chain there is no way to verify that the insecure page with the form came from a trusted source and no way short of exhaustive code inspection to tell where the form data is actually going. BankOne, Wells Fargo, Citi, Washington Mutual, Bank of the West, Key Bank and Sun Trust all offer SSL versions of their login page, but for some reason, U.S. Bank, BofA and Chase redirect to an insecure site or return an error when trying to connect with SSL. You *can't* log in securely, even if you try. The existence of this kind of obvious and fundamental security mistake after all the publicity about this category of attack (note that all these banks *do* have a user education page on phishing/fraud prevention!) is definitely something to keep in mind when choosing a bank.
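As an added illustration (not from the original post, and not any bank's own code), here is an offline Python check that separates the two conditions the post distinguishes: whether the login page itself arrived over HTTPS, and whether the password form's action is HTTPS. The host names and HTML below are constructed samples.

```python
"""Offline check for the mixed-security login-form pattern described above.

Inputs are the page URL (its scheme is what matters) and the HTML, so it runs
offline; the samples at the bottom are constructed, not captured from any bank.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each form's resolved action, whether it has a password field, and the script count."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # each: {"action": str, "has_password": bool}
        self._current = None
        self.script_count = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page URL; an empty action posts back to the page.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True
        elif tag == "script":
            self.script_count += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings; an empty list means both checks pass."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    login_forms = [f for f in scanner.forms if f["has_password"]]
    findings = []
    if not login_forms:
        return findings
    # Check 1: the form itself must arrive over TLS, or nothing in it can be trusted.
    if urlsplit(page_url).scheme != "https":
        findings.append("login form served over plain HTTP: form and scripts cannot be authenticated")
        if scanner.script_count:
            findings.append("unauthenticated page also carries %d script block(s)" % scanner.script_count)
    # Check 2: every password form must post to an https:// action.
    for f in login_forms:
        if urlsplit(f["action"]).scheme != "https":
            findings.append("password form posts to non-HTTPS action: %s" % f["action"])
    return findings


# Constructed samples: the pattern criticised above (HTTP page, HTTPS action) and its fix.
HTTP_PAGE = "http://bank.example/"
HTTPS_PAGE = "https://bank.example/"
LOGIN_HTML = """<html><body>
<form action="https://login.bank.example/auth" method="post">
<input name="user"><input type="password" name="pass"><input type="submit">
</form><script src="/tracker.js"></script></body></html>"""
```

Calling audit_login_page(HTTP_PAGE, LOGIN_HTML) reports the page as unauthenticated even though the form posts to HTTPS, while the same HTML served from HTTPS_PAGE yields no findings.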
> Ch7 is one of the three national commercial TV stations in Australia. "The national phone system failed", and what RISKS hears about is a *television* outage? Please tell me that this was just a careless wording! Mark Brader, Toronto, msb@vex.net [Probably not. TV is much more visible than electricity to many people... PGN] [On 27 Jan 2006 Mark Brader noted earlier private communications, including one that said the problem was restricted only to the internal interstate network. PGN]
While living in Florida, I always wondered what would happen if one of the message boards on northbound I-95 would have said something along the lines of "Notice - DEA Checkpoint 2 Miles"
Online security with usability problems? In RISKS-23.84 Ed Taft wrote an article about the potential drawbacks of using a keyfob device to facilitate two-factor authentication. Ed made several observations of his experience and notes that: "... while this appears to have good security, some potential deficiencies come to mind: It requires more typing than the old scheme, including an unfamiliar sequence of characters that changes every time. A better arrangement would be for the keyfob to have a USB connector that I plug into my computer to prove that I have the keyfob." This 'deficiency' has already been addressed: The solution is to allow the 'token' software to be installed on some other device such as a USB memory stick. This can then be used to prove that the authenticating user has the device (by plugging it in). For an example and explanation have a look at: http://www.passgo.com/products/softwareTokens.shtml To maintain the two-factor authentication, plugging in the device by itself is not enough — the user must supply something they know. As Ed noted, this is an unfamiliar sequence of characters that changes every time. With the software token installed on your USB memory stick, supported applications can be configured to require a PIN, allowing the challenge/response sequence to be handled automatically. The solution ports to other common electronics that folks have, such as PDAs and mobile devices, giving even greater freedom to the end user. For further information on the need for strong two-factor authentication and solutions, RISKS readers can follow this up at: http://www.passgo.com/products/defender/index.shtml
Jonathan Lewthwaite, Technical Account Manager, www.passgo.com
Ed Taft's commentary in RISKS-23.84 on E*TRADE's apparent use of RSA's SecurID system to authenticate users to their website raised a few points that I think merit additional consideration. On Ed's first point, about the added typing necessitated by the system and his desire that it have a USB plug: Having a keyfob with a display allows the device to be used with any sort of computer--not every computer out there has a USB port, or one that is user-accessible. What if you log in using a phone or a PDA? On multiple service providers using SecurID: Theoretically this could become a problem, but there's no reason why a trusted third party couldn't run a copy of RSA's ACE/Server (the app used to authenticate SecurID tokens) that others could connect to over a VPN to use for authentication. One token, many sites. (This, though, has plenty of inherent RISKs too.) Finally, on his point about the keyfob's battery dying: RSA has a good plan for that--replace the unit. It's as simple as that. Ed raises these issues as though E*TRADE is the first company to ever implement SecurID (and they may be the first to implement it for a public-facing service, but not the first ever), but in reality they are not very grave issues, and many government labs and other organizations find SecurID to be a good security method despite them. The real RISK? Weaknesses in the SecurID system: http://www.homeport.org/~adam/dimacs.html.