Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The AP reports that an Airbus flown by a Turkish charter company had landing gear problems when arriving at Ben Gurion airport. Apparently, the pilot received indications that the nose wheel had not descended properly. In fact, it was down; the plane landed normally after the tower observed it visually. The problem? According to the Anatolia news agency, it was a "glitch ina computer system". Steven M. Bellovin, http://www.cs.columbia.edu/~smb
To appreciate THE CUMULATIVE EFFECT, Privacy Journal newsletter in its May issue compiled the following list of breaches of sensitive personal information, disclosed just since January. It's not an atypical list for a three-month period, but breaches are obviously getting more press attention. * Tepper School of Business at Carnegie Mellon University reported that a hacker had access to Social Security numbers and other sensitive personal information relating to 5000 or more graduate students, staff, and alumni. Another department at the university is responsible for receiving complaints of Internet breaches and solving them. * Tufts University notified 106,000 alumni, warning of ''abnormal activity" on its fund-raising computer system listing names, addresses, phone numbers, and, in some cases, Social Security numbers and credit-card account numbers. * ChoicePoint, the insurance and employment investigative company and "information broker" based in Georgia, sold personal data on from 100,000 to 500,000 or more persons to fraud artists posing as legitimate businesses. (Still, the State of California plans to award a $340,000 contract to the Equifax-created company to gather information on suspected criminals and terrorists, according to The Sacramento Bee.) * DSW Shoe Warehouse experienced a hacking incident involving access to an estimated 1.4 million credit-card numbers and names, 10 times more than investigators estimated at first, as well as driver's license numbers and checking-account numbers from 96,000 transactions involving other customers. * A computer system breach at an unnamed retailer involved at least 180,000 customers, perhaps more. HSBC North America, which issues GM's MasterCard, urged all customers to replace their cards as quickly as possible because the personal data was compromised. The Wall Street Journal identified the retailer as Polo Ralph Lauren Corp., but the company insisted that in fact no information was leaked, although a computer flaw was discovered and fixed. * Ameritrade Holding Corp., the online discount broker, informed about 200,000 current and former customers that a back-up computer tape containing their account information was lost when a package containing the data was damaged during shipping. * Canadian Imperial Bank of Commerce, CIBC, one of Canada's leading banks, "failed to recognize" that misdirected confidential faxes sent to outside parties over a three-year period were a breach of customers' privacy that could have been prevented, according to a finding by the federal Privacy Commissioner in Canada. Bank of Montreal, Royal Bank of Canada, Scotiabank, TD Bank, and National Bank have also misdirected faxes with customer information. * Motor vehicle departments in four states have lost personal data. The Texas Department of Public Safety mailed to 500 to 600 licensed drivers renewal documents that pertained to other persons. In March, burglars rammed a vehicle through a back wall at a Nevada Department of Motor Vehicles facility near Las Vegas and drove off with files on about 9000 people, including Social Security numbers. In April police arrested 52 people, including three examiners at the Florida Department of Motor Vehicles, in a scheme involving the sale of more than 2000 fake driver's licenses. Also, Maryland police arrested three people, including a DMW worker there, in a plot to sell about 150 fake licenses. * A Boston-based storage company named Iron Mountain Inc., lost Time Warner Inc.'s computer back-up tapes with Social Security numbers and names of 600,000 current and former employees and dependents. This is the fourth time this year that Iron Mountain has lost tapes during delivery to a storage facility, according to The Wall Street Journal. * Someone gained access to the personal information of 59,000 current, former, and prospective students at California State University, Chico, the university revealed in March. * A laptop that contains about 100,000 Social Security numbers of students and personnel at the University of California, Berkeley was stolen from the school's campus. * Someone hacked into a database at the Kellogg School of Management at Northwestern University, possibly exposing data pertaining to 21,000 individuals at Northwestern. * More than 1600 parents discovered in January that records in the Colorado State Health Department relating to an autism study were lost. A laptop computer left in a health department employee's automobile was apparently stolen last October. *** A free copy of the current issue of Privacy Journal is available through orders@privacyjournal.net. Specify e-mail copy or hard copy (and include a mailing address). Robert Ellis Smith, Publisher, Privacy Journal, PO Box 28577, Providence RI 02908 401/274-7861 fax 401/274-4747 http://www.privacyjournal.net
More than 48,000 customers of Wachovia Corp. and 600,000 of Bank of America Corp. have been notified that their financial records may have been stolen by bank employees and sold to collection agencies. Nearly 700,000 customers of four banks may be affected, according to police in Hackensack, N.J. Nine people have been charged, including seven bank workers. Also affected were Commerce Bank and PNC Bank of Pittsburgh. Collection agent Orazio Lembo Jr., 35, of Hackensack made millions of dollars through the scheme. Lembo received lists of people sought for debt collection and turned that information over to the seven bank workers, who would compare those names to their client lists. The bank workers were paid $10 for each account they turned over to Lembo, Zisa said. In a separate case with the potential for identity theft, a laptop containing the names and Social Security numbers of 16,500 current and former MCI Inc. employees was stolen last month from the car of an MCI financial analyst in Colorado. [Source: An AP item by Paul Nowell, Banks Notify Customers of Data Theft, PGN-ed] http://story.news.yahoo.com/news?tmpl=story&cid=528&e=3&u=/ap/20050523/ap_on_bi_ge/data_theft
Security researcher Colin Percival recently (13 May) announced a security
vulnerability caused by the combination of the Hyperthreading and shared
cache features of Intel Pentium 4 processors. By carefully measuring the
time required for instructions to execute in one thread while the other
thread is performing a cryptographic calculation, the secret key can be
determined. A paper describing the flaw is here:
http://www.daemonology.net/papers/htt.pdf
Colin notified OS vendors about the problem some months earlier, and fixes
are available for several BSD and Unix distributions. It's been designated
CAN-2005-0109 in the Common Vulnerabilities and Exposures list; more details
here:
http://www.daemonology.net/hyperthreading-considered-harmful/
This vulnerability was also announced by Adi Shamir during the
Cryptographer's Panel at RSA in February 2005. I thought it was the most
interesting item in all the keynotes (although the hash function
announcements were a close second), but it got essentially no press coverage
(unlike this time, where it is being widely reported). Adi subsequently
told me that he had a working implementation and planned to present it at
the Eurocrypt rump session next week. The two attack implementations
(Colin's and Adi's) are apparently quite different, but yield the same
result, underscoring the severity of the problem. It's also similar to Paul
Kocher's classic timing attacks.
The problem is particularly bad for processors with simultaneous
multithreading ("Hyperthreading"), since that allows context switches to
take place at a granularity of individual instructions, and thus allows very
fine-grained time measurements. However, the same basic problem is present
in any computer with a cache that is physically shared by processes in
different security domains.
Although cache timing has been known as a covert channel for a long time, I
think this particular exploitation is really slick. I "discovered" a
similar cache timing vulnerability during the covert channel analysis in the
Multics B2 evaluation back in 1983/84, but I didn't have the wit to
understand how interesting the consequences might be. I put "discovered" in
quotes because of the way I was gently discouraged from further pursuit (or,
horrors, publication) by some of the NSA personnel who were also involved.
I was disappointed at the time, but in hindsight it seems likely they knew
precisely where such pursuit might lead. Indeed, I understand that a
similar vulnerability was uncovered by Marv Schaffer et al. in 1979 during
the KVM/370 secure operating system project.
The RISK here is a classic example of relying on underlying abstractions
(the hardware memory model) to behave in an ideal manner, rather than
understanding their implementations. Many security flaws result from the
adversary breaking the veil of abstraction to look at the soft, juicy parts
inside. Even when the higher-level model is perfect (or formally verified),
the mapping to implementation can hide a multitude of sins.
A company called MarketScore has a spyware product that includes a full-fledged man-in-the-middle attack on all web traffic, including encrypted traffic. While any malware running in administrative mode is potentially catastrophic for subsequent trust and privacy, the MarketScore attack is especially ingenious and simple. MarketScore/NS configures the user's machine to proxy all web traffic through their external server. One would ordinarily expect that SSL traffic would pass through the proxy opaquely. However, MarketScore also installs itself as a trusted root certification authority (under the name "Netsetter" or "MarketScore," depending on the version). Whenever the user connects to a secure site, MarketScore self-signs a certificate for the site and presents it to the user's machine. Since MarketScore is a trusted CA for the user's machine, the user sees no warning and gets the lock icon and yellow URL bar. However, MarketScore decrypts the traffic at the proxy server and re-encrypts it for its SSL session with the actual host. MarketScore is therefore able to play a man-in-the-middle on all traffic, including SSL traffic. Apart from this exploit, MarketScore seems to be garden-variety spyware, which offers an e-mail virus scanning service in exchange for monitoring surfing activities as a sort of Nielsen service. The risks of this technique being applied toward identity theft and other malicious ends are, however, clear. Aaron Emigh, Radix Labs 415-297-1305 aaron-risks@radixlabs.com
This week, I have begun to see evidence — in the form of "bounced" e-mails and error messages in our servers' log files — that "zombie" machines which are infected by malware (either worms or spyware) are launching aggressive "Rumplestiltskin attacks" against mail servers throughout the Internet. What is a "Rumplestiltskin attack?" As described in a paper I wrote several years ago (where I coined the term for lack of a better existing one), it is an e-mail address harvesting attack in which a machine attempts to send e-mail messages to randomly guessed addresses at a domain. It might try common first names — for example, "john@domain.com", "joe@domain.com," and "mike@domain.com" — and then proceed to common last names and combinations of names and initials. (In some cases, we've seen some very unusual guesses that appear to have been extracted from lists of AOL screen names.) If mail for a guessed address is accepted, the "zombie" machine records the address and sends it back to its "master" — a controlling machine which adds it to a database of addresses which will become targets for spam. Because the address guessing process is expensive (both in terms of computing time and in terms of bandwidth), the best way to achieve results is via a rogue form of distributed computing, in which large numbers of "zombies" (machines co-opted via malware) are pressed to the task. On our servers, these attacks and other traffic from spammers are now consuming approximately ten times more resources than all of our legitimate mail combined. Because the "zombies" are generally not mail servers, the most effective way to mitigate these attacks — though it might offend the sensibilities of the "Orthodox End-to-Endians" — is for ISPs and enterprised to block outgoing port 25 traffic from client computers that are not designated as, or intended to be, mail servers. These computers should send outgoing mail only through a designated mail server, which in turn monitors them for excessive outgoing traffic. ISPs' firewalls should monitor and log attempts to send such traffic, so that infected machines can be spotted and cleansed of their infections. As I've mentioned above, there will be some people who are philosophically opposed to the notion of restricting Internet traffic so as to limit abuse. Alas, such idealism is inappropriate for the real world, where spam is now consuming so many resources that it threatens not only to choke off not only legitimate e-mail but to consume the lion's share of ISPs' bandwidth. [IP Archives: http://www.interesting-people.org/archives/interesting-people/]
Earlier this year, we switched over to DSPAM, a fancy Bayesian spam classification system. We're also running SpamAssassin, which gives DSPAM a chance to see SpamAssassin's automatic classifications and determine, for itself, what weights are appropriate for each of those filters. After a couple months of this hybrid usage, I'm now getting about 99.4% classification accuracy (maybe two or three errors per day). What's interesting is what's still getting through. Recently, I've gotten a number of spams that have perfect spelling and vanilla plain text (as opposed to the insane HTML ov3rki!! variety). If you look at the mail headers, there's some evidence of zombie machines being used to transmit the spam (i.e., received lines not matching up to the From or Sender line) but otherwise the headers are quite clean. For the message in front of me right now, the user agent is even listed as Mozilla on Linux. DSPAM has a clever feature where it will tell you what factors in the message it used to make its decision. In this case, DSPAM latched onto the User-Agent string and other Mozilla-esque headers as having a very low probability of being spam. This outweighted a few strings that otherwise should have tipped it off (e.g., "credit history" or "secure, private"). In some sense, this is exactly what Paul Graham predicted would eventually happen in "A Plan For Spam". My hope is that I can eventually untrain DSPAM of its love for Mozilla headers; we'll see how well it does. My fear is that there will always be an avenue of attack for a "contrarian spammer" who engineers spam to be unlike all the other spams out there. P.S. At this point, virtually all of my false positives (normal messages misclassified as spam) are coming from infrequent events that DSPAM would never enough data from which to be properly trained, such as the e-mail generated by a dot-com store when I bought a new camera lens.
A large scale industrial espionage case is now unfolding in Israel (see http://www.haaretz.com/hasen/spages/581790.html ). A hacker had developed a Trojan horse application and sold it to several private eye companies — it seems the Trojan was used for keyboard sniffing as well as file transfer. The private eyes' clients chose the the targeted victims, and the Trojan was sent there by e-mail or posted CD, masquerading as legitimate business presentation. The collected info was transferred from the victims' computers into an FTP server site (it's not clear if this site was maintained by the private eyes or the hacker) to which access was sold to the clients in the form of one-time passwords at 2000 Euro per entry. It seems none of the targeted systems was hardened in any way to detect such an intrusion, and the scheme was discovered only because the hacker had posted some of the illegally obtained items over the net.
Bob Blakley writes: > To get documents onto such a server, you'd need to go through the analog > hole, which would automatically guarantee that the document's appearance IS > its deep structure. Voila. When NSA declassified the Skipjack cipher, many people laughed because the document was a scanned image. "Doesn't the NSA know how to use PDF properly?" Seems to me that NSA has understood this principle for many years.
In RISKS-23.87, "US Government to alter RFID passport regulations" "... embedded radio chip holding a digitized photograph and biographical information is more secure...." Bio*graphical* information? This is new. Hold on a cotton-pickin' minute here. What sort of biographical information is it going to hold, and what about those of us whose biographies don't fit on a smart card. Yeah, yeah, metric, graphic, what's the difference? It's just a measure of inaccuracy in the writing.
EEPI 2005
Conference and Workshop on Electronic Entertainment
Policies, Problems, and Solutions
Los Angeles, California USA
Late Summer/Early Fall 2005
(2 to 3 days)
*** Call For Interest ***
*** Conference Web Page: http://www.eepi.org/eepi2005 ***
EEPI - Electronic Entertainment Policy Initiative
http://www.eepi.org
EEPI main address: eepi@eepi.org
EEPI conference/workshop: eepi-conf@eepi.org
Greetings. EEPI is organizing a combined conference and workshop in Los
Angeles for late Summer or early Fall 2005. The purpose of this gathering
is to fulfill a number of related objectives, all aimed at fostering
cooperative, interdisciplinary work toward finding solutions to an array of
issues related to entertainment technology policies and their impacts on
other aspects of technology and society at large.
Primary goals of this meeting include both providing attendees with insight
into the many often conflicting points of view and complex characteristics
related to these issues, and to work towards establishing a long-term
framework for finding and implementing practical, cooperative solutions
wherever possible. This will not be a place for finger-pointing or
name-calling. Attendees should be interested in learning more about these
issues and helping to solve the many complex problems in this arena that we
must deal with today and that we will be facing with increasingly rapidity
in the future.
We urge you to view http://www.eepi.org for more details regarding EEPI and
the entertainment technology issues of concern, and some thoughts on the
categories of groups and individuals who may be particularly interested in
attending this meeting.
Formal papers are welcome but are not required for presentations at the
conference or workshop sessions. Student registration discounts will be
available.
Our aim is to bring together involved and interested parties from across the
electronic entertainment spectrum and beyond: record labels; film studios;
broadcasters; artists; technical development and manufacturing firms;
computer firms and organizations; Internet, government, legal, and public
interest individuals and groups; educators; students; media; concerned
members of the public, and more.
Since the focus for this gathering is interdisciplinary in nature,
highly-detailed technical presentations (as opposed to technical
"overviews") will be discouraged in main sessions, however, more detailed
technical discussions may be appropriate in particular workshop sessions
during the meeting. Sessions may be organized on multiple tracks as deemed
appropriate, to be determined as meeting details are finalized.
Below is an alphabetical, non-inclusive list of some categories of issues
that are appropriate for this gathering, as they relate to electronic
entertainment. Many of these are interrelated, of course:
- Academic Institution Concerns
- Alternative Licensing Models
- Artists' Economic Concerns
- Artists' Rights
- Broadcasting Issues (Broadcast Flag, Copy Controls, Digital TV, etc.)
- Cable TV Issues
- Children's Online Protection Act (COPA)
- Consumer Economic Concerns
- Consumer Rights
- Content Distribution Issues (Music, Films, etc.)
- Content Filtering and Blocking (Internet, Other Media, etc.)
- Copyright Issues
- Corporate Economic Concerns
- Corporate Rights
- Criminal Prosecutions
- Digital Rights Management (DRM) / Copy Protection Systems
- Digital Video Recording (DVR), etc. and Related Impacts
- Downloading of Audio and Video (Legal and Illegal)
- DVD and "Next-Generation" DVD Issues (eg. Blu-Ray, HD-DVD, etc.)
- Electronic Games (Content, Piracy, etc.)
- Fair Use Issues
- Intellectual Property Issues
- International Issues
- Internet Issues (the broad range of related Internet applications)
- Judicial Issues (court rulings and their effects)
- Lawsuits and other Civil Actions
- Legislative Issues (local, state, and federal legislative actions)
- Micropayment Issues
- Payment Models
- Peer-to-Peer (P2P) File Sharing Issues
- Piracy Issues (Music, Films, Videos, other Content, etc.)
- Regulatory Issues (Regulatory Agency Actions, e.g. FCC, DOJ, ITU, etc.)
- Streaming Audio and Video Issues
- Video on Demand Issues
- Video to Consumers over Fiber, DSL, Internet Issues
... and a host of others!
- - -
Obviously we will not be able to solve all of the many complex problems
related to these topics at this single gathering! However, we hope to
demonstrate that it is possible for people to work together on these
problems, help attendees understand other persons' points of view regarding
these contentious issues, and lay the groundwork for long-term, continuing
efforts by interested individuals and groups to simultaneously find
solutions, and to reduce the level of animosity and its counterproductive
effects in the areas of concern.
- - -
If you might consider attending, please send a note (all e-mail to
this address will be read by a human!) to:
eepi-conf@eepi.org
or FAX to:
+1 (818) 884-7502
Please let us know your level of interest, any relevant organizational
affiliations if you wish, and any related comments or questions. Unless you
specify otherwise, we'll add your e-mail address to a private mailing list,
which will only be used to provide more information as additional details of
the meeting (exact location, dates, registration fees, etc.) are determined
and finalized.
Please also feel free to contact EEPI co-founder Lauren Weinstein by phone
via +1 (818) 225-2800.
We hope to see you at EEPI 2005!
Thank you very much for your consideration.
- - -
EEPI - Electronic Entertainment Policy Initiative
"Working Together Toward Sensible Policies and Solutions"
http://www.eepi.org
EEPI main address: eepi@eepi.org
EEPI conference/workshop: eepi-conf@eepi.org
This document is subject to change and elaboration at any time. 5/30/05
Please report problems with the web pages to the maintainer