> Date: Thu, 5 Aug 2004 14:30:13 -0700 > From: "SusanMarieWeber" <firstname.lastname@example.org> > Subject: Kolwicz kicked out for submitting real election tests > This is message from Al Kolwicz. I suspect that we are all going to face > these problems during the next accuracy and logic testing of the voting > machines before the November 2004 election. Imagine having cops around to > tell people to leave. We must stop questioning authority? I don't think > so, NOW more than ever we need to keep asking these questions. > Susan Marie Weber Kolwicz kicked out for submitting real election tests Al Kolwicz, official representative to Boulder County's test of its new vote counting system, was asked by County Clerk, Linda Salas, to leave the test. When asked what happened, Kolwicz said, "we submitted sample ballots to test the security and accuracy of the county's new vote counting system." The sample ballots included tests such as - (a) what happens if a voter circles the box rather than filling in the entire box with a black pen, and (2) what happens if a voter marks over the ballot serial number in hopes that this will make the ballot secret. (Boulder County's new ballots are not secret.) Salas consulted with the Secretary of State, Donetta Davidson's office, by phone. Following their private conversation, Salas asked Kolwicz to leave. Kolwicz left immediately and went outside of the building to record some notes. Deputy P. Dunphy, who was in the room where the testing was being conducted, came out to find Kolwicz on a bench. He told Kolwicz that he was not to return to the building. "It looks like a sham is being foist upon the public", said Kolwicz. The tests prepared by Kolwicz are limited to things that can happen in this year's primary election. Al Kolwicz, CAMBER - Citizens for Accurate Mail Ballot Election Results 2867 Tincup Circle, Boulder, CO 80305, 303-494-1540 AlKolwicz@qwest.net www.users.qwest.net/~alkolwicz http://coloradovoter.blogspot.com
Robert Lemos, CNET News.com, 5 Aug 2004 http://zdnet.com.com/2100-1105-5298999.html Six vulnerabilities in a common code that handles an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X. The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image. Among the programs that use libPNG and are likely to be affected by the flaws are the Mail application on Apple Computer's Mac OS X, the Opera and Internet Explorer browsers on Windows, and the Mozilla and Netscape browsers on Solaris, according to independent security researcher Chris Evans, who discovered the issues. Apple and Microsoft could not immediately be reached for comment. Evans did not test every platform to check which vulnerabilities work, he said.
I happened to stumble upon the most recent issue of the hacker e-zine Phrack, Issue #62, of July 10, 2004, and looking over the table of contents I found article #5, "Bypassing 3rd Party Windows Buffer Overflow Protection" which can be read at the following url: http://www.phrack.org/show.php?p=62&a=5 I found the article fascinating in that it shows exactly why several major commercial anti-buffer overflow exploit programs are inadequate for their advertised purposes. The article even points out what you are going to end up with: a false sense of security. For those who are not so technically inclined, a buffer overflow exploit is one in which someone sends too much data to a program (such as a web server application), sending far more data than the program would expect, in order to force arbitrary data into a storage area (a "buffer") so the amount of data forced into the buffer goes beyond the expected limits, causing the data to overflow the buffer and makes it possible for that data to be executed as arbitrary program code. Since the attacker forces code of his choosing into the execution stream, he now 0wns your box, because as the saying goes, if I can run code on your machine - especially if it's a Windows machine where there is not much protection - I can pretty much do anything I please there. These anti-buffer overflow exploit protection programs then try to prevent this by watching for attempts to execute calls to the operating system, in places where only data should occur as opposed to program code. The article shows why these programs are inadequate both from a standpoint of how they fail to provide full protection, and how to get around the limited protection they do provide. This sort of article is an excellent example of why full disclosure of a serious problem is necessary in order to solve it. The type of response to an anti-buffer overflow exploit protection program by an attacker would, as a matter of necessity, be somewhat complicated and technical in nature, and the only way one could explain why there is a problem, what the problem is, and then allow someone to be able to solve it, is to describle how to exploit the flaw. Nothing less will do because nothing less will explain how the flaw is exploited. It is reports such as these that are important even to those that are not interested in breaking into a place, and in fact are probably of crucial interest to security people in order that (1) they not be given a false sense of security by these products that only solve part of the problem; (2) explain exactly why the products are ineffective; and (3) explain exactly what the issues are. An explanation such as the one given shows why these products are ineffective, shows what those who have to defend themselves need to look for, and can show those trying to build safety systems in the future how to better secure them. Does this mean someone can create an attack using the information shown? Absolutely. This does not make the exposure of such information any less valid. Telling someone that it is still possible to trigger a buffer overflow exploit even if a buffer overflow exploit security program is in place is probably not going to convince them without some proof. Explaining that these systems don't block everything and mentioning why will not give someone enough information to reliably check what is happening or understand how the problem affects them. Only a clear explanation of how the process is done is going to show someone how to guard against it. Digging one's head in the sand does not hide a danger, nor does making it illegal to publicize such information help, as those who will use such information for criminal purposes, since they are already breaking the law, any penalties for selling such information to other crackers (or trading it for other information) simply keeps it out of the hands of the good guys who would need it to figure out how to work around it. Additionally, by making such information available, third parties, who are neither selling security software, nor trying to crack other people's boxes in order to own them, can read this information and give an objective validation as to whether they are valid or not, and perhaps can supply solutions not requiring multi-thousand-dollar support contracts from some vendor who is more interested in what they can sell than in security, who just happen to sell this particular type of product because there is a market for it and who might not be interested in giving away information that they can sell to others. There's nothing particularly wrong with charging whatever the traffic will bear for what you know, but it creates a strong disadvantage for those kept in the dark. Which is the only thing that security by obscurity - trying to hide problems in the hope someone doesn't discover them - does, it keeps the people who most need to know how to solve the problem in the dark.
Kim Zetter, Wired.com, 6 Aug 2004 Serious flaws discovered in Bluetooth technology used in mobile phones can let an attacker remotely download contact information from victims' address books, read their calendar appointments or peruse text messages on their phones to conduct corporate espionage. An attacker could even plant phony text messages in a phone's memory, or turn the phone sitting in a victim's pocket or on a restaurant table top into a listening device to pick up private conversations in the phone's vicinity. Most types of attacks could be conducted without leaving a trace. Security professionals Adam Laurie and Martin Herfurt demonstrated the attacks last week at the Black Hat and DefCon security and hacker conferences in Las Vegas. Phone companies say the risk of this kind of attack is small, since the amount of time a victim would be vulnerable is minimal, and the attacker would have to be in proximity to the victim. But experiments, one using a common laptop and another using a prototype Bluetooth "rifle" that captured data from a mobile phone a mile away, have demonstrated that such attacks aren't so far-fetched. Laurie, chief security officer of London-based security and networking firm ALD , discovered the vulnerability last November. Using a program called Bluesnarf that he designed but hasn't released, Laurie modified the Bluetooth settings on a standard Bluetooth-enabled laptop to conduct the data-collection attacks. Then, German researcher Herfurt developed a program called Bluebug that could turn certain mobile phones into a bug to transmit conversations in the vicinity of the device to an attacker's phone. ... http://www.wired.com/news/privacy/0,1848,64463,00.html
Many popular instant-messaging tools interpret text "emoticons" and replace them with graphical icons. For example, if you send your buddy a colon-right-parenthesis, your correspondent's messaging client may replace the :) with a yellow smiley-face icon. This is very nice, but the sender has no control. And it's hard to know in advance what character-strings will be parsed into what kind of unintended image. A colleague was discussing his 401(k) plan with his boss, who happens to be female, via instant messaging. He discovered, to his horror, that the boss' instant-messaging client was rendering the "(k)" as a big pair of red smoochy lips. :(
[The "first" as far as we know.] Ina Fried, Malicious program aims for Pocket PCs, CNET News.com, 5 Aug 2004 http://zdnet.com.com/2100-1105-5298781.html A malicious Trojan horse program has emerged for Pocket PCs, antivirus companies, but they characterized the threat as relatively low. The program, known alternately as Backdoor.Bardor.A and WinCE.Brador.a, lets an attacker gain full control of the handheld and is the first such "backdoor Trojan" program to emerge for Pocket PCs. However, such backdoor programs are not capable of propagating on their own and instead must be sent as e-mail attachments or through similar means, making them less dangerous.
TD, CIBC glitches bring down key banking systems, ITBusiness, 29 Jul 2004 http://www.itbusiness.ca/userredirect.asp?linkid=37706&userid=5 Two of Canada's best-known financial institutions join RBC in the annals of IT horror stories. Find out what went wrong, and to what extent customers' loyalty will be tested. * The CIBC error was definitely a program change that made it through testing and was put into production with an uncaught error in the code. * The TD error was still being investigated at the time of the article I reference above. Basically, more of the same, and impacting a lot of customers in Canada and elsewhere. Proof that as many times as it gets pointed out to them, it still happens, and will continue to happen.
Time Warner Cable, Cablevision and other cable giants have begun setting up their own Voice over Internet Protocol (VoIP) services for American consumers, says a new Yankee Group report, aimed at quickly gaining the lead over alternative Internet telephony providers in 2004. "After many years of testing, the VoIP technology is finally available and ready for prime time. The U.S. market, which represents almost all the cable VoIP market today, also will drive the global MSOs (multiservice operators) to move forward," says a Yankee Group analyst. Already, some alternative providers such as Vonage and Net2Phone are collaborating with cable and other broadband partners to offer their services, but in the long run, consumers likely will opt for VoIP service straight from their local cable or phone company. In a separate report on the U.S. broadband market, Yankee predicts that subscriptions to high-speed services will overtake narrowband signups by 2006. That study listed Comcast as the leader in cable modem subscribers and SBC as the dominant DSL provider. [CNet 3 Aug 2004; NewsScan Daily, 4 Aug 2004] http://news.com.com/2100-7352-5295023.html
Independence Air (www.flyi.com), a newly formed airline, suffered from a rather severe computer outage yesterday from about 3pm-9pm (not sure exactly). The result was that they couldn't check passengers in, couldn't track baggage, etc. The front-side people had no way of knowing which flights were in the air or who was on them. This may have been related to a severe round of thunderstorms that went through the Washington DC area at about the same time. One would hope they had backup computer systems (or power supplies, or network connectivity), but that's just a guess. What made this particularly nasty as an outage is that they didn't have backup procedures - no one had phone numbers, as they rely on getting those from the computer system. It made for a particularly long evening waiting 7 hours to pick my daughter up, since no one could tell us what the status was of any flight, or even what flight she was on. So when she walked out from the security area, it was something of a surprise....
EarthLink and Webroot Release Six-Month SpyAudit Report; CoolWebSearch Identified as the Most Virulent Adware Program (PR Newswire, 4 Aug 2004) http://finance.lycos.com/home/news/story.asp?story=42899777 EarthLink and Webroot Software (a producer of award-winning privacy, protection and performance software) released their third SpyAudit Report, which has tracked the growth of spyware on consumer PCs for the first half of 2004. Since the SpyAudit report's inception on 1 Jan 2004, more than two million scans have been performed. The scans discovered approximately 54.8 million instances of spyware, for an average of 26.5 traces per SpyAudit scan. Scans nearly doubled from the first to the second quarter. For each category, the instances of adware increased month-over-month, while adware cookies, system monitors and Trojans decreased slightly overall. The complete report is available at <http://www.earthlink.net/spyaudit/press>.
Since we're talking about memory errors, there's a nice paper on memory vs a light bulb: A. Appel and S. Govindavajhala. "Using Memory Errors to Attack a Virtual Machine" in IEEE Symposium on Security and Privacy, 2003. http://www.cs.princeton.edu/~sudhakar/papers/abstracts/memerr.html http://www.cs.princeton.edu/~sudhakar/papers/memerr-slashdot-commentary.html I guess people designing voting machines without using some kind of heat sensor with alert procedure, using properly shielded case, ECC memory, etc... are not doing their engineering job. Not adding a paper trail at all is also a real bad idea, but that's just me :).
I got this a few weeks ago, and just noticed it. As with so many risks, the problem isn't the technology, but rather the unexpected combinations of technologies (i.e., cell phones left on all night along with automated calling systems). >I wanted to open this month's newsletter by sincerely apologizing to the >almost 60 people in our database who mistakenly received a call in the >middle of the night to remind them of our upcoming webinar held on [date]. >[Vendor] does not usually "telemarket" to our database - in fact, we >had never done so before. But when the webinar company offered us a chance >to broadcast a pre-recorded VM reminder at no charge, we fell for the lure >of the "free" opportunity against our better judgment. The theory was >that if it was sent after hours, it would not disturb anyone during their >work day. It sounded good in theory... > >The result? Four complaints the next morning from people notifying us that >we had woken them up by calling their home offices or cell phones that had >not been turned off that night. I asked the webinar company to run a call >report afterward and although we only received a few actual complaints, >the data showed that up to as many as 60 of you may have received these >disturbing calls. All I can say is that I am extremely sorry for the >inconvenience and I assure everyone that we will never mass call to our >database again. I do hope you accept my sincere apology for the mistake.
Major events in Internet Voting are taking place in The Netherlands. The Dutch government tested an Internet voting system called "KOA" in the European Elections last month. A portion of that system was written by the Security of Systems (SoS) Group using formal methods. Additionally, partially based upon my group's work and influence, the entire KOA system has been Open Sourced under the GPL license. I have written a short article "Electronic and Internet Voting in The Netherlands" on what has been happening here over the past few months. See <http://www.cs.kun.nl/sos/> and <http://kind.cs.kun.nl/~kiniry/papers/NL_Voting.html> for more information.
I was struck by the parallels between the risks discussed by Michael Bacon and those arising in backcountry skiing and mountaineering. For example, his risk (4) pretty much corresponds to the failure to set a firm turn-around time that allows for a safe return. See Chapter 18 of "Mountaineering: the Freedom of the Hills" (6th edition, Graydon & Hanson, 1997) for additional interesting parallels. Articles like Ian McCammon's "Evidence of Heuristic Traps in Recreational Avalanche Accidents" http://www.snowpit.com/articles/traps%20reprint.pdf give independent evidence of decision-making bugs that are quite familiar to us in the computing realm: "Even though people are capable of making decisions in a thorough and methodical way, it appears that most of the time they don't. A growing body of research suggests that people unconsciously use simple rules of thumb, or heuristics, to navigate the routine complexities of modern life. In this paper, I examine evidence that four of these heuristics -- familiarity, social proof, commitment and scarcity -- have influenced the decisions of avalanche victims.". Fernando Pereira, Dept. of Computer and Information Science U. of Pennsylvania
A while ago, I tried to find out the empirical basis for claims such as these made by the Business Software Alliance. After all, they can't actually be going round and physically inspecting the software being run on people's computers, can they? Nor, presumably, are they relying on conviction rates! After some digging, I found that in 2002 their basic methodology was to count up the number of computers sold per year, and then check against the revenue from licensed software sold. They make the assumption that each computer should be loaded with X amount of licensed software. There is of course an imbalance between predicted and actuals and this is the inferential support for the detailed lists of amounts of software fraud per country they publish. The hazards of this methodology are (1) you don't check with enough software vendors, only, say the top 1,000 big ones; and (2) you don't consider that especially in economically poor countries, users may be using free-ware and open-source software. Much of the latter may simply be downloaded anonymously and you don't need to register. Even in more affluent countries the use of open source software is spreading - not only because of price, but because it is usually better written and subject to less invasive user agreements than software created by many members of the Business Software Alliance.
BKSFWRFR.RVW 20040706 "Software Forensics", Robert M. Slade, 2004, 0-07-142804-6, U$39.95/C$3.95/UK#29.99 %A Robert M. Slade email@example.com firstname.lastname@example.org %C 300 Water Street, Whitby, Ontario L1N 9B6 %D 2004 %G 0-07-142804-6 %I McGraw-Hill Ryerson/Osborne %O U$39.95/C$3.95/UK#29.99 800-565-5758 fax: 905-430-5020 %O http://www.amazon.com/exec/obidos/ASIN/0071428046/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0071428046/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0071428046/robsladesin03-20 %P 215 p. %T "Software Forensics" As long as I'm reviewing books about which I can't be objective, I might as well review my own. This book is about software forensics. Nobody seems to know what that is. "Oh, you look for child porno and drug dealer addresses on seized computers, right?" Umm, no. That's computer forensics which, although it should be broader, has become limited to the basic data recovery aspect of the wider field of digital forensics. Software forensics delves into what evidence you can glean from software itself. This is useful in malware and virus research (where it has long been known as forensic programming), as well as in cases involving intellectual property and plagiarism. The study and tools utilized in software forensics can assist with determining the intent and authorship of a piece of software. At times it can even help with tasks such as recovering source code with legacy programs, or porting to new systems. In the book there is an overview of software forensics itself. One chapter looks at blackhat sociology and culture, since those characteristics can be evident in the programming style. There is material on the various tools, and properties of malicious software. Presentation of this type of evidence in court is difficult, so chapter five reviews expert witness restrictions and other legal issues. Content is included on programming cultures, stylistic analysis, and authorship analysis. I can say, without any bias whatever, that this is the finest work on this topic available today. I can say that, because it's the *only* book that is dedicated to the subject. copyright Robert M. Slade, 2004 BKSFWRFR.RVW 20040706 email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade [Incidentally, Tim Grance at NIST noted out of band that a draft of a new guide on PDA Forensics is soon to be released by NIST. Stay tuned. PGN]
Please report problems with the web pages to the maintainer