Connecticut state emergency management officials said a worker entered the wrong code during the weekly test of the emergency alert system, leading television viewers and radio listeners to believe that the state was being evacuated: "Civil authorities have issued an immediate evacuation order for all of Connecticut, beginning at 2:10 p.m. and ending at 3:10 p.m." The code that was mistakenly entered appeared on a monitor one line above the intended code for the test. As soon as the error was detected, faxes went out to every police department in the state. Source: Emergency broadcast test mistakenly calls for evacuation, AP item [PGN-ed], The Hartford Courant, 1 Feb 2005, http://www.ctnow.com/ http://www.nynewsday.com/news/local/wire/ny-bc-ct---evacuationerror0201feb01,0,6738941.story
Moto, a Chicago restaurant, serves "sushi" with maki-like images printed with a Canon i560 inkjet printer using organic food-based inks jetted onto edible "paper" made from soybeans and cornstarch and flavored with powdered soy and seaweed seasonings. Even the menu is edible. http://www.nytimes.com/2005/02/03/technology/circuits/03chef.html?ei=5088&en=86bc342e2ce05d47&ex=1265086800&partner=rssnyt&pagewanted=print&position= [This article has been severely PGN-ed. Actually, squid ink might be an interesting choice, unless it would clog the jets. Joyce wondered whether a diner could be poisoned by the inkjet food. But perhaps the menu is also printed from the same printers, using the same inks, and not used for other porpoises? You might ask, what do they do for cuttlery? (That's a pun, not a mispeling; a cuttlefish has 10 arms, and is related to the squid. A live one might make an interesting array of chopsticks.) And, if you knew Sushi like I know Sushi, you might want to Moto-r on over. Or maybe not. It might be overpriced, but not overriced. And the chef will maki-a-velli nice presentation. PGN]
The topic of software flaws in the embedded systems within modern automobiles has been discussed in RISKS several times. But here's a new twist (to me, at least), a case where the on-vehicle software is corrupted by a virus, inserted into the automobile's computing systems, via a blue-tooth enabled cell-phone: URL CHANGED FROM http://www.infosecnews.com/news/index.cfm?fuseaction=newsDetails&newsUID=bc5789cf-e448-4a6e-bee9-a5dd291405ed&newsType=News TO (CORRECTED): http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=bc5789cf-e448-4a6e-bee9-a5dd291405ed&newsType=Latest%20News [ Same article in shorter URL: http://tinyurl.com/5p3jh ] There's the obvious risk here... a vehicle can be infected by the cell-phone in the vehicle next to you while stopped in traffic or sitting in a parking lot. As this vulnerability becomes known in the cracker community, how long before someone tailors a virus specific to a vehicular target — perhaps creating runaway-vehicle scenarios similar to the "faulty cruise control" incidents reported here in RISKS.
Tim Moran, What's Bugging the High-Tech Car? *The New York Times*, 6 Feb 2005 http://www.nytimes.com/2005/02/06/automobiles/06AUTO.html?oref=3Dlogin On a hot summer trip to Cape Cod, the Mills family minivan did a peculiar thing. After an hour on the road, it began to bake the children. Mom and Dad were cool and comfortable up front, but heat was blasting into the rear of the van and it could not be turned off. Fortunately for the Mills children, their father - W. Nathaniel Mills III, an expert on computer networking at I.B.M. - is persistent. When three dealership visits, days of waiting and the cumbersome replacement of mechanical parts failed to fix the problem, he took the van out and drove it until the oven fired up again. Then he rushed to the mechanic to look for a software error. "It took two minutes for them to hook up their diagnostic tool and find the fault," said Mr. Mills, senior technical staff member at I.B.M.'s T. J. Watson Research Center in Hawthorne, N.Y. "I can almost see the software code; a sensor was bad."
On Monday, 7th February the central computer at the rail control center for Zuerich main station in Switzerland failed. The outage was noticed at 08:40, and had deleterious consequences for further control centers which were dependent on the Zuerich center. It was partially back on-line at 13:40. No cause has yet been announced. Zuerich is the largest city in Switzerland, and the train lines converging on the main railway station are fairly complicated. Chaos was reported. The Associated Press reported that trains between Zuerich and Pfaeffikon, a commuter line on the left bank of Lake Zuerich, were all canceled for nearly four hours. Buses were used to ameliorate the situation, for example for trains in the direction of Chur. The Swiss television SF-DRS was reporting on its WWW site that many commuters were delayed by two and a half hours. Also that the trip between Lachen SZ and Zuerich, normally 45 minutes, took four hours. The Swiss railway is renowned for its punctuality. They are amongst the foremost, maybe the foremost, in the world in research into railway scheduling and its implementation in the RAIL 2000 program. I heard a talk at the FORMS/FORMAT 2004 conference from Oskar Stalder about experiments in continual punctuality information transfer to drivers, which enabled the equipped trains to maintain a schedule on certain main lines to within a ten-twenty-second margin of error - almost unthinkable. This incident will worsen the stats for 2005 just a little. The information about the outage came from http://www.sfdrs.ch/system/frames/news/sda-news/index.php?/content/news/sda-news/meldung.php?docid=20050207d395595158238553833 Peter B. Ladkin, University of Bielefeld, Germany www.rvs.uni-bielefeld.de
Excerpted from an article by Jo Best, news.com, 1 Feb 2005 A supermarket has given its customers the choice of paying by fingerprint at a store in the state of Washington--and has found them surprisingly willing to use the biometric system. U.S. chain Thriftway introduced the system, which uses technology from Pay By Touch, in its store in the Seattle area in 2002. It said it now sees thousands of transactions a month using the payment method. Once people have enrolled in the Pay By Touch system, they have their fingerprint scanned as verification of identity at the checkout. They then choose which credit card they want to pay the bill with, having already registered the credit cards with the store. Thriftway President Paul Kapioski said rather than shying away from the technology because of concerns about protecting their privacy, customer demand ensured that the biometric payment system made it past the pilot stage. ... http://news.com.com/2100-1029-5559074.html
Spiegel Online has an article about the impact of GPS systems on Lighthouses. They claim that the popularity of the satellite-based global positioning system has led to the closure of lighthouses along the German coast. Critics question whether the new system is reliable and safe enough to warrant the closure of these historical beacons of safety. http://service.spiegel.de/cache/international/0,1518,340729,00.html
J.K. Rowling, author of the mega-popular Harry Potter series, is warning fans to beware of Internet "phishing" scams claiming to sell electronic copies of her latest book, "Harry Potter and the Half-Blood Prince." "The only genuine copies of Harry Potter remain the authorized traditional book or audio tapes/CDs distributed through my publishers," says Rowling, and her copyright lawyer, Neil Blair, notes that Rowling has never granted licenses for electronic versions of her books. "Please, please protect yourselves, your computers and your credit cards and do not fall for these scams," says Rowling. Police say they suspect organized crime gangs in Eastern Europe are behind the fraudulent e-mail offers. [Reuters/*The Washington Post*, 2 Feb 2005; NewsScan Daily, 2 Feb 2005] http://www.washingtonpost.com/wp-dyn/articles/A56379-2005Feb2.html
The most malicious forms of spyware, system monitors and Trojans, increased in the last three months of 2004, according to the quarterly SpyAudit report, the nation's next-generation Internet Service Provider, and Webroot Software, a producer of award-winning privacy, protection and performance software. The report also documents the complete SpyAudit results for 2004, which tracked the growth of spyware on consumer PCs since the report's inception on January 1, 2004. It shows the instances of system monitors rose 230 percent, while the instances of Trojans rose 114 percent from October 2004 to December 2004. Trojans, keystroke loggers and system monitors are capable of capturing keystrokes, online screenshots, and personally identifiable information like your social security number, bank account numbers, logins and passwords, or credit card numbers. The number of SpyAudit scans performed during the fourth quarter also rose with an increase of 72 percent from October 2004 through December 2004. In total for 2004, more than 4.6 million scans were performed, discovering approximately 116.5 million instances of spyware, adware or potentially unwanted software. An average of 25 traces were found per SpyAudit scan for 2004. The complete report is available at http://www.earthlink.net/spyaudit/press . ... PR Newswire, 2 Feb 2005 http://finance.lycos.com/home/news/story.asp?story=46604321
Tired of being blocked by "blacklists," spammers are turning to a new technique — routing it directly through the computers of their Internet service providers, rather than sending it from individual machines. The result poses a dilemma: to block spam coming directly from an ISP's servers would mean blocking all its mail, crippling the system. "From what we've seen, the volumes of this type of spam are going up dramatically," says Steve Linford, who heads up the Spamhaus Project. "We're really looking at a bleak thing" if ISPs don't quickly deploy countermeasures, he adds. Such measures could include more aggressive monitoring and limiting how much mail is being sent from individual machines on their networks. In addition, ISPs should beef up efforts to authenticate mail they pass on through their own computers, says Linford. A study released yesterday estimates that deleting spam costs nearly $22 billion per year in lost productivity, based on a survey of 1,000 adults who said they spend about three minutes per day trashing spam when they check their e-mail. (*The Washington Post*, 4 Feb 2005; NewsScan Daily, 4 Feb 2005) http://www.washingtonpost.com/wp-dyn/articles/A61901-2005Feb3.html
To make a fairly long detective story very short, I have discovered that amazon.com uses not only your e-mail address, but also your password, to uniquely identify your account. It is perfectly possible to have two completely different accounts under the same e-mail address, distinguished only by the password. Huh? My guess is that Amazon does this to make it possible for people who share a single e-mail account to have different accounts at Amazon. But it's not documented anywhere, and can lead to great confusion for those who forget that they have an account, create a new one, and later use the original one's password. And I wonder what happens when you click on the "Forgot your password?" link. Do they reset the passwords on all accounts? When I have a bit more time, I might set up some accounts on a dummy e-mail address to answer to latter question. — Geoff Kuenning firstname.lastname@example.org http://www.cs.hmc.edu/~geoff/
The UK Government has decided to make the Land Registry available online. For those who don't know, this says who owns a property, what the property is (i.e., the boundary), who has charges on the property, similarly whether covenants apply, and so forth. I suppose this risk isn't new, since this information was available offline, but ... one of the people with a charge on your house is your mortgage lender. This is clearly stated in the Land Registry document. What an excellent resource for phishing and other fraud - both via e-mail and more personal contact. The relevant Land Registry data is available to all comers for 2 pounds. No restrictions. And now, much easier to get. http://www.apache-ssl.org/ben.html http://www.thebunker.net/
Elias Levy (Symantec) noted a cute illustration of the weakest link in a would-be security system: http://www.syslog.com/~jwilson/pics-i-like/kurios119.jpg
The University of Calgary is back at it again. http://www.cbc.ca/story/canada/national/2005/02/05/email-course050205.html http://pages.cpsc.ucalgary.ca/~aycock/ email@example.com, firstname.lastname@example.org (Interesting that his homepage is entitled "Unfettered by Content." He certainly seems to be unfettered by logic.) This time they are adding spam and spyware to the curriculum. I can vaguely see a dim advantage to having students write viruses in order to understand them (rather inefficiently, in terms of time spent), but getting them to write a spamming program in order to understand how to fight spam seems even less effective. As previously noted, John Aycock doesn't seem to have any credentials in security or malware (no papers published prior to the virus course, nobody in the field seems to know him), so why he, and the university, chose to do this, other than pure self-promotion, is completely beyond me. I am somewhat relieved by the fact that the paper submitted to EICAR shows that a modicum of thought was given to the security of the laboratory. The irrelevance of the measures undertaken is no great surprise. The bibliography is interesting: Lugwig's second edition is there, along with Mitnick's "19 chapters of gotcha," but on the AV side Cohen's 1994 edition stands alone with Skoudis' rather pathetic work. I would have thought that anyone with even a pretence of academic intentions would have consulted Ferbrache, and possibly Nazario's pompous but flawed attempt at worm analysis. Given Aycock's involvement in a rather banal crypto lab, I'm a bit surprised that he hasn't tried to create Young and Yung's proposed crypto-nasties. email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
I'm late reading and others have probably pointed this out, but Chris Leeson misstates the purpose of the RFID chip in car keys. These are "immobilizer" systems, designed to keep the car from starting, even with a physical key present, unless the RFID tag responds correctly to a crypto challenge. The full paper, by Steve Bono, Matthew Green, Adam Stubblefield, and Avi Rubin of Johns Hopkins and Ari Juels and Michael Szydlo of RSA, is available at http://rfid-analysis.org <http://rfid-analysis.org/> . Steve Wildstrom, BusinessWeek 1200 G St NW Suite 1100, Washington, DC 20005 www.businessweek.com/technology/ [Also noted by Alexandre Peshansky. PGN]
> a non-printable PDF file ehhh... non-printable? Hit "print screen"... If you want it to look nicer, OCR the screendump. Even the press should be able to figure this one out. Obviously the Govt. agency responsible for the mess hasn't, which could explain why it is such a mess... [Dag-Erling Smørgrav says use GNU Ghostscript. PGN]
There's a small fact error in this piece: Mozilla Thunderbird is an e-mail client. Mozilla Firebird (and Camino (for the Mac)) are the browsers.
In RISKS-23.68 I wrote about security problems with changing my address online through Bank of New York, and in 23.69 Robert Ellis Smith (justifiably) criticized my original action, saying "We gotta resist, this so that organizations are sensitized to the risks of using SSNs." After feeling suitably red-faced about my error, I pondered his point. How much can and should we, as the cognoscenti, do in our every day lives to fight silly security? I know full well that most of the airport security is useless (Schneier and others have done a great job pointing this out), but I don't have the luxury of fighting it every time I make a trip. While I might object to showing an ID, unlike John Perry Barlow, I need to earn a living. I don't have the financial or time option of fighting a court case because I think the rule is wrong. I don't even have the time to argue with the underpaid TSA person about the rules, which say you don't have to take off your shoes (but woe be unto you if you refuse). This was recently driven home to me as I helped my daughter with college applications, which routinely ask for SSNs. We compromised that when the form is asking about financial information, we'd provide the SSN, since they're asking for copies of tax returns which have the SSN anyway, but we wouldn't put the SSN on the general application for admission. Is this the right tradeoff? If she weren't asking for financial aid, I'd probably refuse to provide the SSN at all. What are some *practical* measures that we can and should be doing as computer security professionals to help further understanding? I agree with Robert Ellis Smith that I shouldn't provide the information I did to change an address, but I need to get the procedure done, and not spend a week arguing that they shouldn't need my SSN to do a change of address. I suggest that we'd be more effective if we all tried to do *something*, rather than despairing about our inability to accomplish all the changes we'd like to see. Smith's web page has a good list (http://www.privacyjournal.net/bio.htm); how many of us have the time & energy to do more than a handful of them? He hits the nail on the head when he says ``Choose your battles. Not every collection of personal information or every intrusion is worth expending your energy. Decide which information is most sensitive to you and which moments in your life are most important to protect.'' Where can and should working security professionals draw the line?
BKMSWSIT.RVW 20041106 "Managing Security with Snort and IDS Tools", Kerry Cox/Christopher Gerg, 2004, 0-596-00661-6, U$39.95/C$57.95 %A Kerry Cox %A Christopher Gerg %C 103 Morris Street, Suite A, Sebastopol, CA 95472 %D 2004 %G 0-596-00661-6 %I O'Reilly & Associates, Inc. %O U$39.95/C$57.95 800-998-9938 fax: 707-829-0104 firstname.lastname@example.org %O http://www.amazon.com/exec/obidos/ASIN/0596006616/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0596006616/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0596006616/robsladesin03-20 %O tl a rl 2 tc 3 ta 3 tv 2 wq 2 %P 269 p. %T "Managing Security with Snort and IDS Tools" Chapter one explains what Snort, and network intrusion detection, is. The basics of network traffic sniffing and analysis, and the operation of tcpdump and ethereal, are described in chapter two. Installation, options, and the basic operation of Snort are outlined in chapter three. Chapter four details the different types of blackhat and intruder activity in terms of network intrusion. Chapter five details the configuration file and choices. How, and where, to use and set up Snort is the topic of chapter six. Snort rules are explained in chapter seven, which also outlines the system for creating them. Snort can also be used for intrusion prevention, as chapter eight points out. Tuning sensitivity, and establishing thresholds and clipping levels, is discussed in chapter nine. Chapter ten reviews the use of ACID (Analysis Console for Intrusion Detection) as a management console. An alternative program is SnortCenter, described in chapter eleven, and more options are listed in twelve. Chapter thirteen notes possibilities for the use of Snort in high bandwidth situations. For those interested in the standard intrusion detection program, here is a set of useful explanations for its use and operation. copyright Robert M. Slade, 2004 BKMSWSIT.RVW 20041106 email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
The 29th Annual International Computer Software and Applications Conference COMPSAC 2005 Edinburgh, Scotland, July 25-28, 2005 http://aquila.nvc.cs.vt.edu/compsac2005 The major theme will be HIGH ASSURANCE SOFTWARE SYSTEMS. Please note that the deadlines for submission of both regular and workshop papers to COMPSAC 2005 have recently been extended. The EXTENDED deadline for paper submission is only three weeks away: ** Extended deadline for conference papers: Feb 28, 2005 ** ** Extended deadline for workshop papers: Feb 28, 2005 ** Deadline for fast abstracts (unchanged): Mar 21, 2005 E-mail enquiries -Program Co-Chairs: firstname.lastname@example.org email@example.com firstname.lastname@example.org -Workshop Chair: email@example.com -Fast Abstract Co-Chairs: firstname.lastname@example.org email@example.com -Steering Committee Chair: firstname.lastname@example.org Y T Yu, Publicity Chair, COMPSAC 2005 Department of Computer Science, City University of Hong Kong email@example.com http://www.cs.cityu.edu.hk/~ytyu COMPSAC is a major international forum for researchers, practitioners, managers, and policy makers interested in computer software and applications. It was first held in Chicago in 1977, and since then it has been one of the major forums for academia, industry, and government to discuss the state of art, new advances, and future trends in software technologies and practices. The technical program includes keynote addresses, research papers, industrial case studies, panel discussions and fast abstracts. It also includes a number of workshops on emerging important topics. For more detailed and updated information, please refer to http://aquila.nvc.cs.vt.edu/compsac2005 For further information, please contact: Stephen S. Yau, Arizona State University, USA E-mail: firstname.lastname@example.org
Please report problems with the web pages to the maintainer