On 22 Jun 2005 at 5.08pm, a power short occurred between Amsted (Canton Uri) and Rotkreuz (Canton Zug, which in German means "train") on the Swiss train line. The SBB (Schweizerischen Bundesbahnen) operated their own power lines, and this short circuit caused a sharp drop in voltage, which quickly spread throughout the ENTIRE country of Switzerland. Trains were stalled in the middle of nowhere, with no air conditioning in the heat of the summer. Some train doors could not be opened. More than 200,000 passengers were affected. It took about two hours to get everyone out of the trains. SBB used busses to transport stranded passengers and diesel locomotives to drag trains to the nearest station. It took two more hours before enough power was restored in order for the trains to begin moving. But the efficient Swiss worked all night moving trains so that everything moved rather smoothly the next day. There were allegedly no computers involved, but the single point of failure was a vivid illustration of many RISKS concepts, not the least of which is: don't throw out those diesel locomotives yet! Debora Weber-Wulff, FHTW Berlin, FB 4, Intern.Medieninf. Treskowallee 8, 10313 Berlin +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/
[...] My concern --and arguably the risk-- is the impact of such an incident on passenger trains in the new Gotthard "base"-tunnel which will open in 2011. This will be 57 Km (35 miles) long and run at depths up to 2000 meters (7000 feet) which means that the tunnel temperature will exceed 45 C. (113 F). If a train is stopped in the tunnel a very rapid response would be required to avoid a catastrophe.
In our previous installments (RISKS-23.53 and 23.60), we heard about problems with the new German combined unemployment and social fee scheme. Because of so much public unrest about the scheme, the parliament decided to pass new rules permitting people to earn a little bit more money each month before the entitlement is cut off. Just a small program change, one would think, and with time until 1 Oct 2005 it should be no problem. The *Berliner Zeitung* reported on 25 Jun that the program change will not be finished until early 2006. The new rules are too complicated for the software authors, T-Systems, it seems: * Everyone can earn 100 Euros a month additionally without penalty. * If you earn up to 800 Euros you can keep 20%. * If you earn more, you get to keep 10% of what you earn above that, until your earnings reach the point where you no longer get the social fee. About 700.000 people are affected, the administrative workers will have to do the calculations by hand until the software is finished - meaning they have no time to advise people on strategies for finding work. Maybe I am being naive, but how difficult is it to set up a new table "Earnings" with (Pnr, date, earnings) and fixing the method "calculate_entitlement" to consult this table. There needs to be a screen for entering in the data and recording who entered it in when. This takes a large company > 6 months to fix? http://www.berlinonline.de/berliner-zeitung/politik/460429.html
The new trains whilst widely advertised as 'Heathrow Connect' (in the local press, on the HC website, etc.) have now stopped connecting to Heathrow altogether!! Passengers are now being advised to detrain at Hayes & Harlington - the local stop before - and catch a 140 bus to the Airport. This only costs an additional 1.20 (pounds) rather than the 6 (pounds) - but entails negotiating a steep flight of steps - not easy with heavy luggage and no station staff to help. The reason for this curtailment is a signal fault - apparently when the trains reach Heathrow the signalling system there wont change aspect to let them back out again!! Also the Heathrow Connect trains use the two local slow tracks in order to stop at local stations. The other two tracks (there are four in total) are for high-speed Intercity services. In order to swing off the local tracks into/out of the Airport Branch the Connect Trains have to cross over the Intercity tracks. This means stopping all other trains to allow them to do so. This is playing havoc with the timekeeping for all of the other services using this very busy route. The Risks: * Didn't the planners realise the operational (and safety) problems of local trains crossing Intercity tracks every 30 minutes and thereby holding up high speed (100 mph) trains? * For a multi-million pound prestige project shouldn't there have been something called 'UAT' (user acceptance testing)? * Actually shouldn't there have been something called 'testing' prior to launching such a high profile service? * The other problem is the young staff checking tickets whilst ensuring that bona-fide passengers have paid, are starting to get bullied by the local feral youths who on the late evening trains are damned if they are going to pay whatever. * Meanwhile the many computerised on-board inane announcements are beginning to grate for regular passengers and are still frequently wrong - and they can't even be changed to omit 'Heathrow' from the current list of destinations.
Joint Commission Resources, a unit of the Joint Commission on Accreditation of Healthcare Organizations that enforces quality standards for hospitals found a flaw in software that it had sold to more than 1,000 hospitals that helps qualify for accreditation and payments from Medicare. The problem was a missing identification marker that alerts a hospital to the 250 standards among the 1,300 that the commission and its auditors regard as essential. [Source: Milt Freudenheim, *The New York Times*, 24 Jun 2005; PGN-ed] http://www.nytimes.com/2005/06/24/technology/24glitch.html?ex=1277265600&en=ad248571c0f51b3d&ei=5090
Staff and patients at San Francisco's UCSF Medical Center were left fearful and shaken last week, when a robotic nurse threw off its shackles and went on the rampage. http://www.theregister.co.uk/2005/06/15/psycho_robot/ Thomson Kuhn, American College of Physicians
As my dear laboring spouse was rolled into the O.R. to deliver twin boys last month, all of the machines in the room were happily humming along, including several displaying a far too familiar screensaver. Oone of the attending physicians ordered "a quick ultrasound" to ensure things were indeed as they should be. The nurse turned to one of the machines with little windows flitting about on the screen. Just as she moved the mouse to wake up the machine, the flitting stopped and the machine was no more. All fifteen people in the room, including the soon-to-be mommy of plummeting patience, then waited for the nurse to power-cycle the machine and await its resurrection. While this turned out not to be a life and death situation, it very well could have been, especially with a multiple birth. In addition to checking the background of physicians, do we now have to check what software they're running??? PS: the twins Bennet and Bryan, while premature, are gonna be ok over time. Charles C. Palmer, IBM Research
*The New Zealand Herald* 20 Jun 2005 had this explanation for the telecommunications failure noted in RISKS-23.91: A fibre "ring" exists between Auckland and Wellington running up the east and west sides of the North Island. In theory at least if one cable fails the other can continue at reduced capacity. Apparently in this case they lost both cables - one to a contractor digging and the other possibly to a rodent. http://www.nzherald.co.nz/index.cfm?c_id=1&ObjectID=10331826
Greetings. It only took around a week for the exploit to evolve from unwieldy but powerful hack, to user-friendly production program, but the "signed-code" security system of the Sony PSP Portable running 1.5 firmware, designed to prevent the execution of pirated or other "unofficial" (e.g. homebrew) code, appears to have been obliterated. I note in: "The Camel Fully Enters the Tent?": ( http://www.eepi.org/archives/eepi-discuss/msg00109.html ) that only about seven days after the release on the Internet of an exploit permitting running of unsigned code via an "impractical for routine use" memory-stick swapping technique, rumors were already circulating that a program eliminating the stick swap was about to be released. This appeared on schedule this morning, meaning that for all practical purposes the widely available U.S. version of the Sony PSP with 1.5 firmware is now as fully exploitable as the original limited-quantity Japanese-market 1.0 firmware units. As mentioned in the referenced link above, Sony will attempt to minimize the damage from these events. But any path they choose is strewn with potential pitfalls. Newer firmware versions in shipped units may prove to be more difficult or impossible to hack through non-hardware-invasive techniques. But forcing firmware upgrades with new game releases may have the effect of actually suppressing purchases of legitimate copies of games, and encourage the use of pirated copies that won't trigger the firmware updates and the likely loss of the ability to run unofficial, homebrew programs. In an ever more pervasively Internet-connected world, it appears increasingly likely that any error -- any opening -- in the implementation of a security system for a "desirable target" will be quickly exploited and that exploit widely distributed -- and probably much more rapidly than the designers of the system would imagine in their worst nightmares. This is a security vulnerability "sea change" that we really haven't come to grips with either as technologists or as businesses, and it goes far beyond the running of programs on a portable gaming device. There's a key question that we need to explore. Given this new environment, to what extent do "closed" systems still make sense? The answers will vary between applications and situations, but it clearly is foolhardy in the extreme to simply assume that security paradigms, even those based on the most advanced encryption and signature models, will long remain invulnerable to successful attacks. These penetrations will range from those initiated by persons who are simply intellectually curious without evil or financial motivations, to individuals who may have very dark intentions indeed. Something to think about. Lauren Weinstein, +1 (818) 225-2800 http://www.pfir.org/lauren Co-Founder, PFIR People For Internet Responsibility http://www.pfir.org Co-Founder, EEPI Electronic Entertainment Policy Initiative http://www.eepi.org Moderator, PRIVACY Forum - http://www.vortex.com Lauren's Blog: http://lauren.vortex.com DayThink: http://daythink.vortex.com
Well the state of Minnesota had better start renting rooms in the prisons of other states, since the Minnesota State Web site supports encryption. About the third URL I tried after accessing the web site showed a secure URL. https://www.officesupplyconnection.org/statemn/catalog.srv Unless they have set up these computers in a different state or country that allows the use of encryption! If that is the case, maybe the FBI would like to get involved since they would have crossed state lines to avoid prosecution.
[O UK ID? O U KID! Who U KIDding? PGN] -------- Original Message -------- Date: Tue, 28 Jun 2005 20:05:49 +0100 From: Ben Tudor <Ben_Tudor@vnu.co.uk> Subject: Oh dear - Don't worry about UK ID card insecurity - here's a totally 'hacker proof' system This press release makes an IT journo's job look rather like shooting fin tuna in a barrel. Using cluster bombs. There's so many holes in the argument presented in this press release that I almost don't know where to start. Now that I know a company has been working on 'hush-hush software', of course, all my concerns about national ID cards have simply sloughed away. Cheers, Ben Ben Tudor, Features Editor, Computer Reseller News firstname.lastname@example.org http://crn.vnunet.com Subject: Biometric ID Card breakthrough PRESS RELEASE, June 29th 2005 Further information: 02476 236644 Press Office: John Fisher - 01785 840978 M: 07808 171 664 John.email@example.com firstname.lastname@example.org http://www.senselect.com Biometric Innovation Breakthrough answers UK ID Card Security Fears A biometric identity card system that is hacker and thief-proof and puts the missing privacy and security into the UK ID project - has been unveiled today (Wednesday). The British inventors of the BiometricPIN system say the system can be used in the new UK ID cards, overcoming all security fears and objections and putting control on the use of biometrics in the hands of the user. Instead of using a single, easily lifted or stolen fingerprint, BiometricPIN will allow any sequence of finger prints determined by the user. No one has been able to achieve this so far and the implications will be global as spin-off projects emerge. The sequence creates a digital pattern that can only be recreated by the user. When it is stored on a Government or central database it simply becomes an unidentifiable "blob" that cannot be stolen. Behind the world-first breakthrough is West Midlands biometric company, Senselect Limited, which has been working on the hush-hush software-based system for five years. John Topping, Managing Director of Senselect, said BiometricPIN would have implications for everyday life across the world, but the company has concentrated so far on the ID card security problem and the "big brother" fears it instills in people. "This is totally secure, fast and "hacker-proof", said Mr Topping. "The sequence simply cannot be replicated by anyone other than by the user. It also allows the user to determine just how much information others can see about them. A doctor, for example, could be restricted to medical history whilst a bartender will only get confirmation that the customer is over 18." With BiometricPIN there will be no "big brother", said John Topping and identities stored on Government databases are safe from theft. With single finger biometrics everyone has a right to be scared because, while you can change a pin number if you are compromised, fingerprints are for life. Biometrics using single fingerprints as an identifier have been used for some years, and despite them being capable of being "lifted", their use has grown. Their use in government ID cards - even with the backup of iris and facial biometrics - is considered a step backwards by many. "With BiometricPIN there would be total security as the pattern decided on uniquely by the user cannot be lifted from a single finger reader or hacked from a database", said John Topping. "BiometricPIN produces a unique biometric print that just cannot be copied. It also needs live fingers." Mr Topping said BiometricPIN would solve a huge worldwide problem. Anyone concerned that their ID could be copied can rest assured that this will allay all their fears. Protecting peoples ID is already written into our law but with BiometricPIN it will be in the hands of the user. Senselect says BiometricPIN, because it is software-based, can be used in conjunction with all existing technology, along with iris and facial biometric systems. The company says it already has several European governments interested in implementing BiometricPIN and Senselect has produced a set of security standards for cross border biometric identification. This is now being considered by the European Union for adoption. Added John Topping: "We believe we have solved a huge problem for the world and are ready to share our knowledge. This is the biggest breakthrough in computer technology for many years and will have a huge impact on everyday commerce as further applications for BiometricPIN emerge". Senselect Limited, Coventry University Technology Park, The Innovation Centre Puma Way, Coventry, UK, CV1 2TT http://www.senselect.com For further information, please reply to email@example.com
Marion Davis, pbn, 22 Jun 2005 The CVS Corp. has cut off Web access to ExtraCare card holders' detailed purchase information after a consumer group showed reporters how easily an intruder could log into the system and find out, say, how many condoms or enema kits someone's bought. CVS has issued about 50 million of the loyalty cards, which allow the drugstore chain to track each customer's purchases and, in exchange, provide a 2-percent rebate on those purchases, along with customized coupons. To log into your account on CVS.com, all you need is the card number, your ZIP code, and the first three letters of your surname. Even now, anyone with that information can easily find out the card holder's home address, phone number, and total purchases each quarter. But until last week, the Web site also allowed customers to request a detailed purchase report to be e-mailed to them - to any address they put in. ... http://www.pbn.com/contentmgr/showdetails.php/id/115431
I take phishing scams a little more seriously than other spam, and often spend a few minutes directing complaints to the right places. A phishing e-mail this week used a link in a domain registered using Yahoo's domain registration. Pinging the domain name revealed an IP number that ARIN says is Yahoo's. So, I sent off a copy of the message with full headers etc. etc. to firstname.lastname@example.org. It was rejected by Yahoo's spam filter because, so the bounce said, it was a phishing e-mail. Well, duhhh! Undeterred, I send another message to email@example.com, explaining that I had received a phish that pointed to one of their machines and provided the URL of a page that imitates an on-line payment service. It got an auto-response that told me I needed to send the full message, including headers. Double-duhhh! No doubt Yahoo will be shocked, *shocked*! when a TV station or law enforcement agency reveals that Yahoo's Web hosting service is being employed to run scams, just as they were when a television station reported last week that their user-created chat rooms were being used to attempt to lure children into having sex with adults.
> I'm sorry, but the Internet is not your private playground. If you have a > spam problem, deal with it or buy your own intranet. Such "idealism" is > what lets people use the Internet to communicate. <freedom argument > continues> This is so deeply wrong that I feel I must rebut. Bandwidth-based DoS attacks are fundamentally impossible to stop. If an attacker can compromise even a trivial fraction of the Internet, and then command those nodes to all flood your site with traffic, then your site collapses under the load, and no legitimate traffic can reach you because your connection is full. There is nothing to be done except track down the attacking nodes and have them shut down until they are cleaned up. This is an extortion attack that is in widespread use now, particularly against sites that have time sensitivity, such as gambling sites that hope to take bets on some big game: pay up, or we DoS you into the ground during your critical period. Widely enforced Internet hygiene of some form would go a long way towards stopping this kind of attack. At some point in the future, this DoS attack is going to become so pervasive that there *will* be Internet hygiene rules imposed. Get used to it. Personally, I hope that it comes sooner than later. That would mean that it is at least an industry self-imposed practice, rather than a government requirement. Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix, a Novell Company http://immunix.com
Since many of the entries in RISKS have been on security breaches, I'd like to draw your attention to my weblog: http://www.emergentchaos.com I've been cataloging breaches, and the fairly extensive (albeit not complete) is at http://www.emergentchaos.com/archives/cat_breaches.html
BKSPAMUS.RVW 20050531 "Spies Among Us", Ira Winkler, 2005, 0-7645-8468-5, U$27.50/C$38.99/UK#16.99 %A Ira Winkler www.irawinkler.com %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2005 %G 0-7645-8468-5 %I John Wiley & Sons, Inc. %O U$27.50/C$38.99/UK#16.99 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0764584685/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0764584685/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0764584685/robsladesin03-20 %O Audience n+ Tech 1 Writing 3 (see revfaq.htm for explanation) %P 326 p. %T "Spies Among Us" In the introduction, Winkler admits that the title is slightly misleading: most surveillance is not done by international spies, but by common or garden thieves, competitors, and so forth. The point that he is trying to make is that non-terrorists can hurt you, although he raises the issue with illustrations that are not completely clear. Part one deals with espionage concepts. Chapter one reviews spying terminology, but makes points about the process by explaining the jargon and distinctions. Risk analysis is introduced in chapter two, but the calculations used may not be clear to all readers. An attempt to assess the value of information is made in chapter three. Chapter four outlines threats (entities that might harm you) and five covers vulnerabilities--the way your own operations can make you subject to attack. Part two describes some case studies of spying. The content is interesting, although the value is rather concentrated in the short "vulnerabilities exploited" section at the end of each chapter. I must say that I've read all manner of similar stories and case studies in various security books, and Winkler's are more interesting than most. Part three deals with protection. Chapter twelve lists a number of countermeasures. These are described in a level of detail that is appropriate for non-specialists (in security), although the content related to technical safety might be a bit thin. How to plan and implement an overall security program is outlined in chapter thirteen, which includes a very interesting section on how the Department of Homeland Security has taught us valuable lessons about how *not* to execute safeguards. While not structured in a formal manner that would make for easier reference, this book nonetheless has some excellent content. Like Schneier's "Beyond Fear" (cf. BKBYNDFR.RVW), it is easy enough, and engaging enough, for those outside of the security profession to read. Busy managers may find the work a bit wordy and disorganized, but it makes useful points, and has constructive suggestions. Home users and amateurs will find the style most suited to them, although the recommended controls are aimed at businesses. Security professionals will not (or should not) find anything new here, but may appreciate the "war stories" and explanations that can be employed in security awareness training. copyright Robert M. Slade, 2005 BKSPAMUS.RVW 20050531 firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer