Mark Johnson contributed this item from the Colorado Rockies' website:
http://colorado.rockies.mlb.com/content/printer_friendly/col/y2007/m10/d22/c2276226.jsp

Sales of World Series tickets in Denver had to be suspended after "too much activity" on the servers. Fewer than 500 tickets were sold out of over 50,000. The current plan is to fix the online system and try again.

Mark also added: Even more interesting is a *Denver Post* opinion piece that indicates over 200 clients lost the ability to sell tickets due to this server failure. Nothing like putting all your eggs into one basket.

Joe Loughry added this gem from *The Denver Post*:
http://www.denverpost.com/ci_7248448

But some people found glitches, such as being told to "enable cookies" and to set their computer security to the "lowest level." And some fans couldn't log in at all. Alves explained that those who saw a "page cannot be displayed" message had "IP addresses that we blocked due to suspicious/malicious activity to our website during the last 24 to 48 hours. As an example, if several inquiries came from a single IP address they were blocked."

With baseball's so-called World Series between the Rockies and the Red Sox about to start on 24 Oct, this item seems timely. Maybe simultaneous overly large orders from scalpers brought down the server? All games will be broadcast on Fox, but will there be anyone in the stands?

With Rocks in their Socks,
And their Jocks on Fox,
The Rox in the Box
May get some Knocks
Off the Sox --
If they can DeTox,
Fix the Tix-Nix Mix-up,
and get in some Lix.
Rox or Sox in six? Seven is heaven. PGN
http://www.mg.co.za/articlePage.aspx?articleid=322117&area=/breaking_news/breaking_news__national/

The story speaks for itself. After the operators cleared a jam in a Swiss/German Oerlikon 35mm Mark V anti-aircraft twin-barreled gun during a live-firing military exercise [at the South African National Defence Force Lohatlha training grounds], the gun turned to the left and fired a rapid burst of cannon shells directly at adjacent guns in the line, killing 9 soldiers and injuring 14. At the time, the gun was supposedly on 'manual', locked on to a target 1.5 to 2km away. On 'manual', it should not have turned at all.

http://www.itweb.co.za/sections/business/2007/0710161034.asp?S=IT%20in%20Defence&A=DFN&O=FPTOP

According to "Defence pundit Helmoed-Roemer Heitman told the Weekend Argus that if 'the cause lay in computer error, the reason for the tragedy might never be found.'" If 'computer error' equates to bug, then I can only assume the software must be horrendously complex and opaque to be so resistant to analysis ... which it probably is if it combines target acquisition/identification, range finding, gun control, oh and safety.

The South African Department of Defence is under pressure to conduct an inquiry.
http://www.mg.co.za/articlePage.aspx?articleid=321877&area=/breaking_news/breaking_news__national/

Don't the procurers of such automated weaponry specify mechanical safety interlocks capable of physically preventing the turret from turning beyond set azimuth (and perhaps elevation) limits?

[Other reports on this noted by Ilya Gulko, Martin Ward, and Kurtis Lanovaz. PGN]
A Russian spacecraft came down a minute early, on a steeper-than-planned descent, and landed 210 miles off from its designated site, due to a "computer glitch." And nobody got hurt. Said Alexei Krasnov, head of the Russian space agency's manned space programs, "It's difficult to immediately name a specific reason behind the problem. We need to do an in-depth analysis." (AP 21 Oct 2007) http://www.abcnews.go.com/Technology/wireStory?id=3756743
AVweb has a good article on the recent loss of control and crash of a UAV (Unmanned Aerial Vehicle).
http://www.avweb.com/avwebflash/news/NTSB_CustomsBorderPatrol_UAVcrash_196405-1.html

The full article is an even better read. See the full NTSB report:
http://www.ntsb.gov/ntsb/brief2.asp?ev_id=20060509X00531&ntsbno=CHI06MA121&akey=1

There are numerous automation and user faults that RISKS readers will find familiar. I think what is poignant here is that although these vehicles have a fairly long history of use within the military, these aircraft are now being integrated into the civilian airspace. They are also flying along international borders and potentially in international airspace. Especially troubling for me is this quote:

"...Because of national security issues and past experience with similar UASs, the FAA temporarily waived this requirement for the issuance of the Certificate of Waiver or Authorization (COA) to operate in the National Airspace System (NAS)..."

Ian Staines, Delta, BC, CANADA, istaines@shaw.ca
The railroad now says that the problem was caused by a software update in late September, rather than an error undiscovered since 2001. They have reverted to the previous version of the software and are revising their testing procedures. http://www.newsday.com/news/local/wire/newyork/ny-bc-ny--lirrdoublebilling1011oct11,0,3782883.story
Anybody want to bet that the problematic limit was precisely 32,767? :)

This glitch actually hit me personally - I had a LIRR ticket double-billed. I didn't bother with LIRR customer service, since I had no evidence to convince a commuter railroad that I didn't ride it two days in succession. I was waiting for the credit card statement to cycle so I could dispute it at that level, but fortunately the merchant (the railroad) discovered its error and credited the account. 'Twas strange, after reading RISKS for years, to find myself actually caught in one!

[R.G. Newbury and Scott Nicol also suggested this likely explanation. Scott: "Could this have been a 16-bit signed int rollover bug?" PGN]
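The 32,767 guess above is speculation, and the digest says nothing about how the LIRR billing code is written. As an added illustration (not code from the railroad or from any contributor), the following C shows what a 16-bit signed counter does when it is stepped past INT16_MAX, and the checked increment a defensive programmer would write instead. The counter names and step counts are assumptions made for the example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative only: the behaviour of a 16-bit signed counter at its
 * limit. This is an added example, not code from the LIRR system. */

/* Step a 16-bit signed counter by one with the wrap that a two's-complement
 * machine produces. The addition is done in unsigned arithmetic so the wrap
 * itself is well defined; converting the result back to int16_t is what
 * turns 32768 into -32768. */
int16_t wrap_increment(int16_t counter)
{
    return (int16_t)((uint16_t)counter + 1u);
}

/* Checked increment: refuse to step past INT16_MAX instead of wrapping.
 * Returns 0 on success and -1 if the increment would overflow, leaving
 * the counter unchanged. */
int checked_increment(int16_t *counter)
{
    if (*counter == INT16_MAX)
        return -1;
    (*counter)++;
    return 0;
}

/* Walk an unchecked counter from `start` and report the step at which it
 * first goes negative, or -1 if that does not happen within max_steps.
 * A billing system that keys records off such a counter would start
 * misbehaving at exactly that step. */
long first_negative_step(int16_t start, long max_steps)
{
    int16_t c = start;
    for (long i = 1; i <= max_steps; i++) {
        c = wrap_increment(c);
        if (c < 0)
            return i;
    }
    return -1;
}

int main(void)
{
    int16_t c = 32766;
    printf("wrap: %d -> %d -> %d\n", c, wrap_increment(c),
           wrap_increment(wrap_increment(c)));

    int16_t safe = INT16_MAX;
    int rc = checked_increment(&safe);
    printf("checked increment at INT16_MAX returned %d, counter still %d\n",
           rc, safe);

    printf("counter starting at 32760 goes negative at step %ld\n",
           first_negative_step(32760, 100));
    return 0;
}
```

The point of the checked version is that the failure becomes an explicit error at the call site rather than a silently negative (or re-used) value propagating into downstream records.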
For what it's worth: in the meantime some minor inconsistencies (spelling errors, very broad error messages that include instructions on how their cards are numbered) have been detected on their website.

Also, and of more interest, is the way their privacy policy is set up: they point for part of the transaction process to another company (owned by 5 large Dutch public transport organizations), who in return point back at them. Bottom line: they can (and will) identify you, even if you are using an anonymous card, through the bank transaction that is needed to buy the (anonymous) card...

Noothoven van Goorstraat 14, 2806 RA, GOUDA http://leon.kuunders.info W: +31 641 164 995 P: +31 620 624 702
Recently here in the Denver area, a very cute e-mail has been making the rounds. The story goes:

-----Original Message-----
Scott rescued 6 black lab (mix) puppies out of the middle of the road on Saturday. PLEASE help me find them homes - otherwise, it's Animal Control - which means they only have 5 days. We've bathed them, sprayed them for fleas and wormed them....but we can't keep them. They are currently in a kennel in my basement since I don't have a fence. I've lost count of the number of rescue groups that I've contacted, only to be turned down due to no room. Please check with every dog person you know to see if they need a puppy.
Regards, Tim Aumack

If you know someone looking for a pet, please contact:
Bryan Pratt, CPA, Manager - Corporate Tax, Bill Barrett Corporation
.... 18th Street, Suite 2300, Denver, CO 80202
PH: 303-293-.... FAX: 303-291-.... DIR: 303-312-....
bpratt@<domainname deleted>
-----End Message-----

And of course there was an appropriately cute picture attached of six black lab mix puppies (omitted here).

I first saw this e-mail early last week as it made the rounds at my girlfriend's place of work. A day or so later I heard from several other friends and they forwarded it along as well. Now this week it appears to still be circulating as it made it to my work as well. It does appear that this is (or was originally) a legit e-mail and the photo attached was just that, but the RISKS here are several:

1) Who needs a bot army to send spam/viruses when you can get people to willingly forward things along for you?
2) If you attach a picture with something as cute as puppies looking for a home, everybody is going to open it.
3) Since this appears to have started as a local phenomenon and has slipped by every anti-spam and anti-virus engine, the potential for malice is high.
4) Before speculating on the legitimacy of something in a public forum, research, research, research!
A search of the interwebs revealed this e-mail to be a nationwide phenomenon. Despite the fact this e-mail is indeed a hoax, it doesn't detract from the validity of the first three RISKS. It will be interesting to see if this e-mail makes it out of the Denver/Boulder area to other parts of the country or if we see someone on the dark side take this localized phenomenon and twist it to work for the dark side.

chris williams, manager of information technology, jabber, inc. 1-303.308.3292

[Address, phone numbers & e-mail address in the original e-mail suppressed. -c]
2008 IEEE Symposium on Security and Privacy
The Claremont Resort, Berkeley/Oakland, California, USA, May 18-22, 2008

PAPER SUBMISSION DEADLINE: Friday, 9 Nov 2007 23:59:00 EST (GMT-5) (No extensions!)

For more information on the symposium, please visit:
http://www.ieee-security.org/TC/SP2008/oakland08.html
BKEXONGA.RVW 20070913

"Exploiting Online Games", Greg Hoglund/Gary McGraw, 2008, 0-13-227191-5, U$44.99/C$55.99
%A Greg Hoglund www.rootkit.com
%A Gary McGraw www.exploitingonlinegames.com gem@cigital.com
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2008
%G 978-0-13-227191-2 0-13-227191-5
%I Addison-Wesley Publishing Co.
%O U$44.99/C$55.99 416-447-5101 fax: 416-443-0948 bkexpress@aw.com
%O http://www.amazon.com/exec/obidos/ASIN/0132271915/robsladesinterne
%O http://www.amazon.co.uk/exec/obidos/ASIN/0132271915/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0132271915/robsladesin03-20
%O Audience i+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 340 p.
%T "Exploiting Online Games: Cheating Massively Distributed Systems"

Shall We Play A Game? or Being a Review of "Exploiting Online Games" With Much Editorializing and Extensive Digressions

Fair warning, then: this review is going to be a bit different.

Why games? Isn't this topic a bit trivial? After all, Hoglund and McGraw are among the very select few who have been able to use the "hack to protect" style of work. By examining vulnerabilities they have created books like "Software Security" (cf. BKSWSBSI.RVW) that have contributed useful guidance to those attempting to build more robust and reliable programs. Therefore, the foreword, preface, and first chapter all attempt to provide reasons why such a book is needed. First off, there is a very large virtual economy that interpenetrates with the [real|cash] one. Since gamers have started selling abilities, "game gold," and even characters, game objects now have cash values in the real world. As with anything that has an exchangeable value, the criminal world has taken an interest. Trade in game objects now comprises a large fraction of online frauds, identity theft, and money laundering.
(The trojan posted at the Dolphin Stadium Website, and others, around SuperBowl time had a subordinate payload looking specifically for "World of Warcraft" accounts.)

Everything that relates to software insecurity (and security) in the online gaming environment applies (though possibly not equally) to security in other systems. Therefore, a book noting the security vulnerabilities of game systems provides an introduction to system security in general, and application security in particular. It helps that the gaming topic is of intrinsic interest to a number of people, and therefore may spark interest in information security.

(Interestingly, no argument is made in the book that the existence of vulnerabilities in the game system itself, and particularly on the client side, may open the gamer to various forms of attack [and not just by axe-swinging berserkers]. Loopholes in the client software could lead to openings for intrusions, means of gaining information about the user or system, or entry points for malware. We have seen numerous instances of problems associated with widely used client software packages, such as those for instant messaging and peer-to-peer file sharing.)

Chapter two contains a discussion of various ways of manipulating games. Most of these are at a conceptual level, although some are extremely detailed, including macro and C code. The material also addresses some countermeasures to the cheats, and a few ways to defeat the safeguards, as well.

Instances and examinations of the virtual economies that have sprung up around online games are presented in chapter three. Given the earlier stress on the importance of the point (as a rationale for the book itself), the content is disappointingly thin in this separate chapter.

American copyright and related laws (particularly the Digital Millennium Copyright Act) and End-User Licence Agreements are the substance of chapter four.
Chapter five notes a number of bugs, primarily those involving interactions of complex functions and states of games.

Tools and techniques for examining and manipulating client software are described in chapter six. There is a lot of C code, and, although the programming is extensive it can't be exhaustive, since the chapter basically covers a topic to which whole books are devoted. (Most of the suggestions are directed at attacking the server, and, again, there are few mentions of the risks of vulnerabilities in the client.)

Chapter seven provides C code for programming robots to cheat at the game for you. The chapter seems oddly placed, since eight returns to the topic of reverse engineering of software, and lists more tools. (There is also a rather comprehensive guide to basic functions in assembly code.)

Advanced game hacking, in chapter nine, deals mostly with the modification of clients or the creation of alternate game servers.

Chapter ten starts off with the statement that the primary goal (of the book) is to "understand the security implication of massively distributed software systems that have millions of users." That's a worthy goal, and one that is indicated by the subtitle. Therefore, it is strange to note that not only is this intent omitted from the rationale given at the beginning, but also that the topic really isn't addressed in the text. There are so many notions that could be explored under that subject, such as the social engineering aspects of working with large groups, the emergent properties that might arise from simple functions operating in large numbers of nodes, the massive power of distributed systems, or even the relation to the botnets that are currently such a concern. None of these ideas are explored in the book or in chapter ten itself, which is simply a fairly brief review of some decent but basic software security guidelines.

The book is, therefore, a partial success.
The introduction to the fundamentals of software security via the gaming medium is a potentially useful and valuable device. The work does tend to concentrate more on the game aspects, and less on the generic principles, but that emphasis is not necessarily a flaw. The precepts are sound, and those who do become interested in security will be able to apply them, and move on to more advanced areas.

copyright Robert M. Slade, 2007 BKEXONGA.RVW 20070913
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm