The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 38

Friday 18 August 2006

Contents

RFID car keys and insurance
Joshua Levy
Anti-hijack software: what a great idea!
Nickee Sanders
Bit bucket swallows 17 million AU dollars
Rodney Polkinghorne
Sober Warnings About e-Voting Systems
Eric Sinrod via TechNews
The FBI's Upgrade That Wasn't
Eggen and Witte
Your Cable Company -- powered by the guy with the extension cord
Lauren Weinstein
UK bank details sold in Nigeria
Amos Shapir
Another auditor's laptop stolen
Neil Youngman
First conviction in UK for Wi-Fi hijack
Peter Mellor
Can't type? Your Dell laptop battery must be OK!
Dan Miller
Re: 3.1 million HSBC
Thor Lancelot Simon
Re: LA power outages
Scott Peterson
Re: Letter on cybersecurity from the president
Nick Simicich
REVIEW: "Risk Management Solutions ... Compliance, Quarterman
Rob Slade

RFID car keys and insurance

<Joshua Levy <levy@csl.sri.com>>
Mon, 14 Aug 2006 09:46:30 -0700

  [Source: Brad Stone, Pinch My Ride, *WiReD News*; PGN-ed]
http://www.wired.com/wired/archive/14.08/carkey_pr.html

To make a long story short, Emad Wassef had his Lincoln Navigator stolen
from a Target parking lot in Orange County, California.  He reported the
theft to police and his insurance company.  Two weeks later the SUV turned
up near the Mexican border, stripped.  His insurance company (Unitrin
Direct) claimed the transponder antitheft system is absolutely nonspoofable.
Brad Stone (the author of the article) himself had had a similar experience
two years before, which he had written up for *Newsweek* in 2004 and which
led to many letters reporting similar thefts.  Brad suggests various
possibilities.  Cloned key?  Masquerader requesting a duplicate for an
observed vehicle identification number?  He also discovered there is an
emergency override known to insiders, involving a particular nongeneric
sequence of mechanical actions.  The moral of this story is that if you
believe your transponder makes you more secure and less likely to get
stiffed by your insurance company, forget about it.


Anti-hijack software: what a great idea!

<Nickee Sanders <njsanders@ihug.co.nz>>
Fri, 18 Aug 2006 18:15:10 +1200

A joint European effort is working on software that would enable remote
control of an aircraft that could override any attempts by hijackers to
control the plane, and force a safe landing.  "The system would be designed
in such a way that even a computer hacker on board could not get round it."
If successful, it would resolve various debates such as those going on in
Germany about shooting down hijacked commercial airliners.  The project is
budgeted for 36m Euros.   [Source: Yahoo News, 22 Jul 2006; PGN-ed]
http://news.yahoo.com/news?tmpl=story&cid=1509&e=10&u=/afp/20060722/tc_afp/germanyeuunrest

If only it were April Fools' Day...
Nickee Sanders, Software Engineer, Auckland, New Zealand

  [Ah, perfect security at long last!  How reassuring to RISKS readers. PGN]


Bit bucket swallows 17 million AU dollars

<Rodney Polkinghorne <rodneyp@physics.uq.edu.au>>
Tue, 15 Aug 2006 14:49:28 +1000

Today's issue of *The Australian* has two stories about a new accounting
system that Australian Pharmaceutical Industries installed when it outgrew
Excel.  The one in the IT section [1] features the company's information
management leader congratulating himself on how quickly he got the new
system up and running.

The one in the business section [2] reports that the company's shares have
been suspended from trading because the new books don't balance, and no one
knows whether the company made 20 or 40 million Australian dollars last
year.

[1] "Finding the right modelling tool", The Australian, 15th August 2006,
  <http://australianit.news.com.au/articles/
  0,7204,20098218%5E24170%5E%5Enbv%5E24169,00.html>
[2] "API mystified by missing millions", The Australian, 15th August 2006,
  <http://www.theaustralian.news.com.au/story/0,20867,20129112-643,00.html>


"Sober Warnings About e-Voting Systems"

<TechNews <technews@HQ.ACM.ORG>>
Fri, 18 Aug 2006 16:29:02 -0400

[Source: Eric J. Sinrod, CNet (08/17/06) via ACM TechNews; 18 Aug 2006]
http://news.com.com/Sober+warnings+about+e-voting+systems/2010-1071_3-6106187.html

In its analysis of three of the most widely used electronic voting systems,
the Brennan Center for Justice at New York University found significant
security and reliability flaws in each of them that could compromise the
integrity of local, state, and national elections.  With sufficient
precautions at the state and local levels, the most serious vulnerabilities
can be addressed, but few jurisdictions have implemented the necessary
countermeasures to shore up their systems.  The study analyzed the Direct
Recording Electronic (DRE) system, which directly records a voter's choices
with a ballot that appears on the screen; DRE with Voter Verified Paper
Trail, which captures the vote both electronically and on paper; and
Precinct Optical Scan, which enables the voter to mark a ballot with a pen
and then carry it to a scanner.  It would be fairly easy for someone to
deploy software attack systems to alter vote counts or launch an attack on
the system with a wireless device.  New York and Minnesota are currently the
only two states that prohibit wireless components on all voting machines.
The Brennan Center report recommends automatic, routine audits that compare
electronic tallies with voter-verified paper records after every election.
The report also urges states to adopt wireless bans and randomly examine
machines on Election Day for viruses and worms.


The FBI's Upgrade That Wasn't

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 18 Aug 2006 11:28:18 PDT

[Source: Dan Eggen and Griff Witte, The FBI's Upgrade That Wasn't: $170
Million Bought an Unusable Computer System, *The Washington Post*, 18 Aug
2006, A01; PGN-ed]
http://www.washingtonpost.com/wp-dyn/content/article/2006/08/17/AR2006081701485_pf.html

It was late 2003, and a contractor, Science Applications International Corp.
(SAIC), had spent months writing 730,000 lines of computer code for the
Virtual Case File (VCF), a networked system for tracking criminal cases that
was designed to replace the bureau's antiquated paper files and, finally,
shove J. Edgar Hoover's FBI into the 21st century.  It appeared to work
beautifully. Until Azmi, now the FBI's technology chief, asked about the
error rate.  Software problem reports numbered in the hundreds, and were
multiplying as engineers continued to run tests. Scores of basic functions
had yet to be analyzed.  "A month before delivery, you don't have SPRs,"
Azmi said. "You're making things pretty. . . . You're changing colors."

  [This is more on an old story that was foreordained a long time ago.  PGN]


Your Cable Company -- powered by the guy with the extension cord

<Lauren Weinstein <lauren@vortex.com>>
Sat, 12 Aug 2006 03:47:03 -0700

Last night at around 2:15am (yup, everyone's just leaving the bars) my area
had a widespread power failure when someone wrapped themselves around a main
distribution line power pole (this is a Friday and Saturday night tradition
of course).  While LADWP started on it pretty quickly, power was not
restored for around seven hours.

That long an outage is enough to expose one of the serious weak points in
our telecom networks -- remotely situated batteries.  They don't last very
long without external charging power, and we already know that microcell
sites tend to go down quickly for this reason when power fails.

Early this morning when I started walking the area to see the effects, I
quickly found an unmarked white bucket truck with engine running, parked at
a nearby corner, with an orange extension cord running from its open hood to
the open cable backup power box on the nearby pole, containing what looked
like about three gel cells.

When I went over and talked to the friendly cable guy splicing wires on the
back of his truck, he told me that he wasn't even trying to charge the
batteries, all he could do was try to keep the system running from his truck
until power was restored.

Cable modems?  Cable VoIP?  Our whole world of modern cable telecom,
dependent on a guy with an extension cord and an old bucket truck.

I found it rather amusing, in a "sad commentary" sort of way.

Lauren Weinstein +1 (818) 225-2800 http://www.pfir.org/lauren
Moderator, PRIVACY Forum - http://www.vortex.com Blog: http://lauren.vortex.com


UK bank details sold in Nigeria

<"Amos Shapir" <amos083@hotmail.com>>
Mon, 14 Aug 2006 18:17:22 +0300

Bank account details belonging to thousands of Britons are being sold in
West Africa for less than £20 each, the BBC's Real Story programme has
found.  It discovered that fraudsters in Nigeria were able to find internet
banking data stored on recycled PCs sent from the UK to Africa.

  [http://news.bbc.co.uk/2/hi/business/4790293.stm]


Another auditor's laptop stolen

<Neil Youngman <neil.youngman@youngman.org.uk>>
Sun, 13 Aug 2006 17:12:56 +0100

Recently my wife received a letter from Ernst and Young, regarding the loss
of a laptop containing credit card information for customers of various
travel websites. I don't recall seeing it mentioned on RISKS, so I thought
I'd add it to your collection.

The letter states that "For the past several years, Ernst and Young has been
the auditor for IAN.com, a travel company which provides the hotel product
and booking technology to many leading travel websites." ...  "An Ernst and
Young employee's backpack containing his laptop computer was stolen from his
locked vehicle in the US." ...  "Following the theft we commenced an
internal investigation of this matter and determined that the stolen
computer contained certain customer information regarding some IAN.com
customer transactions primarily from the year 2004.  There were also a small
number of transactions from 2003 and 2002.  We believe the transaction
information may have included a transaction you made with IAN.com and,
specifically, that the information on the laptop may have included your
name, address and some credit or debit card information you provided."

The laptop required a password to use it. To date we have received no
information from law enforcement officials that any of the data stored on
the computer has been accessed by an unauthorised person or used improperly.
There is insufficient information in the letter for me to determine which
website was involved and which credit card might be affected.

Ernst and Young do say at the end "We have put in place enhanced security
procedures, including encrypting our laptop computers, to provide additional
protection for sensitive information and have taken other measures
designed to protect against this type of incident happening again."


First conviction in UK for Wi-Fi hijack

<MellorPeter@aol.com>
Sun, 13 Aug 2006 13:29:40 EDT

Quoted from BBC News article:

"A recent court case, which saw a West London man fined £500 and sentenced
to 12 months' conditional discharge for hijacking a wireless broadband
connection, has repercussions for almost every user of wi-fi networks.

It is believed to be the first case of its kind in the UK, but with an
estimated one million wi-fi users around the country, it is unlikely to be
the last. "There are a lot of implications and this could open the
floodgates to many more such cases," said Phil Cracknell, chief technology
officer of security firm NetSurity."

Apparently, the convicted man had used his laptop from his car while parked
outside a house in which the resident was using an unsecured wi-fi
connection, over a period of three months.  Neighbours noticed him and
reported his behaviour to the police as suspicious.

For the full article, see:
http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/4721723.stm

Peter Mellor;  +44 (0)20 8459 7669  MellorPeter@aol.com (new)


Can't type? Your Dell laptop battery must be OK!

<"Dan Miller" <Dan.Miller@fastsearch.com>>
Tue, 15 Aug 2006 10:43:07 -0400

Dell has set up a website where you can check to see if your laptop battery
is one of the group being recalled, due to overheating.  See
https://www.dellbatteryprogram.com/batterymodels.aspx

If your laptop belongs to a certain subset of models, you need to find your
battery ID (printed on the battery itself). The code is of the format
zz-zzzzzz-zzzzz-zzz-zzzz; a combination of 20 numbers and uppercase
letters. If the last 5 characters of the second group match one of 36
combinations, you are directed to enter the entire ID to see if your battery
needs replacement. See https://www.dellbatteryprogram.com/Identify.aspx.

The form in question allows you to enter one or more 20-character codes and
hit a Submit button. If your battery is OK, the phrase "No need for
replacement" appears next to the entered ID. I don't know what it says if
your battery does need to be replaced.

Unfortunately, there appears to be absolutely no check to verify you entered
a proper ID. Apparently, battery AB-CDEFGH-IJKLM-NOP-QRST is OK, as is
00-000000-00000-000-0000, and ten random combinations of numbers and
letters.

So you'd better heed the warning at the bottom of the page to "Please verify
you entered your PPID correctly before submitting".  You can tell a zero
from a capital letter O if only one of them appears on a label, right?

http://www.nytimes.com/2006/08/14/technology/14cnd-battery.html?hp&ex=1155614400&en=499692c95b993103&ei=5094&partner=homepage

    [Of course, if you were injured in the process,
    you could call on the Pharma in the Dell.  E-EYE-E-I-O.  PGN!!!]
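The post above describes a lookup form that accepts any 20-character string
in the zz-zzzzzz-zzzzz-zzz-zzzz layout and answers "No need for replacement"
for all of them.  The following is an added example, not Dell's code and not
from the original post, of what a defensible version of that check looks like:
a structural check on the format the post gives, the first-stage "last five
characters of the second group" filter, a lookup that distinguishes "this ID
is not on file" from "this ID is not recalled", and a search for registered
IDs that differ only by the O/0 and I/1 confusions the post jokes about.  The
registry contents and the two affected suffixes are constructed stand-ins
(Dell's list of 36 patterns and its database are not on the page); the
`weak_check` function models only the behaviour the post observed.

```python
import re
from itertools import product
from typing import NamedTuple

# Layout from the post: zz-zzzzzz-zzzzz-zzz-zzzz, 20 digits/uppercase letters.
PPID_RE = re.compile(r"^[0-9A-Z]{2}-[0-9A-Z]{6}-[0-9A-Z]{5}-[0-9A-Z]{3}-[0-9A-Z]{4}$")

# Constructed stand-in for the manufacturer's registry of issued battery IDs.
# Not Dell's data.  True = in the recall, False = issued but not recalled.
REGISTRY = {
    "CN-0D2345-12345-5AB-0234": True,
    "CN-0D2345-12345-5AB-0235": False,
    "JP-0F9876-54321-7CD-1O00": True,   # contains both O and 0 on purpose
}

# Hypothetical stand-in for the 36 five-character patterns the post mentions
# (the real list is not on the page).
AFFECTED_SUFFIXES = frozenset({"D2345", "F9876"})

# Characters a reader cannot reliably tell apart on a printed label.
CONFUSABLE = {"O": "0", "0": "O", "I": "1", "1": "I"}


class Result(NamedTuple):
    status: str          # malformed | out_of_scope | unknown | ok | replace
    suggestions: tuple   # registered IDs reachable by O/0 or I/1 swaps


def normalize(ppid):
    return ppid.strip().upper()


def recall_suffix(ppid):
    """Last five characters of the second group, the post's first-stage filter."""
    return ppid.split("-")[1][-5:]


def weak_check(ppid):
    """Models the behaviour the post observed: anything that is not on the
    recall list, including AB-CDEFGH-IJKLM-NOP-QRST or all zeros, is
    reported as fine.  A single mistyped character hides a recalled battery."""
    return "Replace" if REGISTRY.get(normalize(ppid)) else "No need for replacement"


def confusable_variants(ppid):
    """Every string obtained by swapping some subset of O/0 and I/1 positions."""
    slots = [i for i, c in enumerate(ppid) if c in CONFUSABLE]
    if not slots or len(slots) > 8:      # bound the search at 2**8 candidates
        return []
    variants = []
    for choice in product((False, True), repeat=len(slots)):
        if not any(choice):
            continue                     # skip the unmodified input
        chars = list(ppid)
        for i, flip in zip(slots, choice):
            if flip:
                chars[i] = CONFUSABLE[chars[i]]
        variants.append("".join(chars))
    return variants


def check_battery(ppid):
    """Fail closed: an ID that is not on file is 'unknown', never 'ok'."""
    p = normalize(ppid)
    if not PPID_RE.fullmatch(p):
        return Result("malformed", ())
    if recall_suffix(p) not in AFFECTED_SUFFIXES:
        return Result("out_of_scope", ())
    if p in REGISTRY:
        return Result("replace" if REGISTRY[p] else "ok", ())
    hits = tuple(v for v in confusable_variants(p) if v in REGISTRY)
    return Result("unknown", hits)


if __name__ == "__main__":
    for sample in ("AB-CDEFGH-IJKLM-NOP-QRST", "00-000000-00000-000-0000",
                   "JP-0F9876-54321-7CD-1000"):
        print(sample, weak_check(sample), check_battery(sample))
```

The last sample in the usage block is the recalled ID typed with a zero in
place of the letter O: the modelled weak form declares it safe, while the
checked form reports it as unknown and offers the registered near-match for
the user to confirm.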


Re: 3.1 million HSBC (Macintyre, RISKS-24.37)

<tls@panix.com (Thor Lancelot Simon)>
Mon, 14 Aug 2006 04:01:46 +0000 (UTC)

To be, perhaps, all too kind, the claim is nonsense, and the fact that its
sole support is an argument about bombs at airports (which I've snipped) is
good reason to suspect as much as soon as you see it.  The "bomb" example is
an exercise in emotional manipulation through the presentation of an
immediate, vivid, highly aversive consequence, intended to trick the reader
into miscomputing the actual cost and benefit of the other problem it
accompanies (the "telling the news media about a security flaw" problem) for
emotional reasons.

To be clear, let's look at the actual ethical problem here in simple
consequentialist terms.  To believe that "you have a responsibility NOT
to be telling the news media", you have to believe that the negative
consequences of you telling the news media outweigh, for ever and ever
going forward from today-here-now, the positive consequences of you doing
so.

Is that really plausible?  Absent the specious "bomb" example, why
should we think so, when we have been given, as the conditions of the
problem, that "you report it to the institution and to law enforcement,
and they do not seem to take you seriously"?  That suggests that (at least)
whatever level of harm is currently occurring will continue indefinitely --
unless, that is, someone _else_ were to make a public disclosure, and thus
even more dramatically absolve you of this phantom 'responsibility' Al is
claiming that you have.  At some point in time, it is clear that the small
continuing harm of continual abuse of the security flaw would in fact far
outweigh the (allegedly) larger, very temporary harm of which your disclosure
of the flaw to the media would purportedly be the cause -- after which
disclosure, of course, all harm would stop, since fear of liability would
cause the institution to plug the hole.

The correct choice as a matter of consequentialist ethics is plainly to
continue to attract the correct attention from the appropriate authorities,
but to be prepared to publicly disclose the problem _before_ that small
continuing cost swamps the one-time cost of disclosure.  To claim that one
has some kind of absolute responsibility to not disclose such problems as a
matter of ethics is balderdash, and emotional appeals to examples about
ticking bombs do not (as they usually do not) help.


Re: LA power outages (Jacobson, RISKS-24.37)

<Scott Peterson <scottp4@mindspring.com>>
Sat, 12 Aug 2006 20:24:32 -0700

>World class first tier facility, two redundant grid hookups, backup battery
>array with two separate sets of diesel generators. Trucks full of diesel are
>on standby and the datacenter is run on each for 12 hours each month to make
>sure everything is working as it should.

I had a girlfriend who worked as a programmer for Carter Hawley Hale.  This
was a good sized California department store chain back in the 1980's.  They
built a huge data center in Orange County, CA.  They made the same kind of
plans for their mainframes.

Tied into multiple grids for power backup, got permission to use the city's
fire hydrant water system for cooling as backup to the regular water supply.
They thought they had everything covered.  Anyway, one day a car hit a
hydrant about a block away.  A valve that was supposed to stop backflushing
hadn't been installed properly and when the city tried to shut off the
hydrant break they found that the datacenter was pumping water from the city
lines into the emergency system with no way to shut it off without turning
off water to the whole data center.  They were down for about 4 days and it
was pretty disastrous.


Re: Letter on cybersecurity from the president

<Nick Simicich <njs@scifi.squawk.com>>
Thu, 17 Aug 2006 10:18:27 -0400

After publishing this deprecation of the current administration from the
loyal opposition, our moderator makes a weak call for "a similar message
from a republican".

I have a further request: How about not publishing things that are obviously
political diatribes masked as legitimate technical criticisms and comments?

It does bother me that the moderators seem to be unable to tell a polemic,
complete with vague, denigrative suggestions from a legitimate technical
criticism.  I won't bother with a point by point response, that would give
too much attention to a content-free political speech.

One thing does scare me about Reid's polemic.  Toward the end, flag firmly
in hand, he refers to 911 and then makes the following comment:

> it is critical that the American people trust that their
> government is taking every possible step to protect them.

No, every reasonable and constitutional step, not every possible step.  We
have already had a series of unreasonable steps, like no nail clippers on
airplanes, and losing your items rather than having them mailed or checked
through as punishment for accidentally bringing them (still in effect).

The "every possible" language is tossed about by both sides, and it is
tossed about by people who probably are not affected by either the measures
they take or their results, short or long term.  Yes, we are at war, and at
war, you take some special actions.

Blog: http://majordomo.squawk.com/njs/blog/blogger.html
Atom: http://majordomo.squawk.com/njs/blog/atom.xml
RSS: http://majordomo.squawk.com/njs/blog/atom.rdf


REVIEW: "Risk Management Solutions ... Compliance, Quarterman

<Rob Slade <rMslade@shaw.ca>>
Thu, 17 Aug 2006 09:07:42 -0800

BKRMSSOX.RVW   20060722

"Risk Management Solutions for Sarbanes-Oxley Section 404 IT
Compliance", John S. Quarterman, 2006, 0-7645-9839-2,
U$50.00/C$64.99/UK#31.99
%A   John S. Quarterman
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-7645-9839-2
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99/UK#31.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0764598392/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0764598392/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0764598392/robsladesin03-20
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   278 p.
%T   "Risk Management Solutions for Sarbanes-Oxley Section 404 IT
      Compliance"

There is a problem with the title, quite apart from the fact that it is just
too long.  This book is not about "Sarbanes-Oxley Section 404" (which is in
the largest type on the front cover) as such.  In the preface, Quarterman
explains that this work addresses risk management, and, specifically, those
risks related to the Internet.  The text is intended for a wide ranging
audience: C-level executives who need to manage and report risk, IT
professionals needing information about non-technical control of risk,
insurance and financial organizations needing to make monetary assessments
of risks and benefits, employees of Internet related companies, and business
risk management students.

Having been through the publishing process myself, I know that the title and
cover are not Quarterman's fault: publishers get to choose.  (And, somewhere
in Wiley, there is a marketing person just bouncing up and down with glee at
finally being able to publish a SOX book.)  On the other hand, the title is
not completely misleading: SOX 404 is about the proper assessment and
reporting of potential risks, and pretty much every company these days has
to factor in the perils of dependence upon the Internet.

Chapter one is an introduction, noting that, contrary to standard risk
assessment ideology, some threats are beyond the control of the enterprise,
and not subject to any kind of technical safeguards.  Perils may be too
large for the company (some financial losses are simply too great for an
individual company to survive) and difficult to quantify.  Quarterman points
out that, rather than a fixed value resource, the Internet may be more
similar in valuation to a stock option, or other financial instrument, and
doesn't fit older cost/benefit models.  A variety of hazards from and to the
Internet are listed in chapter two.  Solutions are addressed in chapter
three, and the author also examines proposed solutions that do not work.
For example, the difficulties of the Internet are frequently blamed on the
fact that there is no central authority and management, and it has often
been proposed to implement (or impose) such centralized command structures
on the net.  However, Quarterman demonstrates that decentralization has
worked in a number of cases, including a number of Internet applications.

Chapter four is problematic: options for risk transfer are discussed
before the concept is raised, and although the title talks about
strategy it is hard to pick strategic measures out of all the tactical
measures.  The work of Basel II, with the concepts of credit and
operational risk calculations, is outlined in chapter five.  Examples
of risks that are troublesome to quantify are given in chapter six.

Chapter seven turns to large enterprises, noting some threats that are
somewhat intrinsic to the breed.  Quarterman doesn't stop with the
"trite but true": some of the perils are hubris and a reputation for
bullying behaviour.  Small enterprises might not find the same kind of
help in chapter eight: the material here talks more about
opportunities and benefits.  Various aspects of bonding, insuring, and
service level agreements (SLAs) for Internet service providers are
examined in chapter nine.  There is an interesting discussion of
third-party bonding, and the advantages that automatically accrue to
all parties under such a situation.  Chapter ten turns to the
government, and the ways in which it can, and can't, help.  Numerous
aspects of insurance (policy language, legal precedents, new concepts,
and the lack of hard data for the effectiveness of the new
instruments) are reviewed in chapter eleven to address the
possibilities, limits, and restrictions of new forms of risk
transference.  Chapter twelve summarizes the reasons why Internet risk
is different than others.

This book has a rushed feeling to it, and there are a number of odd errors.
The "Acknowledgements" section is, instead, a repeat of the first page of
the preface.  Text and phrases are repeated ("cyberhurricanes"), often
without definition and sometimes in contradictory fashion.  There is, for
example, an amount of $100 billion for risk from the Internet.  This number
is repeated on pages xxiii, 1, 30, 146, and 256 but seems to be used in one
place for a global figure, and in another for the risk to an individual
company.  The structure of individual chapters can be difficult as well: it
is hard to determine threads of specific arguments out of the (admittedly
intriguing) stream of information.

There are three threads that are repeated again and again in the book:
diversity, insurance, and mapping of the Internet.  But there is much
more: Quarterman does not address the standard picture of risk
management, since he is pointing out that the Internet throws our
usual tools for quantified risk analysis into disarray.  Instead he
notes areas that have been neglected, because of the difficulty of
fitting them into standard models, and proposes new, if somewhat
vague, risk paradigms.  This is not a text that can be used as a
reference for ordinary threat analysis, but should be thoroughly
studied by anyone involved with protecting information (and
particularly communications) for a large company, anyone with a major
involvement in the Internet itself, and anyone responsible for
business risks in a rapidly changing environment.

copyright Robert M. Slade, 2006   BKRMSSOX.RVW   20060722
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm
