Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
A drive by the Federal Aviation Administration to cut the number of air traffic controllers nationally by 10 percent below negotiated levels, and even more sharply at places like the busy radar center here, is producing tension, anger and occasional shows of defiance among controllers. One of the new changes may have safety implications: ending of contractual protection against being kept working on a controller's radar screen for more than two hours without a break. Having just one controller on duty is also problematic [as noted in the recent wrong-runway episode in Lexington KY (RISKS-24.41)]. [Source: Matthew L. Wald, *The New York Times*, 20 Sep 2006; PGN-ed, TNX to Lauren Weinstein] http://www.nytimes.com/2006/09/20/washington/20control.html
We've had previous discussion in RISKS of the unexpected side-effects that can result when human beings respond to safety measures by changing their behavior, taking on risks that previously were too great to feel acceptable. http://www.eurekalert.org/pub_releases/2006-09/uob-wah091106.php is a news release about some research in this area. Dr. Ian Walker spend a great deal of time bicycling around the UK on a bicycle with equipment that measured how close drivers of different kinds of vehicles came to him when passing. Half the time, he wore a helmet; half the time, he didn't. Result: Drivers approached closer (and average of 8.5 cm) when he was wearing a helmet. Walker's hypothesis is that drivers see bicyclists wearing helmets as more experienced and competent, hence not in need of consideration. In other interesting results, when Walker wore a wig so that he looked like a woman, he was given significantly more room. He also confirmed a feeling all bicyclist have: Yes, indeed, trucks and buses do approach bicycles more closely (average of 19 cm for trucks and 23 cm for buses) than cars do. As Walker points out, helmets definitely do protect a rider in low-speed falls. How much they help in collisions with vehicles is harder to say - and if wearing a helmet makes a collision more likely, the net effect is difficult to predict. (Walker was hit twice, once by a bus and once by a truck, during his experiments. He was wearing a helmet both times.) [Spelling correction in archive copy.]
Grete Fossbakk wanted to transfer NOK 500,000 (USD 76400) to her daughter using her online bank account, but entered a digit too many in the account number field. The bank software stripped it silently and transferred the money to a third party. Unfortunately, the recipient immediately withdrew the bounty and started to gamble it away. Meanwhile, the daughter was on vacation, so the mishap wasn't discovered until three weeks had passed. The matter was reported to the police, and they were able to reclaim NOK 100,000 in cash in the man's apartment. Ms Fossbakk has launched a civil claim against the man for the remainder of the money, but since he lives off social security, the chances of getting it back are slim. The bank, Sparebank1 Nord-Norge, claims that if you type the wrong number, you have the bear the consequences yourself. The Norwegian bank industry's board of complaints (Bankklagenemnda) will hopefully decide in the case in time for Christmas. The Minister for Consumer Affairs, Karita Bekkemellem, has stated this is an important issue, and will consider to propose new legislation if the banks don't accept responsibility. Articles in Norwegian: http://www.dn.no/privatokonomi/article875204.ece http://www.dn.no/forsiden/politikkSamfunn/article876885.ece [Also noted by Tore A. Klock. PGN]
Surveillance footage on a gas station ATM shows a man swiping an ATM card, punching in a series of numbers, and breaking the machine's security code. He apparently reprogrammed the ATM to disburse $20 bills while recording the transaction as a $5 debit. He then apparently used a prepaid debit card. The shortfall was not noticed until nine days later, when a customer reported receiving four times what was requested. [PGN-ed] http://apnews.myway.com/article/20060913/D8K496CO4.html
[Source: Linda Rosencrance, Software glitch prompts Segway recall; Six injuries reported when transporter unexpectedly reverses direction *Computerworld*, 14 Sep 2006, PGN-ed; TNX to Nelson H. F. Beebe, U Utah.] http://cwflyris.computerworld.com/t/854524/419952/33869/2/ Segway Inc. is recalling all of its 23,500 Segway Personal Transporters because of a software problem that can cause the wheels of the device to unexpectedly reverse direction and cause a rider to fall. Consumers should stop using the device immediately and contact the company for a free software upgrade, according to the U.S. Consumer Product Safety Commission, which is working with Segway on the recall. Bedford, N.H.-based Segway said no hardware changes are required. A commission spokesman said Segway received reports of six incidents that involved facial and wrist injuries. One user required facial surgery and another was hospitalized overnight. Others suffered broken teeth, he said. "A condition has been identified in which the Segway PT can unexpectedly reverse the direction of the wheels, which can cause a rider to fall," the company said today. "This can occur when the PT's Speed Limiter tilts back the machine to slow it down and the rider goes off and then back onto the PT within a short period of time." The voluntary recall applies to all Segway PTs sold to date, including all Segway PT i Series, e Series, p Series, XT, GT and i2 models. The Segway x2, due for release later this month, is not affected by the recall. All new shipments of the I2 are being shipped with the new software release, the company said in the statement. [This was also noted by Howard Israel and Jeremy Epstein.]
Here's yet another power outage story that features a failure mode that I don't think has been mentioned yet. Back around 2000 or so, when I was at Enron, we lost power to most of the production database servers used for gas and power trading. Only the servers were affected, and the power outage wasn't caused by the failure of anything electronic. The raised floor under the power director feeding the servers collapsed. When the director sensed the sudden motion, it immediately shut off, taking all of the servers with it. After a couple of hours it was jacked back into a level position, and turned back on, bringing everything else back to life. That weekend the floor was repaired. Mike Swaim swaim@hal-pc.org MD Anderson Dept. of Biostatistics & Applied Mathematics mpswaim@mdanderson.org or mswaim@mdacc.tmc.edu at work
Sending packages with Fedex is now easier than ever, thanks to the fedex.com website. Unfortunately, it's too easy. In most cases, if you know a company's account number, you can send whatever you like using the site, assuming you have a pulse, a browser, and access to the Internet. We recently had an angry ex-employee use our account number to send multiple small dollar amount packages all over the place. The dollar value was too low for the authorities, and it was really just a nuisance. Our "Fedex person" called Fedex to stop this, and customer service told her the only way was to change our account number. This would be painful, so we sent him letters telling him to stop. It didn't. We called Fedex again, this time asking for security, using words/phrases like "fraud," "theft," and "you will have to pay when we reverse the charges." We didn't get anyone from Security, but they did begin to listen. After being bounced around at fedex, we learned the following: * Unless you take specific action (enable and configure Shipping Administration for your account within Ship Manager on the website), anyone on the planet can create a fedex.com account, associate it with your account number, and ship whatever, wherever they way, third party included. * there is no way, even with shipping administrator, within fedex.com, to view the logins associated with your account. We had to call and insist on a list - for "security" reasons they could not email or otherwise send us a list, but were able to tell us logins, names, last login, and email of active accounts. After setting up Shipping Administration, we verified that this ex-employee (or anyone else we don't approve) can no longer set up a new login and associate it with our account. After about an hour on the phone, we were able to get his login deleted (and learn all of this additional information about their system). Risks? For Fedex? Not defaulting to a more secure configuration (like, want to use fedex on the web? First sign-in associated with that fedex account must set up "Shipping Administrator" to prevent unauthorized use). Building an application with all the shipping capabilities imaginable available, and very little for the account holder to manage access and security. Not having a security contact or phone number listed, or accessible by calling in to customer service. Money lost to fraud by abuse of this system. For the Fedex user? Giving your fedex account number to third parties who may ship things to you, unless you know and trust them, and trust their handling of your account number. Not watching your bills closely. Signing up and using for a service that, when you think about it, is far too easy to use to have any built-in safety.
The access panel door on a Diebold AccuVote-TS voting machine --- the door that protects the memory card that stores the votes, and is the main barrier to the injection of a virus --- can be opened with a standard key that is widely available on the Internet. ... we did a live demo for our Princeton Computer Science colleagues of the vote-stealing software described in our paper and video. Afterward, Chris Tengi, a technical staff member, asked to look at the key that came with the voting machine. He noticed an alphanumeric code printed on the key, and remarked that he had a key at home with the same code on it. The next day he brought in his key and sure enough it opened the voting machine. See Ed Felten's blog: http://www.freedom-to-tinker.com/?p=1064
Cuyahoga County [which includes Cleveland] had a major meltdown in their May 2006 primary election. A Review Panel [comprised of a local judge, the head of the Ohio Lottery, an academic, with local law students as staff] issued a report on the event, and what needs to be fixed. <http://www.votingintegrity.org/pdf/cerp_rpt06.pdf> While Diebold DRE machines are deeply embedded in the debacle, the report is not about the problems with machine's security [as Ed Felten's is] as much as the issues of acquiring, configuring and deploying them. The Road To Hell is paved with good intentions, and this report has asphalt enough to go around. It's an example of how you can you can make any problem too hard to handle if only there is enough money & patronage floating around... RISK readers can easily identify all the Usual Suspects; you could almost duplicate it with cut and paste from say, DIVAD/Sergeant York, Virtual Case File, and oh the Second Ave subway project escapades. Cuyahoga County Board of Elections says they were told they were buying, from the sole source vendor, "seamless integration" between the registered voter database and ballot creation processes; while the vendor was seemingly wearing hooded white robes. [Diebold bought the West Coast voter database company but it was still a separate operation who {oops} wanted to be paid extra for their added work; work allegedly never mentioned by the corporate salesman who sold the "seamless" package to the BoE.] The BoE didn't even have the authority to spend the money they thought was "theirs" and thus never asked the County Commissioners. It also touches on the very real issue of poll workers/election day staff. Elections are transient events, and many of the polling places are likely to be staffed by people not just with little or no computer experience; but often computerphobia. Add training problems and you have a disaster brewing. There are VERY few Avi Rubin's working at polling places; and outside of Silicon Valley, I bet do no more than start Word. I wonder how many RISK readers do so? I'm almost tempted to say there should be Election Day Duty al-la Jury Duty. For now, employers could show their support by encouraging both senior staff & IT support to volunteer. Both would get a valuable reminder in Real World 101. The only good aspect is the Ohio Legislature required honest-to-gosh paper as the ballot of record. While that makes jammed printers important, it means there is something to recount when, not if, things go wrong...
I'm a Swede and is a bit puzzled about the eletronic voting that seems to become so popular in the US. As we are going to have a general election this sunday (sept 17), I can't help making a comparison. The precinct Avi was reporting from had over 1000 voters. The precinct I am going to use this sunday has around 1200 voters of which around 1000 usually show up. Thus quite similar in size. Avi had 12 machines and 16 judges, opening hours 0700 - 2200, long queues. We have no machines (old fashion paper ballots) and 3 + 3 layman officials, opening hours 0800 - 2000, no queues. After 2000 (8 pm) the votes for the the Swedish Parliament are handcounted at the precinct in the presence of all interested. That takes about one hour. These results are then telephoned to the central authority. All votes are then recounted a couple of days later, to get the official result. This recount is also performed in the presence of all interested. All votes are kept in sealed and secured boxes during transport. What are the advantages with electronic voting? Reading Avi's blog makes one wonder.
The insecure method of trying to use a verbal report of a U.S. Social Security Number (SSN) as personal identification is coming under wider scrutiny because of the brouhaha about the Hewlett-Packard board. The Chairman apparently ordered an investigation into who was giving privileged information to news media, and the investigators hired pretexters to obtain phone records of board members. Pretexters are people who use "social engineering" skills to impersonate a third person while communicating with a service provider, in order to obtain information about the services provided to that person. In this case, the pretexters wanted to obtain the telephone-call records of HP board members. The International Herald Tribune recounts the practice at http://www.iht.com/articles/2006/09/11/business/hpspy.php in a story from the New York Times by Matt Richtel and Miguel Helft. One investigator who helps auto-repossession agencies demonstrated: "In most cases [the investigator] said, he already had the Social Security number from the lien holder. But if necessary, he could find it in commercial databases. To demonstrate, he asked a reported his full name and state of residence, and read him back his Social Security number within seconds." [op.cit.] Among companies who have adapted belatedly to this reality are Verizon, who apparently stopped using SSN as "a chief way to establish [a customer's] identity" last year. Among those who have not yet adapted are AT&T, which "[continues] to accept Social Security numbers as a central means of identification." The article discusses the legality of pretexting, which may already be generally illegal in many jurisdictions and is so for particular goals such as obtaining financial records, and efforts to make it more explicitly illegal. The legality of pretexting is obviously a different issue from the insecurity of authentication through SSN, just as the legality of thievery is a different issue from whether I lock my front door when I leave the house. It has been known for years, and not just to RISKS readers, just how dysfunctional the practice is of trying to authenticate people through basic information such as residential address and SSN. Perhaps it persists because the perpetrators (service companies) are not the sufferers (their customers). There is, however, a general legal notion of "due diligence", whereby if a company uses a method which is known to be ineffective, it can be held responsible for deleterious consequences, as having not exercise due diligence. So, when it becomes sufficiently "well known" that divulging SSN is ineffective as authentication, practice could change. The HP story might help to tip the scales. Peter B. Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de
Dutch media report on a new way thieves are using to break into cars with electronic locks, see for instance: http://www.rtvnoord.nl/nieuws/index.asp?actie=totaalbericht&pid=60184 In Stadskanaal, in the North of the Netherlands, at least 30 cars have been illegally opened without any trace or damage. Thieves appear mostly to look for car documents. The police don't have any clue how the cars have been opened. One of the possibilities being looked into is the existence of some new electronic device acting as a passkey. If such an electronic passkey would exist, then we see the next phase in the (electronic) security rat-race. Gaudi systems architecting <http://www.gaudisite.nl/>
Several Dutch media report the sabotage of telecom infrastructure at a business park in Blerick, near Venlo, in the South of the Netherlands, e.g., http://www.telegraaf.nl/binnenland/49777581/KPN_heeft_handenvol_aan_gesaboteerde_kastjes.html In Blerick the cabinets of KPN (Dutch Telecom provider) were broken down. Apparently the inflictors wanted to eliminate the security of businesses at the park. They succeeded and stole for 100k's Euro's from DHL, the courier company. The same attempt was made at the business park in Herkenbosch, another small town in the South. However an attempt to break in at an attraction park here didn't succeed, because the alarm was still functional. This example again illustrates the often invisible dependencies of modern interlinked systems. Many modern security services depend on public infrastructure. How many of them have these single points of vulnerability?
Westword, a Denver area weekly, has published a long article on the teen who was arrested for impersonating an officer on local police radio bands in 2001. According to the article, he had been routinely communicating on police bands for about three months, requesting licence plate checks and once reporting a fake hit-and-run accident. He was found guilty and sentenced to six months in the Division of Youth Corrections and two years' probation. The article provides some mundane technical details on the incident. RISKS readers may be interested in the somewhat dramatized events and motivations that drove the teen to impersonate a law enforcement officer. In 2006, he was arrested and charged with impersonating an EMT and theft by receiving. The article will be available for some amount of time here: http://www.westword.com/Issues/2006-08-31/news/feature.html
During the early 1980's the place I worked at had a Honeywell-compatible version of the venerable IBM 1401. It came in several models (I don't remember the model numbers - call them Model A for the lowest end up to Model D for the top end). We found out the hard way that the only difference between them was one resistor - take it out and a Model A was as fast as a Model D (but leased for tens of thousands less). Our field engineer did not like to waste time, so he always disconnected the resistor when he did his P.M. In fact he hated wasting time so much that he never bothered to reconnect it. On one periodic maintenance day, he was on vacation and a somewhat more conscientious engineer took his place. The resistor was replaced. The director wanted to know why everything slowed down. When he found out, he immediately terminated the lease. [This is indeed an old phenomenon. Long ago, during my Bell Labs days, I requested an upgrade for a telephone modem, which was made by snipping a single wire with a disproportionate increase in the monthly rental. PGN]
BKCMPSEC.RVW 20060819 "Computer Security Basics", Rick Lehtinen/Deborah Russell/G. T. Gangemi Sr., 2006, 0-596-00669-1, U$39.99/C$51.99 %A Rick Lehtinen %A Deborah Russell %A G. T. Gangemi Sr. %C 103 Morris St., Suite A, Sebastopol, CA 95472-9902 %D 2006 %G 0-596-00669-1 %I O'Reilly and Associates, Inc. %O U$39.99/C$51.99 %O http://www.amazon.com/exec/obidos/ASIN/0596006691/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0596006691/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0596006691/robsladesin03-20 %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation) %P 296 p. %T "Computer Security Basics, Second Edition" I've been waiting a long time for an updated version of this classic. "Computer Security Basics" was a pretty accurate name for the first edition. The book was an overview of many aspects that go into the security of computers and data systems. While not exhaustive, it provided a starting point from which to pursue specific topics that required more detailed study. Such is no longer the case. Part one looks at security for today. Chapter one starts with 9/11, then talks about various infosec groups, and only then gets to an introduction of what security is, and how to evaluate potential loopholes. The definition points out the useful difference between the problems of confidentiality and availability, and now adds integrity. The distinction between threats, vulnerabilities and countermeasures is helpful, but may fail to resolve certain issues. Ironically, in view of the title of this section, chapter two gives some historical background to the development of modern data security. Part two deals with computer security itself. Chapter three looks at access control, but is somewhat unstructured. Malware and viruses receive the all-too-usual mix of advice and inaccuracies in chapter four. Policy is supposed to be the topic of chapter five, but most of the text is concerned with matters of operations. Internet and Web technologies, and a few network attacks, are listed in chapter six. The prior inclusion of network topics is rather funny, since part three delves into communications security. Chapter seven turns first to encryption, which could be presumed to have applications in more than communications, although it is important in that field. The material on encryption is quite scattered and disorganized, and the explanation of asymmetric systems is probably more confusing than helpful. A lot about networks, a list of network security components, and not much that is useful makes up chapter eight. Part four turns to other types of security. Chapter nine takes a confused look at physical security, and includes biometrics: as with encryption and communications, the topic that could be related to physical security, but might more properly be dealt with elsewhere. Chapter ten reviews wireless LANs, mentioning threats, but only tersely listing security measures, with no detail for use or implementation. The original version of the book was a good starting point for beginners who had to deal with computer security at a basic level. This second edition is a tremendous disappointment: Lehtinen has done a disservice not only to Russell and Gangemi, but also to those relying on this foundational guide. The tone of the first edition may have been too pompous, but the contents were informed by the primary concerns for information security. This update has introduced random new technical trivia, muddied the structure and flow, and reduced the value of the reference overall. copyright Robert M. Slade, 1993, 2002, 2006 BKCMPSEC.RVW 20060819 rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org http://victoria.tc.ca/techrev/rms.htm
Please report problems with the web pages to the maintainer