I had the opportunity to review the Florida Voting System Standards (at <http://election.dos.state.fl.us/laws/proposedrules/pdf/dsde101Form.pdf>) and have found them to be inadequate in numerous regards. My 3-page comment on the potential inequities, inadequacies and omissions of Florida's voting system certification process can be found at <http://www.notablesoftware.com/Papers/FLVSSRMComment.pdf>.

Rebecca Mercuri. Permission granted to post and forward this e-mail message in its entirety.
On 29 Sep 2006, a midair collision occurred in Brazil on Airway UZ6, between Brasilia and Manaus, at Flight Level (FL) 370 (an altitude at an air pressure equal to that at 37,000 ft in an International Standard Atmosphere). An Embraer Legacy business jet, on a delivery flight from the manufacturer to a U.S. owner, apparently collided with a B737 transport aircraft, GOL Flight 1907. The GOL aircraft subsequently broke up in flight and crashed into the jungle, with the loss of all on board. The Legacy continued flying and made an emergency landing at a military airbase. New York Times columnist Joe Sharkey was on board and related the tale. (David Magda noted this accident in RISKS-24.45.) Both aircraft were equipped with Honeywell's TCAS 2000 collision-avoidance systems. It has not yet been determined why the collision avoidance systems did not issue a warning. It is suspected that the Legacy transponder, an essential component on which the TCAS is dependent, was not operating but it has not yet been determined why this would have been so. Transponders on other Embraer jets have been recently subject to an Airworthiness Directive (AD) from the U.S. FAA because of incidents in which the transponders have ceased operating during a code change without sufficient notification to the pilots, but it has been pointed out that this AD is not related to the Brazilian midair (as far as one can tell). The flight plan of the Legacy called for an altitude of FL 360 when joining UZ6. However, the Legacy had been previously cleared to FL 370, and had subsequently lost contact with ATC, who had tried but failed to issue a descent to FL 360. US rules under such circumstances require pilots sometimes to maintain last cleared FL; sometimes to revert to flight plan, according to circumstance. I know of no source which clearly states Brazilian rules. The GOL aircraft was cleared on UZ6 in the opposite direction at FL 370. 
The Legacy pilots have had their passports impounded and an investigation is underway to determine whether they have any criminal responsibility. Besides the human cost (they are holed up in a hotel in Rio with their lawyer and don't go outside), such a judicial process in advance of the causal investigation has been criticised by the Flight Safety Foundation, the (British) Royal Aeronautical Society, the (French) Academie Nationale de l'Air, and the Civil Air Navigation Services Organisation. FSF President Bill Voss has said "We are increasingly alarmed that the focus of governments in the wake of [civil aircraft] accidents is to conduct lengthy, expensive and highly disruptive criminal investigations in an attempt to exact punishment, instead of ensuring the free flow of information to understand what happened and why, and prevent recurrence of the tragedy" (cited in Pierre Sparaco's column A European Perspective, entitled "Unwarranted Criminalisation", in Aviation Week and Space Technology, 13 Nov 2006, p43. Sparaco has addressed this issue three times this year, the first two on 22 May 2006, p45 and 3 Jul 2006, p42, in the wake of the Concorde accident, and the fourteen-year-old Mont St.-Odile accident, which only this year came to court: the defendants were acquitted.) Similar jurisdiction conflicts arise in Germany, with investigations into accidents on the railways, and have been most recently pointed out in consequence of the Maglev accident (Weber-Wulf, RISKS-24.45; Weber-Wulf, Virtel, Ladkin, RISKS-24.44). But the computer-risk connection is this time not with TCAS. David Kaminski-Morrow reported in Flight International, 5-11 Dec 2006, p15, that the Cindacta-1 display software running at the ATC center controlling the flights can automatically update altitude-clearance information without controller intervention. As the Legacy joined UZ6, the system automatically updated the Legacy's cleared flight level to FL 360. 
"Loss of the Legacy's transponder information [which includes the actual FL] shortly afterwards ... eliminated a crucial indication to controllers that there was a mismatch over its altitude." In other words, the Legacy was flying at FL 370 and the controller's display was showing FL 360. I omit the justified criticism from the Brazilian arm of the International Federation of Air Traffic Controllers' Associations, which visited the Cindacta-1 center and discovered this, um, feature of the SW, because I am sure that RISKS readers can supply their own, similar, reactions. Peter B. Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de
David Learmount reports in Flight International, 12-18 Dec, p16, on a Ryanair B737-800 which almost flew into terrain on 23 Mar 2006, on approach to Knock airport, Ireland. The Irish Air Accident Investigation Unit (AAIU) determined the principal cause to be that the "pilots fixated on reprogramming the flight management computer (FMC) while the aircraft continued its descent". A contributory cause was reported to be a "systemic failure" at the airline and the chart supplier Jeppesen (owned by Boeing) that failed to supply the pilots with up-to-date information about the navigation aids available at Knock. Peter B. Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de
Too many systems to itemize here rely on the 'unique ID' of an RFID token to grant access to a system or building, and, in the case that these tokens are based on 125kHz or 134.2kHz standard tags, many of them may be vulnerable to relatively simple cloning attacks.

In a way this is nothing new - several researchers have previously presented attacks whereby RFID tags were emulated by custom built circuits which were able to fool readers into thinking that a genuine tag had been presented. However, the industry response was normally that this was not a 'real' threat, as it required specialist knowledge and equipment, and the resulting device was not a 'true clone' as it didn't have the same form factor as the original.

The difference here is that the 'clone' may actually follow the same form factor as the original, and is therefore indistinguishable not just to the reader, but also to the human eye. In addition, no specialist equipment or custom circuitry is required, and the 'clones' can be produced using off the shelf equipment, software and blank tags purchased perfectly legally over the Internet. In fact, the tags are only doing what they were designed to do in the first place: implement industry standards. The problem is that many security system suppliers are integrating industry standard tag readers, and promoting the 'uniqueness' of the tag ID as a guaranteed certainty when it isn't, and thereby compromising the security of the entire system.

The two specific tag types I've looked at are:

* Trovan 'Unique', aka EM4x02
* FDX-B, aka EM4x05 - ISO-11784/5 (animal tags)

The description of the 'Unique' tag, from the Trovan website is as follows:

"The TROVAN UNIQUE (c) Read-Only System is well-suited to applications that require a high level of data security. Unlike other vendors' factory preprogrammed lines, the protocol of the TROVAN UNIQUE (c) line is patented, providing unmatched protection against unauthorised third-party cloning.
Each transponder is programmed with a unique 10-digit ID code during manufacture. Comprehensive automatic test methods ensure that no code exists in duplicate in any of the TROVAN UNIQUE (c) transponder types, and that codes are programmed correctly in a readable manner. Once the code is programmed at the time of the transponder's manufacture, it cannot be counterfeited or tampered with. A total of 550 billion unique ID codes is available."

Q5 are general purpose, multi-standard tags, that are capable of emulating other devices. I found that it was a standard feature of the Q5 chip to emulate a 'Unique' tag, and it was trivial to program a duplicate ID into one. The resulting tags were tested against three different systems that I have access to, and all three systems were unable to distinguish between the original and the 'clone'.

In response to my questioning the security of the Unique tags, the response I got from Trovan was: "There are a variety of H4102 versions, some of which can be emulated by a Q5 tag. Our tags are a custom version of the H4100 tag."

It should be noted that I am not pointing the finger at Trovan devices here, but the 'Unique' standard some of their tags implement and which are generally available as a generic tag type - it is sometimes hard to tell exactly whose devices or tags are used in a specific installation, but suffice it to say that I have found 3rd party systems (one at a very recent security systems show in London) that were vulnerable to EM4x02 style cloning.

The equipment required to do this was a laptop and off the shelf RFID reader/writer, but it could just as easily have been a small handheld, and so a credible threat exists of simply swiping an access tag ID in a 'walk-by' of someone leaving a building, and then producing a clone which will give full access.
I am also able to produce what seem to be accurate clones of FDX-B tags (such as the one in my dog), and also VeriChip tags, in as much as a standard FDX-B reader such as you might find at your local vet will not be able to tell the difference. I have not been able to test if a genuine VeriGuard system would also be fooled, but VeriCorp's response when I took it up with them was:

"You can take a write-once and re-writable chip and put the VeriGuard ID number on this chip, and a lot of readers will read the ID and including the VeriGuard reader. I can not tell you every but their three things that tell are unit that it is a VeriChip 16 digits not 15, timing and one other thing. We call it copying not cloning because the can't get all the information need to send to the VeriGuard reader at the right time." [sic]

The latest release of the open source python library, RFIDIOt (v0.1h), contains tools for programming both EM4x02 and EM4x05 tag IDs to Q5 or Hitag2 tags, and I would suggest that if you own (or supply) systems based on either of these standards, that you use them to audit for this vulnerability. Full details at http://rfidiot.org

Adam Laurie, The Bunker Secure Hosting Ltd., Ash Radar Station, Marshborough Road, Sandwich Kent CT13 0PL UK +44 (0) 1304 814800 http://www.thebunker.net
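
An added example, not part of the post above and not RFIDIOt code: a decoder for the commonly documented 64-bit EM4x02 frame layout (9 header bits, ten 4-bit rows with even parity, 4 column-parity bits, a stop bit). It shows that the frame carries only the static 40-bit ID plus parity, so a reader that authorises on the ID has nothing else to check. The sample frame, the ID 06001259E3 and the function names are constructed for illustration.

```python
"""Decode a 64-bit EM4x02 ('Unique') frame and model an ID-only reader."""

HEADER = "1" * 9  # nine 1-bits mark the start of a frame

# Constructed sample frame for the made-up ID 06001259E3 (not a real badge).
# Layout: header, ten rows of 4 data bits + 1 even-parity bit,
# 4 column-parity bits, 1 stop bit.
SAMPLE_FRAME = (
    "111111111"
    "00000" "01100" "00000" "00000" "00011"
    "00101" "01010" "10010" "11101" "00110"
    "0100" "0"
)


def decode_em4x02(bits: str) -> str:
    """Return the 10-hex-digit ID, or raise ValueError for a malformed frame."""
    if len(bits) != 64 or set(bits) - {"0", "1"}:
        raise ValueError("frame must be exactly 64 bits of 0/1")
    if bits[:9] != HEADER:
        raise ValueError("bad header")
    if bits[63] != "0":
        raise ValueError("bad stop bit")

    rows = [bits[9 + i:9 + i + 5] for i in range(0, 50, 5)]
    for n, row in enumerate(rows):
        if row.count("1") % 2:  # 4 data bits + parity bit must be even
            raise ValueError(f"row {n} parity error")

    col_parity = bits[59:63]
    for c in range(4):
        ones = sum(row[c] == "1" for row in rows) + (col_parity[c] == "1")
        if ones % 2:
            raise ValueError(f"column {c} parity error")

    # 10 rows x 4 data bits = 40 bits = the '10-digit' ID, and nothing else.
    return "".join(f"{int(row[:4], 2):X}" for row in rows)


def id_only_reader_grants(bits: str, enrolled: set) -> bool:
    """Model of an access reader that decides on the decoded ID alone."""
    try:
        return decode_em4x02(bits) in enrolled
    except ValueError:
        return False


def flip_bit(bits: str, pos: int) -> str:
    """Simulate a single-bit read error at position pos."""
    return bits[:pos] + ("1" if bits[pos] == "0" else "0") + bits[pos + 1:]


if __name__ == "__main__":
    enrolled = {"06001259E3"}
    print("decoded ID:", decode_em4x02(SAMPLE_FRAME))
    # Parity catches transmission errors...
    print("noisy read accepted:",
          id_only_reader_grants(flip_bit(SAMPLE_FRAME, 20), enrolled))
    # ...but the frame has no secret, nonce or counter, so any source that
    # presents these same 64 bits is accepted exactly like the original tag.
    print("identical frame accepted:",
          id_only_reader_grants(SAMPLE_FRAME, enrolled))
```

Every one of the 64 bits is header, ID, parity or stop, which is why an audit of such a system has to treat the ID as a public identifier and not as a credential.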
How Pop-Ups Could Brand You a Pervert or Crook http://lauren.vortex.com/archive/000203.html Greetings. An article in *The New York Times* today explores the problem of Web-based "pop-up" ads being used to artificially inflate Web traffic. http://www.nytimes.com/2006/12/11/technology/11push.html I'd like to point out a potentially much more serious problem related to pop-ups that can access arbitrary Web sites — they could be used for purposes that could get innocent Web users into major legal problems. The issue of sites triggering unsolicited access to other sites is not new. In an IP message over a year ago ("Google's new feature creates another user privacy problem" -- http://lists.elistx.com/archives/interesting-people/200506/msg00190.html ), I discussed how Google's triggering of top item "prefetch" in returned search results could result in Firefox browsers visiting the referenced site -- and collecting any associated cookies — without users' knowledge (I also suggested ways to prevent this behavior). The essential problem is that Web logs that record users' access to sites would record such visits as if they had been voluntarily initiated by those users. If those destinations happen to be sites with various forms of "illicit" materials that could be the subject of government or other investigations that would go digging through associated access logs... Well, you can imagine the possible complications. Google's prefetch behavior is an example of a well-intended feature with unfortunate negative side-effects. On the other hand, the sorts of nefarious pop-ups described in the NYT piece have much greater potential for intentionally serious sorts of damage, since they can be far more flexible and directed than simple Web prefetches, and so could put innocent consumers at even greater risk. 
They might not only access pages that could get people arrested (perhaps c-porn?), but also download files that could trigger RIAA and/or MPAA "automatic" lawsuits, or any number of other nightmare scenarios. It's fair to ask why anyone might want to set loose such technical monsters on innocent victims. The simple answer is that there are quite a few people out there who just want to score a point — to prove that they can do it -- plus of course the sick minds who enjoy watching other people suffer. If nothing else, this specter is yet another reason to block all pop-ups routinely and to disable browser prefetch as appropriate. Most of all it is a reminder to authorities that just because particular entries are present in subpoenaed Web logs, does not necessarily mean that they are accurate representations of user intent. In many cases you may actually be looking at victims, not perpetrators. Lauren Weinstein firstname.lastname@example.org or email@example.com +1 (818) 225-2800 http://www.pfir.org/lauren http://lauren.vortex.com http://daythink.vortex.com
The Kim family were not misled by computerized navigation. They fell off their plotted route when they missed an exit on I-5, then tried to reroute using paper maps. The fatal error was that they mistakenly turned onto a road whose gate had been closed and locked for the winter but which had been broken open by vandals. [Perry Clarke had a similar take. PGN]
Time Warner Cable are mailing out Christmas cards to their customers with an offer for a free DVD promoting the Showtime cable channel. The instructions are simple. Customers visit a web page provided with the Christmas card and enter their phone number associated with their account. There's also a privacy notice on the resulting web page that says: "Privacy notice: Time Warner Cable respects the relationship we have with our subscribers. We will never sell or disclose your personal account information or e-mail address." After entering their phone number, customers then receive a confirmation page with their name, address and telephone number printed on it. You guessed it. Anyone who knows the location of the Showtime offer can go fishing for Time Warner Cable customer names, addresses and telephone numbers just by entering random phone numbers.
This is a repost from my blog: http://jc.ngo.org.uk/blog/2006/12/14/identify-theft/

I've just discovered that I've been an unwitting participant in an identify theft. But not, perhaps, in the way that you might imagine.

Some of my writing recently made it into *The Guardian*. As is the way of these things *The Guardian* like to pay their writers, so I sent off my details to their billing department and waited for the money to come rolling in (as you do).

It turns out that, by an odd coincidence, I'm not the only Nik Clayton to write for *The Guardian*. I'm not even the first. This other Nick Clayton (note the extra c) has written a number of columns for them, and they're also about technology matters.

This much became apparent when I received an e-mail from *The Guardian*'s billing department today confirming that they had dispatched payment for two articles that Nick had written to me. This e-mail contained Nick's name and address details, and the payment details (amounts) for the articles he's written. But it also contains my bank details (account number and sort code). The money hasn't been deposited in to my account yet, but I imagine it soon will be.

A bit of Googling turned up Nick's site, and a bit more Googling turned up a phone number, so I've called him, and had the slightly surreal experience of:

NC: Good evening. Could I speak to Nick Clayton?
TG: Speaking
NC: Hi. It's Nik Clayton here!

Now I know how Dave Gorman must feel.

I've tried calling The Guardian's billing department but the number given in the e-mail redirects to voice mail at the moment, so I'll be in touch with them again tomorrow morning.

There are at least four risks here.

First, The Guardian's billing department will apparently change the sort code, bank account, and e-mail address details that they hold for writers on the basis of a single unauthenticated e-mail.
My message to them was: Charles Arthur asked me to send my payment details for http://technology.guardian.co.uk/online/insideit/story/0,,1954392,00.html to you. Sort code is ZZ ZZ ZZ, the account number is ZZZZZZZZ. Please let me know if there are any problems. Second, when they pay their writers they send out an e-mail that contains, in clear, the writer's name, reference number, full address, sort code, bank account number, and the values of the payments. This may well be enough to carry out a social engineering attack. Third, this could easily have gone the other way, and my bank account details could have been forwarded to Nick Clayton. Had he been nefarious I imagine that (given that we share the same name) these could have been used to carry out a very effective identity theft. Fourth, had I not been quite so honest I could probably have got away with this for some time --- at the very least, continuing to earn interest on the money that The Guardian have paid. Hmm. I wonder if The Guardian would like to use this as the basis for an article.
BKUMCBCR.RVW 20061105

"Understanding and Managing Cybercrime", Samuel C. McQuade, 2006, 0-205-43973-X
%A Samuel C. McQuade firstname.lastname@example.org
%C 75 Arlington Street, Boston, MA 02116
%D 2006
%G 0-205-43973-X
%I Allyn and Bacon (Pearson)
%O U$60.80/C$77.200 www.ablongman.com
%O http://www.amazon.com/exec/obidos/ASIN/020543973X/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/020543973X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/020543973X/robsladesin03-20
%O Audience i+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P 500 p.
%T "Understanding and Managing Cybercrime"

The preface states that this book should be considered an introductory text to the field of cybercrime (although it does not define what that topic is until chapter one of the book). The guide is addressed to two audiences of students, those in the field of information technology administration and management, and those in the field of criminology. McQuade suggests that the work can be used as a primer in basic courses expounding on information systems security, and may also be used as a supporting volume for curricula in sociology, law, public administration, public policy, or ethics courses that deal with information system crime and abuse.

In the Foreword, Charles Wellford notes the increase in significance of crimes related to, or perpetrated via the use of, computers. Whereas crime statistics of traditional types have been falling in recent years, cybercrime has exploded in an environment where traditional law enforcement has been largely unprepared.

Part one introduces the field, and outlines the growth, of cybercrime. Chapter one starts out with a valuable addition to the discussion of the sociology of cybercrime: the concept of "relative" normality and deviance of behaviour in a new and rapidly changing field.
The author then moves on to note the range of terms and activities covered under the cybercrime reference, and to note the importance of defining those terms not only in regard to research, but particularly in relation to law and prosecution. (Sam, since I have attacked the whole *concept* of salami scams for years, and have received only a single [and minimal: the "drive-through" incident noted in the RISKS-FORUM Digest] instance of one occurring, you can*not* expect me to let footnote 11 pass unchallenged: it should be a documented citation, not a mere explanation.) The questions provided at the end of the chapter are not simply reading checks, but thoughtful items to prompt discussion of critical concepts. The protection of information and other assets is covered in chapter two, starting with the nature of information itself, moving through the standard concepts of information security, and ending up with critical infrastructure protection (which may be a bit of overkill). Chapter three reviews the various types of cyber attacks and crimes. I was intrigued to note the inclusion of a section on academic computer abuses (generally a neglected topic), and pleased with the realistic assessment of cyberterrorism, but the structure and taxonomy of attacks could use some work. In addition, the material on malware is quite weak: the definitions for differing types are better than many in general security works, but many of the surrounding explanations are false or misleading. For example, McQuade partially uses the Cohenesque definition that viruses must infect existing programs (which is no longer true of recent versions), and implies that a user is required for viral reproduction and spread (viruses generally require some user action for invocation, but spread is usually automated). Additionally, he makes the rather questionable assertion that the skills necessary for creating malware are the same as those required to defend national security. 
The psychology of cybercriminals and abusers is reviewed in chapter four, which also provides a very detailed classification for social engineering, and Donn Parker's SKRAM (skill, knowledge, resources, access, motivation) model for assessing attackers. McQuade notes the difficulty in getting agreement on a profile for computer abusers, but does not address the changing style of attacks and attackers over time. It is interesting that chapter four is not contained within part two, which addresses social thought on cybercrime. Chapter five, in a sense, extends chapter four's discussion of categories of criminals by providing an overview of major criminologic theories: it would have been interesting to see the classification schema analyzed in light of the hypotheses, but simply having the philosophies outlined here is a major contribution to the information security literature. In assessing the impact of cybercrime, in chapter six, McQuade notes that there is both economic and social damage to be determined. However, this merely exacerbates an existing problem: the author also points out the lack of reliable information, even in regard to economic losses alone. It is difficult to know what to make of chapter seven. Titularly it promises emerging and controversial topics in cybercrime. However, the discussion of the necessity for attack skills in regard to defence (promised in chapter three) never appears. The topics that are presented would seem to extend either the first section of chapter one (noting that computers are changing various activities in society), or chapter three (listing different types of attacks). Part three moves to the management of cybercrime: prevention and protection. Although chapter eight deals with legal philosophies and types of laws, most of the material is only relevant to the United States. The limitations on investigators, which is the primary content of chapter nine, is again mostly restricted to the United States. 
There is material on investigation and computer forensics (although network and software forensics do not appear to be covered), but it is fairly brief. Chapter ten's review of information security is oddly disjointed: parts are academic in tone, parts read like a "secure your home computer" pamphlet, and parts promote risk assessment models best suited to major corporations. Future activities (mostly at the federal government level) that might help reduce cybercrime is one part of chapter eleven, the other is a discussion of computer ethics. The book is readable, and entertaining in sections. Most of the information is reasonable. However, suggesting this as a sole text for an information security course would be unwise: it is weak in a number of technical areas. As an adjunct text it would be excellent: the law enforcement perspective is all too often neglected in security literature. copyright Robert M. Slade, 2006 BKUMCBCR.RVW 20061105 email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev/rms.htm