A visitor to the site with an unpatched Windows machine will connect to a remote server registered to a nameserver in China and download a Trojan keylogger/backdoor that gives the attacker full access to the compromised computer." http://blogs.zdnet.com/security/?p=15
AACS Decryption Code Released Monday January 8, 2007 by Ed Felten Decryption software for AACS, the scheme used to encrypt content on both next-gen DVD systems (HD-DVD and Blu-ray), was released recently by an anonymous programmer called Muslix. His software, called BackupHDDVD, is now available online. As shipped, it can decrypt HD-DVDs (according to its author), but it could easily be adapted to decrypt Blu-ray discs. Commentary has been all over the map, with some calling this a non-event and others seeing the death of AACS. Alex Halderman and I have been thinking about this question, and we believe the right view is that the software isn't a big deal by itself, but it is the first step in the meltdown of AACS. We'll explain why in a series of blog posts over the next several days. Today I'll explain how the existing technology works: how AACS encrypts the content on a disc, and what the BackupHDDVD software does. ... http://www.freedom-to-tinker.com/?p=1104 [See Ed's blog for many other RISKS-relevant items on AACS and more. PGN]
I leave it to aviation experts RISKS readers to elaborate on the following: A French Boeing 747-400 fully packed with passengers bound to the Caribbean suffered a "tail strike" incident in December 2006. The "Bureau d'Enquêtes et d'Analyses" issued a report (http://www.bea-fr.org/docspa/2006/f-ov061210/pdf/f-ov061210.pdf, available in French only) that explains how a misused "Boeing Laptop Tool" (laptop PC) was involved in this incident: 2 BLTs are available in the aircraft. They are used to compute important take-off parameters including Vr (rotation speed) and EPR (engine thrust). One of them had an empty battery. The other one was switched off mistakenly during the flight preparation procedure. After restart, wrong parameters were entered by the crew member and a mix-up between ZFW (Zero Fuel Weight) and TOW (Take-Off Weight) occurred, resulting in incorrect flight parameters displayed on the BLT and entered in the Flight Management System. Fortunately, the crew noticed that parameters were wrong while attempting take-off and took appropriate action, resulting however in this "tail strike". As a consequence, the aircraft was visually inspected by a fighter for damages and landed safely at the departure airport after dumping fuel. The airline issued recommendations to the crews so that they make sure that BLTs are properly plugged into AC power while the aircraft is on the ground (flat battery, hibernation risk) and described cross-check procedures avoiding over-reliance in BLT output.
http://news.bbc.co.uk/1/hi/scotland/north_east/6310633.stm An Aberdeen woman who asked for her bank statement was sent those of 75,000 other customers. Stephanie McLaughlan, 22, was shocked when Halifax Bank of Scotland (HBOS) sent her the unexpected financial details by mistake. Ms McLaughlan received several large packages in the post and said she was concerned it could happen. HBOS apologised and said it was carrying out an investigation into the "serious" but "isolated" incident. HBOS said in a statement: "We are treating this matter very seriously and are investigating in full. "This is a very specific, isolated incident and we will take steps to ensure there is no security issue for customers as a result of this matter. "We apologise for any concern this has caused customers." [Also noted by Bernhard Riedel: ``I have real trouble trying to imagine how many 'pilot errors' it requires for such a report to be mailed to an ordinary customer. Banks should be more accountable than that.'' PGN]
Bad Software All Around http://avi-rubin.blogspot.com/ Earlier this week, I took a train up to NYC to give a talk to some potential <a href="http://securityevaluators.com">ISE</a> customers on Wall St. A collection of Chief Information Security Officers and other executives from financial firms. I was asked to speak about software security, and two things happened on this trip that put to rest any doubt that the current state of software security and network security is dismal. I didn't doubt it, but I thought it was particularly humorous that these happened on a trip whose purpose was to give this particular talk. I arrived at my hotel about an hour before I was scheduled to speak. Since the hotel was only a couple of blocks from Wall St., I figured that I had time to go online and read my email. I opened up my laptop in my room and saw that there was a WiFi base station whose SSID was "Exchange" (which was the name of my hotel) along with several other available base stations. So, I connected to my hotel's access point. I had full bars, so the connection was strong, but I was unable to reach my email server. I had a look at the IP address assigned to me by the network and noticed that it was a factory default address that was probably not what the hotel was using. So, I called the front desk, and I told the woman who had just checked me in that I was having a problem with the wireless network. It seemed that I was not getting a valid IP address. She said something about their street address, and I realized that while this nice lady was very good at checking me into my room, she was not going to be the best tech support person I had ever had. I explained to the woman that I was able to connect to the wireless network, but that I was unable to read my email because the network was not working. She understood that and said, "Yes, this happens all the time. I will just reboot the thingy. Give it a few minutes and try again." That sounded like a reasonable solution. Meanwhile, I tried the other wireless networks, and none of them would allow a connection without a password. I chalked this up to progress. Several minutes later, I reconnected to the Exchange network, and I was assigned what looked like a normal NATed IP address. But, I was still unable to connect anywhere. So, I opened up a browser window to see if I needed to log in. What I saw surprised me at first. It looked like some kind of menu console for managing an appliance. I clicked around and realized that I had the ability to configure routing and firewall rules. In fact, I was logged into the hotel's router - the "thingy" if you will. I smiled to myself at the thought of what I could do if I wanted to, but I quit out of that and was able to access the Internet. The connection was pretty slow, and I chuckled at the thought of getting back into the administration console to filter out the other users in the hotel. Of course, I decided against that. Unbelievable! But, it gets better. When I arrived back at Baltimore Penn Station, I left the train and walked to my car. I drove up 2 levels in the parking garage, and I arrived at the exit gate. This parking garage installed an automated system where you use a credit card to get in when you arrive, and if you use the same credit card when you leave, you don't need to take a ticket, and it charges that card and lets you out. At least that's the theory. It didn't work that way on this trip. As I approached the exit, I saw that there were two lanes open for exiting, and that the car in front of me had pulled into one of them. So, went to the other one and inserted my credit card. On my mind was my daughter's school play, which started in about an hour. I had time to grab a quick sandwich and then head to her school. I had planned my trip so that I could be back in time to see her perform. After about a minute, it seemed odd to me that my credit card had not come out yet. The machine said that it was validating ticket data. But, I had not inserted a ticket. So, I pressed the intercom button, and an attendant asked if she could help me. I told her that I put my credit card in a while ago, and that I wanted to pay and leave. The gentleman in the truck in the other lane yelled to me that he was in the same boat, so I told the woman that neither one of us could leave. She asked us to hold on a second, and in about another minute a woman in a parking attendant uniform appeared. She told me that it might be that the other gentleman and myself inserted our credit cards at the exact same time in the two different machines. I agreed that this was indeed possible. In the meantime, I rather long line of cars had formed behind us. The parking attendant backed up all of the cars and suggested that I back up about one car length, and that the other gentleman do the same. Then, she suggested that I drive back up to the machine, which I did. My credit card came out, but she said I had to reinsert it. I did, and it said that it was validating ticket data. The attendant said, "oh no." That didn't sound good. I asked what the problem was. She said that every once in a while, when two people insert their credit cards at the exact same time, it crashes their whole system. We did the back up thing again to retrieve our cards. Since the other guy was first, she went and processed his payment manually. That took about 3 minutes. Then, she took my credit card and went to do mine. In the meantime, another car behind me drove into the other lane, which was now available and inserted his card. The system did not respond. It was hosed. A few minutes later, she came back and gave me my credit card and receipt and opened the gate so that I could exit. The line of cars was now very long, and she said she would have to do them all by hand until a technician could come. I have no idea where this technician was coming from, but I was glad to be on my way. I got that sandwich, but because of my delay, I had to eat it in the car on the way to my daughter's play. What kind of software design results in this kind of crash? The answer is pretty clear to anyone who has worked with software. While they may have tested the system exhaustively, they probably did not test the possibility of putting credit cards in two different machines at the exact same time. Which brings me back (as usual on this blog) to voting machines. They may be tested and tested and certified and verified and validated. But, if on Election Day something unusual happens, a scenario that was not anticipated, something might go very wrong. And, if there is no tangible, physical record of the votes that were cast on the machine, then votes might be lost in an unrecoverable way. Given what I've seen about voting system standards and voting system testing labs, I would bet money that the parking garage system at Baltimore Penn Station was tested more extensively before it was deployed than the Diebold voting machines that we use in Maryland. Avi Rubin, Johns Hopkins University, Computer Science, Tech.Dir. Information Security Institute 1-410-516-8177 http://www.cs.jhu.edu/~rubin/ firstname.lastname@example.org
Here's a good one: 1. Microsoft Windows Vista comes with voice recognition installed and active by default. 2. Voice services has tons of security privileges, since it is a "local" service and therefore safe, right? 3. Playing a sound through the speakers on Vista requires almost no security privileges, since that's a harmless operation, right? 4. By playing a prerecorded file of spoken commands, an unprivileged process can execute arbitrary processes that get executed with elevated security privileges. http://isc.sans.org/diary.html?storyid=2148 Microsoft promises to have a patch for this "real soon now."
When few people were paying attention in August 2005, Congress lengthened daylight saving time by four weeks in the name of energy efficiency. The change takes effect on 11 Mar 2007. It has angered airlines and creates many problems for automated systems that are preprogrammed to switch by the old schedule. [Source: Charles Babington, Clocks' Early Spring Forward May Bring About a Few Falls *The Washington Post*, 1 Feb 2007; PGN-ed] [This is another iteration on an old RISKS topic. Each year brings more new items. Stay tuned for this one in five more weeks! PGN]
*The Boston Globe* story looks like the best coverage. http://www.boston.com/news/local/massachusetts/articles/2007/01/19/just_seated_ag_nearly_gets_burned_by_fraud/ *Boston Herald* http://news.bostonherald.com/localRegional/view.bg?articleid=177931 This story is not being reported outside of Boston. It has appeared only in the Boston newspapers and television stations. The new Massachusetts Attorney General, Martha Coakley, was the target of attempted credit card fraud a week before she was sworn into office. Coakley received a telephone message from Dell Computer asking to confirm whether she had ordered a $1,200 computer to be shipped to an address in Texas. She had not. She quickly canceled the transaction and also closed her credit card account. *The Boston Globe*: "As a prosecutor, however, Coakley said she couldn't help being frustrated that no one was going after the perpetrator. She doesn't know how someone obtained her credit cards number — or how Dell found her phone number." Or whether the call was really from Dell, I think. That must be one of those "unknowns we don't know we don't know." If a state Attorney General is helpless against card fraud, what chance do the rest of us have? Mark Lutton, Business Intelligence Services, a Thomson Business
Canadian coins containing tiny transmitters have turned up in the pockets of at least three American defence contractors... http://www.cbc.ca/technology/story/2007/01/10/rfid-defence.html
The (possible) risks of well-intentioned but (apparently) uncoordinated censorship Who's watching the watchers? (StopBadware blacklists a cartoon book site) Capefeare.com, described as "The Ultimate Life in Hell Website", is blacklisted in Google, which cites StopBadware.org as the source. However, StopBadware.org doesn't list the site in its database. I can't find anything wrong at the site and it seems to be legit (and popular). What's going on here, and who's watching the watchers? 11 Jan 2007 http://bbaadd.com/blog/2007/01/whos-watching-watchers-stopbadware_11.html
[perhaps it was a dermatology tool?] Laser pointer causes Miracle Mile office fire [Associated Press, 21 Jan 2007] A hand-held laser pointer caused a fire at a Miracle Mile high rise that caused $200,000 in damage, a fire official said. The blaze at the 17-story office building at 6200 Wilshire Blvd. began just after 10 a.m. Saturday, said Los Angeles city fire spokesperson Brian Humphrey. The laser device had been laid on an examination table in a 12th floor dermatologist's office, Humphrey said. The device ignited surrounding furnishings, sparking the fire. The fire was extinguished by the building's sprinkler system, Humphrey said. Firefighters mopped up about 3 inches of water. There were no reports of injuries. http://www.mercurynews.com/mld/mercurynews/16513705.htm
Paul Robinson complains about compilers that use hardware square-root instructions instead of software-based math libraries. I believe that in the specific case of square root, this complaint is misplaced on IEEE-754 compliant processors, because the IEEE 754 standard requires compliant processors to compute square roots accurately. It is true that a processor whose manufacturer claims that it complies with the standard might not actually comply, either because of defects or design errors. However, that problem exists for more primitive instructions as well, as we saw with the Intel floating-point division bug. In such cases, the solution lies in testing the hardware, not in refusing to use it. [Something like trying to fit square roots in a round-off? PGN]
> the sudden energy of all the bits turning from 1 to 0 got coupled into > that wire and caused the fault. Well, maybe, but I have to wonder. The PDP-1 was a one's complement machine with two arithmetically equivalent representations of zero. Most current machines are two's complement; the word with all bits set represents the arithmetical value -1. On the PDP-1, all bits set was "minus zero" and all bits clear was "plus zero." The two values were equivalent when functioning as operands in arithmetic operations. But there was also a special, designed-in feature, colloquially referred to as "minus-zero gronking." On arithmetic operations (and only on arithmetic operations) if the result of an operation was minus zero, it was automatically changed to plus zero. I forget what the rationale for this was; presumably it was for convenience in testing whether results equaled zero. But the two values ought to have displayed identically on the screen, too. Was this really an electronic error or was it an unexpected (and poorly understood) consequence of the PDP-1's intended functioning?
It's hard for me to believe that any developer doesn't know about the Excel date problem, which has actually been around since Lotus 1-2-3. The history of the bug, as well as Microsoft's explanation for why fixing it would cause more problems that it would solve, is at http://support.microsoft.com/kb/214326/en-us. Steve Wildstrom, Technology & You Columnist, BusinessWeek 1200 G St. NW Suite 1100, Washington, DC 20005
This story has already been debunked. Not true. [I suppose the man de-bunked himself fairly quickly as well. PGN]
BKSECGOV.RVW 20061110 "Security Governance", Fred Cohen, 2005, 1-878109-37-5 %A Fred Cohen http://all.net %C 572 Leona Dr, Livermore, CA 94550 %D 2005 %G 1-878109-37-5 %I Fred Cohen and Associates %O 925-454-0171 all.net %O http://www.amazon.com/exec/obidos/ASIN/1878109375/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1878109375/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1878109375/robsladesin03-20 %O Audience a Tech 1 Writing 2 (see revfaq.htm for explanation) %P 96 p. %T "Security Governance: Business Operations, Risk Management, and Enterprise Security Architecture" Most of the security frameworks available are in the form of a checklist, so why shouldn't Cohen's CISO Toolkit (see also BKCISOGG.RVW for the "Governance Guidebook" and BKCISOHB.RVW for "The CISO Handbook") have one? In fact, Cohen's version may be considerably easier to understand and use, particularly for those with a business, rather than a security, background. While most security frameworks are structured according to a taxonomy of security concepts, the checklist in "Security Governance" is based on business models and concepts. For example, the four major divisions are made on the basis of business functions and modelling, oversight, business risk management, and enterprise security management. Therefore, the businessperson working through the points will start with the familiar, and only later have to face items directly discussing security. (Even then, the security issues are those regarding the position and management of security within the organization.) Regardless of other security frameworks that you may use, Cohen's checklist will be of value. While many items will have relations to details in other indices, the articles and entities in "Security Governance" address a number of issues that are not found in most security frameworks. Let's face it: regardless of the emphasis or perspective, security frameworks tend to follow the same general outline. Cohen's work is idiosyncratic--and, in this case, that's a useful characteristic. Also, most security frameworks give you a checklist of about 135 items for roughly U$150: Cohen gives you over 900 points for U$49.00. copyright Robert M. Slade, 2006 BKSECGOV.RVW 20061110 email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev/rms.htm
BKKPIPIP.RVW 20061119 "Knowledge Power: Intellectual Property, Information and Privacy", Renee Marlin-Bennett, 2004, 1-58826-281-2, U$23.50 %A Renee Marlin-Bennett %C 1800 30th St., Boulder, CO 80301 %D 2004 %G 1-58826-281-2 %I Lynne Rienner Publishers %O U$23.50 www.rienner.com %O http://www.amazon.com/exec/obidos/ASIN/1588262812/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1588262812/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1588262812/robsladesin03-20 %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation) %P 273 p. %T "Knowledge Power: Intellectual Property, Information and Privacy" Chapter one examines the idea of intellectual property (IP). This analysis could have been either prescriptive (what IP should be) or descriptive (what IP is, usually in terms of law), but instead it mostly opines prescriptively, and, when there is a need to take a stand, cravenly goes to what the legislation (generally from the United States) says. (There is some mention of international differences.) A link between privacy and IP is promised in one section, but not delivered. A historical overview of the development of IP is given in chapter two: when it gets to current definitions we are again presented with US law. Treaties and organizations attempting to bridge national differences in IP are listed in chapter three. Chapter four presents some examples of problem areas in IP, such as pharmaceutical patents and those on sections of the human genome. A few philosophical views and theories of information are outlined in chapter five, followed by a discussion of information of various types and values. (The deliberation would have been more interesting if the types had been analyzed in light of the different theories.) Chapter six looks into the pros and cons of "ownership" and limitation of public types of data, such as that in regard to weather and geography. Similarly, chapter seven has the same type of discussion regarding information about people (much of it in relation to issues of surveillance.) Chapter eight has the same problems with the definition of the topic that most other works have had, which is possibly why the remaining examination seems unhelpful. There are numerous technical errors ("Magic Lantern" is *not* a virus) in chapter nine's discussion of privacy breaches. Similarly, the deliberation on privacy protection technology, in chapter ten, is flawed. Chapter eleven finishes off with vague opining. There are a number of other books that address the topic of privacy at the same superficial level, such as "Benjamin Franklin's Website" by Robert Ellis Smith (cf. BKBNFRWS.RVW), Simson Garfinkel's "Database Nation" (cf. BKDBSNTN.RVW), Peterson's "I Love the Internet But I want My Privacy Too" (cf. BKILIWMP.RVW), Cannon's "Privacy" (cf. BKPRVACY.RVW), and "The Privacy Papers" by Rebecca Herold (cf. BKPRVPAP.RVW). Then there are the superior works that define the field, like "Technology and Privacy: The New Landscape" by Agre and Rotenberg (cf. BKTCHPRV.RVW), 1997, Cady and McGregor's surprisingly good "Protect Your Digital Privacy" (cf. BKPYDPRV.RVW), "Internet and Online Privacy" by Frackman, Martin and Ray (cf. BKINONPR.RVW), Schneier and Banisar's entertaining and informative "Electronic Privacy Papers" (cf. BKELPRPA.RVW), and "Privacy on the Line"by Whitfield Diffie and Susan Landau (cf. BKPRIVLN.RVW). True, as with David Brin's "The Transparent Society" (cf. BKTRASOC.RVW), Marlin-Bennett promises a unique premise, in this case a tie between privacy and intellectual property. Unlike Brin, in this book the link is not strongly demonstrated. We are, therefore, left with a somewhat simplistic review of the topics listed in the title. copyright Robert M. Slade, 2006 BKKPIPIP.RVW 20061119 firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev/rms.htm
Please report problems with the web pages to the maintainer