At least 45.7 million credit and debit card numbers from customers in the United States, Britain and Canada were stolen over a period of several years from the computers of TJX. ... The computer breach is significant not only because of its scope but also because the hacker or hackers had access to the decryption tool used to decipher sensitive encrypted information and an ability to intercept data as shoppers' credit transactions were being approved.  Encryption alone is no panacea for threats to consumer data. ... recent details ... show how encryption can be defeated by clever thieves — and suggest the breach may have been an inside job.  [Sources (PGN-ed): 1. Ellen Nakashima and Ylan Q. Mui, Data Theft Grows To Biggest Ever; Fraudulent Purchases Pop Up in Breach Of 45.7 Million Shoppers' Records *The Washington Post*, 30 Mar 2007 2. TJX breach shows that encryption can be foiled Ross Kerber, *The Boston Globe*, 31 Mar 2007] http://www.boston.com/business/globe/articles/2007/03/31/tjx_breach_shows_that_encryption_can_be_foiled/
RISKS has included items on some of the largest system development failures. An article by Shane Harris documents difficulties uncovered by Siobhan Gorman, going back to the failure of the National Security Agency's $1.2 billion Trailblazer electronic filtering system development, and continuing with Turbulence, a new data-sniffing system development that is costing about half a billion dollars annually and also in trouble. The article also notes previous development failures of the FBI and IRS. A few excerpts: "The reasons for these disasters are well-documented and maddeningly similar: insufficient agency management, contractors that over promised and anemic-to-nonexistent congressional oversight." SAIC, the company NSA hired to fix Trailblazer in 2002, was the lead contractor on the FBI's Virtual Case File [RISKS-23.89 and 24.03]. "And according to its 2006 proxy statement, SAIC is running another NSA program called ExecuteLocus, which it describes as a successor to Trailblazer. Out-of-control projects breed more projects ostensibly to right what went wrong." "Even if they don't know why, there's a reason people keep making the same mistakes: Failure is one of the most successful things going." [Source: Shane Harris <email@example.com>, The Success of Failure, *National Journal*, 4 Apr 2007; PGN-ed] http://www.govexec.com/dailyfed/0407/040407mm.htm
'Electronic Medical Records' are one of the latest "Gee Whiz; we aren't keeping up with the Jones" issue in both private & USG arenas. Aetna is even running TV ads hoping you'll surrender all your private medical records to their database...and whomever gets into it, with or without your permission. But besides the obvious privacy sacrifice, there's another gotcha. If the treating hospitals & MD's assume 'the computer knows all' then when it does not, guess who suffers? This is not the only article on soldiers who have suffered from the DoD's record-keeping. As part of the *WashPost* series on Army Medical problems, both at Walter Reed and elsewhere, they detailed a soldier with after-effects of an explosive concussion. But when they could not come up with his medical history, they ruled that his depression/PTSD were a pre-enlistment condition, and discharged him sans disability rating. The RISK? If you put all your data eggs in one basket; the yolks on you if they drop it... > Disuse of System Is Cited in Gaps in Soldiers Care > Ian Urbina and Ron Nixon, *The New York Times*, 30 Mar 2007 Lapses in using a digital medical record system for tracking wounded soldiers have led to medical mistakes and delays in care, and have kept thousands of injured troops from getting benefits, according to former defense and military medical officials. The Defense Department's inability to get all hospitals to use the system has routinely forced thousands of wounded soldiers to endure long waits for treatment, the officials said, and exposed others to needless testing. Several department officials said the problem may have played a role in the suicide of a soldier last year after he was taken to Fort Lewis in Washington State from Iraq. His intentions to kill himself were clearly documented in his digital medical record from overseas, but doctors at Fort Lewis did not consult the file and released him, according to department records and defense officials. "The D.O.D.'s failure to share data and track patient records is truly a matter of life and death," Senator Patty Murray, Democrat of Washington, said in a statement. "This isn't an isolated case, but a system-wide failure."
http://www.epic.org/alert/EPIC_Alert_14.05.html "...In a July 2006 report, the Department of Homeland Security's Inspector General echoed EPIC's concerns, stating that the US-VISIT border security program fails to protect data collected through the use of RFID tags. The report found "security vulnerabilities that could be exploited to gain unauthorized or undetected access to sensitive data" associated with people who carried the RFID-enabled forms. ..." but this sentence seems more telling: "...Essentially, the I-94 form could not guarantee that the person to whom the form was issued would be the same individual exiting the country with the form. ..." Classic instance of "magic tokens" being mistaken for a tightly bound secure outcome, forgetting that who *holds* the magic token probably matters more than whats *in* the magic token. I'd rather go with tally sticks, or a torn postcard. Actually, if they just tore the I-94 jagged and gave me back half, that would work for me..
In http://news.com.com/2100-1012_3-6168226.html, the writer notes that Microsoft's new business phone system (where are the Ctrl, Alt, and Delete keys?) will Rather than [...] multiple buttons for transferring calls and for checking voice mail, [have] a single button [which] will enable users to speak to identify the function they want. Now, press-to-speak is not quite as bad as "one button for multiple functions" (ask a new BMW owner about iDrive), but "speak the function you want" has — as has been covered in RISKS before — its own set of problems... even if you rule out Spider Robinson's famous 'speech-activated bomb/cub news photog who thinks (aloud) "that'll make a great page-one blow up".' :-) As usual, though, design by people who don't know what to optimize for is usually a bad thing, and optimizing for training over use (which tends to cast your staff turnover rate into question) is always bad — ask Allied Van Lines, whose AMS replacement for CAMIS more than tripled their mainframe's load (a 2-transaction CICS process became a 7-transaction one) as well as the staff time to do the work — or so I was told. On an unrelated topic, one of the choke points in the food distribution business was illustrated this week by the Great Pet Food Scare of 2006; Ontario based Menu Foods apparently manufactures wet petfood for 17 of the 20 brand names in that market (a fact mentioned, but not explored, by one of the wire-service pieces on the story), and some problem with that food has killed roughly a dozen house pets in the last month. The waitress who feeds me lunch most days asked me today if I thought that was a low-grade terrorist attack... a thought which some prompt Googling failed to turn up anyone else considering. Hmmm... Homogeneity, though, is still a bad thing, whether someone's out to get you or not. Concealed original-sourcing can be intrinsically bad too, apparently. Jay R. Ashworth, Ashworth & Associates, St Petersburg FL USA +1 727 647 1274 http://baylink.pitas.com firstname.lastname@example.org
This is apparently the first French election to use paperless electronic voting systems, although only for about 1.5 million of the 44.5 million voters. Three weeks before the election, Elaine Sciolino reports that many doubts are being raised. One candidate's spokesperson said, "I don't want to lecture America. But we don't want France to fall into the same Kafkaesque balloting as happened in the United States." 80% of the machines will be the Dutch NEDAP (which Ireland used in 2004 and 2006, but has now suspended — see RISKS-24.61 and the next item below). 160 additional machines will be ES&S-iVotronic (which is the system used in the still-disputed Sarasota election in November 2006), with others being Spain's Indra. Two vendor spins stand out for RISKS readers to chew on: Matthijs Schippers, director of election systems for NEDAP [see next item]: "The systems we have developed for France comply with all legal standards and regulations that are incorporated in French electoral law. The accusations have no factual basis." Rob Palmer, director of marketing and communications for ES&S-iVotronic "We have an extreme amount of confidence in our machines in France," said Rob Palmer, director of marketing and communications for ES&S-iVotronic. "Our machines have proven themselves in thousands of elections in the United States and elsewhere." [Source: Elaine Sciolino, Opposition to e-voting grows in France, *The New York Times, 4 Apr 2007, A3 in the National Edition; PGN-ed]
Mike Smith writes about what is known in Europe as the "NEDAP hack". I had the privilege of seeing Ron Gonggrijp present this at the CCC conference in Berlin in December 2006. I was shocked at the old, simplistic architecture and the easiness of the "hack". The Dutch group "We don't trust voting computers" reported in February 2007 on a further twist in the story: (English version: http://www.wijvertrouwenstemcomputersniet.nl/English/Groenendaal : Voting systems company threatens Dutch state - "Buy my company now or you won't have provincial elections") It seems that the Dutch government has become entirely dependent on the insecure and rather outdated NEDAP voting machines. Sensing a good opportunity to make a bit of cash instead of investing in an upgrade, Jan Groenendaal, the owner of the company apparently blackmailed the Dutch government. Wijvertrouwenstemcomputersniet obtained documents under the Dutch freedom of information act which include an email (English translation: http://www.wijvertrouwenstemcomputersniet.nl/English/Mail_Groenendaal) from Groenendaal to the ministry threatening to quit all work if the government appoints "Hacker" Rop Gonggrijp (the guy who led the chess-playing implementation on the NEDAP computers) to the independent commission for investigating the future of the electoral process, i.e., which software/hardware the government needs to purchase for the next elections. Groenendaal make an offer the government can't refuse: "The ministry buys the shares of our company at a reasonable price, [...] and we will still cooperate during the next election [the Dutch 2007 provincial elections to be held March 7th]." But the government does not, strangely, snap up the shares offered, so he repeats his "offer", then informs the government that he has told his workers to cease activity "until we have received an answer that is acceptable to us". The elections were held (if, indeed, they actually were elections) and Wijvertrouwenstemcomputersniet has written to the new minister Ter Horst, calling on her to "take the necessary measures needed to restore confidence in the electoral process and in the notion that our government can not be blackmailed." So we have one more risk in the area of eVoting - not some dark, unknown "hacker" throwing the election, but the seller of the hard- or software blackmailing the government because they are helpless to conduct an electronic election without their help. I vote for paper ballots, anyone with me on this one? (Sarcastic side note: The German government seems to be considering purchasing NEDAP computers. They are getting a good deal on some used Dutch ones....) Prof. Dr. Debora Weber-Wulff, FHTW Berlin, Treskowallee 8, 10313 Berlin +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/
This has been brought up before in RISKS-22.01: http://catless.ncl.ac.uk/Risks/22.01.html#subj11 Alistair McDonald, InRevo Ltd :- http://www.inrevo.com/ Author of the SpamAssassin Book (http://spamassassinbook.packtpub.com/) Tel: +44 7017 467 386 (Work) +44 7812 829 020 (Cell)
I'm pretty sure this has come up here before. A quick search of Risks shows some cautionary tales. I like this one best: http://catless.ncl.ac.uk/Risks/24.05.html#subj1.1 A word from a pilot: http://catless.ncl.ac.uk/Risks/24.25.html#subj7.1 Rick Damiani, Applications Engineer, The Paton Group California: (310)429-7095 Hawaii: (808)284-3033
> ... anyone with a computer can knock up a `valid' certificate of insurance > preferring to believe what the database told them. Neither the paper document nor the computer record is proof of insurance. (A relative found this out the hard way with a surveyor's Professional Indemnity insurance.) However, both give a reference that allows you to contact the insurance company and find out whether it is valid. The police could have confirmed by phoning the insurance company help line and giving the car and driver details.
I have been using some prepaid American Express cards that I get through a hotel timeshare program. I just found out something interesting about them. About 3 weeks after using one of the cards at a hotel in San Francisco, I received a letter from AEIS or American Express Incentive Services, explaining that my prepaid card number was in overdraft by a significant amount. I had directed the hotel to deduct the exact value of the card, and then charge the remainder of the bill to another credit card. By checking the hotel billing statement, I quickly figured out that the extra amount was not charged to the different card, but was erroneously charged to the same prepaid card number. I was mystified how this was possible. A complicating factor was that I no longer had the physical card, I unintentionally left it there at the hotel checkout desk instead of bringing it away with me. So, I called the customer service number on the letter, and explained what happened. The rep explained that it is possible for a merchant to overcharge the card if they force the transaction, and do not abide by the rejection of the amount. I did not know this could be done. So, the letter and the representative directed me to mail in a check for the balance, which was no problem since I verified that the amount was valid and did not get charged to the other card. I asked that the card number be canceled, since I no longer had the card in my possession, and the representative explained that that was automatically done when the card went into overdraft. Apparently these cards do not automatically cancel when their value goes to zero. The card number apparently remains valid until the card expires. This is very, very dangerous. Lessons: 1) Make certain that only the correct amount gets charged to one of these prepaid cards. 2) Do NOT throw it away after you have charged the balance. If someone forces another transaction on the card (and this is possible), the bill comes back to you. Destroy the card securely after you have used up the balance.
THE 10TH IEEE HIGH ASSURANCE SYSTEMS ENGINEERING SYMPOSIUM November 14-16, 2007, Dallas, Texas http://hase07.utdallas.edu/ The IEEE International Symposium on High Assurance Systems Engineering is a forum for discussion of systems and software engineering issues to achieve high assurance systems. The focus is on integrated approaches for assuring reliability, availability, integrity, privacy, confidentiality, safety, and real-time of complex systems and the methods for assessing the assurance levels of the systems to a high degree of confidence. Technical and experience papers on algorithms, policies, middleware, tools, and models for high assurance systems development, verification and validation, and assessment are welcome. Papers due by 1 Jun 2007
BKBOTNTS.RVW 20070126 "Botnets: The Killer Web App", Craig A. Schiller et al., 2007, 1-59749-135-7,U$49.95/C$64.95 %A Craig A. Schiller email@example.com %A Jim Binkley %A David Harley firstname.lastname@example.org %A Gadi Evron email@example.com %A Tony Bradley firstname.lastname@example.org %A Carsten Willems %A Michael Cross %C 800 Hingham Street, Rockland, MA 02370 %D 2007 %G 1-59749-135-7 978-1-59749-135-8 %I Syngress Media, Inc. %O U$49.95/C$64.95 781-681-5151 fax: 781-681-3585 www.syngress.com %O http://www.amazon.com/exec/obidos/ASIN/1597491357/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1597491357/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/1597491357/robsladesin03-20 %O Audience i Tech 2 Writing 1 (see revfaq.htm for explanation) %P 464 p. %T "Botnets: The Killer Web App" I'm starting the review of this book sitting in the Baker Room at the Microsoft Conference Center, attending ISOI II (the second set of Internet Security Operations and Intelligence meetings). We have just finished singing along with Gadi Evron (who arranged both the community and the meetings) to an Israeli pop song from a few years back (and from a band with the oddly appropriate name of Mashina). Craig Schiller gave me a copy of the book last night at dinner. (When I asked Jim Binkley to autograph it for me he was jealous because he hasn't yet received his own copy.) Carsten Willems was here yesterday, but I haven't seen him to ask him to sign it this morning. I'll have to ask for David Harley's autograph the next time he visits Vancouver. All of which is by way of saying that it may be difficult to be objective about this book, but ... The subtitle of chapter one, "A Call to Action," is correct. Normally one would expect a definition of the topic or technology of botnets, but the text is more of an exhortation to pay attention to the problem. The history provided is piecemeal: it does not mention the early DDoS (Distributed Denial of Service) systems (which were application-specific botnets) nor the spambotnet wars of 2004. The definition of botnets in chapter two tends to be technical, rather than functional, and the descriptions and categories could be grouped in a more logical and organized manner. A variety of alternative command and control systems are described in chapter three: the material is well written. The one weakness is the lack of detail on the standard IRC (Internet Relay Chat) control system, but this should probably have been covered more fully in the introductory chapters. Chapter four describes some of the major botnet "client" software families. The content is too technical to be of use to the average computer user, but isn't really all that detailed. Technical information about a variety of possible indications of botnet activity is listed in chapter five. The use of the Ourmon tool for detecting botnet traffic is discussed in chapters six and seven. (The structure of the text, and the reason for two chapters, is not completely clear, although six is more on installation and seven is more on use.) Ourmon's examination of IRC traffic is covered in chapter eight. Chapter nine deals with more advanced techniques. Using the CWSandbox program for malware analysis is examined in chapter ten. Software tools, research communities, and other sources of information are listed in chapter eleven. Chapter twelve is a (mostly) philosophical look at how we, as a society, should respond to botnets. There is also a brief section on protecting your own computer so as not to become part of the problem, although assessment and use of a number of the recommendations would be beyond the capabilities of the average user. Botnets are a significant problem, and one which has not been adequately addressed in the current security literature. Therefore, this work is of major importance. The book does provide a good deal of useful information for network administrators and security professionals, although better arrangement of the data and more technical detail would have been even more helpful. (The brief attempts to address individual users are not successful.) The text is a decent professional reference, and hopefully it will promote further attention and activity in this area. (Security activity. We don't need any more botnet activity.) copyright Robert M. Slade, 2007 BKBOTNTS.RVW 20070126 email@example.com firstname.lastname@example.org email@example.com http://victoria.tc.ca/techrev/rms.htm
BKBECOSO.RVW 20070218 "Beyond COSO", Steven J. Root, 1998, 0-471-39112-3, U$65.00/C$84.99 %A Steven J. Root %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 1998 %G 0-471-39112-3 %I John Wiley & Sons, Inc. %O U$65.00/C$84.99 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0471391123/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0471391123/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0471391123/robsladesin03-20 %O Audience i Tech 1 Writing 2 (see revfaq.htm for explanation) %P 340 p. %T "Beyond COSO: Internal Control to Enhance Corporate Governance" In the preface, the author notes that it is impossible to have complete control of any situation: problems and fraud will happen despite all of our efforts. Root recommends that companies should implement internal controls as suggested by COSO (the Committee of Sponsoring Organizations of the Treadway Commission), but must also go beyond them, in a manner similar to the layered defence or defence in depth models. Chapter one contains an analysis of the limitations of the COSO directives (and ends with a rather odd overview of the book itself). The concepts of, and problems with, internal control is covered in chapter two. Chapter three presents a history of twentieth century corporate frauds and the attempts to restrict them. Business ethics and values are discussed in chapter four. Chapter five outlines the COSO framework, noting that internal controls provide assurance of the efficiency of operations and reliability of financial reporting--as long as there is compliance with the laws and regulations. (As this material is based on the 1992 version of COSO, it is interesting to note that the components of risk management are pretty much the same, but that the dimensions of objectives categories and unit-levels had not yet been added to the model.) Further concerns and limitations of COSO are expressed and analyzed. Additional frameworks are reviewed in chapter six. Using a hybrid of devices from these other frameworks, chapter seven suggests the extension of internal controls with additional management aspects. Chapter eight recommends that an oversight process be established for internal controls, noting particularly legal obligations and related factors such as standards of care, generic corporate organization and business roles and tasks. The oversight issues are extended in chapter nine, looking in more detail at job roles, and also insights that arise from chaos theory. Chapter ten finishes off the book with a review of the reporting of internal controls: much of this is concerned with the wording used in such statements, and the ineffectiveness of such reports to control incidents and fraud. Despite its age, this book is one of the more useful guides in the area of governance and controls in corporations. Root was willing to go beyond the usual promotional jobs that masquerade as management advice. While he does not solve the problem, he at least makes the issues clearer, and raises interesting points in regard to solutions. copyright Robert M. Slade, 2007 BKBECOSO.RVW 20070218 firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev/rms.htm
Please report problems with the web pages to the maintainer