After last Monday's (22 Oct 2007) presumed denial-of-service attack that hindered Denver's World Series ticket sales, reportedly with over 8 million bogus hits on the website, Tuesday's efforts were much more successful. The Rockies sold out every ticket for games 3, 4, and 5 [which, as it turns out, was not needed] in about 2.5 hours. That's a total number of tickets three times the seating capacity of 50,445, which works out to an average of just about 1000 tickets per minute. It would take a large cadre of human ticket sellers to keep up that rate. Thus, automation of this kind clearly has its merits — when it works securely and reliably (modulo some presumed amount of credit-card fraud). However, blocking multiple requests from the same IP address seems to be overly aggressive — for example, for groups of would-be buyers behind firewalls, although it might have slowed down the scalpers. [Actually, the Rockies suffered a much more costly denial-of-service attack at the hands (and feet) of the Red Sox.]
Microsoft attempts to determine when your *registered* copy of their Operating System has been moved to another computer. The concept is simple: different hardware components are identified during the registration process and a *weighted* hash is computed from model numbers, MAC addresses, etc. This can — supposedly — differentiate innocent user-upgrades from proscribed outright copying. At least, that is their claim and the heuristic's intent. When it comes to monitoring Microsoft Vista(tm), this process may not be perfect. Perhaps it is a bit too touchy in the ''False Positive'' department. At least this is what Slashdot reports, at http://slashdot.org/article.pl?sid=07/10/23/1255235 . As reported in the 23.X.2007 issue of the Australian Consolidated Press (ACP) magazine, ''... something as small as swapping the video card or updating a device driver can trigger a total Vista deactivation.'' The full ACP story is at http://apcmag.com/vista_activation . This article seems to identify a major hazard (read ''show-stopper'') to everyday regular maintenance!
On 29 Oct 2007 a software update to a billing server in the network of the former Deutsche Telekom (German Telecom) in Düsseldorf resulted in many telephone numbers nationwide becoming unreachable. The outage lasted between about 4pm and 9pm. Apparently it also affected some portions of the mobile telephone network. (It affected me also, but one of my numbers carried on working. I contract with another service provider.) Deutsche Telekom is the privatised former state telephone network and still the majority infrastructure owner in Germany, which is why the outage affected those such as myself who do not contract for service with DT. It affected people all over Germany, but DT doesn't say how many. SW updates are a "daily occurrence" according to a spokesman. They went back to a previous version and they are inspecting the problem SW now to see what caused the outage. (Personal experience, aided by reports in the Neue Westfalische Zeitung, 30 and 31 Oct 2007) Peter B. Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de
A Texas judge, Sharon Keller, refused to keep her court open for 20 minutes to receive an appeal from the lawyers representing Michael Richard. He was executed later the same night. His lawyers had suffered a computer breakdown and said they were unable to file the appeal within regular working hours. They had begged Judge Keller for more time and she refused. Her decision might have gone unnoticed had the supreme court not announced, on September 25, that it was reviewing a challenge to the legality of lethal injection. The announcement set off a flurry of appeals from death-row inmates and it is believed Richard's execution most likely would have been halted, to await the supreme court decision, had he been granted a hearing. Two days after Richard was executed, the supreme court blocked a lethal injection in Texas. Judges in Alabama and Kentucky have also stayed executions, bringing in an unofficial moratorium on the death penalty. http://www.guardian.co.uk/usa/story/0,,2199596,00.html
*The New York Times* (21 Oct 2007), in an article that may not have been widely noticed because it was buried in the Automotive section, reports that automakers and researchers, with U.S. government funding, are working on anti-drunk-driving interlocks that ALL drivers will have to pass in order to drive their cars, whether or not they have a record for DWI. <http://www.nytimes.com/2007/10/21/automobiles/21ALKY.html> Among other things, the article notes that to start a car with the interlocks currently used, ``the driver must puff a breath into the unit. To avoid cheating, the breath puff is measured and must be given in a uniquely identifiable way that would be hard for a person who is not the driver to duplicate.'' The breath puff isn't just for starting cars: ``While driving, the driver must periodically blow into the system to keep the car running.'' The researchers acknowledge that the current technology is not reliable or durable enough to install in all cars. But the capabilities to determine who is taking the test and to require periodic retesting while driving would presumably be carried over into the newer systems. Aside from the Big Brother and Prohibition aspects, to me the RISK with both current and future systems seems to be that your car can automatically stop -- regardless of road, weather or traffic conditions — if you don't have time or can't split your attention to take the test (while doing 65 mph on the freeway, or while you're dealing with your children in the back seat), or if there's a false positive, or if the equipment is faulty.
"Jet forced to land by a runaway laptop" is a headline in the 26 Oct 2007 Jewish Chronicle (www.thejc.com). In summary, a London-Tel Aviv flight made an unscheduled stop at Athens. A laptop was found on board that no one nearby claimed. Per security procedures, the plane made an impromptu landing. At which point the computer's owner, having woken up, asked if anyone had seen a missing laptop.
Talk about dumb and dumber... [Source: San Diego *Union-Tribune*, 31 Oct 2007; PGN-ed] http://www.signonsandiego.com/news/northcounty/20071031-0755-bn31car.html Sheriff's officials say an Oceanside [CA] woman who was behind on car payments faked that her 1999 GMC Yukon was stolen and hid it in a friend's backyard in Escondido, not realizing it was equipped with a LoJack system. After she filed a stolen vehicle report and an insurance claim, police activated LoJack and found the SUV in a friend's yard with the woman's boyfriend's old plates. ["'Lo, Jack? How's Jill?" "She's 'Jilling." PGN]
INTEGO SECURITY ALERT - October 31, 2007
OSX.RSPlug.A Trojan Horse Changes Local DNS Settings to Redirect to Malicious DNS Servers
Exploit: OSX.RSPlug.A Trojan Horse
Discovered: October 30, 2007
Risk: Critical
Description: A malicious Trojan Horse has been found on several pornography web sites, claiming to install a video codec necessary to view free pornographic videos on Macs. A great deal of spam has been posted to many Mac forums, in an attempt to lead users to these sites. When the users arrive on one of the web sites, they see still photos from reputed porn videos, and if they click on the stills, thinking they can view the videos, they arrive on a web page that says the following: "Quicktime Player is unable to play movie file. Please click here to download new version of codec." After the page loads, a disk image (.dmg) file automatically downloads to the user's Mac. If the user has checked Open "Safe" Files After Downloading in Safari's General preferences (or similar settings in other browsers), the disk image will mount, and the installer package it contains will launch Installer. If not, and the user wishes to install this codec, they double-click the disk image to mount it, then double-click the package file, named install.pkg. If the user then proceeds with installation, the Trojan horse installs; installation requires an administrator's password, which grants the Trojan horse full root privileges. No video codec is installed, and if the user returns to the web site, they will simply come to the same page and receive a new download.
http://www.intego.com/news/ism0705.asp
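The alert says the Trojan's payload is a change to the machine's DNS settings. The check a practitioner wants after an incident like this is simple: list the resolvers the system is actually configured to query and compare them with the ones you expect. The script below is an added example for this digest, not Intego's code or the Trojan's. It parses the output of `scutil --dns` (the "nameserver[N] : address" line layout is assumed from current macOS output) and reports any resolver not on an allowlist. The allowlist, the two sample outputs, and the "attacker" addresses in the 203.0.113.0/24 documentation range are all constructed for the example.

```python
import re
import subprocess

# Resolvers this Mac is expected to use. Constructed for the example: the
# home router plus two ISP resolvers in a documentation address range.
EXPECTED_RESOLVERS = {"192.168.1.1", "198.51.100.53", "198.51.100.54"}

# `scutil --dns` lists each resolver's servers as "nameserver[N] : <address>";
# the regular expression assumes that layout.
NAMESERVER_LINE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)\s*$")


def resolvers_in(scutil_output):
    """Ordered, de-duplicated list of nameserver addresses in scutil --dns output."""
    seen = []
    for line in scutil_output.splitlines():
        m = NAMESERVER_LINE.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def unexpected_resolvers(scutil_output, expected=EXPECTED_RESOLVERS):
    """Addresses the system is configured to query that are not on the allowlist."""
    return [addr for addr in resolvers_in(scutil_output) if addr not in expected]


def live_check(expected=EXPECTED_RESOLVERS):
    """Run scutil on the local machine (macOS only) and return unexpected addresses."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True,
                         text=True, check=True).stdout
    return unexpected_resolvers(out, expected)


# Constructed samples in the scutil --dns layout. The hijacked one carries two
# resolvers in 203.0.113.0/24 standing in for an attacker's servers.
SAMPLE_CLEAN = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.1
  nameserver[1] : 198.51.100.53
  if_index : 4 (en0)
"""

SAMPLE_HIJACKED = """\
DNS configuration

resolver #1
  nameserver[0] : 203.0.113.10
  nameserver[1] : 203.0.113.11
  if_index : 4 (en0)

resolver #2
  domain   : local
  nameserver[0] : 192.168.1.1
"""

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        bad = unexpected_resolvers(sample)
        print(name, "->", bad if bad else "no unexpected resolvers")
```

One caveat the alert itself implies: the installer ran with root privileges, so anything on the machine, including this check, could in principle have been tampered with. Run it from known-good media or compare against a copy of the expected configuration kept elsewhere rather than trusting the infected host's own notion of "normal".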
Elections Act changes deny vote for 1 million Canadians, CBC News 23 Oct 2007 The federal government said Tuesday it will fix a problem with the newly revamped Elections Act that prevents up to a million rural voters from casting a ballot. Four months ago, Parliament passed amendments to the Canada Elections Act that require each voter to produce proof of identity and a residential address before being allowed to cast a ballot. However, more than one million Canadians living in rural areas don't have an address that includes a street name and number. Rural addresses are often just post office boxes. On native reserves, a resident's address is sometimes simply the name of the reserve. In Nunavut, more than 80 per cent of registered voters don't have a residential address. Government House Leader Peter Van Loan told Parliament Tuesday that the problem was an oversight and called on all parties to "enthusiastically support efforts to correct this deficiency." Van Loan also said if a snap election were to be called before the issue is resolved, the chief electoral officer has assured him that he's prepared to use "his adaptation power to ensure that no Canadian loses their right to vote" in the ensuing election. With files from the Canadian Press R. S. (Bob) Heuman <firstname.lastname@example.org>
More than 94 million accounts were affected in the theft of personal data from TJX Cos., a banking group alleged in court filings, more than twice as many accounts as the Framingham retailer has said were affected in what was already the largest data breach in history. The data breach affected about 65 million Visa account numbers and about 29 million MasterCard numbers, according to the court filing, which was made late yesterday by a group of banks suing TJX over the costs associated with the breach. The banks cited sealed testimony taken from officials at the two largest credit card networks. A Visa official also put fraud losses to banks and other institutions that issued the cards at between $68 million and $83 million on Visa accounts alone, the filing states, the most specific estimate of losses to date. TJX, which operates more than 2,500 stores worldwide under such brand names as TJ Maxx and Marshalls, previously has said the unidentified hackers who breached its systems had compromised at least 45.7 million credit and debit card numbers as far back as 2003. TJX has said about 75 percent of the compromised cards were expired or had data in the magnetic strip masked, meaning the information was stored as asterisks rather than numbers. ... [Source: Ross Kerber, Court filing in TJX breach doubles toll: 94 million accounts were affected, banks say, *The Boston Globe*, 24 Oct 2007] http://www.boston.com/business/globe/articles/2007/10/24/court_filing_in_tjx_breach_doubles_toll/
Not Your Average Joe's, a Massachusetts restaurant chain, said yesterday that thieves have stolen credit card data belonging to its customers. The Dartmouth-based chain estimated fewer than 3,500 of the 350,000 customers it served in August and September had their credit card information stolen. The 14-restaurant chain said it is working with the US Secret Service and major credit card companies to determine how the data theft occurred and precisely how many customers were affected. [Source: Bruce Mohl, *The Boston Globe*, 24 Oct 2007] http://www.boston.com/business/globe/articles/2007/10/24/restaurant_chain_customers_credit_card_data_stolen/ [Small potatoes, you say? But the customers were fried, and now they're playing catchup. PGN]
In an out-of-band communication, Steven J. Greenwald (email@example.com) pointed out an AP item by Lisa Leff, Teen's ticket hinges on GPS vs. radar, 25 Oct 2007, in which a retired sheriff's deputy had used a GPS tracking device to keep an eye on his stepson Shaun's driving habits. This annoyed Shaun — at least until he was pulled over for allegedly doing 62 in a 45-mile-per-hour zone. The GPS unit showed that he was indeed doing the speed limit. Whether this is sufficient evidence is still pending. http://news.yahoo.com/s/ap/20071025/ap_on_hi_te/gps_ticket_challenge_2&printer=1;_ylt=AnZr6gtZNk0ZUsM9p9w..vVk24cA This item reminded Jeremy Epstein <Jeremy.Epstein@SOFTWAREAG.COM> of a case over 30 years ago where a physicist at Los Alamos Labs protested a speeding ticket by trying to convince the judge (who was a retired physicist from the labs) that the thunderstorm caused the radar system to give a false reading. Jeremy found a reference to it at http://www.bautforum.com/archive/index.php/t-9596.html : "It [trying physics to get out of a speeding ticket] was tried in Los Alamos. One of the weaponeers was booked for driving his vehicle at speeds well in excess of the limit. At his trial he produced an involved theory of high-energy physics that suggested the radar speed gun readings were distorted by a nearby thunderstorm. The judge's summation went: 'Only in Los Alamos would a defendant argue high-energy physics as a defense against a charge of driving with excessive speed. Only in Los Alamos would the Judge have the PhD necessary to know that he was talking utter nonsense.'" [Note: Steven J. Greenwald runs a low-volume mailing list intended to foster interaction between his former/current students from James Madison University's graduate INFOSEC program (http://www.infosec.jmu.edu) and other "security seniors" he knows either personally or by reputation.
If you think you qualify and wish to request a subscription, please send e-mail to Steve with the e-mail address and name you wish to use. PGN]
Quite surprisingly (except for RISKS readers), a daylight-saving glitch hit Gatwick Airport on Oct 28th, resulting in the ire of passengers and relatives. http://www.theregister.co.uk/2007/10/29/gatwick_computer_glitch/ and others [Back at the beginning of April, I noted in RISKS-24.63 that Caltrain managed to botch the daylight saving cutover. This week they did it even more curiously: the Menlo Park Station had the correct daylight time displayed on one side of the tracks, and the week-too-early standard time on the other side. On the other hand, it makes some sense that the two sets of displays at any given station are intentionally controlled separately, particularly when bearing the bad news of late trains and accidents in one direction or the other. PGN]
Since it's the time of year for summer time/daylight savings bugs, here's mine, from the Humax PVR-9200T. It's a UK hard disk TV recorder which takes Freeview digital-over-aerial channels and supports a seven-day EPG (programme guide). Yesterday (last day of BST), the programming timeline display showed continuous time across the BST-to-GMT boundary; programmes before the change showed the correct broadcast time, programmes after the change were lined up against time markers one hour ahead of the wallclock time at which they would actually be broadcast: in other words, everything was displayed in BST, so a 7pm weekly episode yesterday would be followed by an 8pm episode this coming Saturday. Today, all times are in GMT, including those of programmes before the time change. So, I thought: a consistent, if slightly unexpected, view of time changes, and one which would allow the device to switch times unambiguously... except, of course, it doesn't work: programmed recording entries are apparently stored with clock times, so all the recordings I programmed last week will now start (and stop) one hour late. I'm currently going through and editing them all...
Monday 29 Oct 2007. Hundreds of traffic lights in Winnipeg, Canada did not change from their overnight 'flashing amber' states to the normal 'morning rush' state until an hour later than usual due to old DST settings in them. The lights will need to be manually overridden for the week until time catches up. Ref. http://www.cbc.ca/canada/manitoba/story/2007/10/29/daylight-time.html The RISK of believing all your DST issues are fine when there's no problem in the spring is illustrated nicely here. D. Joseph Creighton [ESTP] | Info. Technologist, Database Technologies, IST Joe_Creighton@UManitoba.CA | University of Manitoba Winnipeg, MB, Canada, eh?
As many readers are aware, there's frequently a discrepancy between when countries switch between "summer time" (or Daylight Savings Time as it's called in the US) and "winter time" (or Standard Time). Europe switched to winter time this year on Oct 28; the US switches to Standard Time on Nov 4. What I'm finding today is that my schedule is a shambles, because meetings that are normally sequential are overlapping, depending on who scheduled the meeting. As an example, I have a meeting I normally attend every Tuesday at 8:30 Eastern; because that was set up in Outlook by a colleague in Europe, this week it's at 9:30 Eastern (i.e., the time stayed constant for him but shifted for me). I have another meeting every Tuesday at 9:30 Eastern which contains an overlapping set of attendees, but because I set that one up, Outlook has left my time constant and shifted my European colleagues - thus, the two meetings "overlap". Of course, they don't really overlap - it's an artifact of how we've become dependent on computerized scheduling systems without thinking about the implications. Yet another reason, I suppose, why airlines and military systems run on "Zulu time", so as to avoid these glitches!
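The scheduling collision above is easy to reproduce, and reproducing it shows why neither "store the organiser's wall-clock time" nor "store UTC" makes the problem go away. The script below is an added example for this digest, not the contributor's code and not Outlook's logic. It models two weekly one-hour meetings created on Tuesday 23 Oct 2007, when both sides were still on summer time: meeting A at 08:30 Eastern but created by a colleague in Europe, so it is stored as that instant's wall-clock time in the organiser's zone; meeting B at 09:30 Eastern, created in New York. The colleague's location (Europe/Berlin) and the one-hour duration are assumptions; the times and dates are the item's. The mismatch week is 30 Oct 2007: Europe switched on 28 Oct, the US not until 4 Nov.

```python
from datetime import date, datetime, timedelta
from zoneinfo import ZoneInfo

NEW_YORK = ZoneInfo("America/New_York")
BERLIN = ZoneInfo("Europe/Berlin")  # assumed location of the European colleague
DURATION = timedelta(hours=1)       # assumed length of both meetings

# Both meetings were created in a week when New York (EDT) and Berlin (CEST)
# were both still on summer time.
CREATED_ON = "2007-10-23"


def wall_clock(instant, tz):
    """(hour, minute) a wall clock in zone tz shows for an aware datetime."""
    local = instant.astimezone(tz)
    return local.hour, local.minute


def occurrence(day_iso, wall_hm, tz):
    """The occurrence on day_iso of a recurrence stored as 'HH:MM in zone tz'."""
    day = date.fromisoformat(day_iso)
    hour, minute = wall_hm
    return datetime(day.year, day.month, day.day, hour, minute, tzinfo=tz)


# Meeting A: 08:30 Eastern on 23 Oct, but organised from Berlin, so the Berlin
# client stores the Berlin wall-clock time of that instant (14:30 Europe/Berlin).
MEETING_A = (wall_clock(occurrence(CREATED_ON, (8, 30), NEW_YORK), BERLIN), BERLIN)
# Meeting B: 09:30 Eastern, organised from New York, stored as 09:30 America/New_York.
MEETING_B = ((9, 30), NEW_YORK)


def starts_as_seen_from(day_iso, viewer_tz):
    """Wall-clock start of (A, B) on day_iso as a participant in viewer_tz sees them."""
    a = occurrence(day_iso, *MEETING_A)
    b = occurrence(day_iso, *MEETING_B)
    return wall_clock(a, viewer_tz), wall_clock(b, viewer_tz)


def overlap(day_iso):
    """True when the two one-hour meetings collide on day_iso (same instants for everyone)."""
    a = occurrence(day_iso, *MEETING_A)
    b = occurrence(day_iso, *MEETING_B)
    return a < b + DURATION and b < a + DURATION


def utc_anchored_start(day_iso, utc_hm, viewer_tz):
    """What 'store the instant in UTC' would show viewer_tz on day_iso."""
    return wall_clock(occurrence(day_iso, utc_hm, ZoneInfo("UTC")), viewer_tz)


if __name__ == "__main__":
    # Before, during and after the week in which only Europe had switched.
    for day in ("2007-10-23", "2007-10-30", "2007-11-06"):
        print(day, "New York sees", starts_as_seen_from(day, NEW_YORK),
              "Berlin sees", starts_as_seen_from(day, BERLIN),
              "overlap:", overlap(day))
    # Anchoring meeting A to its UTC instant (12:30Z) keeps it fixed for the
    # world, but then it drifts on BOTH wall clocks once each side switches.
    for day in ("2007-10-23", "2007-10-30", "2007-11-06"):
        print(day, "UTC-anchored A: New York", utc_anchored_start(day, (12, 30), NEW_YORK),
              "Berlin", utc_anchored_start(day, (12, 30), BERLIN))
```

The output shows both meetings at 09:30 Eastern (14:30 in Berlin) on 30 Oct and back to 08:30/09:30 the week after. Storing the instant in UTC instead would hold A steady at 12:30Z, which is 08:30 in New York until 4 Nov and 07:30 afterwards, so "Zulu time" removes the mismatch only for people who also read their calendars in Zulu time; any recurrence expressed in someone's local wall clock will move for everyone else during the weeks the two regions disagree.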
The House Judiciary Committee wrote back, via e-mail, to the contributors to its confidential whistleblower Internet submission hotline. Aside from the standard issues of doing any of this stuff via insecure and unverified e-mail, they listed all the e-mail addresses in the "to" line, so everyone saw everyone else's name [a]. One of the addresses they sent this whole list to was... firstname.lastname@example.org [b] ratcheting up the usual paranoia concerns. lots more detail at: http://www.tpmmuckraker.com/archives/004576.php [a] since many e-mail spam filters will kill off material addressed to large numbers of recipients, many of the intended folk probably never got the note. [b] it's unclear whether this was really the address they were using to send a copy to the VP or whether it was one of the "fake" ones used by initial submitters. I suspect it was the latter. Either way this procedure was pretty clueless.
In "Risks of cute e-mail" in RISKS-24.87, Chris Williams says > 1) Who needs a bot army to send spam/viruses when you can get people to > willingly forward things along for you? > > 3) Since this appears to have started as a local phenomenon and has slipped > by every anti-spam and anti-virus engine, the potential for malice is > high. There's a joke about the use of gullible humans instead of bots to spread viruses. It's an e-mail that says something like: "This is the <insert favorite stupid ethnicity here> virus. We don't have any smart programmers, so please erase all the files on your hard drive and forward this to all your friends." Haha. Very funny. What's really funny is that, if worded just a little bit differently, this can work, as has already been demonstrated. Another popular legend that circulated for a while a few years ago was the "virus" that was on every Windows system. The e-mail warned of some virus that the sender had found on his own system. It gave instructions for browsing some directory deep within the bowels of Windows, and if you found a specific file name, that meant you were infected, and you needed to delete the file. Of course, the file was one that exists on any normal Windows system. (Un)fortunately, it was something non-critical, so deleting it didn't do much damage, and restore instructions were widely available. I actually wished that those who followed the warning and deleted the file had suffered more damage as a result of their gullibility. So, although the "redneck" virus was a joke, it really is possible to send people e-mail that will cause them to voluntarily delete parts of their operating system and then forward the mail to all their friends. Just don't include the word "joke" and they'll do it.
DY> The problem of fake blogs is significant for me... DY> I have no way as an individual to stop the current problem... Hold the domain owner responsible perhaps?: Dear Yahoo Corporation, YOUR website, http:..., is impersonating MY website. Please cease and desist. It would be wrong to go further and give YOU, the impersonators, copies of MY personal identification documents you request as proof of my identity. I'm sure you will agree. YOU, Yahoo Corporation, are impersonating MY website. YOU are responsible! Is that not MY telephone number on YOUR website? Call it! Does YOUR page not say "This page should be at http:...? And where is that? MY website! I demand YOU remove http:... It is an unauthorized copy of MY website! Update: my above bold e-mail merely got me the same form e-mail from Yahoo asking for identification. The Federal Trade Commission website, where I turned to next, says they don't solve individuals' problems, which is just as well, as their webform produced an error. Second update: No need to hide the URLs: http://www.geo :phony: cities.com/fireboy1983/index.htm impersonates my :real: http://jidanni.org/
Today I got e-mail from the bank that services one of my credit cards, saying: Need to simplify your finances? A Balance Transfer can help! followed by various comments and a clickable link marked TRANSFER BALANCES NOW I was about to dismiss this as yet another phishing scheme, but I was surprised by how authentic it looked. Then I looked more closely, and noticed that it included my name (correctly spelled) and the last four digits of my account number. So I checked the destination for the link, and it actually did refer to my bank's website. Not only that, but the two other hyperlinks in the message also referred to my bank's website. ... From which I can only conclude that this bank is trying to train its customers to be vulnerable to phishing scams. What on earth could they be thinking?
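The check the contributor did by hand, looking at where each link actually points rather than at how the message looks, is the one that separates a genuine bank mailing from a phish, and it is easy to get subtly wrong. The script below is an added example for this digest, not the contributor's code or any bank's. It pulls every link out of an HTML message body, resolves the host of each, and flags any that are not the bank's registered domain or a subdomain of it (matched on a label boundary, so a lookalike such as www.mybank.example.secure-login.test is rejected even though it contains the bank's name), plus any link that is not served over https. The bank domain "mybank.example", the message body and the lookalike host are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            self.links.append((href, " ".join(text.split())))
            self._current = None


def host_belongs_to(host, domain):
    """True only for the domain itself or a subdomain of it, matched on label boundaries.

    A plain substring test would accept "www.mybank.example.secure-login.test".
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def suspicious_links(html_body, bank_domain):
    """Links whose host is not under bank_domain, or which are not https, with the reason."""
    parser = LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        if not host_belongs_to(host, bank_domain):
            flagged.append((href, text, "host %r is not under %s" % (host, bank_domain)))
        elif parts.scheme != "https":
            flagged.append((href, text, "scheme %r is not https" % parts.scheme))
    return flagged


# Constructed message body in the style of the item above. The bank's domain
# "mybank.example" uses the reserved .example TLD; the third link is a lookalike.
SAMPLE_MESSAGE = """
<p>Dear Customer, Need to simplify your finances? A Balance Transfer can help!</p>
<p><a href="https://www.mybank.example/offers/transfer">TRANSFER BALANCES NOW</a></p>
<p><a href="https://www.mybank.example/cards/statement">View your statement</a></p>
<p><a href="https://www.mybank.example.secure-login.test/verify">Confirm your details</a></p>
<p><a href="http://www.mybank.example/privacy">Privacy policy</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_MESSAGE, "mybank.example"):
        print("SUSPICIOUS:", text, "->", href, "(%s)" % reason)
```

The hostname test is the part worth copying: `"mybank.example" in host` is the intuitive check and it is exactly the one a lookalike domain is built to pass. Note too that a message passing this test is still only as trustworthy as the mail itself; as the item says, a bank that sends click-here-now mail is training its customers to stop doing even this much checking.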