This is not what it usually means to say "the stock market was down" or "the stock market crashed"! Yesterday the Toronto Stock Exchange (TSX) and the affiliated TSX Venture Exchange were open for only 18 minutes after early trading revealed a problem with the quotes being sent out. This was reported as a "network firmware issue" that "resulted in complications with data sequencing"; the backup system also failed. The problem was not rectified until late enough in the afternoon that it had already been decided to close for the day.

See: http://www.cbc.ca/money/story/2008/12/18/tsxresumption.html

Mark Brader, Toronto, msb@vex.net | "Fast, cheap, good: choose any two."
The Economist reports this week on technology-based measures that vehicle manufacturers are introducing to prevent or ameliorate traffic accidents:

"Many of these safety systems at first give warning of impending danger before taking over. Despite that potential delay they still provide what Rodolfo Schöneburg, Daimler's head of passive safety, has described as an 'electronic crumple zone': applying the brakes a bit late rather than not at all will at least reduce the impact of a collision.

"Yet sometimes there is no room for any delay in avoiding an accident, for instance when a vehicle jumps a stop sign at a busy junction. This means safety systems will need to become even more autonomous in order to act faster — faster, probably, than people can. But because cars will be acting independently of each other, this raises safety concerns of its own.

"Researchers worry, for example, about what might happen if a child ran into a busy road. If one car automatically slammed on its brakes and swerved, it could prompt others to take evasive action. The result of all these automatic, independent decisions could be a pile-up causing more deaths, injuries and damage than there would have been had drivers remained in charge. So some researchers are now looking at ways in which vehicles could co-ordinate their crash-avoidance manoeuvres. This means that in an emergency cars would have to tell each other at once what they were about to do, says Thomas Batz of the Fraunhofer Institute for Information and Data Processing in Karlsruhe, Germany."

http://www.economist.com/science/displaystory.cfm?story_id=12758720

Collision avoidance (TCAS) technology has been generally beneficial in aircraft, although the 2002 mid-air collision of two planes over Switzerland resulted from conflict between a TCAS instruction and one from an air traffic controller ("July 2002 air collision revisited", RISKS-23.23 <http://catless.ncl.ac.uk/Risks/23.23.html#subj1>).
However, motor vehicle drivers rarely have the same degree of training in handling emergencies as airline pilots do. A study by an Australian university found that while vehicles equipped with ABS (anti-skid) brakes were less likely to be involved in multi-vehicle crashes than the same models lacking ABS brakes, they were 35% over-involved in single-car accidents: http://www.racv.com.au/wps/wcm/connect/Internet/Primary/my+car/car+safety/safety+equipment/brakes/ABS/. Advanced technology protection systems may confuse drivers not used to their action in an emergency, or may cause them to become over-confident and take risks that they otherwise would not. Paying hundreds, or perhaps thousands, of dollars extra for technology that allows a driver to feel safer may not result in that driver actually being safer. I haven't even started to speculate on the risk of software defects in these systems.
[Re: Risks of assuming constant hours in a day (Sampson, RISKS-25.47)]

About 20 years ago my then-boss discovered a systematic difference in the time accounting software that was running on our mainframe computer. This accounting software would calculate for what length of time a user had been using a given resource on the computer. The computer was running Unix and, since we had a source license, the boss started digging into the source code. He eventually found the error not in the accounting software, but on a lower level in the operating system where a programmer in the USA had assumed that the whole world did things the way they were done in America.

The error? Seconds = Hertz

[I presume that programmer would have been "in Dutch" with your then-boss, with some frequency! PGN]
One of Europe's most prestigious scientific journals, the *Max Planck Forschung* (Research) journal, had a special issue on China. The cover art in the German language edition was supposed to be an example of Chinese calligraphy, a poem, but actually was an ad for a Hong Kong strip joint. (It had been allegedly vetted by a respected Sinologist.) In the online and subsequent English print versions, the cover art was replaced with calligraphy written by a 16th-century Jesuit titled Illustrated Explanations of Strange Devices, as shown in the website, which also provides some translations of the original. [PGN-ed]

http://www.smh.com.au/news/home/technology/eminent-scientific-journal-gets-hit-for-sex/2008/12/11/1228584998876.html
Recently, I've been receiving a number of obvious spams with a ZIP file attached, the zip file name being <my email address>.zip. Today, for amusement, I saved the download to take a look at it: there was one file in the ZIP archive, named with my email address: ddean@csl.sri.com. The Unix file(1) program told me everything I needed to know: it's a Windows executable. Now, the .COM extension denotes an ancient MS-DOS executable file format, which, IIRC, is restricted to 64KB of code and data, etc. (The file in question is 28KB or so, UPX compressed [whatever that is].) But that's a beautiful attempt at social engineering: most people probably don't remember .com being an executable file format, and what harm could a file named with your email address do? Not having Windows handy, I couldn't easily find out, nor would I want to in any case....
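A defender's check for the attachment pattern described above, added here as an example and not taken from the original post: it identifies a Windows executable inside a ZIP by its header bytes, as file(1) did, rather than by the entry name, and separately notes an entry named like an e-mail address (whose ".com" doubles as the MS-DOS executable extension). The ZIP, the header-shaped bytes and the function names are all constructed for this example.

```python
import io
import re
import struct
import zipfile

EMAIL_NAME = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def looks_like_pe(data: bytes) -> bool:
    """Identify a Windows (PE) executable by its header, the way file(1) does,
    instead of trusting the entry name: 'MZ' at offset 0 and the 'PE' signature
    at the offset stored in e_lfanew (offset 0x3c of the DOS header)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3c)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def suspicious_entries(zip_bytes: bytes) -> list:
    """Return (entry name, reason) for every ZIP member whose content is a PE image.
    A member named like an e-mail address is noted too: the '.com' in
    'user@example.com' doubles as the MS-DOS executable extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                head = member.read(4096)        # the header is enough to decide
            if looks_like_pe(head):
                reason = "PE executable by magic bytes"
                if EMAIL_NAME.match(info.filename):
                    reason += "; member named like an e-mail address"
                findings.append((info.filename, reason))
    return findings

# --- constructed sample input: header-shaped bytes only, not a real program ---
def fake_pe_bytes() -> bytes:
    hdr = bytearray(b"MZ" + b"\0" * 0x3e)        # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3c, 0x40)      # e_lfanew points right after it
    return bytes(hdr) + b"PE\0\0" + b"\0" * 64

def build_sample_zip(entry_name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, payload)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip("user@example.com", fake_pe_bytes())
    print(suspicious_entries(sample))
```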
John Markoff, *The New York Times*, 6 Dec 2008

Internet security is broken, and nobody seems to know quite how to fix it. Despite the efforts of the computer security industry and a half-decade struggle by Microsoft to protect its Windows operating system, malicious software is spreading faster than ever. The so-called malware surreptitiously takes over a PC and then uses that computer to spread more malware to other machines exponentially. Computer scientists and security researchers acknowledge they cannot get ahead of the onslaught. As more business and social life has moved onto the Web, criminals thriving on an underground economy of credit card thefts, bank fraud and other scams rob computer users of an estimated $100 billion a year, according to a conservative estimate by the Organization for Security and Cooperation in Europe. A Russian company that sells fake antivirus software that actually takes over a computer pays its illicit distributors as much as $5 million a year. With vast resources from stolen credit card and other financial information, the cyberattackers are handily winning a technology arms race. "Right now the bad guys are improving more quickly than the good guys," said Patrick Lincoln, director of the computer science laboratory at SRI International, a science and technology research group. A well-financed computer underground has built an advantage by working in countries that have global Internet connections but authorities with little appetite for prosecuting offenders who are bringing in significant amounts of foreign currency. That was driven home in late October when RSA FraudAction Research Lab, a security consulting group based in Bedford, Mass., discovered a cache of half a million credit card numbers and bank account log-ins that had been stolen by a network of so-called zombie computers remotely controlled by an online gang. ...

http://www.nytimes.com/2008/12/06/technology/internet/06security.html
Hackers Hijacked Large E-Bill Payment Site
http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html

The attack, first reported by *The Register*, began in the early morning hours of 2 Dec 2008, when CheckFree's home page and the customer login page were redirected to a server in the Ukraine. CheckFree spokeswoman Melanie Tolley said users who visited the sites during the attack would have been redirected to a blank page that tried to install malware.

Digging Deeper Into the CheckFree Attack
http://voices.washingtonpost.com/securityfix/2008/12/digging_deeper_into_the_checkf.html?nav=rss_blog

The hijacking of the nation's largest e-bill payment system this week offers a glimpse of an attack that experts say is likely to become more common in 2009. A spokeswoman for Network Solutions, the Herndon, Va., domain registrar that CheckFree used to register its Web site name, told Security Fix Wednesday that someone had used the correct credentials needed to access and make changes to CheckFree's Web site records. CheckFree controls between 70 to 80 percent of the U.S. online bill pay market. Still, the phishing angle suggests that the attackers managed to phish not only an employee at CheckFree, but an employee who happened to know the credentials needed to administer the company's site records.

- - - - - -

I can think of a couple of ideas that would help avoid disasters like this. Spreading the word about this particular event is probably the most important. People need to understand why they are doing all the extra silly work. I think the registration update procedure for major domains should require more than a simple web login. One approach would be a phone call by the registrar to a number set up out of band. The cost would be minor since the data doesn't change very often. Of course, people with valuable passwords should take good care of them. Using it on a Windows machine is obviously a high risk.
So is using a system you aren't familiar with. If I was paranoid enough, I'd probably store the password on paper and never store it on a disk. To do something that needs that password I'd boot a system that runs from a CD. If I had to use Windows, I'd use a system that had been freshly installed and was behind a good firewall. A good web proxy and lots of logging might help. How many other important passwords does a company like CheckFree have?
Gary McGraw <gem@cigital.com> thought RISKS readers might get a kick out of an article just published by Gary, Brian Chess, and Sammy Migues: http://www.informit.com/articles/article.aspx?p=1315431
"While at the dry cleaner one day, Rob's iPhone was stolen. He immediately chalked it up as gone forever, and proceeded to purchase a brand new one that same evening. It was the next day when unfamiliar contacts began to appear on the new phone. The (not-too-bright) thief was unwittingly supplying him with names and phone numbers of his or her closest friends, via the magic of MobileMe synchronization from the stolen phone to the cloud and eventually to his new phone."

http://www.tuaw.com/2008/12/17/iphone-thief-thwarted-by-mobileme-sync/

Nick Rothwell / Cassiel.com Limited www.cassiel.com
I received a phone call yesterday morning from Fed Ex Freight confirming that I had equipment available to unload the 28 foot beam that they were delivering today. My name, my cell phone number, my home address. Well, I'm happy they called to make sure I can get my load off the flatbed truck that's delivering it, but there's a small problem — this is not my order. I've never heard of the shipper, some redwood products company in California. I haven't heard anything more from Fed Ex so I assume they figured out where this beam was supposed to go.

I had some furniture shipped by Fed Ex Freight earlier this year. A one-time shipment that was arranged by the furniture vendor with shipping fees paid through the vendor. I'm assuming that an account was created for the destination address for my shipment, and that account still exists and somebody at Fed Ex mistyped the account number for the actual destination and got my (should have been temporary) account number and the beam made an erroneous 1200-mile trip to Colorado.

Two things are fairly obvious:

o One-time accounts should be very hard, if not impossible, to reuse. They should also have short purge times.

o Account numbers should have check codes to preclude typical entry errors like transpositions and off-by-ones.

I wonder where that beam was supposed to go! I wonder if I'll get a bill for the shipping!
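An added example (not from the original post) of the check-code suggestion: the Damm check digit, which detects every single-digit substitution and every adjacent transposition, beside the more familiar Luhn digit, which lets the 09/90 transposition through. The account-number payload and the function names are constructed for this example.

```python
# Damm quasigroup table as published (rows and columns indexed 0-9).
DAMM = [
    [0, 3, 1, 7, 5, 9, 8, 6, 4, 2],
    [7, 0, 9, 2, 1, 5, 4, 8, 6, 3],
    [4, 2, 0, 6, 8, 7, 1, 3, 5, 9],
    [1, 7, 5, 0, 9, 8, 3, 4, 2, 6],
    [6, 1, 2, 3, 0, 4, 5, 9, 7, 8],
    [3, 6, 7, 4, 2, 0, 9, 5, 8, 1],
    [5, 8, 6, 9, 7, 2, 0, 1, 3, 4],
    [8, 9, 4, 5, 3, 6, 2, 0, 1, 7],
    [9, 4, 3, 8, 6, 1, 7, 2, 0, 5],
    [2, 5, 8, 1, 4, 3, 6, 7, 9, 0],
]

def damm_check_digit(payload: str) -> str:
    interim = 0
    for ch in payload:
        interim = DAMM[interim][int(ch)]
    return str(interim)

def damm_valid(number: str) -> bool:
    # Running payload plus check digit through the table must end at 0.
    return damm_check_digit(number) == "0"

def luhn_check_digit(payload: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return luhn_check_digit(number[:-1]) == number[-1]

def undetected_errors(valid, number: str) -> list:
    """Every single-digit substitution and adjacent transposition of `number`
    that `valid` still accepts, i.e. the entry errors the scheme lets through."""
    misses = []
    for i, ch in enumerate(number):
        for d in "0123456789":
            if d != ch:
                cand = number[:i] + d + number[i + 1:]
                if valid(cand):
                    misses.append(cand)
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            cand = number[:i] + number[i + 1] + number[i] + number[i + 2:]
            if valid(cand):
                misses.append(cand)
    return misses

# Constructed account-number payload; it contains the adjacent pair "09".
PAYLOAD = "4096"
LUHN_NUMBER = PAYLOAD + luhn_check_digit(PAYLOAD)   # "40964"
DAMM_NUMBER = PAYLOAD + damm_check_digit(PAYLOAD)   # "40960"

if __name__ == "__main__":
    print("Luhn misses:", undetected_errors(luhn_valid, LUHN_NUMBER))  # ['49064']
    print("Damm misses:", undetected_errors(damm_valid, DAMM_NUMBER))  # []
```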
The social network website LinkedIn is very well known. It is the place where professionals meet and extend their networks. Like other social network sites, the LinkedIn network offers third parties the ability to add applications to their framework. There are APIs for Amazon, Huddle, Google and also one for Slideshare.net. This last website offers you the possibility to publish your presentations online. When you add the Slideshare API to your LinkedIn profile you are able to connect your Slideshare account to your LinkedIn profile. The way it works: you enter your user-id and password of Slideshare into a box, and presto! your Slideshare profile is Linked.

I tried it several times but failed. Somehow the system kept telling me that my user-id and/or password did not match the ones used at Slideshare. First I wondered: is it my username ("leon") which has too few characters? But then it occurred to me: it was the "complexity" of my password that caused the problems. My password (generated with a password generator) was "az<VK/gq#". Notice the "<" sign?

The risks: a chain is as strong as the weakest link (..edIn).

leon@kuunders.info http://xri.net/@trusted-id/leon skype://leonkuunders
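An added illustration, not code from LinkedIn or Slideshare, of one way an integration can reject a valid password containing "<": the connector HTML-escapes the credential before forwarding it, so the receiving side verifies a different string. That this was the actual cause is an assumption; the salt, the PBKDF2 storage and all function names are constructed for the example.

```python
import hashlib
import hmac
import html

# Constructed sample: the password quoted in the post, containing '<' and '/'.
PASSWORD = "az<VK/gq#"
# Fixed salt so the example is reproducible; real registration uses os.urandom(16).
SALT = b"constructed-salt"

def register(password: str, salt: bytes = SALT) -> bytes:
    """What the receiving site stores: a salted PBKDF2 digest of the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def verify(password: str, digest: bytes, salt: bytes = SALT) -> bool:
    return hmac.compare_digest(register(password, salt), digest)

def broken_connector(submitted: str) -> str:
    """Mistake: treating the credential as page text and 'sanitising' it before
    forwarding. '<' becomes '&lt;', so the other site receives a different
    password and reports that user-id and password do not match."""
    return html.escape(submitted)

def correct_connector(submitted: str) -> str:
    """Credentials are opaque secrets: forward them unchanged. Escaping belongs
    where text is rendered into HTML (render_greeting), never on the secret."""
    return submitted

def render_greeting(user_id: str) -> str:
    """Output-side escaping: untrusted text going into a page is escaped here."""
    return "<p>Welcome, " + html.escape(user_id) + "</p>"

def login_via(connector, submitted: str, digest: bytes) -> bool:
    """Simulate the connecting site handing the password to the account owner's check."""
    return verify(connector(submitted), digest)

if __name__ == "__main__":
    stored = register(PASSWORD)
    print("broken connector:", login_via(broken_connector, PASSWORD, stored))    # False
    print("correct connector:", login_via(correct_connector, PASSWORD, stored))  # True
    print(render_greeting("<leon>"))
```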
http://austinist.com/2008/12/10/aisd_teacher_throws_fit_over_studen.php

Free? - That's illegal! A teacher has thrown a student into detention and threatened to call the police for using Linux in her classroom. The teacher spotted one of her students giving a demonstration of the HeliOS distro to other students. In a somewhat over-the-top reaction, she confiscated the CDs, put the student on detention and whipped off a letter to the HeliOS Project threatening to report it to the police for distributing illegal software.

Home: http://alpha.mike-r.com/ QOTD: http://alpha.mike-r.com/php/qotd.php
An interesting study. As one who has published an infosec dictionary, I've seen, first hand, how fast our technical jargon has changed (and often degraded). The effect of the technology, and the pervasive nature of the changes, is intriguing.

Highlights:
- new communications technology, particularly text messaging abbreviations (textese), creating new terms entering the language
- errors by the technology ("predictive" numeric keypad text interpretation of "book" instead of "cool") creating new slang (book now means cool or good) *
- terms from local technologies (the Oyster card error codes) are entering the language more broadly
- textese messages take longer to read, and generate more errors

http://news.bbc.co.uk/2/hi/technology/7775013.stm
ftp://ftp.royalmail.com/Downloads/public/ctf/po/TechChat-Draft2.pdf

(Unfortunately, a link to the Australian study seems to be missing.)

Relevance to security? Well, I don't agree with the final statement in the BBC story. Any change to the language that increases the error level in communications has got to be dangerous.

* I've heard my grandkids say this, and wondered where it came from. The technical reasons for this are fascinating in themselves. Predictive typing technology is based on the numeric keypad equivalent of words, and is based on the frequency of word usage in English. "Book" and "cool" are equivalent (2665) on a numeric keypad. In general English, book is going to be the more widely used word, and so the algorithm chooses book first when you type 2665. However, textese is used by teens much more widely than by the rest of the population, and I am morally certain that teen textese uses cool much more frequently than it uses book.

I am also interested in competition in terms of the acronyms. LAMP has been widely used in technical (and particularly online) circles to refer to the use of Linux, Apache, MySQL, and PHP/Python/Perl for the creation of Websites. It is interesting to note a completely different use of LAMP in the financial arena. (We already have a similar confusion of SOA depending upon whether the speaker is from the BS 7799/ISO 27K community [statement of applicability, aka scope] or the ITIL tribe [service oriented architecture].)

rslade@vcn.bc.ca rslade@computercrime.org victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/
I phoned my credit card company. After giving my name and address, the following conversation took place:

Credit card guy: Please give me your date of birth for authentication.
Me: <my date of birth>
Credit card guy, sounding genuinely surprised: Strange, I have a completely different date. I have <another date>.
Me: That's my wife's date of birth.

(Which is true, but he couldn't really know that; my wife hasn't got a card with that company. I could have said that to whatever date he had given me.)

This seemed to satisfy him, and we proceeded with the business I called about.
(Re: Federal Criminal Charges for Violation of Commercial Online ToS?)

From the government's point of view, the "Perfect Law" is one which everyone has broken. With this law, anyone the government does not like (for whatever reason) can be arrested and imprisoned.

From the citizen's point of view, such a law means the end of the rule of law. You are now living in a tyranny: any criticism of the government could land you in jail with no recourse.

"But," you protest, "I haven't violated the Terms of Service of any web site!" What about that government-run web site which just about everyone in the country is required to sign up for? On page 16 of the voluminous Terms of Service is a poorly-worded note to the effect that anyone who criticises any action of the government is in violation of the Terms of Service of this web site.

martin@gkc.org.uk http://www.cse.dmu.ac.uk/~mward/
BKBUPRLH.RVW 20081123

"The Business Privacy Law Handbook", Charles H. Kennedy, 2008, 978-1-59693-176-3, U$109.00
%A Charles H. Kennedy ckennedy@mofo.com
%C 685 Canton St., Norwood, MA 02062
%D 2008
%G 978-1-59693-176-3 1-59693-176-0
%I Artech House/Horizon
%O U$109.00 617-769-9750 800-225-9977 artech@artech-house.com
%O http://www.amazon.com/exec/obidos/ASIN/1596931760/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/1596931760/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/1596931760/robsladesin03-20
%O Audience a- Tech 2 Writing 2 (see revfaq.htm for explanation)
%P 312 p.
%T "The Business Privacy Law Handbook"

The preface states that this is a survey of business privacy law in the United States, and the changes that field is undergoing, intended for business managers and those advising them. The introduction is rather interesting: on the one hand, it lays out a five-step process to guide the task of ensuring compliance with privacy regulations, and on the other, it points out how complex this undertaking is, in the labyrinthine legal environment of the US.

Part one addresses issues of information relating to consumers and customers. Chapter one deals with information collected on the Internet and through Websites. As the US has no general national standards in this regard, most of the discussion deals with the design of corporate privacy policies for Websites. There is also an examination of the Children's Online Privacy Protection Act (COPPA). Various US and state laws with implications for general information security and protection are noted in chapter two, which also has a brief section on information risk identification. Legislation relating to companies in the financial industry is reviewed in chapter three. Chapter four notes the provisions of the Electronic Communications Privacy Act, the Stored Communications Act, and special provisions for communications carriers. The implications of HIPAA (the Health Insurance Portability and Accountability Act) for the health industry are outlined in chapter five, which also notes some related state laws. Although ostensibly about the European Union privacy directives, the rather terse material in chapter six is more about the Safe Harbor framework of the US Department of Commerce.

Part two looks at job applicants and employees. Chapter seven is a brief review of the hiring process, and it is interesting to note that the common opposition (by employers) to providing detailed references has little objective basis. The examination of internal investigations, as discussed in chapter eight, is limited, and repeats content from chapter seven. Chapter nine's deliberation on surveillance is primarily concerned with tapping of phone and email conversations.

Part three turns to communications with customers and consumers, with three successive chapters on marketing types of intercourse; telemarketing (in chapter ten), fax advertising (eleven), and spam (twelve). Chapter thirteen, on the monitoring of customer communications, is a mere three paragraphs in total length, and is a reiteration of some of the content of chapter nine.

Appendices list state privacy and data security laws.

It is unfortunate that the title does not make clear the US-centric nature of the material, but it is reasonable for a legal text to concentrate on one jurisdiction. Despite occasional shortcomings in specific areas, this text does provide a detailed, up-to-date and quite comprehensive overview of the convoluted mess of American privacy law.

copyright Robert M. Slade, 2008 BKBUPRLH.RVW 20081123
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/