Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Another Peter Neumann (!!) reports in the *Berliner Zeitung* 17 Jan 2009: On January 14, 2009 at 14.03 the plug got pulled on the German national train system's computers - all of them. No ticket machines would work, either the self-service or the counter machines; the Internet pages returned 404s; the boards in the train stations telling you which track to take died; and apparently even some of the operations computers just shut off. There was a single point of failure - the "uninterruptible" power system (UPS). The computer center of the Deutsche Bahn in Mahlsdorf (Berlin) was was upgrading the UPS. Suddenly there was no electricity flowing through the mains. None. And the entire system fell like a house of cards. Oh, they had a backup system set up [for lots of money, we suppose, I've seen the computer centers, they look like prisons, windowless monstrosities with high fences topped by razorwire -dww] just down the road in Biesdorf. The speaker won't say exactly what happened, but the cut-over to the backup system did not work. It took hours to get the system back up and running - apparently every system assumes that every other system is already up and running, and turning them all on at the same time is quite a drain on electricity. The speaker will not go into any more detail on this topic, except to say that the specific nature of the error meant that each system had to be restarted by itself. Of course, the usual speculation made the rounds - hackers, terrorists, viruses. But again - never make up complicated theories for what can be explained by simple incompetence. The speaker: We have found the weak point and can guarantee that something like this will never happen again. comp.risks has a long memory.... Prof.Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Treskowallee 8, 10313 Berlin http://www.f4.fhtw-berlin.de/people/weberwu/ +49-30-5019-2320
*The Register* reports that "staff at hospitals across Sheffield are
battling a major computer worm outbreak after managers turned off Windows
security updates for all 8,000 PCs on the vital network" with "more than 800
computers ... infected with self-replicating Conficker code". And how did
this happen? The worm takes advantage of a known problem that is resolved
through a Windows patch that wasn't installed because "the decision to
disable automatic security updates was taken during Christmas week after PCs
in an operating theatre [were] rebooted mid-surgery. Conficker was detected"
on 29 Dec 2008.
http://www.theregister.co.uk/2009/01/20/sheffield_conficker/
Or in short:
- Life-critical systems rely on software that has a long history of
vulnerabilities.
- To avoid critical interruptions, automatic fix installation is disabled,
with no backup process for installing them at non-critical times.
- These systems are interconnected (including to the Internet) for
whatever reason.
- There are (apparently) no other protection mechanisms beyond installing
fixes.
- Malware leaks in to the network and spreads.
- The interaction of the above leads to really bad results.
And where is the surprise? Even Microsoft's license agreement notes that
you shouldn't use their software for life-critical systems (among other
things). Perhaps that's just a CYA thing, but one would hope that there's
consideration of the risks before ignoring those terms.
[Also noted by Toby Douglass.
Incidentally, Phil Porras (whose Cyber-Threat Analytics project
<http://www.cyber-ta.org> has been tracking conficker) noted to me
that the relevant RPC exploit was patched and distributed by MS's security
update service on 23 Oct 2008. PGN]
Brian Krebs, *The Washington Post*, 16 Jan 2009 A sneaky computer worm that uses a virtual Swiss army knife of attack techniques has infected millions of Microsoft Windows PCs, and appears to be spreading at a fairly rapid pace, security experts warn. Also, while infected PCs could be used for a variety of criminal purposes -- from relaying spam to hosting scam Web sites — there are signs that this whole mess may be an attempt to further spread so-called "scareware," which uses fake security alerts to frighten consumers into purchasing bogus computer security software. The worm, called "Downandup" and "Conficker" by different anti-virus companies, attacks a security hole in a networking component found in most Windows systems. According to estimates from Finnish anti-virus maker F-Secure Corp., the worm has infected between 2.4 million and 8.9 million computers during the last four days alone. If accurate, those are fairly staggering numbers for a worm that first surfaced in late November. Microsoft issued an emergency patch to fix the flaw back in October, but many systems likely remain dangerously exposed. One reason for this is because businesses will generally test patches before deploying them on internal networks to ensure the updates don't break custom software applications. In the meantime, an infected laptop plugged into a vulnerable corporate network can quickly spread the contagion to all unpatched systems inside that network. But the worm also has methods for infecting systems that are already patched against the Windows vulnerability. According to an analysis last week by Symantec, the latest versions of Downadup copy themselves to all removable or mapped drives on the host computer or network. This means that if an infected system has a USB stick inserted into it, that USB stick will carry the infection over to the next Windows machine that reads it. That's an old trick, but apparently one that is apparently still very effective. ... http://voices.washingtonpost.com/securityfix/2009/01/tricky_windows_worm_wallops_mi.html [Conficker is apparently even more widespread than reported above. PGN]
Lauren Weinstein's Blog Update, 19 Jan 2009 http://lauren.vortex.com/archive/000497.html Greetings. It's well known that a significant portion of the Obama administration's stimulus plans will likely be a major thrust toward electronic medical records. These are touted as reducing errors, creating jobs, and saving money — though it's arguable if medical consumers are the ones who actually pocket the savings in most cases. But there are serious concerns about these systems as well — reminding us that exactly the same sorts of problems that tend to plague our other computer-based ecosystems could now start hitting people's medical records in pretty much the same ways. *The New York Times* (19 Jan 2008) had an excellent story about privacy and security issues associated with electronic medical records — and the medical industry heavyweights who are trying to water down related provisions in associated and upcoming legislation. http://www.nytimes.com/2009/01/18/us/politics/18health.html A few days ago, AP reported on a range of potentially serious medical errors *created* by the Veterans Administration's new electronic medical records system. http://www.tampabay.com/news/military/veterans/article967778.ece Both Google and Microsoft have unveiled electronic medical records systems for users, and are actively seeking partnerships with major medical treatment organizations. While they both promise comprehensive privacy and control by users — in some ways that exceed those mandated by HIPAA privacy requirements, these systems are explicitly not actually covered by HIPAA -- though my hunch is that this status is likely to change in the near future. The key concern with such non-HIPAA medical records systems isn't their privacy and security at the moment — which as I noted appear to be good at present. Rather, an important aspect of HIPAA is that it represents a set of rules that cannot be arbitrarily changed by the organizations involved. Consumers need to know that the "rules of the game" when it comes to their medical records will not be subject to unilateral alterations on the basis of business conditions or management changes, outside the realm of legislated national rules. My belief is that electronic medical records in general, and the services like those from Google and MS in particular, have the potential for significant benefits. I also believe that a massive rush into any of these environments could end up creating a whole new range of problems that could waste money, risk privacy, and in the worst case even cost lives. I trust that Congress will move with deliberate speed, but not be pressured, in the area of electronic medical health records implementation, and that they will put patients' rights to privacy, accuracy, security, control, and choice at the top of agenda. A stampede to electronic medical records without due consideration and care would be a very dangerous prescription indeed.
[Source: David Mehegan, *The Boston Globe*, 19 Jan 2009] Cursive, foiled again: We e-mail, we text, we Twitter - what will become of handwriting? "The moving finger writes," says the famous Rubaiyat of Omar Khayyam, "and, having writ, moves on." Nowadays, the finger more likely is hammering away on a computer keyboard, texting on a cellphone, or Twittering on a BlackBerry. If you predate the computer age, you might remember a school subject called "penmanship," which trained your cursive handwriting, usually by the Palmer Method. The penmanship teacher would come by once a week to rate your work, and if your handwriting was bad, you'd hear about it. It's still taught, to be sure, but it's no longer emphasized. "There's been a decline in attention to all kinds of basic skills," said Louise Spear-Swerling, coordinator of the graduate program in learning disabilities at Southern Connecticut State University. "With handwriting, people think it's just not that important." Some people are concerned, though, and one is Kitty Burns Florey, whose book "Script and Scribble: The Rise and Fall of Handwriting" comes out Friday - John Hancock's birthday and National Handwriting Day. Florey, author of nine novels and a book about sentence diagramming, became interested in the subject after reading that computer keyboarding has displaced handwriting in schools. ... http://www.boston.com/ae/books/articles/2009/01/19/cursive_foiled_again/
In the UK there is a Government Gateway web site used to access a number of government services. One of the better hidden services is that it is possible to register a claim for unemployment benefit. Like many of the UK's IT staff I now have need of the service. Everything starts off reasonably well. Access to the site requires an ID that is delivered to users by post, together with a password users can choose for themselves. So far so good. Registering a claim for "Jobseekers' Allowance" takes the user through a questionnaire that parallels the one that most people deal with via a telephone interview. At the end of the process the user is given a final chance to review the data and finally confirm that they wish to submit a claim. At this point the user is presented with a pop-up confirmation that the claim has been submitted. The interesting thing is that the claim has not been submitted at that point and still has a status of "not yet submitted." The next stage should presumably be that the claim is actioned, but this part of the code silently fails. The claim will stay in limbo. Unless the user has some reason to return to the system and log in again they have no reason to suspect that their data has been dropped on the floor. If they do log in again they will see the "not yet submitted" status and can complete the submission again, getting a new pop-up saying that the claim has been submitted. Which submission will again be silently dropped on the floor and the "not yet submitted" flag will remain unchanged. I'm sure that there must be a lesson to be learned from this, probably several. I hope that one of the lessons which will be learned is that when you FUBAR a user's data, don't do it to a RISKS subscriber. Bernard Peek, London, UK. DBA, Manager, Trainer & Author.
New Web Analytics Service Spies on Web Browsing Activity Without Permission
http://lauren.vortex.com/archive/000498.html
Greetings. In the business of "Web Analytics" — collecting, analyzing, and
reporting of Web usage data — various firms are continuously pushing the
envelope.
Such data is in many ways the bread and butter of the free Web services that
we've come to expect, since it is in key respects a crucial element of the
ad-supported Web services ecosystem. However, the temptation to push
analytics technology too far always exists.
A firm that appears to have succumbed to that temptation came to my
attention today. "Tealium Social Media," a service of Tealium
(http://www.tealium.com) in San Diego, California, is a commercial analytics
service that uses JavaScript tricks to inspect — without the knowledge or
permission of Web users — specific URLs in their current browser histories.
The service attempts to provide a finer grain of usage information than is
typically available through analytical techniques, by querying users'
browsers for the presence of particular URLs. While this does not permit
the reading out of complete browser URL histories, it does permit the
service to ask the potentially highly privacy-invasive question: "Has this
user been to a particular URL recently?"
Obviously, by sending a variety of such queries (all of which are
essentially invisible to the user), a fascinating portrait of users'
activities could be generated. Visited this CNN story? This
government Web page? This porn image? This medical information page?
Well, you get the idea.
While the JavaScript functionalities that enable this intrusion have
been known for quite some time in hacking and other technical circles,
this appears to possibly be among the first commercial applications of
this technique.
I had a cordial chat early this afternoon with Olivier Silvestre, one
of Tealium's partners, and a later e-mail exchange with Ali Behnam,
another partner.
They both emphasized a number of points that will sound all too
familiar, and I'm afraid far from convincing. They noted that they do
not collect PII ("personally-identifiable information"), don't
accumulate user-linked data, and only query browser histories for
specific ("social media") related links. It was also mentioned that
they have obfuscated their JavaScript to try prevent their clients
from altering the code, have a customer use policy that prohibits
their clients from attempting such alterations, have put in place a
privacy policy ... and so on.
Opt-out is apparently possible via a cookie — but of course you have
to know what's going on before you'd ever think to set an opt-out
cookie! They hope to move to non-cookie opt-out techniques, and
claimed in answer to my query that they'd really prefer to be opt-in,
but realize that getting people to opt-in to such a service could be,
shall we say, impractical.
If so much of this sounds like deja vu, it's because we've heard
virtually all of it before. In many ways it's quite similar to
arguments made by Phorm and NebuAd, which were roundly criticized as
self-serving and inadequate.
The fundamental question is an obvious one — "Unless we're asked for
our permissions in advance, what the hell business is it — of anyone
by ourselves — what is or is not in our browser histories?"
Arguments about not collecting PII, only looking for particular URLs,
and all the rest, necessarily fall flat. Inspecting browser URL
histories in such a manner — without affirmative opt-in permission --
clearly crosses the line from acceptable analytics to an unacceptable
intrusion into private activities.
If a burglar argued that the only reason they conducted break-ins was
to check to see if you had purchased particular products, would such
reasoning be likely to prevail in court? I'm not a lawyer, so I won't
attempt here to present a legal analysis of the Tealium technique --
though I'd certainly be interested to hear opinions about this.
But again, the guys at Tealium were friendly and open in our contacts,
and made no attempt to evade my questions. Clearly we're dealing in
this case with a very different view of what privacy is, and what is
acceptable behavior on the Web.
My hope is that Tealium will reconsider their use of this methodology,
and I urge that all browsers vulnerable to such manipulations be
altered to prevent their use.
In the meantime, there are some ways to protect yourself from this
technology, though none are particularly pretty. You can make a practice of
clearing your browser history frequently, or not keeping a history at all,
but these are both inconvenient. You can turn off JavaScript, but this will
completely break a vast number of sites and is generally not very practical
these days.
[ Update (1/22/09): Several people have suggested the Firefox "NoScript"
plugin as a method for finer-grained control over JavaScript. This is
certainly available, though it is not necessarily clear which sites to
script block, or what the side-effects of selectively blocking JavaScript
will be in any given case. But as a practical matter, most people can't run
NoScript since they don't use Firefox, and most people who run Firefox tend
not to use plugins. The only ad hoc "solution" available to pretty much
everyone with a Web browser is to turn off JavaScript completely, with the
serious downside already noted. More to the point, blocking such activities
at the PC is essentially a diversion from the larger issues surrounding the
Tealium service, such as should their technique be permitted at all and is
it legal in all jurisdictions? It is unrealistic to expect everyone to
fiddle around with their browser configurations to try protect against these
sorts of intrusive activities. ]
Or you might contact Tealium and let them know if you do (or don't)
approve of their practices in these regards.
As far as I'm concerned, my browser history is mine, nobody else's.
Period. Full stop. End of discussion.
+1(818)225-2800 http://www.pfir.org/lauren http://lauren.vortex.com
http://www.pfir.org Network Neutrality Squad - http://www.nnsquad.org
At the Consumer Electronics Show (CES) this year, a number of booth personnel were wearing cameras on their chests that recorded video & audio of every person they talked to the entire day. The cameras had enough quality to pick up the names on the badges of the people they talked with. According to one gentleman, the camera allowed him to focus on talking with the person and not wasting time getting his/her badge information. These cameras are not expensive — one of the booths I stopped at was actually selling them. I expect them to start showing up at all kinds of business meetings. The future you project is already here.
> The future you project is already here. That being the case ... I'll add my social predictions. :-) Prosecutors today complain of the "CSI effect": On the CSI series of TV shows, every week, crimes are solved by introducing all kinds of detailed, highly specific, scientific evidence. Juries assume that that's the way things work in the real world, and convincing them without it has gotten harder - an attitude the defense bar encourages, of course. But the reality of scientific evidence doesn't approach the fantasy. In a world of ubiquitous recording, anything that *wasn't* recorded will seem, at the least, less reliable - and eventually even suspicious. "If you had nothing to hide, why didn't you make a recording of what you were doing?" The common law has traditionally accepted oral contracts - special cases, going back the the oddly- named Statue of Frauds, excepted - in recognition of the inconvenience of memorializing on paper the huge number of dealings in which we are involved on a daily basis, especially in business. The "he said/she said" evidentiary arguments that inevitably follow are just something that we have to accept to keep commerce flowing. In a world where every conversation is trivially recorded - will we continue to do that? — Jerry
Billion Dollar Mistake? (Dagenais, RISKS-25.51) I'd be willing to bet that the actual number is far, far higher, especially when adjusted for inflation. But I applaud Tony for his apology. I haven't yet heard an apology from Fortran/C/C++/etc. creators over their inability to police array bounds. A good fraction of the ACM Fellows (perhaps the ACM itself?) need to provide mea culpas over this issue. To a first approximation, the lack of array bounds checking created the virus/worm industry, and we are still paying handsomely for this. Madoff was a rank amateur by comparison. Computer "scientists" have been producing insecure code like this since before NASDAQ was started.
[Re: Risks of data retention 25.48 (Armburst RISKS-25.48)] I'm not sure I agree the assertion that one-time accounts should never be re-used. I can see a significant benefit of storing and keeping current such information as a way to reduce errors from having to enter the information each time. I think the problem comes from the resulting system, and ensuring that the re-used information is correct and correctly used. Also, if a failure occurs, then the system (human and automated) needs to be able to determine where the error occurred, so it can be corrected. I have a related story: Avis, and other car rental companies, have a service where information (driver's license number, billing info, etc.) is pre-entered into their reservation/billing system, under a Wizard Number. The benefit, to me, is that the time needed to rent a car is significantly reduced. I checked my account last summer and found that someone had made a reservation in my name. I called Avis and was told that they thought that operator error had resulted in my Wizard Number being used as part of someone else's reservation. Issues: - The system should have done some checking to ensure the correct Wizard Number was being used. Canadian banks love asking silly questions to confirm identity, why not this system? - The system didn't seem to have any way to determine who had made the reservation, and inform them that correction was needed. Was the reservation made through an agent? Was it associated with an airline reservation? I canceled the reservation, and suggested Avis send a note to the place the car was to be picked up, so they would know what happened when this person arrived (and hopefully keep a car available for him). Somewhat later copy of receipt from this person's rental turned up on my Avis account. So, logically, he must have arrived at the rental office, with a printed copy of the reservation. Rather than checking why the reservation was canceled, the rental office must have simply reconstituted the reservation under my Wizard Number. Issues: - Something should have detected a fault. A detailed check of this person's information against what was in stored under my Wizard Number should have detected something. - The system has stored the record of the rental, complete with parts of his credit card number, under my Wizard Number. I called Avis, and their response was that since the rental hadn't been charged to me (the renter had provided a credit card) nothing was wrong. So, I called the rental office. The person I talked to told me they remembered the rental, and that the Wizard Number had come up when they swiped his credit card <!>. Further discussion revealed that the name on the credit card was the same as mine, and that the driver's license was issued from the same province as where I live. Issues: - The linking of his information to my Wizard Number seems like a serious system fault, so I am curious about Avis's response. - In cases where the information between two customers has some overlap the system (human and automated) needs to do extra special checking. In this case there is a strong possibility that I could have been billed, without any way to determine who had actually rented the car. I guess the risk is all Avis (since the stamps on my passport prove it wasn't me who rented the car), but in these days of identity theft, I would hope our automated systems are being developed to reduce the IT reservation under my Wizard Number.
Please report problems with the web pages to the maintainer