Bad news: A National Health Service employee lost a flash drive containing personal information of up to 6,360 patients. Good news: The data on the flash drive was encrypted. Bad news: The password was written on a sticky-note attached to the drive. Paraphrased from the *Lancashire Evening Post* http://www.lep.co.uk/news/Apology-after-prisoners39-health-info.4862265.jp Steven J Klein, Your Mac & PC Expert, Phone: (248) YOUR-MAC or (248) 968-7622
In this case the risk appears to be the assumption that anyone who wishes to pay their electric bill can do so easily. The 93-year-old WWII veteran may not have had a checking account, a computer, or online bill paying, and the weather was too severe for him to leave home to pay his electric bill in person. After his death, a large amount of cash was found clipped to his utility bill on his kitchen table.
[Source: John Markoff, *The New York Times*, 23 Jan 2009] http://www.nytimes.com/2009/01/23/technology/internet/23worm.html A new digital plague has hit the Internet, infecting millions of personal and business computers in what seems to be the first step of a multistage attack. The world's leading computer security experts do not yet know who programmed the infection, or what the next stage will be. In recent weeks a worm, a malicious software program, has swept through corporate, educational and public computer networks around the world. Known as Conficker or Downadup/Downandup, it is spread by a recently discovered Microsoft Windows vulnerability, by guessing network passwords and by hand-carried consumer gadgets like USB keys. Experts say it is the worst infection since the Slammer worm exploded through the Internet in January 2003, and it may have infected as many as nine million personal computers around the world. [...]
via false ilife leak http://www.boygeniusreport.com/2009/01/23/trojan-virus-spreads-to-as-many-as-20000-macs/
Threat Level, By Kevin Poulsen, Wired.com, 29 Jan 2009 http://blog.wired.com/27bstroke6/2009/01/fannie.html A logic bomb allegedly planted by a former engineer at mortgage finance company Fannie Mae last fall would have decimated all 4,000 servers at the company, causing millions of dollars in damage and shutting down Fannie Mae for a least a week, prosecutors say. Unix engineer Rajendrasinh Babubha Makwana, 35, was indicted on 27 Jan 2009 in federal court in Maryland on a single count of computer sabotage for allegedly writing and planting the malicious code on Oct. 24, the day he was fired from his job. The malware had been set to detonate at 9:00 a.m. on Jan. 31, but was instead discovered by another engineer five days after it was planted, according to court records. Makwana, an Indian national, was an employee of technology consulting firm OmniTech, but he worked full time on-site at Fannie Mae's massive data center in Urbana, Maryland, for three years. On the afternoon of 24 Oct 2008, he was told he was being fired because of a scripting error he'd made earlier in the month, but he was allowed to work through the end of the day, according to an FBI affidavit (.pdf) in the case. "Despite Makwana's termination, Makwana's computer access was not immediately terminated," wrote FBI agent Jessica Nye. Five days later, another Unix engineer at the data center discovered the malicious code hidden inside a legitimate script that ran automatically every morning at 9:00 a.m. Had it not been found, the FBI says the code would have executed a series of other scripts designed to block the company's monitoring system, disable access to the server on which it was running, then systematically wipe out all 4,000 Fannie Mae servers, overwriting all their data with zeroes. [...]
Spammers hack into Government jobs website http://www.smh.com.au/news/technology/security/id-theft-alert-as-job-site-h acked/2009/01/26/1232818299147.html "The NSW Government website used to advertise public service jobs has been hacked into and the perpetrators have spammed the Government's database of job seekers with phony vacancies in an effort to steal personal data and possibly to spread viruses." [...] "However, Turner said the blame did not lie solely with the Government as 'any computer system can be hacked ... even American defence force computers'." [...] " 'The Department of Commerce is currently looking into the matter and has alerted the relevant authorities,' the spokeswoman said."
Kerri Ritchie, 28 Jan 2009 When a New Zealand man spotted a portable MP3 player for $US9 in an American op-shop, he thought he'd landed a real bargain. But Chris Ogle got far more than he bargained for. Instead of storing songs, the MP3 player contained secrets; 60 highly sensitive US military files. ... When he got back to New Zealand, he tried to download some songs onto his computer and says he got the shock of his life - 60 US military files labeled top secret popped up on his screen. ... Kerri Ritchie: The files contained the social security numbers, home addresses, even mobile phone numbers of American soldiers based in Afghanistan and Iraq. rest: http://www.abc.net.au/pm/content/2008/s2476665.htm [Also noted by Gene Wirchenko, http://arstechnica.com/security/news/2009/01/man-buys-used-ipod-gets-60-pages-of-sensitive-military-data.ars PGN]
Excerpts from http://www.foxnews.com/story/0,2933,484326,00.html : Transportation officials in Texas are scrambling to prevent hackers from changing messages on digital road signs after one sign in Austin was altered to read, "Zombies Ahead."* ...The sign was reverted back to its original message within hours... the signs are tamper-resistant and equipped with external locks. According to the blog i-hacked.com, some commercial road signs, including those manufactured by IMAGO's ADDCO division, can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," i-hacked.com reports. "Type whatever you want to display -- In all likelihood, the crew will not have changed [the password]." [Also noted by Geoffrey Brent: http://www.woostercollective.com/2009/01/hacking_the_grid_in_austin_zombies_ahead.html PGN]
Subject: Friends, Until I Delete You Douglas Quenqua, *The New York Times*, 29 Jan 2009 A person could go mad trying to pinpoint the moment he lost a friend. So seldom does that friend make his feelings clear by sending out an e-mail alert. It's not just a fact of life, but also a policy on Facebook. While many trivial actions do prompt Facebook to post an alert to all your friends - adding a photo, changing your relationship status, using Fandango to buy tickets to "Paul Blart: Mall Cop" - striking someone off your list simply is not one of them. It is this policy that Burger King ran afoul of this month with its "Whopper Sacrifice" campaign, which offered a free hamburger to anyone who severed the sacred bonds with 10 of the friends they had accumulated on Facebook. Facebook suspended the program because Burger King was sending notifications to the castoffs letting them know they'd been dropped for a sandwich (or, more accurately, a tenth of a sandwich). The campaign, which boasted of ending 234,000 friendships, is history now - Burger King chose to end it rather than tweak it to fit Facebook's policy - but the same can hardly be said of the emerging anxiety it tapped. As social networking becomes ubiquitous, people with an otherwise steady grip on social etiquette find themselves flummoxed by questions about "unfriending" people: how to do it, when to do it and how to get away with it quietly. ... http://www.nytimes.com/2009/01/29/fashion/29facebook.html
In the UK last week, Greenpeace asked its supporters to email their MP on the issue of runway expansion at Heathrow. Apparently, the email system in question was set up to send the supporter's email to their own MP -- and to copy the email to all the other targeted MPs on the system. As a result, 57 MPs each got thousands of emails in three or four hours. Hilarity ensued. What makes this interesting: the 57 targeted MPs are all *supporters* of Greenpeace's position, who were being asked in the emails to hold firm in their support. http://business.timesonline.co.uk/tol/business/columnists/article5600838.ece http://www.mattwardman.com/blog/2009/01/27/david-taylor-mp-raises-greenpeace-heathrow-automated-mass-email-campaign-in-parliament/
The Consumers' Association of Canada says it has been inundated with complaints from people who have been called by scam artists after placing their telephone numbers on the registry, which went into effect last September. The do-not-call list was created to prevent telemarketers from contacting people who do not want to be pestered with uninvited sales pitches. For companies to find out who they are not permitted to call, the Canadian Radio-television and Telecommunications Commission sells the list online for a fee. "You can buy any list you want of people who subscribe to the do-not-call registry online. The whole of Toronto costs you 50 bucks for 600,000 names," Bruce Cran, president of the CAC, said in a telephone interview yesterday. "That's just perfect for any telemarketer, because these are good names which they would otherwise have to pay money for to verify. In addition to that, there's no index list of cell phone numbers that you can get. However, people were encouraged to put their cell phone numbers on there as well." Source: Fraudsters abusing do-not-call list, *The Globe and Mail*, 23 Jan 2 009 http://www.theglobeandmail.com/servlet/story/RTGAM.20090123.wdonotcall23/BNStory/National/home The article makes it sound like names are also included in the lists, but the DNCL website seems to indicate otherwise (unless, of course, reverse-lookup is used with other public listings): http://www.crtc.gc.ca/ENG/INFO_SHT/t1028.htm
[Source: Anne E. Kornblut, *The Washington Post*, 22 Jan 2009, A01] If the Obama campaign represented a sleek, new iPhone kind of future, the first day of the Obama administration looked more like the rotary-dial past. Two years after launching the most technologically savvy presidential campaign in history, Obama officials ran smack into the constraints of the federal bureaucracy yesterday, encountering a jumble of disconnected phone lines, old computer software, and security regulations forbidding outside e-mail accounts. What does that mean in 21st-century terms? No Facebook to communicate with supporters. No outside e-mail log-ins. No instant messaging. Hard adjustments for a staff that helped sweep Obama to power through, among other things, relentless online social networking. "It is kind of like going from an Xbox to an Atari," Obama spokesman Bill Burton said of his new digs. In many ways, the move into the White House resembled a first day at school [...]. There were plenty of first-day glitches, too, as calls to many lines in the West Wing were met with a busy signal all morning and those to the main White House switchboard were greeted by a recording, redirecting callers to the presidential Web site. A number of reporters were also shut out of the White House because of lost security clearance lists. [...] http://www.washingtonpost.com/wp-dyn/content/article/2009/01/21/AR2009012104249.html
[From Dave Farber's IP] Got messages on various accounts over the weekend from American Express to tell cardholders that their 2008 year-end statement is online. Just click on this address, it said, giving an address. If you mouse-overed the address, a different address appeared in the status bar, and if you clicked on the address, you went to a third uniquely different address. I did so, on a machine that could be cleaned if it were compromised, twice. What I found when I got there is that after you clicked on the nonconforming link, you went to a page that asked you to input credit card information: either your existing login/password for the amex site *or*, if you didn't have login/pwd yet, to input your actual credit card information including card number, expiry date, and 4-digit "security code". Now I believe that the message was in fact legit: came from Amex and led you to a site that was what it said it was. What gobsmacked me was that Amex was using classic phishing technique to get you to their site, and asked you once there to engage in *exactly* the behavior that we tell everybody not to behave in. So what happened? Today we got two messages that obviously responded to the incomplete logins yesterday -- alerts to tell us that there was a problem with that account due to multiple attempted logins and asking us to login to the site to check and confirm information there. The "security messages" took exactly the same form: please click on this inconsistent URL and when you get to the page referenced, go ahead and input confidential information. I phoned Amex and nobody on their standard phone lines understood the issue, but they got me eventually to corporate in NYC and I spoke to someone in "investigations" who got what I was saying instantly and I could hear him shaking his head. He said he'd get on it. Archives: https://www.listbox.com/member/archive/247/=now
YOUR MONEY Ron Lieber, American Express Kept a (Very) Watchful Eye on Charges, *The New York Times*, 31 Jan 2009 You probably know that credit card companies have been scrutinizing every charge on your account in recent years, searching for purchases that thieves may have made. Turns out, though, that some of the companies have been suspicious of your own spending, too. In recent months, American Express has gone far beyond simply checking your credit score and making sure you pay on time. The company has been looking at home prices in your area, the type of mortgage lender you're using and whether small-business card customers work in an industry under siege. It has also been looking at how you spend your money, searching for patterns or similarities to other customers who have trouble paying their bills. In some instances, if it didn't like what it was seeing, the company has cut customer credit lines. It laid out this logic in letters that infuriated many of the cardholders who received them. "Other customers who have used their card at establishments where you recently shopped," one of those letters said, "have a poor repayment history with American Express." It sure sounded as if American Express had developed a blacklist of merchants patronized by troubled cardholders. But late this week, American Express told me that wasn't the case. The company said it had also decided to stop using what it has called "spending patterns" as a criteria in its credit line reductions. ... http://www.nytimes.com/2009/01/31/your-money/credit-and-debit-cards/31money.html
"The common law has traditionally accepted oral contracts - special cases, going back the the oddly-named Statue of Frauds, ..." What an excellent idea! Where is it? What does it look like? There has been a long-running debate on what should occupy the vacant fourth plinth in London's Trafalgar Square. [Woops! Your immoderate moderator's spelling checker had no trouble with that one, cast in concrete or frozen in stone. PGN]
(Epstein, RISKS-25.52) It seems that a reality check is required here. In simple terms we have to realise that there is no perfect solution to the problem of installing software patches, there are only choices between different risks. If we choose to install every patch immediately it is released we face the risk that a patch may conflict with existing software or hardware and bring systems to a halt. If we choose to delay installation, even by a day, we risk attacks from people who have reverse-engineered malware from the patches. Given that there is no win/win solution it appears to me that we either have to accept that our systems will occasionally fail or decide that using MS Windows for critical systems is tantamount to professional negligence. Bernard Peek, London, UK. DBA, Manager, Trainer & Author [This is an old issue for RISKS readers. However, it continues to be a serious issue. PGN]
... or Gresham's law? While it is a widely held belief, it is not a fact that C is "unable" to police array bounds. I cannot speak for Fortran or C++, but the C89 standard, at least, sufficiently circumscribes the definitions of pointers and the operations that may be reliably performed on them to _allow_ bounds-checking. A decent optimizing compiler could even "hoist" much of the checking out of loops etc. The issue is that much (most) software "written in C" is in fact "written in a language corresponding to the mental model formed by firing random snippets from Byte through the compiler one happened to have handy". A big part of that mental model is "A pointer is nothing more than a machine address, which is nothing more than an index into an undifferentiated sea of octets". Wrong in so many ways! There have been a few attempts at promoting C compilers that correctly compile correct programs, and diagnose issues with incorrect ones. These have been doomed by the overwhelming mass of incorrect programs. When the (time effective) solution to to the problem of error messages is to buy instead a compiler which does not emit them, the situation snowballs. "We have met the enemy, and he is us" (Walt Kelly) > To a first approximation, the lack of array bounds checking created the > virus/worm industry, and we are still paying handsomely for this. Actually, I disagree. A lack of clear separation of code and data, and a cavalier attitude toward "least privilege" has more to do with this, IMHO.
> "I haven't yet heard an apology from Fortran/C/C++/etc. creators over their inability to police array bounds." I suppose it would be going a bit too far to request a similar apology from writers of macro assemblers and autocoders? I'm presuming Henry has his tongue as firmly in his cheek as I do. The real risk has been that the art of computer programming is badly taught, and that the cherished ideal for many programmers is to not have to write a line of code ever again after some point in their lives. There IS a market for idiot-proof programming environments. But there is also a market for precision tools like C.
I don't think Tony Hoare should be apologizing for inventing null pointers. For any language with reference semantics, trying to program without being able to express a "reference to nothing" would be quite difficult. I am sure Tony Hoare could do it, but most programmers are not comfortable with the more formal languages that this would require. They think better in terms of simple assignments to state, pointer references, etc. For array bounds checking on the other hand, there is no excuse. Henry Baker <firstname.lastname@example.org> writes: > Madoff was a rank amateur by comparison. Computer "scientists" have been > producing insecure code like this since before NASDAQ was started. Well, at least with the compsci folks, they were unintentional early mistakes, compounded by generations of programmers enthusiastically repeating them. You use C yourself? Then you are just as culpable. Madoff on the other hand, was intentionally stealing from people for years.
Fortran (at least until 77) WAS amenable to the hardware policed, and hardware speed, storage area bound checking implemented by e.g. ICL's VME architecture. (As were, to my knowledge, all extant languages of the time.) Less efficient bound checking was also implementable in software. C was not, and had to have that mandatory checking suppressed (by allocating a vast uniform area of store for the entire "C supporting" environment) in order to run. It's possible (and if so, unfortunate) that subsequent Fortrans have jettisoned their sound industrial-strength approach to storage management, reducing their engineering quality to that of C.
Fortran's creators, at least, have nothing to apologise for: Fortran DOES allow array bounds to be checked and the Burroughs Fortran compiler DID check them. IBM's xlf compiler has a -C (-qcheck) option which makes the compiler check bounds. Sun's f95 compiler also has a -C option doing the same thing. Both GNU Fortran compilers (g77 and gfortran) have a -fbounds-check option. I agree that the compiler writers who do not make this the default have much to answer for, but the Fortran standardisers are under no obligation to apologise for a non-existent inability. It's interesting that Dijkstra waxed enthusiastic about Hoare's records, uses null extensively. If Dijkstra didn't see a problem, I don't think Hoare need blame himself overmuch. http://www.cs.utexas.edu/users/EWD/transcriptions/EWD01xx/EWD132.html Indeed, he may be claiming too much credit/blame for the idea. PL/I (designed in 1964) had null pointers (and null offsets). I don't know when it got them. Lisp had NIL well before that, so null pointers were an obvious invention. AED-0 started in 1961, and 'Its compact syntax was the first language to directly support "n-component elements" of Plex programming (now called "pointers", "records", and "fields".' Douglas Ross's classic "The AED-1 Free Storage Package" (CACM, Aug 1967) starts 'The use of multiword "n-component elements" for the representation and manipulation of complex problem models in programming systems was first proposed by the author in 1960'. I can't tell from that paper whether AED had null data pointers, but the paper certainly uses null function pointers, represented as 0. The earlier paper he mentioned was "A generalized technique for symbol manipulation and numerical calculation", CACM March 1961, which is the earliest reference I know to general linked webs of records. The idea was so new at the time that holding a machine address in a register was called "reversed use of index registers"! (For which 0 would have been possible.) Perhaps some Risks reader knows something about the history of AED and whether AED typed pointers allowed null references or not.
Please report problems with the web pages to the maintainer