It is now becoming more common to hear of wind power caused outages. The outages are either a loss of service because the wind has stopped blowing or, surprisingly, because there is too much wind. These problems were not so apparent when the percentage of wind power was low compared to the overall capacity, and in particular to rapid response generators such as hydro. It seems that wind power has become too successful and the engineering required to integrate it into different grids has lagged behind. In particular, the correct balance is not being achieved between wind power capacity in a region and the available replacement power sources - transmission and local non-base load sources. A recent outage in Texas illustrates the low wind example. An *IEEE Spectrum* article by Peter Fairley explains the overload scenario.

The Texas outage on February 27 as reported by Reuters:
http://www.reuters.com/article/domesticNews/idUSN2749522920080228?feedType=RSS&feedName=domesticNews&rpc=22&sp=true

"Electric Reliability Council of Texas (ERCOT) said a decline in wind energy production in west Texas occurred at the same time evening electric demand was building as colder temperatures moved into the state. The grid operator went directly to the second stage of an emergency plan at 6:41 PM CST (0041 GMT), ERCOT said in a statement. System operators curtailed power to interruptible customers to shave 1,100 megawatts of demand within 10 minutes, ERCOT said. Interruptible customers are generally large industrial customers who are paid to reduce power use when emergencies occur."

The IEEE article on power surges from wind farms is at http://spectrum.ieee.org/feb08/5943 and the key paragraph is this:

Wind-farm installation in Europe grew an estimated 38 percent last year, up from 19 percent in 2006, bringing the total capacity to about 67 gigawatts (roughly the equivalent of 20 to 25 standard-size nuclear power plants). At those rates, European grid operators report, windmill construction is outstripping growth in transmission capacity. The result is that in wind-farm-rich countries such as Germany and Denmark, high winds cause large and unanticipated power flows that saturate the grids of neighboring nations. In recent years this has forced grid operators to curtail scheduled transfers of power between grids. In 2008, the grid operators warn, the unanticipated power flows could overload lines anywhere from the Czech Republic to the Netherlands.
http://www.washingtonpost.com/wp-dyn/content/article/2008/03/13/AR2008031302277.html?hpid=topnews

FBI Found to Misuse Security Letters; 2003-06 Audit Cites Probes of Citizens
Dan Eggen, *The Washington Post*, 14 Mar 2008

The FBI has increasingly used administrative orders to obtain the personal records of U.S. citizens rather than foreigners implicated in terrorism or counterintelligence investigations, and at least once it relied on such orders to obtain records that a special intelligence-gathering court had deemed protected by the First Amendment, according to two government audits released yesterday.

The episode was outlined in a Justice Department report that concluded the FBI had abused its intelligence-gathering privileges by issuing inadequately documented "national security letters" from 2003 to 2006, after which changes were put in place that the report called sound.

A report a year ago by the Justice Department's inspector general disclosed that abuses involving national security letters had occurred from 2003 through 2005 and helped provoke the changes. But the report makes it clear that the abuses persisted in 2006 and disclosed that 60 percent of the nearly 50,000 security letters issued that year by the FBI targeted Americans. [...]

[See also http://www.reuters.com/article/topNews/idUSN0563517120080305 PGN]
Sharon Gaudin, *Computerworld*, 14 Mar 2008

A student at the University of Virginia has discovered a way to break through the encryption code of RFID chips used in up to 2 billion smart cards used to open doors and board public transportation systems.

Karsten Nohl, a graduate student working with two researchers based in Germany, said the problem lies in what he calls weak encryption in the MiFare Classic, an RFID chip manufactured by NXP Semiconductors. Now that he's broken the encryption, Nohl said he would only need a laptop, a scanner and a few minutes to get the cryptographic key to an RFID door lock and create a duplicate card to open it at will.

And that, according to Ken van Wyk, principal consultant at KRvW Associates, is a big security problem for users of the technology.

"It turns out it's a pretty huge deal," said van Wyk. "There are a lot of these things floating around out there. Using it for building locks is the biggy, especially when it's used in sensitive government facilities - and I know for a fact it's being used in sensitive government facilities."

Van Wyk told Computerworld that one European country has deployed military soldiers to guard some government facilities that use the MiFare Classic chip in their smart door key cards. "Deploying guards to facilities like that is not done lightly," he added. "They recognize that they have a huge exposure. Deploying guards is expensive. They're not doing it because it's fun. They're safeguarding their systems." He declined to identify the European country.

Manuel Albers, a spokesman for NXP Semiconductors, said the company has confirmed some of Nohl's findings. However, he said there are no plans to take the popular chip off the market.

"The MiFare chip was first introduced in 1994. At the time, the security level was very high," he said in an interview. "The 48-bit key lengths for encryption was state of the art."

Albers added that the company has other, more secure chips in its product portfolio these days, but the MiFare Classic is a relatively inexpensive, entry-level chip. Anyone needing a highly secure smart card should make sure there's layered security and not just depend on the chip's encryption, he said.

"We have to start this discussion, really, at the level where we differentiate between the security level the chip provides and the additional security features an entire card provides. You're dealing with a layered security system, like strands to a rope," said Albers, noting that between 1 billion and 2 billion smart cards with this MiFare Classic-type chip have been sold. "As long as there's demand for this product [and] system integrators saying this product is good enough for their platforms, we will continue to offer it."

Albers noted that NXP recently released MiFare Plus, which is backward-compatible with the MiFare Classic while offering better security. He said the company did not release the updated chip because of Nohl's findings, but it did use some of his information when designing it.

"The problem is the card and the card reader," said Nohl. "They speak the same cryptography language that is flawed. Both need to be replaced. There is a lot of infrastructure to be replaced. The encryption is not standard. It's weak. It uses two short keys."

While Albers said "the majority" of the smart cards with this chip are used as bus or subway cards, both van Wyk and Nohl said the real problem lies in the cards that are used as door locks.

"I don't think people want to steal other people's bus tickets," said Nohl. "But think about chemical waste storage buildings or military facilities. The stakes are a lot higher. If you break in, you don't get a $2 bus ticket, but [you get] whatever is in that warehouse. These cards are used around the world to secure high-level buildings. All these applications will suffer as soon as somebody with criminal intent finds the details that we have."

Nohl explained that since the MiFare Classic smart cards use a radio chip, he can easily scan them for information. If someone came out of a building, carrying a smart card door key, he could walk past them with a laptop and scanner in a backpack or bag and scan their card. He also could walk past the door and scan for data from the reader.

Once he's captured information from a smart card and the card reader on the door, he would have enough information to find the cryptographic key and duplicate a smart card with the necessary encryption information to open the door.

How long would it take him to capture the necessary information? About two minutes, he said.

Van Wyk thinks Nohl might be humble in his estimate. "He says it would take him two minutes to crack it? Two minutes? I'd like to know what he did with the other minute and 55 seconds," he said. "It is so easy to crack most of that stuff. I don't think it's general to RFID, but there are a lot of RFID implementations that haven't done this very well. You could do RFID well, but it turns out that not many vendors are."
http://voter.engr.uconn.edu/voter/Reports_files/seeA-tamperEVoting.pdf In this paper we present a security assessment of the Diebold AccuVote Optical Scan voting terminal (AV-OS), a popular OS terminal currently in wide deployment anticipating the 2008 Presidential elections. The assessment is developed using exclusively reverse-engineering, without any technical specifications provided by the machine suppliers. We demonstrate a number of security issues that relate to the machine's proprietary language, called AccuBasic, that is used for reporting election results. While this language is thought to be benign, especially given that it is essentially sandboxed by the firmware to have only read access, we demonstrate that it is powerful enough to (i) strengthen known attacks against the AV-OS so that they become undetectable prior to elections (and thus significantly increasing their magnitude) or, (ii) to conditionally bias the election results to reach a desired outcome. Given the discovered vulnerabilities and attacks we proceed to discuss how random audits can be used to validate with high confidence that a procedure carried out by special purpose devices such as the AV-OS has not been manipulated. We end with a set of recommendations for the design and safe-use of OS voting systems. During our own experimentation we found that the bytecode language offers a wealth of functions that can be potentially exploited by an attacker. In particular, we will demonstrate a time-bomb attack in which the bytecode checks the date and time in order to decide whether the election has begun. An attack utilizing such code can retain proper behavior in pre-election testing, in which the machine is verified by comparison with hand counted ballots, while behaving improperly during the actual election.
Almost a year ago I gave a talk at the CCC Camp in Germany I called "hacking the bionic man". It even made Wired, in some fashion.

http://blog.wired.com/27bstroke6/2007/08/will-the-bionic.html
http://events.ccc.de/camp/2007/Fahrplan/events/2049.en.html

In the talk, among other things such as the DNA and scripting languages, medical doctors and reverse engineers... was about cybernetic hacking. I gave some predictions, some for 2 years, others 40 years. Some again were pure science fiction. I was wrong on the 2 years, it's here.

Today, this came up in the news (hat tip to Paul Ferguson on the funsec mailing list):
http://www.nytimes.com/2008/03/12/business/12heart-web.html?_r=1&oref=slogin

"The threat seems largely theoretical. But a team of computer security researchers plans to report Wednesday that it had been able to gain wireless access to a combination heart defibrillator and pacemaker. They were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal - if the device had been in a person. In this case, the researchers were hacking into a device in a laboratory."
"Security and Privacy of Implantable Medical Devices," Daniel Halperin, Thomas S. Heydt-Benjamin, Kevin Fu, Tadayoshi Kohno, and William H. Maisel, IEEE Pervasive Computing, January 2008. http://www.secure-medicine.org/PervasiveIMDSecurity.pdf "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," Daniel Halperin, Thomas S. Heydt-Benjamin, Benjamin Ransford, Shane S. Clark, Benessa Defend, Will Morgan, Kevin Fu, Tadayoshi Kohno, and William H. Maisel, IEEE Symposium on Security and Privacy, May 2008. http://www.secure-medicine.org/icd-study/icd-study.pdf
My father has a pacemaker wired to his heart and is therefore required to stay away from things like domestic microwave ovens. What might happen to him if this device were used to stop a perpetrator in his vicinity?
from boingboing: Teen pranksters switch off San Francisco's electric buses (Posted by Cory Doctorow), 11 Mar 2008 Destiny sez, "San Francisco is now stymied by 'bus tampering.' Their new electric 'hybrid' buses have an on/off switch—which, unfortunately, 'can be accessed easily through an unlocked panel on the outside of the bus.' 'When that happens, the drivers can't accelerate, they lose radio contact with dispatchers and the interior lights on the buses go out.' Teenage pranksters then pelt the immobile buses with rocks." Link (Thanks, Destiny!) http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/03/07/BAOKVF1E8.DTL&tsp=1SF
Three major UK ISPs apparently are in advanced talks with a company called Phorm, intending to let Phorm monitor all unsecured web traffic to and from their users. The expressed intent is to offer an "improved browsing experience" through better targeted web advertising, and anti-phishing protection - thereby "improving" one's internet security. One, BT, has already trialed the system. The ISPs and Phorm are remarkably coy about the system, and Phorm in particular appears to have offered inconsistent explanations of how it all works. However, it does appear clear that this system provides access for a private company to an unprecedented amount of data that even the UK government is not permitted (at least without a court order). Phorm promise faithfully not to record information such as bank details or telephone numbers :-) Phorm claim the data is summarized and anonymized; regular readers of RISKS will I'm sure be aware that true anonymization is exceedingly difficult - and in fact this scheme would give ready access to identities should anyone take the trouble. Quite apart from being a breach of trust by the ISPs involved, it appears to drive a coach, horses and a whole army through protection offered by assorted UK legislation, including the Data Protection Act, Computer Misuse Act, Regulation of Regulatory Powers Act, etc, etc. It will if nothing else provide a central point for cracking to obtain information about these ISPs' users. The proposed system has been mentioned in passing in the media - who regrettably seem to have accepted without further investigation Phorm's assurances that there's no privacy issue. They've not even noticed that the so-called "opt-out" won't stop the data scanning, just the ads. Oh, did I forget to mention Phorm used to be 121Media, of rootkit and PeopleOnPage fame? And involves servers outside the EU, in China in particular? I think there's not so much a RISK, more of a CERTAINTY that this will go pearshaped. 
References:

http://www.phorm.com/isp_partners/
http://www.oix.com/index.html
http://www.badphorm.co.uk
http://www.theregister.co.uk/2008/02/29/phorm_roundup/
http://www.techdirt.com/articles/20080218/024203278.shtml
http://www.guardian.co.uk/technology/2008/mar/06/internet.privacy (and note that the Guardian has signed up with phorm for the targeted ads scheme)
http://www.theregister.co.uk/2008/02/27/bt_phorm_121media_summer_2007/ (and so on...)

[BTW this issue affects virginmedia, BT and talktalk in the UK - around 10 million people iirc. Other ISPs are waiting to jump on the bandwagon. Talktalk seem to be backpedaling, and may be making it opt in, although there is still major doubt about what /exactly/ is happening.]

http://www.scottsonline.org.uk lists incoming sites blocked because of spam
mike@scottsonline.org.uk Mike Scott, Harlow, Essex, England
(I doubt this story is true, but still it is too good not to pass on -p) TSA can't believe MacBook Air is a real laptop, causes owner to miss flight; posted 10 Mar 2008 by Darren Murph http://www.engadget.com/2008/03/10/tsa-cant-believe-macbook-air-is-a-real-laptop-causes-owner-to/ The TSA has been known to take issue with products designed in Cupertino before, but for one particular traveler, it was Apple's thinnest laptop ever that caused the latest holdup. Upon tossing his ultra-sleek slab of aluminum underneath the scanner, security managed to find enough peculiarities to remove it from the flow, pull it aside and wrangle up the owner for some questions. Apparently, the TSA employee manning the line was flabbergasted by the "lack of a drive" and the complete absence of "ports on the back," and while hordes of co-workers swarmed to investigate, the user's flight took off on schedule. Thankfully, said owner was finally allowed to pass through after some more in-the-know colleagues explained in painfully simple terms what an SSD was, but the poor jet-setter most definitely paid the price for trying to slip some of the latest and greatest under the sharp eyes of the TSA (and cutting it close on time, of course).
Yet another example of a major company sending e-mail that looks like phishing in E-mail from Paypal:

Dear Andrew Koenig,

Now you can pay with PayPal at all your favorite shopping sites, even when it's not an option at checkout. Use the new PayPal Plug-in to:

* Shop securely anywhere online
* Fill out shipping forms in 1 click.
* Save your receipts to review anytime

Install in seconds - download for free and start Shopping today!

The words "download for free" are a hyperlink, and when I hover the cursor over it, I learn that it is a link to http://email1.paypal.com/u.d?xxxxxxxx=nnn, where the x represents various letters and digits and the n's represent digits.

So unless email1.paypal.com is somehow now part of the PayPal domain, this appears to be a legitimate solicitation disguised as a phishing attempt. As I remarked last time, they appear to be trying to train their customers to fall for phishing scams. What on earth could they be thinking?
Yahoo's CAPTCHA Security Reportedly Broken
January 17, 2008 06:00 PM
http://www.informationweek.com/news/showArticle.jhtml?articleID=205900620

Streamlined anti-CAPTCHA operations by spammers on Microsoft Windows Live Mail
Feb 6 2008 1:37PM
http://www.websense.com/securitylabs/blog/blog.php?BlogID=171

Google's CAPTCHA busted in recent spammer tactics
Feb 22 2008 4:52PM
http://www.websense.com/securitylabs/blog/blog.php?BlogID=174
My G4 PowerMac was replaced by an intel-Mac this week. I had a number of problems, notably browsers not coping with links to PDFs. My sysadmin fixed all this, but we thought she hadn't, because in Safari, when you link on a PDF link, it opens up a black window, and then while it is fetching the document, it spins a black "daisy" that has replaced the old beachball. If you know it is there, you can just see it, but if you don't know to expect it, you will never notice it. Black information on a black background? Not what I'd expected from Apple.
On reading [Mark Brader's post], I checked to discover that my watch was a day ahead. But not because it wasn't the smarter kind. On the contrary, it understands that 29 Feb occurs one year in four [almost], but was set to the wrong year in the cycle! Perhaps you need to run this posting next year. As a user interface risk: I haven't figured out how to find the right year on my watch other than by cycling through the months and checking whether it accepts February 29th then, once it does, stepping through the months again. Clive D.W. Feather http://www.davros.org +44 20 8495 6138 clive@davros.org
I have 3 clocks, each of different generation, and each has its set of bugs:

* My watch is a pocket analog one, its date has to be set 5 times a year (by turning the crown).
* My bedside clock is 1980-vintage big red LED digital (best for displaying time at night). It doesn't know about Feb. 29, so its date display has to be set once every 4 years (by running around the year - it has a "fast forward" button but no way to step down).
* The latest acquisition is an LCD clock which also shows the year number, so it can figure out leap days; it might have a problem in 2100, if it lasts that long. It sets itself by listening to a radio time signal, so theoretically it should never have to be set at all, but every now and then it glitches and displays a wrong time, date or year; the difference is always a power of 2 in one of the digits, which looks like it's getting the data in some sort of BCD format, without any checksum or sanity check (which is not news on RISKS). I wonder how many critical installations are using the same chip.
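
The failure mode described in the post above (a one-bit reception error moving a single BCD digit by a power of two, accepted because nothing checks it) can be reproduced and caught with per-field parity plus range checks. This is an added example, not part of the original post; the field list, parity scheme and function names are constructed for illustration and do not describe any particular time-signal format or clock chip.

```python
# Added illustration with a constructed frame layout (not a real time-signal
# format or clock chip): bit errors in BCD fields, with and without checks.

# (field name, lowest valid value, highest valid value)
FIELDS = [
    ("minute", 0, 59),
    ("hour", 0, 23),
    ("day", 1, 31),
    ("month", 1, 12),
    ("year", 0, 99),
]

SAMPLE = {"minute": 41, "hour": 13, "day": 14, "month": 3, "year": 8}  # constructed


def to_bcd(value):
    """Pack a two-digit decimal value as tens nibble | units nibble."""
    tens, units = divmod(value, 10)
    return (tens << 4) | units


def from_bcd(raw):
    """Return (value, digits_ok); digits_ok is False for a nibble above 9."""
    tens, units = raw >> 4, raw & 0xF
    return tens * 10 + units, tens <= 9 and units <= 9


def parity(raw):
    """Parity bit the sender attaches: 1 if the field has an odd number of 1s."""
    return bin(raw).count("1") & 1


def encode(ts):
    """Build a frame: each field carries its BCD bits and one parity bit."""
    return {name: (to_bcd(ts[name]), parity(to_bcd(ts[name]))) for name, *_ in FIELDS}


def flip_bit(frame, name, bit):
    """Simulate a reception error: invert one data bit, leave parity as sent."""
    raw, par = frame[name]
    damaged = dict(frame)
    damaged[name] = (raw ^ (1 << bit), par)
    return damaged


def decode_naive(frame):
    """What the post suspects the clock does: trust the bits as received."""
    return {name: from_bcd(frame[name][0])[0] for name, *_ in FIELDS}


def decode_checked(frame):
    """Decode, reporting every field that fails parity or a range check."""
    values, errors = {}, []
    for name, low, high in FIELDS:
        raw, par = frame[name]
        value, digits_ok = from_bcd(raw)
        if parity(raw) != par:
            errors.append(f"{name}: parity mismatch")
        if not digits_ok or not low <= value <= high:
            errors.append(f"{name}: out of range")
        values[name] = value
    return values, errors


if __name__ == "__main__":
    clean = encode(SAMPLE)
    single = flip_bit(clean, "year", 5)                       # tens digit 0 -> 2
    double = flip_bit(flip_bit(clean, "month", 4), "month", 5)  # parity unchanged
    for label, frame in (("clean", clean), ("single", single), ("double", double)):
        print(label, decode_naive(frame), decode_checked(frame)[1])
```

Parity alone misses the two-bit error and a range check alone misses the single-bit one, which is why the checked decoder applies both before the display is updated.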
USENIX is pleased to announce open public access to all its conference proceedings. This significant decision will allow universal access to some of the most important technical research in advanced computing. In making this move USENIX is setting the standard for open access to information, an essential part of its mission. USENIX could not achieve such goals without the support and dedication of its membership. We urge you to encourage others to join USENIX. Membership helps us present over 20 influential conferences each year and offer open access to the technical information presented there. USENIX conference proceedings can be found at: http://www.usenix.org/publications/library/proceedings/ Questions? Contact papersinfo@usenix.org. [This is a wonderful step in the pursuit of open access to information, PGN]