Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
On 10 Jun 1999 a 16-inch diameter steel pipeline operated by the now-defunct Olympic Pipeline Co. ruptured near Bellingham, Washington, flooding two local creeks with 237,000 gallons of gasoline. The gas ignited into a mile-and-a-half river of fire that claimed the lives of two 10-year-old boys and an 18-year-old man, and injured eight others. Wednesday, computer-security experts who recently re-examined the Bellingham incident called its victims the first verified human casualties of a control-system computer incident. They argue that government cybersecurity standards currently under debate might have prevented the tragedy. ... Following the 1999 incident, a nearly three-year investigation by the National Transportation Safety Board concluded that multiple causes contributed to the deadly conflagration, including pipeline damage inflicted by construction workers years earlier, and a misconfigured valve. But the factor that intrigues Joe Weiss (Applied Control Solutions) and Marshall Abrams (MITRE) is a still largely unexplained computer failure that began less than 30 minutes before the accident and paralyzed the central control room operating the pipeline, preventing workers from releasing pressure in the line before it hemorrhaged. With support from the U.S. National Institute of Standards and Technology, Weiss and Abrams pored over public government records on the incident, looking at it through the lens of a pending cybersecurity standard called NIST 800-53. The duo concluded that the requirements in the standard would have prevented the explosion from occurring. ... Security experts and government investigators have long warned that the complex networks controlling critical infrastructures like the power grid, and gas and oil pipelines, were not built with security in mind—a point driven home by several incidents of the systems failing. In January 2003, the Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant and disabled a safety-monitoring system for nearly five hours. Later that year, a software bug in a General Electric energy-management system contributed to a cascading power failure that cut off electricity to 50 million people in eight states and a Canadian province. [Source: Ryan Singel, Wired.com, Threat Level: Privacy, Security, Politics and Crime Online, blog 9 Apr 2008; PGN-ed] http://blog.wired.com/27bstroke6/2008/04/industrial-cont.html
Another instance of directions from a GPS navigational device overriding common sense: A police report said the driver of a charter bus (11' 8") carrying 22 students told police he was following directions from a global positioning device prior to a crash into a pedestrian overpass that was too low (9' clearance). [Source: Seattle, KIRO TV, 17 Apr 2008] http://www.kirotv.com/news/15912549/detail.html
This weekend I was doing some last-minute work on my taxes, using TurboTax Deluxe tax software. TurboTax has an online site, ItsDeductible.com, that you can go to in order to get help in determining the value of non-monetary charitable deductions you've made. I had been to the ItsDeductible site once or twice in the past, and had had a little trouble logging in. So I went to a section on the site to try and change my login name, which I had made much too long. I started to type in my current information, and when I typed in the first letter of my first name, the auto-complete function put in the name "Jason" instead of my name. That seemed very strange, because I am the only person who ever uses this computer, and my name is not Jason. I changed it back to my own first name, and typed in my last name. Then I tabbed to the address field. As I typed in the first digit of my 3-digit house number, the house number and street name of my next-door-neighbor showed up in the auto-complete list! Since I know these neighbors, and know that the homeowner's first name is "Jason", I next moved back up to the "Last name" field of the form. I typed in the first letter of what I know is Jason's last name. And Jason's last name came up in the auto-complete list! There seems to be some way that my next-door-neighbor's information got into my PC. They always have their wireless internet on, but my wireless reception is usually disabled. I really don't know how this could have happened. Of course, since the problem showed up while I was doing my taxes, I am even more paranoid about what information of mine might have been swapped between households. I tried to make the problem repeat after a reboot, but was unable to duplicate the login screen. I also checked my "Identity Safe" passwords from Norton, and see that only my own information is saved for that web site. The browser I used was Firefox, but I can't find a way to see how it has stored its auto-complete section.
The Oklahoma DOC published a web interface where the URL contained the SQL query executed to retrieve the data to be reported. Thus, any knowledgeable user could execute general SQL queries against a database containing large amounts of personal information—including UPDATE statements (!) It was taken down only after management was shown that THEIR personal information was available. http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx
Business Week reports that Mastercard is to launch a new service which will, among other things, allow the payer of a corporate or other card to receive real-time alerts as to what the card is being used for. http://www.businessweek.com/magazine/content/08_16/b4080031217154.htm The risks are left as an exercise for the reader...
An e-mail scam aimed squarely at the nation's top executives is raising new alarms about the ease with which people and companies can be deceived by online criminals. Thousands of high-ranking executives across the country have been receiving e-mail messages this week that appear to be official subpoenas from the United States District Court in San Diego. Each message includes the executive's name, company and phone number, and commands the recipient to appear before a grand jury in a civil case. A link embedded in the message purports to offer a copy of the entire subpoena. But a recipient who tries to view the document unwittingly downloads and installs software that secretly records keystrokes and sends the data to a remote computer over the Internet. This lets the criminals capture passwords and other personal or corporate information. Another piece of the software allows the computer to be controlled remotely. According to researchers who have analyzed the downloaded file, less than 40 percent of commercial antivirus programs were able to recognize and intercept the attack. The tactic of aiming at the rich and powerful with an online scam is referred to by computer security experts as whaling. The term is a play on phishing, an approach that usually involves tricking e-mail users - in this case the big fish - into divulging personal information like credit card numbers. Phishing attacks that are directed at a particular person, rather than blasted out to millions, are also known as spear phishing. The latest campaign has been widespread enough that two California federal courts and the administrative office of the United States Courts posted warnings about the fake messages on their Web sites. Federal officials said they stopped counting after getting hundreds of phone calls from corporations about the messages. At midday on 15 Apr 2008, one antispam company, MX Logic, said in a Web posting that its service was still seeing at least 30 of the messages an hour. [Source: John Markoff, *The New York Times*, 16 Apr 2008; excellent long article, PGN-ed] http://www.nytimes.com/2008/04/16/technology/16whale.html?ex=1365998400&en=208591045a06cdff&ei=5090
Aer Lingus blamed a technical fault for Wednesday's error, which saw up to 300 people book 5-euro business-class flights to the US. However, the airline will provide economy-class seats to the customers who made the reservations between 7.30am and 9am, when a promotional fare test webpagewas mistakenly put up live. [The flights of course were not 5 euro but about 150 euro each when taxes and charges were added. PO'B] [Source: RTE news; PGN-ed] http://www.rte.ie/news/2008/0418/aerlingus.html Patrick O'Beirne, Systems Modelling Ltd. http://www.sysmod.com/ (+353)(0) 5394 22294
Emil Protalinski, 15 Apr 2008 Internet users are quite familiar with the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA), a quick method that verifies whether or not the user trying to sign up is a person or a bot. A picture with swirled, mangled, or otherwise distorted characters is displayed and the user then types in the correct letters or numbers. Thus far, the system has worked well to slow down malicious bots, but recently the groups behind such software have made significant strides. A security firm is now reporting that the CAPTCHA used for Windows Live Mail can now be cracked in as little as 60 seconds. Back in early February, a group cracked Windows Live Hotmail's CAPTCHA. A few weeks later, Gmail's version followed suit. In just over a month's time, some anti-spam vendors were forced to completely block the domain for the popular service as bots signed up for thousands of bogus accounts and began to flood the tubes with e-mail advertisements for lottery tickets and watches. The close proximity of the two cracks has done everything but sealed CAPTCHA's fate. To make matters worse, Websense Security Labs is now reporting that the method for getting around Windows Live Mail's CAPTCHA has been improved to the point that a bot can decipher the text and make a guess in less than six seconds, on average. Windows Live Hotmail's Anti-CAPTCHA automatic bot, which hooks itself into Internet Explorer on a victim's machine, has a success rate of about 10-15 percent. That means that it takes up to one minute for a single bot to create a new account. ... http://arstechnica.com/news.ars/post/20080415-gone-in-60-seconds-spambot-cracks-livehotmail-captcha.html
We recently reconfigured our mail SW and for a couple of days I got a few hundreds of rejected-mail bounce messages. My e-mail address has been forged by spammers for years and these bounces came from handling such fraudulent messages. No one in this world, so far as I know—and I have searched the records for years, and employed agents to help me—has ever lost money by underestimating the intelligence of the great masses of the mail system administrators. And I can't be the first to have observed that. So I am prepared to believe that there are at least a few hundred admins out there who have never heard of spam and fraudulent "From:" lines. But many if not most of these messages came from machines that either advertised themselves as spam filters, or showed that the message had passed through spam filters! One could make it a legal offence to reply to the "From:" address of a message one had classified as spam. It likely wouldn't curb the phenomenon, but it would ensure a steady flow of cash to the state, which could then redistribute it amongst Internet infrastructure providers. Peter B. Ladkin, Causalis Limited and University of Bielefeld www.causalis.com www.rvs.uni-bielefeld.de [NOTE: neumann and risks From: addresses have been widely forged in the past few weeks. PGN]
Published: 2008-04-16, Last Updated: 2008-04-16 19:14:00 UTC by Bojan Zdrnja (Version: 3) Back in January there were multiple reports about a large number of web sites being compromised and serving malware. Fellow handler Mari wrote the initial diary at http://isc.sans.org/diary.html?storyid=3834 . Later we did several diaries where we analyzed the attacks, such as the one I wrote at http://isc.sans.org/diary.html?storyid=3823 . Most of the reports about these attacks we received pointed to exploitation of SQL Injection vulnerabilities. Yesterday, one of our old friends, Dr. Neal Krawetz, pointed us to another site hosting malicious JavaScript files with various exploits. While those exploits where more or less standard, we managed to uncover a rare gem between them - the actual executable that is used by the bad guys in order to compromise web sites. While we had a general idea about what they do during these attacks, and we knew that they were automated, we did not know exactly how the attacks worked, or what tools the attackers used. The strategy was relatively simple: they used search engines in order to find potentially vulnerable applications and then tried to exploit them. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site. The utility we recovered does the same thing. The interface appears to be is in Chinese so it is a bit difficult to navigate around the utility, but we did some initial analysis of the code (which is very big) to confirm what it does. ... http://isc.sans.org/diary.html?storyid=4294
And what would be the likelihood that the handheld computers could be re-used for the 2020 Census? Would the vendor still support the more than 10-year-old hardware at that time? How many RISKS subscribers are still using 10+ year old computers? The risk: Spending gigantic wads of money on something that will be obsolete before it can be used even a second time?
This might be a simple captcha hacking operation. Well designed captchas are hard to break programmatically, so people put up stuff like this to get people to do the work for them. Randy Roberts, Global Network Security Capability EDS,Security & Privacy Service Line, MD 354 4000 North Mingo Road Tulsa, OK 74116 +1 918 939-4844 [Also noted by Joseph Gwinn. PGN]
Let's just say this: If you're running a marketing campaign for some company, you'd want to have some way of collecting metrics that allow you to go back to the sponsoring company and say "Look, we got you this many qualified leads. Of these, this many bought your product. So you owe us $X plus $Y as a bonus..." Anyway, that is why a company will send you an e-mail, expect you to click a link and end up at the client company's website.
If the onboard navigation system was designed by TomTom it will probably ask you all these questions whilst you're driving. TomTom appears to have decided in Navigator 6 that certain things like setting up a data link for traffic information are important enough to divert your attention from the road, and there's no disabling that question. It would be nice if someone added an 'adult' mode where you can take some of those decisions yourself again, and just once instead of every time.. Tomtom have a watchdog idea too, and the potential flaws in both this and the Nissan approach are identical: a flawed map or analysis will make a mess of the conclusion. In the case of Tomtom, maps include in some places speed limit information which is in itself not such a bad idea. The idea went off the cliff by making display modifications based on the speed data. When you exceed the "map limit", the speed indicator goes red. When you go WELL over the speed limit it starts blinking, not normal-inverse but visible-invisible, at approx a 1Hz frequency. In other words, for a precise speed indication you may have to take your eyes off the road for a full second in the worst possible conditions. Duh. Oh, and no way to disable that feature either. But no fears of Big Brother speed limits via GPS: not only did I find the speed limit data far from accurate, even when corrected there's another fly in the ointment: variable limits. In various countries, multiple speed limits are deployed, adjusted according to situation (snow, pollution, accidents etc). Which speed limit do you store? All I'm waiting for now is a government imposed feature where speeding drivers will be automatically diverted into the nearest traffic jam..
> Then after thrashing it on the track, you must take it for a $1000 Nissan > High Performance Center safety check or the warranty is void. GPS jammers cost less than $100. Does the car work if it can't get a GPS fix?
PROGRAM: http://www.ieee-security.org/TC/SP2008/oakland08.html May 18-21, 2008, The Claremont Resort Berkeley/Oakland, California, USA Claremont Hotel Group Rate Deadline: April 25, 2008 Contact: Yong Guan <guan@iastate.edu>
BKCMSCPP.RVW 20080204 "Computer Security: Principles and Practice", William Stallings/Lawrie Brown, 2008, 978-0-13-600424-0 %A William Stallings williamstallings.com/CompSec/CompSec1e.html %A Lawrie Brown %C One Lake St., Upper Saddle River, NJ 07458 %D 2008 %G 0-13-600424-5 978-0-13-600424-0 %I Prentice Hall %O 800-576-3800 416-293-3621 +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0136004245/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0136004245/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0136004245/robsladesin03-20 %O Audience i+ Tech 2 Writing 3 (see revfaq.htm for explanation) %P 798 p. %T "Computer Security: Principles and Practice" I am woefully laggard in getting this review out, particularly since I reviewed the text in process, last fall, and therefore have to declare a possibility of bias. The preface states that the book is intended as the text for a one- or two-semester course in computer security. The work is also addressed to professionals as a basic reference. In that latter regard it may come up short, missing elements of infrastructure, fire protection, investigation, forensics, and being rather weak in terms of architecture and business continuity planning. There is a rather interesting chapter zero in the volume (it and chapter one are presumably "part zero," which is sound computing theory, but somewhat bemusing in a book) laying out the structure of the text, as well as pointing to the technical resource and course Website, noted above. Chapter one defines fundamental security terms and concepts from various sources. The list is comprehensive, but, given sometimes conflicting positions, little attempt is made to analyze, integrate, or unify the material. There is an excellent set of references and a solid set of questions and problems, as well as a brief appendix addressing security standards and documents. Part one involves computer security technology and principles. Chapter two introduces cryptographic tools. The basic ideas of cryptography are presented, but one must go to other chapters and appendices for details and usage of the technology. This structure is unusual in cryptographic literature, but the new perspective may demonstrate somewhat stale abstractions in a fresh way. It is rather odd that the coverage of authentication, in chapter three, does not note the IAAA model of Identification, Authentication, Authorization, and Accountability. Access control, in chapter four, is limited to data access. ( The authors also follow the original paper describing Role-Based Access Control as a form of mandatory access control, even though RBAC is now frequently used in discretionary access control environments.) Chapter five's discussion of database security emphasizes the theoretical aspects of that specialty. Intrusion detection is introduced in chapter six. Malicious software is given a scholarly, rather than practical, treatment in chapter seven, but the content is more accurate than is usual even in the security literature. Denial of service attacks are addressed in chapter eight. Chapter nine's review of firewalls concentrates, almost exclusively, on stateful inspection, and the material on intrusion prevention systems repeats, to a large extent, chapter six. Trusted computing and multilevel security, in chapter ten, are discussed in terms of formal security models and security architecture. Part two deals with software security, with chapter eleven being devoted to the topic of buffer overflows, and the other software subjects covered comprising chapter twelve. Part three contains topics the authors consider to be management issues. These are (in order through chapters thirteen to eighteen), physical and infrastructure security, human factors (primarily policy and awareness concerns), auditing security management and risk assessment, security controls (plans and procedures), and legal and ethical aspects. Part four details cryptographic algorithms, and the material is as good as one might expect from the author of "Cryptography and Network Security" (cf. BKCRNTSC.RVW). Symmetric encryption and message confidentiality, illustrated by the Data Encryption Standard and the advanced Encryption Standard, is the topic of chapter nineteen. Asymmetric cryptography and hashes are in twenty. Part five turns to Internet security. Some Internet security protocols and standards are listed in chapter twenty-one. A detailed look at Kerberos leads off chapter twenty-two's examination of authentication applications. Operating systems security is the subject of part six, with a look at the Linux model in chapter twenty-three, and Windows in twenty-four. Appendices at the end of the book provide information on number theory, pseudorandom number generation, projects for teaching security, standards and standards organizations, and the TCP/IP protocol suite. Of the various domains of information systems security, there is limited material in regard to the security implications of various aspects of computer hardware and architecture, the formation of an architectural model for security design, and business continuity planning. Otherwise, however, the coverage is quite comprehensive, much more so than in other course texts such as Gollman's excellent but now aging "Computer Security" (cf. BKCOMPSC.RVW), Bishop's rather abstract "Computer Security: Art and Science" (cf. BKCMSCAS.RVW), and Stamp's interesting, but sometimes spotty, "Information Security: Principles and Practice" (cf. BKINSCPP.RVW). Anderson's "Security Engineering" (cf. BKSECENG.RVW) is, of course, not only a solid text, but also a useful professional reference, and Stalling and Brown might wish to examine the practical issues dealt with in that work. A range of editions of the "Information Security Management Handbook" (cf. BKINSCMH.RVW) would have similar overview, and more detail, but hardly in a single volume. There is also the "Official (ISC)^2 Guide to the CISSP Exam" (cf. BKOIGTCE.RVW), and now the "Official (ISC)^2 Guide to the CISSP CBK," but Stalling and Brown's work, while less broad and detailed, is more academically rigorous. copyright Robert M. Slade, 2008 BKCMSCPP.RVW 20080204 rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org http://victoria.tc.ca/techrev/rms.htm
Please report problems with the web pages to the maintainer