Software incompatibility was part of a chain of events leading to the wrong patient getting an appendectomy. News story: http://www.santacruzsentinel.com/ci_9356389 Original report: http://www.cdph.ca.gov/certlic/facilities/Documents/HospitalAdministrativePenalties-2567Forms-LNC/2567DominicanHospital-SantaCruz-Event-QQGN11.pdf or http://preview.tinyurl.com/49u49w
[via Natarajan Shankar] Udo de Haes, Andreas, InterGovWorld.com (21 May 2008) The Netherlands has banned the use of electronic voting machines in future elections due to concerns that the technology was too vulnerable to eavesdropping. "Developing new equipment furthermore requires a large investment, both financially and in terms of organization," according to the Ministry of Internal Affairs. "The administration judges that this offers insufficient added value over voting by paper and pencil." The Dutch government also banned voting printers, which were criticized by a group of experts led by Bart Jacobs, a professor at Radboud University in Nijmegen, over similar security concerns. The Netherlands will make use of electronic vote counting, and will conduct tests to improve its effectiveness. The local activist group "Wij vertrouwen stemcomputers niet" (We don't trust voting computers), led by computer hacker Rop Gonggrijp, declared the decision a victory for those who want verifiable election results.
[From johnmacsgroup]

Phlashing attack thrashes embedded systems
John Leyden, *The Register*, 21 May 2008
<http://www.theregister.co.uk/2008/05/21/phlashing/>

A security attack that damages embedded systems beyond repair was demonstrated for the first time in London on Wednesday. The cyber-assault thrashes systems by abusing firmware update mechanisms. If successful, the so-called phlashing attack would force victims to replace systems.

The attack was demonstrated by Rich Smith, head of research for offensive technologies and threats at HP Systems Security Lab, at the EUSecWest <http://www.eusecwest.com/agenda.html> security conference in London on Wednesday. Smith told Dark Reading that such a "permanent denial of service" attack could be carried out remotely over the Internet. <http://www.darkreading.com/document.asp?doc_id=154270&WT.svl=news1_1>

Theoretically the attack could be both more effective (as the damage caused would be harder to recover from) and cheaper than conventional denial of service attacks, which typically rely on hackers paying to rent control of a network of compromised PCs.

The PhlashDance approach relies on exploiting frequently unpatched vulnerabilities in embedded systems, such as flaws in remote management interfaces, to get access to a system. That alone wouldn't be enough, but because firmware updates are seldom secured, the possibility exists of making an update that effectively trashes a system. Smith is calling on vendors to authenticate the mechanism as one way of defending against such attacks. He is demonstrating a tool to search for vulnerabilities in firmware, as well as an attack mechanism to corrupt vulnerable firmware, at EUSecWest.

There's no record of such an attack ever occurring, and other security watchers are skeptical over whether crackers could make money - the main motive for denial of service attacks - from such an approach.

Both H D Moore of Metasploit fame and the Hack a Day blog reckon that exploiting vulnerabilities to plant malware in firmware is a far more insidious and dangerous type of attack than simply destroying systems. Another presentation at EUSecWest will demonstrate a proof of concept rootkit capable of covertly monitoring and controlling Cisco routers. The Cisco IOS rootkit software was developed by Sebastian Muniz, of Core Security. <http://www.hackaday.com/2008/05/20/phlashing-denial-of-service-attack-the-new-hype>
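An added example, not code from the Register article, from HP's PhlashDance tool or from any vendor, of the defence Smith asks for: the device accepts a firmware image only if an Ed25519 signature over it verifies against a pinned vendor key, and the version never rolls back. The image layout, key pair and payload are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not any vendor's format):
//   4-byte big-endian version | payload | 64-byte Ed25519 signature over (version || payload)
const sigLen = ed25519.SignatureSize

var (
	ErrTruncated    = errors.New("firmware: image too short to contain a signature")
	ErrBadSignature = errors.New("firmware: signature does not verify against vendor key")
	ErrRollback     = errors.New("firmware: version is older than the installed one")
)

// BuildImage is the vendor-side step: sign version||payload with the vendor's private key.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 4, 4+len(payload)+sigLen)
	binary.BigEndian.PutUint32(body, version)
	body = append(body, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the device-side gate an unauthenticated updater lacks: nothing is written
// to flash unless the signature verifies and the version does not go backwards. The version
// field is trusted only after the signature covering it has been checked.
func VerifyImage(pub ed25519.PublicKey, installed uint32, image []byte) (uint32, []byte, error) {
	if len(image) < 4+sigLen {
		return 0, nil, ErrTruncated
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(body[:4])
	if version < installed {
		return 0, nil, ErrRollback
	}
	return version, body[4:], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // vendor key pair, generated here for the demo
	img := BuildImage(priv, 2, []byte("constructed payload"))
	v, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image: version", v, "err", err)
	bad := append([]byte(nil), img...) // one flipped payload byte models a corrupted or altered update
	bad[5] ^= 0xff
	_, _, err = VerifyImage(pub, 1, bad)
	fmt.Println("tampered image:", err)
}
```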
There are some phones that have complicated software (iPhone, Nokia S60 line), but even "firmware-based" phones now have security issues:

> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable Motorola RAZR firmware based cell phones. User interaction is
> required to exploit this vulnerability in that the target must accept a
> malicious image sent via MMS.
>
> The specific flaw exists in the JPEG thumbprint component of the EXIF
> parser. A corrupt JPEG received via MMS can cause a memory corruption
> which can be leveraged to execute arbitrary code on the affected device.

http://www.zerodayinitiative.com/advisories/ZDI-08-033/
http://www.theregister.co.uk/2008/05/28/razr_security_jpg/
Jeff Yan, Ahmad Salah El Ahmad
School of Computing Science, Newcastle University, UK
{Jeff.Yan, Ahmad.Salah-El-Ahmad}@ncl.ac.uk

Abstract: CAPTCHA is now almost a standard security technology. The most widely used CAPTCHAs rely on the sophisticated distortion of text images rendering them unrecognisable to the state of the art of pattern recognition techniques, and these text-based schemes have found widespread applications in commercial websites. The state of the art of CAPTCHA design suggests that such text-based schemes should rely on segmentation resistance to provide security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks. In this paper, we analyse the security of a text-based CAPTCHA designed by Microsoft and deployed for years at many of their online services including Hotmail, MSN and Windows Live. This scheme was designed to be segmentation-resistant, and it has been well studied and tuned by its designers over the years. However, our simple attack has achieved a segmentation success rate of higher than 90% against this scheme. It took on average ~80 ms for the attack to completely segment a challenge on a desktop computer with a 1.86 GHz Intel Core 2 CPU and 2 GB RAM. As a result, we estimate that this Microsoft scheme can be broken with an overall (segmentation and then recognition) success rate of more than 60%. On the contrary, its design goal was that "automatic scripts should not be more successful than 1 in 10,000" attempts (i.e. a success rate of 0.01%). For the first time, we show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks. Our results show that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust. ...

http://homepages.cs.ncl.ac.uk/jeff.yan/msn_draft.pdf
MediaDefender is a company that works for the RIAA/MPAA to thwart the distribution of copyrighted materials over P2P networks. Apparently, over the weekend, they SYN flooded servers hosting seeds for Revision3's BitTorrent-distributed programs. Revision3's CEO Jim Louderback explains the SYN flood attack and MediaDefender's role in it in a really well written blog post: http://revision3.com/blog/2008/05/29/inside-the-attack-that-crippled-revision3 FYI: Revision3 is an ad-supported online TV network that distributes original programming via podcast, streaming, and BitTorrent, among other methods. BitTorrent and SYN flooding are explained in Louderback's post.
Jim Horning's note (RISKS-25.16) about uninitialized memory reminds me of something that happened to me nearly 40 years ago. At the time I was in college and working as a student consultant at the computer center. Another student came in with a problem: A comparison in his program wasn't working as he thought. This program was in 360 assembly language, using a single-pass assembler with the wonderful name of SPASM. 360 machine language includes a bunch of instructions to work with sequences of characters that can range from 1 through 256 characters. This particular student was exploiting this feature in a way that was breathtakingly clever or naive—or both. He had several Boolean flags in his program. He used three bytes to represent each flag, setting those bytes to the EBCDIC values of "SAM" or "XYZ" to represent true or false. Moreover, he did not bother to initialize these flags, figuring that they would start out with random values. In other words, if he wanted a flag to start out as false, he would assume it was true if its value was "SAM", trusting that the probability that it would be "SAM" by chance would be small enough to be zero for practical purposes. Similarly, if he wanted a flag to start out as true, he would assume that it was false if its value was "XYZ". What he did not count on was that this single-pass assembler assembled his program in the same memory that it subsequently used to run it--so that one of his variables would always start out with "SAM" as its initial value. I never did figure out why he didn't use the assembly language's initialization feature.
An iTunes file database problem Apple will never fix: podcast files that are not deleted are not moved out of their original directory ... and iTunes has other poor podcast directory disk capacity tracking issues. In one case iTunes showed I had no "National Nine News" files, but the directory had about 1 GB worth of video files. This memory and file tracking problem is more severe with video files, but audio files may have the same problem if they are not MP3 files. At its worst, iTunes could tell users it has no files, but your hard disk could be full of podcasts. This is not an iTunes library issue. I am fairly certain that iTunes counts only podcasts you have not deleted in its disk capacity tracking text below the podcast list. More people need to provide more detail about this long-standing iTunes bug.

My system: Vista, podcasts stored on a FAT32 drive. OSX systems probably have this same flaw, as it is a User Interface problem (high-level code vs low-level edge code that interfaces with the OS).

Max Power, CEO, Power Broadcasting, SA HireMe.geek.nz
Posted by Danny O'Brien, 19 May 2008 While its customers are still puzzling over why Vista Media Center is suddenly refusing to record over-the-air NBC digital TV, Microsoft has come out with an astounding admission, courtesy of Greg Sandoval at CNet News: "Microsoft included technologies in Windows based on rules set forth by the (Federal Communications Commission)," a Microsoft spokeswoman wrote in an e-mail to CNET News.com. "As part of these regulations, Windows Media Center fully adheres to the flags used by broadcasters and content owners to determine how their content is distributed and consumed." Microsoft's statement shines light on how Microsoft expects Media Center to behave. If this is the company's explanation for what users are seeing when attempting to record digital NBC broadcasts over-the-air, then Microsoft is saying Vista obeys the broadcast flag: a requirement rejected by courts and Congress. ... http://www.eff.org/deeplinks/2008/05/microsofts-masters-whose-rules-does-your-media-cen
* From: Greg Goss <gossg@gossg.org>
* Newsgroups: alt.fan.cecil-adams
* Subject: Democratic fundraising overwhelms FEC computers
* Date: Mon, 26 May 2008 12:07:09 -0600

What is the difference when you have a quarter million people signing checks for $200 instead of 200 people signing checks for a quarter million? Your fundraising report to the government becomes unwieldy.
http://politicalwire.com/archives/2008/05/26/democratic_fundraising_strains_fec_computers.html

[The FEC is at the same time both Overwhelmed and Underwhelming. PGN]

For other reports, browse on Obama fundraising report spreadsheet excel
Here's an attempt to bootstrap an authentication process. Argh! Everyone is an InfoSec expert. Wonder if I can sign up everyone I know? Maybe I can order a Ferrari? If they are this lame, I can NOT imagine what the site security is like! This is a real email from one of 'my' schools. Argh! You can't make this stuff up! fjohn

*** begin quote ***

From: The Alumni Relations Team [mailto:alumni@zzzzz.edu]
Sent: Friday, May 16, 2008 5:19 PM
To: yyyyy
Subject: NEW: On-line registration for zzzzz College Reunion 2008!

Dear yyyyy

zzzzz College is launching a new payment gateway that will further ensure that using your credit card on our Web site is both secure and protected. On-line safety is our main concern, whether you register for a class or event, make a gift or purchase an item. Please use our Web site knowing that you will always be provided with the best possible means of using your credit card in a safe and secure on-line environment.

In order to take advantage of the feature to register for Alumni Reunion Weekend (http://www.zzzzz.edu/reunion), you are being sent your Campus Wide Identification Number. This will serve as your "User ID". Your initial pin number will be your birth date, entered as a six-digit number (ex. 021458). After you have entered this information on the link provided below to the registration page, you may change your log on information to a more familiar configuration.

USER ID: 000761932
PIN: (your 6 digit birth date in the form of MMDDYY - i.e. Feb 14 1958 would be 021458)

To Register for Reunion Weekend 2008:
1. Access the new Self Service Payment Gateway: https://self-service.zzzzz.edu (If you experience a "website security certificate" notification, select "allow" as prompted)
2. Enter your User ID and pin (provided above)
3. Select the Alumni Services tab
4. Select Reunion 2008
5. Follow prompts to complete your registration with credit card

These measures ensure all of us that your personal information remains private.

Thank you for your continued support of the College. We look forward to seeing you on Reunion Weekend!

Warmest regards, xyz, Director of Alumni Relations

[Literals PGN-ed to hinder filtering.]
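An added example, not from the college's gateway or from the contributor, of the check a registration system could apply before issuing or accepting a PIN: refuse any six-digit value that parses as an MMDDYY date, the scheme the mailing above prescribes, and count how small that date-shaped space is compared with six random digits. The error names and the sample PINs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// time.Parse layout for MMDDYY (01 = month, 02 = day, 06 = two-digit year), the exact
// form the mailing above tells alumni to use for their initial PIN.
const mmddyy = "010206"

var (
	ErrNotSixDigits = errors.New("pin: must be exactly six ASCII digits")
	ErrDateLike     = errors.New("pin: encodes a calendar date, which a birth date makes guessable")
)

// IsDateLikePIN reports whether pin is a valid MMDDYY date; time.Parse rejects month 13, Feb 30, etc.
func IsDateLikePIN(pin string) bool {
	_, err := time.Parse(mmddyy, pin)
	return len(pin) == 6 && err == nil
}

// CheckInitialPIN is the gate a registration gateway could apply before issuing or
// accepting a PIN: six digits, and not something that can be read off a public record.
func CheckInitialPIN(pin string) error {
	if len(pin) != 6 {
		return ErrNotSixDigits
	}
	for _, c := range pin {
		if c < '0' || c > '9' {
			return ErrNotSixDigits
		}
	}
	if IsDateLikePIN(pin) {
		return ErrDateLike
	}
	return nil
}

// DateKeyspace counts six-digit strings that are valid MMDDYY dates: the effective size of the space when PINs are known to be dates.
func DateKeyspace() int {
	n := 0
	for i := 0; i < 1000000; i++ {
		if IsDateLikePIN(fmt.Sprintf("%06d", i)) {
			n++
		}
	}
	return n
}

func main() {
	fmt.Println("021458 (the mailing's example) ->", CheckInitialPIN("021458"))
	fmt.Println("730691 (constructed, not a date) ->", CheckInitialPIN("730691"))
	fmt.Printf("%d of 1000000 six-digit values are date-shaped\n", DateKeyspace())
}
```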
Monty Solomon quoted a Washington Post article about a gas-station operator who fears going out of business because her mechanical pumps can't be set to more than $3.99 a gallon. The reporter doesn't explain why she couldn't do what was done on a widespread basis the last time something like this happened. On 23 May 1979, *The New York Times* reported that "New York State gave dealers emergency permission to meter by the half-gallon. The change is designed to allow more of them to charge more than $1 a gallon and thus encourage them to stay open.... By allowing machines to charge by half-gallons, the technical limit would be doubled, to $1.99 8/10 a gallon." My recollection is that at the time, in other cases, operators simply set the pumps to register half the actual price, and posted conspicuous signage stating the actual prices and noting the customer would be charged twice the total registered by the pump. I'm no lawyer, and certainly can't speak to weights and measures law in every state, but I find it hard to believe that a station owner taking such an action in good faith would get in serious trouble. [Big surprise. This is what is happening. Lots of items submitted on this "problem". PGN]
(The original piece was in RISKS-25.06.) Assuming your transmitter emits a specific strength RF pulse, and your receiver can detect anything more powerful than some (lower) strength pulse, the inverse square law will help determine the maximum path length between transmitter and receiver that still allows detection. Having determined this length, but assuming perfect reflectors where necessary, whether the path is looped back on itself to reach the position of the original transmitter (enemy at distance X, path length 2X), or laid straight to reach the enemy receiver (enemy at distance 2X, path length 2X) shouldn't make a difference.
Picking nits off nits, re: target detection vs. radar source detection: It's actually much more than four times the distance. Only a tiny fraction of the incident signal is reflected by the target, so we are talking about orders of magnitude, not small integer ratios. Given that, the limit on detecting someone else's threat detection radar is limited more by the geometry of surface-to-surface signals on a sphere than distance effects on signal strength. The lesson of the original post holds, that systems to detect military threats may not (indeed, may be designed not to) detect civilian bystanders.
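A worked example added by the editor, not from either contributor, putting numbers on the two cases using the textbook one-way (Friis) link and the two-way radar equation, plus the spherical-Earth horizon that the second post says really sets the limit. Transmitter power, antenna gain, aperture, receiver sensitivity, target cross-section and antenna heights are constructed values.

```go
package main

import (
	"fmt"
	"math"
)

// Constructed link parameters, SI units; the numbers are illustrative, not any real system's.
type Link struct {
	TxPower  float64 // transmitter peak power, W
	TxGain   float64 // transmit antenna gain, linear (1000 = 30 dB)
	RxArea   float64 // receiving antenna effective aperture, m^2
	MinPower float64 // weakest signal the receiver can detect, W
}

// OneWayRange solves the Friis link P_min = P_t G_t A_r / (4 pi R^2) for R: the distance at
// which a receiver hears the radar's own transmission directly. Power falls as 1/R^2.
func OneWayRange(l Link) float64 {
	return math.Sqrt(l.TxPower * l.TxGain * l.RxArea / (4 * math.Pi * l.MinPower))
}

// RadarRange solves the radar equation P_min = P_t G_t sigma A_r / ((4 pi)^2 R^4) for R, where
// sigma is the target's radar cross-section in m^2. The target intercepts only sigma out of a
// sphere of area 4 pi R^2 and re-radiates that over another sphere, so the echo falls as 1/R^4.
// This second spreading loss is exactly what the "perfect reflector" assumption leaves out.
func RadarRange(l Link, sigma float64) float64 {
	return math.Pow(l.TxPower*l.TxGain*sigma*l.RxArea/(16*math.Pi*math.Pi*l.MinPower), 0.25)
}

// RangeRatio returns OneWayRange/RadarRange. Algebraically it equals R_radar * sqrt(4 pi / sigma),
// so the advantage of listening over echo detection grows with the radar's own range.
func RangeRatio(l Link, sigma float64) float64 {
	return OneWayRange(l) / RadarRange(l, sigma)
}

// RadioHorizonKm is the line-of-sight limit on a spherical Earth (4/3 effective radius to
// allow for standard refraction) for antennas h1 and h2 metres high: the geometry that caps
// any surface-to-surface path long before the inverse-square law does.
func RadioHorizonKm(h1, h2 float64) float64 {
	return 4.12 * (math.Sqrt(h1) + math.Sqrt(h2))
}

func main() {
	l := Link{TxPower: 1e6, TxGain: 1000, RxArea: 1, MinPower: 1e-13}
	sigma := 10.0 // m^2, roughly a large aircraft
	fmt.Printf("radar detects the target at   %.0f km\n", RadarRange(l, sigma)/1e3)
	fmt.Printf("receiver hears the radar at %.0f km (ratio %.2e)\n", OneWayRange(l)/1e3, RangeRatio(l, sigma))
	fmt.Printf("but 10 m antennas see each other only to %.0f km\n", RadioHorizonKm(10, 10))
}
```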
About a year ago after coming back from Estonia I promised I'd send in an account of the Estonian "war". The postmortem analysis and recommendations I later wrote for the Estonian CERT are not yet public. A few months ago I wrote an article for the Georgetown Journal of International Affairs, covering the story of what happened there, in depth. The journal owns the copyright so I had no way of sending that along either. I wasn't about to email saying "go buy a copy". Mostly silly articles kept popping up with misguided to wrong information about what happened in Estonia, and when an Estonian student was arrested for participating, some in our community even jumped up to say "it was just some student". Ridiculous. This is the "war" that made politicians aware of cyber security and entire countries scared, NATO to "respond" and the US to send in "help". It deserved a better understanding for that alone, whatever actually happened there. I was there to help, but I just deliver the account. The heroes of the story are the Estonian ISP and banking security professionals and the CERT (Hillar Aarelaid and Aivar Jaakson).

Apparently the Journal made my article available in PDF form by a third party:

Battling Botnets and Online Mobs: Estonia's Defense Efforts during the Internet War
URL: http://www.ciaonet.org/journals/gjia/v9i1/0000699.pdf

It is not technical; I hope you find it useful.