Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
http://www.chestertontribune.com/Town%20of%20Chesterton/driver_hits_nipsco_pole_surge_fr.htm Kevin Nevers, Driver hits NIPSCO pole; surge fries sewage treatment plant When a motorist, at approximately 12:11 a.m. on Sunday, struck a NIPSCO pole on Woodlawn Ave. just west of North Eighth Street, he not only interrupted electric service to the Chesterton wastewater treatment plant, he caused a power surge which zapped into oblivion the whole of the plant's automated computer system. [Added note in archive copy: Chesterton, Indiana, USA] Since early Sunday morning, Superintendent Steve Yagelski told the Town Council at its meeting Monday night, operators have been working the plant by hand, after the computer system known as SCADA — tasked with running the facility automatically — was fried and failed. Yagelski hastened to add that no by-pass occurred, thanks to the fact that a backup alarm system not connected to SCADA activated and alerted staffers. One backup system which did not work, however, was the emergency power supposed to be provided by two generators. Yagelski told the Chesterton Tribune after the meeting that the surge was so powerful and comprehensive that SCADA failed before it could send the activation message to that pair of generators. A NIPSCO crew subsequently got those emergency generators running and then restored electric service to the plant as a whole. Now Yagelski is performing triage, trying to assess the damage done to the most critical components of the facility. "This is an unusual thing," he said. "We lost the entire plant. Virtually every breaker in the facility was blown and had to be re-set." Yagelski expects the cost of replacing damaged computers and electronics to be considerable. "I have no idea at this point what it will cost," he said. "But I'm sure we're in the thousands of dollars." Yagelski added that he is "hopeful" that insurance — the plant's or the motorist's — will reimburse at least part of the expense. Until systems can be restored, though, operators will continue to "walk the plant around the clock" to keep it in operation.
On 22 Sept, 2008 a AA 757 diverted to ORD with an in-flight electrical issue. It landed, not on the longest runway, skidding on locked brakes for thousands of feet. The pilot opted to angle off the runway near the end; I assume seeking better braking action in sod. [It worked.] There was a long delay in evacuation as the crew could not get the engines to shut down (!?!?!). The NTSB preliminary report is out, and it's got almost enough Risks to fill a sequel to PGN's book by itself: <http://ntsb.gov/ntsb/brief.asp?ev_id=20081007X03940&key=1> NTSB Identification: CHI08IA292 Greatly shortened, they had a "AIR/GRD SYS" alert message, consulted the Quick Reference Handbook, changed to a standby power configuration and continued. This configuration was battery powered, and they appear to have thought from what the QRH said that the battery charger was still working. It wasn't... and they later lost multiple systems, including some flight controls, interphone, PA, antilock brakes, thrust reversers, spoilers, AND engine shutdown controls. An 747 & 757-qualified pilot for another carrier remarked that the manuals have gotten simpler and simpler over the decades. While such is inevitable given the orders-of-magnitude complexity difference between say a 727's three paralleled generators, and the multiple power buses on a 757 [They lost four buses out of many.] there is a price to pay — "too simple" is not better than too complex. I have to wonder about external tech support. Boeing has a 24x365 support center for in-flight problems, but in their previous strike, it was at least impaired if not inoperative. Did the crew ask for help?
... power panel with HTTP interface. Oh, and Telnet is enabled by default and not covered very deeply at all in the installation manual. http://www.brightblue.schlage.com/pdf/bbmanual_hardware.pdf
This tragic case was reported in the UK press a couple of weeks ago. Broadly, a teenage girl was abducted and later murdered. Under duress, she secretly and very bravely called the 999 emergency number on her mobile, hoping the operator would hear and understand the situation and organise a rescue. Unfortunately there is a function in the emergency response software to screen out and terminate calls where the caller does not speak clearly to the operator within a given time, which is what happened here. A log of the call was recovered later and the girl was obviously in distress. The screening function is valuable in stopping accidental emergency calls clogging up the system. However in a minority of situations, like this one, it is the wrong thing to do, with life-critical consequences. This case seems to present another situation where the decision-making of a machine is wrongly preferred over a human. How well was the screening function specified, and what analyses of failure modes were undertaken? "Hannah Foster, the A-level student kidnapped and strangled in 2003, called 999 in a desperate attempt to get help after she was abducted from the street, a court heard today. The 17-year-old dialed the emergency services, hoping that the operator would be able to hear the conversation with a man alleged to be Maninder Pal Singh Kohli, who was accused of snatching her after a night out with friends in Southampton, Winchester Crown Court was told. But Nicholas Haggan QC, prosecuting, told the jury that the operator could not hear what was being said and there was a system which disconnected the call after a short time to stop accidental emergency calls clogging up the system." http://www.telegraph.co.uk/news/uknews/3196048/Hannah-Foster-murder-Student-dialled-999-after-abduction-but-was-cut-off.html
Finland has for decades used a reasonably efficient and transparent paper-based election process. Now we are experiencing almost a total ignorance of the e-voting issues already discussed in RISKS for years. There have been many warnings from the nerds and IT crowd towards the government, but they have still decided to push for e-voting machines. Classic mistakes include dismissing paper records to verify individual votes and sourcing the infra from closed-source contractors. There was even a strikingly ignorant comment from the Minister of Justice, Ms. Tuija Brax, dismissing the reported problems in electronic voting as "science fiction". http://www.hs.fi/politiikka/artikkeli/Oikeusministeri+Brax+kiist==+s=hk=F6isen+==nestyksen+uhat/1135239194037 (in Finnish) Now this incident below (232 unexecuted votes) is little more than a minor usability glitch, not a security issue, but gives an idea of the sloppy attitudes. Sounds like the voting system involved was never tested *with actual users*, just experts. Besides RISKS, this contractor has not been reading their basic usability testing books, either. http://www.effi.org/blog/2008-10-28-finnish-evoting-votes-lost.html EFFi (Electronic Frontier Finland) are doing their best to keep the public aware here, though. http://www.effi.org/blog/2008-09-01-evoting-report-in-english.html -- Pertti Huuskonen (bertil@gmail.com) `"Finland piloted a fully electronic voting system in municipal elections last weekend. Due to a usability glitch, 232 votes, or about 2% of all electronic votes were lost. The results of the election may have been affected, because the seats in municipal assemblies are often decided by margins of a few votes. Unfortunately, nobody knows for sure, because the Ministry of Justice didn't see any need to implement a voter-verified paper record. The ministry was, of course, duly warned about a fully electronic voting system, but the critique was debunked as 'science fiction.' There is now discussion about re-arranging the affected elections. Thanks go to the voting system providers, Scytl and TietoEnator, for the experience." http://news.slashdot.org/article.pl?sid=08/10/29/0137202&from=rss [Also noted in part by Matti Siivola, and by Ian Oliver — who noted the role of proportional (preferential) balloting. PGN]
http://www.newyorker.com/reporting/2008/10/13/081013fa_fact_lepore includes discussion of "voter-fraud fraud" - and how parties in power try to change the vote by changing the voter lists. http://www.newyorker.com/online/blogs/hendrikhertzberg/2008/10/voter-fraud-fra.html Sounds suspicious — unless you know that despite all the hysteria, from 2002 to 2005, only twenty people in the entire United States of America were found guilty of voting while ineligible and only five of voting more than once. By contrast, consider the lede on this story www.nytimes.com/2008/10/09/us/politics/09voting.html, published a week ago today: ``Tens of thousands of eligible voters in at least six swing states have been removed from the rolls or have been blocked from registering in ways that appear to violate federal law, according to a review of state records and Social Security data by *The New York Times*.''
I have thought of something regarding researchers who have made security discoveries, and I thought of a way in which they might legally develop, in effect, a 'poison pill' to those who would want to silence them. I'm not a lawyer and I don't know all of the exact requirements but I thought of an interesting way to cause "blowback" on those who try to browbeat others into silence. A poison pill refers to a provision in a corporation's bylaws or charter that makes a takeover attempt by a suitor which management does not agree with to trigger a provision which essentially would cause the company to be too expensive for the acquirer. Sometimes done by allowing others than the acquirer to buy company stock at a much lower price, which requires the acquirer to buy even more stock of the company and raises the cost dramatically. So my thought was, why can't security researchers do that, so that an attempt to do a 'hostile takeover' of the information triggers the poison pill defense, making the hostile takeover attempt of their information backfire worse than if they had tried to be civil and not institute legal proceedings. Here's one way I think it can be done. My effort here is to make all actions legal so that nobody gets cited for contempt or commits a crime or otherwise violates the law in doing so.. Bob discovers some security hole in something, and sends a document with full and complete disclosure of the entire explanation including how to exploit, to Alice, who is not part of his team but is simply a third-party. His instructions are, as long as he keeps re-sending the full instructions to her, every day, to do nothing, but as soon as he stops sending the full instructions, to publish and disseminate the information as widely as possible. To ensure he has not been, say, grabbed by criminals, she is to presume any order from him to change this which does not include full disclosure to be a false order given under duress or to ignore unread any order not accompanied by the full, complete disclosure document.. Bob then publicizes the security hole either to the vendor to give them time to find a patch or makes a public announcement in a less than full manner. Bob and his team are sued with a restraining order not to give out details to anyone else.. As a result, Bob is legally prohibited from sending Alice any documents because he can't send a full disclosure. As Bob has set up the instructions to Alice before he had any idea he would be sued, he isn't violating the order with what he sent because he sent it before the case was even filed or he was aware of it. So the only way that Bob can comply with the order, is to not send anything to Alice or not send the same document, which triggers the poison pill and she then posts the information everywhere she can. The company suing can't come after Alice later, she's not releasing a trade secret nor was she under any obligation to do so. If it's Bob's paper, it's his copyright so she hasn't violated anything relating to the vendor either. Nor did she have any knowledge of the lawsuit, presuming that the lawsuit would have anything to do with her or that she would be a party to the lawsuit anyway. Thus, if the vendor or the other party is civil and polite, either disclosure is delayed, or only a partial disclosure at the conference occurs, but a lawsuit causes automatic and unpreventable full disclosure. If Alice is not an employee of Bob and has no legal responsibility to him, I don't see where she has any obligation to remain silent. She hasn't been served with any court order, only Bob has. She has no knowledge of why Bob stopped, only that he has. And if she's in another jurisdiction, the court might not even have authority to issue an order to her. Or we can push this further by her doing the same thing and handing it off to a third party herself, so that if she doesn't continue to do so, or she AND Bob do not continue to send the complete document, that the third party is to publish it. Do this with two or three third parties each, and you essentially create a web of poison 'pill boxes' so that attempts to stop information do the exact opposite. As I see it, the company wanting the information has to (1) sue bob; (2) get him to reveal whom he gave copies of the paper to; (3) find them and get service on them; (4) get them to reveal whom they gave copies to; and so on, and do this before the promise expires. And some of these people can be such that they are only reachable by e- mail, and despite what some people would like to have, one can't be served a court order by e-mail; there is no proof of delivery nor proof that the recipient saw it. In some cases the vendor would have to go back to court, get a summons, serve it on Alice's ISP, get her information - if the ISP or mail service provider has any - then use that to find where Alice is and try to get good service on her. And do all of this before Bob's original request to her expires and she publishes. Could even be done using a web site in which you have to keep re-uploading the same paper to prevent its publication. Once you've been served with a gag order, you can't do that any more and you have no means to stop the publication from taking place. In order to stop it, the company suing would, again, have to contact their ISP or look up the Whois page of the website owner (if it's theirs and not simply a nominee acting as party for service of process, or even simply a page seller who sells web space to people), contact them, and, presuming the company is in the same jurisdiction and can reach them - they have no legal obligation to answer the phone or read e-mail - to get them to stop the automatic publication. It's only if they can actually get good service on someone in person that it would really be significant to be able to force them to stop. Or have proven evidence that someone was notified of a legal proceeding where the court could have or get jurisdiction over them. And if the party who answers for the website is simply an answering service or it's an answering machine, the party who gets the message might not get notice until after the document is published. As their website is automatic, they don't need to monitor it unless it reports something wrong. And if the website owner is in one jurisdiction but their webserver is in another then it may mean the company suing has to try to find yet someone else to stop that website. Seems like an interesting scheme to thwart threats and from what I am aware of, legally sound although again, I'm not a lawyer.
I just bought a new car. When I went to Tirerack.com to look at winter
tires, I was informed of the TPMS (Tire Pressure Monitoring System) that
appears mandatory as of 2007. This system typically includes an
RFID-attached sensor in each wheel that sends data to a sensor that...
The issue is that it seems, according to http://www.hexview.com/sdp/node/44
each one of these has a unique ID that would allow tracking of an individual
vehicle. Unsubstantiated - by me, so far- research indicates that it is
illegal to disconnect this system (federal) and that some states actually
check operation at state inspections.
Vehicle tracking - speeding - big brother - sheer nosiness.
I'm sure that there is no need to further enumerate the risks to this audience.
P.M. Wexelblat PhD, Erst of the Dept. of Computer Science
University of Massachusetts Lowell, One University Ave, Lowell, MA 01854
[Are you *tired* of items on monitoring and the age of surveillance? If
not, check out the extremely well-done five-part British series, "The Last
Enemy" (with a massively cross-coupled database system called TIA), which
concludes this Sunday on PBS's Masterpiece Theater. If you missed the
first four episodes, don't start with the fifth. The plot is much too
convoluted to grasp from the end, but should be quite relevant for RISKS
readers. The series will apparently be available online "for a limited
time" only. PGN]
http://www.pbs.org/wgbh/masterpiece/lastenemy/index.html
PGN, Looking through old issues of SIGSOFT, I just come across your 2006 article http://www.csl.sri.com/neumann/holistic.pdf (sorry for my slowness...), and just wish to let you know how much I agree with its conclusions and recommendations. It happens that I have a book just published: http://www.springer.com/engineering/production+eng/book/978-1-84800-371-2 a main theme of which is precisely to advocate an hologrammatic approach to computer dependability justification. You are referenced in it, as an author, but for another of your contributions! However, now that this book is completed, I have the feeling that a holistic approach for embedded computer systems may not be, as you cautiously suggest at the very end of your article, an "easier" challenge than in other disciplines. One reason perhaps is that the huge number of variables to be kept under control includes all those of the application supported by the computer system, and not only those, but also all those of the detailed inner levels of the software and hardware implementation. Pierre-Jacques Courtois BEL V (Fed. Agency for Nuclear Control Subsidiary) Rue Walcourt, 148, B-1070 Brussels, Belgium http://www.belv.be/ +32 2 5280 268 Louvain School of Engineering Universite' catholique de Louvain B-1348 Louvain - la -Neuve, Belgium, Phone: +32 10 47 31 50 Home page <http://www.info.ucl.ac.be/Bienvenue/PagesPersonnelles/courtois/> [P-JC, I think it is an enormous challenge practically speaking. But it might be aided by being somewhat less obscured by politics; also in the research communities at least, some of the architectural and software engineering issues and other precursors are perhaps less contentious. PGN]
Last week a report by the US Army's 304th Military Intelligence Battalion roiled government social web (web 2.0) advocates. The microblogging service Twitter, it found, can be used as a potent tool by terrorists. There followed some handwringing on Twitter and among journalists, and even some thinking across the river — here at Harvard. Will this dustup affect the move to the social web in the defense and intelligence communities — wikis, blogs, Facebook, and the like? After all, there's been good movement in recent months, impressive gains, and some major wins. But there's been little enterprise wide embrace. To many, the current position feels unstable. [... Long item truncated. Read the rest of Zachary's blog item at http://www.lnwprogram.org/blog/ . PGN]
BKSECENG.RVW 20080929
"Security Engineering", Ross Anderson, 2008, 978-0-470-06852-6,
U$70.00
%A Ross Anderson ross.anderson@ieee.org rja14@cam.ac.uk
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2001
%G 978-0-470-06852-6 0-470-06852-3
%I John Wiley & Sons, Inc.
%O U$70.00 416-236-4433 fax: 416-236-4448
%O http://www.cl.cam.ac.uk/~rja14/book.html
%O http://www.amazon.com/exec/obidos/ASIN/0470068523/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/0470068523/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0470068523/robsladesin03-20
%O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 1040 p.
%T "Security Engineering: A Guide to Building Dependable Distributed
Systems, Second Edition"
Anything written by Gene Spafford is important. Anything written by Bruce
Schneier is readable, and, even if you disagree with it, worth thinking
about. Anything written by Ross Anderson is important, readable, worth
considering, and correct.
The preface states that this book is intended as a text for self-study or
for a one term course, a reference for professionals, an introduction to the
underlying concepts, and an original scientific contribution in terms of the
foundational principles for security engineering. In addition, the preface
to the second edition notes that these concepts now need to be understood by
legal investigators, managers, and, in the wake of 9/11, everyone. A very
tall order to fulfill, but one which, for once, seems to have been
accomplished. I have often been asked, in regard to these reviews, whether
there are, in fact, any books that I do like. Well, I like this one. If
you are involved with security and you haven't read "Security Engineering,"
you should. And you have no excuse if you haven't. This is the second
edition to be printed, and the first edition is available online, in its
entirety.
(And, if the first edition is available online for free, why should you buy
the second? Because the second edition has more, in almost every respect.)
Part one deals with the basic concepts of engineering and security. Chapter
one presents four example situations of security needs. Protocols are not
limited to the precise but limited structures with which computer people are
familiar. Security is a people problem, and chapter two, entitled
"Usability and Psychology," addresses this issue up front, along with a set
of more conceptual, but more formal, authentication problems and protocols.
It is unlikely that the models presented exhaust the field, but some thought
indicates that they are pertinent to a wide variety of applications. Much
the usual thoughts and advice on passwords is issued in chapter three,
although the research is better documented, and some additional research
(passphrase generated passwords are as secure as randomly assigned ones, and
as memorable as naively chosen ones) is presented. (Anderson's writing is
clear enough, but he does betray a taste for symbolic logic that might limit
the audience for the book. Still, perseverence on the part of the reader
will be amply rewarded.) It is strange not to see any mention of the work
factor of passwords overall. Chapter four reviews access control, but
primarily from the perspective of system and hardware internals.
Cryptography, in chapter five, is covered reliably and well, although the
structure and flow of the material is not always in developmental order.
The problems of distributed systems are examined; in terms of concurrency,
failure resistance, and naming; in chapter six. Economics can be used to
examine a great many aspects of security (and insecurity). Chapter seven
looks at a number, but I was disappointed to note that risk analysis was not
one of them.
Part two uses a number of applications of secure systems to introduce
particular concepts or technologies. Chapter eight discusses
multilevel security, which encompasses most of the formal security
models such as Bell-LaPadula. Medical (and census) databases are
used, in chapter nine, as examples of multilateral, or compartmented,
security: the need to deal with information of equal sensitivity, but
restricted to different groups. Controls particularly related to the
banking system and fraud are presented in chapter ten, although the
material is long on anecdotes, and contains weaker analysis than the
preceding text. A somewhat limited, but still interesting, review of
physical security has been added in chapter eleven. Chapter twelve
reviews monitoring systems, of both monitoring and metering types. In
regard to nuclear command and control systems, chapter thirteen
examines the tension between availability (the ability to fire a
missile) and confidentiality (or authentication: making sure nobody
else does). Various aspects of the technology for security printing
and seals is dealt with in chapter fourteen. Biometrics, in chapter
fifteen, gets a good, but fairly standard, treatment. Chapter sixteen
delves into tamper-resistance in cryptographic gear and smartcards
(expanding on the content of fourteen). The TEMPEST and Teapot (no,
I'm not kidding) projects on emission security are reviewed in chapter
seventeen. Chapter eighteen examines the security problems inherent
in the use of application programming interfaces (APIs). There is
good coverage of the basics of traditional electronic warfare in
chapter nineteen, although the material on information warfare is not
as thorough. Chapter twenty looks at telecommunications system
security, with some material on phone phreaking and lots on cellular
encryption. Network attack and defense, in chapter twenty-one, is
less focused than other chapters, and adds malware. Copyright and
DRM (Digital Rights Management) systems are examined in chapter
twenty-two, with solid coverage of recent controversies. Gaming,
social networks, elections, and other complex applications are
discussed in chapter twenty-three.
Part three turns to politics, management, and assurance. Chapter
twenty-four, under the title of "Terror, Justice, and Freedom," has a
fascinating discussion of major issues in public policy. Management
issues, in chapter twenty-five, are presented in an interesting but
generic manner. The discussion of system evaluation and assurance
asks the usual question in regard to how we know our systems are
secure. In a sense, though, the subtitle of the book is wrong: much
of the material points out how *not* to build dependable systems, and
chapter twenty-six is a bit disheartening. The conclusion, in chapter
twenty-seven, is that we need more engineers and engineering.
Although the material is presented in a very formal way, the writing
is usually quite readable, and the exceptional stilted passages are
still accessible to the determined reader. On occasion, one could
hope for additional explanations of some items that are mentioned
briefly and passed over. The constant emphasis on how security
protections have failed can be depressing, but the examination of the
errors of others does provide the basis for better designs in the
future.
copyright Robert M. Slade, 2002, 2008 BKSECENG.RVW 20080929
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm blogs.securiteam.com/index.php/archives/author/p1/
Please report problems with the web pages to the maintainer