When police in Germany, Austria, and France were able to DNA-match evidence from six homicides (including the killing of policewoman Michele Kiesewetter in the town of Heilbronn) and dozens of other crimes, they naturally concluded that a multiple murderer was at work — one who acquired the nickname "The Phantom of Heilbronn". But then one of the matches, which seemed unlikely, was retested... and the second time it came back negative. Now it seems that in fact the only connection between the crimes is that when collecting DNA from the evidence, cotton swabs from the same manufacturer (Greiner Bio-One) were used. Unused swabs were tested and a few were found to have the same woman's DNA on them; she worked at the company that did the packaging. Greiner says that they were only supposed to be sterile swabs for medical use, and were not guaranteed to be free of DNA. Of course, if this happened in a work of fiction, it'd turn out that the woman actually had committed one of the early crimes and then taken advantage of her job to deliberately contaminate the swabs in order to divert suspicion. But be that as it may, the consequences for law enforcement are not going to be pleasant. See: http://news.bbc.co.uk/2/hi/europe/7966641.stm http://www.dw-world.de/dw/article/0,,4129872,00.html http://www.time.com/time/world/article/0,8599,1888126,00.html http://www.google.com/hostednews/ap/article/ALeqM5iEPt22F_xcWatGRrX5ludZOsSM5AD976HRM00
When J.P. Neufeld, an Internet chat-room moderator in Montreal, saw someone posting an announcement that he was shortly going to set fire to a school in Norfolk, England, he took it seriously, first communicating with the poster and then phoning the Norfolk police. They acted quickly and in less than an hour a 16-year-old was arrested near the school while carrying matches and "what is believed to be a flammable liquid". http://www.cbc.ca/world/story/2009/03/20/concordia-student-forum-norfolk.html http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20090320/school_threat_090320/20090320?hub=TopStories http://www.eveningnews24.co.uk/content/news/story.aspx?itemid=NOED19%20Mar%202009%2008:52:47:223
It was reported recently that at an Ontario casino in December, a slot machine flashed its lights and displayed a message to the effect that "You have won $42.9 million" (Canadian, about $34 million US). The gambler, Paul Kusznirewicz, had 5 minutes to be ecstatic before being told the machine had malfunctioned and he hadn't won anything. (They did give him some dinner coupons.) In fact, according to the Ontario Lottery and Gaming Corp., its highest possible payout was $9,025 (Canadian). This amount was not marked on the machine, but there was a notice that nothing was payable in case of malfunction. Kusznirewicz is suing, so there probably won't be any further details unless the case makes it to court. In a followup story today, Ryerson University computer professor Sophie Quigley suggests that the number -1, as a 32-bit 2's complement signed integer, was interpreted as an unsigned integer in cents: $42,949,672.95. "A casting error", as she put it. (Not necessarily in the strict C sense.) Incidentally, the Toronto Star ran the followup next to a story about Marie Douglas-David, who is involved in a divorce case and allegedly claims that "she cannot live on $43 million" (US). The paper put the two pieces side by side under a common headline: "Two very different $43 million questions". http://www.cbc.ca/consumer/story/2009/03/17/slot.html http://www.thestar.com/News/Ontario/article/604035 [2nd URL corrected in archive copy. Item also noted by David Magda. PGN]
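An added illustration in C (not from the original item or from the machine's actual software) of the conversion Quigley suggests: a signed -1 reinterpreted as unsigned cents, next to a range check against the $9,025 maximum the item reports. The function names and the use of -1 as a fault sentinel are assumptions made for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* $9,025.00: the highest possible payout the item reports, in cents. */
#define MAX_PAYOUT_CENTS 902500
/* Assumed for illustration: the game logic signals a fault with -1. */
#define PAYOUT_ERROR (-1)

/* Flawed path: the signed result is reinterpreted as an unsigned amount,
 * so the sentinel -1 becomes 4294967295 cents. */
uint32_t payout_cents_unchecked(int32_t result)
{
    return (uint32_t)result;
}

/* Checked path: refuse sentinels and anything above the machine's limit
 * before the value ever reaches the display or the payout logic. */
bool payout_cents_checked(int32_t result, uint32_t *cents_out)
{
    if (result < 0 || result > MAX_PAYOUT_CENTS)
        return false;
    *cents_out = (uint32_t)result;
    return true;
}

/* Render cents as "$d,ddd.cc". Returns the string length, or 0 if the
 * buffer is too small for the largest 32-bit amount. */
size_t format_dollars(uint32_t cents, char *buf, size_t len)
{
    char digits[16];
    size_t pos = 0;
    int n;

    if (len < 18)
        return 0;
    n = snprintf(digits, sizeof digits, "%" PRIu32, cents / 100);
    buf[pos++] = '$';
    for (int i = 0; i < n; i++) {
        if (i > 0 && (n - i) % 3 == 0)
            buf[pos++] = ',';
        buf[pos++] = digits[i];
    }
    pos += (size_t)snprintf(buf + pos, len - pos, ".%02" PRIu32, cents % 100);
    return pos;
}

int main(void)
{
    char buf[32];
    uint32_t cents;

    format_dollars(payout_cents_unchecked(PAYOUT_ERROR), buf, sizeof buf);
    printf("unchecked: %s\n", buf);

    if (!payout_cents_checked(PAYOUT_ERROR, &cents))
        printf("checked:   malfunction, nothing displayed as a win\n");

    if (payout_cents_checked(MAX_PAYOUT_CENTS, &cents)) {
        format_dollars(cents, buf, sizeof buf);
        printf("checked:   %s\n", buf);
    }
    return 0;
}
```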
Macclesfield High School (near Manchester, England), threatened to ban Megan Gillan from their prom if her attendance did not improve. This was unlikely to happen, as Megan had died two months before. The girl's parents, still very much grieving, were "floored". Megan had been removed from the school's "main database", but was still listed "in a different part of the computer system" that allows letters to be sent to parents of former students. See: http://news.bbc.co.uk/1/hi/england/manchester/7963081.stm Or if that URL isn't long enough, try: http://www.telegraph.co.uk/education/educationnews/5049001/School-apologises-after-letter-warns-parents-over-dead-schoolgirls-attendance.html
Amusingly, German police have been searching in vain for a phantom serial killer, apparently responsible for 40 murders. Unfortunately, they were led astray by DNA "evidence" that resulted from using contaminated cotton swabs to collect DNA evidence. They had all been packed by an employee who refused to wear rubber gloves, so her DNA appeared to be scattered all over the country at various crime scenes. Police used the swabs against written advice in the accompanying product instructions that said the swabs were unsuitable for forensic use. Fortunately nobody was injured or arrested as a result. Here is an article from *Time* with the details: http://www.time.com/time/world/article/0,8599,1888126,00.html If your German is good, you can read this: http://www.focus.de/politik/weitere-meldungen/phantom-von-heilbronn-des-raetsels-loesung-war-das-wattestaebchen-_aid_384841.html
The [Irish] government finds itself in a deep hole because of the purchase and storage of thousands of electronic voting machines. It should stop digging. What had seemed like a good idea, way back in 1999, has turned out to be an unmitigated disaster. The initial waste of public money on the purchase of this dangerously insecure system has been compounded by the establishment of long-term leases of up to 30 years for the storage of machines in controlled environments. John Gormley is the fourth minister for the environment to have responsibility for the mess. And because there is no question of the machines being used in the forthcoming local and European elections, or thereafter, he should call a halt to the madness. An estimated 52 million euros was spent on voting machines by Noel Dempsey and by his successor, Martin Cullen, in spite of the objections and concerns of the opposition parties. And when a special Commission on Electronic Voting found it was easy to bypass the proposed security system in 2004, the machines were put into storage at an annual cost of about 700,000 euros. This public waste must end at a time when everybody is being asked to tighten their belts. The cost of storing these machines will amount to 3.5 million euros by the end of this year. And because contracts ranging from 20 to 30 years were entered into on behalf of the State, penalties are likely to be imposed for an early buy-out. The Government should not continue to engage in what is a face-saving exercise. Ireland is the only country in Europe that holds out a vague prospect of using this technology. Last year, the Dutch government decided to abandon the system because of its inherent vulnerability. Last week, the supreme court in Germany ruled that the Nedap system — which we also purchased — breached its electoral laws. It found that the control measures required would not be achieved by a print-out of votes.
The ability to recheck votes was more important than early election results. It was not saying a final No to electronic voting, just that the current generation of voting machines was unsatisfactory. Ten years ago, the replacement of pencils and ballot papers by machines was seen as a badge of modernity. But technology was not sufficiently advanced to guarantee security of the new system. In spite of that, Fianna Fáil ministers ignored the views of computer experts and ploughed ahead. Now that the Netherlands and Germany have abandoned the project on security grounds, the Government should bow to the inevitable. [*The Irish Times*, 29 Mar 2009] http://www.irishtimes.com/newspaper/opinion/2009/0317/1224242944297.html
A special election in Fairfax County Virginia had some voting machine problems. A very close race had one DRE (out of about 50 in use) that printed suspicious results. Coverage at http://www.washingtonpost.com/wp-dyn/content/article/2009/03/11/AR2009031101675.html and http://www.washingtonpost.com/wp-dyn/content/article/2009/03/10/AR2009031002068.html I spent the day after the election observing the canvass process at the invitation of the Democratic candidate (but the campaign did not supply me with any information, nor did they pay me). Details of my findings are at http://abqordia.blogspot.com. While a winner was eventually declared, there are two unexplained problems: in one, the "zero tape" printed before the polls opened (which is supposed to show that there are no votes recorded) showed that the total votes was 0, of which 3 were for the Republican, 2 for the Democrat, 1 for the independent, and 1 write-in. Or mathematically, 3+2+1+1 = 0. No one (other than me!) seemed all that concerned that this shows something was *clearly* wrong, because they were able to get the machine to print the (purported) ballots, and count those by hand.... The risks? When the machine can print something that looks reasonable, the people making the decisions are willing to overlook clear problems (as in the math error). Instead of treating the math error as an indication that there's a deeper problem, they wrote it off as an unexplained glitch - "my car didn't start the first time I turned the key, but it started fine the second time, so I guess there's no problem". That may be true, or it may be the starter getting ready to fail.
Premier Election Solutions (formerly Diebold Election Systems) admitted in a California hearing on 17 Mar 2009 that the audit logs in its tabulation software do not record significant events that occur on the system during an election, such as the deletion of votes. The company acknowledged that the problem exists with every version of its tabulation software. [Source: Kim Zetter, Wired.com] http://blog.wired.com/27bstroke6/2009/03/diebold-admits.html [See also Shannon McElyea in Dave Farber's IP, citing Diebold Admits Audit Logs in ALL Versions of Their Software Fail to Record Ballot Deletions, http://www.bradblog.com/?p=6995]
No "Security By Obscurity" for Voting, Please
John Sebes' blog, 25 Mar 2009, http://osdv.org/blog

I have to confess to being appalled by the number of times recently that I have heard people talk about potential benefits of "security by obscurity" for voting systems. It's one of those bad old ideas that just won't die: if you hide the inner workings (source code) of a complex device (a voting system), that makes it harder for an adversary to break (hack, steal elections). With regard to voting systems, of course, the issue gets all muddled up with vendors' fears of compelled source code disclosure, but setting that aside, the proposition is simply this: a voting system is "more secure" (whatever that means) if the source code is not public. Or as one election official said to me recently, "We've been schooled to think that making the code public would give up the keys to the system" (my paraphrase) and ensure that a voting system could be hacked to steal elections (my inference). Wow. It's quite the fallacy, but the staying power of the "Security by Obscurity" idea is impressive; despite being completely discredited among digital security professionals, the idea just won't stay dead. But please, don't take my word for it. Despite a couple decades in the security biz, I'm also an open source advocate. Instead, take a look at what security experts (the real ones, not the folks that call themselves "security experts") have to say about it. You can find several good thought pieces on the blog <http://www.schneier.com/blog> of applied cryptographer and author Bruce Schneier. You can find a range of pieces on the topic in the Risks Forum <http://www.risks.org> and <http://www.csl.sri.com/users/neumann/#3.>. For a brief and general summary of the topic (including open source), PGN's IEEE <http://www.ieee.org> Science and Policy piece "Robust Nonproprietary Software" <http://www.csl.sri.com/neumann/ieee00.pdf> provides a pithy and balanced viewpoint.
For an entertaining bit of myth-debunking, try "Security by Insecurity" <http://www.csl.sri.com/users/neumann/insiderisks.html#161>. And for specificity to voting, try Peter's testimony <http://www.csl.sri.com/neumann/calsen06.pdf> to the State of California invited by CA's Secretary of State, Debra Bowen <http://www.sos.ca.gov/admin/bio.htm>. [TNX! PGN] But I can't resist a couple closing thoughts. First is my little theory that closed systems are actually easier to crack. Consider the Windows OS, unsurpassed for widespread adoption, proprietary software, and history of security vulnerabilities. I am not MS-bashing here! My point is that where there is an attractive target (and Windows is #1), the bad guys have all the needed grist for the mill, without the source code! They have the running software itself; they have some information about the software's interfaces; and they have many years of experience to guide efforts to find weak points. They have a cookbook! They don't need an electron microscope to examine the atoms and reverse engineer the target. In fact, if the source code were available, then it might actually be more work to wade through it to find security vulnerabilities. Lastly, I want to get back to election technology generally, and voting systems in specific. I do not believe that current voting systems benefit from security by obscurity. I also do not believe that disclosure of the source code would be beneficial. Independent reviewers have found many reasons for security concerns, and the vendors underline those concerns by fear-mongering around the issue of security vs. openness. Where vendors admit security problems, and yet do not display willingness to fix known problems, disclosure doesn't help because new knowledge about problems and fixes is irrelevant if the fixes don't get done. But just as disclosure wouldn't help, it also would not hurt - despite the fear mongering.
Plenty enough is already known about vulnerabilities of these systems, and the bad guys have plenty of info - including the ability to buy voting machines on eBay and reverse engineer to their heart's content. So basically, disclosure of current systems is a matter of indifference to me in terms of security benefit or detriment - there is neither. But it really bothers me when people are misled into thinking that secret computing equals secure computing. It's not so, and especially not for election technology, which should be open and transparent, not for security, but for trust and public confidence in the results — that is, the selection of those public servants who govern our public life. The recent New York Times editorial "Still Broken" is well worth the read, especially for its significant focus on dysfunction.
http://www.goodgearguide.com.au/article/295924/criminals_sneak_card-sniffing_software_diebold_atms Diebold has some of its ATMs fabricated in Russia. A break-in occurred. These ATMs run Windows. Malware, which captures card details, was installed. Pretty sophisticated stuff, too. Sophos report they believe the code has been in circulation (whatever that means) since November 2008. The fix was apparently released Jan 2009. I'm starting to think cash-from-a-bank may make a comeback. [Here's an excerpt from another report on this subject: "Security firm Sophos reported this week that it received three samples of a trojan that was customized to run on Diebold-manufactured cash machines in Russia, said Graham Cluley, Sophos' senior security consultant. The malware was able to read card numbers and PINs — then when the attacker returned to the ATM, he inserted a specially crafted card that told the machine to issue him a receipt containing the stolen information." PGN] http://www.scmagazineus.com/ATM-malware-appears-Diebold-issues-security-update/article/129059/
A British driver blamed his GPS navigation unit for leaving his car teetering on the edge of a 100-foot cliff in Doncaster, South Yorkshire, after following its instructions. (He was stopped by running into a wire fence.) http://www.foxnews.com/story/0,2933,510495,00.html
If you want to architect Web security like it's 1995, then the Information Security Debt Clock is for you. The Information Security Debt Clock tracks the time since the Web security architecture based on Network Firewalls and SSL was first deployed: http://1raindrop.typepad.com/1_raindrop/2009/03/information-security-debt-clock.html According to c2.com, Technical Debt occurs when "During the planning or execution of a software project, decisions are made to defer necessary work...The list can grow quite long, with some items surviving across multiple development cycles." As of right now it's been approximately 4,863 days since SSL 1.0 was added into Netscape in Dec. 1995.
In this e-mail message I'd like to discuss two subjects:
a. Phishing against ISPs.
b. Phishing in different languages against ISPs as soon as Google adds a new translation module.

In the past few weeks there has been an increasing number of phishing attacks against clients of Israeli ISPs. I've only seen a few of these, but the local ISPs confirm it's happening across the board. In all these cases, the phishing e-mail is in Hebrew. While we have seen ISP phishing and Hebrew phishing before, these attacks started when Google added translation into Hebrew. Is this a trend? Have other countries (or populations) been targeted when Google added a translation module for more languages?

Notes:
a. Some Israeli ISPs e-mailed their clients warning against such attacks. Saying they'd never ask for their password, etc.
b. While I was certainly heavily involved with phishing originally and even started the first coordination group to deal with the issue, I am somewhat removed from it now, dealing more with phishing/banking Trojan horses. Can anyone educate me as to how often ISPs get phished, if at all?
c. If you get phished, what strategies if any have you taken to prevent the attacks/respond to them/educate your clients? What worked?
d. I wonder if these translation misuses could eventually translate into some intelligence we will see in Google security reports, such as on malware.
The Economics of Finding and Fixing Vulnerabilities in Distributed Systems
Quality of Protection Keynote, Alexandria, VA, October 27, 2008
By Gunnar Peterson

Like many people in this industry, my focus on security was fundamentally altered by Dan Geer's speech "Risk Management is Where the Money Is". There are not many people who can call a ten year shot in the technology business, but Dan Geer did. The talk revolutionized the security industry. Since that speech, the security market, the vendors, consultants, and everyone else has realized that security is really about risk management. Of course, saying that you are managing risk and actually managing risk are two different things. Warren Buffett started off his 2007 shareholder letter talking about financial institutions' ability to deal with the subprime mess in the housing market saying, "You don't know who is swimming naked until the tide goes out." In our world, we don't know whose systems are running naked, with no controls, until they are attacked. Of course, by then it is too late.

Full talk: http://1raindrop.typepad.com/1_raindrop/2008/11/the-economics-of-finding-and-fixing-vulnerabilities-in-distributed-systems-.html

[This item apparently fell through the RISKS crack last year. Don't forget to include "notsp" in your would-be postings. I'm filtering over a thousand spams a day, and still having to cull through 95% spam after that. The subject line is very important. PGN]
Zimbabwe Internet has been having downtime problems recently, and sent their customers the attached disarmingly honest e-mail. (I saw this through a friend of a friend; Mark Taylor has also posted it on http://marktaylor.blogspot.com/2009/03/only-in-zimbabwe.html)

*Subject: ZOL downtime and emergency maintenance*

Dear (name removed)

This is a brief update of our considerable downtime today (Monday 16 March) from about 2pm to 5:30pm. We are also announcing emergency maintenance that will take us offline from approximately 8pm to 10pm tomorrow (Tuesday 17th March).

Unfortunately every backup system including generators, UPS and routers were totally flummoxed by 2 painters painting the building where our satellite dish is housed. Being diligent men, they decided to remove a junction box to paint behind it. Unluckily that box belongs to Telecontract and houses a fiber optic cable joint connecting to ZOL. This took down not only ZOL, but many ISP connections on the same fiber.

We are operating on a temporary solution now, but to fully repair this damage Telecontract have advised us that they will have to redo the entire joint. This will take approximately 2 hours, and will be done at 8pm on Tuesday 17th March.

We apologize for any inconvenience caused. Sometimes human brilliance just shines through regardless of the best laid plans!

Best Regards,
*The ZOL Crew*
some realities (RISKS-25.60)

In the latest RISKS digest, I detected several problems with the comments. I thought I would bring them in as a risk of people who talk about risks not being thorough in their exploration of the issues.

> Subject: Health-care: The Computer Will See You Now (Anne Armstrong-Cohen)
> ... So before we embrace the inevitable, there should be more discussion
> and study of electronic records, or at a minimum acknowledgment of the
> down side.

This is no different from paper records - except that the stored and displayed answers can be definitive. The problem comes when the computer records are altered without the informed consent of the doctor who made them.

> A hybrid may be the answer — perhaps electronic records should be kept
> only on tablet computers, allowing the provider to write or draw, and face
> the patient.

With current technologies, this would be worse than either of the current approaches. Tablets today miss lots of the entries put into them and store dotted lines, misinterpret characters, and so forth - so they will produce more errors with less definitive information on what really happened.

> The personal relationships we build in primary care must remain a
> priority, because they are integral to improved health outcomes. Let us
> not forget this as we put keyboards and screens within the intimate walls
> of our medical homes."

The notion that the computer is somehow less personal than the piece of paper or that the doctor cannot still be a human being because they use a computer seems to me to be flawed.

> Subject: Turkish Airline disaster and the Altimeter
> I fail to see how the software would not spot a problem and carry
> out the landing:
>
> 1) If the two altimeters are reading very different readings,
> 2) If one of the altimeters switches from reading 2000 feet to -8
> feet instantly,
> 3) If one of the altimeters reads a negative number?

Great! So what is the list of ALL of the checks that should be done, how do we generate that list, how long is it, and how do we implement ALL of the possible check processes with adequate reliability and proper failsafes when we can't figure out how to do it for the simple things? Then apply this recursively and tell me all the ways in which just these 3 checks could possibly go wrong, and all the checks we need to check them... By the way, negative altitude is possible - fly into Death Valley some day.

We seem to have forgotten the "simplicity principle" in security - perhaps because it was removed from the GASSP when the GAISP was put in its place? Perhaps not. But as a rule of thumb, the more checks we put in, the more potential failure modes there are.

> Subject: Normal Accidents and Black Swans

Indeed - Risks readers may also be interested in: http://all.net/Analyst/2009-04.pdf "Risk management: There are no black swans"

Fred Cohen & Associates
tel/fax: 925-454-0171
http://all.net/
572 Leona Drive Livermore, CA 94550