The RISKS Digest
Volume 25 Issue 84

Wednesday, 25th November 2009

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Apostrophe in Your Name? You Can't Fly!
Chris J Brady
NY area bank claws back over 50,000 pension payments
Danny Burstein
Hacking ring steals $9 million from ATMs globally
Gadi Evron
Teleportation via Skyhook
Jerry Leichter
Warren Buffett cell phone skills: did they doom Lehman?
jidanni
Two Are Charged With Helping Madoff Falsify Records
Robert Schaefer
Brevity of text message leads to rumor of death
Mark Brader
Nasty iPhone Worm Hints at the Future
Robert Lemos via Jim Schindler
Australian Emergency operator hangs up; no street address
Darryl Smith
"Your smart meter is watching"
Cavoukian-Polonetsky via David Magda
Failure begets failure?
Aahz
At Checkout, More Ways to Avoid Cash or Plastic
Matthew Kruk
Mafia Wars CEO Brags About Scamming Users From Day One
Matthew Kruk
NY State Proposing Laws to Restrict Trucker Use of GPS
jidanni
Re: "Jimmy Carter era" computer causes traffic jams
JosephKK
Re: Drivers ticketed for not speaking English
Jerry Leichter
REVIEW: "Security and Usability", Lorrie Faith Cranor/Simson Garfinkel
Rob Slade
Info on RISKS (comp.risks)

Apostrophe in Your Name? You Can't Fly!

Chris J Brady <chrisjbrady@yahoo.com>
Tue, 10 Nov 2009 14:36:56 -0800 (PST)

This is the stuff of nightmares - not to mention enormous frustration and
possible stomach ulcers. If you have an apostrophe in your name - like many
of Irish descent do - you may find it impossible to board an airplane in the
coming months. Why? Because airline computers can't print an apostrophe on
the boarding pass, the name on your boarding pass will not exactly match the
name on your driver's license or passport. And beginning next year, the two
must match or you don't fly. And they call this progress. CJB.
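The mismatch Chris describes is a canonicalisation problem: the boarding-pass printer drops a character that the ID keeps, and a byte-for-byte comparison then fails. Added illustration (not code from any airline or screening system): both names are reduced to the same canonical form before comparing, so a pass printed "OBRIEN" still matches an ID that reads "O'Brien" or "O’Brien", while a genuinely different spelling still fails. The sample names are constructed.

```python
"""Apostrophe-tolerant name matching (added example; not from any airline system).

Both strings are reduced to the same canonical form before comparison, so a
boarding pass that lost its apostrophe still matches the ID that kept it.
"""
import unicodedata

# Characters a printer or legacy record may drop or substitute; all are removed
# before comparison: straight and curly apostrophes, hyphens, spaces, periods.
_DROPPED = set("'\u2019\u2018`-\u2010\u2011 .")


def normalize_name(name: str) -> str:
    """Canonical form: decomposed Unicode, accents stripped, punctuation and
    spaces removed, case folded. 'O\u2019Brien' -> 'obrien'."""
    decomposed = unicodedata.normalize("NFKD", name)
    kept = []
    for ch in decomposed:
        if unicodedata.combining(ch):   # accent marks split off by NFKD
            continue
        if ch in _DROPPED:
            continue
        kept.append(ch)
    return "".join(kept).casefold()


def names_match(boarding_pass: str, travel_id: str) -> bool:
    """True when the two names agree after canonicalisation."""
    return normalize_name(boarding_pass) == normalize_name(travel_id)


def explain_mismatch(boarding_pass: str, travel_id: str):
    """None when the names match; otherwise both canonical forms, so a
    reviewer sees what actually differed instead of a bare reject."""
    a, b = normalize_name(boarding_pass), normalize_name(travel_id)
    return None if a == b else (a, b)


if __name__ == "__main__":
    # Constructed sample: pass printed without the apostrophe or accent.
    print(names_match("SEAN OBRIEN", "Se\u00e1n O'Brien"))   # True
    print(explain_mismatch("SEAN OBRIEN", "Sean O'Brian"))   # ('seanobrien', 'seanobrian')
```

The comparison is deliberately asymmetric in what it forgives: characters that are known to be lost in printing are ignored, but letters are not, so the check still catches a real name mismatch.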


NY area bank claws back over 50,000 pension payments

danny burstein <dannyb@panix.com>
Sat, 7 Nov 2009 07:39:26 -0500 (EST)

- the bank paid the money, then grabbed it back from the accounts. Just like
we've all been promised would never, ever, happen...

[UFT press release]
http://www.uft.org/news/bank_error_to_blame_for_withdrawn_pension_payments/

  Bank error to blame for withdrawn pension payments

  Some 53,000 UFT retirees who rely on electronic pension payments had funds
  involuntarily withdrawn from their accounts on Nov. 6, causing all sorts
  of grief for those counting on the money. The Bank of New York Mellon,
  which is the transferring agent for the funds, erroneously reversed the
  October benefits payments to retirees paid through electronic fund
  transfer.

  "We're outraged. This is unacceptable," said UFT President Michael
  Mulgrew. "We have been on top of this since the calls first started coming
  in early Friday morning and we will continue to work until all of our
  members have been made whole.  Our first priority is to get all of the
  money back into our members' accounts."

The risks of this happening have been thrashed out before. What disturbs me
even more here is that the recipient banks simply allowed this wholesale
clawback.

Given the dangers of someone even less scrupulous than this player doing,
well, the exact same thing... one would have hoped that part of the banking
security profiles on ACH transfers would include "circuit breakers" which
would get tripped on any demand of this many accounts.
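The "circuit breaker" Danny asks for is straightforward to express: count reversals per originator over a sliding window and hold the whole batch for human review once the count exceeds a threshold. Added example (not code from any bank or ACH operator): `detect_bulk_reversals` finds originators whose reversal volume in a 24-hour window is implausible, and `apply_circuit_breaker` quarantines their reversal entries while letting everything else post. The entries, originator ids and threshold are constructed.

```python
"""Circuit breaker for bulk ACH reversals (added illustration, not bank code).

A legitimate originator rarely reverses more than a handful of credits in a
day; thousands of reversals in one batch should trip a hold for review
rather than post automatically.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AchEntry:
    originator: str      # originating company/bank id (constructed values below)
    account: str         # receiving account (constructed)
    amount: float        # positive = credit, negative = debit or reversal
    posted: datetime
    reversal: bool       # True if the entry reverses an earlier credit


def detect_bulk_reversals(entries, max_reversals=100, window=timedelta(hours=24)):
    """Map originator -> peak number of reversals seen inside any `window`,
    for originators whose peak exceeds `max_reversals`."""
    by_orig = defaultdict(list)
    for e in entries:
        if e.reversal:
            by_orig[e.originator].append(e.posted)
    tripped = {}
    for orig, times in by_orig.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_reversals:
            tripped[orig] = peak
    return tripped


def apply_circuit_breaker(entries, max_reversals=100, window=timedelta(hours=24)):
    """Split a batch into (released, held, tripped). Reversals from a tripped
    originator are held for review; all other entries post normally."""
    tripped = detect_bulk_reversals(entries, max_reversals, window)
    held = [e for e in entries if e.reversal and e.originator in tripped]
    released = [e for e in entries if not (e.reversal and e.originator in tripped)]
    return released, held, tripped


def constructed_sample():
    """Constructed batch: one originator reversing 250 pension credits in a
    single morning, plus ordinary traffic from another originator."""
    base = datetime(2009, 11, 6, 6, 0)
    entries = []
    for i in range(250):
        entries.append(AchEntry("ORIG-A", f"ACCT-{i:05d}", -1500.00,
                                base + timedelta(seconds=i), True))
    for i in range(20):
        entries.append(AchEntry("ORIG-B", f"ACCT-B{i:03d}", 1500.00,
                                base + timedelta(minutes=i), False))
    for i in range(3):   # a few legitimate one-off reversals
        entries.append(AchEntry("ORIG-B", f"ACCT-B{i:03d}", -1500.00,
                                base + timedelta(hours=2, minutes=i), True))
    return entries


if __name__ == "__main__":
    released, held, tripped = apply_circuit_breaker(constructed_sample())
    print(tripped, len(released), len(held))   # {'ORIG-A': 250} 23 250
```

The threshold would in practice be set per originator from its own history rather than as a single constant; the point is that the receiving bank, not only the originator, has enough information to notice that a reversal of 50,000 accounts is not business as usual.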


Hacking ring steals $9 million from ATMs globally

Gadi Evron <ge@linuxbox.org>
Thu, 19 Nov 2009 12:55:57 +0200

According to an FBI press release, a global ring of hackers broke into an
unnamed American credit processing company, stole PIN numbers, manipulated
accounts, and proceeded to steal 9 million USD from over 2000 ATM machines
world-wide.  (They have just been brought to justice.)
  http://www.fbi.gov/page2/nov09/atm_111609.html


Teleportation via Skyhook

Jerry Leichter <leichter@lrw.com>
Sun, 22 Nov 2009 22:31:08 -0500

I commute into Manhattan, which suffers from frequent traffic problems.
I've been using a combination of technologies to help out: a cell-phone-
system-based modem, one of the little portable WiFi hotspots that will talk
to it (so that I have a hotspot in my car), and the iPod Touch map
application, which shows Google's maps along with traffic conditions.

Now, the Touch doesn't have a GPS and doesn't talk to cell towers; but it
does quite well using technology from a company called Skyhook Wireless.
Skyhook builds a database of WiFi networks, and if you're in an area where
you can "see" one or more WiFi networks, it can locate you with surprising
accuracy.  It does make mistakes every once in a while, when very few WiFi
signals are visible nearby.  This may result in the map jumping around a bit
until more data is available.

One day, as I was driving along the west side of Manhattan, the map suddenly
changed.  A quick glance showed it to be entirely unfamiliar.  Since I was
stopped at a red light, I was able to stare at the map.  Surprise!  My Touch
thought I had instantly teleported across the Atlantic, and was driving
along the Mediterranean coast, not far from Monte Carlo.

A look around me gave a hint to the cause of the problem.  I was right next
to a large cruise ship.  Obvious guess: Such ships provide WiFi services.
This one probably happened to be visiting near Monte Carlo when it made it
into Skyhook's database.  Sure enough, when I had driven a couple of blocks,
the map suddenly shifted back to Manhattan.

A friend and I had previously joked about the confusion that would result if
I happened to be driving, with my in-car hotspot, just behind a Skyhook
mapping van.  Well ... it looks as if truth can be stranger than fiction!
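Jerry's teleportation is what happens when a positioning estimate trusts every access point it can see. Skyhook's actual algorithm is not public, so the following is an added, generic illustration rather than their code: a naive average of the recorded AP positions is dragged into the Atlantic by the one ship-board network still filed at its Mediterranean berth, whereas keeping only the largest cluster of mutually consistent APs rejects that outlier and reports low confidence when too few networks agree. BSSIDs and coordinates are constructed.

```python
"""Location fix from WiFi access points with outlier rejection (added example).

Not Skyhook's algorithm; a generic illustration of why one mis-mapped AP
(a cruise ship's network surveyed at its old berth) must not be allowed to
move the estimate across an ocean. All BSSIDs and coordinates are constructed.
"""
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = math.radians(a[0]), math.radians(a[1])
    lat2, lon2 = math.radians(b[0]), math.radians(b[1])
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def centroid(points):
    lat = sum(p[0] for p in points) / len(points)
    lon = sum(p[1] for p in points) / len(points)
    return (lat, lon)


def naive_fix(seen_bssids, ap_db):
    """Average of every known AP's recorded position, with no sanity check."""
    pts = [ap_db[b] for b in seen_bssids if b in ap_db]
    return centroid(pts) if pts else None


def robust_fix(seen_bssids, ap_db, cluster_km=1.0, min_aps=2):
    """Use only the largest group of APs that all lie within cluster_km of one
    seed AP; everything outside that group is reported as rejected. Fewer
    than min_aps agreeing APs gives a low-confidence fix (the 'map jumping
    around' case when very few networks are visible)."""
    known = [(b, ap_db[b]) for b in seen_bssids if b in ap_db]
    if not known:
        return None
    best = []
    for _, seed in known:
        group = [(b, p) for b, p in known if haversine_km(seed, p) <= cluster_km]
        if len(group) > len(best):
            best = group
    used = [b for b, _ in best]
    rejected = [b for b, _ in known if b not in used]
    lat, lon = centroid([p for _, p in best])
    return {"lat": lat, "lon": lon,
            "confidence": "high" if len(best) >= min_aps else "low",
            "used": used, "rejected": rejected}


# Constructed database: four APs on Manhattan's west side and one ship-board
# AP that was surveyed while the ship was docked near Monte Carlo.
AP_DB = {
    "aa:00:00:00:00:01": (40.7655, -73.9981),
    "aa:00:00:00:00:02": (40.7660, -73.9975),
    "aa:00:00:00:00:03": (40.7650, -73.9990),
    "aa:00:00:00:00:04": (40.7658, -73.9970),
    "ee:00:00:00:00:99": (43.7384, 7.4246),   # cruise ship, filed at its old berth
}

if __name__ == "__main__":
    seen = list(AP_DB)                      # everything is in range at the pier
    print(naive_fix(seen, AP_DB))           # somewhere in the North Atlantic
    print(robust_fix(seen, AP_DB))          # Manhattan, ship AP rejected
```

A real system would also weight by signal strength and age out database entries that keep disagreeing with their neighbours; the cruise ship's AP would then be re-filed at the pier after a few sightings, which is presumably why the map "shifted back" once Jerry had moved on.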


Warren Buffett cell phone skills: did they doom Lehman?

<jidanni@jidanni.org>
Sun, 15 Nov 2009 13:29:56 +0800

If Buffett only knew how to retrieve his cell phone messages, the banking
crisis might have been averted. True or false?

http://www.thefirstpost.co.uk/53572,people,news,warren-buffett-the-unheard-voice-mail-that-could-have-saved-lehman-brothers

Did Warren Buffett's Inability to Check Voice Mail Cause the Recession?
http://www.switched.com/2009/09/16/did-warren-buffetts-inability-to-check-voice-mail-help-cause-th/

If Only Warren Buffett Knew How to Work His Cellphone...
http://swampland.blogs.time.com/2009/09/15/warren-buffett-could-have-saved-lehma/

Warren Buffett Cell Phone Skills: Did They Doom Lehman?
http://www.huffingtonpost.com/2009/09/16/warren-buffett-cell-phone_n_288594.html

http://www.ecommerce-journal.com/news/18151_lehman_collapse_and_world_crisis_happened_because_buffett_cannot_read_voice_mail

http://blogs.wsj.com/deals/2009/09/15/if-buffett-had-checked-his-voicemail-would-lehman-have-survived/


Two Are Charged With Helping Madoff Falsify Records

Robert Schaefer <schaefer_robert@dwc.edu>
Fri, 13 Nov 2009 12:46:44 -0500

Two computer programmers who worked for Bernard L. Madoff's investment firm
were accused Friday of helping to cover up the giant Ponzi scheme for more
than 15 years.  [*The New York Times*, 13 Nov 2009]
http://www.nytimes.com/2009/11/14/business/14madoff.html?_r=1&hp


Brevity of text message leads to rumor of death

Mark Brader
Fri, 13 Nov 2009 17:15:22 -0500 (EST)

Canadian cabinet minister John Baird texted a friend to say that his cat had
died.  But it was thought he meant Margaret Thatcher, who the cat was named
after...

http://news.bbc.co.uk/2/hi/americas/8358544.stm
http://www.guardian.co.uk/world/2009/nov/13/thatcher-cat-death-canada

  [And twitter was the cat's bird friend?  PGN]


Nasty iPhone Worm Hints at the Future (Robert Lemos)

Jim Schindler <jimschin@gmail.com>
Tue, 24 Nov 2009 22:44:05 -0800

Robert Lemos, *Technology Review*, 25 Nov 2009
As smart phones become smarter, malicious code will find a friendlier home.
http://www.technologyreview.com/communications/24011/?nlid=2555&a=f

As mobile phones get more powerful, the threat of serious attacks against
such devices increases, security experts warn. This week, cybercriminals
moved closer to proving this point--exploiting a weakness in modified
iPhones to spread a worm programmed to steal banking information. Some
experts say the worm may be a sign that criminals are getting more savvy
about hacking mobile devices.

Last Saturday, researchers at several security firms reported that the new
worm, dubbed "Ikee.B" or "Duh," spreads using the default password for an
application that can be installed on modified versions of the iPhone. Once
the device has been compromised, the worm grabs text messages, and searches
for banking authorization codes used by at least one bank, before sending
the codes to a central server. Earlier this month, another iPhone worm was
released. It exploited the same password weakness to spread itself, but did
not try to steal personal information.

"The banking [attack] is new to mobile devices," says Chet Wisniewski, a
senior security advisor at antivirus firm Sophos. "It goes through your
phone, grabbing all your text messages, and sends them off to a server in
Lithuania."

Since the attack affects only the small number of iPhones that have been
"jail broken"--modified to run nonapproved software--the worm will likely
inconvenience only a few people. Yet some researchers say the worm confirms
that attacks against mobile users are evolving, and that cybercriminals are
targeting the personal and financial information kept on portable devices.
The ability to communicate with a central command-and-control server--a
characteristic more commonly associated with hijacked PCs--also makes such
software more dangerous.

This past summer, at the Black Hat Security Briefings conference in Las
Vegas, Charlie Miller, a consultant with Independent Security Evaluators,
demonstrated a way to remotely attack iPhones using the short message
service (SMS) protocol<http://www.technologyreview.com/blog/unsafebits/23957/>.
Miller says it's only a matter of time before cybercriminals find a way to
infect phones that haven't been jail broken, vastly increasing the potential
scale of an infection. "A [more serious] worm against an iPhone or any other
mobile device is going to happen," Miller says. "It is going to happen to
[Google's] Android and iPhone and everything else. As more bad guys do
research into the mobile platforms, these devices are going to get
attacked."

The evolution of the Ikee.B or Duh worm can be traced back to early attacks
against mobile devices. In 2000, Timofonica, a relatively simple virus that
spread between desktop computers and servers, also had the ability to spam
mobile phones in Spain with text messages. In 2004, Cabir, the first
mobile-phone-only worm, was released. Cabir could jump automatically between
Nokia handsets.

In 2006, researchers at the University of Toronto and Microsoft confirmed
that even short-ranged and short-lived Bluetooth connections between phones
could, in theory, be used to spread a wireless worm. "Starting a Bluetooth
worm outbreak is relatively easy once a vulnerability is found. An attacker
can bring an infected device into a typical urban mall and discover many
potential victims," the researchers wrote in a related paper.

The iPhone, and other smart phones, are a more attractive target for
hackers because they resemble mini PCs. The devices are always connected to
the Internet, run third-party applications, and store information that is
potentially valuable to cybercriminals.

Normally, however, exploiting the iPhone is not that easy. The new worm
employed a weakness introduced by an application called OpenSSH that can be
used to connect to the phone remotely. This application uses the default
password "alpine," and the worm used this default password to wriggle
between handsets.

"This is trivial--there is no shell code, no buffer overflow, nothing,"
says Miller. "It took me two weeks to write the [code] for the SMS thing,
but I could have written [Ikee.B] in, like, five minutes."

The attacks that have targeted the iPhone in the last month have also
focused on jail-broken devices. The modification process to jail break a
phone removes the code that prevents users from loading whatever
applications they want, but also removes much of the security that prevents
malicious code from running on the device. "The iPhone has all these layers
of defense, but when you jail break your phone, you break every single one
of them," Miller says.

The evolution of such hacking will continue, Miller says, although the
current crop of iPhone attack code has a long way to go. The new worm does
little to hide its activity, for example. And, by sending data over wireless
networks, as well as aggressively attempting to infect other phones, the
worm also quickly runs down the compromised phone's battery.

"Because the phone is trying to connect all the time, users that get
infected with this thing are going to know," says Sophos' Wisniewski.
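The worm's spread depended on two things the article names: an SSH daemon reachable over the network and an unchanged default password. Both are visible from the device's own side. Added example (not code from Sophos, Technology Review or any iPhone tool): a scanner over sshd log lines that flags a root password login from a non-loopback address and sources that hammer the daemon with failed passwords, plus an audit of an `sshd_config` text for the two settings that make default-password propagation possible. The log lines, addresses and configuration texts are constructed; the two config defaults are assumed to be "yes", as in the OpenSSH versions of the time.

```python
"""Detecting and closing the default-password SSH path (added example).

Not code from any of the firms quoted in the article. Log lines, addresses
and configuration texts below are constructed for illustration.
"""
import re
from collections import Counter

# Matches both "Accepted password for root from ..." and
# "Failed password for invalid user admin from ..." forms of sshd auth lines.
LOG_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")


def parse_sshd_line(line):
    m = LOG_RE.search(line)
    if not m:
        return None
    result, method, user, src = m.groups()
    return {"result": result, "method": method, "user": user, "src": src}


def is_local(addr):
    return addr.startswith("127.") or addr == "::1"


def scan_auth_log(lines, fail_threshold=5):
    """Alerts: any root password login over the network (how the worm gets in)
    and any source with >= fail_threshold failures (a worm guessing its way in)."""
    alerts, fails = [], Counter()
    for line in lines:
        ev = parse_sshd_line(line)
        if not ev:
            continue
        if (ev["result"] == "Accepted" and ev["method"] == "password"
                and ev["user"] == "root" and not is_local(ev["src"])):
            alerts.append(("root-password-login", ev["src"]))
        if ev["result"] == "Failed":
            fails[ev["src"]] += 1
    for src, n in fails.items():
        if n >= fail_threshold:
            alerts.append(("password-guessing", src))
    return alerts


def audit_sshd_config(text):
    """Settings that leave a device open to default-password spread.
    Unset keys are treated as 'yes' (assumed OpenSSH defaults of the era)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(" ")
        settings[key.lower()] = val.strip().lower()
    findings = []
    if settings.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is enabled")
    if settings.get("permitrootlogin", "yes") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows password login for root")
    return findings


# Constructed sshd log excerpt from a single handset.
SAMPLE_LOG = [
    "Nov 22 03:14:01 handset sshd[1123]: Accepted password for root from 10.0.1.7 port 51002 ssh2",
    "Nov 22 03:20:00 handset sshd[1130]: Failed password for root from 10.0.1.9 port 51010 ssh2",
    "Nov 22 03:20:01 handset sshd[1131]: Failed password for root from 10.0.1.9 port 51011 ssh2",
    "Nov 22 03:20:02 handset sshd[1132]: Failed password for root from 10.0.1.9 port 51012 ssh2",
    "Nov 22 03:20:03 handset sshd[1133]: Failed password for invalid user admin from 10.0.1.9 port 51013 ssh2",
    "Nov 22 03:20:04 handset sshd[1134]: Failed password for root from 10.0.1.9 port 51014 ssh2",
    "Nov 22 09:00:00 handset sshd[2001]: Accepted publickey for mobile from 10.0.1.2 port 40000 ssh2",
    "Nov 22 09:05:00 handset sshd[2002]: Accepted password for root from 127.0.0.1 port 40100 ssh2",
]

# Constructed configurations: as shipped versus hardened.
OPEN_CONFIG = "PasswordAuthentication yes\nPermitRootLogin yes\n"
HARDENED_CONFIG = "# keys only, no root over the network\nPasswordAuthentication no\nPermitRootLogin no\n"

if __name__ == "__main__":
    print(scan_auth_log(SAMPLE_LOG))
    print(audit_sshd_config(OPEN_CONFIG), audit_sshd_config(HARDENED_CONFIG))
```

The hardened configuration removes the worm's only entry point without touching the jailbreak itself; changing the default password does the same for this particular worm but not for the next one that guesses a different list.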


Australian Emergency operator hangs up; no street address.

"Darryl Smith" <Darryl@radio-active.net.au>
Thu, 26 Nov 2009 10:30:06 +1100

From the *Sydney Morning Herald*, 26 Nov 2009
http://www.smh.com.au/national/triple0-bungle-over-lack-of-street-address--again-20091126-jshb.html

A man called the emergency line from a remote property near Boomi in far
northern NSW. An operator ended the call because Mr Jamieson could not
provide a street number. "They said they wanted a house number. I said
there's no house number." When asked what road his property was on, he responded
"The Boomi-Goondiwindi Road, they couldn't find Goondiwindi on a map because
... it's in Queensland". An ambulance eventually arrived after he contacted
a business next door to the Goondiwindi ambulance service in the next state.

This comes after a 17-year-old became separated from his two classmates on
Mount Solitary during a three-day trek in 2006 and died. The inquest found
three triple-0 operators bungled a series of calls for help he made to them
because they did not have a street address of the rugged bushland.

Darryl Smith, VK2TDS POBox 169 Ingleburn NSW 2565 Australia
Mobile Number 0412 929 634 [+61 4 12 929 634 Int] - 02 9618 645
www.radio-active.net.au/blog/ - www.radio-active.net.au/web/tracking/

  [Another problem well known to RISKS readers.  PGN]


"Your smart meter is watching"

David Magda <dmagda@ee.ryerson.ca>
Tue, 17 Nov 2009 18:25:42 -0500

Ann Cavoukian (Privacy Commissioner of Ontario) and Jules Polonetsky:

> We must take great care not to sacrifice consumer privacy amid an
> atmosphere of unbridled enthusiasm for electricity reform. But we need not
> forfeit one for the other in a zero-sum manner; we can adopt a
> positive-sum approach, where both interests may prevail.  Information
> proliferation, lax controls and insufficient oversight of this information
> could lead to unprecedented invasions of consumer privacy. Intimate
> details of individual hydro customers' habits, from when they eat, when
> they shower, to when they go to bed, plus such security issues as whether
> they have an alarm system engaged, could all be discerned by the data,
> automatically fed by appliances and other devices, to the companies
> providing electric power to our homes.

http://www.thestar.com/comment/article/726528

They have also released a white paper entitled "SmartPrivacy for the Smart
Grid: Embedding Privacy into the Design of Electricity Conservation"
detailing the issue:

http://tinyurl.com/ye2kjlv
http://www.ipc.on.ca/english/Resources/Discussion-Papers/Discussion-Papers-Summary/?id=912


Failure begets failure?

Aahz <aahz@pythoncraft.com>
Sat, 21 Nov 2009 11:32:05 -0800

I've been having a number of problems with the Hyatt hotel chain lately, and
I'm excerpting the bits that I think would be of interest to RISKS readers
(mostly the ones that represent failure in communication and computer use),
none of which is particularly surprising, although having the entire
sequence is somewhat surprising to me.

What I'm curious about, particularly from a RISKS perspective, is the
likelihood that any given customer having experienced problems with an
organization makes it more likely that the same customer will experience
additional problems.  Anyone know of research in this area?  This is related
to e.g. problems in aviation and computer servers — how likely are
cascading failures?  Can/should we use the first failure as a harbinger of
future failures?

I mean, although my experiences with Hyatt are such that calling them
incompetent would be high praise, they clearly can't be causing this many
problems for other customers or they'd be out of business.

Here's the redacted list:

* Failing to provide free Internet at Hyatt Santa Clara (California) despite
group contract specifying it (5/2008)

* Refusing to refund a damage deposit until I dispute the charge with my
credit card company (Hyatt Santa Clara, 5/2009 - 7/2009)

The next series of incidents started when the Hyatt Summerfield Suites in
Belmont, California was unable to give us a room because some other guests
trashed their rooms; the Summerfield sent us to the Hyatt SFO.

* Informing me only by telephone about the new arrangement despite making
the reservation on-line (although this is par for the course for pretty much
all idiot companies) — I'm hearing-impaired, so this issue is particularly
important to me, but I know plenty of people who hate using the phone

* Although this is supposed to be a free room with breakfast (to compensate
for switching hotels), they charge my credit card for parking, Internet, and
room service ($60!)

* They later reverse the charge without informing me; I only notice this on
my credit card bill

* Changing the name on my Hyatt account without asking me

* When I complain about the name change, they claim that they have no record
of a name-change on my account (they are obviously either lying or
incompetent because they sent me an automated e-mail when my name was
changed)

In addition, the Hyatt web site uses HTTP for account login instead of
HTTPS/SSL, so they clearly don't care about security.

Aahz (aahz@pythoncraft.com)  http://www.pythoncraft.com/


At Checkout, More Ways to Avoid Cash or Plastic

"Matthew Kruk" <mkrukg@gmail.com>
Mon, 16 Nov 2009 23:36:59 -0700

http://www.nytimes.com/2009/11/16/technology/start-ups/16wallet.html

Claire Cain Miller, At Checkout, More Ways to Avoid Cash or Plastic,
*The New York Times*, 16 Nov 2009

For almost as long as Americans have been hearing about jetpacks and
picturephones, they have been hearing that money - bills, coins and plastic
cards - might cease to exist, or at least become a novelty.

Instead of leather wallets, consumers could, sooner than they think, carry
virtual wallets, with their credit card and bank information stored on
remote computers that are accessible everywhere and anytime.  They could use
them whenever they want to buy something, whether on the Web, on cellphones
or at cash registers.

With a new cellphone application called ShopSavvy, for instance, a shopper
can use the phone's camera to scan an item's bar code in a store to see if
it is available for less online. If so, the shopper can buy it with one
click if they have already entered their credit card and shipping
information on PayPal's Web site.

"What we're trying to do and what we think is very important is to displace
the use of cash or checks," said Scott Thompson, president of PayPal, which
is a leader in digitizing money. "We'll just have one wallet, and it lives
in the cloud." ...

There's more ...  makes me very uneasy.  Electronic pickpockets have perked
up their ears ...

  [And if you ask for the manager, the checker is likely to say,
  "The Head's in the Clouds" or perhaps "The Cloud is in the Head."  PGN]


Mafia Wars CEO Brags About Scamming Users From Day One

"Matthew Kruk" <mkrukg@gmail.com>
Mon, 16 Nov 2009 23:31:12 -0700

http://consumerist.com/5400720/mafia-wars-ceo-brags-about-scamming-users-from-day-one
http://tinyurl.com/ycpkrzd

"From the beginning, the profitability and viability of popular Facebook
social networking games Mafia Wars and Farmville were predicated on the
backs of scams, boasts Zynga CEO Mark Pincus in this video. "I did every
horrible thing in the book just to get revenues," he crows in the clip to a
gathered bunch of fellow scumbag app developers." ...


NY State Proposing Laws to Restrict Trucker Use of GPS

<jidanni@jidanni.org>
Sun, 15 Nov 2009 04:22:17 +0800

AP item, 14 Oct, 2009: New York State wants to crack down on truckers who
rely on satellite devices to direct them onto faster but prohibited routes
and end up crashing into overpasses that are too low for their rigs.
Gov. David Paterson proposed penalties including jail time and confiscation
of trucks to come down on drivers who use GPS - global positioning systems -
to take more hazardous routes and end up striking bridges.
  http://www.dailymail.com/ap/ApTopStories/200910141133


Re: "Jimmy Carter era" computer causes traffic jams (RISKS-25.83)

"JosephKK" <quiettechblue@yahoo.com>
Sun, 15 Nov 2009 18:25:54 -0800

> Troubleshooting requires lots of training and intuition, not something
> you can pick up from a book...

Like hell.  I started in computers in 1971 and only a few antiques
took more than four shelves in a 36 inch cabinet for the CPU proper.
By 1974 the whole thing including I/O adapter was below 22" by 22" by
48" and did about 1 32bit (VAX) mips.  Moreover these were military
ruggedized types.  And the training required was weeks.
Straightforward as hell.  And the basic implementation was bit slice
to boot.  For that matter so was the previous generation, just not
quite so obviously. Ref (CP1303/AN-UYK7 {32bit} and CP-642B/AN-UYK4
{30 bit})


Re: Drivers ticketed for not speaking English (Jimenez, RISKS-25.83)

Jerry Leichter <leichter@lrw.com>
Sun, 22 Nov 2009 23:25:39 -0500

In RISKS-25.83, Frank Jimenez reports that the Dallas Police Department
has issued at least 38 tickets citing drivers for an inability to speak
English.  There is, in fact, no such requirement - except for commercial
drivers.  Jimenez concludes: "The risk here is the ability to choose an
option from a drop-down box that doesn't actually apply to a particular law
enforcement situation."

Is it really?  Do we really want a computer system involved in deciding
whether a particular law is applicable in a given situation or not?  We're
not talking about some simple UI to a billing program where it's trivial to
determine which options make sense.

Police are expected to understand the law.  It's part of the job
description.  They are human and humans make mistakes; that's why we have
courts and appeals courts beyond them.  But a policeman who doesn't get the
law right in the vast majority of situations shouldn't be wearing a badge.

Paper tickets include space for many possible violations, only a few of
which may be relevant in any given circumstance.  Based on all history of
computerization as we've seen it here, do we really think that replacing that
piece of paper with a "smart" program that somehow decides which violations
are relevant will improve things?  Or is it more likely to lead to a spate
of other stories in which police are unable to issue tickets because the
computer fails to bring up the right option; or, even worse, are led to
ignore their own knowledge and judgement and charge things incorrectly
because "the computer said this was the right charge"?


REVIEW: "Security and Usability", Lorrie Faith Cranor/Simson Garfinkel

Rob Slade <rMslade@shaw.ca>
Tue, 17 Nov 2009 14:06:04 -0800

BKSECUSA.RVW   20090727

"Security and Usability", Lorrie Faith Cranor/Simson Garfinkel, 2005,
0-596-00827-9, U$44.95/C$62.95
%E   Lorrie Faith Cranor
%E   Simson Garfinkel
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2005
%G   0-596-00827-9
%I   O'Reilly & Associates, Inc.
%O   U$44.95/C$62.95 800-998-9938 fax: 707-829-0104 nuts@ora.com
%O  http://www.amazon.com/exec/obidos/ASIN/0596008279/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0596008279/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596008279/robsladesin03-20
%O   Audience i- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   714 p.
%T   "Security and Usability"

The editors state that they intended this collection of essays more to
address the academic, than the practical, side of the security field.  Thus,
the papers are chosen to reflect theory and principle, rather than specific
practice.  A prudent choice, since theory dates less quickly than specific
procedure.

The thirty-four compositions in this work are divided into six sections.
Part one states that security and usability are not antithetical, part two
addresses authentication mechanisms and techniques, part three examines how
system software can contribute to security, part four deals with privacy
controls, part five examines the vendor perspective of provision of
security, while part six finishes off the book with a few papers considered
to be of lasting value.

The papers contain interesting points, but sometimes both theoretical and
practical utility are lacking.  For example the first paper, entitled
"Psychological Acceptability Revisited," challenges the idea that security
mechanisms must be complex and difficult to use in order to be effective.
Unfortunately, while the author clearly demonstrates that a system can be
both insecure and useless, he does not prove the opposite, which is the
condition we want.  A good many papers simply state that human factors
should be considered, and that security provisions should be usable: these
points are true, but not helpful.  With one exception (a good paper on
password choice) all the pieces on authentication present research having
nothing to do with usability.  Most of the papers in the book describe
security research that is interesting, and which frequently has relations
with human factors, but the relevance to the provision of systems that are
both usable and secure is not often clear.

Even as a compilation of security bedtime reading, the essays collected in
this volume are somewhat lacking.  In terms of both principles and practice,
any volume of the "Information Security Management Handbook"
(cf. BKINSCMH.RVW) has superior selection, and better structure, as well.

copyright Robert M. Slade, 2009 rslade@vcn.bc.ca rslade@computercrime.org
victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
