The BBC reports (http://news.bbc.co.uk/2/hi/science/nature/8533157.stm) on the growing threat of jamming to satellite navigation systems. The fundamental vulnerability of all the systems - GPS, the Russian Glonass, and the European Galileo - is the very low power of the transmissions. (Nice analogy: A satellite puts out less power than a car headlight, illuminating more than a third of the Earth's surface from 20,000 kilometers.) Jammers - which simply overwhelm the satellite signal - are increasingly available on-line. According to the article, low-powered hand-held versions cost less than £100, run for hours on a battery, and can confuse receivers tens of kilometers away. The newer threat is from spoofers, which can project a false location. This still costs "thousands", but the price will inevitably come down. A test done in 2008 showed that it was easy to badly spoof ships off the English coast, causing them to read locations anywhere from Ireland to Scandinavia. Beyond simple hacking - someone is quoted saying "You can consider GPS a little like computers before the first virus - if I had stood here before then and cried about the risks, you would've asked 'why would anyone bother?'." - among the possible vulnerabilities are to high-value cargo, armored cars, and rental cars tracked by GPS. As we build more and more "location-aware" services, we are inherently building more "false-location-vulnerable" services at the same time. — Jerry
"While "jamming" sat-nav equipment with noise signals is on the rise, more sophisticated methods allow hackers even to program what receivers display. At risk are not only sat-nav users, but also critical national infrastructure." Full story at: http://news.bbc.co.uk/1/hi/sci/tech/8533157.stm [This risk noted by several others as well.]
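The two items above describe spoofed receivers reporting positions hundreds of kilometres from where the ship actually was. A receiver, or the software consuming its fixes, can notice this kind of spoofing without any RF hardware by checking whether consecutive fixes are physically plausible for the platform. The following is an added illustration written for this digest, not code from the BBC article or from any navigation product; the track, the 40-knot ceiling and the field names are constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

EARTH_RADIUS_KM = 6371.0
KM_PER_NAUTICAL_MILE = 1.852


@dataclass
class Fix:
    """One position report. t is seconds since the start of the track (constructed)."""
    t: float
    lat: float
    lon: float


def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes, in kilometres."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = math.radians(b.lat - a.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def implied_speed_knots(a: Fix, b: Fix) -> Optional[float]:
    """Speed the platform would need to move from a to b; None if the timestamps
    do not advance (a repeated or rewound timestamp is itself suspicious)."""
    dt_hours = (b.t - a.t) / 3600.0
    if dt_hours <= 0:
        return None
    return haversine_km(a, b) / dt_hours / KM_PER_NAUTICAL_MILE


def flag_implausible_fixes(track: List[Fix], max_speed_knots: float = 40.0) -> List[int]:
    """Return the indices of fixes that are unreachable from the last trusted fix
    at max_speed_knots. The last trusted fix is held (not advanced) across a
    flagged fix, so a spoofed jump cannot drag the reference point with it."""
    flagged: List[int] = []
    last_good = track[0]
    for i in range(1, len(track)):
        speed = implied_speed_knots(last_good, track[i])
        if speed is None or speed > max_speed_knots:
            flagged.append(i)
        else:
            last_good = track[i]
    return flagged


# Constructed track: a ship steaming north off Dover at about 11 knots, with two
# fixes that suddenly place it in Dublin and then Oslo, as in the 2008 trial.
SAMPLE_TRACK = [
    Fix(0, 51.100, 1.400),
    Fix(60, 51.103, 1.400),
    Fix(120, 51.106, 1.400),
    Fix(180, 51.109, 1.400),
    Fix(240, 53.350, -6.260),   # Dublin: ~580 km in one minute
    Fix(300, 51.115, 1.400),
    Fix(360, 59.910, 10.750),   # Oslo
    Fix(420, 51.121, 1.400),
]

if __name__ == "__main__":
    for i in flag_implausible_fixes(SAMPLE_TRACK):
        print(f"fix {i} at t={SAMPLE_TRACK[i].t}s is implausible: "
              f"({SAMPLE_TRACK[i].lat}, {SAMPLE_TRACK[i].lon})")
```

The speed ceiling is the only tunable parameter; it should reflect the platform (a ship, a lorry, an armoured car), and a jump that exceeds it is a reason to distrust the fix and fall back on dead reckoning or a second source, not a proof of spoofing on its own.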
Recently Ross Anderson's group has published a new and very serious vulnerability in the "Chip & Pin" (EMV) authentication used by many (probably most) credit and debit card issuers worldwide. Very briefly: "The attack uses an electronic device as a "man-in-the-middle" ... ... the terminal thinks that the PIN was entered correctly, and the card assumes that a signature was used to authenticate the transaction."

The paper: http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/oakland10chipbroken.pdf
The FAQ: http://www.cl.cam.ac.uk/research/security/projects/banking/nopin/
The BBC video: http://www.bbc.co.uk/blogs/newsnight/susanwatts/2010/02/new_flaws_in_chip_and_pin_syst.html

The risk: Providing "legacy compatibility", in this case with signature-based authentication, always involves additional risk and requires special attention. (Acknowledgment to Bruce Schneier's blog)
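The item above turns on the terminal and the card holding contradictory views of the same transaction. That contradiction is also the detection opportunity: both views reach the issuer in the authorisation request, so the issuer can refuse a transaction where the terminal claims a PIN was verified while the card says it never processed one. The model below is an added example written for this digest, not code from the Cambridge paper or from any payment system; the class names, the `card_cvm` field and the way the card reports its view are constructed, and the issuer-side comparison is an assumption about where such a check would live.

```python
from typing import Optional


class Card:
    """Card side of the cardholder-verification step: it only ever learns that
    a PIN was checked if a VERIFY command actually reaches it."""

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self.pin_verified = False

    def verify(self, pin: str) -> bool:
        self.pin_verified = (pin == self._pin)
        return self.pin_verified

    def generate_ac(self) -> dict:
        # The card's own record of which verification method it saw. Real cards
        # carry this in issuer-specific data; the field name here is constructed.
        return {"card_cvm": "pin" if self.pin_verified else "signature"}


class Wedge:
    """Model of the device the paper describes, sitting between terminal and
    card: it answers the terminal's VERIFY with 'PIN OK' without forwarding it,
    and relays everything else unchanged. Included only to generate the
    inconsistent record the issuer check below is meant to catch."""

    def __init__(self, card: Card) -> None:
        self._card = card

    def verify(self, pin: str) -> bool:
        return True

    def generate_ac(self) -> dict:
        return self._card.generate_ac()


def run_transaction(channel, entered_pin: str) -> Optional[dict]:
    """Terminal side. Returns the authorisation request it would send to the
    issuer, or None when the PIN is rejected and the transaction is declined."""
    if not channel.verify(entered_pin):
        return None
    # The terminal records what it believes happened (EMV tag 9F34, CVM Results).
    request = {"terminal_cvm": "pin"}
    request.update(channel.generate_ac())
    return request


def issuer_cvm_consistent(request: dict) -> bool:
    """Issuer-side check: decline when terminal and card disagree about the
    cardholder verification method. An honest PIN transaction always agrees."""
    return request["terminal_cvm"] == request["card_cvm"]


def honest(pin_on_card: str, entered: str) -> Optional[dict]:
    return run_transaction(Card(pin_on_card), entered)


def wedged(pin_on_card: str, entered: str) -> Optional[dict]:
    return run_transaction(Wedge(Card(pin_on_card)), entered)


if __name__ == "__main__":
    for label, req in (("honest", honest("1234", "1234")),
                       ("wedged", wedged("1234", "0000"))):
        print(label, req, "consistent" if req and issuer_cvm_consistent(req) else "MISMATCH")
```

The point of the model is the last function: neither the terminal nor the card can see the inconsistency on its own, because each is reporting truthfully about what it observed, so the check has to be made where both reports are visible.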
CNN has posted an item: "Elvis Presley passport exposes security flaw" (Atika Shubert, 2010-02-23) relating an interview with Adam Laurie and Jeroen Van Beek, two self-described "ethical hackers" who created a forged passport in the name of Elvis Presley from a non-existent country. According to the article, the passport was accepted by an automated scanning machine, even though it was signed by what amounted to a self-signed certificate. Laurie is quoted as saying that many countries do not share sufficient information for others to authenticate the digital signatures. The article can be found at: http://www.cnn.com/2010/TECH/02/19/passport.security/index.html

The need for a commonly accepted higher-level certification authority or authorities is a well-understood part of such digital signature authentication schemes. It is disturbing that such a registration or acceptance feature, common to all web browser security implementations, has not been internationally accepted, despite the fact that the infrastructure is already in place in a number of international organizations (e.g., IPU, ITU-T [formerly CCITT], and others). - Bob Gezelter, http://www.rlgsc.com
The independent newspaper *City Paper* runs a weekly column, "Murder Ink", that provides coverage of homicides here in Baltimore City, Maryland. A computer-related murder on February 17, 2010, caught my eye:

> Two men got into an argument with Couther's aunt over a Facebook page. Couther went into the living room to help his aunt and ended up arguing and then fighting with one of the men [resulting in Couther's throat being slashed] [...] Couther died at a local hospital an hour later. Montaize Alford [was] arrested and charged with Couther's murder. According to [Stephen Janis of investigativevoice.com], the aunt was being beaten by her boyfriend because a man "friended" her on Facebook.

http://www.citypaper.com/news/story.asp?id=19818 (Anna Ditkoff writing in *City Paper* volume 34 number 8, page 8, February 23, 2010)

Peter Hermann of *The Baltimore Sun* corroborates the Facebook angle on his blog, citing police detective Michael Moran's charging documents:

> [Couther's aunt] Begett had returned from work and was sleeping on her sofa when Alford called her on her cell phone at about 2 a.m. and started arguing with her about a male friend on her Facebook page [...] Begett hung up on Alford and moments later he showed up at her home and entered using a key. He began assaulting her [then] Couther and Alford began fighting [resulting in] a large laceration to [Couther's] neck which was bleeding profusely.

http://weblogs.baltimoresun.com/news/crime/blog/2010/02/slew_of_homicide_arrests_inclu.html

Since this is the RISKS Forum, I felt at first compelled to come up with a piquant observation about the erosion of privacy inherent in social network computing. But then I realized I'm missing the broader issue.
It's not our role as scientists and practitioners to complain about how "the times they are a-changin'" — it's to ask questions like "was Begett aware when she accepted the friending request that the action would be visible to her boyfriend, and if she was not aware then how could that consequence have been conveyed better by Facebook or other entities?" The RISK to me (whom a student called "tragically uncool" due to my apparent underuse of social networking media) is missing an opportunity to do something about a problem simply because I don't like the problem.
Serious threat to the web in Italy, 24 Feb 2010

In late 2006, students at a school in Turin, Italy, filmed and then uploaded a video to Google Video that showed them bullying an autistic schoolmate. The video was totally reprehensible and we took it down within hours of being notified by the Italian police. We also worked with the local police to help identify the person responsible for uploading it and she was subsequently sentenced to 10 months community service by a court in Turin, as were several other classmates who were also involved. In these rare but unpleasant cases, that's where our involvement would normally end.

But in this instance, a public prosecutor in Milan decided to indict four Google employees - David Drummond, Arvind Desikan, Peter Fleischer and George Reyes (who left the company in 2008). The charges brought against them were criminal defamation and a failure to comply with the Italian privacy code. To be clear, none of the four Googlers charged had anything to do with this video. They did not appear in it, film it, upload it or review it. None of them know the people involved or were even aware of the video's existence until after it was removed.

Nevertheless, a judge in Milan today convicted 3 of the 4 defendants - David Drummond, Peter Fleischer and George Reyes - for failure to comply with the Italian privacy code. All 4 were found not guilty of criminal defamation. In essence this ruling means that employees of hosting platforms like Google Video are criminally responsible for content that users upload. We will appeal this astonishing decision because the Google employees on trial had nothing to do with the video in question. Throughout this long process, they have displayed admirable grace and fortitude. It is outrageous that they have been subjected to a trial at all. ...

http://googleblog.blogspot.com/2010/02/serious-threat-to-web-in-italy.html
Tim Greene, *IT Business*, 22 Feb 2010
Kneber botnet -- a multi-headed hydra that's wreaking havoc

The most sinister aspect of the Kneber botnet is its interaction with other malware networks, suggesting a symbiotic relationship that ultimately makes each bot more resistant to being dismantled.

http://www.itbusiness.ca/it/client/en/home/news.asp?id=56499

At the bottom of the first page of the article are these two paragraphs:

'What he found is that more than half the 74,000 compromised computers -- bots -- within Kneber were also found infected with other malware that uses a different command-and-control structure. If one of the criminal networks were disabled, the other could be used to build it up again.

"At the very least, two separate botnet families with different [command-and-control] infrastructures can provide fault tolerance and recoverability in the event that one [command-and-control] mechanism is taken down by security efforts," he says in his written analysis of the Kneber botnet.'
http://news.cnet.com/8301-30977_3-10457077-10347072.html
Students'-eye view of Webcam spy case

The first two paragraphs:

'Students at Herriton High School in Lower Merion School District near Philadelphia are given Apple MacBook laptops to use both at school and at home. Like all MacBooks, the ones issued to the students have a Webcam. And, in addition to the students' ability to use the Webcam to take pictures or video, the school district can also use it to take photographs of whomever is using the computer.

In a civil complaint (PDF) filed in federal court, a student at the school, Blake Robbins, said he received a notice from an assistant principal informing him that "the school district was of the belief that minor plaintiff was engaged in improper behavior in his home, and cited as evidence a photograph from the Webcam."'

It is apparently worse than that:

http://www.infoworld.com/d/adventures-in-it/when-schools-spy-their-students-bad-things-happen-474?source=IFWNLE_nlt_notes_2010-02-22
InfoWorld Home / Adventures in IT / Robert X. Cringely, Notes from the Field, February 22, 2010
When schools spy on their students, bad things happen
Pennsylvania's Lower Merion School District thought it was clever to use webcams to track its students' MacBooks -- boy, were they mistaken

Savanna Williams, a statuesque sophomore at Harriton, appeared on CBS's "The Early Show" with her mother, talking about how she takes her school-supplied notebook everywhere -- including the bathroom when she showers. If that doesn't give you a strong mental image of the potential for abuse, nothing will.

For a thoroughly creepy demonstration of how another school, the Bronx's IS 339, spies on its students using webcams, check out this video. Assistant Principal Dan Ackerman cheerfully shows how he watches sixth and seventh graders in real time without their knowing it while they preen in front of an app called Photo Booth.

"Photo Booth is always fun... a lot of kids are just on it to check their hair, do their makeup, the girls, you know. They just use it like it's a mirror... They don't even realize that we're watching... I always like to mess with them and take a picture."

At least he's doing it on school grounds and not in their bathrooms.
Begin forwarded message:

> From: "Edelman Financial" <email@example.com>
> Date: February 23, 2010 4:58:14 PM EST
> Subject: A Message from Ric Edelman

Dear fjohn and Evlynn:

For the past two years we have been distributing news, reviews and other important information to you via email. By bypassing the postal service we are able to contact you more easily, quickly and cheaply --- which improves speed and helps us control expenses. Email also allows you to respond to us more easily and quickly, too, resulting in faster and better service.

The vendor we use for sending you my updates and other non account-related communications is iContact. We have just been informed that email addresses have been stolen from iContact's system, possibly by one of their former employees. iContact is working with law enforcement officials on the matter and has not yet determined the extent of the theft. At this time, your email address may or may not have been involved.

Because we do not provide iContact with anything other than email addresses and names, your personal information remains safe. It was not possible for the thief to obtain addresses, account numbers or any personal financial data. The worst case is that you might notice an increase in the amount of spam that you receive. [...]

My best regards, Ric Edelman, Chairman & CEO, 888-752-6742

[I invite you to read my blog "Reinke Faces Life", visit my sites (all listed at http://krunchd.com/reinkefj), and use whatever you need. Join me (reinkefj) on LinkedIn, Facebook, Plaxo, and / or follow me on Twitter. Remember the adage "first seek to help; then be helped".]
> Subject: Clinical Update: Nationwide Technetium shortage memo..
> Date: Tue, 23 Feb 2010 ##:##:## -####
> From: Big University Hospital

On 14 May 2009 the NRU Reactor in Canada was shut down due to a heavy water leak for repairs. This has impacted approximately 40% of the world's supply of Mo-99. Consequently, this has created a nationwide shortage of Tc99 which is used in 80% of nuclear medicine imaging procedures. On 19 Feb 2010 the High Flux Petten Reactor in the Netherlands will be shut down for approximately 6 months for repairs, further exacerbating the already acute shortage.

In the coming weeks it may be necessary to adjust schedules to cope with the cyclical nature of the remaining supply of Tc99 from our commercial radiopharmaceutical providers. Typically, our providers will have a more ample supply in the beginning and end of the week, with seriously depleted availability Tuesdays and Wednesdays as a result. Even further complicating the matters, all five major medical isotope reactors will be off-line for approximately two weeks in mid-March for routine maintenance. There is a strong possibility there may be no product available during certain days during those two weeks.

We will be doing everything we can to minimize the impact of this shortage to our patients including reducing our normal radioactive doses, switching to protocols that can conserve our supply of Tc99 and possibly using alternative radioisotopes when clinically applicable. We hope to continue to serve our faculty and our patients as efficiently as possible during this crisis. If you have any questions, please feel free to contact... We appreciate your understanding during this shortage.

- - - -

Technetium-99m is a short half-life gamma emitter that is used extensively in nuclear imaging, especially in nuclear cardiology where it is the mainstay of stress-test imaging.
Its short half-life makes it ideal for diagnostic studies; a small dose of Tc-99m containing tracer can be given to a patient for a high-quality imaging study with the radioactivity falling to virtually nothing within a day. The isotope is produced continually as a decay product of Molybdenum-99 which has a half-life about 10x as long. The great benefit of the short half-life of the metal imposes a hard physical limit on its use: it is essential that newly isolated Tc-99m be used within a few hours of its production — there is no way to store it. The radiation exposure from a routine Tc-99m heart exam is 250 to 500 x that from a routine chest x-ray. As many as 4 million people undergo such testing in the U.S. each year.

The present trouble is the result of a long and complex chain of events. The main Mo-99 production reactor, located in Canada and operated by Atomic Energy of Canada Limited (AECL), was shut down in early 2009 after a containment vessel leak was discovered. Repairs are proceeding slowly. Two replacement reactors were constructed and commissioned but have never been used for production because of technical problems and because AECL determined in early 2008 that they would have been too expensive to run. Unrelated to the Canadian outage, a major European source in Holland was shut down in 2008 because of corrosion problems. It was expected to restart this month but this has been pushed back to "the second half" of August 2010. Several news sources are reporting that the Maria Polish reactor will be used to produce medical isotopes, although there are obstacles that may delay availability further.

A combination of factors has generated the high degree of dependency on a few, old reactors. The cost of designing, certifying, building, and commissioning a new reactor is high and operating them has proven far more expensive than was expected. Concerns about the security for reactors have increased greatly in the wake of 9/11.
Radiopharmaceutical production is not a growth industry — indeed advances in non-radioactive imaging show great promise and may replace the older methods within a decade. No one wants to spend the huge amount of money needed to build a new reactor to serve a declining market share. The use of the Maria reactor, which was constructed in 1970 and renewed in 1986, for this purpose makes sense on a marginal cost basis: you have a reactor that can do this and no one else does, why not take advantage of the brief window of opportunity afforded by fate?

A spin-off of the shortage is that it creates an incentive for the quick use of available Tc-99m. Rather than allowing substantial amounts of Tc-99m to simply decay before use, look for nuclear medicine programs to seek rigid control of exam timing and to book patients "standby" to assure that all of the available material gets used each day.

What does this have to do with RISKS? Not a thing. For once, the problem is not related to the computers for these reactors, many of which are ancient devices that only augment the manual and conventional automation that controls the reactors!

R.I.Cook, MD
You are well aware of the challenges we as a CyberSecurity community face from rapid changes in the technology landscape. FOSE 2010 is the place to discover opportunities and solutions along with changing expectations for government IT professionals. Register today for the FOSE 2010 experience http://www.fose.com. If you sign up now you also get a 10% discount on a conference pass. You can redeem this discount here http://cli.gs/FOSE10.

You can expect:
- 3 days of IT resources helping you navigate today's shifting tech landscape
- 2 full conference days packed with education on emerging technologies, trends, and new improvements to existing solutions
- Thousands of products on the FREE* EXPO floor allowing you to gain one-on-one insight into the capabilities of our exhibitors through demos, theater presentations and FREE Education.
- Attend the Accenture CyberSecurity Pavilion or Focus on Digital Forensics.

*FOSE is a must-attend free show for government, military, and government contractors.

It's time to register and reserve your place at FOSE today! Visit http://www.fose.com to learn more about what FOSE has to offer, or redeem your 10% discount by registering here: http://cli.gs/FOSE10.

Kalin Tyler, firstname.lastname@example.org, FOSE Team/Tuvel Communications

Connect with FOSE
Twitter: http://twitter.com/FOSE
Facebook: http://cli.gs/85RgD5
LinkedIn: http://cli.gs/Vn8mMQ
GovLoop: http://www.govloop.com/group/fose