Ash Cloud Caused Flight Disruption in Germany (Der Spiegel Online) Hundreds of flights were canceled in Germany and tens of thousands of passengers were forced to change their travel plans on Wednesday after the ash cloud from an Icelandic volcano shut the airports of Berlin, Hamburg and Bremen. [as well as in Ireland and Britain, ... ] http://www.spiegel.de/international/europe/0,1518,764795,00.html
The complexity of an esoteric Hong Kong financial instrument has come back to haunt Goldman Sachs after a simple typographical slip threatened to cost it HK$350m (27m UK pounds). The error appeared in the small print of a phone book-sized prospectus accompanying the issue in February of four so-called "exchange-traded warrants" which offered exposure to Japan's Nikkei index of leading shares. In a formula to calculate the value of the warrants a multiplication symbol appeared where there should have been a division. The potentially costly error appeared in the bank's paperwork despite it having been scrutinised and approved by the Hong Kong stock exchange. Such warrants are hugely popular in Hong Kong, with 14,400 similar products said to have been issued last year by large investment banks. It was not until the end of March, almost seven weeks after the warrants had been issued, that a lawyer from Goldman reported the mistake to the stock exchange. For almost two hours the price of warrants began to soar until trading was suspended at the bank's request. Goldman has offered to buy back warrants at a 10% premium, an offer accepted by 75% of holders. However, a hard core of large investors believe they are contractually entitled to considerably more. One told the Economist magazine the bank's offer was worth HK$10m, whereas a strict application of the formula suggested the warrants could be worth $350m. http://www.guardian.co.uk/business/2011/may/31/goldman-sachs-libya-investment (final paragraphs).
Henry K. Lee, ATM repairman accused of loading fake money, *San Francisco Chronicle*, 26 May 2011 http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/05/26/BANQ1JLBKP.DTL&tsp=1 An employee of an ATM servicing company has been charged with swapping $200,000 in fake bills for real cash at machines in Daly City and San Francisco. Samuel Kioskli, 64, of San Francisco was wanted on a warrant when he was arrested during a routine traffic stop in Phoenix on May 11, 10 months after the thefts. Kioskli was an employee of Diebold, which services ATMs for Bank of America. On 4 July 2010, Kioskli went to six bank branches in San Francisco and one in Daly City and stole about $200,000 by replacing cash in the machine trays with counterfeit or photocopied $20 bills. Kioskli used his work card key to access the ATMs and was captured on video at all seven locations. The next day, Kioskli "abandoned his wife and disappeared." His wife reported him missing, and angry Bank of America customers contacted the bank to complain about the fake money. He pleaded not guilty in San Mateo County Superior Court to charges of burglary, embezzlement, forgery and possession of counterfeiting apparatus. He is being held in lieu of $25,000 bail. He faces similar charges in San Francisco.
[Note: This item comes from Dewayne Hendricks via Dave Farber's IP.] John E. Dunn, IDG-News-Service, London-bureau, 25 May 2011 <http://www.pcworld.com/businesscenter/article/228625/russian_company_cracks_ios_4_hardware_encryption.html> Having cracked Apple iPhone backups last year, Russian security company ElcomSoft appears to have found a reliable way to beat the layered encryption system used to secure data held on the smartphone itself. Since the advent of iOS 4 in June 2010, Apple has been able to secure data on compatible devices using a hardware encryption system called Data Protection, which stores a user's passcode key on an internal chip using 256-bit AES encryption. Adding to this, each file stored on an iOS device is secured with an individual key computed from the device's Unique ID (UID). Apple products containing this security design include all devices from 2009 onwards, including the iPhone 3GS (which can be upgraded to iOS 4), iPhone 4, iPad, iPad 2 and recent iPod Touch models. ElcomSoft has not explained how it hacked the hardware-stored key system in detail for commercial reasons, but the first point of attack appears to have been the user system passcode itself as all other keys are only vulnerable to attack once the device is in an unlocked state. The company said it had been aided by subtle weaknesses in the security architecture used by Apple, starting with the default passcode length of 4 digits. This yields only 10,000 possible number variations, which the company said most users would likely use to secure their devices without question. The only limitation in breaking this key using a brute-force attack was the need to run through the possible combinations on the iPhone or iOS device itself, which took between 10 and 40 minutes, far longer than would have been the case using a desktop PC.
[From Dave Farber's IP distribution. PGN] Reuters is reporting that unknown hackers have broken into the networks of Lockheed Martin and other major defense contractors and may have gained access to sensitive information on present and future weapons systems. Reuters had reported earlier on Friday that "Lockheed Martin, the Pentagon's No. 1 supplier, is experiencing a major disruption to its computer systems that could be related to a problem with network security." The disruption began last Sunday, when security experts detected an intrusion. According to an anonymous source with knowledge of the attacks, the hackers used data stolen in March from the RSA security division of EMC Corp. to duplicate security keys which gave them access to the networks. [SNIP] http://www.rawstory.com/rs/2011/05/27/hackers-penetrate-u-s-defense-contractors-security-networks/
A new version of rogue antivirus malware that targets the Macintosh operating system does not need victims to type in their administrator passwords to install and infect the machine. The latest version of the malware has been overhauled to look like a native Mac OS X application and is using the application name MacGuard, according to an Intego blog post. But particularly concerning is the fact that unlike previous versions, which were dubbed Mac Defender, MacProtector, and MacSecurity, MacGuard installs itself without prompting for the admin password. [Source: Elinor Mills, CNET, 25 May 2011] http://news.cnet.com/8301-27080_3-20066174-245.html How bad is the Mac malware scare? (FAQ) http://news.cnet.com/8301-27080_3-20064394-245.html How to remove MacDefender fake antivirus program http://download.cnet.com/8301-2007_4-20064445-12.html Securing your Mac from the new MacGuard malware variant http://reviews.cnet.com/8301-13727_7-20066173-263.html How to avoid or remove Mac Defender malware http://support.apple.com/kb/ht4650
http://j.mp/kt72Ke (phoronix) "Yesterday we reported on a freelance researcher reverse-engineering the Skype protocol and beginning to write open-source code that would work with this popular VoIP network. A representative of Skype has now contacted Phoronix to inform us they will be taking "all necessary steps" to stop this effort." - - - A quote from Skype (whose new master is Microsoft, let's remember) is quite telling: "This unauthorized use of our application for malicious activities like spamming/phishing infringes on Skype's intellectual property. We are taking all necessary steps to prevent/defeat nefarious attempts to subvert Skype's experience. Skype takes its users' safety and security seriously and we work tirelessly to ensure each individual has the best possible experience." Taking a play from other opponents of free speech and open source, we see Skype attempting to immediately associate open source compatibility efforts with criminal activities such as spamming/phishing ("safety and security"). I particularly enjoyed the use of the word "nefarious" in the quote, which is one of my favorite lexemes for invoking "Snidely Whiplash" bad-guy imagery. http://www.vortex.com/lauren +1 (818) 225-2800 / Skype: vortex.com People For Internet Responsibility: http://www.pfir.org Network Neutrality Squad: http://www.nnsquad.org PRIVACY Forum: http://www.vortex.com
[Lauren has had a lot of RISKS-worthy items lately on his Network Neutrality Squad: www.nnsquad.org . Here are a few summarized, encouraging you to check out his analyses that are omitted here. PGN] Skype reportedly reverse-engineered: Skype threatens to crush open-source versions http://j.mp/kZLjWL (This message on Google Buzz) Pentagon says black-hat hacking can be an act of war (with LW's analysis) http://j.mp/j94Sse (This message on Google Buzz) http://j.mp/iwIzdz (WSJ) The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force ... Pentagon officials believe the most-sophisticated computer attacks require the resources of a government. For instance, the weapons used in a major technological assault, such as taking down a power grid, would likely have been developed with state support, Pentagon officials say." State lawmakers write law so badly it could criminalize casual password sharing among friends or relatives. http://j.mp/jRUzrs (Huffington) New Scientist: New media laws could mean jail for ordinary users http://j.mp/jj3Set (New Scientist) Virtually all Syria access to Google services appears to have been disrupted http://j.mp/iXlwK9 (Google Transparency Report) Why PROTECT IP Web Censorship Will Fail - But Lead to Much Worse http://lauren.vortex.com/archive/000858.html Twitter exposes British user in court "privacy" vendetta (with LW's analysis) "The social network has passed the name, e-mail address and telephone number of a south Tyneside councillor accused of libeling the local authority via a series of anonymous Twitter accounts. South Tyneside council took the legal fight to the superior court of California, which ordered Twitter, based in San Francisco, to hand over the user's private details. 
It is believed to be the first time Twitter has bowed to legal pressure to identify anonymous users and comes amid a huge row over privacy and free speech online." http://j.mp/kWI7qx (This message on Google Buzz) http://j.mp/mBYtYL (UK Guardian)
A company called Autonomy, which has been selling image search technology, has launched an apparently freely available (open?) project called Aurasma. At the moment only available on iPhone 4, this allows you to "augment" the reality (that the mobile device sees) by adding video to overlay it. http://www.bbc.co.uk/news/technology-13558137 In the article, the reporter/commentator opines that this is a cute trick, but only that. I'm going to go out on a limb and predict that this assessment is short-sighted (albeit only if the technology expands to other platforms). Given that YouTube users are uploading 48 hours of video to the site every minute of the day, I suspect that the ability to create video graffiti, and "tag" it to any vista, location, or object, will be irresistible. Apparently the company thinks this will be a platform that companies will use to create ads, to promote their products or shops at related locations. They probably will. However, myriad users will be creating other content, for the same images, and we will have SEO (Search Engine Optimization) battles that will make the malware and phishing sites we see now pale in comparison. The Tokyo Chamber of Commerce or tourism board may wish to overlay video over certain landscapes or landmarks, but how will they stand up against thousands of geeks who've all seen Godzilla? victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links http://blogs.securiteam.com/index.php/archives/author/p1/ http://twitter.com/rslade
purl.org is a website dedicated to an idea. That idea is that resources of worth should be named with persistent URLs. So, even if the host of a resource changes over time, the resource itself can be located by its long-lived, persistent URL. To this end, purl.org has long maintained a database of such URLs. The way it works is that you register with the site, create a subdomain of the purl.org URL namespace and register URLs in that subdomain and define associated redirects that point to the actual resource. People who ask for a resource via its persistent URL are redirected to the website that currently hosts the resource. If the location of a resource ever changes, the maintainer of the URL can update the redirect and consumers of the URL are unaffected by the relocation of the resource. Nice idea, except that there is a problem. The site:

* does not have a password reset feature for maintainer accounts
* does not document how to reset the password
* does not respond to e-mails with questions about how to reset such passwords
* doesn't obviously have a mechanism to recover URL space from maintainers who die

Remarkable. We have an organisation that has dedicated its entire existence to the idea that PURLs should be long lived and persistent, but fails to deal with the problem of a URL maintainer forgetting a password or dying before revealing the password. Without a strategy for dealing with such possibilities, what is the point of a PURL?
Recently I logged on the City of Kelowna (BC, Canada) website to claim the home owner grant against my property taxes. The login asks for the Roll Number and an Access Code, both provided on the tax statement, received via snailmail. My Roll Number is five digits followed by a period followed by three digits. When you enter it that way, you receive an error message, rebuking you for entering the period. There is no indication on the login screen that the period must not be entered. Of course, the script handling the login could remove it, but that might be too simple. The truly wonderful part of the story is that, once you have logged in, everywhere the Roll Number is shown, the period is included. Rick Gee, Computer Science department, Okanagan College, Kelowna, BC http://people.okanagan.bc.ca/rgee 250 762 5445 local 4634
John Markoff, *The New York Times*, 19 May 2011 For years, a team of computer scientists at two University of California campuses has been looking deeply into the nature of spam, the billions of unwanted e-mail messages generated by networks of zombie computers controlled by the rogue programs called botnets. They even coined a term, "spamalytics," to describe their work. Now they have concluded an experiment that is not for the faint of heart: for three months they set out to receive all the spam they could (no quarantines or filters need apply), then systematically made purchases from the Web sites advertised in the messages. The hope, the scientists said, was to find a "choke point" that could greatly reduce the flow of spam. And in a paper to be presented on Tuesday at the annual IEEE Symposium on Security and Privacy in Oakland, Calif., they will report that they think they have found it. It turned out that 95 percent of the credit card transactions for the spam-advertised drugs and herbal remedies they bought were handled by just three financial companies - one based in Azerbaijan, one in Denmark and one in Nevis, in the West Indies. The researchers looked at nearly a billion messages and spent several thousand dollars on about 120 purchases. No single purchase was more than $277. [Nick Weaver presented their paper at the IEEE Symposium on Security and Privacy in May 2011. PGN] http://www.nytimes.com/2011/05/20/technology/20spam.html
Article alleges prison labor is forced to earn virtual gold in World of Warcraft, which is then sold for real money, a practice called "gold farming". http://www.guardian.co.uk/world/2011/may/25/china-prisoners-internet-gaming-scam The risk is creating a virtual world with such value that it affects the real world. The article claims that the trade in virtual gold is outside the control of the proprietors of World of Warcraft, but how can that be possible? They control every aspect of their virtual world. If they don't control it, it is because they have decided not to control it.
Different banks' ATMs have different masking policies. So you guessed it, looking at just a couple of a pocketful of VISA(tm) Cash Advance receipts,

  435117851*8*2*8*  HUA NAN COMM'L  TAIPEI
  435117******2188  TAIPEI FUBON B  TAIPEI
  435117851187****  TAIWAN COOPERA  TAIPEI

even a five-year old can figure out the card number.
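The failure above is that each receipt hides different positions, so the union of what the receipts reveal is the whole number. The following is an added example (not part of the post) that measures that exposure for a set of masking policies and contrasts it with a single consistent "last four digits only" policy; the PAN and the policy names are constructed for the demonstration and are not a real card.

```python
"""Added example: measure how much of a card number a set of receipt masks reveals."""
from typing import Dict, Iterable, List

# Constructed 16-digit test value, not a real card number.
CONSTRUCTED_PAN = "4000001234567899"

# Masking patterns in the shape of the three receipts in the post:
# 'D' = digit printed, '*' = digit hidden (position-by-position).
PAGE_STYLE_PATTERNS = [
    "DDDDDDDDD*D*D*D*",  # hides alternate trailing digits
    "DDDDDD******DDDD",  # hides the middle six
    "DDDDDDDDDDDD****",  # hides the last four
]

# A consistent policy: only the last four digits are ever printed.
LAST_FOUR_ONLY = "************DDDD"


def apply_mask(pan: str, pattern: str) -> str:
    """Render a receipt line: keep digits where the pattern says 'D', else '*'."""
    if len(pan) != len(pattern):
        raise ValueError("pattern length must match PAN length")
    return "".join(d if p == "D" else "*" for d, p in zip(pan, pattern))


def merge_receipts(receipts: Iterable[str]) -> str:
    """Union of the positions revealed across receipts for the same card.

    Raises ValueError if two receipts disagree on a printed digit, which
    would mean they are not for the same card.
    """
    merged: List[str] = []
    for receipt in receipts:
        if not merged:
            merged = list(receipt)
            continue
        if len(receipt) != len(merged):
            raise ValueError("receipts have different lengths")
        for i, ch in enumerate(receipt):
            if ch == "*":
                continue
            if merged[i] != "*" and merged[i] != ch:
                raise ValueError(f"conflicting digit at position {i}")
            merged[i] = ch
    return "".join(merged)


def exposure_report(pan: str, patterns: List[str]) -> Dict[str, object]:
    """Apply each policy to the PAN, merge the receipts and report what is left hidden."""
    receipts = [apply_mask(pan, p) for p in patterns]
    merged = merge_receipts(receipts)
    return {
        "receipts": receipts,
        "merged": merged,
        "hidden": merged.count("*"),
        "fully_exposed": "*" not in merged,
    }


if __name__ == "__main__":
    for label, policies in (("mixed policies", PAGE_STYLE_PATTERNS),
                            ("last-four-only", [LAST_FOUR_ONLY] * 3)):
        report = exposure_report(CONSTRUCTED_PAN, policies)
        print(label, "->", report["merged"],
              "hidden:", report["hidden"], "fully exposed:", report["fully_exposed"])
```

Running the script shows the three page-style masks merging into the complete number, while three receipts under the uniform last-four policy still leave twelve digits hidden; the check is the same one a reviewer would run over a fleet's receipt templates before deployment.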
The chemistry blog 'In the Pipeline' on 16th May 2011 pointed out an interesting higher-order effect possibly attributable to Y2K errors: '...if you search the word "biotechnology" in Google's Ngram search engine, something odd happens. There's the expected rise in the 1970s and 80s, but there's also a bump in the early 1900s, for no apparent reason. Curious about this, I ran several other high-tech phrases through and found the exact same effect. 'Here's a good example, with some modern physics phrases. And you get the same thing if you search "nanotechnology", "ribosome", "atomic force microscope", "RNA interference", "laser", "gene transfer", "mass spectrometer" or "nuclear magnetic resonance". There's always a jump back in exactly the same period in the early 1900s.' The brief fashion amongst Victorians for writing articles about string theory and dark matter could be the result of '1999 + 1 = 1900'. Perhaps. But how likely is that really, a decade past Y2K? Is it not more plausible that today's students remain unaware of results in dusty journals on library stacks that are not easily available on-line yet? The Higgs boson was found in Prague in 1925. It just hasn't got through peer review yet. Source: http://pipeline.corante.com/archives/2011/05/16/a_google_oddity.php#comments Joe Loughry, Doctoral student, Computing Laboratory, St Cross College, Oxford
The idea of having cars talk to each other or the infrastructure seems to miss an important point: As of 2008 in the UK, the majority of people Killed or Seriously Injured (KSI) are not actually in motor vehicles: they are people on foot or bicycle. While in a decade driving has become safer, due to all the features added to cars, a side effect has been that per passenger mile, walking and cycling has become more dangerous relative to being in a car. Yet it is the people driving that are the primary sources of death and (serious) injury. Any feature in cars that allows drivers to pay less attention to the road isn't going to increase road safety; it will become another risk compensation feature, especially in cities: "now you can check in to facebook while driving!" Clearly car manufacturers would like to sell these features either in terms of passenger safety, fuel economy and a way of introducing technical obsolescence in vehicles that would otherwise last for many years, and companies whose business models depend on people consuming data or voice (telcos, web companies) would support it too. However it's not clear to me how much it would improve safety compared to adding black-box systems to cars; to log the actions prior to any collision, the state of the vehicle, maybe even off-car data rates, videos from the car and neighbouring cars after a collision event. These may change people's behaviour better than saying "don't worry about hitting anything, as the computer in your car will look out for you". http://www.dft.gov.uk/adobepdf/162469/221412/221549/227755/rrcgb2008.pdf
Regarding "Car Talk and Talk and.." (Joseph B. White via Eli the Bearded) - RISKS 26.45 There are indeed a number of issues I would like to see worked out first. A small selection:

* Who is liable when I'm not really in charge of my car and an accident occurs? These systems can have a better reaction time than a human being, but they "cannat change the laaw of physics" (apologies for my poor rendering of an irreplaceable Scottish accent).
* The better reaction time will indeed give an adoption cycle problem, similar to what took place with early ABS systems: your equipped car may manage a panic stop, but the likelihood of being rear-ended by a non-equipped car is very high (been there..).
* Not a word on fighting external influences. Car connectivity is already giving rise to concerns as it provides a gateway to onboard electronics (which presently appear to have somewhere between poor to no defense at all against "creative engineering"). It's just over a year ago that a research team found they could hack into a car remotely, and gain so much control over the onboard electronics that they could disable the brakes(*). That's a really fun virus to spread in a chain of cars that follow each other to minimise wind resistance.
* Speaking of wind resistance - this will need some algorithm to change the front end car which is taking the economy hit for being up front. Indeed, I can see some home hacks which may stop a car from chaining if it is upfront, leaving others to pick up the bill..

Et cetera ad infinitum - the above was without even coffee in my system, so a dedicated research team or someone with malicious intent will most certainly come up with more.. 2012: A *car* Odyssey? (*) http://www.autosec.org/pubs/cars-oakland2010.pdf
I actually think Taleb's "Fooled by Randomness" is a better book. In my opinion, it makes the case for being aware of "Extremistan's" power law distributions much better. Taleb does spend a long time to say not very much. But I feel there are three key lessons that all "RISKS" readers should learn:

1. Don't assume a Gaussian distribution ("Mediocristan") of event propensities in a given situation. Try to check if in fact a power law distribution ("Extremistan") applies.
2. Recognise that people who wrongly assume Mediocristan will take inadequate mitigation steps, due to their false presumption that large deviations from the observed mean are vanishingly small.
3. Design your systems and processes to be resilient rather than protective. This will allow a rapid recovery from any event, even those you didn't foresee.
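Lesson 2 can be put in numbers. The following is an added example, not from the post or from Taleb, that takes a Pareto (power-law) distribution, computes the mean and standard deviation a risk analyst would measure, and compares the true probability of exceeding "mean plus k standard deviations" with what a Gaussian fitted to those same two moments predicts. The parameters x_min = 1 and alpha = 2.5 are assumptions chosen so that the variance is finite and the Gaussian fit is at least well defined.

```python
"""Added example: how far a Gaussian assumption underestimates a power-law tail."""
import math
from typing import Dict, Tuple


def gaussian_tail(k: float) -> float:
    """P(X > mean + k*sd) under a normal ("Mediocristan") model."""
    return 0.5 * math.erfc(k / math.sqrt(2.0))


def pareto_moments(x_min: float, alpha: float) -> Tuple[float, float]:
    """Mean and standard deviation of a Pareto law with tail exponent alpha.

    Both are finite only for alpha > 2; below that a sample sd is meaningless,
    which is itself the point about "Extremistan".
    """
    if alpha <= 2:
        raise ValueError("variance is infinite for alpha <= 2")
    mean = alpha * x_min / (alpha - 1)
    var = x_min ** 2 * alpha / ((alpha - 1) ** 2 * (alpha - 2))
    return mean, math.sqrt(var)


def pareto_tail(x: float, x_min: float, alpha: float) -> float:
    """P(X > x) for the Pareto law: (x_min / x)^alpha above x_min."""
    if x <= x_min:
        return 1.0
    return (x_min / x) ** alpha


def tail_underestimate(x_min: float, alpha: float, k: float) -> Dict[str, float]:
    """Compare the true exceedance of mean + k*sd with the Gaussian prediction.

    'ratio' is how many times more likely the extreme event really is than
    the Mediocristan planner believes.
    """
    mean, sd = pareto_moments(x_min, alpha)
    threshold = mean + k * sd
    true_p = pareto_tail(threshold, x_min, alpha)
    gauss_p = gaussian_tail(k)
    return {
        "threshold": threshold,
        "power_law": true_p,
        "gaussian": gauss_p,
        "ratio": true_p / gauss_p,
    }


if __name__ == "__main__":
    # Assumed parameters: x_min = 1 (smallest event), alpha = 2.5 (finite variance).
    for k in (1, 2, 3, 5, 8):
        r = tail_underestimate(1.0, 2.5, k)
        print(f"k={k}: true P={r['power_law']:.3e}  gaussian P={r['gaussian']:.3e}"
              f"  underestimated by x{r['ratio']:.0f}")
```

The ratio is below 1 near the mean (the power law has more mass in the body) but grows without bound as k increases, which is exactly why a "five-sigma, can't happen" mitigation budget is the wrong design input; lesson 3, resilience over prevention, follows from not trusting that ratio to stay small.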