Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
NYC Transit supervisors falsified thousands of vital signal inspections across the subway system for years, leaving straphangers at risk for deadly collisions like the one that killed nine people in Washington, D.C., The Post has learned. Across every line in every borough, a cabal of managers in the signal department forced maintainers to fib on the inspections by threatening them with punishment like loss of overtime, according to a sweeping investigation by the MTA Inspector General. At least one high-level chief, Tracy Bowdwin—the MTA's highest earning signal department supervisor at $165,000-a-year—was demoted in the fallout, and managers are still being questioned, transit sources said. ... [Source: Heather Haddon, New York Post, 19 Nov 2010; PGN-ed] <http://www.nypost.com/f/print/news/local/nyc_subway_signal_inspections_falsified_ZUVA7DheupaPwrjF5yoO4M> Need we discuss the risks of ignoring maintenance and inspections, to save money?
Because of a "failure in the hard drive," nobody in New Orleans has been able to close a real estate transaction for over a month. The contractor responsible for making backups apparently didn't. http://blog.nola.com/crime_impact/print.html?entry=/2010/11/computer_glitch_stalls_orleans.html
Endre Bangerter, David Gullasch, and Stephan Krenn *Cache Games - Bringing Access Based Cache Attacks on AES to Practice* Cryptology ePrint Archive: Report 2010/594 http://bit.ly/ev8KtA (IACR) Side channel attacks on cryptographic systems are attacks exploiting information gained from physical implementations rather than utilizing theoretical weaknesses of a scheme. In particular, during the last years, major achievements were made for the class of access-driven cache-attacks. The source of information leakage for such attacks are the locations of memory accesses performed by a victim process. In this paper we analyze the case of AES and present an attack which is capable of recovering the full secret key in almost realtime for AES-128, requiring only a very limited number of observed encryptions. Unlike most other attacks, ours neither needs to know the ciphertext, nor does it need to know any information about the plaintext (such as its distribution, etc.). Moreover, for the first time we also show how the plaintext can be recovered without having access to the ciphertext. Further, our spy process can be run under an unprivileged user account. It is the first working attack for implementations using compressed tables, where it is not possible to find out the beginning of AES rounds any more—a corner stone for all efficient previous attacks. All results of our attack have been demonstrated by a fully working implementation, and do not solely rely on theoretical considerations or simulations. A contribution of probably independent interest is a denial of service attack on the scheduler of current Linux systems (CFS), which allows to monitor memory accesses with novelly high precision. Finally, we give some generalizations of our attack, and suggest some possible countermeasures which would render our attack impossible.
http://www.wired.com/threatlevel/2010/11/wiseguys-plead-guilty/ I found the last sentence of this paragraph interesting: "[The defendants] wrote a script that impersonated users trying to access FaceBook, and downloaded hundreds of thousands of possible Captcha challenges from reCaptcha, prosecutors maintained. They identified the file ID of each Captcha challenge and created a database of Captcha `answers' to correspond to each ID. The bot would then identify the file ID of a challenge at Ticketmaster and feed back the corresponding answer. The bot also mimicked human behavior by occasionally making mistakes in typing the answer, authorities said." Of course it's a risk to have "hundreds of thousands of possible Captcha challenges" available, and be able to exploit them. I find it interesting that their software tried to behave "more human" to shield itself from discovery. Could the script have passed the Turing test? Jim Reisert AD1C, <jjreisert@alum.mit.edu>, http://www.ad1c.us
[Source: Ben Sisario, *The New York Times*, 27 Nov 2010] In what appears to be the latest phase of a far-reaching federal crackdown on online piracy of music and movies, the Web addresses of a number of sites that facilitate illegal file-sharing were seized this week by Immigration and Customs Enforcement, a division of the Department of Homeland Security. By Friday morning, visiting the addresses of a handful of sites that either hosted unauthorized copies of films and music or allowed users to search for them elsewhere on the Internet produced a notice that said, in part: "This domain name has been seized by ICE - Homeland Security Investigations, pursuant to a seizure warrant issued by a United States District Court." In taking over the sites' domain names, or Web addresses, the government effectively redirected any visitors to its own takedown notice. ... https://www.nytimes.com/2010/11/27/technology/27torrent.html
Shunned Profiling Technology on the Verge of Comeback Steve Stecklow and Paul Sonne, *Wall Street Journal* One of the most potentially intrusive technologies for profiling and targeting Internet users with ads is on the verge of a comeback, two years after an outcry by privacy advocates in the U.S. and Britain appeared to kill it. The technology, known as "deep packet inspection," is capable of reading and analyzing the "packets" of data traveling across the Internet. It can be far more powerful than "cookies" and other techniques commonly used to track people online because it can be used to monitor all online activity, not just Web browsing. Spy agencies use the technology for surveillance. Now, two U.S. companies, Kindsight Inc. and Phorm Inc., are pitching deep packet inspection services as a way for Internet service providers to claim a share of the lucrative online ad market. Kindsight and Phorm say they protect people's privacy with steps that include obtaining their consent. They also say they don't use the full power of the technology, and refrain from reading email and analyzing sensitive online activities. Use of deep packet inspection this way would nonetheless give advertisers the ability to show ads to people based on extremely detailed profiles of their Internet activity. To persuade Internet users to opt in to be profiled, Kindsight will offer a free security service, while Phorm promises to provide customized web content such as news articles tailored to users' interests. Both would share ad revenue. ...
The Israeli army lets religious women avoid the draft, but recently FaceBook has been used to catch cheaters. Full story at: http://www.bbc.co.uk/news/world-middle-east-11825100
Original message to which the following is a response, from Lauren Weinstein in Network Neutrality Squad: U.S. may require jamming of cell phone use inside vehicles http://bit.ly/deUpGb (Daily Caller) Two items on this for Secretary LaHood: 1) A dangerous and stupid idea for both technical and (ironically) safety reasons 2) Good (Blankin') Luck getting people to put up with this one Response from Bob Frankston: > I can't help but think about legislation requiring every car have a person > walking in front of it to assure that horses won't get scared. The idea that > one should use the DNS to control the net is bad enough. The idea that cell > phones have only one purpose—talking while driving—is just as dumb. If > we ban cell phones > > *Passengers won't be able to communicate > *Navigation systems won't get or provide updates > *Medical monitors would fail > *Emergency SMS systems won't be able to warn you about weather conditions. > > Well, fighting the last war is Congress' forte. > > Next topic TSA probing every cavity ... Response from ssc: Date: Fri, 19 Nov 2010 19:21:13 -0500 From: ssc <ssc@strikenet.kicks-ass.net> If this comes to pass, I will make a ton of $ removing the jammers from cars. Also, just wait till someone goes to report a crime, an emergency call or an accident and it doesn't go thru, and the law-vultures get involved. This will be a MESS! Also, as anyone familiar with radio knows (Lauren), radio signals don't respect any territory. Imagine the interference generated, and resulting poor coverage in urban canyons, where cell signals are already overtaxed, and marginal in signal strength. Thousands of cars emitting jamming signals affecting pedestrian traffic will render the devices useless in cities. The result will be phones switching to higher power levels (this is automatic*) and reduced battery life at the bare minimum. At this bare minimum, I'd expect to see a noise floor rise of up to 20db, and interference to adjacent services as well, like GPS (due to uneven mixing in poorly designed jamming transmitters and nearby electronics, remember, cheap is the design imperative here). Cellular companies had better get out in front of this fast, otherwise, they face the very real prospect of major cities being inhospitable to hand held phones until every one of the interference-mobiles is gone. * When a cell phone decides its getting a very weak signal, it automatically increases its power up to a point to better enable it to communicate with what it sees as a poor connection or weak signal. This algorithm is built in to conserve battery while allowing full power for marginal signal conditions. jamming from multiple vehicles on urban streets will cause this condition to be perceived by the handsets, and as a side effect, exposing the users to higher than necessary RF output than needed to normally make a call when the phone ramps up output power. Marc [There is a way—in theory anyway—to block cell phone use more selectively (e.g., still allowing 911 calls) and avoiding outright jamming. That's the use of "picocells" to "intercept" cell phones before they reach the primary cellular networks. But this would face immense challenges in the mobile environment as well. Lauren Weinstein, NNSquad Moderator ]
It appears we have finally hit a point where people start asking questions. http://www.nbcsandiego.com/news/local-beat/Passenger-Chooses-Strip-Down-Over-Pat-Down-109872589.html?dr Through a statement released by his attorney Sunday night, Wolanyk said "TSA needs to see that I'm not carrying any weapons, explosives, or other prohibited substances, I refuse to have images of my naked body viewed by perfect strangers, and having been felt up for the first time by TSA the week prior (I travel frequently) I was not willing to be molested again." Wolanyk's attorney said that TSA requested his client put his clothes on so he could be patted down properly but his client refused to put his clothes back on. He never refused a pat down, according to his attorney. Wolanyk was arrested for refusing to complete the security process. So much for being overly accommodating :-). However, the same article contained a line that was much more worrying: A woman, identified by Harbor police as Danielle Kelli Hayman,39, of San Diego was detained for recording the incident on a phone. Ah, transparency. We've heard of it.. Regards, Peter
Vermont law on drug data mining ruled unconstitutional (Sources: Burlington Vt. news items) A Vermont law that restricts companies' use of information about the drugs doctors prescribe is unconstitutional on free speech grounds, a federal appeals court ruled Tuesday. Three companies that gather information on drugs ordered by doctors and then sell the information to pharmaceutical manufacturers—IMS Health, SDI and Source Healthcare Analytics—had sued over the so-called data mining law. Passed in 2007, it bans the sale, transmission or use of prescriber-identifiable data for marketing a prescription drug unless the prescribing doctor consents. A three-judge panel of the U.S. Court of Appeals for the 2nd Circuit said the law is a restriction on commercial free speech that violates the First Amendment. rest: http://www.burlingtonfreepress.com/article/20101124/NEWS01/11240310/Vermont-law-on-drug-data-mining-ruled-unconstitutional
(Tom Keane) Tom Keane, 20 Nov 2010 Perspective: You've got evidence When will we learn that digital communication isn't private? Are scoundrels and villains just stupider today than they once were? It used to be that if you were going to commit a crime or merely be a bit naughty, you'd try to cover your tracks. Getting caught was an outcome to be avoided. Yet now we put our transgressions on display for the world to see. A case in point comes from the campaign of Tim Cahill, state treasurer and erstwhile independent candidate for governor. In the waning weeks of the race, stories emerged that campaign staffers had allegedly traded e-mails about coordinating activities with the Treasury. If true, that's clearly illegal - public money can't be used for political campaigns. The attorney general is looking into the matter and, while I have no idea where things will end up, heads could roll. All because, instead of having a meeting about it or even using the telephone, those supposedly involved circulated a bunch of e-mails. Pretty dumb. If it's any comfort, though, they're hardly alone. Football player Brett Favre faces difficult times of his own for salacious text messages sent to ex-model and New York Jets employee Jenn Sterger. Ditto golfer Tiger Woods and his own paramours. New York gubernatorial candidate Carl Paladino got into trouble for forwarding racist jokes. Florida Representative Mark Foley resigned in 2006 after the unearthing of sexually explicit instant messages he sent a 16-year-old congressional page. The Boeing Corp. ousted CEO Harry Stonecipher over indiscreet e-mails sent to a fellow executive that were found on company servers. E-mails by Goldman Sachs employees seemed to confirm an SEC investigation into investor fraud. Federal investigators uncovered internal company e-mails showing that Enron had illegally manipulated California's electricity markets. The list goes on. Whether it's e-mailing, texting, Tweeting, blogging, or commenting on the Web, near-instant digital communications dominate our professional and personal lives. From one point of view, these new technologies are just an improvement on old-fashioned talking, writing, telephoning, and faxing. In truth, though, they are vastly different. The old ways had some semblance of privacy, oftentimes because they were legally protected (such as prohibitions against recording conversations) or because of the limits of technology (forwarding letters to thousands at once was logistically complicated). The most striking difference, however, is the permanence of the new forms of communication. Twenty years ago, if I sent you a letter with inside information on a stock trade, only you and I knew about it. If you were smart, you'd destroy the document and no one would be the wiser. ... http://www.boston.com/lifestyle/articles/2010/11/28/youve_got_evidence/
in Risks Digest 26.22, Steven Cherry <s.cherry@ieee.org> posted: : The U.S.-China Economic and Security Review Commission says that for a : period of 18 minutes last April, China Telecom hijacked 15 percent of : the world's Web traffic and sent it to servers in China, an accusation : the state-run organization has denied. Whether the apparent reroute was : intentional or accidental, it's exposed another weakness in the structure : of the Web. Well, as the ads say, "not exactly". First, it's not a weakness in the structure of the Web, but a (minor?) vulnerability in the structure of the Internet: if someone in China sets up a router so that it claims to be handling traffic for an Autonomous System (AS), some traffic for that AS may be shipped to the Chinese router. Ryan Rawdon, below, comments on the effect of this vulnerability, which is known as a prefix hijack. A more correct statement, according to Bob Poortinga in a post to the "nanog" mailing list, would be that '15% of the world's network prefixes were "hijacked", but the impact was minimal in the US." Ryan Rawdon, following up on Poortinga's correction, wrote "Also worth pointing out that if this was a normal prefix hijack without them actually delivering the packets to the intended recipient (unlikely the case), then there would be very little TCP data seen. A few packets on existing connections before they time out, and SYNs on new connection attempts. Unless they were able to push the traffic back to another ISP which didn't see their originated routes, things would break more likely than be "routed via" the hijacking AS." Once again, shock value is more important than getting the facts right. See also pp. 243-244 (logical pages 251-252) of the 2010 Report to Congress of the U.S.-China Economic and Security Review Commission, at <http://www.uscc.gov/annual_report/2010/annual_report_full_10.pdf>, which explains the hijacking event very much more clearly than does the story at www.technewsworld.com.
My mother was hospitalized during the time period mentioned in Rita's report (surrounding October 2008) and died in March 2009. During the two years leading up to her death she was diagnosed with MRSA, a hospital-caused infection; c-diff (clostridium difficile), another hospital-caused infection, although I don't believe she had it; and several other issues. She was a Medicare patient, the sort reported on. I don't see the RISKS, but from everything my mother went through, as well as the report, cost-cutting on nursing staff by hospitals is a huge part of the reported problem. I watched her nurses. They are vastly underpaid and understaffed, and the nation's serious acute care depends largely on them. They, and the hospitalists, work incredible hours. No wonder they make mistakes. The report, as well as my mother's care, is a classic description of money and profit trumping actual care. RISKS are only a matter of reporting, and time. Barbara Zanzig <bzanzig@gmail.com> Kirkland, WA
Review by Richard Austin in IEEE Cipher (IEEE-security.org online newsletter> Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard Malware Analysts' Cookbook and DVD: Tools and Techniques for Fighting Malicious Code John Wiley & Sons 2011. ISBN 978-0-470-61303-0 amazon.com USD37.79 Table of contents: http://media.wiley.com/product_data/excerpt/33/04706130/0470613033-1.pdf Battling malware has much in common with an arms race - defenders develop new defenses which forces adversaries to adapt and innovate to overcome those defenses, and the cycle repeats ad infinitum. Given this never-ending struggle and the wide prevalence of malware, malicious code analysis is becoming a more important component of the technical repertoire of information security professionals. For many years the classic starting point for aspiring malware analysts has been Peter Szor's "The Art of Computer Virus Research and Defense" (reviewed in the March, 2005 edition of Cipher by Bob Bruen, see http://ieee-security.org/Cipher/BookReviews/2005/Szor_by_bruen.html) and the "Malware Analyst's Cookbook" provides a valuable update on the state of the art. At 700+ pages (plus a DVD of tools), this book provides wide coverage of the tools and techniques used by the practicing malware analyst in a very hands-on fashion. The book is organized into 18 chapters made up of "recipes" that describe the purpose and use of a particular tool or technique. The recipes are clearly presented with illustrations and code snippets used to show the technique in action. The tools DVD uses the same chapter organization and clearly links its contents with the text (a pet peeve of mine is the companion CD/DVD which in nothing more than a blob of tools with no organization whatever). Many references are provided to aid in finding more details or additional information on a particular topic. The focus is on Windows malware (not surprising since most malware targets that platform) but uses tools that run on Windows, Linux and even MacOS. Topic coverage is comprehensive and ranges from how to research malware anonymously using Tor or various proxies to the tried-and-true techniques for analyzing suspicious executables or DLL's to cutting-edge topics such as memory forensics. The substantial value of the book is that it collects, in one place, accessible material on a plethora of useful tools whose documentation is scattered across a universe of project websites and archives. The recipes are much more than a regurgitation of "man" pages and show why a particular tool is useful and how it is applied in a particular situation. The authors gained many "credibility points" in the introduction when they identified and provided links to the compiler and driver kit required to modify their binary tools. By delving deep into the analysis of malware, the authors provide a master-course in how malware actually works and the devious techniques its creators use to subvert our systems to their purposes (confess, do you really know what an IAT-hook is?). If there is a criticism of the book, and it is a mild one, it is that it is a cookbook. Reading it front-to-back will cause you to quickly become lost in contemplation of individual trees and while remaining blind to the forest. A quick skim with a detailed working-through of several interesting recipes will set the stage for when you later reach for this book in carrying out a particular task. If you are a technical professional with an interest in or responsibility for malware analysis, this book is a worthy companion to Szor's book and merits a place on your shelf. It will become a familiar reference in answering the question "I wonder how you ...". - ----- Richard Austin MS, CISSP (http://cse.spsu.edu/raustin2) spent 30+ years in the IT industry holding positions ranging from software developer to security architect before becoming a semi-retired, part-time academic. He welcomes your thoughts and comments on this review at raustin2 at spsu dot edu.
The RISK of rampant exaggeration and hyperbole when it comes to FUD is payable in terms of privacy and rampant government waste. Cyber Warmongering and Influence Peddling http://www.informit.com/articles/article.aspx?p=1662328 In the article we attempt to provide some guidance for policymakers as they cut through the BS in our field. If you have the ears of any relevant policy makers in the government, please pass this on to them.
Please report problems with the web pages to the maintainer