http://www.post-gazette.com/pg/11004/1115414-58.stm A man in Pittsburgh was arrested on a federal warrant accusing him of stealing as much as $1.4 million from US casinos. He was about to stand trial for bilking a local casino out of nearly a half-million dollars in fraudulent jackpots. The jackpots resulted from a flaw in the software of certain IGT machines. These machines apparently awarded a jackpot when a special sequence of buttons was pushed. I wonder if a good defense here is that the machine was doing exactly what it was programmed to do and all the defendant was doing was using expert play to increase his chances of winning.
[Thanks to Jeremy Epstein and Matthew Kruk.] Dan Goodin in San Francisco, Researcher cracks Wi-Fi passwords with Amazon cloud: Return of the Caveman attack, *The Register*, 11 Jan 2011 http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/ A security researcher has tapped Amazon's cloud computing service to crack Wi-Fi passwords in a fraction of the time and for a fraction of the cost of using his own gear. Thomas Roth of Cologne, Germany told Reuters [1] he used custom software running on Amazon's Elastic Compute Cloud service to break into a WPA-PSK protected network in about 20 minutes. With refinements to his program, he said he could shave the time to about six minutes. With EC2 computers available for 28 cents per minute, the cost of the crack came to just $1.68. "People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so," Roth told the news service. "But it is easy to brute force them." Roth is the same researcher who in November used Amazon's cloud to brute force SHA-1 hashes [2]. Roth said he cracked 14 hashes from a 160-bit SHA-1 hash with a password of between one and six characters in about 49 minutes. He told The Register at the time he'd be able to significantly reduce that time with minor tweaks to his software, which made use of "Cluster GPU Instances" of the EC2 service [3]. As the term suggests, brute force cracks are among the least sophisticated means of gaining unauthorized access to a network. Rather than exploit weaknesses, they try huge numbers of possible passwords until the right phrase is entered. Roth has combined this caveman approach with a highly innovative technique that applies it to extremely powerful servers that anyone can rent at highly affordable rates. Roth's latest program uses EC2 to run through 400,000 possible passwords per second, a massive amount that only a few years ago would have required the resources of a supercomputer.
He is scheduled to present his findings [4] at next week's Black Hat security conference in Washington, DC. 1. http://uk.reuters.com/article/idUKTRE70641M20110107 2. http://www.theregister.co.uk/2010/11/18/amazon_cloud_sha_password_hack/ 3. https://aws.amazon.com/ec2/ 4. http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Roth
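The step Roth's program has to repeat for every guess is the standard WPA-PSK passphrase-to-key mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output), and the arithmetic behind "$1.68 for a crack" is just keyspace divided by rate times the per-minute price. The following is an added example written for this digest, not Roth's code or anything from the article: it derives the key, runs a tiny wordlist and an all-digit keyspace against a constructed target, and prices a worst-case search using the 400,000 guesses/second and 28 cents/minute the article quotes. The SSID "IEEE" and passphrase "password" are constructed inputs (they happen to be the reference vector in the 802.11i standard); the wordlist is made up. A real attacker never has the key itself and instead checks each guess against the MIC of a captured four-way handshake, but the per-guess cost, one PBKDF2 run, is the same, so the key comparison stands in for that check here.

```python
import hashlib
import hmac
from itertools import product

# Constructed example values, not taken from the article.
SSID = b"IEEE"
VICTIM_PASSPHRASE = b"password"

# Figures quoted in the article for Roth's EC2 setup.
GUESSES_PER_SECOND = 400_000
EC2_COST_PER_MINUTE_USD = 0.28


def wpa_pmk(passphrase: bytes, ssid: bytes) -> bytes:
    """Derive the WPA/WPA2 Pairwise Master Key from passphrase and SSID.

    Standard WPA-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096
    iterations, 32-byte output. Those 4096 iterations are the only thing
    slowing a guesser down, which is why GPU instances change the economics.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, dklen=32)


def crack_pmk(target_pmk: bytes, ssid: bytes, candidates):
    """Try candidates in order until one derives target_pmk.

    Returns (passphrase, guesses_tried), or (None, guesses_tried) if the
    keyspace is exhausted. Stand-in for the real handshake-MIC check: the
    attacker does not hold the PMK, but each guess costs one PBKDF2 run
    either way.
    """
    tried = 0
    for cand in candidates:
        tried += 1
        if hmac.compare_digest(wpa_pmk(cand, ssid), target_pmk):
            return cand, tried
    return None, tried


def digit_passphrases(length: int):
    """Every all-numeric passphrase of the given length (the shape of the
    default keys printed on many consumer routers), generated lazily."""
    for digits in product(b"0123456789", repeat=length):
        yield bytes(digits)


def brute_force_cost(keyspace: int, rate=GUESSES_PER_SECOND,
                     usd_per_minute=EC2_COST_PER_MINUTE_USD):
    """Worst-case (seconds, USD) to exhaust a keyspace at the article's
    quoted guess rate and instance price."""
    seconds = keyspace / rate
    return seconds, round(seconds / 60 * usd_per_minute, 2)


if __name__ == "__main__":
    pmk = wpa_pmk(VICTIM_PASSPHRASE, SSID)
    print("target PMK:", pmk.hex())

    # Constructed wordlist; WPA passphrases must be 8..63 characters.
    wordlist = [b"letmein1", b"12345678", b"password", b"trustno1"]
    found, n = crack_pmk(pmk, SSID, wordlist)
    print(f"wordlist: recovered {found!r} after {n} guesses")

    # An all-digit key: search the whole 10^4 space for a 4-digit demo target
    # (real router keys are longer; see the cost figures below).
    demo = wpa_pmk(b"4271", SSID)
    found, n = crack_pmk(demo, SSID, digit_passphrases(4))
    print(f"4-digit space: recovered {found!r} after {n} guesses")

    for length in (8, 10):
        secs, usd = brute_force_cost(10 ** length)
        print(f"{length}-digit numeric keyspace: {secs:,.0f} s worst case, ${usd}")
```

The 8-digit numeric case works out to about four minutes and just over a dollar at the article's figures, which matches the order of magnitude Roth reports; a 10-digit space costs a hundred times that, and a genuinely random 12-character mixed passphrase is out of reach at any rental price, which is the real defensive lesson rather than "WPA is broken". Note also that the SSID is the salt: a precomputed table only helps against networks with the same SSID, so a default SSID like "linksys" invites rainbow tables while a unique one forces the attacker to do the PBKDF2 work per network.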
"The credit union used by members of the U.S. armed forces and their families has admitted that a laptop infected with malware was used to access a database containing the personal and financial information of customers. The Pentagon Federal Credit Union (PenFed) issued a statement to the New Hampshire Attorney General that said data, including the names, addresses, Social Security Numbers and PenFed banking and credit card account information of its members were accessed by the infected PC." slashdot, 12 Jan 2011 https://threatpost.com/en_us/blogs/infected-pc-compromises-pentagon-credit-union-011211 robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory Westford, MA 01886 1-781-981-5767 http://www.haystack.mit.edu
Stephanie Innes, *Arizona Daily Star*, 12 Jan 2011 Three employees at Tucson's University Medical Center have been fired for violating patient privacy in connection with accessing confidential medical records in the high-profile shooting rampage that killed six people and left Congresswoman Gabrielle Giffords in critical condition, hospital officials said. All the remaining injured patients from the shootings, including Giffords, are at UMC. ... http://azstarnet.com/news/local/crime/article_4f789a48-1e8c-11e0-929a-001cc4c002e0.html
Nick Bilton, Bug Causes iPhone Alarm to Greet New Year With Silence, *The New York Times*, 2 Jan 2011 Pat Kiernan, a morning anchor on NY1, the New York City cable news channel, is no stranger to alarm clock problems. That's why he usually relies on several clocks, phones and other devices to wake him in time for his early newscasts. That redundancy paid off for Mr. Kiernan on Saturday when his primary alarm, the one built into his Apple iPhone, failed to go off because of a programming error in the phone's calendar software. "Before I went to bed I set two iPhone alarms, and both completely failed to go off," said Mr. Kiernan, adding that he uses the iPhone as his alarm clock when he travels. "Luckily I had an Android phone with me as a third backup alarm, and it woke me up in time for my news segment." Many people weren't as lucky as Mr. Kiernan, voicing frustration online after they overslept on the first morning of the new year. By Sunday morning thousands more people were posting angry missives about the iPhone problem on Twitter, Facebook and other social networks, noting that they had missed a breakfast meeting or were running late for work or church. ... http://www.nytimes.com/2011/01/03/technology/03iphone.html
At last night's New Year's Eve party, we were already disturbed to find significant time skew between people who had cell phones and wristwatches that are automatically set from WWV. (Most of the phones either had the same time or didn't show seconds.) And then at midnight, somebody's new digital wristwatch failed :-) We're not really sure what happened, and it fixed itself about 10 minutes later, but the owner said it spent a while going back and forth between 00:12 and 00:13 or something equally strange. This being a techie crowd, it led to the usual stories about Y2K and programs on punched cards that needed to be rewritten for the one-digit-date rollover from 1979->1980 and such, but after Y2K you'd think people would just Know Better.
[From Network Neutrality Squad] http://bit.ly/gUuFCU (The H Security) Depending on implementation details, this may be an argument for viewing PDF documents in inherently more "sandboxed" environments like Google Chrome (which has a basic internal PDF viewer) rather than using full-blown Adobe readers (when possible and practical, given current feature requirements in any given case).
Two Men Plead Guilty in Sophisticated Gas Station ATM and Credit Card Skimming Scheme, 11 Jan 2011, Contact: (510) 622-4500 http://oag.ca.gov/news/press_release?id=2024 Martinez, CA: Two men were sentenced today to prison for their role in stealing more than $90,000 from some 200 people in Northern California by stealing personal financial information with a sophisticated skimming device placed inside ATM and credit card payment devices at gas station pumps. This morning in Contra Costa County Superior Court in Martinez, the two men pleaded guilty to all felonies they were charged with, including conspiracy and identity theft. David Karapetyan, 32, pled guilty to 37 felonies and received a seven-year prison sentence. Zhirayr Zamanyan, 31, pled guilty to five felonies and received a five-year prison sentence. Two other defendants, Edwin Hamazaspyan, 31, and Naum Mints, 21, are scheduled to appear in court on February 15. In March, the Attorney General's office took over prosecution of the case from the Contra Costa District Attorney's office because the crimes occurred in multiple jurisdictions throughout Northern California. An amended complaint was filed in October. In their high-tech crime spree, the gang traveled to gas stations across the Bay Area in a rented Cadillac Escalade. From November 2009 to February 2010, they are believed to have stolen $90,000 from 196 people through their skimming scheme. The thieves acquired keys to unlock various kinds of gas station pumps. Once they opened the pumps, they were able to connect two cables inside to their two-inch electronic device, which looked like a circuit board encased in electrical tape, and recorded ATM and credit card data as well as victims' PINs. No tampering was visible on the outside of the pumps. The gang would later return to retrieve the skimmers, which took less than 20 seconds.
The investigation began in February when police in Solano and Contra Costa counties reported an increase in identity theft and a 7-Eleven store employee in Martinez noticed a skimming device inside a gas pump. Police removed the device, replaced it with a mock device and conducted 24-hour surveillance. Karapetyan and Zamanyan were arrested when they arrived to remove the device. In total, seven devices were found inside gas pumps in Martinez, Benicia, Livermore, Hayward, Oakland, San Mateo and Sacramento. Banks have reimbursed the victims. The Northern California Computer Crimes Task Force, a partnership of 17 local, state and federal agencies, participated in the investigation with assistance from the U.S. Secret Service, Martinez Police Department and the Glendale Police Department. The amended complaint and second amended complaint, as well as the arrest affidavit for Mints, are attached to the electronic version of the press release on the Attorney General's website: www.ag.ca.gov
My daughter is getting ready for a Confirmation Class trip to Washington DC, which will include a trip to the White House. So I received an email request from the trip coordinator stating: "There is a security form that I must fill out and I need the following information for each student/participant ASAP! 1. Name as it appears on Drivers License or other legal document; 2. Social Security Number; 3. Exact Date of Birth; 4. Citizen of US? Yes or No?; 5. City of current residence." She needed it ASAP, and I'm betting most parents will blindly email her the SSN. I've already informed her of the problem with doing that, but this is just the tip of the iceberg. I wanted to see why the SSN was required, and so I did some searching. I found Rep Elton Gallegly's site on tours (https://forms.house.gov/gallegly/forms/tours/tour_request.shtml), and it calls for the same information. So this seems to be a White House requirement (and SSNs seem to be a common identifier for searching security records, even though that isn't their real use). However, what is scary is the following: " Download Security Information Sheet (Excel) and email to CA24.Tours@mail.house.gov". Yup. Email again. You would think in this era of the Privacy Act the White House webmaster would have set up an HTTPS: page to submit this information. Daniel Faigin, CISSP faigin -at cahighways -dot org Journal/Blog: cahwyguy.livejournal.com Facebook: facebook.com/cahwyguy
I just got an Epson Stylus NX215 printer. I hope it lasts longer than my Dell laser printer which did not get through its second toner cartridge although my usage was not heavy in the 3 1/2 years that I used it. My new printer has very nice documentation for the installation, but one little bit got me. Near the end, there is the option to install some additional goodies. The interface was less than clear. "Select the items you want and click Install". OK. What do the Xs mean? Do they mean that the items have been selected, or that no, they have not been? The form starts with an X in each choice. It turns out that X means selected, but it could easily mean the other way around since X can mean wrong or no. Windows has standard input controls, but it seems that it is not the thing to do to use them when writing your installation program. I have run into the attitude before. In one USENET posting, a newbie was asking about other controls. He did not want to use the standard ones, BECAUSE they were standard. I remember one of the benefits of Windows pushed in the early days that with standard interfaces, it would be easier. My bet was that, since graphics was getting to be very important, the standard controls would be considered not good enough. I wish I had bet money on this. This is not the first time that I have been puzzled by non-standard controls.
(Brown, RISKS-26.28) The aviation folk are having lots of fun digesting this story and trying to determine whether or not the claimed scenario is, indeed, plausible. Curiously enough the film "Fate is the Hunter" [a] aired, err, cabled... on the Turner Classic Movies cable channel a week or so ago. The plot revolves around an airplane crash which seems to be due to pilot error. One investigator just can't believe "his pilot" would do something that careless. The relevance here (rot-13'ed as it's a spoiler): Vg gheaf bhg gung n fcvyyrq phc bs pbssrr fubegrq bhg gur pbageby pvephvgel, xabpxvat bhg gur ratvarf. So it may be that we have real life following a movie script. Or possibly just the reporting of same... [a] http://en.wikipedia.org/wiki/Fate_Is_the_Hunter_%28film%29 http://www.imdb.com/title/tt0058091/ [Also noted by Charlie Shub. citing the author of the 1961 movie Ernest K. Gann, and the Glenn Ford movie (1964). PGN]
[I somehow missed Geoff Kuenning's response to Jonathan before putting out RISKS-26.28. But I thought Jonathan's posting stood on its own. This time, Geoff's reply to Jonathan follows below. PGN] Geoff, It seems to me that Apple is not *complicit* in this case. Rather, Apple is *the cause* of the problem you encountered. If TNT's tracking numbers end with two letters, and Apple doesn't include the two letters when giving out TNT tracking numbers, then the confusion was introduced by Apple, not by TNT. I have no direct knowledge of how TNT generates tracking numbers, but with those two letters at the end, I can easily envision a tracking number algorithm which would completely eliminate the potential for confusion. For example, if the two letters indicate in base 26 the number of days since some baseline date modulus 676 (26*26), which gives you a range of 1.85 years, then as long as (a) TNT removes old shipping records from their Web tracking in less than 1.85 years, and (b) their system ensures that the same tracking number is not used twice /in the same day/, tracking number confusion will never occur. I think a correction to RISKS is in order. On 01/12/2011 07:57 AM, Geoff Kuenning wrote: >> Their Web site says, "If your consignment number appears more than once >> in the results field, you can use the letters as shown on your >> consignment note, e.g. GE123456781WW, to avoid duplicate results." Were >> you given those letters? Did using them eliminate the duplication? > Interesting; I missed seeing that note. No, I wasn't given those letters. > I cut and pasted directly from Apple's e-mail. So apparently Apple is > complicit in this case. (*Why* would they go out of their way to remove > information? It can't be easy to correctly reduce the ID number from > multiple shipping suppliers to a minimal acceptable value. Weird.)
CSPO and AAAS are co-sponsoring a seminar in Washington, D.C., commemorating the 50th anniversary of President Dwight D. Eisenhower's farewell address. Eisenhower's speech is mainly remembered for his warning of the perils of a "military-industrial complex." Less widely known, but no less important, was his caution a few sentences later about "the danger that public policy could itself become the captive of a scientific-technological elite." This seminar will explore the historical context and current relevance of Eisenhower's worries. Was He Right About the "Scientific-Technological Elite?" AAAS Auditorium / Washington, D.C. Panel: * Dan Greenberg, science journalist and author of several books on science policy * Gregg Pascal Zachary, author of the authoritative biography of Vannevar Bush * William Lanouette, a journalist on science policy and a senior analyst on energy and science issues at GAO from 1991 to 2006 * Dan Sarewitz, co-director of CSPO * Moderator: Steve Lagerfeld, editor of The Wilson Quarterly Live webcast Jan. 18 at 4:30p ET / 2:30p MT GO TO: http://www.ustream.tv/channel/cspo
CALL FOR PAPERS: RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection September 20-21, 2011 SRI International, Menlo Park, CA http://raid2011.org Paper submission deadline: Mar 31, 2011 (11:59PM PST) [Excerpted for RISKS. See raid2011.org for details. PGN] This symposium, the 14th in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss issues and technologies related to intrusion detection and defense. The Recent Advances in Intrusion Detection (RAID) International Symposium series furthers advances in intrusion defense by promoting the exchange of ideas in a broad range of topics. As in previous years, all topics related to intrusion detection, prevention and defense systems and technologies are within scope, including but not limited to the following: * Network and host intrusion detection and prevention * Anomaly and specification-based approaches * IDS cooperation and event correlation * Malware prevention, detection, analysis, containment * Web application security * Insider attack detection * Intrusion response, tolerance, and self-protection * Operational experiences with current approaches * Intrusion detection assessment and benchmarking * Attacks against intrusion detection systems * Formal models, analysis, and standards * Deception systems and honeypots * Vulnerability analysis and forensics * Adversarial machine learning for security * Visualization techniques * High-performance intrusion detection * Legal, social, and privacy issues * Network exfiltration detection * Botnet analysis, detection, and mitigation * Cyber-physical systems General Chair: Alfonso Valdes, SRI International, US Program Chair: Robin Sommer, ICSI/LBNL, US Program Co-Chair: Davide Balzarotti, Eurecom, France Publication Chair: Gregor Maier, ICSI, US Publicity Chair: Guofei Gu, Texas A&M, US Guofei Gu, Assistant Professor, Department of Computer Science & Engineering Texas A&M University