Peter G. Neumann <neumann@CSL.sri.com>
Sun, 4 Jul 2004 08:12:11
Both the Internet and its users are under increasingly serious attacks from numerous technical and non-technical threats. If you are seriously interested in helping to avoid an "Internet meltdown" that could negatively and dramatically impact people around the world, please consider joining a group of us who will be meeting in Los Angeles from July 26 - 28 to address these issues under the aegis of People for Internet Responsibility (which I co-founded with Lauren Weinstein).
The expanding program agenda is on the conference main Web page:
In contrast to many other meetings, the conference program is oriented toward technology-related *policies* rather than to technical details, and should be of interest to techies and non-techies alike.
Please note that conference registrations need to be received prior to July 18 for the reduced conference rate, and that the hotel is offering discounted room rates through July 11.
I'm looking forward to seeing many of you at the conference.
Peter G. Neumann Principal Scientist, SRI International Computer Science Lab Chairman, ACM Committee on Computers and Public Policy
Thu, 01 Jul 2004 08:33:22 -0700
In a surprise decision, a federal appeals court has ruled that it was acceptable for a company that offered e-mail service to peruse messages sent by its subscribers. The case stems from 1998 when it was discovered that Interloc, a now-defunct literary clearinghouse, surreptitiously copied messages sent to its subscribers by rival Amazon in order to "develop a list of books, learn about competitors and attain a commercial advantage." An Interloc executive was later indicted on an illegal wiretapping charge, but yesterday's ruling upheld a federal judge's dismissal of that charge on the grounds that the e-mails were copied while in "electronic storage" (during the process of being routed through a network of servers to recipients). The Wiretap Act prohibits unauthorized eavesdropping on messages that are not stored—such as a real-time telephone conversation—but does not afford the same protection to stored messages. In a dissenting opinion, Appeals Court Judge Kermit Lipez wrote that the ruling unravels "decades of practice and precedent regarding the scope of the Wiretap Act" and essentially renders the act "irrelevant to the protection of wire and electronic privacy." In a concurring statement, the Electronic Frontier Foundation said that yesterday's ruling "dealt a grave blow to the privacy of Internet communications." [AP 30 Jun 2004; NewsScan Daily, 1 Jul 2004] http://apnews.excite.com/article/20040701/D83HMB0O0.html
Lauren Weinstein <firstname.lastname@example.org>
Fri, 02 Jul 2004 17:32:20 -0700
Federal Court Rules No Privacy in E-mail Stored at ISPs, Even Temporarily in Transit
July 2, 2004
PFIR - People For Internet Responsibility - http://www.pfir.org
A federal appeals court has ruled that your e-mail passing through ISP servers is virtually without privacy protections. It is impossible to overstate the potential significance of this astoundingly poor decision.
For the news story, please see: http://www.washingtonpost.com/wp-dyn/articles/A19211-2004Jun30.html
The full text of the decision is at: http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf
If generally upheld, it means that user e-mail stored on ISP servers even temporarily or while in transit (Gmail, Hotmail, POP, IMAP, SMTP, etc.) is vulnerable to legal monitoring or other abuses by ISPs and others, including use for competitive or even prurient purposes, without notification to the persons whose e-mails are involved.
With many ISPs forcing more users (especially typical dynamic-IP customers) to route all mail through ISP servers (e.g., via blocking of port 25), the implications are staggering.
Though ISPs may claim privacy policies that prohibit snooping, policies are subject to change, and the legal barriers for access to the mail by outside entities are also much lower in such cases.
Regardless of whether or not this decision stands, the underlying facts should be very clear. The most reliable and trustworthy path to secure e-mail is via direct, end-to-end, encrypted connections that are not forced to route through ISP mail servers. This is one of the goals of the PFIR "Tripoli" project ( http://www.pfir.org/tripoli-overview ).
The court's ruling will also now be a topic at a legal issues panel at our PFIR "Internet Meltdown" conference late in July ( http://www.pfir.org/meltdown ). [See above. PGN]
This is one of the worst and most dangerous court decisions ever to appear relating to the Internet.
Lauren Weinstein firstname.lastname@example.org or email@example.com or firstname.lastname@example.org Tel: +1 (818) 225-2800 http://www.pfir.org/lauren Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org Co-Founder, Fact Squad - http://www.factsquad.org Co-Founder, URIICA - Union for Representative International Internet Cooperation and Analysis - http://www.uriica.org Moderator, PRIVACY Forum - http://www.vortex.com Member, ACM Committee on Computers and Public Policy
danny burstein <email@example.com>
Sat, 3 Jul 2004 01:06:21 -0400 (EDT)
First, after a court battle, some news organizations and the Florida ACLU got a judge to grant them access to the Florida Felon list - the one that keeps people from voting (a very painful topic we all recall from 2000):

> "TALLAHASSEE - In a victory for Florida voters, a Leon circuit court judge today struck down a state law that prevents copying a state list with names of more than 47,000 registered voters who may be deleted from the voter rolls because the state has identified them as possible ex-felons."
And to no one's surprise, a couple of days later we got stories like this:
Thousands of eligible voters are on felon list BY ERIKA BOLSTAD, JASON GROTTO AND DAVID KIDWELL
More than 2,100 Florida voters—many of them black Democrats -- could be wrongly barred from voting in November because Tallahassee elections officials included them on a list of felons potentially ineligible to vote, a Herald investigation has found.
A Florida Division of Elections database lists more than 47,000 people the department said may be ineligible to vote because of felony records. But a Herald review shows that at least 2,119 of those names -- including 547 in South Florida—shouldn't be on the list because their rights to vote were formally restored through the state's clemency process...
Gadi Evron <firstname.lastname@example.org>
Sat, 03 Jul 2004 04:39:18 +0200
The Israeli Police psychologist, in charge of consulting and evaluating police under-cover agents, lost her laptop.
The laptop was stolen in a break-in to her house.
According to Police sources, the laptop held no names, just the psych evaluations and information. Police said the loss is not critical, but nonetheless they invested a lot of resources in locating the thieves and arranging for a buy.
The laptop was bought for _only_ 5K NIS (a bit over 1K USD). When bought, the information on the laptop was also deleted. This suggests that maybe the thieves were only after selling the laptop and were completely unaware of the information it held or of its value. When were any of us last that lucky? I figure that's wishful thinking, but that's only my opinion.
Heck, I personally hope they were lucky, but I've seen many such warning signs completely ignored by different organizations until a 9/11 of sorts happens. Maybe this will be enough of a shock for them to bump up information security enforcement. I am pretty sure they already have a policy and regulations.
The laptop supposedly holding no names is a consolation. At least proper compartmentalization policies were followed.
Joe Thompson <email@example.com>
Tue, 29 Jun 2004 13:27:05 -0400
Recently the DC Metro discovered two things: 1) it was short on cash, 2) parking revenues weren't what they should be. An audit implicated theft by parking attendants as a contributor to the revenue shortfall. Accordingly, the decision was apparently made to ax the contract with the company which provided the attendants and change over completely to the existing automated "SmarTrip" smart-card system.
Yesterday was the first day of all-automated parking (with attendants standing by in case of problems), and it all did not go quite according to plan:
"New machines selling SmarTrip cards were installed in stations, but many customers trying to use credit cards in those machines found they were unable to. Metro said the volume of sales was too much."
...further annoying commuters already miffed at having to shell out $5 just to buy yet another card. Apparently to buy a card in cash, the machines would *only* accept a $10 bill. (Here in DC and the surrounding area, the $20 has been the bill of choice for some time now. They're known as "yuppie food-stamps" because so many people have them and so few people can make change for them.)
For the time being, commuters can buy a traditional Metro farecard for the exact amount of the parking fee and hand that in to the attendants, but no one has addressed what happens when the attendants are gone and the SmarTrip machines are all that remains.
Also unaddressed, to my knowledge, are questions about the degree of redundancy and the failure modes in the SmarTrip system. Even before the changeover it was a regular occurrence for SmarTrip card readers in parking-lot exit gates to fail, leaving the gate down and forcing everyone to shift to another exit line. After fully-automated operation commences, will a single failed telephone or network line incapacitate all readers in a station's lot (or more than one station's lot)? Is there a contingency plan in place for that? Will gates be changed to automatically lift if communications with the card-authorization system are lost? Have they been changed to do so already, and if so, has the change been tested?
(The SmarTrip cards appear to store the current value in the chip embedded in the card, but some kind of communication does go on since registered cards' value is protected from the time the card is reported lost or stolen.)
What puzzles me is why the existing paper farecards aren't an option for automated parking payment. The readers for those much predate the SmarTrip system and the farecard vending machines are much more flexible.
RISKS: Making major system changes without sufficient forethought and testing for what are essentially political reasons.—Joe
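The failure-mode questions in the post above (what a gate does when the authorization link is gone, and whether a lost-card block still holds) can be pinned down in code. The following is an added example, not code from the post or from the transit authority: it models an exit-gate reader that debits value stored on the card, as the post observes SmarTrip does, and compares a fail-closed gate with a fail-open gate that keeps a cached hotlist and bounds how much any one card can spend while offline. The fare, the offline cap, the card and backend objects and the reconciliation step are all assumptions made for the illustration.

```python
"""Fail-open vs fail-closed exit gates with an unreliable authorization link.

Added example; not part of the RISKS post and not the real SmarTrip protocol.
FARE, OFFLINE_CAP, the Card/Backend/Gate objects and the hotlist are assumptions.
"""
from dataclasses import dataclass, field

FARE = 5            # assumed parking fee, in dollars
OFFLINE_CAP = 3     # assumed: max debits one card may make while the link is down


class LinkDown(Exception):
    """Raised when the central authorization system cannot be reached."""


@dataclass
class Card:
    card_id: str
    stored_value: int    # value kept on the chip, as the post notes


@dataclass
class Backend:
    """Central authorization: knows which cards were reported lost or stolen."""
    hotlist: set = field(default_factory=set)
    up: bool = True

    def authorize(self, card_id: str) -> bool:
        if not self.up:
            raise LinkDown()
        return card_id not in self.hotlist


@dataclass
class Gate:
    backend: Backend
    fail_open: bool
    cached_hotlist: set = field(default_factory=set)   # last copy pulled from backend
    offline_debits: dict = field(default_factory=dict)  # card_id -> debits while offline
    pending: list = field(default_factory=list)         # (card_id, amount) to upload later

    def sync(self) -> None:
        """Periodic pull of the hotlist so an outage does not erase what we knew."""
        self.cached_hotlist = set(self.backend.hotlist)

    def present(self, card: Card) -> str:
        """Handle one card tap. Returns 'open', 'refused' or 'stuck'."""
        if card.stored_value < FARE:
            return "refused"
        try:
            ok = self.backend.authorize(card.card_id)
        except LinkDown:
            if not self.fail_open:
                return "stuck"            # gate stays down; the whole lane queues
            # Degraded mode: decide locally with what we already know.
            if card.card_id in self.cached_hotlist:
                return "refused"
            n = self.offline_debits.get(card.card_id, 0)
            if n >= OFFLINE_CAP:
                return "refused"          # bound the loss from a blocked or cloned card
            self.offline_debits[card.card_id] = n + 1
            card.stored_value -= FARE
            self.pending.append((card.card_id, FARE))
            return "open"
        if not ok:
            return "refused"
        card.stored_value -= FARE
        return "open"

    def reconcile(self) -> list:
        """After the link returns: hand back the deferred debits for upload
        and reset the per-card offline counters."""
        sent, self.pending = self.pending, []
        self.offline_debits.clear()
        return sent


if __name__ == "__main__":
    be = Backend(hotlist={"lost-1"})
    gate = Gate(be, fail_open=True)
    gate.sync()
    be.up = False                              # simulate the line going down
    c = Card("c1", 20)
    print(gate.present(c), c.stored_value)    # open 15
    print(gate.present(Card("lost-1", 20)))   # refused: cached hotlist still applies
```

The cached hotlist is what lets a fail-open gate honor a lost-card report during an outage, and the offline cap is what keeps "fail open" from meaning "free for anyone with a blocked card"; both need to be exercised in testing, which is exactly the step the post suspects was skipped.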
Dominey, Jack M, NEO <firstname.lastname@example.org>
Wed, 30 Jun 2004 08:48:23 -0400
Following message forwarded by my boss. I wonder what they think of this at Coca Cola HQ?
Subject: SCIF Security Advisory
The Coca Cola Company has a summer game promotion running from 5/17 - 7/12/04 in all 50 states and the District of Columbia that has the capability to compromise classified information. The company has intermixed approximately 120 Coca-Cola cans that actually contain GPS locators equipped with a SIM card, keypad and GPS chip transponder so it functions as a cell phone and GPS locator. The cans are concealed in specially marked 12, 18, 20, or 24 can multi-packs of Coca-Cola Classic, Vanilla Coke, Cherry Coke and Caffeine Free Coke. The hi-tech Coke "Unexpected Summer" promotion can has a button, microphone, and a tiny speaker on the outside of the can. Pressing the larger red button starts the game in process, thus activating the GPS signal and a cell phone used by the customer to call a special hotline. Consumers who find these cans, activate the technology, and call the hot line must agree to allow Coke "search teams" using the GPS tracker (accurate to within 50 feet), to surprise them anyplace, anytime within three weeks to deliver a valuable prize.
In accordance with DIA, no specific policy for this promotion will be issued. However, DISA employees with access to SCIFs should take a common sense approach and if one of these cans is found inside a SCIF, they should treat it as they would any two-way electronic device in a SCIF and remove it immediately. Until such time as this sales promotion ends and all 120 cans are accounted for, Coca-Cola packages should be opened and inspected before taking them into any area marked as a "Restricted Area" or where classified meetings/discussions, etc. are in progress or have the potential to occur at any time.
Scott Addis, Chief, SSO, Defense Information Systems Agency
RISKS submission from Jack Dominey, AT&T Network Disaster Recovery
Daniel P. B. Smith <email@example.com>
Sat, 3 Jul 2004 06:54:06 -0400
Boston Globe, July 3, 2004. Available (for 48 hours) at http://www.boston.com/news/nation/articles/2004/07/03/drug_vending_units_worry_pharmacists/
"...[The Beth Israel Deaconess network] wants to introduce automatic prescription machines to their clinics in the Boston area. From afar, a pharmacist sends a message from his computer telling the machine which prepackaged bottles of pills to dispense. A staffer at a clinic retrieves the bottle, affixes a label, and gives it to the patient. ...Telepharmacy Solutions Inc., ...pioneered the concept in the 1990s. The automated dispensers cost about $60,000 each, and so far a smattering of public health centers, hospitals, and Veterans Administration clinics around the country use them. The VA has 55 machines in different states and is considering wider use."
"...[A machine at the Thundermist Clinic in Warwick, Rhode Island] The West Warwick machine carries 50 branded and generic drugs in preset doses and bottle sizes, including antibiotics, blood-pressure medication, Lipitor for cholesterol, and several kinds of antidepressants. 'I liken it to a Coke machine,' said Stephanie McCaffrey, Thundermist's vice president for program development. 'You put the order in, and plop, it comes out.' To get drugs, a doctor faxes the patient's prescription to a pharmacist in Woonsocket. The pharmacist reviews it and sends an electronic message via a secure computer link to the vending machine telling which drug to dispense. Bar codes on the pills and on the labels ensure the right medicine is given to the right patient."
"A staffer gives the bottle to the patient with printed information showing the drug's side effects and warnings. The patient is asked whether he or she wishes to speak to a pharmacist. If the answer is yes, the patient is directed to a telephone."
In addition to the obvious RISKS (machines never make a mistake--make a mistake--make a mistake), we have yet another area where automation is being used to handle the easy part of a difficult task, one that traditionally involved the personal participation of very highly skilled humans. No doubt the bulk of today's pharmaceutical practice consists of repeatedly dispensing the "top forty hits" of the drug world on a routine basis. This will now be handled by machines, by remote access, and by relatively lower-skilled persons that "give the bottle to the patient" (at least until someone decides these staffers can be eliminated, too). At clinics with the machines which "plop" out drugs, the functions for which pharmacists train for six years will theoretically still be available. But now it will be the exception rather than the rule, and over time these services may become rarer and harder to access. Today, what happens in those rare occasions when a prescription actually needs to be compounded? What will happen ten years from now?
Daniel P. B. Smith, firstname.lastname@example.org email@example.com
Fri, 02 Jul 2004 08:32:22 -0700
The Yankee Group, a prominent market research firm, is predicting that RFID tags will cost four million U.S. jobs by 2007, throughout numerous industries. (RFID stands for Radio Frequency Identification, a technology embedded for inventory and tracking purposes into products, materials, and shipments.) However, Yankee Group analyst Adam Zabel thinks that most workers who lose their jobs due to increased efficiencies made possible by RFID technology will be able to obtain 'more value-added' positions. [Vnunet 2 Jul 2004; NewsScan Daily, 2 Jul 2004] http://www.vnunet.com/news/1156369
Bob Heuman <firstname.lastname@example.org>
Fri, 02 Jul 2004 10:34:47 -0400
No new risk in the following article, but under the government of Robert Mugabe it is possible that this theft was government sponsored!
Barclays victim of data robbery GodFrey Marawanyika /Anita Fleming http://www.theindependent.co.zw/news/2004/July/Friday2/885.html
Barclays Bank of Zimbabwe has become the second financial institution to fall victim to computer data robbery, the Zimbabwe Independent has established. Barclays lost computer hard drives which contained classified information on the bank and its clientele. The hard drives were stolen over the weekend. Barclays has since informed the central bank of the incident.
The FIRST financial institution was robbed of a hard drive in February, [when] NMB fell victim to hard-drive robbery and up to now the case is still to be resolved.
Bob Heuman <email@example.com>
Fri, 02 Jul 2004 19:59:00 -0400
To me via NewsScan Daily, 2 Jul 2004 ("Above The Fold")
And what is the risk to someone from outside of France who has this type of service and flies into France? Do they too risk a 5 year prison term and a substantial fine? If so, Yankee stay home! This service seems to be offered almost all over North America, after all...
> From: "NewsScan" <firstname.lastname@example.org>:
CNIL, the French data protection authority, has declared Rampell Software's new mail-service 'Did they read it?' to be illegal.
(Subscribers to "DidTheyReadIt?" get a report about the exact time their e-mail was opened, for how long, on what kind of operating system and if the mail was forwarded to other people.)
The CNIL finds the service unacceptable under French privacy Legislation; as a result, any French subscriber to this service risks a prison sentence of 5 years plus a substantial fine.
(EDRIgram 1 Jul 2004) www.edri.org Rec'd from Jim Sterne via Mark Gibbs
Thu, 1 Jul 2004 19:30:23 +0200
The Lombardia Region (Italy) local administration has set up a web service to help citizens obtain a certificate of free entitlement to medical treatment (form E111) for travel to other European Union countries. The web service asks for only your tax code as proof of identity and then proceeds to supply you the following information:
- Forename and Surname
- Health authority district of registration
- Health authority registration number
So, if I have only the tax code of a Lombardia resident I can at least find out their full name and their health district (which is more or less certain to be in the same area of their home address).
The risk is providing a service without user authentication which gives out id information to unknown users if they are in possession of a valid tax code.
When challenged about this, the technical staff replied that they had examined the possibility that someone could make up a valid tax code by trial and error. They believed this to be quite remote (and I agree with them). The risk is that they hadn't considered the circumstances where someone might come into possession of a real tax code and then use it to complete the ID info.
Nick Brown <Nick.BROWN@coe.int>
Wed, 30 Jun 2004 23:40:16 +0200
It's now common practice for viruses to leverage the expected countermeasures of security software, as part (or all) of their payload. For example, the authors of the various Netsky (etc) worms know that for every mail their software sends, at least one more of the "you sent us a virus" variety will be sent by a corporate e-mail gateway virus scanner.
Once any type of automated retaliation is in place, exactly the same thing will happen. Indeed, there's plenty of potential for DoS attacks, e.g., if someone in company X can forge an attack as being "from" their rivals at company Y.
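The mail-gateway case above, as an added example that is not part of the RISKS post: a small simulation of a gateway virus scanner under two policies, counting who actually receives the "you sent us a virus" traffic when a worm forges its envelope sender. The addresses, the message counts, the worm's forging pattern and the two gateway policies are constructed for the illustration; the scanner is a stub that just reads an `infected` flag.

```python
"""Backscatter: who gets the 'you sent us a virus' notices when senders are forged.

Added example, not part of the RISKS post. Addresses, counts and the worm's
behaviour are constructed; scan() is a stand-in for a real AV engine.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    submitter: str       # account that really handed the mail to its MTA
    envelope_from: str   # MAIL FROM as presented to us: trivially forgeable
    rcpt_to: str
    infected: bool


def scan(msg: Message) -> bool:
    """Stand-in for the AV engine: True if the message must be blocked."""
    return msg.infected


def gateway_notify_after_accept(inbound) -> Counter:
    """Policy A, the one worm authors count on: answer 250 OK to everything,
    scan afterwards, then mail a notice to the envelope sender.
    Returns a Counter of notices keyed by the address that receives them."""
    notices = Counter()
    for msg in inbound:
        if scan(msg):
            notices[msg.envelope_from] += 1   # delivered to whoever was forged
    return notices


def gateway_reject_in_session(inbound) -> Counter:
    """Policy B: scan at DATA time and answer 5xx before taking responsibility
    for the message. We originate no mail at all. If anything bounces, the
    connecting MTA bounces it to the account that really submitted the
    message; for a worm that is the infected machine's own mailbox.
    Returns a Counter of those bounces keyed by recipient."""
    bounces = Counter()
    for msg in inbound:
        if scan(msg):
            bounces[msg.submitter] += 1
    return bounces


def worm_run(infected_host, forged_victims, targets, copies):
    """Netsky-style run: every copy forges MAIL FROM as a harvested address
    and is aimed at one of our users."""
    return [
        Message(submitter=infected_host,
                envelope_from=forged_victims[i % len(forged_victims)],
                rcpt_to=targets[i % len(targets)],
                infected=True)
        for i in range(copies)
    ]


def legitimate(senders, targets):
    """Ordinary clean mail that must keep flowing under either policy."""
    return [Message(s, s, t, False) for s in senders for t in targets]


def compare(inbound):
    """Return (notices under policy A, bounces under policy B) as plain dicts."""
    return (dict(gateway_notify_after_accept(inbound)),
            dict(gateway_reject_in_session(inbound)))


# Constructed traffic: one infected PC forging two executives at a rival
# company, plus one clean message from a business partner.
INBOUND = (
    worm_run("pc17@infected.example",
             ["ceo@rival.example", "cfo@rival.example"],
             ["alice@ourco.example", "bob@ourco.example"],
             copies=1000)
    + legitimate(["carol@partner.example"], ["alice@ourco.example"])
)

if __name__ == "__main__":
    notices, bounces = compare(INBOUND)
    print("policy A (notify after accept):", notices)   # 500 each to the forged execs
    print("policy B (reject in session): ", bounces)   # 1000 to the infected host
```

Under policy A the gateway is the amplifier the worm author was counting on: a thousand unsolicited notices land at the forged rival, who never sent anything. Under policy B the gateway emits nothing, and whatever bounces exist are produced by the MTA that actually accepted the submission, which is the only party that knows the real origin. The same attribution problem applies to automated retaliation against packet sources: an address that arrives in a forgeable field is not evidence of who sent it.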
Curtis Karnow <email@example.com>
Mon, 28 Jun 2004 11:39:52 -0700 (PDT)
Attacking the attacker may or may not be a good idea: there are public relations, and practicalities to consider. In many cases, it's a very bad idea. But if done correctly (accurate, targeted, no or [relatively] little collateral damages) it might be legal. See my "Launch On Warning: Aggressive Defense of Computer Systems," 8 Cyberspace Lawyer 4 (March 2003); rewritten and published at http://islandia.law.yale.edu/isp/digital%20cops/papers/karnow_newcops.pdf
Rob Slade <firstname.lastname@example.org>
Mon, 28 Jun 2004 08:23:22 -0800
"Exploiting Software", Greg Hoglund/Gary McGraw, 2004, 0-201-78695-8, U$49.99/C$71.99
%A Greg Hoglund
%A Gary McGraw
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2004
%G 0-201-78695-8
%I Addison-Wesley Publishing Co.
%O U$49.99/C$71.99 416-447-5101 fax: 416-443-0948
%O http://www.amazon.com/exec/obidos/ASIN/0201786958/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0201786958/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0201786958/robsladesin03-20
%P 471 p.
%T "Exploiting Software: How to Break Code"
I have learned to beware of books with titles like this, which generally indicate a hastily compiled set of old vulnerabilities, benefitting nobody save the author. This work, however, turns out to have a lot of value for those interested in security of software.
Although it does not deal with the factors inherent in software that almost ensure problems, chapter one outlines the fact of bugs in software, the relative rate and increasing prevalence, and future developments that may exacerbate the issue. Chapter two provides taxonomies of general types of software problems (distinguishing, for example, between a bug and a flaw), patterns of attack activities (pointing out that most exploits are used in combination), and types of system scanning activities (used to determine specific attacks that might be effective). This material is very useful in structuring the debate about software exploits and attacks in general, but, ironically, the chapter (and book) itself could benefit from better organization. Reverse engineering, both via black box testing and through code analysis, is described in chapter three. The discussion is general, and presents the different activities that can be undertaken, usually at a fairly abstract level. (This is not true in all cases: there is a chunk of twelve pages of code for a plug-in module and eight pages of script for the IDA disassembler, which is of questionable utility, depending on the familiarity the reader may have with that particular program.)
At this point in the book, the issue of the validity of the "learn to exploit in order to learn to protect" philosophy should be addressed. In general, the "hack to protect" books do not provide much that is of value for the defenders. That statement is not necessarily true of this work. Since most of the presentation is at a conceptual level, it is the ideas, and not particular exploits, that are being reviewed. The authors are explaining tools and techniques that, yes, can be used by attackers, but can equally be used by those who wish to probe a given system for weaknesses in order to determine vulnerabilities to be patched. (There appears to be only one exception in chapter three: the authors note that vendor patches tend to act as a roadmap for vulnerabilities, and it is difficult to say how this technique is useful for defence, other than to note that the probability of an exploit increases after a patch has been issued.)
Chapter four lists types of attacks on server software, while five looks at clients, primarily web browsers. Indications pointing to patterns of malformed input that are likely to generate successful exploits are described in chapter six. The classic and ubiquitous buffer overflow gets a detailed explanation (supported with a number of examples) in chapter seven, which has a strangely extensive section on RISC (Reduced Instruction Set Computer) architectures. Chapter eight is rather disappointing in light of the tone of the rest of the book: it is primarily concerned with how to create and program rootkits, and the worth for defence is doubtful.
While ultimately of greatest use to a rather select audience (those specifically concerned with finding and patching loopholes in software), this book does have a lot to say to most security professionals. The security aspects of software development tend to be glossed over too quickly in most general works on security. Specific examples of malformed input are used, in too many security texts, as evidence of the author's superior security erudition, rather than to explain the underlying concepts. Hoglund and McGraw have prepared solid tutorials and definitions of these important ideas (although one could wish that they had prepared the arrangement of the book with the same degree of care).