In last night's VP debate, Vice President Cheney countered an assertion made by Senator John Edwards and invited viewers to read a non-partisan analysis confirming his position by going to "FactCheck.com". Unfortunately, he meant to say "FactCheck.org", which is indeed a non-partisan election watchdog site run by the University of Pennsylvania. Worse for Cheney, it seems that FactCheck.com is a private advertising site, which is run by someone who is not a fan of the President. So to deal with the volume of traffic generated by Cheney's reference, the owner of FactCheck.com is now redirecting his traffic to www.georgesoros.com (George Soros being a billionaire who is actively campaigning to defeat the Bush/Cheney ticket). So anyone who follows Cheney's suggestion is presented with a partisan argument for voting for Kerry/Edwards. http://story.news.yahoo.com/news?tmpl=story&e=2&u=/ap/20041006/ap_on_el_pr/debate_rdp So always keep your URLs straight! http://story.news.yahoo.com/news?tmpl=story&ncid=738&e=1&u=/ap/20041006/ap_on_el_pr/debate_web_sites
On 9 Oct 2004, near Milwaukee, Wisconsin, an 80-foot-tall high-voltage electrical tower collapsed onto a second transmission tower, causing a four-hour power outage for 17,000 customers. Apparently someone had removed enough bolts from the base of the tower. Wires were still across railroad tracks the next day, delaying Amtrak and Canadian Pacific trains. http://www.cnn.com/2004/US/10/11/wisconsin.blackout.ap/index.html
The Department of Motor Vehicles in Colorado was disabled all of last week by a computer virus. New and renewed licenses and ID cards were unable to be issued during the time. Every computer in the system had to get fresh software installs and nearly 4.5 million documents had to be reloaded. No cost estimates have been given for the outage and no details released about the nature or origin of the virus. The risks of inadvertent disclosure and alteration of DMV records have been a frequent topic here over the years, but this is the first example I'm aware of involving a malware attack against such a huge and legally important government datasystem. The risks of disclosure and modification of these data are obvious, but completely shutting down a major branch of state government for a week also provides a good case study of the possibilities of information warfare/sabotage. http://www.denverpost.com/Stories/0,1413,36~53~2417722,00.html
[Source: Article by Neil Mackay, Investigations Editor, *Sunday Herald* (Scotland), 10 Oct 2004] The Royal Navy's new, state-of-the-art destroyer has been fitted with combat management software that can be hacked into, crashes easily and is vulnerable to viruses, according to one of the system's designers who was fired after raising his concerns. Gerald Wilson, who has 25 years' experience designing naval software, worked for Alenia Marconi Systems (AMS) in a joint venture with Bae Systems and the Italian company Finmeccanica on the combat system for the Type 45 destroyer, which will rely on Microsoft Windows 2000. System failure in action, he says, would leave the ship blind, defenceless, and as good as sunk. Dismissed after voicing his fears to the Ministry of Defence and the Defence Procurement Agency (DPA), Wilson wants to give evidence to the parliamentary defence select committee about the software. Last night he told Channel 4 news that "the use of Windows For Warships puts the ship and her crew at risk, and the defence of the realm". There are also plans to install a similar Microsoft Windows-based computerised command system on Britain's nuclear submarines. Wilson said: "It is inconceivable that we could allow the possible accidental release of nuclear missiles. The people who survived such an exchange, if any, would certainly regard such a thing as a crime against humanity. And I can't help feeling that even planning to deploy such systems on Windows, with its unreliability and lack of security, is itself some sort of crime in international law." Windows was chosen by AMS in order to cut costs, as the DPA has been encouraging a switch to off-the-shelf systems. Wilson says the Navy should stick to its current operating system, Unix, which is said to be more reliable. Designers can also customise Unix, which would allow unnecessary components to be removed to reduce risk. 
A navy spokesman said: "Bae Systems, as the prime contractor for the Type 45, is responsible for ensuring that the warship meets the requirements placed on it by the DPA. Using Microsoft Windows within combat management systems was the subject of an independent review commissioned some while ago by the DPA. "The review found a proper engineering approach had been taken, both from a security perspective, as the system middleware isolated Windows from the remainder of the mission-critical systems, and from a safety perspective. Comprehensive hardware mechanisms will be put in place where necessary to avoid any potential Windows-derived compromises. "We are satisfied that the solution recommended by the contractor will meet our requirements, as it has been subject to an independent review. This review was conducted by a team at the DPA who are independent of the Type 45 team."
A driver of a Renault car fitted with an automatic speed regulator got more than they expected when the regulator stuck on, giving him an hour-long drive at 125 MPH. The Renault uses an electronic card instead of a key, and the driver finally stopped the car by pulling the card out. He had been in touch with police, who had used motorway warning signs to clear the road for him to drive past safely - but at one point he had to use the emergency lane, normally only used for recovery of broken-down cars. http://www.theregister.co.uk/2004/10/07/satanic_renault/ I wonder if the driver had attempted to pull the card out earlier, and also wonder why Renault, the manufacturer, was allowed to "impound" the car for tests. I'd expect the police to be involved in any investigation. The Register article includes links to previous stories where machines have "misbehaved" - it's worth a read. Alistair McDonald, InRevo Ltd (http://www.inrevo.com) Author of the SpamAssassin book: http://www.spamassassinbook.com/ [Lindsay Marshall noted this case as well: http://www.iol.co.za/index.php?set_id=1&click_id=29&art_id=qw1096963740806B216 Also, recall "Runaway car from hell", a Pontiac Sunfire, in RISKS-23.33. PGN]
The risks of allowing a rushed ignition sequence to stall or significantly delay an emergency vehicle are certainly breathtaking. What I find interesting is that Toyota, which sells primarily in the free market rather than to government agencies, got this behavior pretty much correct. In the Toyota Prius, the computer controls the engine, the device that serves as the transmission, and of course the electric motor/generators and their associated power electronics. There is no starter motor, no reverse gear, and no cable between the accelerator pedal and the throttle; the computer monitors and controls everything. The owner's manual instructs you to turn the key to 'start,' wait for the 'OK' light in the instrument panel, then release the key. In the original Prius (up to 2004) the engine starts every time the ignition is activated in order to heat up the catalytic converter. I'm told the 2004 and later models will start in all-electric mode without the engine. The beauty of the Prius is that Toyota engineers know perfectly well that very few people read the owner's manual. So you can just flip the key to start and immediately let it go. The computers go through their tests, and then start the engine. There's no way to manipulate the key in a way that will cause a delay or stall or require a reboot.
Background, for non-Brits: Customs & Excise (C&E) is the government department responsible for collecting VAT (Value Added Tax), which is a European sales tax. Businesses report their VAT transactions quarterly to C&E, currently mostly on paper (a one page form, amazingly) - this is known as a VAT return. For some time, C&E has been encouraging electronic VAT returns (cunningly named eVAT), but until recently required the use of an X509 client certificate to submit. Presumably this has proved unpopular, since they are now permitting good old username/password to be used. But they seem to be a little confused... From the eVAT FAQ: http://new.hmce.gov.uk/channelsPortalWebApp/channelsPortalWebApp.portal?_nfpb=true&_pageLabel=pageOnlineServices_ShowContent&id=HMCE_PROD_008287&propertyType=document "Which is more secure — using a Digital Certificate or User ID & Password? Both methods are secure, but they work in different ways." From the Government Gateway Help pages: http://www.gateway.gov.uk/help/help_template_non_secure.asp?content=%3A%2F%2Fwww.ukonline.gov.uk%2FGateway%2FGatewayArticle%2Ffs%2Fen%3FCONTENT_ID%3D4013333%26chk%3DBQAvk3&languageid=0 "Certificates provide a higher level of security, which is required for certain services." Nothing like singing from the same songsheet, eh? Anyway, it gets better. Three types of certificate are permitted, SecureMark, SimplySign or Trust Services. Again from the eVAT FAQ: "* SecureMark and Chamber SimplySign certificates can be used with either Internet Explorer 5.01 or higher, or Netscape Navigator. 
* Trust Services' certificates work with Microsoft Internet Explorer 5.0 or later and Netscape v 4.6 or higher (but not v6 or 7). * certificates can be used with Internet Explorer 5.01 or higher or Netscape Navigator 4.08 or later (but not v6 or 7). " I dunno about you, but this is not exactly clear to me. Leaving that aside, let's look at the various CAs... SecureMark, on a page amusingly titled "Does your Netscape Browser meet the minimum requirements?" http://www.equifaxsecure.co.uk/digitalcertificates/Netscape_Response.html "The minimum system requirements are: Windows 95 or NT 4 (SP3) or higher Internet Explorer version 5.01 or above 128-bit cipher strength" I guess the answer will be "no", then! (My browser was Firefox, incidentally). SimplySign - seems they actually admit that "Netscape" might work. But... http://www.simplysign.co.uk/support/ierootdownload.html "To make sure that your browser works with Trustis certificates the 'Trustis FPS Root CA' certificate should be installed. There is no danger in doing this and no programs will be downloaded to your computer." No, of course, installing root CAs in your browser has no security implications whatever. And of course, you have to have the root CA to use a client cert. Not. As for Trust Services. Well, I can't find them through Google (at least, not the one they had in mind) but much meandering around FAQs eventually yielded a link - turns out it's BT and Verisign, but ... oops! "Note: Inland Revenue services have not yet been upgraded to allow the use of BT ID Certificates". So much for a simpler user experience. Oh yeah, another gem from the eVAT FAQ: "The Government Gateway and Digital Certificate authorities do not currently support the use of Digital Certificates on Apple Macintosh" Well, of course not, because everyone knows that Apple X.509 is completely different from Microsoft X.509. Duh. So, after all that, I totally understand why everyone thinks PKI is hard. 
I'm all for the username/password thing. It's free, too. http://www.apache-ssl.org/ben.html http://www.thebunker.net/
A Swedish power company (Fortum) had a technical failure, causing it to send electricity to a hundred households with too high voltage. Result: one fire destroying part of a house; other houses got their electrical heating destroyed. When the fire company and police arrived, lots of people met them on the street, since all the houses were more or less affected. [Source: Dagens Nyheter (largest Swedish morning paper), 6 Oct 2004] This incident actually happened in May, but not until five months later was it reported in the national newspapers. The power company refuses to pay for the damages, but the issue has not been settled in courts yet. Power companies in Sweden were ten years ago mostly owned by the government or the local government. But in the privatization fervour of the 1990s, most of them have been "privatized". The private companies optimize profit at the expense of reliability. — Jacob Palme <firstname.lastname@example.org> (Stockholm University and KTH) for more info see URL: http://www.dsv.su.se/jpalme/
Security at this past summer's Oshkosh AirVenture Fly-In was increased in response to what may have been a non-threat. USA Today reports that "...a suspicious Web posting was found referring to the city." The description of the posting reminds me a lot of what an anti-spam "honey pot" web page looks like: "Winnebago County Sheriff Michael Brooks said the Milwaukee office of the FBI contacted him early Sunday regarding the Web site, which mentioned Oshkosh and Sunday's date in the text but contained no actual threat. "Brooks said a California resident found the letter, which contained more than a full page of incoherent words, on a pharmaceutical Web site and notified the FBI. It also mentioned Auckland, New Zealand; Bangor, Maine and a couple other cities around the world, Brooks said. "'It was just a series of words that did not form a complete thought,' he said. 'It contained today's date along with several names of cities — one of which was Oshkosh — so it becomes important for us to have heightened awareness..." http://www.usatoday.com/tech/webguide/internetlife/2004-08-01-oshkosh-terror-warning_x.htm Bob Harbort, Prof. of CS/Softw.Eng., Southern Polytechnic State U., 1100 S. Marietta Pkwy. Marietta, GA 30060-2896 1-678.915.7405 email@example.com [I presume you heard about the Midwest Airline story of the flight from Milwaukee to SF that was aborted after takeoff because a passenger found a sheet of paper that looked like Arabic writing in the airline magazine. (It reportedly turned out to be a prayer-like message in Farsi.) PGN]
Officials say the problem has been fixed, but the error made thousands of confidential child-abuse and foster care files available to anyone on the Web. [Source: Article by Colleen Jenkins, *St. Petersburg Times*, 1 Oct 2004] A *Miami Herald* reporter alerted local child welfare authorities this week to a software glitch that made available thousands of confidential child-abuse and foster care records to anyone with Internet access. Those files contained detailed information about the 3,966 children under the watch of Kids Central, the private consortium that handles foster care and related services for at-risk children in the Department of Children and Families' District 13, which includes Citrus, Hernando, Marion, Lake and Sumter counties. Names of foster children, birth dates, Social Security numbers, photographs, case histories and even directions to children's foster homes were accessible with a password that had been published on Kids Central's Web site, the Herald reported. DCF officials, who monitor the competitively bid contract with Kids Central, immediately ordered that the site be shut down after the reporter informed them of the security breach Wednesday morning. ... http://www.sptimes.com/2004/10/01/Hernando/Glitch_opens_access_t.shtml
Do I need to say anything except that anyone who has been at USU in the past 8 years or more needs to be careful that their SSN is not misused? While it is reassuring to hear that it looks like no one has accessed the files in question, there is NO proof and can be no proof that this is the truth. Anyway, the following is from the campus newspaper. RSH Social security breach on USU campus Personal information leaked in USU database security breach By Hilary Ingoldsby, firstname.lastname@example.org *The Statesman*, 11 Oct 2004, Email Edition TheStatesman@collegepublisher.com http://www.utahstatesman.com/news/749251.html&mkey=1022600 The social security numbers of 16 Utah State University faculty and staff members were mistakenly made accessible on the Internet, leading to the discovery of thousands more, USU officials said. Over the weekend of Oct. 1 and 2, a faculty member looked up his name using the Google Internet search engine, John DeVilbiss, executive director of public relations and marketing, said. The search yielded results of a university site that contained his social security number, he said. The site also contained the personal information of 15 other faculty and staff. The faculty member first notified the police and then Webmaster Charles Thompson was contacted, DeVilbiss said. "He [Charles] went right in and took immediate action," DeVilbiss said. Thompson said he immediately pulled the information off the server and began doing other searches. He said he also contacted Google who said they will shut down the sites but it will take a few weeks to do so completely. Upon further investigation, 12 Excel spreadsheets were found on an open-access server. The spreadsheets contain more than 7,000 social security numbers of current and past faculty, staff and students, DeVilbiss said. An additional 11 files were also found containing sensitive information, Thompson said. 
After much testing and searching DeVilbiss said they haven't found anything to lead them to believe that the spreadsheets were ever accessed on the Internet. So far, nothing shows that the other 11 files were indexed by search engines. However, the files containing the personal information of the 16 USU faculty and staff were accessed, DeVilbiss said. [...]
Outsource firm sues in India: Alleged Code Theft Highlights Foreign Risk Karl Schoenberger, (San Jose) *Mercury News*, 26 Aug 2004 In a case that exposes the intellectual-property risks of outsourcing in India, a small San Carlos software company has sued Mumbai police for refusing to investigate the alleged theft of proprietary source code by an employee at its Indian subsidiary. Sandeep Jolly, the founder and chief executive of Jolly Technologies, said U.S. technology companies should beware of the risks of doing business in his native land at a time when many are taking advantage of the cost savings of offshoring and entrusting sensitive software development and testing work to Indian contractors. Protection of intellectual property is still a new concept for lawmakers, police and prosecutors, he said. ... http://www.siliconvalley.com/mld/siliconvalley/9500402.htm
Internet voting should not be considered secure until the electoral authorities are confident enough to give immunity from prosecution to anyone hacking the election, and to offer a substantial prize for anyone who can produce evidence that they have attacked it successfully.
I just got some spam from a biology company in Germany. The amusing thing is that it includes the now-popular (and legally meaningless) disclaimer:

> Important Note: This e-mail may contain trade secrets or privileged,
> undisclosed or otherwise confidential information. If you have received this
> e-mail in error, you are hereby notified that any review, copying or
> distribution of it is strictly prohibited. Please inform us immediately and
> destroy the original transmittal. Thank you for your cooperation.

So now spammers are sending us trade secrets and asking us to forget them?

Geoff Kuenning email@example.com http://www.cs.hmc.edu/~geoff/
There is a well-known buffer exploit for the X-Box game system. Basically it involves loading a savegame from an external storage device such as a USB key drive, the savegame overflows the font files used by the system, allowing the execution of arbitrary code and installation of an unauthorized program. (Generally programs on X-Box have to be digitally signed by Microsoft to run on the X-Box.) The exploit is used to allow the arbitrary code to replace an item in the Dashboard of the X-Box. And what is the "arbitrary code" and "unauthorized program"? The LINUX Operating System! Using the game MechAssault one can modify older U.S. X-Box systems to allow Linux to be installed using a buffer overflow attack upon the font files used by the X-Box, by installing a cracked savegame from a USB keydrive. This modification only changes the software, allows the X-Box to continue to be used to play X-Box game disks, does not require opening the box or replacing any chips, and is fully reversible. The method is detailed here: http://www.xbox-linux.org/Software_Method_HOWTO I note that in newer X-Boxen, Microsoft HAS fixed this bug. :) Isn't it interesting that when it is a problem for customers Microsoft can take months or be "unable" to fix exploits to their software, but when it's something that could cost them money (since someone can now purchase an inexpensive X-Box - which is sold by Microsoft as a loss-leader - and use the X-Box as a computer instead of a game console, which would mean a net loss to them) Microsoft is very quick to make fixes?
Interns at IBM's UK unit have developed a tool called Peridot that's designed to put an end to annoying broken links. It automatically maps and stores key features of Web pages so it can detect when the content changes. When deployed on a corporate intranet or Web site, it can then replace outdated links with the new ones. Currently, most of this work is done manually, which can result in work slowdowns or worse. Peridot's technical mentor Andrew Flagg says, "Internally, you have users who are trying to do their jobs and the intranet is there to facilitate that. If they can't get the information they cannot do their job properly. Externally, you have cases of companies that link to disreputable content which could seriously damage their reputation." Although there are similar tools that simply detect which links have been broken, Peridot's innovation is that it detects more substantial changes and has adjustable levels of autonomy, allowing staff to review changes before they're made or just allow the process to proceed on autopilot. The Peridot prototype has been tweaked so that it runs reliably over 100,000 pages, and intern James Bell predicts: "Peridot could lead to a world where there are no more broken links." The tool is named for the pale green gemstone which, according to legend, was used in ancient cultures to help people find something they had lost. [BBC News 24 Sep 2004; NewsScan Daily, 27 Sep 2004] http://news.bbc.co.uk/2/hi/technology/3666660.stm