Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Rodney Reed Caverly, a Bank of America computer specialist who had developed and maintained ATM (and other) software, has been charged with computer fraud. In 2009, he reportedly was able to get ATMs to dispense cash while bypassing the audit trail that would record his transactions. The maximum sentence would be five years in prison. [Source: Robert McMillan, *Computer World*, 7 Apr 2010; PGN-ed] http://www.computerworld.com/s/article/9174991/BofA_insider_to_plead_guilty_to_hacking_ATMs [Highly relevant to this item is a forthcoming book, *Insider Threats in Cyber Security and Beyond*, edited by Christian Probst, Jeffrey Hunker, Dieter Gollmann, and Matt Bishop, which has just gone to press at Springer Verlag. It includes a chapter I wrote that specifically considers the potential roles of insider misuse in computer-related election systems. A table at the end summarizes a few cases of insider misuse that have appeared in RISKS over the years. The burgeoning incidence of insider misuse cases should be an alarm for people who believe in the integrity of existing paperless (and essentially unauditable) computer-based systems.]
[Thanks to Ken Nitz. PGN] Safer swiping while voting and globetrotting: Tel Aviv University security expert finds security holes in America's passports and 'smart cards' http://www.eurekalert.org/multimedia/pub/21697.php?from=158414 Since 2007, every new U.S. passport has been outfitted with a computer chip. Embedded in the back cover of the passport, the "e-passport" contains biometric data, electronic fingerprints and pictures of the holder, and a wireless radio frequency identification (RFID) transmitter. Although the system was designed to operate at close range, hackers were able to access it from afar --- until research by Prof. Avishai Wool of Tel Aviv University's School of Electrical Engineering helped ensure that the computer chip in American e-passports could be read only when the passport is opened. The research has been cited by organizations including the Electronic Frontier Foundation. [Corrected affiliation in archives. PGN] Now, a new study from Prof. Wool finds serious security drawbacks in similar chips that are being embedded in credit, debit and "smart" cards. The vulnerabilities of this electronic approach — and the vulnerability of the private information contained in the chips — are becoming more acute. Using simple devices constructed from $20 disposable cameras and copper cooking-gas pipes, Prof. Wool and his students have demonstrated how easily the cards' radio frequency (RF) signals can be disrupted. The work will be presented at the IEEE RFID conference in Orlando, FL, this month. More than one way to hack a chip Prof. Wool's most recent research centers on the new "e-voting" technology being implemented in Israel. "We show how the Israeli government's new system based on the RFID chip is a very risky approach for security reasons. It allows hackers who are not much more than amateurs to break the system," Prof. Wool explains. "One way to catch hackers, criminals and terrorists is by thinking like one." http://www.eurekalert.org/multimedia/pub/21698.php?from=158414 In his lab, Prof. Wool constructed an attack mechanism ---- an RFID "zapper"-- from a disposable camera. Replacing the camera's bulb with an RFID antenna, he showed how the EMP (electro-magnetic pulse) signal produced by the camera could destroy the data on nearby RFID chips such as ballots, credit cards or passports. "In a voting system, this would be the equivalent of burning ballots — but without the fire and smoke," he says. Another attack involves jamming the radio frequencies that read the card. Though the card's transmissions are designed to be read by antennae no more than two feet distant, Prof. Wool and his students demonstrated how the transmissions can be jammed by a battery-powered transmitter 20 yards away. This means that an attacker can disable an entire voting station from across the street. Similarly, a terror group could "jam" passport systems at U.S. border controls relatively easily, he suggests. The most insidious type of attack is the "relay attack." In this scenario, the voting station assumes it is communicating with an RFID ballot near it -- but it's easy for a hacker or terrorist to make equipment that can trick it. Such an attack can be used to transfer votes from party to party and nullify votes to undesired parties, Prof. Wool demonstrates. A relay attack may also be used to allow a terrorist to cross a border using someone else's e-passport. How to make "smart cards" smarter "All the new technologies we have now seem really cool. But when anything like this first comes onto the market, it will be fraught with security holes," Prof. Wool warns. "In America the Federal government poured a lot of money into e-voting, only to discover later that the deployed systems were vulnerable. Over the last few years we've seen a trend back towards systems with paper trails as a result." But there are some small steps that can be taken to make smart cards smarter, says Prof. Wool. The easiest one is to shield the card with something as simple as aluminium foil to insulate the e-transmission. In the case of e-voting, a ballot box could be made of conductive materials. The State Department has already taken Prof. Wool's advice: since 2007, they've also added conductive fibres to the back of every American passport.
Problems with computer software were most frequently cited as a cause for the errors, according to letter sent Thursday by Dr. Jeffrey Shuren, director of the agency's Center for Devices and Radiological Health. He said that the agency's analysis “revealed device problems that appear to be the result of faulty design or use error that could be mitigated by the incorporation of additional safeguards.” [Source: Walt Bogdanich, *The New York Times*, 9 Apr 2019; PGN-ed TNX to dkross] http://www.nytimes.com/2010/04/09/health/policy/09radiation.html
"The Conservatives and the Liberal Democrats have attacked the Labour Party for sending "alarmist" literature to cancer patients, and called for an inquiry into whether NHS databases had been used to identify recipients. The row erupted after Labour sent cancer patients mailshots saying that their lives may be at risk under a Conservative government." [Source: Article by Chris Hastings, Maurice Chittenden and Nyta Mann, (London) *Times Online*, 11 Apr 2010; Noted by Ross Anderson] http://www.timesonline.co.uk/tol/life_and_style/health/article7094604.ece#cid=OTC-RSS&attr=797084
"Leave it to big organizations to allow something this massive to occur un-noticed. It's why we have the stupid PCI standards we have today that do nothing but take the time out of businesses that always played by the security rules while the big guys were careless. There's a lot of blame and fingerpointing from who-ever wrote this but all the blame and fingerpointing should be pointing right at Apache. This attack had nothing to do with Linux, Slicehost, or whatever else is thrown in to tell a story. Who doesn't block brute force attacks in 2010? Who doesn't use real password encryption? Its mindblowing, but im not surprised the big guys always make a muck of things and then the little guys are stuck dealing with the aftermath." https://blogs.apache.org/infra/entry/apache_org_04_09_2010#comments
[Source: Robert McMillan, IDG News Service, 8 Apr 2010; Noted by Jeremy Epstein, with the comment, `BGPsec value demonstrated again'. PGN-ed] http://www.networkworld.com/news/2010/040810-a-chinese-isp-momentarily-hijacks.html For the second time in two weeks, bad networking information spreading from China disrupted the Internet (for about 20 minutes). On 8 Apr 2010, bad routing data from a small Chinese ISP called IDC China Telecommunication was re-transmitted by China's state-owned China Telecommunications, and then spread around the Internet, affecting Internet service providers such as AT&T, Level3, Deutsche Telekom, Qwest Communications and Telefonica. During that time IDC China Telecommunication transmitted bad routing information for between 32,000 and 37,000 networks, redirecting them to IDC China Telecommunication instead of their rightful owners. These networks included about 8,000 U.S. networks including those operated by Dell, CNN, Starbucks and Apple. More than 8,500 Chinese networks, 1,100 in Australia and 230 owned by France Telecom were also affected. [...]
In Fairfax County Virginia, a 9-year-old boy was caught accessing the Blackboard account of Dr. Jack Dale, superintendent of schools. Initial reports were that he "hacked" the system, but the real answer came out: (1) He got a teacher's password - perhaps it was on a yellow sticky, but that's not been described. (2) He logged in as the teacher. (3) The security policy allowed him to add a "student" to the class - in this case, Superintendent Jack Dale. (4) The security policy allows him to change the password of any student in the class - again, Jack Dale. (5) He logged in as Jack Dale. Each of these policies makes sense individually, but when put together, the result was.... surprising! http://www.washingtonpost.com/wp-dyn/content/article/2010/04/14/AR2010041404159.html (Original article says the student "hacked" the system and got administrator privileges) http://www.washingtonpost.com/wp-dyn/content/article/2010/04/15/AR2010041505517.html (Says that there was no hacking, and outlines the above sequence of steps)
An Israeli soldier is being accused of leaking 2000 classified documents to a reporter. That in itself isn't relevant to RISKS (nor is the contents of the classified documents), but *how* she got the documents out is relevant -- several "minor" policy violations that combined allowed a major leak. First, on orders from her commanding general, she moved documents from a classified system which did not allow printing to an unclassified system so she could print the documents at the general's request. Second, the IT department, at her request, disabled the controls that prevented access to external media, thus allowing her to write to removable media (I assume a CD-ROM or similar). Third, the system designed to detect improper actions (e.g., leaks) was not yet enabled. Risks? In a system with multiple layers of control, we can get complacent about individual controls operating correctly, and the controls fail. http://www.haaretz.com/hasen/spages/1161826.html
> In one of his more famous demonstrations, Laurie in 2008 created a passport > for Elvis Presley, and scanned the document at an automated passport scanner > in an airport in Amsterdam. ... Actually, the Elvis stunt was performed by Jeroen van Beek, although we do regularly work on such things together... http://www.dexlab.nl/epassports.html We later performed an even more fun trick at the same Amsterdam location, in which he presented an off-the-shelf USB RFID reader to the passport verification system, and it relayed a passport I was holding to a similar reader in the UK, using a mobile phone data link. In other words, the Amsterdam system believed it had been presented with a passport that was not even in the country at the time. This technique also defeats all the new security measures such as active authentication etc., as it is using a genuine passport, albeit it one that is somewhere else at the time... Adam Laurie, Suite 117, 61 Victoria Road, Surbiton, Surrey KT6 4JX http://rfidiot.org +44 (0) 20 7993 2690
EU project may monitor airline passengers' conversations http://bit.ly/biUxXQ (The MoveChannel.com) Whatever you do, don't tell your seatmate that the in-flight movie is a "bomb!" Lauren Weinstein
*The Washington Post* is reporting that a team of Bulgarian programmers developed a system that buys tickets from Ticketmaster as soon as they go on sale, allowing their US-based partners to then resell the tickets at higher prices. The group, which calls themselves Wiseguys, has software that can handle the CAPTCHAs, avoids maxing out credit cards, and makes deliberate "mistakes" in typing to avoid getting caught by the Ticketmaster system. Is this illegal or just clever programming? They're not being charged with scalping the tickets (which isn't a federal crime, but is in many states and localities)., but with conspiracy, wire fraud and computer crimes ("fraudulent misrepresentation and computer hacking" according to the indictment). There's no claim that they did what is currently known as "hacking" (i.e., breaking into computer systems), but actually is more akin to what was once known as hacking, namely coming up with clever solutions to a problem (in this case, purchasing tickets online). Initially, I thought this was a clear risk that having online systems for selling tickets makes it easier for scalpers to corner the market than in the old days where the systems were closed and you had to purchase on the telephone or in person at a ticket office. But as I thought more about it, I realized that having Hannah Montana (*) tickets priced through the stratosphere is a major advantage for those of us with pre-teenage daughters - it's easy to tell them that $500 is too much for a ticket, but harder to make the argument at $50. http://www.washingtonpost.com/wp-dyn/content/article/2010/04/08/AR2010040805594.html?hpid=moreheadlines Indictment at http://www.washingtonpost.com/wp-srv/metro/documents/wiseguys022310.pdf (*) Hannah Montana is a so-called entertainer who appeals exclusively to pre-teenage girls.
Various areas around Los Angeles have had an increasing number of water pipes breaking. Some folk are suggesting that... the water restrictions in the area (no lawn watering, etc.) are leading to higher pipe pressures, causing more and more failures. A blue-ribbon panel of scientists said Tuesday that the high-volume water main breaks that bedeviled Los Angeles last summer and fall were caused in part by the city's restrictions on lawn watering, and their findings could force the city to remake its strict water conservation policy. The city last June limited the use of lawn sprinklers to Mondays and Thursdays, and those restrictions have proved highly successful. Officials said Tuesday that in February, Los Angeles had its lowest recorded water use in 31 years. But the water conservation policy was too much for the city's aging network of cast-iron iron pipes, causing fluctuations in water pressure that strained them to the bursting point... [Source: LA Times, 14 Apr 2010] http://www.latimes.com/news/local/la-me-water-mains14-2010apr14,0,7323987.story The story as reported is short on many of the details that I'd have liked to see, such as a 24-hour time line of the pipe breaks (water use is lower at night, pressure goes up). [Although this is not particularly RISKS-related, it is illustrative of policy decisions that have implementation implications. PGN]
Those are called hash busters or, occasionally, word salad, and they've been a well known spammer trick since about 2002. Hash busters have been around so long that it's more amazing that your package can't deal with them. SpamAssassin has had ways to keep hash busters out of the bayesian filters at least since version 3.0 in 2004. Modern spam filters deal with them so well that spammers rarely bother with them any more. There must be a bad pun lurking here along the lines of reinventing the salad spinner.
> Responding to John Levine: > Those are called hash busters or, occasionally, word salad, and > they've been a well known spammer trick since about 2002. That may be, but as far as I can tell, there is something different about their newest incarnation that makes them orders of magnitude (and yes, I know what "order of magnitude" means and mean it literally) more effective than anything that has come before. One of the things I've always loved about Bayesian filters like bogofilter is their simplicity and elegance, their "purity," if you will. Filters like SpamAssassin apply a large number of rules to incoming email messages. Each rule is of the form, "Based on this rule, how likely is it that this message is spam?" The scores from all the rules are added together, and if the result exceeds a preset threshold, the message is considered spam. That's a perfectly fine way of doing things, but the weights and scores tend to be quite arbitrary, and users and developers can end up spending a lot of time tweaking the various rules and their weights to arrive at an effective configuration. In contrast, a Bayesian filter like bogofilter has just one rule — a mathematical formula based on the tokens in each message and the frequency with which those tokens have appeared in spam and "ham" messages in the past. I am charmed by that simplicity and straightforwardness, as well as by the fact that a Bayesian filter has been able to achieve >98% accuracy for me for most of the time I've been using it. Having said that, to successfully combat the most recent iteration of spam, I've had to compromise my principles a bit and apply a couple of rules to my incoming email for the first time by using a preprocessor called "spamitarium" written by Tom Anderson. You can read more about it at <http://stuff.mit.edu/~jik/software/bogofilter-milter/#spamitarium <http://stuff.mit.edu/%7Ejik/software/bogofilter-milter/#spamitarium>>. That page also documents the rest of my antispam configuration, for those who are curious.
The real issue here is that most satnav systems default to "shortest route", which is almost *never* what the user actually wants. I recently bought a car with a built-in satnav system which not only defaults to "shortest route" but, adding insult to injury, reverts to the default setting when you enter a new destination... On a related note: in Norway, you can deduct your daily commute from your taxable income, at a fixed rate per kilometer, if it exceeds a certain threshold. In addition, under certain conditions, medically justified travel expenses are refundable. However, these deductions or refunds are not based on the route you actually travel, but on the shortest route reported by a specific (gov't-run) online map service. I know of at least one case (a specific specialized hospital outside Oslo) where the gov't-approved shortest route involves a highway off-ramp that no longer exists and a forest path.
I'm currently leading a study by the UK Royal Academy of information into GPS (and more generally GNSS) usage and vulnerabilities. It's clear that the current GPS signal is easy to jam (and that it is jammed quite often for criminal and counter-criminal purposes), so one might predict that this would become more frequent as the incentives increase. I understand that GPS is used for road tolls in the Netherlands and in Germany (for lorries). If this is true, is there any evidence that it has led to jamming? If it has, what consequences have there been? Thanks for any help, on or off list. [PREFERABLE OFF LIST, hoping that Martyn will summarize the interesting responses — if relevant. PGN] Martyn Thomas CBE FREng <email@example.com>
With the assistance of Jonathan Kamens, he and I went through the steps and urls. It appears that somehow, I wound up on a sleazy third party site, looking like USPS, offering CofA services. I don't think I did it. We can't see any advertising that I could have misclicked on. There's nothing in the history that gives me a clue. I didn't have a key logger active and perhaps my memory is not as good as it I think it is. Argh! So for the time being, I'll retract my critique with apologies to all. I'm still interested in if the CofA goes thru. Thanks to my new acquaintance Jonathan Kamens, I've learned to be EVEN more skeptical and wary than I have been.
[Excerpted from Bruce's CRYPTO-GRAM, 15 Apr 2010. PGN] I have a new book, sort of. Cryptography Engineering is really the second edition of Practical Cryptography. Niels Ferguson and I wrote Practical Cryptography in 2003. Tadayoshi Kohno did most of the update work — and added exercises to make it more suitable as a textbook — and is the third author on Cryptography Engineering. (I didn't like it that Wiley changed the title; I think it's too close to Ross Anderson's excellent Security Engineering.) Cryptography Engineering is a techie book; it's for practitioners who are implementing cryptography or for people who want to learn more about the nitty-gritty of how cryptography works and what the implementation pitfalls are. If you've already bought Practical Cryptography, there's no need to upgrade unless you're actually using it. Here's what's new: We revised the introductory materials in Chapter 1 to help readers better understand the broader context for computer security, with some explicit exercises to help readers develop a security mindset. We updated the discussion of AES in Chapter 3; rather than speculating on algebraic attacks, we now talk about the recent successful (theoretical, not practical) attacks against AES. Chapter 4 used to recommended using nonce-based encryption schemes. We now find these schemes problematic, and instead recommend randomized encryption schemes, like CBC mode. We updated the discussion of hash functions in Chapter 5; we discuss new results against MD5 and SHA1, and allude to the new SHA3 candidates (but say it's too early to start using the SHA3 candidates). In Chapter 6, we no longer talk about UMAC, and instead talk about CMAC and GMAC. We revised Chapters 8 and 15 to talk about some recent implementation issue to be aware of. For example, we now talk about the cold boot attacks and challenges for generating randomness in VMs. In Chapter 19, we discuss online certificate verification. Signed copies are available. See the bottom of the book's webpage for details. http://www.schneier.com/book-ce.html
Please report problems with the web pages to the maintainer