[risks] Risks Digest 21.35

From: RISKS List Owner (riskoat_private)
Date: Mon Apr 23 2001 - 12:26:45 PDT

    RISKS-LIST: Risks-Forum Digest  Monday 23 April 2001  Volume 21 : Issue 35
    
       FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
       ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
    
    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <URL:http://catless.ncl.ac.uk/Risks/21.35.html>
    and by anonymous ftp at ftp.sri.com, cd risks .
    
      Contents:
    Reliance on Automation "Top Risk" (Peter B. Ladkin)
    Kew Public Records Office data input problem (Pete Mellor)
    Never rely entirely on technology... (Peter Houppermans)
    You've Got Mail ... From The Admissions Office! (David Tarabar)
    Server 54, Where Are You? (Jack Burke)
    Hi-tech toilet swallows woman (Gareth Randell)
    Denial of Tax Service (Rebecca Mercuri)
    E-mail address ID theft (A.E. Brain)
    Sabotaged phone lines + stolen credit cards = safety in theft (Simon Carter)
    Security flaw found in Alcatel's high-speed modems (Monty Solomon)
    Alcatel admits more than they meant to (Mike Bristow)
    Web-enabled air conditioners (Alpha Lau)
    Risks of sorting time alphabetically (Marcos H. Woehrmann)
    Using Palm VII's to give traffic tickets (Ian Jordan)
    More on UCITA (Warren Pearce)
    Re: Aasta Train Crash (Magne Mandt, Merlyn Kline)
    Re: Risks of Hidden highway robbery ... (Will Fletcher)
    Viewers lament incredible shrinking Ultimate TV (Monty Solomon)
    Do prescription records stay private when pharmacy stores are sold?
      (Monty Solomon)
    New flashlight sees through doors as well as windows (Monty Solomon)
    Windows patchwork (Jay Levitt)
    REVIEW: "Securing Windows NT/2000 Servers for the Internet", Norberg
      (Rob Slade)
    Abridged info on RISKS (comp.risks)
    
    ----------------------------------------------------------------------
    
    Date: Tue, 17 Apr 2001 11:52:59 +0200
    From: "Peter B. Ladkin" <ladkinat_private-bielefeld.de>
    Subject: Reliance on Automation "Top Risk"
    
    David Learmount, reporting from the Flight Safety Foundation's European
    Aviation Safety Seminar, held in March in Amsterdam, says in *Flight
    International* (20-26 Mar, 2001, p17) that the European Joint Aviation
    Authorities' Future Aviation Safety Team has identified "crew reliance on
    cockpit automation" as the top potential safety risk in future aircraft.
    
    PBL
    
    ------------------------------
    
    Date: Mon, 9 Apr 2001 11:50:40 +0100 (BST)
    From: Pete Mellor <pmat_private>
    Subject: Kew Public Records Office data input problem
    
    From Private Eye 6-19th April 2001, p6:
    
      Managers at the Public Records Office in Kew have devised a clever
      money-saving idea: they are using prisoners in British jails to input on
      to computer the information from the 1901 census.  The prisoners' work has
      been checked, however, and they have been found to be rewriting history.
      All references to prison wardens in 1901 have been changed to "bastards".
      Officials are now using cheap labour in India to correct the errors.
    
    Peter Mellor, Centre for Software Reliability, City University, 
    London EC1V 0HB  +44 (0)20 7477 8422  Pete Mellor <p.mellorat_private> 
    
      [And of course no one in India still remembers the British.  PGN]
    
    ------------------------------
    
    Date: Wed, 18 Apr 2001 15:36:29 +0100
    From: Peter Houppermans <Peter.Houppermansat_private>
    Subject: Never rely entirely on technology...
    
    The RISK here is that there appeared to be no inside escape override for the
    door: taking protection against vandalism to new heights.  
      http://www.theregister.co.uk/content/28/18312.html
    
    Interesting related fact: in the UK, all lift escape hatches are welded shut
    (i.e., don't exist anymore in a usable fashion); I vaguely remember that
    this was to prevent kids in estate buildings getting themselves in danger in
    the elevator shaft (which happened frequently).  The fact that this thus
    prevents any escape in case of emergency appears to have made insufficient
    impact on the decision.
    
    Peter Houppermans <peter.houppermansat_private>
    
    ------------------------------
    
    Date: Mon, 9 Apr 2001 16:08:03 -0400
    From: David Tarabar <dtarabarat_private>
    Subject: You've Got Mail ... From The Admissions Office!
    
    For college-bound seniors, it is a ritual of spring to eagerly await the
    daily mail delivery - looking for a thick or thin envelope which will notify
    them of college acceptance or rejection.
    
    But for the 94% of applicants to Tufts University, who provided an address,
    notification of acceptance AND rejection came via an e-mail this year. Tufts
    follows up with a physical mailing - and thus will reject people twice!
    [Boston Globe. 06-APR-2001. "For some, bad news traveling faster"]
    
    Tufts started email notifications several years ago to students in foreign
    countries. Two years ago it started e-mail notifications to applicants on
    the West Coast. (Tufts is in Medford, MA) This year it is almost everyone.
    
    The story notes that several colleges have password-protected web sites
    where an applicant can look up their admissions status.
    
    Risks
    
    1) This seems impersonal for those who are accepted. It would be interesting
    to find out if this type of notification changed the percentage who choose
    to enroll at Tufts.
    
    And it is adding insult to injury to reject an applicant twice.  Tufts
    must get some very interesting e-mail replies.
    
    2) Not all high school seniors have private e-mail accounts; they are often
    shared with family members or friends. Thus the wrong person might get the
    message.
    
    3) Could these e-mails be mistaken for spam? I must get a half dozen offers
    of University Diplomas each week.
    
    4) Hacking! I shudder to think what could happen if there was a dedicated
    hacking attack that sent out forged admission e-mails.
    
    ------------------------------
    
    Date: Sat, 14 Apr 2001 08:45:43 -0400
    From: Jack Burke <jfb3at_private>
    Subject: Server 54, Where Are You?
    
    My mind boggles.
    
      The University of North Carolina has finally found a network server that,
      although missing for four years, hasn't missed a packet in all that
      time. Try as they might, university administrators couldn't find the
      server.  Working with Novell Inc., IT workers tracked it down by
      meticulously following cable until they literally ran into a wall. The
      server had been mistakenly sealed behind drywall by maintenance workers.
      Source: TechWeb News, 04/09/01: 
        http://www.techweb.com/wire/story/TWB20010409S0012
    
    This sounds like a novel way -- pun intended -- to physically secure a
    server.  I suppose if you absolutely can't do without a floppy drive, etc.,
    per the Orange book, this might be an acceptable alternative to help meet C2
    specifications.
    
      [Except that electronically, it is C-Through rather than C-2.
         Also noted by Mike Hogsett.  PGN]
    
    ------------------------------
    
    Date: Tue, 17 Apr 2001 16:45:30 +0100
    From: Gareth Randell
    Subject: Hi-tech toilet swallows woman
    
      [Source: Article by Lester Haines, 17 Apr 2001, via Brian Randell 
      http://www.theregister.co.uk/content/28/18312.html]
    
    A 51-year-old woman was subjected to a harrowing two-hour ordeal [on 16 Apr
    2001] when she was imprisoned in a hi-tech public convenience.  Maureen
    Shotton, from Whitley Bay, was captured by the maverick cyberloo during a
    shopping trip to Newcastle-upon-Tyne. The toilet, which boasts
    state-of-the-art electronic auto-flush and door sensors, steadfastly refused
    to release Maureen, and further resisted attempts by passers-by to force the
    door.  Maureen was finally liberated when the fire brigade ripped the roof
    off the cantankerous crapper.  Maureen's terrifying experience confirms that
    it is a short step from belligerent bogs to Terminator-style cyborgs hunting
    down and exterminating mankind.
    
    ------------------------------
    
    Date: Wed, 18 Apr 2001 14:54:12 -0400 (EDT)
    From: Rebecca Mercuri <mercuriat_private>
    Subject: Denial of Tax Service
    
    KYW News Radio in Philadelphia reported on 17 Apr 2001 that there had been a
    problem when tax procrastinators attempted to file their Pennsylvania State
    returns just before the midnight Monday deadline.  Apparently in the last
    few hours, users received an error message from the filing Web site, and
    they were unable to complete their transaction.  Because of this, the state
    decided to give ALL late filers an extension through 18 Apr.  Officials were
    quoted as saying that "a glitch on the Web server" was the cause of the
    problem (whatever that means).  This brings to mind the possibility of
    denial-of-service attacks on the infrastructure being a way to avoid 
    paying taxes (short term, anyway).
    
    Rebecca Mercuri
    
      [Life, death, and taxes are not the only sure things.  But perhaps
      *electronic* files could provide a new way to get out of jail.  PGN]
    
    ------------------------------
    
    Date: Mon, 9 Apr 101 11:05:41 GMT
    From: aebrainat_private
    Subject: E-mail address ID theft
    
    RISK: The simplest ID theft is that of an e-mail address.
    
    I use e-mail quite a lot for business purposes, and also make regular
    contributions to a lot of newsgroups.  I've been on the net for a decade, so
    am on a zillion and one "40 million e-mail addresses for just $5" lists -
    thank god for filters.
    
    But on Sunday some insufferable person or organisation forged my e-mail
    address as the sender of some X-rated Spam. This has caused me lost
    business, a little personal embarrassment, and a mailbox rapidly filling up
    with bounces from nonexistent addresses. I'm expecting DOS counter-attacks
    from clueless newbies.
    
    There's not a lot that can be done to stop someone from doing this.
    
    But the risk is that I might not be able to do anything about it in the way
    of compensation. NeoTrace has given me plenty of clues to the perpetrators,
    but only by tracing the site that was advertised in the email. Proving it is
    another matter, and they may have no assets anyway.
    
    A.E.Brain <aebrainat_private>
    
    ------------------------------
    
    Date: Sun, 15 Apr 2001 16:41:32 +0000
    From: Simon Carter <smjcat_private>
    Subject: Sabotaged phone lines + stolen credit cards = safety in theft
    
    Sabotaged phone lines and stolen credit cards allowed thieves to safely
    rob a Sydney shopping centre.
    
    "The thieves first sabotaged the telecommunication network in late
    February. They entered the pits via street-level manholes and severed
    all the lines leading to shopping centre businesses. With all on-line
    transaction systems down, shopkeepers processed transactions manually
    and the thieves used stolen credit cards to buy goods and withdraw cash.
    Bills are still coming in from the spree."
    
    Full story at http://www.smh.com.au/news/0104/15/text/national12.html
    
    Simon Carter
    
    ------------------------------
    
    Date: Wed, 11 Apr 2001 17:06:38 -0400
    From: Monty Solomon <montyat_private>
    Subject: Security flaw found in Alcatel's high-speed modems
    
    Security flaw found in Alcatel's high-speed modems, By Tim Nott
    
    It's a security flaw. No, it's a spy. No, it doesn't exist at all.  Tsutomu
    Shimomura, better known for his contribution to, and book about, the arrest
    of hacker Kevin Mitnick claims to have found a "trapdoor" in Alcatel ADSL
    modems. On Monday evening, Liberation reported, Shimomura and San Diego
    Supercomputer Centre colleague Thomas Perrine reported their findings to the
    Computer Emergency Response Team. The point, continued Liberation, is
    simple. Anyone can penetrate a computer system linked to the Internet by
    Alcatel 1000 ADSL and Speed Touch Home modems.
    
    http://www.thestandardeurope.com/article/display/0,1151,16251,00.html 
    
    ------------------------------
    
    Date: Tue, 17 Apr 2001 16:47:45 +0100
    From: Mike Bristow <mikeat_private>
    Subject: Alcatel admits more than they meant to
    
    Recently, Alcatel <URL:http://www.alcatel.com> has come under fire
    for security problems with some of its products (see [broken URL]
    <http://www.securityfocus.com/frames/?content=/templates/archive.pike
    %3Ffromthread%3D0%26threads%3D0%26list%3D1%26end%3D2001-04-14
    %26mid%3D175229%26start%3D2001-04-08%26>
    for details)
    
    As a result, Alcatel has released a statement, as a Microsoft Word document,
    which they placed on their Web site.
    
    According to <URL:http://morons.org/articles/1/188>, it had all the
    document history present (I cannot confirm this, as they appear to have 
    corrected the mistake), in which we see such gems as:
    
    > (When and where will the firewall software be available? CERT has
    > said that they don't believe that installing a firewall is the
    > answer.  What are you doing to provide a legitimate fix?)
    
    The RISKS?  Well, apart from looking like idiots, and revealing early drafts
    of statements that are "off message", and potentially drawing attention to
    errors of omission that you are conveniently brushing under the carpet...
    
    Mike Bristow, seebitwopie  
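    The item above is about draft history surviving inside a published Word
    file. The following is an added example, not part of the post and not
    Alcatel's document: a publication-time check written in Python that opens a
    .docx (the OOXML zip container, a generalization from the 2001 binary .doc
    the post refers to), and reports tracked insertions and deletions, comment
    anchors and comment text, and authorship metadata that would leak if the
    file were posted as-is. The sample document is constructed in memory by
    build_sample_docx(); its wording and author names are invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"


def _w(tag: str) -> str:
    """Clark-notation name for a WordprocessingML element or attribute."""
    return f"{{{W_NS}}}{tag}"


def scan_docx(data: bytes) -> Dict[str, List[str]]:
    """Return {category: [details]} for tracked changes, comments and authorship
    metadata left inside a .docx given as bytes. An empty dict means nothing found."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "word/document.xml" in names:
            body = ET.fromstring(z.read("word/document.xml"))
            # Tracked insertions keep their text in w:t, tracked deletions in
            # w:delText; itertext() collects both, so deleted wording is recovered verbatim.
            for el in body.iter(_w("ins")):
                findings.setdefault("tracked insertion", []).append("".join(el.itertext()).strip())
            for el in body.iter(_w("del")):
                findings.setdefault("tracked deletion", []).append("".join(el.itertext()).strip())
            for el in body.iter(_w("commentReference")):
                findings.setdefault("comment anchor", []).append(f"id={el.get(_w('id'))}")
        if "word/comments.xml" in names:
            for c in ET.fromstring(z.read("word/comments.xml")).iter(_w("comment")):
                author = c.get(_w("author"), "?")
                findings.setdefault("comment text", []).append(
                    f"{author}: " + "".join(c.itertext()).strip())
        if "docProps/core.xml" in names:
            props = ET.fromstring(z.read("docProps/core.xml"))
            for tag in (f"{{{DC_NS}}}creator", f"{{{CP_NS}}}lastModifiedBy", f"{{{CP_NS}}}revision"):
                el = props.find(tag)
                if el is not None and el.text:
                    name = tag.rsplit("}", 1)[1]
                    findings.setdefault("metadata", []).append(f"{name}={el.text}")
    return findings


def is_publishable(data: bytes) -> bool:
    """True only when the scan finds no revision marks, comments or authorship metadata."""
    return not scan_docx(data)


def build_sample_docx(with_residue: bool = True) -> bytes:
    """Constructed minimal .docx (invented content, not a real vendor statement):
    one paragraph that, when with_residue is set, still carries a tracked deletion,
    a tracked insertion, a reviewer comment and authorship metadata."""
    residue = ""
    if with_residue:
        residue = (
            '<w:del w:id="1" w:author="reviewer"><w:r><w:delText>'
            'Draft wording we decided not to say.</w:delText></w:r></w:del>'
            '<w:ins w:id="2" w:author="reviewer"><w:r><w:t>Final wording.</w:t></w:r></w:ins>'
            '<w:commentRangeStart w:id="0"/><w:commentRangeEnd w:id="0"/>'
            '<w:r><w:commentReference w:id="0"/></w:r>'
        )
    document_xml = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        f'<w:r><w:t xml:space="preserve">Public statement. </w:t></w:r>{residue}'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        if with_residue:
            z.writestr("word/comments.xml",
                       f'<w:comments xmlns:w="{W_NS}"><w:comment w:id="0" w:author="reviewer">'
                       '<w:p><w:r><w:t>Needs legal sign-off before release.</w:t></w:r></w:p>'
                       '</w:comment></w:comments>')
            z.writestr("docProps/core.xml",
                       f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
                       '<dc:creator>drafting-author</dc:creator>'
                       '<cp:lastModifiedBy>press-office</cp:lastModifiedBy>'
                       '<cp:revision>7</cp:revision></cp:coreProperties>')
    return buf.getvalue()


if __name__ == "__main__":
    for category, items in scan_docx(build_sample_docx()).items():
        print(f"{category}: {items}")
    print("publishable:", is_publishable(build_sample_docx(with_residue=False)))
```

    The check is deliberately conservative: any surviving w:ins, w:del or
    comment element fails the document, because the text inside those elements
    is exactly the kind of "off message" draft the post describes. Real files
    from a word processor also carry [Content_Types].xml and relationship
    parts, which the scanner does not need and the constructed sample omits.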
    
    ------------------------------
    
    Date: Mon, 9 Apr 2001 10:38:34 -0700 (PDT)
    From: Alpha Lau <avlxyzat_private>
    Subject: Web-enabled air conditioners
    
    Not bad! :)  Imagine the malicious freezer viruses!
    
    IBM and Carrier, an air-conditioning manufacturer, said they plan to offer
    Web-enabled air conditioners in Europe this summer that can be controlled
    wirelessly. Financial terms of the collaboration were not disclosed.  Owners
    of the newfangled air conditioners will be able to set temperatures or
    switch the units on or off wirelessly using a website called
    Myappliance.com.  http://www.wired.com/news/business/0,1367,42918,00.html
    
      From their press release (http://myappliance.com/myapp/press.htm): Unit
      performance and maintenance information over time can be gathered and
      recorded.  ...  In the opposite direction it is envisaged that Carrier
      dealers or engineers will be given 'service access' to check the system
      without the need for a PC connection.
    
    In the extreme case, someone with the correct hardware could check the
    aircond logs to see the typical times the aircond is off, i.e., when no one
    is home!
    
    Alpha
    
    ------------------------------
    
    Date: Tue, 10 Apr 2001 14:56:38 -0400 (EDT)
    From: <marcosat_private>
    Subject: Risks of sorting time alphabetically
    
    I found a sorting error on Northwest Airlines web site (nwa.com)
    that I had not seen before, but am surprised is not more common.
    
    If you ask for a list of flights between two cities it returns the
    results sorted by departure time of the outbound flight.  For
    example, from San Francisco (SFO) to Minneapolis (MSP) (return
    flight and other non-relevant data discarded):
    
      Departs   Arrives   Flight Number
       6:25am   12:04pm   NW928
       7:50am    1:28pm   NW344
      10:15am    3:47pm   NW350
      11:30am    5:16pm   NW588
      12:40am    6:09am   NW360
       3:25pm    9:01pm   NW354
       5:00pm   10:31pm   NW358
    
    The risk?  Assuming that because 11:30am is later than 10:15 am it
    follows that 12:40am is later than 11:30am.
    
    Another good reason to drop AM/PM in favor of a 24 hour clock
    (particularly if you call midnight 0.00 and not 24.00).
    
    Marcos H. Woehrmann  |  marcosat_private  |  http://members.home.com/marcos
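    The listing above, worked through in Python as an added example (not part
    of the post): sort_naive() uses a key that reproduces the order the site
    printed, which I assume is "am before pm, then the printed hour and minute
    as numbers"; sort_chronological() converts each time to minutes past
    midnight first, which is where the 12 o'clock hour has to be handled. The
    flight table is transcribed from the post as sample input.

```python
import re
from typing import List, Tuple

# The listing quoted in the post (departure, arrival, flight number).
FLIGHTS: List[Tuple[str, str, str]] = [
    ("6:25am", "12:04pm", "NW928"),
    ("7:50am", "1:28pm", "NW344"),
    ("10:15am", "3:47pm", "NW350"),
    ("11:30am", "5:16pm", "NW588"),
    ("12:40am", "6:09am", "NW360"),
    ("3:25pm", "9:01pm", "NW354"),
    ("5:00pm", "10:31pm", "NW358"),
]

_TIME_RE = re.compile(r"^\s*(1[0-2]|0?[1-9]):([0-5][0-9])\s*([ap]m)\s*$", re.IGNORECASE)


def parse_12h(t: str) -> Tuple[int, int, str]:
    """Split '12:40am' into (12, 40, 'am') exactly as printed; rejects anything else."""
    m = _TIME_RE.match(t)
    if not m:
        raise ValueError(f"not a 12-hour clock time: {t!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3).lower()


def to_minutes(t: str) -> int:
    """Minutes past midnight. The trap is the 12 o'clock hour: 12:xxam is the
    first hour of the day (00:xx) and 12:xxpm is the first hour of the
    afternoon (12:xx), so the printed hour is taken modulo 12 before adding
    the pm offset."""
    hour, minute, meridian = parse_12h(t)
    hour %= 12
    if meridian == "pm":
        hour += 12
    return hour * 60 + minute


def to_24h(t: str) -> str:
    """Render as HH:MM on a 24-hour clock, with midnight as 00:xx as the post suggests."""
    mins = to_minutes(t)
    return f"{mins // 60:02d}:{mins % 60:02d}"


def sort_naive(flights: List[Tuple[str, str, str]]) -> List[str]:
    """Key that reproduces the order printed on the site (an assumption about
    its implementation): am before pm, then the printed hour and minute as
    numbers. 12:40am lands after 11:30am because 12 > 11."""
    def key(row):
        hour, minute, meridian = parse_12h(row[0])
        return (meridian, hour, minute)
    return [flight for _, _, flight in sorted(flights, key=key)]


def sort_chronological(flights: List[Tuple[str, str, str]]) -> List[str]:
    """Correct order: sort on minutes past midnight."""
    return [flight for _, _, flight in sorted(flights, key=lambda r: to_minutes(r[0]))]


if __name__ == "__main__":
    print("as printed:", sort_naive(FLIGHTS))
    print("correct   :", sort_chronological(FLIGHTS))
    for dep, arr, flight in sorted(FLIGHTS, key=lambda r: to_minutes(r[0])):
        print(f"{to_24h(dep)}  {to_24h(arr)}  {flight}")
```

    With the chronological key NW360 moves to the top of the list, since 00:40
    is the earliest departure of the day; the naive key is a stable ordering,
    just not the one a traveller expects.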
    
    ------------------------------
    
    Date: Fri, 6 Apr 2001 14:05:26 -0700
    From: "Ian Jordan" <ianat_private>
    Subject: Using Palm VII's to give traffic tickets
    
    The Seattle news played a story on a local police force that is now using
    Palm VII's to give traffic tickets. Apparently, officers can look up
    information on vehicles and people via the wireless interface from this
    Palm. The obvious risk comes from the publicly based network that the Palm
    relies on, namely the CDPD network.
    
    Just imagine someone getting a ticket, and wanting to cover it up. If they
    broke into the system, they could start issuing tickets to every car on the
    road. How would anyone know what tickets were valid? Simpler security risks
    also are involved, such as just monitoring the communications and seeing
    what people are accused of, or even looking for addresses that are
    transmitted - if someone is getting pulled over, they're probably not home.
    
    As a side note, I wonder how you get your court summons, since this
    procedure removes paper tickets. It would also appear to eliminate the
    officer's signature, making for a dubious case, since there is no official
    document indicating the charge against you.
    
    The full story is linked at:
    http://www.king5.com/biztech/storydetail.html?StoryID=17028
    
    ------------------------------
    
    Date: Wed, 18 Apr 2001 11:50:49 -0600
    From: "Pearce, Warren, CTR" <Warren.Pearce-contractorat_private>
    Subject: More on UCITA
    
    Ed Foster's Gripeline column in the current issue of *InfoWorld*
    (www.infoworld.com) raises another interesting security related issue. The
    column starts with:
      Microsoft recently prevented an independent lab from publishing benchmark
      results, using a term in the SQL Server license that says the user "may
      not disclose the results of any benchmark test without Microsoft's prior
      written approval" to threaten the lab with legal action.
    
    It's not my intent to focus on Microsoft as this is an element of UCITA. In
    prior columns, Ed included a similar comment from Network Associates. 
    Consider a security related "benchmark test" that reveals a vulnerability.
    The vendor's permission will be required to "disclose the results" of the
    test. What does this do to the entire CERT process?
    
    ------------------------------
    
    Date: Tue, 3 Apr 2001 08:10:56 +0200 
    From: "Mandt, Magne" <Magne.Mandtat_private>
    Subject: Re: Aasta Train Crash
    
    There is one very important point that has been forgotten in the latest
    postings about the fatal Aasta train crash: The railways deliberately
    introduced a single point of failure system some months prior to the
    accident.  The old operating procedure was that both the train driver and
    the ticket taker (conductor) had to verify that the signal was green before
    the train left the station.  Under the new procedure, introduced some months
    before the crash, only the driver had to check the signal. The line where
    the crash occurred does not have an automatic train stop system that stops
    trains that are headed towards each other on the same track, so the driver's
    observation of the signal is the final barrier against a crash.
    
    Magne Mandt
    
    ------------------------------
    
    Date: Tue, 3 Apr 2001 11:14:11 +0100
    From: "Merlyn Kline" <merlynat_private>
    Subject: Re: Aasta train crash (Smorgrav, RISKS-21.32)
    
    Am I missing something here or is all this beside the point? Using mobile
    'phones as a safety-critical means of communication entails so many risks I
    hardly know where to start: The network coverage is patchy at best and
    hardly at its best when used in a train; the handset batteries have short
    lives and are liable to fail; the handsets are easily lost or damaged;
    handsets are typically unsuitable for noisy environments; communication is
    dependent on a network outside the control of the train company; even if you
    get network coverage, cell capacity is limited; the list just goes on and
    on. Some of these risks can be addressed but some simply cannot. Surely this
    can't be right?
    
    Merlyn Kline
    
    ------------------------------
    
    Date: Thu, 19 Apr 2001 20:37:15 -0500
    From: "Will Fletcher" <Will_Fletcherat_private>
    Subject: Re: Risks of Hidden highway robbery ... (RISKS-21.32)
    
    In RISKS-21.32 it was noted that Microsoft was being particularly
    heavy-handed with the end-user agreement and the rights to intellectual
    property transmitted over their .NET or Hailstorm passport service.  Wanting
    to see the fine print for myself I downloaded the agreement at
    http://www.passport.com/Consumer/TermsOfUse.asp.  Yes, it does say that
    Microsoft reserves the right to take advantage of any intellectual
    property. However, it would appear that the intent of the agreement is to
    allow Microsoft the rights to any intellectual property submitted to them
    concerning the service, not intellectual property transmitted over the
    service. Towards the end of the section in question the following appears:
    
      This section also is inapplicable to any documents, information, or other
      data that you upload, transmit or otherwise submit to or through any
      Passport-Enabled Properties. Please refer to the terms and conditions for
      such Passport-Enabled Properties to determine the rights of the web site
      or service provider to such documents, information and/or data.
    
    The first sentence would seem to limit the rights of Microsoft with respect
    to misappropriating intellectual property transmitted via these
    services. But, then again the second sentence might lead one to be
    suspicious about how such rights are determined.
    
    Perhaps the real risk is not being able to read all of the fine print, since
    it is not clear where one would go to find these additional "terms and
    conditions for such Passport-Enabled Properties".
    
    Will Fletcher <will_fletcherat_private>
    
    ------------------------------
    
    Date: Wed, 18 Apr 2001 01:40:16 -0400
    From: Monty Solomon <montyat_private>
    Subject: Viewers lament incredible shrinking Ultimate TV
    
    UltimateTV shrinks from the spotlight
    
    A software bug is inadvertently shrinking hard-drive storage space on
    set-top boxes for UltimateTV, the new interactive TV service from Microsoft.
    The bug reduces how many hours of programming people can record onto the
    hard drive of UltimateTV set-top boxes. Customers began reporting the
    problem on Web forums earlier this month.
      http://www.zdnet.com/zdnn/stories/news/0,4586,5081102,00.html
    
    ------------------------------
    
    Date: Wed, 11 Apr 2001 17:02:53 -0400
    From: Monty Solomon <montyat_private>
    Subject: Do prescription records stay private when pharmacy stores are sold?
    
    Do prescription records stay private when pharmacy stores are sold?
    
    The issue caught the attention of the Clinton administration
    
    By Milo Geyelin
    THE WALL STREET JOURNAL
    
    April 11 - A novel lawsuit over the privacy of prescription records at a
    former neighborhood drug store could complicate the way pharmacy chains buy
    up their competitors. The suit challenges the common but little-known
    practice of "file buying," in which chains purchase customer prescription
    files from pharmacies they acquire and add them to their own.
    
    http://www.msnbc.com/news/557734.asp
    
    ------------------------------
    
    Date: Wed, 18 Apr 2001 01:30:46 -0400
    From: Monty Solomon <montyat_private>
    Subject: New flashlight sees through doors as well as windows
    
    Police officers serving a warrant or searching for a suspect hiding 
    inside a building could soon have a new tool for protecting 
    themselves and finding the "bad guy."
    
    A prototype device called the RADAR Flashlight, developed at the 
    Georgia Tech Research Institute (GTRI), can detect a human's presence 
    through doors and walls up to 8 inches thick.
    
    The device uses a narrow 16-degree radar beam and specialized signal 
    processor to discern respiration and/or movement up to three meters 
    behind a wall. The device can penetrate even heavy clothing to detect 
    respiration and movements of as little as a few millimeters.
    
    http://unisci.com/stories/20012/0416015.htm
    
    ------------------------------
    
    Date: Tue, 10 Apr 2001 22:09:50 -0400
    From: "Jay Levitt" <jayat_private>
    Subject: Windows patchwork
    
    A recent *Wired* news article
    <http://www.wired.com/news/technology/0,1282,42771,00.html> detailed
    problems that Microsoft had with an Internet Explorer security patch: In
    some cases the patch would wrongly display "This update does not need to be
    installed on this system."  Although I hadn't seen such a message, I
    double-checked that the patch was properly installed - and it wasn't. After
    digging further, I was surprised at the reason why.
    
    Microsoft maintains a "Windows Update" site, which automatically scans your
    Windows installation (locally), compares it with a list of known patches,
    and lists any missing updates.  Further, they have a "Critical Update
    Notification" tool that runs in the background and automatically alerts the
    user when any "critical" patches are added to Windows Update.  I run the
    notification tool, and I check Windows Update often, so I expected my system
    to be quite current.
    
    Documentation for the notification tool says: "Download this component and
    never miss a Critical Update again. Whenever a new Critical Fix is released,
    you will be notified... Critical Update Notification is the best way to keep
    your computer up-to-date and protected from potential security issues
    affecting Microsoft Windows."
    
    As it turns out, although Microsoft puts many of its IE security patches on
    Windows Update, four critical patches this year were not included there, and
    thus are not detected by the notification tool.  Users must go to a separate
    IE Security site to download these patches - a site that is not promoted or
    even mentioned by the Windows Update site or other customer service pages.
    I first learned of it from the *Wired* article.
    
    Risks:
    
    - Maintaining two separate patch repositories
    - Promoting a site as the way to "never miss" security patches, but failing
      to add all security patches there
    - Trusting Microsoft to help keep my computer up-to-date
    
    Jay Levitt <jayat_private>
    
    ------------------------------
    
    Date: Mon, 16 Apr 2001 08:48:21 -0800
    From: "Rob Slade, doting grandpa of Ryan and Trevor" <rsladeat_private>
    Subject: REVIEW: "Securing Windows NT/2000 Servers for the Internet", Norberg
    
    BKSWN2SI.RVW   20010320
    
    "Securing Windows NT/2000 Servers for the Internet", Stefan Norberg,
    2001, 1-56592-768-0, U$29.95/C$43.95
    %A   Stefan Norberg stefanat_private http://people.hp.se/stnor
    %C   103 Morris Street, Suite A, Sebastopol, CA   95472
    %D   2001
    %G   1-56592-768-0
    %I   O'Reilly & Associates, Inc.
    %O   U$29.95/C$43.95 800-998-9938 fax: 707-829-0104 nutsat_private
    %P   199 p.
    %T   "Securing Windows NT/2000 Servers for the Internet"
    
    This book is based on the paper "Building a Windows NT bastion host in
    practice," which is available on the author's Web site.  The title of the
    essay is much more accurate than the title of the text.  The work is
    concerned strictly with bastion hosts, and does not address, in more than a
    nominal way, considerations of applications that are necessarily part of any
    Internet server.
    
    Chapter one takes a brief, scattered, and not very clear look at a number of
    issues related to Windows and/or security.  This disregard for background
    information extends into chapter two.  Having presented an extensive list of
    services to turn off, Norberg tells us that "[you now] understand the
    purpose of all active software components on the host."  The irony of this
    bald assertion stems from the fact that there has been little discussion of
    why these services are to be turned off, and what you lose along the way.
    (Further, for those new to Windows NT or 2000, there is no indication of how
    to accomplish the task of reduction.)  Once we get into more advanced tuning
    there is slightly more information, but not much.  The material on the
    differences in Win2K, contained in chapter three, does present a bit more
    detail on how to accomplish the restrictions.
    
    Chapter four describes a number of software tools that will encrypt sessions
    to be used for remote administration, but does not deal with system
    management itself.  The standard advice you always read about backups ("make
    one") is repeated in chapter five.  Chapter six reviews auditing and
    logging, with, for some unknown reason, four times as much space devoted to
    network time synchronization as to intrusion detection.  "Maintaining Your
    Perimeter Network" is the title of chapter seven, but it seems to be a
    return to the same kind of catch-all discussion that started the book.
    
    In the Preface, Norberg does state that the book is not intended as a primer
    for security, or even for Windows security.  The text is written as a kind
    of a checklist for those thoroughly familiar with NT or 2K.  There is, of
    course, nothing wrong with such an approach, and those in the target
    audience will appreciate the brevity of this concise guide.  The approach
    does, however, severely limit the utility of the work.  Chapter two (and
    three, if you are using Win2K) is the heart of the book, and the rest seems
    to be an attempt to expand the text to more than pamphlet length.
    
    copyright Robert M. Slade, 2001   BKSWN2SI.RVW   20010320
    rsladeat_private  rsladeat_private  sladeat_private p1at_private
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    ------------------------------
    
    Date: 12 Feb 2001 (LAST-MODIFIED)
    From: RISKS-requestat_private
    Subject: Abridged info on RISKS (comp.risks)
    
     The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
    => SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent) 
     if possible and convenient for you.  Alternatively, via majordomo, 
     SEND DIRECT E-MAIL REQUESTS to <risks-requestat_private> with one-line, 
       SUBSCRIBE (or UNSUBSCRIBE) 
     which now requires confirmation to majordomoat_private (not to risks-owner)
     [with option of E-mail address if not the same as FROM: on the same line,
     which requires PGN's intervention -- to block spamming subscriptions, etc.] or
       INFO     [for unabridged version of RISKS information]
     .MIL users should contact <risks-requestat_private> (Dennis Rears).
     .UK users should contact <Lindsay.Marshallat_private>.
    => The INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, PRIVACY digests, etc.) is also obtainable from
     http://www.CSL.sri.com/risksinfo.html  ftp://www.CSL.sri.com/pub/risks.info
     The full info file will appear now and then in future issues.  *** All 
     contributors are assumed to have read the full info file for guidelines. ***
    => SUBMISSIONS: to risksat_private with meaningful SUBJECT: line.
    => ARCHIVES are available: ftp://ftp.sri.com/risks or
     ftp ftp.sri.com<CR>login anonymous<CR>[YourNetAddress]<CR>cd risks
       [volume-summary issues are in risks-*.00]
       [back volumes have their own subdirectories, e.g., "cd 20" for volume 20]
     http://catless.ncl.ac.uk/Risks/VL.IS.html      [i.e., VoLume, ISsue].
       Lindsay Marshall has also added to the Newcastle catless site a 
       palmtop version of the most recent RISKS issue and a WAP version that
       works for many but not all telephones: http://catless.ncl.ac.uk/w/r
     http://the.wiretapped.net/security/info/textfiles/risks-digest/ .
     http://www.planetmirror.com/pub/risks/ ftp://ftp.planetmirror.com/pub/risks/
    ==> PGN's comprehensive historical Illustrative Risks summary of one liners:
        http://www.csl.sri.com/illustrative.html for browsing, 
        http://www.csl.sri.com/illustrative.pdf or .ps for printing
    
    ------------------------------
    
    End of RISKS-FORUM Digest 21.35
    ************************
    
    This archive was generated by hypermail 2b30 : Mon Apr 23 2001 - 13:05:44 PDT