[RISKS] Risks Digest 24.04

From: RISKS List Owner (risko@private)
Date: Fri Sep 16 2005 - 16:06:49 PDT

RISKS-LIST: Risks-Forum Digest  Friday 16 September 2005  Volume 24 : Issue 04

Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can be found at

Nation's Critical Infrastructure Vulnerable to Cyber Attack (U.S. House
  Science Committee)
Katrina -- predictions before and response after (Inman Harvey)
Health Records Of Evacuees Go Online (Jonathan Krim)
One radio frequency for emergency services (Fred Cohen)
LA power outage (PGN)
Public Call for Skype to Release Specifications (Lauren Weinstein)
WebGoat 3.7 - Application Security hands-on learning environment
  (Jeff Williams)
National Academies/CSTB report on Electronic Voting (Herb Lin)
Gmail security flaw: acts on javascript in unopened e-mail (Suw Charman)
Re: Risks of REAL ID: incorrect (Steven M. Bellovin)
CardSystems Complies With Industry Standards (Curt Sampson)
REVIEW: "Forensic Discovery", Dan Farmer/Wietse Venema (Rob Slade)
Abridged info on RISKS (comp.risks)


Date: Fri, 16 Sep 2005 07:59:39 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Nation's Critical Infrastructure Vulnerable to Cyber Attack

Bart Gordon, Tennessee, Ranking Democrat
Press Contacts: Joe Pouliot  (202) 225-4275

WASHINGTON, D.C., September 15, 2005 - In testimony before the House Science
Committee today, the Chief Information Officers (CIOs) of major U.S.
corporations warned Congress that the nation's critical infrastructure
remains vulnerable to cyber attack. The witnesses said the economy is
increasingly dependent on the Internet and that a major attack could result
in significant economic disruption and loss of life.

Urging action to address this vulnerability, the witnesses advocated
increased funding for cybersecurity research and development (R&D) and
greater information sharing between industry and government and among
various sectors of industry. Witnesses also urged greater federal attention
to cybersecurity and praised the creation of an Assistant Secretary for
Cybersecurity at the Department of Homeland Security (DHS).

Testifying before the Committee were: Mr. Donald "Andy" Purdy, Acting
Director, National Cyber Security Division, Department of Homeland Security;
Mr. John Leggate, Chief Information Officer, British Petroleum Inc.; Mr.
David Kepler, Corporate Vice President, Shared Services, and Chief
Information Officer, The Dow Chemical Company; Mr. Andrew Geisse, Chief
Information Officer, SBC Services Inc.; and Mr. Gerald Freese, Director,
Enterprise Information Security, American Electric Power.

"We shouldn't have to wait for the cyber equivalent of a Hurricane Katrina
to realize that we are inadequately prepared to prevent, detect and respond
to cyber attacks," said Science Committee Chairman Sherwood Boehlert (R-NY).
"And a cyber attack can affect a far larger area at a single stroke than can
any hurricane. Not only that, given the increasing reliance of critical
infrastructures on the Internet, a cyber attack could result in deaths as
well as in massive disruption to the economy and daily life.

"So our goal this morning is to help develop a cybersecurity agenda for the
federal government, especially for the new Assistant Secretary. I never want
to have to sit on a special committee set up to investigate why we were
unprepared for a cyber attack. We know we are vulnerable, it's time to act."

Leggate testified that an informal survey earlier this year found that
executives in the telecommunications, energy, chemical, and transportation
sectors estimated that about 30 percent of their revenue depends directly on
the Internet. He also said that, because of interdependency among various
industry sectors, a single attack could reverberate throughout the global
economy: "These cascading dependencies all too quickly create 'domino
effects' that are not obvious to the corporate customer or the policymaker."

Kepler told the Committee that the greatest concern for the chemical
industry is the potential for a combined cyber and physical attack. He said
he fears a potential terrorist "using information on shipments, product
inventory, or sites to construct a physical attack ... using false identity to
acquire chemicals for improper use, [or] ... gaining inappropriate access to
systems to cause isolated disruptions."

To help prevent these scenarios from being realized, Kepler urged greater
industry input in the government's critical infrastructure protection
efforts. "Information sharing and continued cooperation between our sector
and the Department of Homeland Security is critical," he testified. "Above
all else, efforts must be focused on those threats of greatest impact and
concern to our national security, while addressing the unique needs of each

Freese said the security of his sector could also be enhanced through
increased coordination with federal agencies, such as DHS. He also urged
greater R&D funding to guide the development of a next generation Internet
and a generation power grid system that will have built-in security features
to protect against cyber attacks. "The long term solution to present
inadequacies is to build out the old infrastructure with the next generation
of technologies and equipment. The new infrastructure will be based on
greater levels of security and reliability, enhanced design, and recognition
of the interdependencies between the electricity sector and the
communications sector."

The industry witnesses praised the creation of the Assistant Secretary
position and said it will result in greater attention to cybersecurity
issues. Geisse also urged DHS to continue its focus on cyber-related
activities that have proven successful. He said, "We encourage the
Department of Homeland Security to continue to: support research grants and
assistance that focus on national cybersecurity; support industry
organizations and government agencies that create security standards and
best practices; provide early warnings of security events through various
government agencies; and make sure the security best practices that various
critical government agencies develop are shared with our critical
infrastructure industries."



Date: Thu, 08 Sep 2005 10:51:44 +0100
From: Inman Harvey <inmanh@private>
Subject: Katrina -- predictions before and response after

They told you so (2002):
It's only a matter of time before South Louisiana takes a direct hit 
from a major hurricane. Billions have been spent to protect us, but we 
grow more vulnerable every day.
Five-Part Series published June 23-27, 2002

They told you so (2004):
What if Hurricane Ivan Had Not Missed New Orleans?  Disasters Waiting to
Happen . . . Sixth in a Series Natural Hazards Observer, 2 November 2004

A couple of examples from many on

What use are calculations and predictions of risk, without the institutions
and the political will to react to them? From a viewpoint outside the US,
the response to the Katrina disaster has been quite frankly unbelievable --
sending in troops with guns as a priority over medical and humanitarian
assistance being the most bizarre.

The really big risk is the deep-seated systemic and institutional 
malaise for which such responses are symptoms. This is far more than 
merely a hurricane.

Inman Harvey, Evolutionary and Adaptive Systems Group, COGS/Informatics,
Univ. of Sussex, Brighton BN1 9QH, UK http://www.cogs.susx.ac.uk/users/inmanh/


Date: Wed, 14 Sep 2005 19:46:58 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Health Records Of Evacuees Go Online (Jonathan Krim)

The federal government is making medical information on Hurricane Katrina
evacuees available online to doctors, the first time private records from
various pharmacies and other health care providers have been compiled into
centralized databases.  The data contain records from 150 Zip codes in areas
hit by Katrina.  Starting yesterday, doctors in eight shelters for evacuees
could go to the Internet to search prescription drug records on more than
800,000 people from the storm-racked region.  Officials hope to soon add
computerized records from Medicaid in Mississippi and Louisiana, Department
of Veterans Affairs health facilities, laboratories and benefits managers.

The records are one step in reconstructing medical files on more than 1
million people disconnected from their regular doctors and drug
stores. Officials fear that many medical records in the region, especially
those that were not computerized, were lost to the storm and its aftermath.

Although the immediate focus is on urgent care for hurricane victims,
participants in the effort say the disaster demonstrates a broader need to
computerize individual health records nationwide and make them available
throughout the medical system. Such a step could, for example, give
emergency room doctors a way to quickly view medical histories for
late-night accident victims.

Electronic health records are controversial among many privacy advocates,
who fear the data could be exploited by hackers, companies or the
government.  [Source: Jonathan Krim, Government Wants Doctors in Shelters to
Have Data, *The Washington Post*, 14 Sep 2005, A24; Thanks to Keith A
Rhodes.  PGN-ed.  The article has considerable discussion on the privacy


Date: Sun, 11 Sep 2005 18:59:01 -0700
From: Fred Cohen <dr.cohen@private>
Subject: One radio frequency for emergency services

It is sad that politicians start to believe that they know how to solve
technical problems. One such sad case was Rudy Giuliani's pronouncement
today that a single frequency (then frequency band) for all emergency
services would make things work better. Now I am hardly the world's leading
expert on radio frequency spectrum allocation, but I do have some small
amount of experience in understanding radio communications and emergency
response, and I was startled, well not all that startled, perhaps bemused at
the lack of understanding displayed by people who are not risk management
professionals. Of course it seems that a lot of political folks think that
they can do as good a job as risk management professionals, and likely that
is why we are in such a sad state as a nation state at handling emergencies.
I haven't done a complete assessment of the suggestion, but here are some
initial thoughts.

The idea is that communications will work better if everyone can talk to
each other and therefore a single frequency band would allow them to do so
and improve emergency communications. Sounds sensible, however...

1) It means that in order to disrupt ALL emergency communications I only
need to jam one frequency band.

2) Different natural and artificial phenomena interfere with RF
communications in different frequency bands, so by using a relatively
limited portion of the available bandwidth, there is a guarantee that in
some places no communications will work.

3) If I want to listen into your communications, it makes it a lot easier if
I know the frequencies being used, and if everyone has to talk to each
other, then anyone can listen to everyone else.  Encryption won't solve this
of course for the same reason.

4) If there is a big emergency and everyone is on a small subset of the
bands available, there will be a lot of interference, reducing
communications effectiveness.

5) Certain weather and other human induced conditions wipe out portions of
the frequency band for periods of time, making ALL communications fail
simultaneously (see 1 above).

6) Interference between jurisdictions means that dispatchers in one
jurisdiction might end up talking over those of their neighbors, causing
confusion and more traffic problems as well as increasing the potential for
phony messages going on the air.

You all get the idea by now. Of course the last assessment I did that
involved a radio communications system for a local government was several
weeks back, and we were a bit concerned that they only had 3 redundant ways
to communicate via RF - Car radios that talk to towers in redundant
locations - hand-held radios on a different frequency range that could talk
to the towers, the cars, and each other independently of the other tower
system, and cellular telephones that they could use when the other systems
failed. They also reported problems of interference on rare occasions with
the frequencies used by neighboring jurisdictions (see 6 above), but only in
certain locations where they could communicate over quite a long distance
because of weather-related signal bounces off of clouds.

Different frequency bands are used for different things for good reasons,
and there are good reasons that a single frequency band for emergency
response would be a bad thing. Perhaps we should put Rudy in charge of FEMA
and see if things get better or worse... after all, the last political
appointee there with no expertise in emergency management worked out so

Security Posture http://securityposture.com; University of New Haven;
Fred Cohen & Associates 1-925-454-0171 Security Management Partners

  [Further discussion at iwar@private, including whether one
  frequency or one frequency band was intended.  PGN]


Date: Mon, 12 Sep 2005 16:28:43 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: LA power outage

About 700,000 electric customers in Los Angeles lost power Monday afternoon
(12 Sep 2005) after a worker mistakenly cut a wrong line, triggering a
cascade of problems in the city's power grid, a spokesman for the Los
Angeles Department of Water and Power said.  [The latest report as this
issue goes out is that the spec for the operation was incorrect, and that
the crew did exactly as they had been told.  PGN]


Date: Mon, 12 Sep 2005 14:47:24 -0700
From: Lauren Weinstein <lauren@private>
Subject: Public Call for Skype to Release Specifications

As I noted in:


eBay's acquisition of Skype (now official) leads to new concerns over the
proprietary nature of Skype's security and encryption systems, which will
now be under the control of an extremely large and powerful corporate

For eBay and Skype to have a chance of maintaining the goodwill and trust of
Skype users, I call on Skype to forthwith release the specifications and
implementation details of Skype's encryption and related technologies.

This disclosure should ideally be made to the public, but at a minimum to an
independent panel of respected security, privacy, and encryption experts,
who can rigorously vet the Skype technology and make a public report
regarding its security, reliability, and associated issues.

There are also other significant concerns regarding this acquisition,
relating to eBay's privacy policies and how they may impact the privacy of
Skype users, but I'll hold those for a future message.

Lauren Weinstein lauren@private 1 818-225-2800  
http://www.pfir.org/lauren http://www.eepi.org http://daythink.vortex.com


Date: Tue, 6 Sep 2005 09:56:11 -0400
From: "Jeff Williams" <jeff.williams@private>
Subject: WebGoat 3.7 - Application Security hands-on learning environment

  [From SC-L, included in RISKS with permission of the author.  PGN]

The *only* way to learn application security is to test applications "hands
on" and examine their source code. To encourage the next generation of
application security experts, the Open Web Application Security Project
(OWASP) has developed an extensive lesson-based training environment called

WebGoat is a lesson-based, deliberately insecure web application designed
to teach web application security. Each of the 25 lessons provides the user
an opportunity to demonstrate their understanding by exploiting a real
vulnerability. WebGoat provides the ability to examine the underlying code
to gain a better understanding of the vulnerability as well as provide
runtime hints to assist in solving each lesson. V3.7 includes lessons
covering most of the OWASP Top Ten vulnerabilities and contains several new
lessons on web services, SQL Injection, and authentication.

WebGoat 3.7 is available for free download from:


Simply unzip, run, and go to WebGoat in your browser to start learning.

The OWASP Foundation is dedicated to finding and fighting the causes of
insecure software. Find out more at http://www.owasp.org.


Date: September 13, 2005 10:31:17 PM EDT
From: "Herb Lin" <HLin@private>
Subject: National Academies/CSTB report on Electronic Voting

Announcing a new report from CSTB on Electronic Voting.  Below is the media
advisory on it.  [Reproduced from Dave Farber's IP list.]

Election officials across the United States are increasingly looking to
electronic voting systems as a way to administer elections more efficiently,
but skeptics have raised concerns about the security and reliability of
the National Academies' National Research Council, offers a set of questions
that policy-makers and the public should ask to help ensure that the
technologies implemented are secure, reliable, efficient, and easy to use.
Advance copies are now available to reporters. The report, which was chaired
by DICK THORNBURGH, former governor of Pennsylvania, and RICHARD F. CELESTE,
former governor of Ohio, was released on September 13, 2005, and is
available free in PDF form at the web site below.

Press release at http://www4.nationalacademies.org/news.nsf/isbn/0309100240?OpenDocument

Full report at http://www.nap.edu/catalog/11449.html  (sign-in
required for the PDF version).

Herb Lin, Senior Scientist and Study Director, CSTB
National Academies, 1-202-334-3191


Date: Fri, 16 Sep 2005 09:36:37 +0100
From: Suw Charman <suw.charman@private>
Subject: Gmail security flaw: acts on javascript in unopened e-mail

I received a spam this morning that opened audio files without me even
opening the e-mail. The spam was from 'news@private' and had the
subject 'news'.

A closer look reveals this code:

<Script Language='Javascript'>





This decodes to

<IFRAME width="1" height="1"
SRC="http://www.proforextrade.com/images/newex.html" frameBorder="1"

That page loads automatically, *without me having opened the e-mail*, then
runs a shed load of rubbish including two audio files.

Full e-mail with headers available on request.
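The hidden 1x1 IFRAME and the script block described above are exactly what a mail client's HTML sanitiser must refuse to render before the message is shown. As an added example, not code from the original post or from Gmail, here is a Python scanner that flags script/iframe/object elements and on* event-handler attributes in an HTML mail body regardless of tag case, and rebuilds the body without them; the sample message, its hostnames and the script body are constructed placeholders.

```python
import html
from html.parser import HTMLParser

# Elements that execute code or pull remote content as soon as the body is
# rendered; a 1x1 IFRAME is the classic hidden remote-load element.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
URL_ATTRS = {"src", "href", "data"}


def _rebuild(tag, attrs):
    """Serialise a start tag from the attributes we decided to keep."""
    parts = [tag]
    for name, value in attrs:
        if value is None:
            parts.append(name)
        else:
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
    return "<" + " ".join(parts) + ">"


class ActiveContentScanner(HTMLParser):
    """Walks an HTML mail body, records active-content elements and event
    handler attributes, and rebuilds the markup without them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []    # (kind, detail) tuples for a triage log
        self.clean = []       # fragments of the sanitised output
        self._skip_depth = 0  # > 0 while inside a stripped element

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names, so <Script>,
        # <SCRIPT> and <script> all arrive here as "script".
        if tag in ACTIVE_TAGS:
            urls = [v for k, v in attrs if k in URL_ATTRS and v]
            self.findings.append((tag, urls))
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):   # onload=, onerror=, onclick= ...
                self.findings.append(("handler", f"{tag}@{name}"))
                continue
            kept.append((name, value))
        self.clean.append(_rebuild(tag, kept))

    def handle_startendtag(self, tag, attrs):
        # <br/> style tags: emit the start tag only; an active element
        # written this way has no body, so there is nothing to skip.
        self.handle_starttag(tag, attrs)
        if tag in ACTIVE_TAGS:
            self._skip_depth -= 1

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if not self._skip_depth:
            self.clean.append(f"</{tag}>")

    def handle_data(self, data):
        # Text inside a stripped element (the script body) is dropped; an
        # unclosed <iframe> drops everything after it, i.e. we fail closed.
        if not self._skip_depth:
            self.clean.append(html.escape(data, quote=False))


def scan_html_mail(body):
    """Return (findings, sanitised_html) for one HTML mail body."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings, "".join(scanner.clean)


# Constructed sample modelled on the message above; the hostnames and the
# script body are placeholders, not the original spam's content.
SAMPLE_MAIL = """<html><body>
<p>news</p>
<Script Language='Javascript'>/* encoded payload placeholder */</Script>
<IFRAME width="1" height="1" SRC="http://example.invalid/newex.html" frameBorder="1"></IFRAME>
<img src="http://example.invalid/logo.gif" onerror="beacon()">
</body></html>"""
```

Running `scan_html_mail(SAMPLE_MAIL)` reports the script element, the IFRAME with its remote URL and the img onerror handler, and returns the body with all three removed while the visible text and the plain image tag survive.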


Date: Mon, 29 Aug 2005 12:03:15 -0400
From: "Steven M. Bellovin" <smb@private>
Subject: Re: Risks of REAL ID: incorrect (Re: RISKS-24.02)

Charles Lamb's comment on the REAL ID law, though technically correct, is
disingenuous.  A National Research Council report ("Who Goes There --
Authentication Through the Lens of Privacy") noted this:

  Finding 6.5: State-issued driver's licenses are a de facto nationwide
  identity system. They are widely accepted for transactions that require a
  form of government-issued photo ID.

Steven M. Bellovin, http://www.cs.columbia.edu/~smb


Date: Fri, 2 Sep 2005 13:43:11 +0900 (JST)
From: Curt Sampson <cjs@private>
Subject: CardSystems Complies With Industry Standards

At either of these two URLs:


you can read that

  Payments processor CardSystems Solutions Inc., where a security breach
  exposed more than 40 million credit card accounts to fraud, on Thursday
  said its auditor had completed a report to payment networks and concluded
  it complies with industry data-security standards.

The sad thing is, it's probably true.

Curt Sampson  <cjs@private>   +81 90 7737 2974   http://www.NetBSD.org


Date: Wed, 14 Sep 2005 08:16:39 -0800
From: Rob Slade <rslade@private>
Subject: REVIEW: "Forensic Discovery", Dan Farmer/Wietse Venema

BKFORDIS.RVW   20050310

"Forensic Discovery", Dan Farmer/Wietse Venema, 2005, 0-201-63497-X,
%A   Dan Farmer zen@private
%A   Wietse Venema wietse@private
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2005
%G   0-201-63497-X
%I   Addison-Wesley Publishing Co.
%O   U$39.99/C$57.99 800-822-6339 Fax: (617) 944-7273 bkexpress@private
%O   http://www.amazon.com/exec/obidos/ASIN/020163497X/robsladesinterne
%O   http://www.amazon.ca/exec/obidos/ASIN/020163497X/robsladesin03-20
%O   Audience a+ Tech 3 Writing 1 (see revfaq.htm for explanation)
%P   217 p.
%T   "Forensic Discovery"

In the preface, the authors don't promise to teach the reader anything about
computer or digital forensics.  Rather, they are reporting on ten years'
worth of experience in looking into attacked machines.  Given the authors'
background, this is engrossing.  But turning it into useful guidance might
be left as an exercise for the reader.  This is not a tutorial work for the
novice, but a challenge to the experienced professional.

Part one outlines the basic concepts of forensics in digital systems.
Chapter one presents the "spirit of forensic discovery": look anywhere, for
anything, and be prepared when you find it.  (This is a tall order,
particularly the "being prepared" part, but it basically corresponds to my
experience.)  Time information and stamps (on UNIX systems) are discussed in
chapter two, along with mention of the ways that clumsy attempts to "save"
systems can destroy ephemeral information.  However, the level of the
material sweeps between broadly generic and tightly specific: it may be
difficult for those not already thoroughly familiar with forensic activities
to obtain useful guidance from it.

Part two is supposed to provide us with background on the abstractions of
the computer and operating systems that relate to forensic recovery of
materials.  Chapter three addresses file system basics, but does so
specifically with regard to the UNIX system.  The content is much more
detailed than conceptual (covering, for example, allowable characters in
UNIX filenames), and command examples are not always completely explained.
The usefulness of this approach is questionable, since the reader is assumed
to know the UNIX system well; in which case, why cover the elementary
fundamentals?  However, the work does highlight aspects of operating and
file system internals not encountered in normal administrative activity.
Analysis of information recovered from a compromised system is reviewed in
chapter four.  The methods and procedures are very strictly limited by the
case cited, but the examples demonstrate the backhanded thinking needed to
obtain interesting data after an intrusion.  A variety of intriguing ways to
subvert a running system are examined in chapter five.  As with previous
material, the text seems to talk around the topic, while the examples,
although fascinating, don't always support the general concepts under
discussion.  Analysis of the code of malicious software (a practice known in
virus research as forensic programming) is addressed in chapter six,
although the bulk of the content deals with test execution of the
programming (under various forms of restriction) and both the benefit and
complexity of disassembly is passed over rather lightly.

Part three moves beyond the concepts and into practical difficulties.
Chapter seven, although titularly about the contents of deleted files, is
primarily concerned with the conservation and preservation of the access,
modification, and (attribute) change times of files.  (In response to the
draft of this review, the authors clarified some of the points that they
were trying to make in the text, such as the fact that material from deleted
files is often more persistent than the content of active files.
Unfortunately, these points, while arresting, are not always clear in the
work itself.)  Retrieving data from memory, particularly via the swap or
paging areas of disk, is reviewed in chapter eight.

The preface does state that the authors intend this book to be useful to
sysadmins, incident responders, computer security professionals, and
forensic analysts.  I would suggest that only the last group will find much
here that they can use, and then only those at the advanced edges of the
field.  There is certainly much that is intriguing, but the material demands
of the reader that he or she have extensive background and knowledge of
system and filesystem internals.  Even then, extracting the information from
the target system, and drawing conclusions as to the implications of that
data, will be difficult.  Farmer and Venema have outlined some fascinating
material, on the bleeding edge of the technology, but have not made it easy
for practitioners to utilize or comprehend.

(In response to the draft review, the authors have noted that the full,
original text of the book is now available at http://fish2.com/forensics/ or

copyright Robert M. Slade, 2005   BKFORDIS.RVW   20050310
rslade@private      slade@private      rslade@private
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

  [I found this book to be very useful, timely, and interesting.  PGN]


Date: 29 Dec 2004 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The RISKS Forum is a MODERATED digest.  Its Usenet equivalent is comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   Mailman can let you subscribe directly:
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your
 FROM: address, send a message to
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

   INFO     [for unabridged version of RISKS information]
 .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> The INFO file (submissions, default disclaimers, archive sites,
 copyright policy, PRIVACY digests, etc.) is also obtainable from
 The full info file may appear now and then in future issues.  *** All
 contributors are assumed to have read the full info file for guidelines. ***
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing


End of RISKS-FORUM Digest 24.04

This archive was generated by hypermail 2.1.3 : Fri Sep 16 2005 - 16:58:01 PDT