[RISKS] Risks Digest 24.37

From: RISKS List Owner (risko@private)
Date: Sat Aug 12 2006 - 11:47:09 PDT


RISKS-LIST: Risks-Forum Digest  Saturday 12 August 2006  Volume 24 : Issue 37

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/24.37.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Letter on cybersecurity from Senator Reid to the President (PGN)
Survey on putting electronics in checked airline baggage  (Lauren Weinstein)
More on medical errors (PGN)
RFID Guardian (Erling Kristiansen)
Search Engine Privacy - Re: AOL gaffe draws Capitol Hill rebuke
 (Lauren Weinstein)
LA power outages? (Dan Jacobson)
Your Cable Company -- powered by the guy with the extension cord
  (Lauren Weinstein)
Most college students vulnerable to cybercrime (Al Macintyre)
3.1 million HSBC (Al Macintyre)
Re: IBM 1620 - the joys of using punched cards (Chris Brady)
REVIEW: "Frauds, Spies, and Lies", Fred Cohen (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 11 Aug 2006 20:25:21 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: Letter on cybersecurity from Senator Reid to the President

  [Thanks to Marcus H. Sachs for this one.]

August 11, 2006
President George W. Bush
The Western White House
Crawford, TX 76638

Mr. President,

I write with deep concern over the lack of attention your Administration
continues to demonstrate for computer and cyber security in the federal
government.

Repeated failures at numerous government agencies have caused the disclosure
of the personal or medical information of government employees, members of
the military, veterans, and ordinary Americans. Your Administration has not
seen fit to respond, however, and for the last year the position of
Assistant Secretary of Homeland Security for Cyber Security has remained
vacant. In fact, the previous official in charge of cyber security resigned
in protest due to your Administration's persistent failure to attend to this
critical security issue. Shockingly, the acting Assistant Secretary has been
a lawyer with no background in computer security who has questionable
business ties to institutions that do business with the office he is
supposed to manage.

Yesterday, the Department of Transportation reported that a laptop
containing the personal information of approximately 133,000 drivers and
pilots has gone missing. Three days ago, the Department of Veterans Affairs
reported that it had lost a computer with the personal information of as
many as 38,000 veterans. These disclosures come on the heels of previous
failures at the VA that put the information of 26.5 million active duty,
reserve, and retired military at risk. Over the course of your
Administration, similarly grievous cyber security failures have occurred at
the State Department, the FBI, the Energy Department, the Agriculture
Department, the Federal Trade Commission, the Department of Health and Human
Services, the Department of Defense, with our military in Afghanistan, and
in the United States Navy.

This level of insecurity is unacceptable, and your Administration's repeated
failure to correct the problem must cease. To that end:

* 1. Why has the position of assistant secretary of homeland security for
  cyber security not been filled, and what steps are you taking to ensure
  that it will be appropriately staffed at the soonest possible time?

* 2. What administration-wide reviews are you undertaking and
  administration-wide guidelines are you instituting to ensure these
  repeated failures do not continue?

* 3. What studies have you directed your administration to undertake to
  ensure that all previous data disclosures and security breaches are
  accounted for, and that the damage caused by each is minimized?

As we approach the fifth anniversary of September 11th, 2001, it is critical
that the American people trust that their government is taking every
possible step to protect them. Given the continued threat of al Qaeda and
international terrorism and the volume of important personal and other
information held by the federal government, your administration's cavalier
attitude toward cyber security cannot continue. The security of the American
people demands a new direction.

I hope you will direct your administration to answer these questions quickly
and thoroughly, and will give the security of American people the attention
it deserves.

Sincerely,
Harry Reid
Senate Democratic Leader

  [This really *should* be a nonpartisan issue.  Perhaps there is a similar
  message from a Republican?  PGN]

------------------------------

Date: Fri, 11 Aug 2006 21:06:54 -0700
From: Lauren Weinstein <lauren@private>
Subject: Survey on putting electronics in checked airline baggage

[ Please distribute widely, as considered appropriate ]

I'm conducting a little unscientific survey on whether or not airline
passengers are willing to place their expensive or important
electronic equipment in airline checked baggage (whether "locked" or
not, but on most flights unlocked will be required), and how this
would affect their flying patterns.

With the above as preface, there are three questions:

1) Are you willing to place all of your significant electronic equipment
   (including laptop or other computers, cellphones, DVD players, iPods,
   etc.) in checked baggage for airline flights?

2) If you are required to place such electronic equipment in checked
   baggage, would it have a significant negative impact on your willingness
   to fly?

3) Do you mainly fly for business or pleasure?

I will only publish aggregated statistics from this survey, unless
individual persons specifically note that their responses may be
released publicly.

To participate in the survey, please e-mail a note (or simply
forward this message) with your responses to:

   baggage@private

Only a one word reply is necessary to each of the questions
unless you wish to add comments, which are invited.

Thanks very much.

Lauren Weinstein
lauren@private or lauren@private
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
   - International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

------------------------------

Date: Sat, 22 Jul 2006 17:23:04 PDT
From: "Peter G. Neumann" <neumann@private>
Subject: More on medical errors

A major study lists confusion over names and wrong doses among the mistakes,
and urges more use of computers in prescribing drugs.

At least 1.5 million Americans are injured or killed every year by
medication errors at a direct cost of billions of dollars, according to a
report issued Thursday by the prestigious Institute of Medicine in
Washington, D.C.

For hospitalized patients, the report said that on average, one medication
error per day was caused by confusion in drug names, wrong doses, failure to
deliver drugs or a host of other problems.

The study is a follow-up to a 1999 report from the institute, which is part
of the National Academies, that outlined all medical errors and claimed that
as many as 98,000 people were killed each year as a result of medical errors
-- 7,000 of them as a result of medication errors.  The study lays out a
detailed series of recommendations for new procedures and research to
minimize the risk of future medication errors, emphasizing computerization
of prescribing and administering drugs and data acquisition.

[Source: Medication Errors Hazardous to Your Health, Thomas H. Maugh II,
*Los Angeles Times*, 21 Jul 2006; PGN-ed, tnx to Lauren Weinstein]
http://www.latimes.com/features/health/la-sci-drugs21jul21,0,5771929.story?coll=la-home-health

------------------------------

Date: Wed, 9 Aug 2006 14:12:49 +0200 (CEST)
From: "Erling Kristiansen" <erling.kristiansen@private>
Subject: RFID Guardian

According to
http://www.bof.nl/nieuwsbrief/nieuwsbrief_2006_16.html  (in Dutch)

Vrije Universiteit in Amsterdam, The Netherlands, has developed a
prototype of a device that can:

- Detect all RFID chips and scanners in its neighbourhood;
- Keep an inventory of all RFID chips you carry on your person, and alert
  you to new additions to the "inventory";
- Block the reading of any RFID you carry;
- Spoof a given RFID.

More details at http://www.rfidguardian.org/ (in English)

------------------------------

Date: Thu, 10 Aug 2006 09:14:32 -0700
From: Lauren Weinstein <lauren@private>
Subject: Search Engine Privacy - Re: AOL gaffe draws Capitol Hill rebuke

Ladies and Gentlemen, Boys and Girls:

Web site privacy issues in general, and search engine privacy concerns in
particular, are turning into a three-ring circus of ironies.

I discuss these issues until I'm figuratively blue in the face and yet it's
deja vu over and over again.

The article referenced below in fact failed to mention the key aspect of the
search engine data situation that makes this all so bizarre.  We have
Rep. Markey, et al., pushing data destruction laws in the wake of DOJ's push
(in support of their Child Online Protection Act case) to get Google's query
data -- which Google wisely resisted, though ultimately they had to turn
some of that data over to DOJ.  I do agree with some observers who feel that
Markey's proposal is so encompassing that it remains unlikely to ever become
law -- I'd much prefer to see more highly targeted and focused legislation.

But meanwhile, as some of us had been predicting for ages, DOJ/Gonzales are
out there pushing for broad Web site data *retention* laws -- ostensibly (do
we see a pattern emerging?) using child abuse investigations as the hook.

Gang, we can't have it both ways in any kind of simplistic scenario.  The
simple choices are (1) Burn the data to prevent abuse -- and also prevent
any other non-abusive uses of that data, or (2) Retain the data, along with
major internal and external abuse potentials.

The simplistic scenarios are each highly problematic.  We need to advance
these issues in more sophisticated directions.

The only research and policy paths I see that could possibly lead toward
better outcomes in this area are being largely ignored by the major players,
so we have this repeating cycle of events and reactions banging back and
forth.

A few months ago, in: "An Open Letter to Google: Concepts for a Google
Privacy Initiative" ( http://www.vortex.com/google-privacy-initiative ) I
set forth a proposal urging Google, as the global search leader, to apply
its formidable resources toward advancing these issues -- both for Google's
own benefit and ultimately for the benefit of the entire global community.
In light of the whole series of recent events relating to the Web site data
retention/destruction sphere, I assert that such efforts are needed now, on
a priority basis.

As I've noted previously, we must demand that our data be protected.
Accomplishing this properly requires serious thinking, hard work, and in the
real world more than a little compromise.  We need to develop effective and
reasonable technology and policy paths toward management of the vast amounts
of personally-related data that Web sites are collecting.  AOL's search
query data screw-up is bad enough, but it's only a drop in the bucket
compared with the sorts of abuses and problems that could take place if we
don't move forward appropriately.  We can be enriched by data, or we can be
enslaved by it.  The choice remains ours.

Lauren Weinstein +1 (818) 225-2800  http://www.pfir.org/lauren
Lauren's Blog: http://lauren.vortex.com DayThink: http://daythink.vortex.com

------------------------------

Date: Thu, 10 Aug 2006 03:47:22 +0800
From: Dan Jacobson <jidanni@private>
Subject: LA power outages?

[My web provider has reassured me that the LA power outages are no risk:]

World class first tier facility, two redundant grid hookups, backup battery
array with two separate sets of diesel generators. Trucks full of diesel are
on standby and the datacenter is run on each for 12 hours each month to make
sure everything is working as it should.

There's more: 24/7 armed security on premises, perimeter badge required +
biometric hand scanners at the steel doors to each suite, locked cages in
each suite and video cameras recording throughout with video archived for 30
days. You can't even get into the front door of the building without
clearance and ID which is logged.

Very early smoke detection systems as well as privately lit fiber directly
into the meet me room at One Wilshire (over 200 of the world's first tier
providers connect to each other in that room).

This is *very* expensive space... even the power comes at a pretty penny
since it is fully backed up power not just plain municipal.

This is something I rail about constantly because there is no shortage of
competition out there on municipal power with a single homed local loop into
an office somewhere who can obviously beat me on price because they don't
have any of this. And explaining all of this to people is seemingly
impossible sometimes.

In short: at least for now, we're good. :-) You're right though the AC units
are wreaking havoc here right now - it got up to 90 degrees Fahrenheit!! Us
Southern Californians can't handle that any more than we can handle half an
inch of rain! The AC units are flying off the shelves. It's a feeding
frenzy! ;-)

Dan Jacobson wrote:
> News has it that there are LA power outages.
> Certainly you have prepared bicycle and rodent wheel generators?
> "Global warming kills information age."

------------------------------

Date: Sat, 12 Aug 2006 03:45:41 -0700 (PDT)
From: Lauren Weinstein <lauren@private>
Subject: Your Cable Company -- powered by the guy with the extension cord

Last night at around 2:15am (yup, everyone's just leaving the bars) my area
had a widespread power failure when someone wrapped themselves around a main
distribution line power pole (this is a Friday and Saturday night tradition
of course).  While LADWP started on it pretty quickly, power was not
restored for around seven hours.

That long an outage is enough to expose one of the serious weak points in
our telecom networks -- remotely situated batteries.  They don't last very
long without external charging power, and we already know that microcell
sites tend to go down quickly for this reason when power fails.

Early this morning when I started walking the area to see the effects, I
quickly found an unmarked white bucket truck with engine running, parked at
a nearby corner, with an orange extension cord running from its open hood to
the open cable backup power box on the nearby pole, containing what looked
like about three gel cells.

When I went over and talked to the friendly cable guy splicing wires on the
back of his truck, he told me that he wasn't even trying to charge the
batteries, all he could do was try to keep the system running from his truck
until power was restored.

Cable modems?  Cable VoIP?  Our whole world of modern cable telecom,
dependent on a guy with an extension cord and an old bucket truck.

I found it rather amusing, in a "sad commentary" sort of way.

+1 (818) 225-2800 http://www.pfir.org/lauren
Lauren's Blog: http://lauren.vortex.com DayThink: http://daythink.vortex.com

------------------------------

Date: Thu, 10 Aug 2006 13:47:32 -0500
From: Al Mac <macwheel99@private>
Subject: Most college students vulnerable to cybercrime

http://daily.stanford.edu/article/2006/8/10/thievesPhishForStudents

  A CompUSA survey of US college students
* 88% keep on their desktop and laptop computers the kind of info that
  could get their identity stolen if that computer was stolen or broken into
* 41% ignorant of the concept of phishing
* 21% had been tempted to give personal private info to web sites where
  they were unsure of the security or of the source of the request for their
  personal data
* 9% had already responded to phishing e-mails

There was an incident with Stanford's Axess system, where a student's
account was cracked, then someone else opened credit in the student's name,
intercepting that student's money.  That case has been solved.

> Increased cases of identity theft have led the Office of the Inspector
> General at the U.S. Department of Education to establish a Web site,
> www.ed.gov/misused, dedicated to informing students and parents about
> identity theft. Victims of identity theft can contact the Office of the
> Inspector General's Identity Theft hotline at 1-800-MIS-USED.
> Additionally, the Stanford Residential Computing Security Web site is
> available at http://rescomp.stanford.edu/info/security

Should students have billing sent home, rather than to a school address
whose mail system may be less secure?
Are cell phones locked up when not being used?
How often do you change passwords, PIN#s?
Do you know how your financial institutions contact you, so you can
recognize a fraudulent contact?
Do you know which institutions are brain dead on security, so you should
avoid doing business with them at all?

http://daily.stanford.edu/article/2006/8/10/thievesPhishForStudents

------------------------------

Date: Thu, 10 Aug 2006 13:31:18 -0500
From: Al Mac <macwheel99@private>
Subject: 3.1 million HSBC

http://www.thisismoney.co.uk/news/article.html?in_article_id=411576&in_page_id=2

Millions of customers, with one of Britain's biggest banks, exposed to
on-line attack.  The bank says the loophole can only be exploited by
sophisticated attackers, while critics talk about how easy it is for
troublemakers to get at the tools to do so.

This incident also illustrates a problem in ethics for computer security
researchers.  If you find a flaw, who should you report it to?

* The institution with the flaw
* Law enforcement
* Only those who subscribe to your service
* Publish some research document
* The general news media

If you report it to the institution and to law enforcement, and they do not
seem to take you seriously, you also have a responsibility to the potential
victims NOT to be telling the news media, who in turn also guide cyber
criminals to exploit the flaw.  If this is not easy for people to
understand, put it in terrorist terms ... you observe a flaw at an airport,
in other transportation, that a terrorist could exploit to kill a staggering
number of people.  You tell the authorities and they ignore you.  If you
tell the news media, you may be giving ideas to criminals that they might
not otherwise have figured out on their own.

------------------------------

Date: Fri, 11 Aug 2006 11:12:53 +0100 (BST)
From: Chris Brady <chrisjbrady@private>
Subject: Re: IBM 1620 - the joys of using punched cards

With regards to the IBM 1620 - Loughborough University (UK) had one in the
late 1960s / early 1970s - and it was my very first introduction to a real
computer - a step up from the electro-mechanical adding machines we
had to use in the Numerical Analysis course. For my fourth year final
computer project I had written a sophisticated program in Fortran 2D on
hundreds of punched cards that plotted the contours of 3D graphs of complex
mathematical functions. An early fractal program I guess.

The IBM line printer used was exactly that with 200+ metal disks with the
printing characters on 'teeth' around the edges. They all spun round to
print an entire line at once - the whirring and clunking noise was
horrendous.

Anyway, on graduation day my parents, assorted relatives and my younger
brother (then aged 11) attended my degree ceremony. Afterwards, during a
tour of the campus, I tried to demonstrate my 'fractal' program that I'd
spent many weeks preparing. It didn't work. It wouldn't even compile. It
misread almost every card with a syntax error - which was laboriously
output on the operator's old-fashioned typewriter a character at a time.

It was only a few years ago that my uncle told me that whilst my back was
turned my dear brother had shuffled some of the cards to see what would
happen. Of course the cards weren't numbered so re-ordering them wasn't an
option at the time.

The risk: never let anyone near your stack of punched cards - especially
inquisitive brothers. P.S. My brother is now a famous computer graphics
visualiser / illustrator for clients designing new buildings and landscapes.
Now he has more laptops than I have.

------------------------------

Date: Thu, 10 Aug 2006 09:30:41 -0800
From: Rob Slade <rmslade@private>
Subject: REVIEW: "Frauds, Spies, and Lies", Fred Cohen

BKFRSPLI.RVW   20060710

"Frauds, Spies, and Lies", Fred Cohen, 2005, 1-878109-36-7, U$29.95/C$33.45
%A   Fred Cohen Fred.Cohen@private
%C   572 Leona Dr, Livermore, CA   94550
%D   2005
%G   1-878109-36-7
%I   Fred Cohen and Associates
%O   U$29.95/C$33.45 925-454-0171
%O  http://www.amazon.com/exec/obidos/ASIN/1878109367/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1878109367/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1878109367/robsladesin03-20
%O   Audience n+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   234 p.
%T   "Frauds, Spies, and Lies: and How to Defeat Them"

Over the years, lots of books have promised to teach us how to deal with
social engineering, fraudulent practices, con jobs, deceit, and just plain
old lies.  There are the pedestrian warnings that it is dangerous out there,
such as Barrett's "Bandits on the Information Superhighway"
(cf. BKBOTISH.RVW).  Or Mintz' listing of nasty Websites in "Web of
Deception" (cf. BKWBDCPT.RVW).  Or the repetitive recounting of confidence
games in Mitnick and Simon's "The Art of Deception" (cf. BKARTDCP.RVW).
Generally these works retail similar stories, with little variation and even
less analysis.

Cohen's slim volume is a bit different.

Chapter one is a brief introduction to the structure of the book.  Chapter
two defines frauds, and then lists a huge series of variations on the theme.
Many books that deal with the topic provide examples, but this exhausting
(and nearly exhaustive) catalogue, even with minimal analysis, allows the
reader to begin to see patterns and thus furnishes a useful alert for
awareness of the issues, regardless of the student's background.  (Fred, I
wonder if you are entirely correct about 419 frauds.)  The topic of
deception, in chapter three, deals first with how we think, and what
analytical mistakes we are likely to make.  This preparation is augmented by
examples of how fraudsters and confidence tricksters can use these errors.
(An interesting addition is a section dealing with self-deception, in regard
to the justifications scammers use.)  Cohen's wit and humour are used to
good effect in pointing out the absurdities of some of our thinking
patterns.  Most "spying" is not James Bond derring-do, and chapter four
outlines the means that "HUMINT" (human intelligence) specialists use to
obtain information, mostly in normal conversation.  This material would be
very useful in creating security awareness courses dealing with social
engineering.  Defence and counterintelligence are covered in chapter five.
Chapter six leans more towards the countering of various types of frauds.

This is not your normal security book, but then typical security works have
had remarkably little success in addressing this particular topic.  Security
professionals will find little new in these pages, but the aggregation of
the variant frauds is, itself, useful.  Certainly no specialized background
is needed to approach the text: anyone can pick it up and get a good deal of
useful security awareness from a perusal of chapter two alone.  The size of
the work should not be daunting for anyone, and the content is quite
readable.  (I must note that the typography and formatting create a bit of
a problem: the lack of "white space" can sometimes make section changes a
bit hard to follow, despite the careful and clear numbering of sections and
subsections.)

I'd recommend this book, particularly as bedtime reading for any security
professional, and for those involved with security awareness programs.
However, it should have a broader readership: any reasonably intelligent
person will find something useful and helpful for building a safer and
enlightened attitude to the dangers of this complex world.

copyright Robert M. Slade, 2006   BKFRSPLI.RVW   20060710
rslade@private     slade@private     rslade@private
http://victoria.tc.ca/techrev/rms.htm

------------------------------

Date: 2 Oct 2005 (LAST-MODIFIED)
From: RISKS-request@private
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest, with Usenet equivalent comp.risks.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.   The mailman web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman your
 FROM: address, send a message to
   risks-request@private
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe@private or risks-unsubscribe@private
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 The full info file may appear now and then in RISKS issues.
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users should contact <Lindsay.Marshall@private>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks@private with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks [subdirectory i for earlier volume i]
 <http://www.risks.org> redirects you to Lindsay Marshall's Newcastle archive
 http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing

------------------------------

End of RISKS-FORUM Digest 24.37
************************



This archive was generated by hypermail 2.1.3 : Sat Aug 12 2006 - 12:19:19 PDT