Saturday, 25. January 2003
Sprint DSL's Gaping Security Hole puts users at risk
Sprint DSL customers are at risk of having their e-mail addresses and passwords stolen -- even when their computers are powered off -- due to weak security controls on their DSL modems. Experts warn... [Securitynewsportal]
10:51
Ebay Seller Sues Over Libelous "Feedback"
An eBay Seller is taking the online auction giant to court over allegedly libelous statements made about the Seller in eBay's "feedback" mechanism, which allows buyers and sellers to leave comments about each other's performance that other users are then able to see. The Seller, who had auctioned some vintage radio magazines, was accused of shipping the goods late and in poor condition. After the Seller was unable to get eBay to remove the negative feedback, he brought suit in California Superior Court against both the Buyer and eBay.
The lawsuit aims at having eBay change its feedback policies, and of course a few million bucks for good measure. Yahoo News covers the Reuters release. [GrepLaw]
10:28
Wednesday, 22. January 2003
Research on Open Spam Relays
At http://www.m5computersecurity.com/research/OpenRelay-analysis-1.2.htm I found an interesting paper by Michael McCafferty titled "Statistical Analysis of Open E-mail Relaying on the Internet". The author was scanning mail servers for open relays. Using random IPs he found 1.6% of the mail servers being open relays. In contrast, in DSL address ranges he found up to 35.7% open relays. I like Ross Anderson's idea of drawing parallels between Network Security and the Environment.
While "don't let the masses on the Internet" thinking is nothing new, these numbers let one rethink the issue in a different light. This open relay thing is really a difficult problem. On the one hand my sympathy is with John Gilmore, on the other hand there are people who can't configure their mail servers and increase the mail filtering load on me and my machine.
The other thing I like about this paper is that it researches some facts instead of speculating. It is not the first scan for vulnerabilities nor the first for open relays. It just reminds me that in cybercriminology we can do experimental research without getting into real bad ethical trouble.
21:21
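What "open relay" means in terms of a mail server's decision logic, as an added example that is not from McCafferty's paper or from this page: a hypothetical MTA's relay policy, modelled in Python, with the misconfiguration the paper measured (relaying for anyone) beside the correct policy (relay only for the local network or authenticated users, otherwise accept only mail for local domains). All domains and addresses are constructed (RFC 5737 documentation ranges); `RelayPolicy` and `is_open_relay` are names chosen here, not any real MTA's API.

```python
import ipaddress


class RelayPolicy:
    """Decides, per RCPT TO, whether a hypothetical MTA accepts the recipient.

    local_domains: domains the server delivers for itself.
    trusted_nets:  client networks allowed to relay anywhere (normally the LAN).
    open_relay:    the misconfiguration the paper measured: relay for anyone.
    """

    def __init__(self, local_domains, trusted_nets, open_relay=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.trusted_nets = [ipaddress.ip_network(n) for n in trusted_nets]
        self.open_relay = open_relay

    def decide(self, client_ip, authenticated, recipient):
        """Return (accept, reason) for one recipient from one client."""
        rcpt_domain = recipient.rpartition("@")[2].lower()
        if rcpt_domain in self.local_domains:
            return True, "accept: local delivery"  # inbound mail is always accepted
        if self.open_relay:
            return True, "accept: relays for anyone (open relay)"
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.trusted_nets):
            return True, "accept: client on trusted network"
        if authenticated:
            return True, "accept: authenticated submission"
        return False, "reject: relay access denied"


def is_open_relay(policy):
    """Self-test of a relay policy: would an outside, unauthenticated client be
    allowed to deliver to a third-party domain? That single question is what
    the 1.6% / 35.7% figures in the paper are counting."""
    accepted, _ = policy.decide("203.0.113.5", False, "someone@third-party.example")
    return accepted


# Constructed configurations (documentation addresses, made-up domains).
CLOSED = RelayPolicy(["example.org"], ["192.0.2.0/24"])
OPEN = RelayPolicy(["example.org"], ["192.0.2.0/24"], open_relay=True)
# A subtler misconfiguration: trusting the ISP's whole DSL range instead of the LAN.
TOO_BROAD = RelayPolicy(["example.org"], ["203.0.113.0/24"])


if __name__ == "__main__":
    for name, pol in [("closed", CLOSED), ("open", OPEN), ("too-broad", TOO_BROAD)]:
        print(f"{name}: open relay = {is_open_relay(pol)}")
```

The `TOO_BROAD` case is the one worth noticing in the DSL context: a server that is not configured to relay for "anyone" but trusts an address block it does not control is an open relay from the point of view of every other customer of that ISP.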
Monday, 02. December 2002
Security Firm Deserts Users
A company that once promised to find stolen corporate laptops is now itself missing in action. And left behind are countless customers stuck for the prepaid service and saddled with a software agent that not only resists being disabled but can still transmit sensitive data over the Internet.
Lucira Technologies Inc. has been defunct since August, when it filed for Chapter 7 bankruptcy protection in Boston, federal court records show. Nearly two dozen users contacted by eWeek, however, say they've never been notified that the managed service has been terminated. All telephones to the company's Boston headquarters have been disconnected, Lucira's corporate Web site has been shuttered, and the company's landlord said the firm moved out several months ago leaving no forwarding address.
The company, which was founded in 1999 as CyberTrak Systems Inc., marketed a service alternately called MobileSecure or SecurePC. At the heart of Lucira's service is a technology dubbed Pinpoint, which makes regular, automatic checks to a Lucira server when a client computer is logged on to the Internet. When a machine is reported stolen, the software could be used to log trace routes and locate the machine for recovery by police. A Lucira official once bragged in published reports that the company's client-side software agent was so robust that the only way to defeat it once installed was to physically remove the laptop's hard disk drive.
[Help Net Security]
21:11
Lax Security: ID Theft Made Easy
Victims of one of the largest identity theft cases in the United States agree with industry experts that limp security policies at credit bureaus made it easier for the criminals to do their dirty work. By Michelle Delio. [Wired News]
12:48
Friday, 29. November 2002
Danish anti-software-piracy group sends out "penalty notices"
The Danish Anti-Piracy Group (APG) has sent invoices totalling $133,600 to around 150 Internet users in Denmark. The reason: they had illegally downloaded music, video games and films from the Internet. [ComputerWoche: Nachrichten]
08:25
Saturday, 23. November 2002
Bugging Out: Software Bugs are expensive
Forget malicious hackers. The errors that come bundled with your software are costing businesses plenty. According to a study by the Department of Commerce's National Institute of Standards and Technology (NIST), bugs have become so frequent and harmful that they cost the U.S. economy an estimated $59.5 billion annually.
More alarming, NIST -- which surveyed vendors as well as end users -- found that $22.2 billion of that cost could be eliminated through improved testing infrastructure, allowing for bug detection earlier in the development process rather than "downstream" or post-sale. But more testing is not necessarily the answer. "In fact, 80 percent of software development costs are now allocated to testing activities, so expanding the amount of testing may not be a good objective or even a feasible one," says Greg Tassey, senior economist on the study. "Rather, improving the efficiency of the testing infrastructure by developing better test methods, which industry can adopt as standards, appears to be the logical direction of response."
While the hefty cost is certainly startling, the issue of overly buggy software is no surprise. It first gained government attention back in January when the National Academy of Sciences issued a report urging Congress to consider legislation to hold software vendors liable for security breaches.
Unfortunately, a stricter infrastructure will mean new costs, and while the bigger vendors have made strides lately to improve confidence in their products, smaller developers could suffer. "I could see it stifling innovation, and sometimes preventing better things from emerging. That would be the real downside to government doing anything," warns Norma Schroder, software industry analyst for Gartner. "I don't believe the software vendors want to write bad software. There's always a risk in anything. There will always be room to improve, but the risk will never go away." WebTechniques Nov 23 2002 5:38AM ET [moreover Computersecurity]
12:36
CipherTrust Wants You To Fight Spam
E-mail security company CipherTrust wants your spam. The company is calling on surfers of all stripes to help it wage a fight against spam by sending their unsolicited mass e-mail to its new Web site, Spamarchive.org. The idea is to create a vast public repository of spam, so makers of antispam tools can test their algorithms on the latest mass-messaging trends.
"It's kind of like donating your spam to science," Paul Judge, director of research and development at CipherTrust, said.
CipherTrust is soliciting volunteers to help it determine which messages constitute spam. It plans to put the database online in a few days and will collect spam messages on an ongoing basis.
[LinuxSecurity.com]
This brings up some interesting liability issues for email included in this archive. Since some spammers seem to enjoy going to court, we might see some interesting trials.
09:20
Friday, 22. November 2002
Internal Microsoft Server Exposed Sensitive Information To The Internet
A popular Microsoft file server remained partially offline on Thursday after it was discovered that the system exposed confidential internal documents and information on millions of customers, the company confirmed.
Some Microsoft staff apparently didn't realize the server was publicly accessible, Microsoft said.
The FTP (File Transfer Protocol) server is used to allow Microsoft customers to download drivers, software patches, and other files, as well as upload files for analysis by Microsoft tech support, the company said.
The confidential documents were exposed because some Microsoft marketing staff were using the FTP server as a repository, not realizing that the server was open for public access.
As of Thursday, users could upload -- but not download -- files to the server, Microsoft said.
Among the files accessible were confidential company presentations, spreadsheets, internal reports and a 1 GB database of user names and mailing addresses, which was kept in a zip file that was easily opened with freely available password-cracking software.
The FTP server was intended for use only by Microsoft's product support organization, but marketing staff were apparently using the server, unaware that it was accessible from the Internet. The confidential information was available on the server since Nov. 15 or earlier. Microsoft took the server offline on Monday and put it back up when it was cleaned of confidential files, but Microsoft employees then began uploading new confidential files to the server. [TechWeb: Security]
See also: http://www.theregister.co.uk/content/55/28252.html
Microsoft made customer details - along with numerous confidential internal documents - freely available from a deeply insecure FTP server earlier this month.
As well as numerous PowerPoint slides, such as Linux vs. Windows comparisons and .NET strategy papers, Microsoft "published" files containing an estimated 11 million customer email addresses and seven million snail mail addresses on the server.
All these confidential files were protected by the same password which was easily defeated by standard password-cracking tools, another point Microsoft would do well to note in reviewing its security policy.
17:11
Thursday, 21. November 2002
Dispute over Bugtraq posting: disclose or stay silent?
At least since Microsoft's demand that security holes be kept secret until the corresponding bug fixes are available, there has been a dispute over whether security alerts are helpful or serve hackers as instructions. Many experts take the view that vendors would provide patches only very slowly, or not at all, if the public were not warned about holes discovered in the affected applications. Others, such as the top US security official Richard Clarke, think vendors must be granted a reasonable period to develop the fixes.
Now a posting to the Bugtraq mailing list is heating up tempers again. In it the author describes in detail a so-called exploit (exploit = a program with which individual security holes can be exploited in a targeted way) that formats the hard disks of users of Internet Explorer versions 5.5 and 6.0 when they visit manipulated web pages. The independent security expert Richard Smith said he did not understand how publishing the exploit increased the security of the affected systems.
Rather, he said, the antivirus vendor Symantec, which hosts the mailing list, was helping script kiddies to prepare web sites accordingly. Apparently the forum has no longer been moderated since Symantec took it over. The posting had been explicitly cleared for publication on Bugtraq, replied Symantec spokeswoman Genevieve Haldeman. The mailing list is regarded as an independent communication platform for security experts and has the task of warning about dangers of this kind before they appear "in the wild".
[ComputerWoche: Nachrichten]
16:10
Wednesday, 20. November 2002
ISC "Irresponsible" for Withholding BIND Patches
The Internet Software Consortium is taking heavy criticism for the way it handled the release of patches for a new BIND vulnerability last week. ISC knew about the security holes in late October, but initially only provided fixes for paying members of its early-alert services. The advisory went public on November 12, though it took nearly a day longer for the patches to be readily available. Considering that BIND is critical DNS software running on millions of servers, and that the vulnerability could yield root access, many in the security community felt withholding the patches was both extortionary and irresponsible. [Hideaway.Net]
23:31
Tuesday, 19. November 2002
Glitch Opens T-Mobile User to Hacker Probes
An IT manager at the Associated Press found hacker probes on a PC tied to T-Mobile USA's mobile data network, raising concerns about whether he might be charged for the unwanted traffic. [Computerworld]
06:53
Thursday, 14. November 2002
Spamming Hacker runs up $10,000 bandwidth bill
The Napier firm's usual three-figure phone account arrived from Telecom as a five-figure shocker. He said an indication of how much internet time the hacker had used was reflected in the number of megabytes used during August when he struck. "At the end of a normal month they would have used in the region of 100 megabytes. At the end of August 12,000 megabytes had been used." As well, the company's internet site was left open and operating over one nine-day stretch without its knowledge. Mr Moore said there was little police could do because hackers often struck after taking a convoluted course through several countries. [Powered by News Is Free]
12:59
Thursday, 07. November 2002
Robot malpractice...
http://www.sptimes.com/2002/10/30/TampaBay/Patient_dies_in_robot.shtml
In a surgical operation to remove a cancerous kidney at St. Joseph's Hospital in St Petersburg, a three-armed da Vinci robot (made by Intuitive Surgical Inc.) was being controlled by an experienced doctor from a 3-dimensional computer screen, 10 feet away. The robot technology for cutting blood vessels is supposed to decrease bleeding, pain, and recovery time. Unfortunately, the patient's aorta and another blood vessel were cut, and this went unnoticed for an hour and one-half. Two days later, the patient died of complications. The developer found no mechanical problems, and absolved the robot, which had been used successfully in 10 similar operations. [Source: Patient dies in robot-aided surgery; Such robots are considered a major surgical breakthrough, but something went wrong, Graham Brink, *St. Petersburg Times*, 30 Oct 2002; PGN-ed]
[Classical case. The vendor absolves the technology, implicating the doctor. Others blame the robot. What about the doctor-machine interface? PGN] [Paul Saffo <psaffo@iftf.org> via risks-digest Volume 22, Issue 36]
04:30
Monday, 22. July 2002
Wrong number costs Gateway $3.6 million
A federal court has awarded a Pensacola business $3.6 million in damages from Gateway, which had accidentally distributed the wrong phone number for customer complaints to more than 275 Gateway stores. The error dated back to 1999, when someone at Gateway erred by using the 800 prefix instead of the correct 888 prefix for the company's toll-free customer complaint line. The wrong number was also posted on Gateway's Web site, listed on Internet billings and included on a form distributed to more than 100,000 Gateway customers. Mo' Money, which manufactures and distributes promotional items, said it contacted Gateway six days after the calls began, but that it took the computer company more than two years to fix the problem. "It was a nightmare," says Mo' Money president Cliff Mowe. "We had as many as 8,000 extra calls a month, and these were all angry people. You couldn't get them off the line because the only number they had was ours. You'd have to explain it and go through it, and a lot of times they'd call you right back anyway." [Associated Press, 19 Jul 2002; NewsScan Daily, 20 July 2002]
http://apnews.excite.com/article/20020719/D7KS83F82.html ["NewsScan" <newsscan@newsscan.com> via risks-digest Volume 22, Issue 17]
15:41
Sunday, 19. May 2002
Re: Apple: break your new PC with a copy-protected CD ... (R 22 07)
Is it a car company's fault if you put sugar water in the gas tank and it destroys the engine?
Is it a printer manufacturer's fault if you put toilet paper through your printer and completely destroy the print heads?
No -- it is the consumer's fault in those cases.
In the case of the copy protected CDs, things aren't so clear. It still isn't the computer manufacturer's fault -- at the time of design and manufacture, they cannot predict changes in technology and they certainly can't predict and account for changes in technology that are designed to break their products!
The problem with the copy protected audio CDs is that the CD manufacturer has purposefully designed a CD to be incompatible with computer hardware. They have purposefully violated a standard that hardware manufacturers have been manufacturing to for nearly two decades (since 1983/1984).
Let's rephrase the question slightly:
Should it be legal for antitheft devices to destroy property? In particular, should it be legal to destroy property in contexts where it is not 100% guaranteed that a theft was actually in progress?
That is exactly what the audio CD manufacturers (to be fair, the folks mastering the CDs) are doing. They are purposefully creating a piece of media that, when inserted into a computer, can cause data loss [a number of PCs outright crash when faced with these CDs] or even changes to the hardware that require relatively nasty fixes (as is the case with the Macs -- it doesn't hurt it, just leaves it such that there is no way to get the damned disk out).
Sure -- it may be the fault of the consumer for actually sticking the CD into their computer.
But it would seem that the folks that created the format in direct violation of published standards should share some of the blame and resulting liability. [Bill Bumgarner <bbum@codefab.com> via risks-digest Volume 22, Issue 08]
14:43
Thursday, 09. May 2002
More on Klez (Re: Slade, RISKS-22.05)
Rob Slade's comments on Klez were a useful summary of the broader aspects of this recent worm.
I agree that the unusual lack of publicity on this worm is puzzling and problematic. However, the much more disruptive aspect of this worm which Mr. Slade mentioned has been Klez's penchant for sending e-mail in other people's name.
Person A gets the virus, and his computer sends an infected e-mail to person B in the name of person C. At this point several things can happen, all of which cost the users (and their Network admins) oodles of time.
The most common is that person B sends an angry e-mail to person C (whom they often do not know) or worse, to person C's business/domain. Non-computer system admins want to know what person C is doing (and their questions are more pointed when Klez uses a sexually suggestive subject header). They look suspiciously at C, and at C's LAN admin, who had certified that C's computer was patched and had adequate virus protection. Explaining the complexities of this worm to less than computer literate admins often takes two or three attempts, and even then I think some of them still think they should ding someone.
Person B has a server based e-mail viral scanner and sends a notification of failure to deliver to C, who flips out, believing their computer is infected. Again, the complexities of this worm are hard to communicate, and much time is wasted trying to explain, and all the assurances you have given them about how up to date and secure their computer is (and why it is worth all the time and effort you put into antiviral and patches) suffer a credibility hit. User C may even try to contact B's domain seeking an explanation (and more time is wasted on all sides).
This is in effect a new form of identity theft, and the time wasted in orientation (what is going on?) and repairing perceptions and reputations can be substantial.
The risk? Too many e-mail users still believe that 'from' header, unaware how easy it is to fake. As Klez forces them to understand this, they almost certainly will over-react, which ultimately will undermine the efforts to make digital signatures and online validation more common.
Bob Morrell, Cancer Center, http://home.triad.rr.com/bmorrell/ ["Bob Morrell" <bmorrell@wfubmc.edu> via risks-digest Volume 22, Issue 07]
16:18
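The failure mode in the post above (person B's gateway scanner notifies the forged From: address and person C "flips out") comes down to trusting an unauthenticated header. Added here as an example, not from the RISKS post or this page: a small Python check that a gateway can run before sending any automatic notice. It compares the From: domain with the reverse-DNS name recorded in the outermost Received: header (the one the gateway's own MX added, so the worm host cannot forge it) and suppresses the notice when they do not agree. Both sample messages, all host names and addresses are constructed (RFC 5737 documentation ranges); `assess` and `parse_received` are names chosen here.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: what person B's gateway sees when Klez on person A's
# DSL machine sends mail "from" person C. Only the outermost Received: line
# (added by B's own MX) can be trusted; its reverse-DNS name is A's ISP, not C.
WORM_MSG = """\
Received: from c-corp.example (dsl-pool-7.isp.example [203.0.113.7])
\tby mx.b-corp.example (Postfix) with SMTP id 4F2A1
\tfor <b@b-corp.example>; Thu, 9 May 2002 10:00:00 -0400
From: "C. Person" <c@c-corp.example>
To: b@b-corp.example
Subject: a very funny game

(worm body omitted)
"""

# Constructed sample: a genuine message from C that really traversed C's MX.
GENUINE_MSG = """\
Received: from mail.c-corp.example (mail.c-corp.example [198.51.100.9])
\tby mx.b-corp.example (Postfix) with ESMTP id 4F2A2
\tfor <b@b-corp.example>; Thu, 9 May 2002 10:05:00 -0400
From: "C. Person" <c@c-corp.example>
To: b@b-corp.example
Subject: meeting notes

See attached.
"""

# "from HELO-NAME (REVERSE-DNS [IP]) by RECEIVING-HOST": the HELO name is
# whatever the client said, so the reverse-DNS name and IP are what we use.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\).*?\bby\s+(\S+)")


def parse_received(raw):
    """Return the Received: chain as (helo, rdns, ip, by) tuples, outermost first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the continuation lines
        m = RECEIVED_RE.search(flat)
        if m:
            hops.append(m.groups())
    return hops


def host_in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess(raw):
    """Is the From: header corroborated by the hop our own MX recorded?
    Returns where an automatic notice may safely go (None = suppress it)."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2]
    hops = parse_received(raw)
    # Trust only hops[0]: inner Received: lines can be written by the worm itself.
    corroborated = bool(hops) and host_in_domain(hops[0][1], from_domain)
    return {
        "from": from_addr,
        "from_domain": from_domain,
        "relay_ip": hops[0][2] if hops else None,  # where the mail really came from
        "from_corroborated": corroborated,
        "notify": from_addr if corroborated else None,
    }


if __name__ == "__main__":
    for label, raw in [("worm", WORM_MSG), ("genuine", GENUINE_MSG)]:
        print(label, assess(raw))
```

The safe action on a mismatch is to suppress the notice, not to accuse the relaying host: mailing lists and ISP smarthosts also produce legitimate mail whose outermost hop is not in the From: domain, so a mismatch means "unverified", nothing more. The check only says whose mail server did not handle the message; the `relay_ip` value is what a gateway should log for the incident.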
Monday, 04. February 2002
Instructive story
Here is a true story that illustrates several familiar RISKS.
My sister-in-law Karen Rakow was quite surprised recently to discover that according to a web site called slatkinfraud.com, she and her husband Robert had pocketed more than $5 million from a Ponzi scheme in which they were involved. All of this was false -- including the part about having a husband named Robert. The accusation on the web site hyperlinked to Karen's business and to her list of clients, and it even named one of her clients, so this was a big problem for her.
A little research revealed what had probably happened: a person named Karen Rakow was named in some court papers, and an Internet search for "Karen Rakow" had turned up a link to a person with that name, who the slatkinfraud.com people proceeded to accuse. [RISK #1: Accusing person of a crime based only on similarity of their name to that of a real suspect.] [RISK #2: Trusting Internet searches to give semantically correct (and not merely textually similar) results.]
So Karen asked the slatkinfraud.com people to remove the references to her, her business, and her clients from their web site. They replied by saying they had done so, but in fact they had only removed some of the references. Karen complained again, and they replied that "Our assistant webmaster has made another search and believes that all references to you and your company have now been removed from the site.
But we have 60 megabytes of material at slatkinfraud.com, so manual searches are not the most efficient way of doing this." [RISK #3: Using technology to build artifacts that are too large for you to manage.] [RISK #4: Making unverified modifications that you cannot easily undo.] Eventually all of the offending references were found and removed (we think).
Here is the really interesting part: the webmaster of slatkinfraud.com is a well-known computer scientist who definitely should have known better. [RISK #5: Thinking that RISKS only apply to newbies.] ["Edward W. Felten" <ed@felten.com> via risks-digest Volume 21, Issue 90]
00:00
disLEXia, a research project by Maximillian Dornseif