Tuesday, 03. December 2002
Data loss at open-source website SourceForge [Update]
[Files deleted at SourceForge.]
For several days now, a number of SourceForge users have wanted to know why files for their projects' web pages disappeared at the end of November. In a notice addressed to all users, the operators of the site, through which numerous open-source projects are coordinated and maintained, have now taken a position. The delay, they explain, was because they first wanted to work out a detailed plan for fixing the problem.
The reason for the mysterious, but apparently deliberate, disappearance of the files was that all files belonging to a project's web pages that are meant to be accessed via CGI or PHP scripts are world-writable -- which means that, in principle, anyone can delete this data. This is inherent to the system and a "known limitation", the SourceForge operators stressed. And it was this data -- normally not the actual data of the programming project itself -- that was affected by the deliberate deletions.
Since the SourceForge operators say they cannot fix the cause, they advise all users to adopt an adequate backup strategy. SourceForge itself cannot take on this task, as requirements differ from project to project. The operators are, however, making a two-week-old backup available on a one-time basis to users whose project files were deleted. (pab/c't)
[heise]
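The world-writable web files that the notice describes are exactly the kind of setting a project owner can audit from a shell account. The script below is an added example, not SourceForge's or heise's code; the directory layout (htdocs/data) and file names are constructed for the demo. It lists every entry under a directory that any user can write to, and then strips the other-write bit from those entries.

```shell
#!/bin/sh
# Audit a project web directory for world-writable entries and harden it.
# Added example; the paths used in demo() are constructed, not real.

# Print every file or directory under $1 that any user can write to.
# -perm -002 matches entries whose "other" write bit is set.
find_world_writable() {
    find "$1" -perm -002 -print 2>/dev/null | sort
}

# Return 0 if nothing world-writable is found under $1, 1 otherwise,
# printing the offending entries in the latter case.
audit_dir() {
    hits=$(find_world_writable "$1")
    if [ -n "$hits" ]; then
        printf 'world-writable entries under %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Remove the "other" write bit from everything under $1; owner and group
# bits are left alone, so the project's own scripts keep their access.
harden_dir() {
    find "$1" -perm -002 -exec chmod o-w {} +
}

# Self-contained demo on a constructed temporary tree: one file and one
# directory carry the weak setting, the rest are normal.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/data"
    printf 'hello\n' > "$tmp/htdocs/index.html"
    printf 'counter=0\n' > "$tmp/htdocs/data/counter.txt"
    chmod 666 "$tmp/htdocs/data/counter.txt"   # weak: anyone can overwrite
    chmod 777 "$tmp/htdocs/data"               # weak: anyone can delete inside
    audit_dir "$tmp/htdocs" || true            # reports the two entries
    harden_dir "$tmp/htdocs"
    audit_dir "$tmp/htdocs" && echo "clean after hardening"
    rm -rf "$tmp"
}

demo
```

Removing the bit also removes the write access that CGI or PHP scripts running as the web server's user relied on, which is why the notice calls the situation a known limitation; the audit half of the script is useful on its own, because it tells a project owner exactly which files are exposed and therefore which ones the backup strategy has to cover.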
14:23
Friday, 07. December 2001
SMS phone crash exploit a risk for older Nokias
SMS phone crash exploit a risk for older Nokias, by John Leyden, 12 Jun 2001
Nokia has upgraded its phone software to guard against a security glitch
that might allow a cracker to render a phone inoperable by sending a text
message. However, older phones may still be vulnerable.
http://www.theregister.co.uk/content/55/23232.html ["monty solomon" via risks-digest Volume 21, Issue 82]
00:00
Thursday, 29. November 2001
How to crash a phone by SMS
By John Leyden
Posted: 28/11/2001 at 18:20 GMT
So now you can send an SMS and crash a mobile phone, so that the user is
locked out. Job de Haas, a security researcher at ITSX, has adapted a
program called sms_client, which sends an SMS message from an
Internet-connected PC, in which the User Data Header is broken.
During a presentation during the Black Hat conference last week, he
demonstrated how a malformed message crashes a Nokia 6210 phone on its
receipt. Once the message is received it is impossible to turn on an
infected phone again. ...
http://www.theregister.co.uk/content/55/23080.html [Monty Solomon via risks-digest Volume 21, Issue 80]
00:00
Saturday, 17. August 1996
"Vandalized" nuclear controls - Florida
The FBI pulled out of an investigation concerning glued switches discovered
in a backup control room at FPL's Hutchinson Island (near Ft Pierce,
Florida) nuclear facility, so reports the AP in an item carried in 16
August's _Florida Today_.
A security alert was issued Wednesday when glue was discovered in three
locked switches in the backup control room, a facility used in case the
primary control room is unusable. An FBI spokesman is quoted as justifying
pulling out of the investigation because the FBI lacked "jurisdiction...it
really came down to an act of vandalism or tampering."
The piece fails to mention the plant features that would have been affected
by the glued switches.
Investigation is reportedly focused on employees. The article implies
a link between the vandalism and complaints about a November round of
job cuts at the facility. [hgoldste@mpcs.com (Howard Goldstein) via risks-digest Volume 18, Issue 35]
18:18
Saturday, 02. March 1996
``Racist hacker shuts down Internet provider''
BerkshireNet in Pittsfield, Massachusetts, was the victim of an attack on 27
Feb 1996 in which someone planted swastikas and racist messages while
masquerading as the provider's administrator, erased data on two computers,
and then shut down the system. It was off the air for about 12 hours.
Older deleted files were restored, but files created in the last several
days were lost. [Source: *Palo Alto Daily News* (a relatively new local
freebie paper that is off to a good start), 2 Mar 1996, p. 6] ["Peter G. Neumann" via risks-digest Volume 17, Issue 83]
16:21
Friday, 08. December 1995
Denial of service attack: sabotaged electrical panel
Here at the University of Florida we appear to have been the victims of a
new variant of the "pull the fire alarm before the exam" attack. This week
has been the week before finals -- known locally as "dead week" -- when many
major projects and papers are due.
On Monday afternoon someone sabotaged the main circuit breaker to the entire
Computer Science and Engineering (CSE) building. The building houses the
computer science department, elements of the electrical engineering
department, a huge computer lab and a VAX cluster used by the general
student population, and the campus network operations center. A new breaker
had to be ordered from the manufacturer in Iowa. Apparently the breaker is
not a stock item but a custom manufacturing job.
By Tuesday morning power had been restored by borrowing a breaker from the
Marston Science Library (MSL) -- really part of the same building but with
an independent main electrical panel. While power was being restored to the
CSE, the MSL had to be closed, because it didn't have power at that point. A
planned power outage was scheduled for 10p-midnight so that the new breaker,
due to arrive late Tuesday, could be installed. Unfortunately, at about
6:00p Tuesday the vandal struck again and vandalized the same breaker. At
this point we had no functioning circuit breakers on site. Another breaker
was ordered from the manufacturer at this point. Since we had been stung
twice the campus police became very aggressive. The building was declared
"sealed" by the police although no stronger measure than locking the doors
was taken to "seal" the building. The police ejected staff members who were
on site to ensure that when power was restored things would be started
correctly and in a timely manner.
Another planned outage was scheduled for Wednesday night 10pm-3am so as to
allow the second new breaker to be installed in the MSL. By Thursday morning
we were on the path to a full recovery. There were no signs of forced entry
to the electrical closet where the main panel is housed (so we've been told)
in both of the events. After the panel was sabotaged the second time the
panel was kept under guard by the University Police until the lock had been
changed. At this point nobody has been arrested. Given that this attack
caused a great deal of hardship for a lot of students, staff and faculty,
the culprit would be a fool to advertise his or her daring. It's also worth
noting that the culprit probably put his or herself in danger in sabotaging
the panel since he or she did not cut the power at the main before
sabotaging the main breaker.
Jon Mellott, High Speed Digital Architecture Laboratory,
University of Florida (jon@alpha.ee.ufl.edu) ["Jon Mellott" via risks-digest Volume 17, Issue 53]
15:59
Friday, 17. November 1995
AOL Alerts Users to "Trojan Horse" (Edupage, 16 November 1995)
America Online issued a warning to its users about a destructive file
attached to an e-mail message that has been circulating through its service
and also over the Internet. The message itself is okay, but trying to run
an attached "Trojan Horse" file called AOLGold or "install.exe" could crash
a hard drive. (Atlanta Journal-Constitution 16 Nov 95 F7) [Educom via risks-digest Volume 17, Issue 46]
07:26
Thursday, 02. February 1995
Attack on glass fibre cables causes Lufthansa delays
Unknown attackers interrupted, on Wednesday, Feb. 1, 1995, 7 glass fibre cables
near Frankfurt/Main airport. As parts of the cables were cut out, about
15.000 telephone lines were interrupted. The cables also carried data for
Lufthansa's booking computers; consequently, new reservations had to be made
manually. As Lufthansa's main computers (installed at Frankfurt airport)
were cut off for some time, delays of up to 30 minutes were caused.
According to diverse German media, police have no information about
the background of this criminal attack.
Klaus Brunnstein (February 2, 1995) [Klaus Brunnstein via risks-digest Volume 16, Issue 78]
09:38
Sunday, 28. August 1994
Vandals Cut Cable, Slow MCI Service
From the Washington Post newswire (94.08.27):
VANDALS CUT CABLE, SLOW MCI SERVICE
By Elizabeth Corcoran
Washington Post Staff Writer
"Telephone calls between New York City and Washington on the MCI network
encountered traffic jams yesterday afternoon after vandals removed a segment of
cable in Newark. The problems began just before 2 p.m. and lasted until 5:45
p.m.
"MCI Communications Corp. spokesman Jim Collins said vandals `neatly cut'
out a 20-foot segment of fiber-optic cable that ran along a railroad overpass
above a street in Newark. The cable, which was wrapped in a thin plastic
casing, was not easy to reach."
The article continues with the following key points:
o Repairs took about an hour after the break was located.
o NJ residents, in particular, got many busy signals when alternative
routes were saturated.
o Brokers on the NASDAQ exchange, including Dow Jones, were affected.
o Motives for the theft of 20 feet of fiber optic cable are unknown.
[Comments by MK: could this be a dry run for a class-3 (international)
information warfare attack? "Let's see what happens when we deliberately
interfere with one of the major carriers...."]
M.E.Kabay,Ph.D./DirEd/Natl Computer Security Assn ["Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com> via risks-digest Volume 16, Issue 36]
17:12
Friday, 14. August 1992
Security breach cited as class schedule erased (UBC)
(From _The Vancouver Sun_ August 13, 1992. Article by Lynn Moore)
University of B.C. student Tamiko Musgrove thought the worst had happened when
she checked on her class schedule for September and found she didn't have one.
Only two weeks earlier, Musgrove had used UBC's telephone registration system
and managed to get all nine courses she needed for her second year of study,
including those hard-to-get labs. Someone, Musgrove concluded after a brief
investigation, had breached the security of the Telereg system and wiped out
her courses. A Telereg hotline operator told her someone using her student
number and birth date entered the system one week after she chose her courses
and dropped them one by one. And seven of the nine courses she wanted had
filled up since then. Although Musgrove was quickly reinstated into her
courses after assuring UBC it wasn't she who dropped them, she still wonders if
Telereg security is up to snuff. UBC registration coordinator Sham Pendleton
says it is and what happened to Musgrove is rare. "One or two students each
year" claim their registration files have been tampered with through the
Telereg System, Pendleton said. And Martin Ertl of the Alma Mater Society said
Telereg security breaches have not been reported to the student association.
Students should keep their eight-digit identification number to themselves,
Pendleton said. That and their birth date combine to make the Telereg access
code. "Chances of someone knowing that combination of numbers is very, very
slim," she said. Student identification numbers have to be used on every
assignment and lab that is handed in to be marked, countered Musgrove, and it
would not be difficult for a determined classmate to learn a student's number.
Birth dates are a little more difficult to figure out but not impossible, said
Musgrove, who believes that a male classmate who was harassing her last year
erased her courses. Pendleton said that when cases like Musgrove's arise,
students are put back into their original courses and given a new _and
fictitious_ birthday. Students can also request that a new birth date be
assigned to them if they fear their numbers are known to others, she said.
Thomas Dzubin, tdzubin@cue.bc.ca [tdzubin@cue.bc.ca (Thomas Dzubin) via risks-digest Volume 13, Issue 73]
01:43
Friday, 07. August 1992
"Bug" or fraud?
The following appeared in the Thursday, Aug. 7, 1992, NJ Star Ledger.
"Bug" Backfires on Computer Consultant
NEW YORK (AP) -- A computer consultant must pay $25,000 to a Manhattan
law firm whose computer system crashed because he put a "bug" in it.
Donald R. Lewis hoped the bug would cause the law firm of Werner,
Zaroff, Slotnick, Stern and Askenazy to call him for repair work after the
system collapsed, according to Civil Court Judge Richard F. Braun. Lewis was
hired in 1985 to upgrade the firm's computer system, which tracks medical
payments of auto accident victims to health care providers. The patients,
under the state's no-fault insurance law, assign their awards to the health
care professionals. Lewis initially estimated the upgrade would cost up to
$5,000, but the firm eventually paid him some $21,000.
In the months that followed, Lewis periodically called the firm's
receptionist to see if the computer file had entered claim number 56789. In
July 1986, six months after the firm made its last payment to Lewis, the
computer system shut down. It had filed claim number 56789, Braun
said. Lewis had put a "conditional statement" in the computer's software
which caused it to stop functioning at claim number 56789, the judge said. The
law firm paid another consultant $7,000 to fix the problem.
[Once again this brings up the concern of people thinking that anything that
happens in a computer system that wasn't expected by the end users is a bug.
I'd like a job where I got paid $7000 to remove a "conditional statement."
John Kriens jkriens@decoy.cc.bellcore.com] [decoy!jkriens@uunet.UU.NET (24474-kriens) via risks-digest Volume 13, Issue 71]
14:12
Monday, 03. February 1992
`Virus' in Lithuanian Atomic Power Plant
"Berliner Zeitung", 3Feb1992 ([East] Berlin), translated by DWW.
"Sabotage fails - Virus in Power Plant Program for the Lithuanian Atomic Power
Plant in Ignalina vaccinated
Vilna/Moscow (dpa)
This past weekend an act of sabotage against the computer system for the atomic
power plant in Ignalina failed. A worker in the computer center of the plant
tried on Thursday to plant a virus in a program in the non-nuclear part of the
reactor, in order to cause disruption.
dpa learned on Saturday from Vilna that the man probably wanted to get money
from the reactor managers for repairing the damage he himself caused. The plant
engineers managed, however, to repair the damage themselves in a very short
time, according to information from the news agency ITAR-TASS, which is based
on information from the government press office in Lithuania. A warrant for the
arrest of the saboteur has been issued, and officials state that he will be
prosecuted.
The shutdown of one of the two reactors since Thursday has nothing whatsoever
to do with the attempted sabotage, said the deputy Lithuanian energy minister,
Saulus Kutas. ["Wer das glaubt, wird seelig." LOOSELY TRANSLATED AS "If you
believe that, you'll believe anything." dww]
[And goes on to explain about the tiny leak in the cooling system and how the
water is not radioactive, and there are no problems, and a team of Swedish
specialists looked at the reactor and found no big problems, but they do have a
list of 20 little things they want to look at, and the Swedish government is
going to pay for it all.]"
Debora Weber-Wulff, Institut fuer Informatik, Nestorstr. 8-9, D-W-1000 Berlin 31
+49 30 89691 124 dww@inf.fu-berlin.de [weberwu@inf.fu-berlin.de (Debora Weber-Wulff) via risks-digest Volume 13, Issue 10]
07:40
Wednesday, 06. November 1991
Computer Saboteur Pleads Guilty
In RISKS-11.95, PGN reported on "Programmer Accused of Plotting to Sabotage
Missile Project." Here's the next installment:
Computer Saboteur Pleads Guilty: Michael John Lauffenburger, 31, a former
General Dynamics computer programmer who planted a destructive `logic bomb' in
one of the San Diego defense contractor's mainframe computers, pleaded guilty
to one count of attempted computer tampering. He faces up to one year in
prison and a fine of $100,000.
Federal prosecutors said Lauffenburger had hoped to increase his salary by
creating a problem only he could solve: a program that was designed to destroy
a database of Atlas Rocket components. He set the program to activate, then
resigned, hoping, investigators say, that the company would rehire him as a
highly paid consultant once it discovered the damage. But another General
Dynamics programmer inadvertently ran across the program and alerted security,
which disarmed the program.
[Source: Wire service report in the `Los Angeles Times', 5 Nov. '91, p. D2] [Rodney Hoffman via risks-digest Volume 12, Issue 60]
14:50
Monday, 28. October 1991
Porn-Sabotage in Italian newspaper
Two national newspapers (Corriere Della Sera and La Repubblica) reported on
25, 26 and 27 October on a series of incidents that occurred at a third Italian
newspaper, La Notte, circulated in the Milan metropolitan area.
On Thursday 24 October someone (probably an insider) altered an advertisement
for a coffee brand, exploiting the lack of access control on the computer
system used by the editorial staff to prepare the journal.
Each occurrence of the word 'coffee', including the headline, was changed to
the four-letter (in Italian too.. :-) bad word commonly used to denote the
female sexual organ.
The fact was discovered too late to block distribution of the first printing
of the morning edition (35.000 copies).
The day after, the prankster struck back, twice. He (or she) turned a definition
in a crossword puzzle into an obscene phrase, and in the horoscope suggested
to Capricorn-born: "explain as soon as possible a misunderstanding with a
colleague: just put your hands on her ***" (politely: 'her buttocks'). The
horoscope modification was caught in time by an emergency revision task-force, but the
crossword wasn't.
The journalists have been denouncing the RISKy situation since last winter, and
are ready to withdraw their signatures from articles if the present situation
lasts, in which everyone with minimal skills can modify everything, even the
camera-ready files.
An internal inquiry was opened and a complaint against persons unknown presented to law
enforcement.
Enrico Musio, Politecnico di Milano , Italy ele9059@cdc835.cdc.polimi.it [Enrico Musio via risks-digest Volume 12, Issue 57]
12:12
Tuesday, 02. October 1990
Novel on corporate computer espionage
Corporate espionage by computer is the subject of a new novel _The
Fool's Run_ by John Camp. When plans for the latest fighter plane
target acquisition hardware and software are stolen, a defense
contractor decides that only by sabotaging the development work of a
competitor can it be sure of being the only company in a position to
demonstrate the system by the deadline. The company hires Mr. Kidd
(artist, software designer, former commando) to invade the competitor's
computers and disrupt their operations for a few weeks. They say:
the best way ... is through their computer systems--design systems,
accounting systems, information systems, scheduling and materials.
Altering them, destroying them, faking them out.
In the style of a classic caper novel, Kidd assembles a team including a
burglar and a sleazy reporter and attacks the defense contractor,
disrupting their operations from all sides.
The author handles the computer entry techniques well. There is only a
small amount of "magic" involved, and most of that is performed in the
background by "Bobby" (a former phone-phreak we meet only by way of a
data link) who handles such things as telephone trace bypasses. The
discussions of computer security techniques are right on target, and the
supposed level of security at the target company is on par with what
I've seen at several of the places I've worked. When it comes to the
actual disruptions things get a little fuzzier, although not to the
point that it fails to work as a novel.
In real life, most malicious computer attacks have been committed by
disgruntled employees or former employees. Most computer viruses have
been written by misguided enthusiasts. I haven't heard of this kind of
attack against one company by another. That doesn't mean it hasn't
happened, and it certainly doesn't mean that it won't happen. I fear
this book may give some people ideas.
Camp, John _The Fool's Run_ ISBN 0-451-16712-0 Signet $4.95
Philip Brewer pbrewer@urbana.mcd.mot.com
Motorola Urbana Design Center ...!uiucuxc!udc!pbrewer [pbrewer@urbana.mcd.mot.com via risks-digest Volume 10, Issue 47]
15:07
disLEXia, a research project by Maximillian Dornseif