precedence: bulk Subject: Risks Digest 22.57 RISKS-LIST: Risks-Forum Digest Weds 19 February 2003 Volume 22 : Issue 57 FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at and by anonymous ftp at ftp.sri.com, cd risks . Contents: [Huge backlog. Sorry.] Playing Russian Roulette with traffic lights (Dan Foster) Scuba diving computer recall (Tom Race) Gambling on systems accountability (Irena Szrek) University software development fiasco (Identity withheld by request) Re: Identity theft evidently based on spoofing AOL (Identity withheld) REVIEW: "Mike Meyers' Certification Passport CISSP", Shon Harris (Rob Slade) REVIEW: "CISSP Training Guide", Roberta Bragg (Rob Slade) REVIEW: "Advanced CISSP Prep Guide: Exam Q & A", Krutz/Vines (Rob Slade) REVIEW: "The CISSP Prep Guide Gold Edition", Krutz/Vines (Rob Slade) More-Than-Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 19 Feb 2003 22:22:53 +0000 From: Dan Foster Subject: Playing Russian Roulette with traffic lights I came across a post by someone I know from previous posts in a travel USENET newsgroup -- Bill Mattocks, who mentioned an interesting cause of a car accident he was in on 2 Feb 2003 at the College and Nall intersection in Overland Park, Kansas. He was driving towards an intersection that was apparently in a flashing four-way red traffic signal so all cars came to a full stop and yielded appropriately. He then proceeded to drive through the intersection when it was his turn and after having verified the intersection and immediate vicinity was clear of any potential hazards, and had the monumental bad luck of having entered the intersection just as the lights suddenly started working again and it had signalled green in the lane at a 90 degree angle to him. End result? A BMW sped through the intersection, having seen a green, and didn't see his car until it was too late. (Both parties seems to be ok, with some minor injuries, fortunately.) The RISKS? The light *didn't* fail safely. Well, it did fail safely by reverting to a four way flashing red light which is equivalent to a four way stop sign. However, if it was properly designed, it would not have changed into any other mode without manual intervention by someone present at the control box by the intersection, along with a police officer to temporarily handle the traffic at moment the lights were put back into working order, manually. I realize that such an approach would have been burdensome in certain situations such as a large scale recovery after a power outage, but it's much less of a Russian Roulette-type of situation for drivers ("Is the light going to suddenly indicate green or red in my direction if it decides to start working again?") when properly handled. The crux being that there is no safe way to deterministically recover from such a failure without onsite manual intervention. Perhaps something that the Department of Transportation (DOT) and engineers at Crouse-Hinds (a major traffic light manufacturer) might take into account? ------------------------------ Date: 17 Feb 2003 05:35:20 -0800 From: tom.race@skipton.co.uk (Tom Race) Subject: Scuba diving computer recall [See also Risks in scuba equipment, Carl Page, RISKS-21.41] In simple terms, a dive computer monitors the amount of nitrogen dissolved in the diver's blood. Typically worn like a wrist watch, it tracks the diver's depth and calculates the absorbed nitrogen according to a mathematical model of the human body's various tissues. If a diver surfaces too quickly with too much nitrogen in the body it is released as bubbles within the blood or tissues, potentially causing injury or death through Decompression Sickness (DCS). Divers typically rely heavily on a computer to tell them when to surface to avoid DCS. The manufacturer below is being sued over the mathematical model, which has a faulty assumption, or more likely a complete oversight. The model embedded in this computer assumes that the diver on the surface continues to breath whatever gas mixture they were diving with. When the diver is using nitrox, a gas mixture containing extra oxygen and therefore less nitrogen than air, the computer will assume that they are releasing nitrogen at a higher rate than reality. Over several dives and several intervals on the surface, the state of the mathematical model and the diver's actual nitrogen levels may become seriously different, and in the 'wrong' (more risky) direction. A failure of requirements specification or code inspection? The lawsuit refers to a 'manufacturing defect'. I have an interest, since I have a nitrox computer from the same manufacturer. Fortunately mine is more recent, and I have not used it for gases other than air. Tom Race - - - - - - - - - - - - Uwatec, Scuba Pro and Johnson Outdoors Subject of Class Action Seeking Product Recall; 5 Feb 2003 Dive industry leaders Uwatec and Scuba Pro, and their parent company, outdoor equipment conglomerate Johnson Outdoors, Inc., have been sued in federal court by a former authorized reseller, Robert Raimo, seeking a mandatory recall of all Aladin Air X Nitrox dive computers manufactured before 1 Feb 1996. The suit seeks certification as a class action on behalf of all owners of the dive computers, and all persons who acted as retailers, dealers, wholesalers or distributors of the dive computers. The suit claims that 1995 model Aladin Air X Nitrox dive computers have a manufacturing defect that prevents the computer from switching from underwater to surface, or air mode when the user returns to the surface. As a result, the computer continues to calculate a diver's decompression obligations as if the diver were breathing enriched air, or nitrox, containing as little as 50% nitrogen, while on the surface, instead of properly calculating the diver's decompression obligations and off-gassing while the diver is breathing air, which contains 78% nitrogen. This defect causes the computer to underestimate residual nitrogen loads, and to overestimate the diver's safe repetitive bottom times, thereby significantly increasing the diver's risk of contracting decompression sickness (bends). The suit alleges that the defect is likely to affect experienced divers making multiple nitrox dives in a single day to maximize bottom time, such as those conducted on increasingly popular "live-aboard" dive vacations in exotic locations, far away from the nearest treatment centers capable of saving the life of a diver stricken with decompression sickness. The so-called "air-switching defect" was first described in an internal Uwatec memo dated 30 Jan 1996, which warned one of the company's test divers about "the faulty Aladin Nitrox". The memo described how to manually override the defect so the diver could safely use his computer until it was replaced by Uwatec. After this memo was sent to Uwatec's U.S. management, they drafted a product recall notice. However, the suit alleges the managers were fired before they could issue the recall notice, and the defendants have maintained a "conspiracy of silence" ever since. Copies of the 1996 memo and recall notice are attached as exhibits to the complaint and may be viewed on the News section of the Web site of Raimo's attorney, David Concannon, at www.davidconcannon.com. Raimo was stricken with Type II decompression sickness after using a 1995 model Aladin Air X Nitrox on four nitrox dives off Bonaire in Apr 2002. He is the former owner of two retail dive centers in New York. According to Concannon, the suit was filed as a class action only after Johnson, Scuba Pro and Uwatec rebuffed Raimo's requests that the companies issue a voluntary recall. The suit was filed in Oakland, California because four other lawsuits filed by divers alleging they were injured by the same model computer are currently pending there and are scheduled for trial in Nov 2003. Contact: David Concannon, 610-293-8084 David G. Concannon, Law Offices of David G. Concannon, LLC Strafford Building One, Suite 112, 150 Strafford Avenue Wayne, Pennsylvania 19087 Phone: (610) 293-8084 Fax: (610) 293-8086 concannonlaw@msn.com ------------------------------ Date: Sun, 16 Feb 2003 19:09:46 -0500 From: Irena Szrek Subject: Gambling on systems accountability I read with interest Peter Neumann's article on 'Gambling on Systems Accountability' in the 'Inside Risks' section of the February 2003 *Communications of the ACM* (Volume 46, Number 2). I can not agree more with Peter's observations on current drawback of computer systems security and need to focus on system integrity rather then confidentiality. I feel that as long as systems will not be designed with security and integrity as part of the system, and will not provide effective and conclusive audit capabilities, they will be exposed to insider or outsider fraud and will be targets of (at times successful) attacks. This is especially true in industries where ability to gain large sums of money is at stake, as in the off-track-betting systems Peter mentions, or in lottery and casino systems. I want to mention an approach to stop insider fraud in gaming systems that use random numbers. Random-number generators are used in gaming to decide outcomes of games, and are used in electronic drawing machines to pick draw numbers. Typically, the only security present is physical security; the audit trail, if any, is of the generation process, which can be circumvented by a skilled insider. We have introduced a new notion of 'unpredictable auditable random numbers', where audit of outcomes is an element of system design. With the use of digital signature, random numbers can be generated in a way providing conclusive audit of the numbers themselves. This guarantees that a proper set of random numbers is used for the plays or the draws, and is not tampered with by dishonest insiders. Irena Szrek, Szrek2Solutions 1-401-398-0395 http://www.szrek.com irena@szrek.com ------------------------------ Date: Wed, 19 Feb 2003 From: [Identity withheld by request] Subject: University software development fiasco If you are interested in yet another case of a large software project gone horribly wrong, then this is a beauty: Back in the planning stages, we had a Director of IT who loathed UNIX. So he decreed that the new academic record system would run on Windows back-end systems. Oracle and Peoplesoft said, "You want to do what!?" The new system was switched on in early November 2001 and the old system was simultaneously switched off. (NOTE, since we are in the Southern hemisphere, November is the time of peak demand for student grade processing, registration, etc.) It is now over a year after the system was switched on. The system still does not provide several of the key features that were touted as the reasons for its implementation. Information that has become public in the past year includes the fact that several U.S. universities have had significant problems with the system. And *their* version was simpler than ours since our university combines both a normal U.S. style university and an additional school that is a sort of combination VocationalTech and junior college. So, if it didn't work in the simpler U.S. environment, how could it possibly work here? The problems and risks that are highlighted here include: 1) Choose the best platform for the job. 2) The "big-bang" approach to implementation is always a disaster waiting to happen. Frequently the disaster doesn't wait. There were three problems which compounded the problem. There had been no real stress testing of the new system, it was rolled-out at the time of peak demand, and the old system, which would otherwise have provided a backout option, was switched off. 3) Non-technical people driving technical decisions. 4) Overly complex and ambitious systems being implemented as a single system and all at once rather than being phased in. Obviously, I'm sort-of on the inside on this, so I'd rather this didn't get published with my name. But, it is cautionary, at least to the extent that so many of the above problems keep getting repeated, in one form or another, year after year. I've been reading comp.risks for a long time now and it seems like some lessons are never learned. ------------------------------ Date: Wed, 19 Feb 2003 From: [Identity withheld by request; same contributor as above] Subject: Re: Identity theft evidently based on spoofing AOL (RISKS-22.56) About a year ago, we had a student who created a page based on the Hotmail password change page and then spammed Hotmail users with a poorly written e-mail, in fractured English, which instructed them to click on the link and change their Hotmail password. We estimate that it was active for no more than an hour. At the time he was shut down he had more than 120 username/ password combinations. Given the dodgy nature of the message from "Hotmail" and the fact that the URL was clearly of the form ,,,.edu.,,, it makes me wonder about the extent to which people seem to suspend critical judgment when they connect to the Net. I suppose that I shouldn't be so surprised, given the number of hoax virus messages that seem to regularly get forwarded. ------------------------------ Date: Mon, 13 Jan 2003 08:20:51 -0800 From: Rob Slade Subject: REVIEW: "Mike Meyers' Certification Passport CISSP", Shon Harris BKMMCISP.RVW 20021106 "Mike Meyers' Certification Passport CISSP", Shon Harris, 2002, 0-07-222578-5, U$29.99/C$44.95 %A Shon Harris shonharris@hotmail.com www.intenseschool.com %C 300 Water Street, Whitby, Ontario L1N 9B6 %D 2002 %G 0-07-222578-5 %I McGraw-Hill Ryerson/Osborne %O U$29.99/C$44.95 +1-800-565-5758 +1-905-430-5134 fax: 905-430-5020 %O http://www.amazon.com/exec/obidos/ASIN/0072225785/robsladesinterne %P 422 p. %T "Mike Meyers' Certification Passport CISSP" There is a "Check-In" foreword, which seems to be about the series, and an introduction that provides a very terse overview of the CISSP (Certified Information Systems Security Professional) exam. The book consists of ten chapters, one for each of the CBK (Common Body of Knowledge) domains. "Security Management Practices" demonstrates that the book is perhaps a bit too thin: illustrations and other materials from Harris' "All-in-One" guide (cf. BKCISPA1.RVW) appear, but most of the tutorial material is vague and generic. (When covering "controls," a vital concept in this domain, the text provides an "exam tip" that controls should be visible enough to deter misdeeds, but not visible enough to be avoided, but completely neglects the second axis of the control matrix, which covers deterrence, detection, and so forth.) The review questions at the end of the chapter are better than some, but still quite simplistic. As well as being limited, the content is suspect in places: a "cognitive password" is very insecure, and why would a retina scanner blow air into your eye? The "Computers 101" part of "Security Architecture and Models" is all right, although very brief and with significant gaps, but the formal models are simplified to a problematic extent (and the explanation of lattice models is flatly wrong). The "Physical Security" chapter is probably adequate for study purposes. Even after all of the above, I was surprised at how poor the material in "Telecommunications and Networking Security" was. The TCP/IP content is definitely insufficient, and specific errors are made in a number of areas (such as the ability of PPTP [Point-to-Point Tunneling Protocol] to encrypt data). "Cryptography" is limited to little more than the terms involved, and it is odd how much space is wasted on editorial comment. (The text could also use a bit more organization: a number of topics appear, in isolation, at a fair distance away from related items.) "Disaster Recovery and Business Continuity" is terse, but possibly sufficient for study purposes. The material in "Law, Investigation, and Ethics" is problematic: it appears to be somewhat dated and has some important gaps, such as corporate liability, interviewing, and the process of incident response. A great deal of the content in "Application Development" seems to have been parroted without any understanding: the iterative class of systems development models are not collected, the spiral model description is incorrectly described, the point of Java as a hybrid of compilation and interpretation seems to have been completely lost, and the malware text is rife with errors. "Operations Security" doesn't have as many mistakes, but it seems to be pretty much of an unorganized grab bag of topics. Yes, I can see the need (or desire) for a short and quick reference to the CISSP CBK. However, if you are going to take on that task, you have to make every single word (and figure) count. This book doesn't. Since McGraw-Hill also published "CISSP All-in-One Certification Exam Guide" they should probably have heeded the old dictum that "if it ain't broke, don't fix it." As it is, this work is well back in the CISSP pack, along with "Secured Computing" (cf. BKSCDCMP.RVW) and "CISSP for Dummies" (cf. BKCISPDM.RVW). copyright Robert M. Slade, 2002 BKMMCISP.RVW 20021106 ------------------------------ Date: Tue, 11 Feb 2003 08:10:53 -0800 From: Rob Slade Subject: REVIEW: "CISSP Training Guide", Roberta Bragg BKCISPTG.RVW 20030127 "CISSP Training Guide", Roberta Bragg, 2003, 0-7897-2801-X, U$69.99/C$108.99/UK#50.99 %A Roberta Bragg Roberta.Bragg@mcpmag.com %C 201 W. 103rd Street, Indianapolis, IN 46290 %D 2003 %G 0-7897-2801-X %I Macmillan Computer Publishing (MCP) %O U$69.99/C$108.99/UK#50.99 800-858-7674 info@mcp.com %O http://www.amazon.com/exec/obidos/ASIN/078972801X/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/078972801X/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/078972801X/robsladesinterne %P 727 p. + CD-ROM %T "CISSP Training Guide" The introduction and frontmatter appear to be much more concerned with the structure of the book (and this particular series of books) than the CISSP (Certified Information Systems Security Professional) exam. The initial list of topics covered by the domains has notable gaps and some oddities in organization. Part one is entitled "Exam Preparation," and is divided into the ten standard domains of the CBK (Common Body of Knowledge). Chapter one, on access control, shows problems right away. The first paragraph tries to distinguish between access control and authentication, but doesn't really outline the relationship between the two concepts, let alone dealing with the broader and more usual interrelated ideas of identification, authentication, authorization, and accountability. When discussing access models, the lattice content touches on advanced outcomes of the model, but not the basic principles. The biometric material is simply inadequate. There are sample questions at the end of the chapter, and this first set, at least, do appear to be crafted in order to avoid the usual "reading check" level of simplicity, but the wording is extremely poor and many answers are either flatly wrong or highly misleading. Similar problems are evident with telecommunications and networking, in chapter two, which has excessive space given to topics like cabling characteristics, poor explanation of the relationship between tunnelling and virtual private networks, an overview of intrusion detection that contradicts the material in chapter one, and some completely idiosyncratic terminology. The answers to sample question are more correct, but only because the questions themselves are overly simplistic. The rudimentary factors of security management are discussed in chapter three, but in a confused fashion, not assisted by the fact that topics are repeated and sections from other domains are introduced for no apparent reason. The central material is very brief, despite the sixty pages devoted to the topic, and entire sections, such as the various evaluation criteria, are missing. Applications development, in chapter four, does possibly provide enough information to deal with the CISSP exam on this subject, but lists lots of problems without many solutions, and has a great deal of extraneous material such as lists of different types of memory (fast page mode [FPM] versus extended data out [EDO] dynamic random access memory, for example). I thought the introduction to cryptography, in chapter five, wasn't all that bad (absent details such as the key in a one time pad having to be no shorter than the message being sent). That is, until I realized that it was the entire chapter, and details about any form of encryption, digital signatures, and the requirements for certification and a public key infrastructure were completely missing. Chapter six does cover the elemental points of security architecture, but in a disorganized manner, and has no material at all dealing with computer architecture. Operations security is discussed in terms of details like specific logs in Windows 2000 and updating antiviral scanners, and chapter seven misses more general concepts and operating principles. Business continuity and disaster recovery planning, in chapter eight, does provide most necessary information about the process, except for the recovery phase. Law, in chapter nine, concentrates too heavily on US legislation, and the investigative process fails to address incident response, interviewing, and relations with outside agencies. Chapter ten again covers physical security with specific details rather than underlying concepts. Part two is a review. About half of the "Fast Facts" are useful and the rest aren't: it would be hard for an exam candidate to know which is which. The study and exam prep tips are generic, and probably not much help. The practice exam questions are, like most of the sample questions in the book, far too simplistic and particular to properly prepare candidates for the actual CISSP exam. Despite the size of this volume, it does not contain as much information as, say, Harris' "CISSP All-in-One Certification Exam Guide" (cf. BKCISPA1.RVW), nor is it organized as well as the Krutz and Vines work (cf. BKCISPPG.RVW). It is closer to the Endorf (cf. BKSCDCMP.RVW), Miller/Gregory (cf. BKCISPDM.RVW), or the second Harris (cf. BKMMCISP.RVW) works, and therefore its utility as preparation for the CISSP exam is questionable. copyright, Robert M. Slade, 2003 BKCISPTG.RVW 20030127 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: Wed, 5 Feb 2003 08:28:24 -0800 From: Rob Slade Subject: REVIEW: "Advanced CISSP Prep Guide: Exam Q & A", Krutz/Vines BKADCIPG.RVW 20030110 "Advanced CISSP Prep Guide: Exam Q & A", Ronald L. Krutz/Russell Dean Vines, 2003, 0-471-23663-2, U$50.00/C$77.50/UK#37.50 %A Ronald L. Krutz %A Russell Dean Vines %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2003 %G 0-471-23663-2 %I John Wiley & Sons, Inc. %O U$50.00/C$77.50/UK#37.50 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/0471236632/robsladesinterne %P 331 p. + CD-ROM %T "Advanced CISSP Prep Guide: Exam Q & A" Like "The Total CISSP Exam Prep Book" (cf. BKTCIEPB.RVW) before it, this volume contains no tutorial material, only questions, and then questions and answers. The format is quite similar to the Peltier work, with the book divided into the standard ten domains. A major difference is the inclusion of a CD-ROM with a testing engine. Every CISSP candidate wants sample exams and sample questions, so the query remains, are the questions any good? The CD-ROM contains "the Boson-powered test engine," but the questions are not quite as simplistic as those on the Boson exams. They tend to be longer, and, at first glance, look a lot more like real CISSP exam questions. However, upon closer examination, two problems become obvious. One is that a number of the questions are still very simple, despite the additional verbiage. They concentrate on pure recitation of facts, without the analysis and critical thinking that the actual exam requires. The second issue is that a large number of questions rely on very specific, and often esoteric facts. Again, this is counter to the genuine test, where concepts and principles are emphasized. Occasionally these two difficulties combine in a single question, such as "Which choice below is NOT one of NIST's 33 IT security principles?" If you haven't fully memorized NIST's 33 security principles, don't worry. Even if you have no idea where to find NIST's 33 security principles you can still get the answer. One of your options is "Totally eliminate any level of risk." Even the rawest security neophyte can tell you that, since this is impossible, it obviously has to be the right answer. This book may give you a somewhat better idea of the types of questions you may encounter, and the range of topics you may need to know. As preparation for the exam, however, it will both scare you unnecessarily (although if it drives you to take the ISC2 course, that might not be a bad thing), and fail to prepare you fully. copyright Robert M. Slade, CISSP, 2003 BKADCIPG.RVW 20030110 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: Wed, 12 Feb 2003 08:04:50 -0800 From: Rob Slade Subject: REVIEW: "The CISSP Prep Guide Gold Edition", Krutz/Vines BKCIPGGE.RVW 20030130 "The CISSP Prep Guide Gold Edition", Ronald L. Krutz/Russell Dean Vines, 2003, 0=471-26802-X, U$80.00/C$124.50/UK#59.50 %A Ronald L. Krutz %A Russell Dean Vines %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8 %D 2003 %G 0=471-26802-X %I John Wiley & Sons, Inc. %O U$80.00/C$124.50/UK#59.50 416-236-4433 fax: 416-236-4448 %O http://www.amazon.com/exec/obidos/ASIN/047126802X/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/047126802X/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/047126802X/robsladesin03-20 %P 944 p. + CD-ROM %T "The CISSP Prep Guide Gold Edition" I happened to notice, in the preparation of this review, that a certain online bookstore has a special in relation to this title. You can buy it, along with the "Advanced CISSP Prep Guide: Exam Q & A" for a price slightly less than that of the two volumes together. Pity those who take the bookstore up on their offer: this volume is nothing more than "The CISSP Prep Guide" (cf. BKCISPPG.RVW) and "Advanced CISSP Prep Guide: Exam Q & A" (cf. BKADCIPG.RVW) bound together. The authors have done some updating: there are, for example, a few additional pages of material on wireless security. The authors have improved their coverage of the Common Criteria--by reprinting the explanation that is provided on the National Institute of Standards and Technology (NIST) Web site. Overall, however, the same comments appropriate to Krutz and Vines' original books still apply, so what I said was, for those studying for the CISSP exam, this book does provide a guide to the topics to be covered. If you are confident that you know more than the book at every point, you should be in good shape to sit the exam: if not, you will have to get help somewhere else. If you are studying for another security course, or are a security professional, this work will not have much to offer you. This volume may give you a somewhat better idea of the types of questions you may encounter, for the CISSP exam. As preparation for the exam, however, it will both scare you unnecessarily and fail to prepare you fully. copyright, Robert M. Slade, 2003 BKCIPGGE.RVW 20030130 rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade ------------------------------ Date: 19 Feb 2003 From: RISKS-request@csl.sri.com Subject: More-Than-Abridged info on RISKS (comp.risks) [See www.risks.org for the archives of back issues, almost all of which include info on RISKS. (This issue is an exception.) PGN] ------------------------------ End of RISKS-FORUM Digest 22.57 ************************