Home page logo
/

risks logo RISKS Forum mailing list archives

Risks Digest 27.38
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 26 Jul 2013 10:53:03 PDT

RISKS-LIST: Risks-Forum Digest  Friday 26 July 2013  Volume 27 : Issue 38

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/27.38.html>
The current issue can be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Star Wars Redux (Peter G. Neumann)
Hackers Reveal Nasty New Car Attacks--With Me Behind The Wheel
  (Andy Greenberg via Steve Goldstein via Dewayne Hendricks)
The risks of DNA "Certainty" (Bob Frankston)
Cybersecurity hacking estimates exaggerated for profit (Lauren Weinstein)
PIN-Punching Robot Cracks Phone's Security Code In 24 Hours (Andy Greenberg
  via Henry Baker)
"Researchers spot new breed of infected Android apps in the wild"
  (Ted Samson via Gene Wirchenko)
"SIM cards vulnerable to hacking, says researcher" (Jeremy Kirk via
  Gene Wirchenko)
Citi Bike Accidentally Exposes Customer Credit Card Information (Ted Mann
  via Jim Reisert)
Re: PayPal 'credits' US man $92 quadrillion in error (Mark Brader,
  Bill Stewart, Chris Drewe)
Fool proofs? (Re: UBS fined $30,000 for a typing error, Bertrand Meyer)
Re: Government Destroys $170k of Hardware ... (Rob Slade)
Hardware destruction in perspective (Steve Lamont)
Re: "How the Pentagon's payroll quagmire traps soldiers (Gene Wirchenko)
Re: "How to Build Versatile and Reusable Software" (Gene Wirchenko)
REVIEW: "Intelligent Internal Control and Risk Management", Leitch
  (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 25 Jul 2013 13:47:06 PDT
From: "Peter G. Neumann" <neumann () csl sri com>
Subject: Star Wars Redux

In the very first RISKS issue, RISKS-1.01 (1 Aug 1985), I posited the need
for open discussion of the risks involved in the Strategic Defense
Initiative, and suggested that past experiences with very large projects
requiring extensive new technology and system engineering were generally
less successful than anticipated:

  ... the problems of developing software for critical environments are very
  pervasive -- and not just limited to strategic defense.  But what we learn
  in discussing the feasibility of the strategic defense initiative could
  have great impact on the uses that computers find in other critical
  environments.  In general, we may find that the risks are far too high in
  many of the critical computing environments on which we depend.  We may
  also be led to techniques for developing better systems that can
  adequately satisfy all of their critical requirements -- and continue to
  do so.  But perhaps most important of all is the increased awareness that
  can come from intelligent discussion.  Thus, an open forum on this subject
  is very important.

An editorial in *The New York Times* today revisits this thorny subject,
and suggests that we are still far away from what might be needed:

  A Failure to Intercept:
  Will America ever have effective ground-based missile defense?

  After 30 years of research and an estimated $250 billion investment, the
  Pentagon's defense program against intercontinental ballistic missiles
  ... had another failed test this month... the third consecutive dud.  The
  military has tested the ground-based midcourse defense system 16 times;
  only eight were successful, the last in 2008.  One might expect the record
  to be near perfect since the tests are rigged ...  ``controlled scripted
  environment.''

  Two studies ... have expressed new doubts ...

  But it doesn't make sense to keep throwing money at a flawed system
  without correcting the problems first.

The entire editorial is worth reading carefully, although it may not be new
news to many long-time RISKS readers.

------------------------------

Date: July 25, 2013 10:51:07 AM EDT
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Hackers Reveal Nasty New Car Attacks--With Me Behind The Wheel

  [Note: This item comes from friend Steve Goldstein.  DLH][via Dave Farber]

From: Steve Goldstein <steve.goldstein () cox net>
Subject: Hackers Reveal Nasty New Car Attacks--With Me Behind The Wheel
  (Video) - Forbes
Date: July 25, 2013 7:21:34 AM PDT

Andy Greenberg, *Forbes*, 24 Jul 2013
<http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/>

Stomping on the brakes of a 3,500-pound Ford Escape that refuses to stop --
or even slow down -- produces a unique feeling of anxiety. In this case it
also produces a deep groaning sound, like an angry water buffalo bellowing
somewhere under the SUV's chassis. The more I pound the pedal, the louder
the groan gets --along with the delighted cackling of the two hackers
sitting behind me in the backseat.

Luckily, all of this is happening at less than 5mph. So the Escape merely
plows into a stand of 6-foot-high weeds growing in the abandoned parking lot
of a South Bend, Ind. strip mall that Charlie Miller and Chris Valasek have
chosen as the testing grounds for the day's experiments, a few of which are
shown in the video below. (When Miller discovered the brake-disabling trick,
he wasn't so lucky: The soccer-mom mobile barreled through his garage,
crushing his lawn mower and inflicting $150 worth of damage to the rear
wall.)

``Okay, now your brakes work again,'' Miller says, tapping on a beat-up
MacBook connected by a cable to an inconspicuous data port near the parking
brake. I reverse out of the weeds and warily bring the car to a stop. ``When
you lose faith that a car will do what you tell it to do,'' he adds after we
jump out of the SUV, ``it really changes your whole view of how the thing
works.''

This fact, that a car is not a simple machine of glass and steel but a
hackable network of computers, is what Miller and Valasek have spent the
last year trying to demonstrate. Miller, a 40-year-old security engineer at
Twitter, and Valasek, the 31-year-old director of security intelligence at
the Seattle consultancy IOActive, received an $80,000-plus grant last fall
from the mad-scientist research arm of the Pentagon known as the Defense
Advanced Research Projects Agency to root out security vulnerabilities in
automobiles.

The duo plans to release their findings and the attack software they
developed at the hacker conference Defcon in Las Vegas next month -- the
better, they say, to help other researchers find and fix the auto industry's
security problems before malicious hackers get under the hoods of
unsuspecting drivers. The need for scrutiny is growing as cars are
increasingly automated and connected to the Internet, and the problem goes
well beyond Toyota and Ford. Practically every American car maker now offers
a cellular service or Wi-Fi network like General Motors' OnStar, Toyota's
Safety Connect and Ford's SYNC. Mobile-industry trade group the GSMA
estimates revenue from wireless devices in cars at $2.5 billion today and
projects that number will grow tenfold by 2025. Without better security it's
all potentially vulnerable, and automakers are remaining mum or downplaying
the issue.

As I drove their vehicles for more than an hour, Miller and Valasek showed
that they've reverse-engineered enough of the software of the Escape and the
Toyota Prius (both the 2010 model) to demonstrate a range of nasty
surprises: everything from annoyances like uncontrollably blasting the horn
to serious hazards like slamming on the Prius' brakes at high speeds. They
sent commands from their laptops that killed power steering, spoofed the GPS
and made pathological liars out of speedometers and odometers. Finally they
directed me out to a country road, where Valasek showed that he could
violently jerk the Prius' steering at any speed, threatening to send us into
a cornfield or a head-on collision. ``Imagine you're driving down a highway
at 80 ,'' Valasek says. ``You're going into the car next to you or into
oncoming traffic. That's going to be bad times.''

A Ford spokesman says the company takes hackers ``very seriously,'' but
Toyota, for its part, says it isn't impressed by Miller and Valasek's
stunts: Real car hacking, the company's safety manager John Hanson argues,
wouldn't require physically jacking into the target car. ``Our focus, and
that of the entire auto industry, is to prevent hacking from a remote
wireless device outside of the vehicle,'' he writes in an e-mail, adding
that Toyota engineers test its vehicles against wireless attacks. ``We
believe our systems are robust and secure. ...

Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>

------------------------------

Date: Thu, 25 Jul 2013 10:23:36 -0400
From: "Bob Frankston" <Bob19-0501 () bobf frankston com>
Subject: The risks of DNA "Certainty"

The seeming certainty of DNA evidence leads to false confidence in the
results and insufficient scrutiny. And, once again, we are at the risk of
bad math. A million in one match seems leave no doubt but if you have a
database with 10 million people you'll get ten matches. But when a jury is
just told that there is a one in a million chance of a mismatch then they
will have to convict.
http://www.nytimes.com/2013/07/25/opinion/high-tech-high-risk-forensics.html?ref=opinion

------------------------------

Date: July 24, 2013 1:50:55 AM EDT
From: Lauren Weinstein <lauren () vortex com>
Subject: Cybersecurity hacking estimates exaggerated for profit

  "A $1 trillion estimate of the global cost of hacking cited by President
  Barack Obama and other top officials is a gross exaggeration, according to
  a new study commissioned by the company responsible for the earlier
  approximation.  A preliminary report being released Monday by the Center
  for Strategic and International Studies and underwritten by Intel Corp's
  (INTC.O) security software arm McAfee implicitly acknowledges that
  McAfee's previous figure could be triple the real number."
  http://j.mp/167eQG4  (Reuters via NNSquad)

As we've been saying all along. Follow the money!

------------------------------

Date: Thu, 25 Jul 2013 10:30:09 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "Researchers spot new breed of infected Android apps in the wild"
  (Ted Samson)

Ted Samson, InfoWorld, 24 Jul 2013
Cyber criminals have successfully exploited a recently discovered
vulnerability to infect legit apps without invalidating their digital
signatures
http://www.infoworld.com/t/android/researchers-spot-new-breed-of-infected-android-apps-in-the-wild-223400

------------------------------

Date: Tue, 23 Jul 2013 12:08:22 -0700
From: Gene Wirchenko <genew () telus net>
Subject: "SIM cards vulnerable to hacking, says researcher" (Jeremy Kirk)

Jeremy Kirk, InfoWorld, 22 Jul 2013
Millions of phones could be at risk due to the use of a 1970s-era
encryption standard
http://www.infoworld.com/d/mobile-technology/sim-cards-vulnerable-hacking-says-researcher-223141

------------------------------

Date: Mon, 22 Jul 2013 07:56:21 -0700
From: Henry Baker <hbaker1 () pipeline com>
Subject: PIN-Punching Robot Cracks Phone's Security Code In 24 Hours

Andy Greenberg, *Forbes*, 22 Jul 2013
Covering the worlds of data security, privacy and hacker culture.
http://www.forbes.com/sites/andygreenberg/2013/07/22/pin-punching-robot-can-crack-your-phones-security-code-in-less-than-24-hours/

There's nothing particularly difficult about cracking a smartphone's
four-digit PIN code.  All it takes is a pair of thumbs and enough
persistence to try all 10,000 combinations. But hackers hoping to save time
and avoid arthritis now have a more efficient option: Let a cheap,
3D-printable robot take care of the manual labor.

At the Defcon hacker conference in Las Vegas early next month, security
researchers Justin Engler and Paul Vines plan to show off the R2B2, or
Robotic Reconfigurable Button Basher, a piece of hardware they built for
around $200 that can automatically punch PIN numbers at a rate of about one
four-digit guess per second, fast enough to crack a typical Android phone's
lock screen in 20 hours or less.

``There's nothing to stop someone from guessing all the possible PINs,''
says Engler, a security engineer at San Francisco-based security consultancy
iSec Partners. ``We often hear `no one would ever do that.' We wanted to
eliminate that argument. This was already easy, it had just never been done
before.''

Engler and Vines built their bot, shown briefly in the video above, from
three $10 servomotors, a plastic stylus, an open-source Arduino
microcontroller, a collection of plastic parts 3D-printed on their local
hackerspace's Makerbot 3D printer, and a five dollar webcam that watches the
phone's screen to detect if it's successfully guessed the password. The
device can be controlled via USB, connecting to a Mac or Windows PC that
runs a simple code-cracking program. The researchers plan to release both
the free software and the blueprints for their 3D-printable parts at the
time of their Defcon talk.

In addition to their finger-like R2B2, Engler and Vines are also working on
another version of their invention that will instead use electrodes attached
to a phone's touchscreen, simulating capacitative screen taps with faster
electrical signals. That bot, which they're calling the Capacitative
Cartesian Coordinate Brute-force Overlay, remains a work in progress, Engler
says, though he plans to have it ready for Defcon.

Not all PIN-protected devices are susceptible to the R2B2's brute force
attack, Engler admits. Apple's iOS, for instance, makes the user wait
increasing lengths of time after each incorrect PIN guess. After just a
handful of wrong answers, the phone can lock out a would-be hacker for hours
before granting access to the PIN pad again.

But every Android phone that Engler and Vines tested was set by default to
use a much less stringent safeguard, delaying the user just 30 seconds after
every five guesses. At that rate, the robot can still guess five PINs every
35 seconds, or all 10,000 possibilities in 19 hours and 24 minutes.

Given that the robot's software can be programmed to guess PINs in any order
the user chooses, it may be able to crack phones far faster than that 20
hour benchmark. One analysis of common PINs showed that more than 26% of
users choose one of twenty common PINs. If R2B2 is set to try easily-guessed
PINs first, it could crack one in four Android users' phones in less than
five minutes, and half of those phones in less than an hour.

Physically typing thousands of PIN codes, even with a clever robot's help,
isn't necessarily the easiest way to gain access to a phone's
data. Forensics software firm Micro Systemation released a video last year
-- since removed from YouTube -- showing that it can digitally brute-force
an iPhone's PIN by using the same ``jailbreak'' hacks that many iPhone
owners use to remove installation restrictions on their devices. Google has
been known to cooperate with law enforcement to bypass the lockscreens of
criminal suspects' phones, and Apple will in some cases crack a phone's
security and give the user's data to police if officers mail the phone to
the company.

But Engler argues that the R2B2 helps to raise attention to the insecurity
of crackable four-digit PINs in ways that software tools don't. Even a
six-digit PIN, an option on many phones, would take R2B2 as much as 80 days
longer to crack than the default four-digit passcode. ``When you see a robot
working like this, you think, `maybe I should have a longer PIN','' says
Engler. '' If I'm a CEO, a four digit PIN is a problem, because it's worth
20 hours to break in and get my confidential emails.''

Engler and Vines aren't the first to create an automated, physical
PIN-cracking tool. Another hacker who calls himself JJ showed off a similar
robot earlier in the year that could crack the four-digit PIN of a Garmin
Nuvi GPS device, shown in the video below.

But Engler's and Vine's invention is meant to be far more versatile.  In
addition to cracking phones' lockscreens, Engler says he and Vines plan to
keep improving the robot so that it can be adapted to crack the PIN codes
used in specific smartphone apps, or even to press the mechanical buttons on
non-touchscreen devices like ATMs, hotel safes and combination locks. And in
his daily work of auditing clients' security, breaking into a corporate
smartphone represents a far more serious threat than accessing the data of
any GPS device.

``We used to joke that we'd have to hire an intern to press all these
buttons,'' says Engler. ``It turns out it's much better to get the
intern to help make the robot. Then he also has time to get coffee.''

Andy Greenberg, Forbes Staff

I'm a technology, privacy, and information security reporter and most
recently the author of the book This Machine Kills Secrets, a chronicle of
the history and future of information leaks, from the Pentagon Papers to
WikiLeaks and beyond. I've covered the hacker beat for Forbes since 2007,
with frequent detours into digital miscellania like switches, servers,
supercomputers, search, e-books, online censorship, robots, and China. My
favorite stories are the ones where non-fiction resembles science
fiction. My favorite sources usually have the word "research" in their
titles. Since I joined Forbes, this job has taken me from an autonomous car
race in the California desert all the way to Beijing, where I wrote the
first English-language cover story on the Chinese search billionaire Robin
Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot
savants and even CEOs are welcome to email me at agreenberg (at) forbes.com.
My PGP public key can be found here.

------------------------------

Date: Wed, 24 Jul 2013 11:40:23 -0600
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Citi Bike Accidentally Exposes Customer Credit Card Information
  (Ted Mann)

Ted Mann, *Wall Street Journal*, 23 Jul 2013

A Citi Bike software glitch accidentally exposed sensitive personal and
financial information -- including credit card numbers -- of more than 1,000
of its account holders, the bike sharing program's operators wrote in a
letter last week to the affected customers.

The data breach occurred on April 15, according to a letter sent to a Citi
Bike member reviewed by The Wall Street Journal. The letter was dated July
19.

The security breach was discovered and corrected at the end of May.  It
affected 1,174 customers who signed up for $95 annual memberships to the
program, said Seth Solomonow, a spokesman for the city Department of
Transportation, which launched Citi Bike and controls all of the system's
communications to the public.

He did not explain the delay between the identification of the security flaw
and notification of affected users.

http://blogs.wsj.com/metropolis/2013/07/23/citi-bike-accidentally-exposes-customer-credit-card-information/

Tune into another Risks Digest issue to discover the next risk resulting
from the Citi Bikes in NYC!

------------------------------

Date: Mon, 22 Jul 2013 16:43:52 -0400 (EDT)
From: msb () vex net (Mark Brader)
Subject: Re: PayPal 'credits' US man $92 quadrillion in error (RISKS-27.37)

Bob Gezelter giveth and taketh away $91,908 trillion!

From: Amos Shapir <amos083 () gmail com>
The article claims the erroneous sum was $92,233,720,368,547,800...
(Being a computer nerd I had to check -- this number is almost exactly
2^63 * 0.01, so the credit was probably meant to be 1 cent).

In fact $2^63 * 0.01 is $92,233,720,368,547,758.08, so if the indicated
amount was not rounded, it is larger than that by $41.92.  It does seem
likely that PayPal is storing its monetary amounts in 64-bit words using
integers in cents, but I don't think the deduction that the intended
amount was 1 cent holds up.

------------------------------

Date: Tue, 23 Jul 2013 14:33:46 -0700
From: Bill Stewart <bill.stewart () pobox com>
Subject: Re: PayPal 'credits' US man $92 quadrillion in error (RISKS-27.37)

That's an advantage of 64-bit arithmetic; errors like this used to be ~$21M
or $2.1B.  Nobody's bank or financial institution would be able to handle a
US$92 trillion transfer, even if they didn't have good sanity checking, but
some might let $2B slip by accidentally, and almost any of them could afford
$21M and might not notice the error for a while.  And while most of them
probably couldn't handle the interest payments on a day's float of $92T, the
interest on $21M would probably have gotten paid.

------------------------------

Date: Wed, 24 Jul 2013 22:19:10 +0100
From: Chris Drewe <e767pmk () yahoo co uk>
Subject: Re: PayPal 'credits' US man $92 quadrillion in error (RISKS-27.37)

My question: we all had a good laugh, but could it have worked out like
this?  Suppose your bank erroneously deposits a large sum into your current
account.  The mistake is quickly spotted and corrected, so no harm done.
However, this unusual activity sets off the bank's automated
anti-money-laundering alerts.  Therefore, you suddenly have a bunch of
Government heavies on your doorstep, who want to know where that money came
from, and, more importantly, just where is it now?  A mistake by your bank,
you say..?  Better find yourself a good lawyer, quickly.

------------------------------

Date: Tue, 23 Jul 2013 23:57:36 +0200
From: Bertrand Meyer <Bertrand.Meyer () inf ethz ch>
Subject: Fool proofs? (Re: UBS fined $30,000 for a typing error, Kimmeringer)

In RISKS-27.37: "The system will now be changed to be fool-proved (again)."

Are you sure this phrasing is what is intended? To me a "fool-proved" system
is one in which the Coq/Isabelle/Spark verification was assigned to the team
member who perhaps wasn't the brightest in the lot. This might happen for
example to NAS if Martyn Thomas's suggestion in the same issue is followed.

There may be something very subtle here that eludes me, but if not I think
you mean fool-proof, or possibly fool-proofed. (Two occurrences in the
entry.)

  [lothar agrees.  PGN]
    [A fool and his proofs are soon parted...  Lindsay Marshall]

------------------------------

Date: Tue, 23 Jul 2013 00:39:10 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: Re: Government Destroys $170k of Hardware ... (RISKS-27.37)

Once upon a time, many years ago, a school refused to take my advice
(mediated through my brother) as to what to do about a very simple computer
virus infection.  The infection in question was Stoned, which was a boot
sector infector.  BSIs generally do not affect data, and (and this is the
important point) are not eliminated by deleting files on the computer, and
often not even by reformatting the hard disk.  (At the time there were at
least a dozen simple utilities for removing Stoned, most of them free.)

The school decided to cleanse it's entire computer network by boxing it up,
shipping it back to the store, and having the store reformat everything.
Which the store did.  The school lost it's entire database of student
records, and all databases for the library.  Everything had to be
re-entered.  By hand.

I've always thought this was the height of computer virus stupidity, and
that the days when anyone would be so foolish were long gone.

I was wrong.  On both counts.

Malware is my field, and so I often sound like a bit of a nut, pointing out
issues that most people consider minor.  However, malware, while now
recognized as a threat, is a field that extremely few people, even in the
information security field, study in any depth.  Most general security texts
(and, believe me, I know almost all of them) touch on it only tangentially,
and often provide advice that is long out of date.

With that sort of background, I can, unfortunately, see this sort of thing
happening again.

victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/

------------------------------

Date: Wed, 24 Jul 2013 08:15:12 -0700
From: spl () ncmir ucsd edu (Steve Lamont)
Subject: Hardware destruction in perspective (Re: RISKS-27.37)

This is a story about government incompetence on the grossest, most
unforgivable scale. Here's how the Economic Development Administration
unnecessarily spent $2.75 million to fight a common case of malware.

While this is indeed a waste of time and money, a bit of perspective:

At current funding levels, $170,000 is approximately what the government
spends in 54 seconds in Afghanistan and Iraq.

        http://costofwar.com/about/counters/

The entire enterprise ($2.75 million) comes down to a bit under 15 minutes
of war.

According to my calculations, we're spending $3,125 a *second* for our two
wars and I'd be hard put to show how much economic development we've gotten
from either.   spl

------------------------------

Date: Mon, 22 Jul 2013 20:07:09 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Re: "How the Pentagon's payroll quagmire traps soldiers (RISKS-27.37)

http://preview.reuters.com/2013/7/9/wounded-in-battle-stiffed-by-the-pentagon
is a great article, but I suppose that it is ironic that Reuters has screwed
up in the implementation.  I got a message that I needed to have JavaScript
enabled to read the article.  The whole article was sent to my browser
though.  I went through the source, removed the <noscript></noscript> block,
saved the file locally, and then was able to read it.

------------------------------

Date: Mon, 22 Jul 2013 20:27:49 -0700
From: Gene Wirchenko <genew () telus net>
Subject: Re: "How to Build Versatile and Reusable Software" (RISKS-27.37)

Another amusing link:

http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202611396558&kw=How_to_Build_Versatile_and_Reusable_Software

I called it up, read the first page, then clicked for the second, and only
then noted the message on the page of "A browser or device that allows
javascript is required to view this content."  The second page loaded just
fine.

------------------------------

Date: Mon, 22 Jul 2013 12:27:57 -0700
From: Rob Slade <rmslade () shaw ca>
Subject: REVIEW: "Intelligent Internal Control and Risk Management", Leitch

BKIICARM.RVW   20121210

"Intelligent Internal Control and Risk Management", Matthew Leitch,
2008, 978-0-566-08799-8, U$144.95
%A   Matthew Leitch
%C   Gower House, Croft Rd, Aldershot, Hampshire, GU11 3HR, England
%D   2008
%G   978-0-566-08799-8 0-566-08799-5
%I   Gower Publishing Limited
%O   U$114.95 www.gowerpub.com
%O  http://www.amazon.com/exec/obidos/ASIN/0566087995/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0566087995/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0566087995/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   253 p.
%T   "Intelligent Internal Control and Risk Management"

The introduction indicates that this book is written from the risk
management perspective of the financial services industry, with a
concentration on Sarbanes-Oxley, COSO, and related frameworks.  There
is an implication that the emphasis is on designing new controls.

Part one, "The Bigger Picture," provides a history of risk management
and internal controls.  Chapter one asks how much improvement is
possible through additional controls.  The author's statement that
"[w]hen an auditor, especially an external auditor, recommends an
improvement control it is usually with little concern for the cost of
implementing or operating that control [or improved value].  The
auditor wants to feel `covered' by having recommended something in the
face of a risk that exists, at least in theory" is one that is
familiar to anyone in the security field.  Leitch goes on to note that
there is a disparity between providing real value and revenue
assurance, and the intent of this work is increasing the value of
business risk controls.  The benefits of trying quality management
techniques, as well as those of quantitative risk management, are
promoted in chapter two.  Chapter three appears to be a collection of
somewhat random thoughts on risk.  Psychological factors in assessing
risk, and the fact that controls have to be stark enough to make
people aware of upcoming dangers, are discussed in chapter four.

Part two turns to a large set of controls, and examines when to use, and not
to use, them.  Chapter five introduces the list, arrangement, and structure.
Controls that generate other controls (frequently management processes) are
reviewed in chapter six.  For each control there is a title, example,
statement of need, opening thesis, discussion, closing recommendation, and
summary relating to other controls.  Most are one to three pages in length.
Audit and monitoring controls are dealt with in chapter seven.  Adaptation
is the topic of chapter eight.  (There is a longer lead-in discussion to
these controls, since, inherently, they deal with change, to which people,
business, and control processes are highly resistant.)  Chapter nine notes
issues of protection and reliability.  The corrective controls in chapter
ten are conceptually related to those in chapter seven.

Part three looks at change for improvement, rather than just for the
sake of change.  Chapter eleven suggests means of promoting good
behaviours.  A Risk and Uncertainty Management Assessment (RUMA) tool
is presented in chapter twelve, but, frankly, I can't see that it goes
beyond thinking out alternative courses of action.  Barriers to
improvement are noted in chapter thirteen.  Roles in the organization,
and their relation to risk management, are outlined in chapter
fourteen.  Chapter fifteen examines the special needs for innovative
projects.  Ways to address restrictive ideology are mentioned in
chapter sixteen.  Seven areas that Leitch advises should be explored
conclude the book in chapter seventeen.

A number of interesting ideas are presented for consideration in
regard to the choice and design of controls.  However, the text is not
a guidebook for producing actual control systems.

copyright, Robert M. Slade   2013   BKIICARM.RVW   20121210
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

------------------------------

Date: Sun, 7 Oct 2012 20:20:16 -0900
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: PLEASE read RISKS as a newsgroup (comp.risks or equivalent)
 if possible and convenient for you.  The mailman Web interface can
 be used directly to subscribe and unsubscribe:
   http://lists.csl.sri.com/mailman/listinfo/risks
 Alternatively, to subscribe or unsubscribe via e-mail to mailman
 your FROM: address, send a message to
   risks-request () csl sri com
 containing only the one-word text subscribe or unsubscribe.  You may
 also specify a different receiving address: subscribe address= ... .
 You may short-circuit that process by sending directly to either
   risks-subscribe () csl sri com or risks-unsubscribe () csl sri com
 depending on which action is to be taken.

 Subscription and unsubscription requests require that you reply to a
 confirmation message sent to the subscribing mail address.  Instructions
 are included in the confirmation message.  Each issue of RISKS that you
 receive contains information on how to post, unsubscribe, etc.

=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines.

=> .UK users may contact <Lindsay.Marshall () newcastle ac uk>.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you NEVER send mail!
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line.
 *** NOTE: Including the string "notsp" at the beginning or end of the subject
 *** line will be very helpful in separating real contributions from spam.
 *** This attention-string may change, so watch this space now and then.
=> ARCHIVES: ftp://ftp.sri.com/risks for current volume
     or ftp://ftp.sri.com/VL/risks for previous VoLume
 http://www.risks.org takes you to Lindsay Marshall's searchable archive at
 newcastle: http://catless.ncl.ac.uk/Risks/VL.IS.html gets you VoLume, ISsue.
   Lindsay has also added to the Newcastle catless site a palmtop version
   of the most recent RISKS issue and a WAP version that works for many but
   not all telephones: http://catless.ncl.ac.uk/w/r
 <http://the.wiretapped.net/security/info/textfiles/risks-digest/> .
==> PGN's comprehensive historical Illustrative Risks summary of one liners:
    <http://www.csl.sri.com/illustrative.html> for browsing,
    <http://www.csl.sri.com/illustrative.pdf> or .ps for printing
  is no longer maintained up-to-date except for recent election problems.
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 27.38
************************


  By Date           By Thread  

Current thread:
  • Risks Digest 27.38 RISKS List Owner (Jul 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault