PraxIS January 2005

_______________________________________________________

Welcome to PraxIS

Best wishes for a peaceful 2005 to all our readers.

Patrick O'Beirne

_______________________________________________________ _______________________________________________________

1)  IT Risk and Security

INFORMATION SYSTEMS SECURITY ASSESSMENT FRAMEWORK Draft 0.1

The Information System Security Assessment Framework (ISSAF) is a peer reviewed structured framework that details specific evaluation or testing criteria for a number of areas. ISSAF should primarily be used to fulfill an organization’s security assessment requirements and may additionally be used as a reference for meeting other information security needs. ISSAF includes the assessment security of processes and hardening to get a complete picture of the vulnerabilities that might exist.
A draft version of this framework is available at OISSG website at: http://oissg.org/issaf01/issaf0.1.zip (5.59 MB) or http://oissg.org/issaf01/issaf0.1.pdf (12.6 MB)
The Information System Security Assessment Framework (ISSAF) is an evolving document that will be expanded, amended and updated in future. A feedback form is given at the end of ISSAF.

_______________________________________________________
 

Rice University computer scientists find a flaw in Google Desktop Search (GDS)

http://seclab.cs.rice.edu/  Unpatched Google Desktop Search can reveal file snippets to thieves.

Seth Fogarty and Seth Nielson (Rice graduate students), advised by Dan Wallach (a Rice professor), have discovered a potentially serious security flaw in GDS. "We found that the Google Desktop personal search engine contained a serious security flaw that would allow a third party to read the search result summaries that are embedded in normal Google web searches by the local search engine. An attacker would not be able to read your files directly, but the search results often contain snippets of your files. If you had a file with a list of web passwords, for example, an attacker might be able to read some of those passwords."

They have made a technical report available with more details at http://seclab.cs.rice.edu/gdesktop-tr-dec04.pdf

"The user must visit the web page of a potential attacker. The attacker includes a Java applet in the web page. This applet will appear to the user as a normal part of the web page, but it will also make certain network connections that trick the Google Desktop into integrating its local search results, even though the applet never actually connects to Google. The applet can then read these integrated results and transmit them back to the attacker's web server."

Google released a corrected version of GDS on Dec. 10. You can tell if your version of the Google program had been patched by examining the "about" page from the Google Desktop icon in the browser task bar. Version numbers above 121,004 indicate a newer edition of the program.

_______________________________________________________
 

A chess-playing "bankomat"

http://catless.ncl.ac.uk/Risks/23.62.html Risks Digest 21 Dec 2004

In German banks there are more and more self-service machines with a keyboard available instead of the 11+4 keys for the standard-cash-points (aka 'hole-in-the-wall' ATM). Lothar Kimmeringer reported to the Risks Digest that it's possible to get the underlying desktop by clicking the touchscreen where the minimize-icon resides. Somebody took the opportunity to play a little bit around with these machines and documented everything with a digital camera. The pictures can be watched at http://www.ulm.ccc.de/projekte/bankomat/  where the machine ends with a game of chess against itself running instead of the application originally intended to be run on it.

_______________________________________________________
 

Security Books

Here are a couple of books reviewed recently by Robert Slade. You can find his amazing archive of reviews at http://victoria.tc.ca/techrev/mnbk.htm or sign up to the book review Yahoogroup at http://groups.yahoo.com/group/techbooks

http://sysmod.com/az.php?a=0321218736&b=High_Tech_Crimes   "High Tech Crimes Revealed", Steven Branigan. Rob Slade thinks that the initial materials on  investigative techniques and tips are more valuable than the reports of the crimes themselves, but that the book trails off somewhat.

http://sysmod.com/az.php?a=0767905385&b=Catch_Me_If_You_Can "Catch Me If You Can", Frank W. Abagnale, 1980. Abagnale was a con man specialising in passing fraudulent cheques. His autobiography was recently made into a movie of that name.  This book examines some of his methods and presents at least a few points that can be used to detect and avoid trickery.

____________________________________________________________
____________________________________________________________   

2) More Internet tools

MSN desktop search

It searches a wider range of file types images, text, and the content of PDFs. The tray indexer seems to be fairly unobtrusive too. Download and Tour http://beta.toolbar.msn.com/ 

Review at http://www.winsupersite.com/reviews/msn_toolbar_suite_preview.asp
Paul Thurrott writes "The word wheeling functionality delivers instant search results as you type. To see it in action, click the text entry area and begin typing a search phrase. Then, as you type, results pour into the pane and are refined as you continue typing. This functionality--which Microsoft first promised in Longhorn--works amazing well, and doesn't appear to bog the system down in the slightest."

Funnily enough, Google have released a similar tool for web searches - Google Suggest.

_______________________________________________________
 

Google Suggest

http://www.google.com/webhp?complete=1&hl=en  Search as you type

As you type into the search box, Google Suggest guesses what you're typing and offers suggestions in real time. This is similar to Google's 'Did you mean?' feature that offers alternative spellings for your query after you search, except that it works in real time. The engineer who thought of it, then built it in his "20% time," blogs about the process at http://www.google.com/googleblog/2004/12/ive-got-suggestion.html

http://slashdot.org/article.pl?sid=04/12/10/1554203&from=rss A post to Slashdot indicates "It seems like Google has become a big fan of this XMLHTTP object and its Mozilla cousin. It's a great way to give web applications access to live data without requiring a page refresh." The discussion lists the obfuscated Javascript used.

_______________________________________________________
 

Babelplex - searching in tongues

http://babelplex.com/  Bilingual search service.

You specify a query word in one language, and a language for the results. The resulting window shows the Google results with the results for the foreign language on one side and the English search of the translated word on the other. There is also a search button in the foreign language so you can continue the search with the translated word/

_______________________________________________________
 

What's in those pesky Winmail.dat files?

When you read an email that contains an attachment file named "winmail.dat" it is probably an MS-TNEF format attachment. To read it, install a free utility called FENTUN from http://www.fentun.com

Often the attachment file "winmail.dat" contains only the file format of the original email. But if it contains more, Fentun can extract it for you.

http://agamemnon.ucs.ed.ac.uk/faq/mstnef.html What is an "application/ms-tnef" attachment?

____________________________________________________________
____________________________________________________________

3) Europe

UK Euro preparations

http://www.euro.gov.uk/europreparations.asp UK euro preparations

Those conscientious people in the UK Treasury working parties have dusted down their euro preparation plans again. The leaflet "Euro Preparations- What you need to know" has been expanded (November 2004).

http://www.euro.gov.uk/prep_reports_pages.asp?id=11&pg=1&ls=2 Autumn report on euro preparations (December 2004) 

____________________________________________________________
 

TRY, try again...

On Jan 3rd, I was puzzled to see that my currency converter had stopped working at www.sysmod.com/eurocalc. It had worked before Christmas, so I Googled for PHP errors and found that my server hosting company had upgraded to PHP 4.3.10 on Dec 20. After wasting some time on that I discovered that it was a false trail. The real problem was that a long-established script I was using created lowercase variable names from international currency codes. Not a problem until now.

On Jan 1st, the new Turkish Lira came into being. One new Lira (TRY) equals 1 million old Lira (TRL). The new symbol TRY now appeared in the 2005-01-03 data feed from the ECB, which in my code became "try=1.8362". This conflicted with the reserved name "try" (as in try/catch error handling). It's now fixed, but it's a lesson in variable name conventions!

____________________________________________________________
____________________________________________________________

4) Spreadsheets

SCANXLS Inventory data collector launched

I sent out a press release entitled "Affordable Tool to Inventory Spreadsheets for SOX Compliance Audits" and the search engines have dutifully indexed it. Here is the intro:

ScanXLS has a key part in IT audit projects for Sarbanes-Oxley (SOX) 404 compliance. It assists auditors concerned with internal controls on risks in end user development of spreadsheet models.

- What spreadsheets do we have where on the network?
- Who is the responsible owner/user/developer?
- How big are they, how complex, have they errors?
- What dependencies/links exist between them?
- Has a spreadsheet changed from an authorized/validated version?

http://www.sysmod.com/scanxls-eusprig.htm  I offer a 25% discount for members of the Eusprig yahoogroup, which also applies to this EuroIS group as well.

_______________________________________________________
 

Spreadsheets with more than 256 columns?

I received an enquiry recently: "I have been searching the web for ages, trying to find a spreadsheet that span about double the amount of columns a normal spreadsheet can handle (usually about 256 columns). And that will also enable import/export CVS...". If you Google for "more than 256 columns" you find:

http://spreadsheets.about.com/cs/quattropro/qt/qpqtmorecols.htm  Quattro Pro v9 has 1 million rows and 18278 columns.

The Microsoft Office Spreadsheet Component allows 702 columns up to ZZ .

If the problem is importing data with more than 256 columns, some utilities automatically split it into multiple worksheets. Otherwise, you could transpose the data and work down the sheet. If the columns are data fields, consider using a database instead.

_______________________________________________________
_______________________________________________________

FEEDBACK

Simply send your comments via our feedback form at http://www.sysmod.com/feedback.htm

Thank you! Patrick O'Beirne, Editor

_______________________________________________________ _______________________________________________________

5) Tsunami

You won't need to be reminded to donate; the public response has been tremendous. You can't go into a church, shop, or pub without seeing a collection box for the disaster victims. Hundreds of thousands face starvation, disease, and homelessness, in some cases amid local conflicts. Online, www.Google.com shows you a link to where to donate before you even search. I'll just give one link: http://www.RedCross.ie

http://newpaper.asia1.com.sg/top/story/0,4136,80172,00.html If only we had a tsunami warning system...

"One problem, perhaps, was that dangerous tsunamis are extremely rare in the Indian Ocean: The last appears to have been in 1883. And since 1509, Indian Ocean tsunamis have never hit more than one place at a time."

The Pacific Tsunami Warning System (PTWS) centre in Hawaii director did not have direct contacts with Indian Ocean nations. Scientists desperately tried to warn Asian nations by calling the US embassies in their capitals.

"The Bangkok office had told them the quake was 8.1 on the Richter scale so they didn't think there would be a tsunami: A quake of 7.6 which hit Sumatra two years ago did not affect Thailand. Since only four people out of 900 in the department are earthquake experts - and a tsunami had not hit Thailand in more than 300 years - they probably didn't know that a difference of 0.5 on the Richter scale represents 16 times more energy released.  As it turned out, the quake was a devastating 9.0."

An example of the use of ICT for disaster relief is the http://tsunamihelp.blogspot.com/  blog website. It emerged over a few days through the efforts of volunteers and bloggers from around the world. They have also worked to organise the information they are receiving into an emergency database at Wiki: http://en.wikinews.org/wiki/Tsunami_Help

_______________________________________________________
_______________________________________________________

Copyright 2005 Systems Modelling Limited, http://www.sysmod.com . Reproduction allowed provided the newsletter is copied in its entirety and with this copyright notice.

We appreciate any feedback or suggestions for improvement. If you have received this newsletter from anybody else, we urge you to sign up for your personal copy by sending a blank email to   EuroIS-subscribe (at) yahoogroups (dot) com - it's free!

For those who would like to do more than receive the monthly newsletter, the EuroIS list makes it easy for you to discuss issues raised, to share experiences with the rest of the group, and to contribute files to a common user community pool independent of the sysmod.com web site. I will be moderating posts to the EuroIS list, to screen out inappropriate material.

Patrick O'Beirne, Editor
_______________________________________________________
ABOUT THIS NEWSLETTER
"Praxis" means model or example, from the Greek verb "to do". The name is chosen to reflect our focus on practical solutions to IS problems, avoiding hype. If you like acronyms, think of it as "Patrick's reports and analysis across Information Systems".
Please tell a friend about this newsletter.
We especially appreciate a link to www.sysmod.com from your web site!
______________________________________________________
ARCHIVES
To read previous issues of this newsletter please visit our web site at http://www.sysmod.com/praxis.htm

DISCLAIMER
This newsletter is prepared in good faith and the information has been taken from observation and other sources believed to be reliable. Systems Modelling Ltd. (SML) does not represent expressly or by implication the accuracy, truthfulness or reliability of any information provided. It is a condition of use that users accept that SML has no liability for any errors, inaccuracies or omissions. The information is not intended to constitute legal or professional advice. You should consult a professional at Systems Modelling Ltd. directly for advice that is specifically tailored to your particular circumstances.
_______________________________________________________
PRIVACY POLICY:
We guarantee not to sell, trade or give your e-mail address to anyone.
To subscribe to this Newsletter send an email to
EuroIS-subscribe (at) yahoogroups (dot) com
To unsubscribe from this Newsletter send an email to
EuroIS-unsubscribe (at) yahoogroups (dot) com
EuroIS is the distribution list server of the PraxIS newsletter. It also offers a moderated discussion list for readers and a free shared storage area for user-contributed files. The archives of this group are on YahooGroups website http://finance.groups.yahoo.com/group/EuroIS/
_______________________________________________________