Integrity resources

Further resources supporting the latest NoticeBored Classic module on trust, integrity & fraud

This page last updated on Tuesday, April 29, 2008

The following websites and other Web resources proved useful in our research for this month’s NoticeBored Classic awareness module on trust, integrity and fraud. The New markers below show when links were added, and be sure to visit the pick of the bunch, the Recommended reading sites. Do let us know if your favorite resources are not yet listed here, and keep up with relevant entries on the NoticeBored Blog.


General integrity references

Recommended resource: Data integrity is a serious issue for anyone writing or using spreadsheets, especially if they supply information that informs management decisions or forms part of the organization’s financial management systems. Read our review of Spreadsheet Check and Control, a highly recommended book on this important topic.

If you’re not entirely convinced that computer security involves protecting integrity and availability just as much as confidentiality/secrecy, read Fred Cohen’s short monologue from nearly a decade ago, especially the examples in the latter half.

“Don’t believe everything you read” could be a motto for the web ... and indeed more traditional forms of publishing. Try composing your own jargon-and-buzzword-filled paper here. Integrity definitely not guaranteed.

‘It’s the things that you don’t test that go wrong’ is a lesson from this story about NASA’s Huygens lander. “We have a technical term for what went wrong here,” one of Huygens’s principal investigators explained to reporters: “It’s called a cock-up.” It seems the ground team didn’t have the budget to complete testing of the communications systems before the probe was launched, relying instead on simpler in-flight tests later. An engineer’s nagging doubts led him to insist on testing Cassini’s radio receiver not just with a simple carrier but with simulated data modulation as well. His hunch paid off with the discovery of a subtle problem caused by Doppler shift differences between the carrier and the modulation. In the event, the Huygens probe’s weak radio signals were successfully received by Cassini ... and also by at least one radio telescope on Earth (seems they had a contingency plan after all!).

Personal integrity

The Global Corruption Report paints a chilling picture of bribery and corruption around the world. In some parts of the world, bribery is clearly accepted as a way of life whilst in many others it is quite common but less evident. There are implications for those doing business locally in these areas and for global businesses accepting orders or taking supplies from there.

Nineteen-year-old Englishman Aaron Caffrey, accused of hacking into systems at the Port of Houston, Texas, was found not guilty by a British jury. Although Aaron admitted to being a member of a hacker group, the case essentially revolved around his defense that fellow hackers had installed Trojan horse programs on his PC and that they, not he, were responsible for the breach. The jury was evidently unconvinced by the prosecution’s arguments, despite there apparently being no forensic evidence of such Trojan programs on his PC when it was analyzed. The case potentially reopens a can of worms for future cyber crime prosecutions under the UK Computer Misuse Act, since the burden falls on the forensic examiner to show that the absence of malware on a seized machine really does rule out the defense [Postscript: the British Government reviewed the CMA during 2004 ...].

Microsoft closed most of its free chatrooms worldwide during October 2003 to prevent their abuse by pedophiles. User authentication in chatrooms is rudimentary, at best: basically users are forced to rely on the honesty of others that they are who they say they are. It’s hardly surprising that things are not always what they seem. Visit www.safekids.com for some pragmatic online security advice for young websurfers.

Data and systems integrity

Professor Raymond Panko from the University of Hawaii has a well-founded reputation for researching human (programming) errors in spreadsheets and other programs, a line of work going back to the 1960s. Ray’s spreadsheet research and personal websites are definitely worth a close look by anyone concerned enough about the topic to be reading this page.

The ICAT database records and categorizes security vulnerabilities in operating systems and applications. Their statistics page gives an interesting analysis by type of vulnerability, currently indicating that half are input validation errors (buffer overruns etc.).

A “software error during routine maintenance” caused an ISP to delete the contents of 14,000 customer email accounts and, with no ISP backups evidently, they disappeared forever in a puff of logic. This incident cost the ISP $50 credits to the affected customers, presumably rather less than 14,000x$50 as some will have defected. The reputational damage could be even costlier.

Starting with a comment from Gartner that “More than 25% of critical data in Fortune 1,000 databases is inaccurate or incomplete”, a thought-provoking piece in Baseline magazine suggests five steps to improve your data accuracy: (1) Acknowledge the problem; (2) Determine the extent of the problem; (3) Establish the costs of getting it right (and wrong); (4) Use available tools; and (5) Put somebody in charge.

A majority of web surfers (us included) use Google to search the web for useful information, but Google is an imperfect tool. Many highly-placed results in Google are the product of web marketing activities, for example link farms and web rings (collections of trivial sites that reference each other). The sport of Google bombing demonstrates the ability to manipulate Google results artificially - try Googling the term “miserable failure” for instance: the #1 result is a White House biography of George W. Bush. This amusing diversion demonstrates that Google’s ranking algorithm can be fooled by manipulating its inputs, a kind of integrity failure.

US-CERT has released practical guidance on using digital signatures.

An interesting article explains the concept of referential integrity using MySQL: a row may only reference a key that actually exists in the parent table, and the database refuses inserts, updates and deletes that would leave a dangling reference.
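Added example (ours, not from the linked article): the same referential integrity rules demonstrated with Python’s bundled sqlite3 module, standing in for MySQL/InnoDB so that it runs offline. The customer/orders schema and rows are constructed for illustration. Note that SQLite, unlike InnoDB, leaves foreign-key enforcement off unless the connection turns it on, so the example runs the same operations both ways to show what “integrity failure” looks like in the data.

```python
"""Referential integrity demonstrated with SQLite foreign keys.

Added example using sqlite3 as a stand-in for the MySQL article on the
page; schema and rows are constructed for illustration.
"""
import sqlite3


def build_db(enforce_fk: bool) -> sqlite3.Connection:
    """Create an in-memory orders database. enforce_fk toggles constraint
    enforcement, which SQLite leaves off by default (PRAGMA foreign_keys)."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    con.executescript(
        """
        CREATE TABLE customer (
            id   INTEGER PRIMARY KEY,
            name TEXT NOT NULL
        );
        CREATE TABLE orders (
            id          INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customer(id)
                        ON DELETE RESTRICT,
            amount      INTEGER NOT NULL CHECK (amount > 0)
        );
        INSERT INTO customer VALUES (1, 'Acme Ltd');
        INSERT INTO orders   VALUES (100, 1, 250);
        """
    )
    return con


def try_insert_orphan(con: sqlite3.Connection) -> bool:
    """Insert an order for a customer that does not exist. Return True if the
    database accepted it (an integrity failure), False if it was rejected."""
    try:
        con.execute("INSERT INTO orders VALUES (101, 999, 10)")
        return True
    except sqlite3.IntegrityError:
        return False


def try_delete_parent(con: sqlite3.Connection) -> bool:
    """Delete a customer that still has orders. True if the delete went through."""
    try:
        con.execute("DELETE FROM customer WHERE id = 1")
        return True
    except sqlite3.IntegrityError:
        return False


def orphan_orders(con: sqlite3.Connection) -> list:
    """Orders whose customer_id points at no customer row: what an audit
    finds when constraints were never enforced."""
    return con.execute(
        """
        SELECT o.id, o.customer_id FROM orders o
        LEFT JOIN customer c ON c.id = o.customer_id
        WHERE c.id IS NULL
        ORDER BY o.id
        """
    ).fetchall()


def demo(enforce_fk: bool) -> dict:
    """Run the three operations with constraints on or off and report."""
    con = build_db(enforce_fk)
    result = {
        "orphan_insert_accepted": try_insert_orphan(con),
        "parent_delete_accepted": try_delete_parent(con),
        "orphans": orphan_orders(con),
    }
    con.close()
    return result


if __name__ == "__main__":
    print("constraints OFF:", demo(False))
    print("constraints ON: ", demo(True))
```

With enforcement off both the orphan insert and the parent delete succeed and the audit query then finds two dangling orders; with it on, both statements raise IntegrityError and the audit finds nothing. The audit query is worth keeping around regardless: it is how you discover the damage already done in a database whose constraints were added late.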

An attempt to insert Trojan horse code into a Linux beta software release was foiled by integrity controls that detected the unauthorized change to the source tree.
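Added example (ours, not the Linux project’s tooling and not the mechanism the linked story describes): one simple form of such an integrity control, a manifest of per-file SHA-256 digests that is itself protected by a keyed hash, checked against the tree to report files added, removed or altered. The sample source tree, its contents and the key are constructed for illustration; HMAC stands in for the digital signature a real release manifest would carry, so that the example runs with the standard library only.

```python
"""Source-tree integrity check: hash every file into a manifest, protect the
manifest with a keyed hash, and report any file that was added, removed or
altered. Added example; sample tree, contents and key are constructed."""
import hashlib
import hmac
import json
import os
import tempfile

MANIFEST_KEY = b"constructed-demo-key"  # real use: a signing key kept off the build host


def hash_tree(root: str) -> dict:
    """Map each relative path under root to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
    return digests


def sign_manifest(digests: dict, key: bytes) -> dict:
    """Serialise the manifest deterministically and attach an HMAC-SHA256 tag
    (a stand-in for a digital signature)."""
    body = json.dumps(digests, sort_keys=True).encode()
    return {"body": body.decode(), "tag": hmac.new(key, body, "sha256").hexdigest()}


def verify_tree(root: str, signed: dict, key: bytes) -> dict:
    """Check the manifest tag first, then diff the tree against it."""
    body = signed["body"].encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        return {"manifest_ok": False, "added": [], "removed": [], "changed": []}
    trusted = json.loads(body)
    current = hash_tree(root)
    return {
        "manifest_ok": True,
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
        "changed": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
    }


def demo() -> dict:
    """Build a tiny tree, sign it, then tamper with the tree and the manifest."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "kernel"))
        with open(os.path.join(root, "kernel", "exit.c"), "w") as f:
            f.write("int do_exit(void) { return 0; }\n")
        with open(os.path.join(root, "Makefile"), "w") as f:
            f.write("all:\n\tcc kernel/exit.c\n")
        signed = sign_manifest(hash_tree(root), MANIFEST_KEY)

        clean = verify_tree(root, signed, MANIFEST_KEY)

        # Simulate an unauthorised edit plus a smuggled-in file.
        with open(os.path.join(root, "kernel", "exit.c"), "a") as f:
            f.write("/* one extra line */\n")
        with open(os.path.join(root, "kernel", "backdoor.c"), "w") as f:
            f.write("\n")
        tampered = verify_tree(root, signed, MANIFEST_KEY)

        # Editing the manifest to match the edited tree fails on the tag.
        forged = dict(signed, body=signed["body"].replace("exit.c", "exit.c "))
        forged_result = verify_tree(root, forged, MANIFEST_KEY)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The order of checks matters: the manifest is verified before it is trusted, otherwise an attacker who can change a source file can equally change the line of the manifest that describes it. Content hashes rather than timestamps or sizes are used because both of those are trivially restored after an edit.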

Documents from public bodies that are put into the public domain under Freedom of Information Act provisions sometimes have to be censored to conceal information that should remain secret. Once upon a time, this used to be done by obliterating the relevant words or sections using something like a black marker pen - a process called ‘redacting’. In these days of word processing and electronic publishing, redaction can be done electronically but if it is not done properly, the underlying obscured text may be disclosed. This is exactly what happened to a paper published by the US Justice Department. [This story combines an integrity failure with loss of confidentiality]

How often do you check for updates to your operating systems and applications? The Microsoft Windows Update website, for example, provides a simple way to check for the latest Windows security patches, automatically on schedule if you choose.

Data entry controls are an important means of ensuring the validity of data at the point of entry into a system. However, if the validation rules are incorrect, they can make the problem even worse. A journalist at TheStreet.com reports that data entry fields with too few digits have constrained the recording of salary figures by the US Census Bureau, for example, and may therefore have invalidated the statistics: a value that does not fit a fixed-width field must be rejected and queried, not silently truncated or capped. See also this advice to programmers on coding data entry validation routines.
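Added example (ours, not from either linked article): a fixed-width ‘salary’ field with a validation routine that reports missing, non-numeric, out-of-range and too-wide values at the point of entry, shown alongside what a naive formatter would silently have stored for the same input. The field width, plausibility range and sample records are constructed and bear no relation to the Census Bureau’s actual layout.

```python
"""Fixed-width data entry: silent truncation versus validation at entry.

Added example; field width, range and sample records are constructed."""
from dataclasses import dataclass


@dataclass
class Field:
    name: str
    width: int      # digits the record layout can store
    minimum: int    # plausibility range, independent of the layout
    maximum: int


FIELDS = [Field("salary", width=6, minimum=0, maximum=5_000_000)]

# Constructed input, as it might arrive from a form or a scanned sheet.
SAMPLE = [
    {"id": 1, "salary": "48,500"},
    {"id": 2, "salary": "1,250,000"},   # plausible, but 7 digits
    {"id": 3, "salary": "9,000,000"},   # implausible
    {"id": 4, "salary": "n/a"},
    {"id": 5, "salary": ""},
]


def naive_encode(digits: str, width: int) -> str:
    """What a careless formatter does: keep only the low-order digits so the
    value fits. '1250000' in a 6-digit field becomes '250000'."""
    return digits[-width:].rjust(width, "0")


def normalise(raw) -> str:
    """Strip thousands separators and whitespace; return the digit string."""
    return str(raw if raw is not None else "").replace(",", "").strip()


def validate_record(record: dict) -> list:
    """Return a list of (field, reason) problems; an empty list means accept."""
    problems = []
    for field in FIELDS:
        s = normalise(record.get(field.name))
        if s == "":
            problems.append((field.name, "missing"))
        elif not s.isdigit():
            problems.append((field.name, "not an integer"))
        elif not field.minimum <= int(s) <= field.maximum:
            problems.append((field.name, "out of range %d..%d" % (field.minimum, field.maximum)))
        elif len(str(int(s))) > field.width:
            problems.append((field.name, "does not fit %d-digit field" % field.width))
    return problems


def ingest(records: list) -> dict:
    """Validate each record. Accepted ones are encoded to the fixed width;
    rejected ones carry their reasons and the value the naive path would
    have stored instead of complaining."""
    accepted, rejected = [], []
    for rec in records:
        problems = validate_record(rec)
        s = normalise(rec.get("salary"))
        if problems:
            rejected.append({
                "id": rec["id"],
                "problems": problems,
                "naive_would_store": naive_encode(s, FIELDS[0].width) if s.isdigit() else None,
            })
        else:
            accepted.append({"id": rec["id"], "salary": naive_encode(s, FIELDS[0].width)})
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    for k, v in ingest(SAMPLE).items():
        print(k, v)
```

Record 2 is the Census-style case: the value is entirely plausible, but the layout cannot hold it, and the naive path would have quietly recorded a salary of 250,000. The fit check is kept separate from the range check so that the two kinds of error are reported differently; the first is a layout defect to fix, the second is a data problem to query with whoever supplied it.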

For a while, Microsoft promoted its Trustworthy Computing (TWC) initiative at every marketing opportunity, calling it a cornerstone. However, their more candid spokespeople sometimes admitted that they have some way to go before they can claim to release secure software. “Windows Server 2003 is the most secure product we’ve ever released ... but I can guarantee there will be security vulnerabilities in it” said Stuart Okin (former Chief Security Officer for Microsoft UK) at a presentation to a London security exhibition.  Anyone who truly understands the constraints of current information security practice would surely agree with Stuart’s implication that commercial software is simply too complex to be entirely secure. Maybe he was thinking primarily about access control when he said this but all manner of information security problems, including system integrity failures, remain very much a fact of life despite the vendors’ apparent interest in security. We may at least theoretically be getting closer to our goal but in practice total security is an oxymoron.

Wired reports that the source code to an electronic voting system from Sequoia Voting Systems was made available on a publicly accessible FTP server managed by Jaguar Computer Systems. The software may potentially have been analyzed by hackers for security weaknesses (which, of course, it should not have if integrity and security in general were important drivers in the development) and might even have been compromised in situ (e.g. Trojan horse functions may perhaps have been inserted), although the vendors state that this particular system was a support system rather than the actual eVoting system itself. 

Whilst systems can and should be designed to trap common typos and other invalid user input, it may not be so easy to prevent dishonest users deliberately entering invalid data. A gentleman called Rob Cockerham, for example, has gained a little notoriety by duplicating and distributing copies of his supermarket loyalty card barcode number. He claims this is a prank, mentioning personal privacy as a motivator. If enough people did this, the loyalty schemes might collapse ... but probably not if the supermarkets were able to identify and trap this kind of deliberate abuse.

A single missing full-stop character in a software upgrade resulted in integrity problems that caused management to bring the New Zealand stock exchange trading systems to a halt for some five hours. Whilst some described this as an overcautious response, it demonstrates how seriously the financial industry regards integrity.

A US law case revolved around the claim that emailing information about a particular security vulnerability to users constituted a threat to integrity of the system, and was thus illegal under a federal computer crime statute. If this case stands, the precedent it sets may discourage people from posting to BugTraq et al.

Given that, according to some, ‘there can be no more fundamental a duty for a politician than to ensure a fair and accurate election process’, data and systems integrity is clearly vitally important for automated voting systems. An eVoting system used in Maryland has come under fire from researchers who discovered serious security flaws in the software, and is now to be investigated further.

The Guardian newspaper (sometimes known in the UK as the Grauniad due to its alleged propensity for spelling miskates) reported that discrepancies between atomic clocks, Coordinated Universal Time (UTC, which is kept in step with the earth’s rotation by inserting leap seconds) and GPS systems, caused by variations in the earth’s rotation and technical problems with updating electronic clocks, create risks to aircraft navigation. The article also mentioned possible legal challenges to the timing of documents. Whilst the examples given were weak, the article did highlight our dependence on knowing and agreeing the “correct” time. Timestamps are used to sequence and validate transactions, logged system events, digital certificates etc. PC clocks are quite unreliable and need to be referenced to a time standard, e.g. an Internet time server via NTP, which measures the local clock’s offset from the server’s from the exchange of timestamps rather than trusting either clock outright.


Related NoticeBored links collections

Trust, fraud, information security management, Bugs!, authentication, compliance, risk management, malware, confidentiality and security awareness


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.



Copyright © 2008 IsecT Ltd. and licensors