The RISKS Digest
Volume 21 Issue 60

Friday, 17th August 2001

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Heart-device recalls
PGN
Runway incursions
Andres Zellweger
Cingular wireless goes down in heat wave
PGN
Swisscom Mobile breaks down for 10 hours
Andre Oppermann
Marines face charges in Osprey records falsifications
PGN
Woman stalked by Michigan cop via police databases is murdered
Declan McCullagh
Video crypto standard cracked?
Monty Solomon
Free hotel reservations canceled
Steve Bellovin
Interstate car tags to be photographed and tracked
Steve Holzworth
Hacked caller ID?
Andrew Hilborne
Risks of letting MS not-so-Hotmail do your junk filtering...
Michael Loftis
GPS-guide in car going nuts?
Martin Schulze
The risks of not verifying e-mail addresses
Doug Winter
Re: Mixing advertising and credit-card activation
Sam Garst
Joel Garry
REVIEW: "The Internet Security Guidebook", Juanita Ellis/Timothy Speed
Rob Slade
Dependability and "Open Source" development
Cliff Jones
CFP2002: Call for Proposals
Lance J. Hoffman
Info on RISKS (comp.risks)

Heart-device recalls

<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 16 Aug 2001 9:35:51 PDT

A study from Brigham and Women's Hospital in Boston in the JAMA reports
that, over the ten-year period ending Dec 2000, 42 recalls and 10 safety
alerts were issued for pacemakers and implantable cardioverter
defibrillators (ICDs, as In Cheney, Dick) involving more than 520,000
devices.  Over 600,000 Americans have pacemakers and 150,000 have ICDs, so
that represents a remarkably high percentage.  However, only a small
fraction of the recalled devices were actually defective.  If recall
recommendations were followed, the study estimates that 36,000 devices would
have been replaced.  Only a few deaths were attributed to malfunctions.
Advisories are increasing, but that is attributed to increased manufacturer
vigilance and richer information output by the devices.  [Source: article by
Kenneth Chang, *The New York Times*, 15 Aug 2001, Natl. Edition A12; PGN-ed]


Runway incursions

<Andres Zellweger <azellweg@hq.nasa.gov>>
Wed, 15 Aug 2001 10:54:24 -0400

A 14 Aug 2001 Reuters item, New glitch for US system to avoid runway
collisions, talks about more delays in the long promised FAA Runway
Incursion System — due to ``excessive false alarms''.  This raises an
interesting dilemma for designer of such safety systems.  The state of the
art in runway incursion systems is not good enough to detect all potential
incursions without a relatively high level of false alarms.

One could tune the system to have false alarms at an ``operationally
acceptable'' level, but the likelihood of missing some potential incursions
increases.  Critics argue that one should not be implemented a system that
misses some potential incursions because air traffic controllers would
become dependent on the system instead of using it a safety net. Therefore,
they argue, there might be more incursions than if controllers were doing
their job properly without the system in place. Others (and I fall in this
camp) think that, with proper training, controllers will not be lulled into
a false sense of security, and safety can be increased when a safety net
that is not perfect is present. I don't think that any air traffic
controller takes his/her job of separating aircraft less seriously because
of TCAS!

Andres G. Zellweger, PhD, NASA code R, 300 E St, SW,
Washington, DC 20546-0001    1-202.358.0544   azellweg@hq.nasa.gov

  [The chairman of the relevant House subcommittee on aviation suggested
  that the FAA should take the time to get it right.  (The program is
  already six years behind schedule.)  Runway safety is an increasing
  with more near misses, including one at Dallas in May 2001.  LAX and
  O'Hare each had five near misses from 1997 to 2000.  PGN-ed]

    [This morning's news reports noted a new runway crossing near-miss,
    preliminarily blamed on air-traffic control.  PGN]


Cingular wireless goes down in heat wave

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 10 Aug 2001 14:17:48 PDT

A little reverse Rube Goldberg: The heat wave in the DC area caused a power
outage, the backup batteries failed, and the automatic system that should
have cut over to the backup generator also failed, resulting in disruption
of cell-phone service to 301- and 202-area Cingular Wireless customers.  The
failure of a single switch that was supposed to transfer from batteries to
generator power (which was designed to operate autonomously for at least a
month) was apparently the ultimately limiting factor.  But the generator ran
fine!  [Source: Associated Press article by Derrill Holly, AP 10 Aug 2001;
PGN-ed]


Swisscom Mobile breaks down for 10 hours

<Andre Oppermann <oppermann@telehouse.ch>>
Sun, 12 Aug 2001 13:03:15 +0200

On Friday, July 27th 2001, the whole Swisscom Mobile GSM network, serving
3.3 million customers (70% market share in Switzerland), broke down for 10
hours from approx. 12:30 until 22:30 GMT+0200.

Two independent software errors in the primary and backup network signaling
processors (the SS7 network) caused a halt for the processing of all
signaling in a GSM network. This includes call setup, call receiving, SMS
(short message service), logging onto network and basically everything
else. The central GSM systems (HLR, VLR, NMC and so on) stayed up but were
unable to communicate with the base stations in the field.

The primary system suffered a complete failure (software error) and as
designed the backup system took over. While it was working fine first the
backup system got loaded more and more, judging from the description
something like a missing free() call, and eventually broke down too half an
hour later.

The newspaper "Le Monde" was reporting insider information last week saying
that these signaling processors are made by Alcatel and that Alcatel found
out about the software errors two weeks before (and probably also had a fix)
but "forgot" to inform Swisscom Mobile about it. Alcatel is now facing a
Swiss Franc 30 million liability case. This is the loss Swisscom Mobile has
because of lost revenues, not including public image damages.

In one thing I have respect for Swisscom; They did a pretty good job with
public relations and informed the media and public very openly about their
technical problem(s). Now, two weeks later, Swisscom Mobile also issued a,
thought written for the non technician but pretty detailed, press release of
the cause and events of this network failure.

Although one funny thing happened; The press release in German is the
original one and while translating into English they forgot one just one
word but it makes a somewhat significant difference. In the German version
it reads "Technical systems do *not* guarantee 100% availability [but we do
our best to get 99.95%]. In the English version it reads "Technical systems
guarantee 100% availability [but we do our best to get 99.95%]". But see
yourself:

http://www.swisscom.com/gd/information/press_releases/2001/
  natel_disruption-de.html in German
http://www.swisscom.com/gd/information/press_releases/2001/
  natel_disruption-en.html in English

Andre Oppermann


Marines face charges in Osprey records falsifications

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 10 Aug 2001 13:09:55 PDT

Eight Marine Corp officers have been charged with misconduct with the
alleged falsification of MV-22 Osprey tilt-rotor maintenance records.
[http://www.washingtonpost.com/wp-dyn/articles/A59345-2001Aug10.html]

  [See RISKS-21.14,21,24,31,33,36,38,41 for Osprey problems.]


Woman stalked by Michigan cop via police databases is murdered

<Declan McCullagh <declan@well.com>>
Fri, 10 Aug 2001 10:35:36 -0400

A Michigan State Police detective whose estranged wife was shot dead at the
Potter Park Zoo admitted using police databases such as the Law Enforcement
Information Network (LEIN) to check on his wife and her acquaintances before
her fatal shooting.   [Source: *Free Press*, 8 Aug 2001; PGN-ed
  http://www.freep.com/news/mich/lein8_20010808.htm]


Video crypto standard cracked?

<Monty Solomon <monty@roscom.com>>
Wed, 15 Aug 2001 01:17:48 -0400

Noted cryptographer Niels Ferguson says he's broken Intel's vaunted
High-bandwidth Digital Content Protection (HDCP) Digital Video Encryption
System, but fear of U.S. law is keeping him silent on the details.  HDCP
connects digital cameras, high-definition televisions, cable boxes, and
video disks players.  [Source: Article by Ann Harrison, 13 Aug 2001, PGN-ed;
http://www.securityfocus.com/news/236]

  [Intel has not threatened him, but he can still be sued by the U.S. Govt
  under DMCA, or by the motion-picture industry.  His comments are at
    http://www.macfergus.com/niels/dmca/index.html
  Knowledge that it is (or might be) breakable is likely to result in other
  folks doing it, and perhaps posting it anonymously in some non-US Web
  site.  The globalization of the Internet is clearly going to be an
  increasingly difficult problem for industries trying to defend information
  supposedly protected under flawed standards.  PGN]


Free hotel reservations canceled

<Steve Bellovin <smb@research.att.com>>
Tue, 14 Aug 2001 11:56:40 -0400

We have here a story of sequential bugs, or at least odd behavior.

Last March, someone entered a rate of $0 per night for the Mexico City
Airport Hilton into an online reservation system.  A number of users of the
Travelocity web site saw it and reserved rooms.  Hilton eventually agreed to
honor that rate for one night, and let travelers stay additional nights at
"the lowest available rate".  But the story has gotten stranger.

According to today's Wall Street Journal, at least two people who made such
reservations via Travelocity have found that their reservations have been
canceled without their knowledge.  Hilton and Travelocity deny any knowledge
of what happened.  Both cancellations were via telephone calls to
Travelocity, made within minutes of each other.

Steve Bellovin, http://www.research.att.com/~smb


Interstate car tags to be photographed and tracked

<Steve Holzworth <sch@unx.sas.com>>
Thu, 9 Aug 2001 19:00:48 -0400

>From WRAL.com (excerpted):

http://www.wral.com/news/910501/index.html

[Charlotte, NC]

... The cameras will be used to photograph the license tags of some 400,000
vehicles so researchers can analyze freeway travel and predict future
air-pollution levels and highway needs.  The 43 cameras will photograph and
track every car that passes on stretches of U.S. 74, and Interstates 77 and
85 during a 12-hour period on Tuesday.  ...  North Carolina highway
officials say the photos will be destroyed within 90 days to protect the
drivers.  [Suuure they will - SCH]

Steve Holzworth, Senior Systems Developer  sch@unx.sas.com
SAS Institute - Open Systems R&D VMS/MAC/UNIX  Cary, N.C.

  [Interesting possibility if the numbers and letters can be read,
  but the state identification cannot — in which case Steve in NC
  might get a ticket based on someone's Alaska licence plate.  PGN]


Hacked caller ID?

<Andrew Hilborne <andrew.hilborne@uk.xo.com>>
09 Aug 2001 18:09:52 +0100

Two-and-a-half years ago I received an unexpected telephone call at about
2230 on my British Telecom phone. The caller was adamant that I had called
him at about 2020 the same night, from my phone — he had used "1471" when
he arrived home himself, to access the CLID of the last call to his number.

But I had been out of the house until 2200, and the house had been empty.
It took some effort to persuade my unknown caller that I hadn't called him
earlier that evening. So the following day I asked on the BT fault reporting
line how this could have happened. I was told that this sort of thing
happens quite often. I may well have been in trouble if a crime had been
committed at the other house that night.

BT don't advertise this failure mode at all.

Andrew Hilborne


Risks of letting MS not-so-Hotmail do your junk filtering...

<Michael Loftis <mloftis@wgops.com>>
Fri, 10 Aug 2001 09:01:38 -0700

I see that Hotmail has junk/spam filter, I get a fair amount of SPAM in
my hotmail account so I figure I'll give this a try.  It doesn't block
anything that is spam, in fact the only thing it did block in the "Low"
setting was mailings from SPEAKEASY my ISP, even after I told it that I
*wanted* those!

It's a good thing I noticed, they send bills via e-mail too.

I mean really!  I got 3-4 pices of spam through the filter (even after
saying one of htem was spam earlier) and 5-6 pieces of mail from
Speakeasy went into the Junk folder with the filter, I turned it off.

The RISK is two-fold, blocking very obvious non-bulk mailings via a
mechanism that isn't obvious, and then telling the user that they can ask
that mechanism to be circumvented in special cases but not implementing it!!

Imagine if I had not looked into the Junk Mail folder?  How much other
legitimate e-mail would go into there, keep in mind this was the "Low"
setting.

Michael Loftis


GPS-guide in car going nuts?

<Martin Schulze <joey@finlandia.infodrom.north.de>>
Wed, 8 Aug 2001 18:09:33 +0200

Modern cars may contain GPS systems to guide the driver to unknown
destination locations he would otherwise have to use a map for.

We went out with three cars, of which two were sold with such a GPS system,
ours wasn't, but we were driving in the city I know best.  Both cars with
GPS system didn't know that city well enough to reach the destination
location without a map (or GPS system).

After lunch at a restaurant at a distant edge of the city we went back to
the house.  Right after leaving the restaurant the three cars diverted, used
different paths.  Our car (w/o GPS) and one other car arrived at the house
early.  We were wondering where the third car had gone.  Finally, some 10
minutes later, they arrived as well.

What was the reason?  Too much trust and depending on modern computer
thingies.  The location was stored in the GPS system.  In order to reuse the
location it was stored by using letters, but unfortunately the display
wasn't very wide.  When storing the name of the city and some random string
the system cut off some parts:

        Wilhelmshaven Hotel
        Wilhelmshaven House
        Wilhelmshaven Restaurant
        `-----------'
          Display

So when re-selecting the destination after lunch the driver had to
make the choice which of the three similar looking locations is the
proper one.  He had selected the wrong one so the GPS system guided
him to the hotel instead of the house.

This driver used the GPS system of a modern 'VW Passat', the other car
was a 'Audi 100' which has a larger display for the GPS system, so the
driver was guided to the correct address.

  [Joey says "Please always Cc to me when replying to me on the lists."
  That is always a good policy.  PGN]


The risks of not verifying e-mail addresses

<Doug Winter <dwinter@businesseurope.com>>
Thu, 9 Aug 2001 18:21:08 +0100

A colleague of mine recently received the following e-mail, apropos nothing:

> Date: Wed, 8 Aug 2001 16:41:07 +0530
> From: HDFC Bank Support <Support@hdfcbank.com>
> To: [name elided] <[address elided]>
> Subject: " Welcome to HDFC Bank.  "
>
> This is an auto-generated mail. Please do not reply to it.
> Dear Customer,
> Thank you for opening an account with us.
> We have received your account opening form and opened an account as
> per the details mentioned below.
> You can now access all your accounts from any of our branches across
> the country. To give you quick access to all your accounts with us, we
> have generated a Customer Identification Number (Customer ID No.). All
> your accounts are linked to this number, and you only need to quote
> this number to our Personal Bankers or Tellers for any help you
> may require.
> Your Customer ID No. is  [number elided].
> The Account details are:
> Account Number:  [number elided]
> Primary Account Holder:  [name elided]
> The Welcome Letter is being sent to you separately by mail.
[snip]

They sent a real account name, account number and customer ID to a complete
stranger on the basis of a new user's registration information, without
first validating it in any way.  The user in this case had /almost/ got his
email address right - only the Top Level Domain was incorrect.

On informing the bank of their error they claimed "The information we send
across to across e mail is limited hence the possibility of misuse is not
possible".

The risks are obvious.

Doug Winter, CTO, Business Europe, 3 Waterhouse Square, Holborn Bars,
142 Holborn, London EC1N 2NX  +44 (0)20 7961 0341  dwinter@businesseurope.com


Re: Mixing advertising and credit-card activation (Green, RISKS-21.57)

<Sam Garst <samgarst@netaxs.com>>
Tue, 07 Aug 2001 14:30:12 -0400

In RISKS-21.57 Bob Green <rgreen@etnus.com> discussed a credit-card
authorization process that raised some risks.  I, too, was confused by a
recent credit card activation; with an couple of novel (and risky) twists:

My credit card had been compromised. Kudos to the credit card agency, as
they called me to confirm a suspicious (and fraudulent) charge. I dutifully
called to activate my new card when it arrived. I have CallerID blocked, and
I was curious to know how this might be handled. It wasn't, I sailed on
through the authorization process. Do they have the means to override
CallerID blocking? Or, are they not validating the originating phone number
as my home? I promise to call from my office next time, and report back.

Just as Bob Green mentioned, I was subjected to a rather long and tedious ad
before the authorization process was complete. Ironically, the ad was for
one of those credit reporting services, that will send you a consolidated
report from all credit agencies, and alert you whenever someone makes a
credit check. Well, I hope it was ironic and not targeted advertising for
fraud victims.

Finally, the prompt at the end of the ad were deeply confusing, just as Bob
Green noted. But wait, the confirmation prompt was reversed: "Do you want to
buy this service?" <NO> "Are you sure you don't want to buy this service?"
<YE...uh, wait, what was the question?>

Sam Garst <samgarst@acm.org>


Re: Mixing advertising and credit-card activation (Green, RISKS-21.57)

<Joel Garry <joel-garry@home.com>>
Tue, 07 Aug 2001 23:27:33 -0700

>From Pacific Bell web page about caller id
http://www.pacbell.com/Products_Services/Residential/ProdInfo_1/1,1973,10-3-,00.html

  Complete Blocking prevents the transmission of your phone number on all
  calls you make, except 911 and national 800, 888, and 877 number calls.

The risk must be that adhesion contracts (with terms you are stuck with) may
define a phrase like "Complete Blocking" with caveats that may unexpectedly
negate the phrase.  Of course, they are the phone company, they don't have
to adhere to any reasonable man or reasonable computer standard.

A few days ago, I noticed my business line was in use.  Since I wasn't using
it, I picked it up and heard telephone technicians talking about line loops
and how the "ants were biting the hell out of my arm."  So I drove over to
where they were installing DSL in the street and told a very surprised tech
that if he didn't get off my line, I would make sure his supervisor would
bite his ass a lot harder than those ants!

Joel Garry, Oracle and Unix Guy  http://www.garry.to


REVIEW: "The Internet Security Guidebook", Juanita Ellis/Timothy Speed

<Rob Slade <rslade@sprint.ca>>
Mon, 13 Aug 2001 09:38:30 -0800

BKISGFPD.RVW   20010605

"The Internet Security Guidebook", Juanita Ellis/Timothy Speed, 2001,
0-12-237471-1, U$44.95
%A   Juanita Ellis
%A   Timothy Speed tim.speed@home.com
%C   525 B Street, Suite 1900, San Diego, CA   92101-4495
%D   2001
%G   0-12-237471-1
%I   Academic Press
%O   U$44.95 619-231-0926 800-321-5068 fax: 619-699-6380
%P   320 p.
%T   "The Internet Security Guidebook: From Planning to Deployment"

The introduction outlines some of the basic types of attacks that can happen
over the Internet, and seems to concentrate on attacks against machines,
rather than people or companies.  This emphasis on the technical is odd,
since the material provides very few technical details, but does contain
more than a little error and confusion.  The text of the book doesn't
mention a specific target audience, although the jacket notes seem to
promote the work to CEOs and other senior executives.  Which is odd: the
writing level seems more appropriate to the home user.

Chapter one is an overview of security planning.  Most of the important
parts of preparation are included, but the chapter structure and even the
figures are very confusing.  There are many gaps in the discussion of
security reviews, and a number of odd and apparently misplaced items have
been inserted.  Encryption is covered simplisticly, and the lack of depth in
the material becomes a problem in the chapter on network security.  After
twelve pages that *don't* explain the Internet and OSI (Open Systems
Interconnection) models of networking, the text attempts to deal with a
number of Internet security tools, most of which rely on encryption and key
exchange.  There are frequent errors and the sections sometimes even provide
contradictory and nonsensical explanations, such as the statement that
"unencoded" means both "not encrypted" and "not as plain text."  The basic
outline of firewalls is better than is provided in most general guides,
although the description of circuit- level gateways keeps referring to
"stateful inspection" without ever explaining what that is.  The long
evaluation section is, unfortunately, the usual for this type of book: it
does provide most of the right questions to ask, but doesn't give the novice
reader much help in analyzing the answers.  Authentication is a very
important topic in security, and it is too bad that the material on this
subject is so confused, and confusing.  I find it very difficult to
reconcile the statement that there are "very few examples" of biometrics
with the existence of a great many fingerprint, palm geometry, iris,
voiceprint, and even face readers.  The depiction of Kerberos is wrong in
some basic aspects, does not address the fundamental problems with the
Microsoft version, and does not relate in any way to the very closely
associated topic of single sign-on that immediately follows.

The discussion of PKI (Public Key Infrastructure) does do well in covering
the "build or buy" debate for a certificate authority.  Directory issues are
not handled particularly well, and there are other errors.  (Excuse me?  The
Internet didn't exist before the mid- 1980s?)  The chapter on messaging
security is a real grab bag of topics, none of which, with the possible
exception of acceptable use, are covered in sufficient depth.  (Viruses and
trojans get lumped into this chapter, and the commentary is quite sloppy.)
The basic outline of risk analysis, including threat, impact, and
probability, is good, but the supporting material is not quite standard, and
probably not very helpful to the target audience.  The chapter also fails to
point out the full scope of such an appraisal, as well as the importance of
looking at the aggregate risk.  On the other hand, the review of policy and
procedures hardly seems to address policy creation at all.  This is another
miscellaneous compendium of vulnerabilities, diving into specifics and
missing the bigger picture.  The material on incident response is generic,
but does point out the foundational concepts.  There is little detail, and
the text does concentrate on dealing with events by severity, rather than by
type.  The book closes off with an ordinary presentation on project
planning.

I would be the first to admit that security can be a dry topic, and a little
humour can help to spice up the text.  However, I am willing to make an
exception in the case of this book.  The jokes added to the text do nothing
to improve it.  They are intrusive, distracting, and do not, in any way,
help the reader to understand the topics under discussion.  Indeed, the
attempts at comedy generally sidetrack the reader from the central issues of
the work, and simply confuse any issue under discussion.

If this text is aimed at executive management, it definitely needs to be
tightened up and reorganized to eliminate duplicated material and ensure the
structure and arguments are easier to follow.  Many points raised throughout
the work are important, but a number of vital issues are not addressed, and
the patchwork of writing level and quality of information probably means
that this is unsuitable as an only introduction to security.  The Internet,
in fact, is not really a major concern in this book, although it does get
mentioned from time to time.  I would have difficulty in suggesting a group
that would benefit from this book, although it might serve as an adjunct
text to the security planning process, if ideas were being culled from
multiple sources.

copyright Robert M. Slade, 2001   BKISGFPD.RVW   20010605
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Dependability and "Open Source" development

<Cliff Jones <cliff.jones@ncl.ac.uk>>
Wed, 15 Aug 2001 13:39:14 +0100

WORKSHOP ON OPEN SOURCE SOFTWARE DEVELOPMENT
NEWCASTLE, 25-26 FEBRUARY 2002

Organised by the Dependability of Computer-Based Systems (www.dirc.org.uk)
Interdisciplinary Research Collaboration, the focus is on
dependability and open source software development.  Short abstracts
due by 2 Nov 2001, papers later.  For further details, see:
  http://www.dirc.org.uk/events/ossdw_ncl.html
and contact Dr. C. Gacek <cristina.gacek@ncl.ac.uk>.


CFP2002: Call for Proposals

<"Lance J. Hoffman" <hoffman@seas.gwu.edu>>
Wed, 01 Aug 2001 19:48:44 -0400

  [CFP has been an extraordinarily valuable conference, bringing together
  a very diverse group.  Strongly recommended.  Proposals due 15 Oct 2001.
  (This CFP CFP has been abridged for RISKS.)  PGN]

  CFP2002: The Twelfth Conference on Computers, Freedom & Privacy
  Cathedral Hill Hotel, San Francisco, California, USA
  16-19 April 2002
  http://www.cfp2002.org

Lance J. Hoffman, The George Washington University, Washington DC 20052:
Professor, Dept. of Computer Science  www.cs.seas.gwu.edu (202) 994-4955
and Cyberspace Policy Institute (202) 994-5513 www.cpi.seas.gwu.edu

Please report problems with the web pages to the maintainer

x
Top