The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 26

Monday 5 March 2001

Contents

Smart bombs miss again
Lord Wodehouse
Air gaps
Bruce Schneier
Bibliofind exposes lots of credit card data they shouldn't have had
Lenny Foner
TurboTax potential overstatement of gross income
Richard Mason
Risks of buggy cell phone networks
Kragen
SETI@Home felled by a Single Point of Failure
Malcolm Pack
Passwords don't protect Palm data, security firm warns
Yves Bellefeuille
Risks of laptop anti-theft devices
Tony Yip
Where does NAVSTAR say we are, again?
James Paul
Beware assumptions about keyboard layouts...
Perry Pederson
Re: On paper-size standards
Gideon Sheps
REVIEW: "Tangled Web", Richard Power
Rob Slade
Info on RISKS (comp.risks)

Smart bombs miss again

<Lord Wodehouse <w0400@ggr.co.uk>>
Thu, 22 Feb 2001 15:05:03 +0000 (GMT Standard Time)

>From BBC New online at
http://news.bbc.co.uk/hi/english/world/middle_east/newsid_1184000/1184086.stm

  "Pentagon officials have admitted that most of the bombs dropped by US
  and British warplanes on Iraq last Friday missed their targets."

Yet again I find myself writing to RISKS to point out that these
computer-game type weapons are almost always oversold on their abilities and
have been little more effective than plain dumb bombs.  The Patriot missile
is another case oversold (see many article in RISKS).

However, if smart weapons fail in Iraq, how much less well will they work in
Europe under bad weather. Kosovo was such a case and often the weapons could
not be used. The military rely on them more and more, and yet they are shown
to be more limited and often less usable.

Extending this on to the smart guns and systems for soldiers, I see the
fighting forces becoming less effective. The small band of fighters often
now seem to beat the big armies. It will become worse, if technology is used
exclusively.

And what about the NBMD system. Five failures so far. I do not see be being
anything apart from a means of keeping some companies in work and something
that destabilizes the current situation. Shooting down a long range missile
is a lot harder than trying to hit a static target!

Global Research Information Systems, GlaxoSmithKline Medicines Research Centre
Stevenage SG1 2NY UK +44 1628 482 634  w0400@ggr.co.uk  http://www.gsk.com/


Air gaps

<Bruce Schneier <schneier@counterpane.com>>
Wed, 21 Feb 2001 16:39:50 -0600

This is from the February Crypto-Gram.
	http://www.counterpane.com/crypto-gram-0102.html

Whale Communications has been marketing something called e-Gap, which they
claim is an "air gap" between two networks. Basically, the system consists
of two servers. One is connected to the Internet and the other to the
internal network. The two servers only connect through the e-Gap system, a
SCSI-based memory device that gets toggled between them. The two servers
are never directly connected.

This is an interesting idea, but it's not an air gap.

What E-Gap really does is create a proxy connection between two computers.
It's a slow connection. It's a very limited connection; the system strips
down any network layers under the session layer. What that means is that if
you set up a system using E-Gap and an intruder were to break into the
Internet server, he could not obtain TCP/IP connectivity to the internal
server. This certainly increases the security of the back-end server.

Nonetheless, the intruder can still access the back-end server as a regular
client. The intruder can still break into the internal system by exploiting
any vulnerabilities above the transport layer.

The whole point of an air gap is that there is no automated connection
between the two devices. It's not simply that there is no physical
connection between the devices most of the time, but that any logical
connection between the two devices is not automated. If the Internet server
and the back-end server were on opposite sides of a room, there would be an
air gap between them. To connect the two computers, a user has to walk a
floppy disk across the room. For an attacker to attack one computer from
the other, he needs to be physically present. Even if an attacker gains
access to the Internet server remotely, he cannot bridge the air gap to the
back-end server.

While E-Gap can claim that with their device systems are "completely
disconnected at all times," the truth is that their switch operates
automatically at all times. There is always a logical connection between
the systems connected by their device. And that connection is subject to
remote attack, and possible compromise.

I'm not saying that this is a bad product -- it sounds like a good product
-- but it is not an air gap. Calling it one is deceptive marketing. Kind of
like calling a stream cipher a one-time pad.

Whale's page describing their technology:
<http://www.whale-com.com/fr_0300.htm>
They call it "impenetrable." Also note that on their home page they don't
just call it an air gap but a *physical* air gap, just in case someone
might have wanted to give them the benefit of the doubt.

A response to critics by someone with Whale:
<http://lists.gnac.net/firewalls/mhonarc/firewalls.199911/msg00269.html>

Hall of shame puff piece:
<http://www2.cio.com/archive/050100_development_content.html>

Whale isn't the only one. Here's a review of six "air gap" products:
<http://www.infosecuritymag.com/articles/july00/cover.shtml>

Airgap Networks, which has few details on their product, is notable for
actually defining "air gap" (albeit in an Orwellian manner).
<http://www.airgap.net/what.html>

Bruce Schneier, CTO, Counterpane Internet Security, Inc.  1-408-556-2401
3031 Tisch Way, 100 Plaza East, San Jose, CA 95128  http://www.counterpane.com


Bibliofind exposes lots of credit card data they shouldn't have had

<Lenny Foner <foner@media.mit.edu>>
Mon, 5 Mar 2001 17:26:25 -0500 (EST)

Bibliofind matches up people looking for used books, and book dealers
who have them.  Every time you use it to actually buy a book, you're
forced to enter all of your name, address, CC info, etc, etc, and
that's then sent to the book dealer.  They didn't appear to actually
keep any of this information around, given that it was never presented
in the UI (e.g., as a pre-filled-in form, or something else useful).

So I'm especially appalled to have just read that my data, along with
about 100K others' data, was perhaps being read for the last 4 months.
See http://www.cnn.com/2001/TECH/internet/03/05/bibliofind/index.html

Not only did they -not- say they were keeping it (instead of just
serving as a conduit), keeping it did nothing to make their customers'
lives easier.  So it looks like they got it wrong coming and going.
Perhaps the press report got it wrong, and it was some sniffer-like
attack instead, but it sure seems to imply that they had a big
database hanging around that they didn't tell their customers about
and which wasn't helping anybody, except to serve as a big fat target.

Feh.  I guess we'll see if phantom charges appear on various cards.
Not to mention perhaps enabling identity frauds of various sorts.

I can't get any info about this directly from Bibliofind at the
moment, because their site is off the air.


TurboTax potential overstatement of gross income

<Richard Mason <mason@unr.edu>>
Thu, 01 Mar 2001 14:41:45 -0800

In using TurboTax there is an ability to directly download income tax
information on dividends, interest and securities sales, from various
brokerage firms directly into TurboTax. When downloading income tax
information from Fidelity Investments for a joint tax return I ended up
with duplicate, i.e. double amounts of interest and dividends, in the
following circumstance. Husband and wife each have individual brokerage
accounts. They also have a joint brokerage account. Husband's account
info downloads into TurboTax on his social security number and password,
wife's account information downloads into TurboTax on her social
security number and password. Joint account information downloads on
each access. The result is a doubling of the interest and dividend
income into TurboTax. This may be unique to the Fidelity account account
access system that allows joint account access from either social
security number and password, but it is a concern.

Richard Mason, University of Nevada


Risks of buggy cell phone networks

<kragen@pobox.com>
Fri, 2 Mar 2001 02:22:56 -0500 (EST)

I've been a customer of Sprint PCS in Silicon Valley since mid-January.
I've noticed that, frequently, when I call busy phone numbers, I never hear
a busy signal; instead, I hear my own voice echoed back at me.

My morning train seatmate had a Motorola Sprint PCS phone she claims works
everywhere but San Francisco.  Here, whenever she called her Sprint PCS
voice mail (located in Texas), she got connected to someone else's
in-progress call --- apparently selected at random.

I observed the same phenomenon later today trying to call my girlfriend's
Seattle Sprint PCS phone and (non-Sprint, non-cellular) home phone.
Sometimes I got fast busy signals, sometimes I got my own echo, and
sometimes I got other people's conversations.  It appeared that I was only
hearing one side of the conversation, the speakers could not hear me, and my
listening did not disrupt their conversation; but it only lasted for ten
seconds or so.  Still, I heard snatches like, "Yeah.  She says this is the
sickest she's ever felt."  One eavesdropping session lasted nearly a minute.

I suspect these are two manifestations of a single bug in Sprint's base
station software.  I wonder who's listening in on my conversations?  This
(plus Sprint billing me $161 for my first day of service, then $99 for the
next 30 days) will probably wean me from Sprint.

Any secure communications architecture that relies on hop-by-hop encryption
will be vulnerable to bugs like this in switches.  End-to-end encryption is
more robust against such things.


SETI@Home felled by a Single Point of Failure

<Malcolm Pack <risks2@potnoodle.net>>
Thu, 01 Mar 2001 07:35:22 +0000

After being unavailable for over 24 hours, the home page for the SETI@Home
project, <http://setiathome.ssl.berkeley.edu/>, has currently (1 March 2001)
been set to redirect to a holding page at
<http://www.net.berkeley.edu/setiathome/>.

| Fiber cut silences SETI@Home
|
| At about 3:30 AM PST on 27 February an optical fiber cable connecting
| the U.C. Berkeley campus with the Lawrence Berkeley National
| Laboratory was cut, apparently by vandals trying to "salvage" copper
| from other nearby cables.
|
| The broken fiber carries data and voice connections for LBNL and also
| for the Space Sciences Lab. SSL is where the SETI@Home project is
| located, so the millions of participants helping to analyze data have
| been unable to contact the SETI@Home servers for more than a day.
|
| Contractors are pulling new cable now. It's expected that service to
| SSL will be restored by Friday, 2 March 2001. We'll update this page
| as we learn more about the progress of the repairs.

I infer either:

o	Traffic to and from the SET@Home servers is too great to be
	permitted to use any backup connection that exists between the
	two facilities.

or

o	LBNL and SSL are cut off from the 'Net altogether until this
	SPF is repaired.

The loss of processing time to the project is unimportant in terms of
contribution to overall success or failure (I doubt ET will be too
upset if we find him/her/it/them 4 days later than expected), but the
drop-out rate may increase as people simply give up instead of
checking the home page for an explanation for their lack of progress.

Malcolm Pack


Passwords don't protect Palm data, security firm warns

<yan@storm.ca (Yves Bellefeuille)>
Fri, 02 Mar 2001 17:41:00 -0500

At http://news.cnet.com/news/0-1006-202-5005917-0.html:

Passwords don't protect Palm data, security firm warns
By Robert Lemos
Special to CNET News.com
March 2, 2001, 11:45 a.m. PT
http://news.cnet.com/news/0-1006-201-5005917-0.html?tag=prntfr


People who rely on passwords to keep strangers from poking through the
data stored on their Palms actually have no protection at all, a network
security company warns.

In an alert posted Thursday, @Stake pointed to a back door in the Palm
operating system that allows anyone with developer tools to access data
on handhelds that have been "locked" with a password.

If someone finds or steals a Palm, the owner's data is basically an open
book. And the theft of mobile devices for their data is becoming more
common.

"This is the nail in the coffin of the notion that the Palm has any
security for your data," said Chris Wysopal, director of research and
development for Cambridge, Mass.-based @Stake.

"Any attacker with a laptop and a serial (syncing) cable is pretty much
able to access everything on the device," he said.

Handspring's Visor handhelds and Sony's Clie use the Palm OS.

Palm representatives would not immediately comment on the advisory.

The security flaw is actually in the OS for a reason. Palm software
engineers and many of its application developers use the back door to
debug applications running on the handheld. Many of them do not consider
it to be a security issue, Wysopal said.

However, few people who use the devices realize that using a password
will keep only the casually curious from looking at their data.

For that reason, @Stake said, it released the warning.

"It's equivalent to adding a password to your PC's screensaver. "There's
no true security in that," said Wysopal, who is known in the security
community by his hacker handle, Weld Pond.

Last September, @Stake discovered that the encrypted password used by
Palm OS to protect so-called private records from prying eyes could
easily be broken. With the discovery of the latest back door, it would
seem that no data is safe.

With a laptop loaded with developer tools and a sync cable, anyone who
obtains access to a handheld can access the owner's data, add or delete
applications, and format the memory card.

Even Palm handhelds protected by encryption software could be
compromised by using the back door to load a program to record all
passwords as they are entered.

Wysopal warned that weak Palm security could lead to other compromises
as well.

"You have corporate administrators keeping their company's critical
passwords on their Palm because they think it is secure," he said.

The back door affects all current versions of the Palm OS, Wysopal said.
Palm OS 4.0, due later this year, is expected to correct the problem.

Yves Bellefeuille <yan@storm.ca>, Ottawa, Canada


Risks of laptop anti-theft devices

<Tony Yip <tonyy@chancery.com>>
Mon, 5 Mar 2001 12:01:30 -0800

Edited slightly from Burnaby Now, March 4, 2001, page 8.

	Nearly 300 people were evacuated from "the boot" (the phone
company's main office building) last Monday after an employee mistook a
computer's anti-theft device for a bomb.

	Spokesman said police were called to the company offices around 4:45
pm to investigate a small beeping object wrapped in tape that was left in
the men's washroom.

	Investigators examined the device and determined the little bundle
was nothing more than a loss prevention device removed from one of the
company's laptop computers.

	Police have since learned that when the device was removed,
frustrated employees tried to muffle its persistent alarm noise by wrapping
it in tape. When that effort proved fruitless, one of the workers stashed
the alarm in the washroom "for a little peace and quiet." "The guy walking
in there afterwards must have had some scare. Thankfully this wasn't the
real thing, but you should always be aware of your surroundings... you can
never be too careful."


Where does NAVSTAR say we are, again?

<James Paul <James.Paul@mail.house.gov>>
Fri, 2 Mar 2001 13:52:07 -0500

OS/COMET, top-secret U.S. computer-system source code for guiding
spacecraft, rockets, and satellites, has been obtained through an Internet
breakin at the U.S. Naval Research Laboratory in Washington D.C., traced to
a company in Stockholm and then to someone with username LEEIF (seemingly in
Germany) masquerading as a user of freebox.com.  This software is used in
NAVSTAR GPS monitoring.  [Source: Hacker gets hold of top secret U.S. space
codes, Reuters News Service, 2 Mar 2001; PGN-ed; see also
  http://www.washingtonpost.com/wp-dyn/articles/A16751-2001Mar2.html
  http://www.washingtonpost.com/wp-dyn/articles/A16751-2001Mar2.html ]


Beware assumptions about keyboard layouts...

<"Perry Pederson" <perandtim@home.com>>
Fri, 2 Mar 2001 08:30:00 -0800

I recently started a checking account at Hewlett-Packard's credit union, and
as part of the process of obtaining a VISA debit card attached to the
account, I needed to create a four digit PIN number for the card.  After the
card was initialized at the credit union, it failed to work at ATM machines,
giving me an "invalid PIN number" error.  I re-initialized the card three
different times with credit union personnel, to no avail.  Finally, after
several calls to the credit union's main office to determine why my PIN
wasn't taking, I noticed that the keypad that I used at the credit union to
set the PIN number had the rows appearing in the opposite order of a
"normal" PC keyboard-- the topmost row of keys had the numbers "123", the
second row "456", and the third row "789".  When I was generating my PIN, I
was automatically pressing keys that had the same pattern as an "old" PIN
that had I used at a previous bank without checking the numeric values
associated with the keys.  Once I entered the "correct" numbers, the card
worked fine at ATM machines.

The RISKs here should be obvious-- one should observe the input hardware
being used, regardless of how similar it may look to other input devices.


Re: On paper-size standards (Klossner, RISKS-21.25)

<Gideon Sheps <gbs@asiabondportal.com>>
Wed, 28 Feb 2001 10:40:31 +0800

> Other disparaging remarks, such as the "bizarre" way that we
> norteamericanos measure paper density, would perhaps be more compelling if
> they did not come from an island where everyone drives on the wrong side
> of the road.

I would be more inclined to be sympathetic if America wasn't the only
country in the world still using the "British Imperial Standard of Measure"
based on such sensible units such as the length of the King's foot or
distance from his thumb to nose with arm outstretched, some 225 years after
their revolution.

Further, the whole world hardly drives on the same side of the road as the
USA - in fact, as you might discover, the Brits are hardly alone. The
Japanese, as well as much of Asia, Australia, New Zealand, parts of Africa,
(e.g., S. Africa), and the Carribean (Bermuda, Bahamas, BVI...), also drive
on the right.

Given that India and Indonesia drive on the right, which roughly match China
for population, I'd say its a tight race for the question of who is really
on the wrong side.

Technically, the Brits are on the correct side of the road, as approaching
your opponent with your right hand free to hold the lance or sword is
preferential for the 85% of the population who are right handed.  (make that
Gun for Americans... one might ask how many fewer random drive-by shooting
victims might there be if they were firing with the right instead of left
hand and could aim better?).

I think the real risk here is that American schools don't prepare Americans
for life outside America.

G. Sheps (A "nortamericano" in Hong Kong)


REVIEW: "Tangled Web", Richard Power

<"Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca>>
Mon, 26 Feb 2001 08:25:15 -0800

BKTANGWB.RVW   20001027

"Tangled Web", Richard Power, 2000, 0-7897-2443-X,
U$25.00/C$37.95/UK#18.50
%A   Richard Power
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2000
%G   0-7897-2443-X
%I   Macmillan Computer Publishing (MCP)
%O   U$25.00/C$37.95/UK#18.50 800-858-7674 317-581-3743 www.mcp.com
%P   431 p.
%T   "Tangled Web: Tales of Digital Crime from the Shadows of
      Cyberspace"

This book gives a reasonably balanced review of the perception of security
experts in regard to the level of computer or communications involved crime
going on in our networked world.  That is because this is not so much a
book, as an extended compilation article.  Power reproduces interviews with,
or grabs quotations from the written works of, a great many forensic and
security specialists or researchers.  Very large chunks of the book are
taken from previously published works.

Note also that I say "balanced," and not "complete."

Part one appears to be intended as a general introduction to computer
related crime.  Chapter one is the usual statement that it goes on,
mercifully brief.  Despite an interview with Sarah Gordon and extensive
quoting from Donn Parker, chapter two's look at cybercriminals focuses
rather narrowly on the fact that people who do crimes aren't normal.  The
CSI (Computer Security Institute)/FBI Computer Crime and Security Survey is
introduced with many graphs and tables in chapter three.  The description
does mention, but doesn't emphasize, the fact that the survey was
self-selecting and self- reporting, and therefore only marginally more
informative than an opinion poll.  Chapter four tries to look at costs.

The title of part two seems to indicate a deeper analysis of criminals and
system breakers.  Chapter five touches on the infamous Operation Sundevil
(the law enforcement disaster that was the inspiration behind Bruce
Sterling's "The Hacker Crackdown," cf. BKHKRCRK.RVW), and the even more
infamous Morris Internet Worm: is Power trying to equate police activity
with system breaking?  Three penetration episodes that led to the arrest of
young crackers are described in chapter six.  Some stories of theft of
credit card numbers, bank fraud, and advanced phone phreaking are given in
chapter seven, but these are cobbled together from published interviews with
police, and have little technical background.  There is a little bit about
nuisances and vandalism, and a lot about distributed denial of service, in
chapter eight.  Chapter nine tells the stories of the Melissa and Love Bug
e-mail worms.  As with the earlier tales in the book, the material is
technically weak, and has other errors of fact as well.  (I exclude the
respective CERT advisories, which are reproduced in full.)

Part three is about spies and espionage.  However, chapter ten, which talks
about spies, doesn't really have anything to say about computer penetration.
The stories are all very terse mentions of spying culled from general news
reports.  The tales of insider fraud, in chapter eleven, vary in length and
don't really present any more than trivial information.  Infowar gets a mix
of anecdotes and speculation in chapter twelve.

Part four looks at personal attacks.  Both chapter thirteen, on identity
theft, and chapter fourteen, on child pornography, are short and oddly
unhelpful.

Part five turns to defensive activities.  Chapter fifteen concentrates on
where the security department should be on the corporate org chart.  Global
law enforcement recounts a few presentations by non-US law enforcement
people in chapter sixteen.  There are more details on US government security
offices and activities, in chapter seventeen, but not many.
Countermeasures, in chapter eighteen, is a "once over lightly" of the entire
security field.  The epilogue, entitled "The Human Factor," is vague.

If you haven't been paying any attention to computer security, this book is
a quick read that will get you a very rough idea of what is going on in the
areas of greatest concern to large corporations.  If it scares a few people
that will be all to the good: it certainly doesn't help you to start doing
anything about security.  Presumably it is the general public, with little
knowledge of computer security, that is the intended audience.  However, the
lack of structure and uneven quality and depth of information make it
difficult to know what those readers will take from this book.

If, of course, you have been paying any attention at all, this is pretty old
news.

copyright Robert M. Slade, 2001   BKTANGWB.RVW   20001027
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com

Please report problems with the web pages to the maintainer

Top