The RISKS Digest
Volume 21 Issue 29

Friday, 23rd March 2001

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Identity theft: Forbes-ing a head?
PGN
Indiana University penetration raises fears of identity theft
Keith A Rhodes
Serious new CA Drivers License ID RISK
Peter V. Cornell
Faulty radar prompts FAA inspections and remediations
Keith A Rhodes
Bogus Microsoft Corporation digital certificates from Verisign
Jeff Savit
Your PGP E-Hancock can be forged
Monty Solomon
Czech PGP flaw tech details
David Kennedy
Politically correct: DoE is slow to warn of computer virus
David Farber
Nokia cell phone trivially easy to unlock
Eric Hanchrow
Hacker sentenced to hacking
Jeremy Epstein
Government, school sites link to porn
Dave Stringer-Calvert
Yahoo! Mail translates attachments
Matt Curtin
Re: Air gaps
Fred Cohen
Re: MIT/Caltech voting study
Paul Terwilliger
German armed forces ban MS software, citing NSA snooping
Pete McVay
MS Word: Ohm, SaveAs Watt
Kevin Rolph
Workshop CfP: Security and Privacy in Digital Rights Management 2001
Tomas Sander
Info on RISKS (comp.risks)

Identity theft: Forbes-ing a head?

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 20 Mar 2001 11:26:58 PST

In RISKS, we have for many years been warning about the burgeoning increase
in identity theft.  The following case could foster a broader awareness of
the depth of the problem, but then again most folks still seem to have their
heads in the sand — unless they have already been burned.

Abraham Abdallah was arrested on 7 Mar 2001, a 32-year-old Brooklyn NY
high-school dropout working as a busboy, and already a convicted swindler.
Although he was arrested as he was picking up equipment for making bogus
credit cards, he is suspected of already having stolen millions of dollars.
In his possession were SSNs, addresses, and birthdates of 217 people whose
names appeared in a Forbes Magazine itemization of the 400 richest people in
the U.S.  He reportedly also had over 400 stolen credit-card numbers, and
had used computers in his local library to access of the Web for information
gathering.  He is being held on bail of $1M.  His activities were detected
after an e-mail request to transfer $10M from a Merrill Lynch account,
whereupon authorities found mailboxes he had rented in various names and
other evidence.  His defense attorney said Abdallah is innocent, and that
prosecutors had ``made an unfair leap from possession of this information to
an inference that there was an attempt to take money.''  [PGN-ed from a
variety of sources, including an AP item by Tom Hays
  http://www0.mercurycenter.com/premium/business/docs/forbes21.htm;
Thanks to Dave Stringer-Calvert and to Michael Perkins at Red Herring]


Indiana University penetration raises fears of identity theft

<"Keith A Rhodes" <RhodesK@GAO.GOV>>
Wed, 28 Feb 2001 10:19:34 -0500

A user browsing from Sweden stored music and video files on a server at
Indiana University that had apparently been left unprotected after a crash.
IU realized it had a problem when huge increases were noted in network
traffic.  In the process, they also noted that a file of over 3,100 student
names and SSNs had been copied from the server.  Associate Vice President
Perry Metz contacted the Social Security Administration about what might be
an appropriate reaction, and said that they told him ``it's unlikely and
unusual for someone who has your Social Security number to be able to do
anything with it.  Normally, financial institutions require additional
information.''  [Is that reassuring to RISKS readers?  Sources: Swedish
hacker breaches IU server; Culprit stored music, video files on system and
also downloaded private student data, AP item 28 Feb 2001, and article by
John Meunier, *Herald-Times*, 28 Feb 2001; PGN-ed]


Serious new CA Drivers License ID RISK

<"Peter V. Cornell" <pcornell@nanospace.com>>
Wed, 21 Mar 2001 16:03:12 -0800

This is really happening!

Almost exactly one decade ago Chris Hibbert posted a RISKS article
describing the (then) new California Drivers License (CDL). He gave a
warning to us all. That little piece is still on server:
  http://catless.ncl.ac.uk/Risks/11.03.html#subj10
[and has been updated by Chris since.  PGN]

That warning, given in 1991, has blossomed into a nightmare.

Recently, The California driver license and ID card have been declared as
PRIMARY IDENTIFICATION DOCUMENTS in this state by the California
legislature.

http://www.dmv.ca.gov/faq/dlfaq.htm#2504
http://www.lbl.gov/Workplace/HumanResources/irss/dmv.html

Guess why?  A great convenience for bankers, but enabling serious new ID
fraud RISKS based on easily obtained fake driver licenses and data.

http://www.fakeidsite.com/
http://www.photoidcards.com/
http://www.wdia.com/home-entrypage.htm
http://www.spyheadquarters.com/

Courtesy of the California legislature, *anyone* who has a fake California
drivers license with YOUR correct data, but with *his* picture and *his*
version of your signature, can steal your money in many different ways. For
example, if he knows your Social Security Number, bank, and account number,
(easily obtained online or by mail theft) he can walk into any branch office
and receive cash. Tens of thousands have been stolen from my (no longer
existent) Wells Fargo accounts.

I must be one of the very first victims of this new kind of identity
theft. I have been scouring the internet for months and have found no
mention of it. Of course there are gigabytes of stuff about the old credit
card scams, alive and still growing, but no mention of use of drivers
licenses to impersonate bank customers and withdraw cash directly.

With that fake drivers license, that fraudster becomes YOU.  All he need do
is write a bad check drawn on another bank's bogus name account set up for
that purpose, with the victim (you) as payee. He then walks into (in my
case) a Wells Fargo branch and, impersonating the victim, cashes the
check. When the check bounces, Wells Fargo (probably others, too) simply
debits the victims account.

The banking industry has arranged the law (California Commercial Code
Sections 4401-4407 and 3101-3119) to ensure that the customer takes the
hit. So that, among other conveniences, THE LAW allows banks to rely
*solely* on the CDL data to confirm the identity of a customer with no risk
exposure whatsoever. "IF THE CUSTOMER PROVES" means you must sue the
bank. They have it written so you'd lose anyway, but the amounts, however
painful, are not nearly enough to pay a lawyer. (See excerpts from the
California Commercial Code below.)

So, with my CDL data in circulation, if I want to keep a checking account, I
must change banks regularly. There are at least two fraud artists still
using my ID.

The banks DO check your CDL number as well as date of birth at the teller
window. But there is no possible way to change any of my drivers license
data. The California Department of Motor Vehicles (DMV) web site says to go
to a local office to change your drivers license number. That just plain
doesn't work. Many of the items on their ID Theft page simply do not work in
actual practice. It *looks* pretty.

http://caag.state.ca.us/identity.htm

The DMV local says they'll replace your picture ID with one that has no
picture while your request is being processed which may take
months. Impossible! They also require a letter from the bank. But none of
the Wells Fargo's "headsets" (customer service phone reps) or "robots"
(branch employees) are able or willing to do that. They'll give you forms to
fill out which are totally inadequate for this new kind of ID fraud. Bank
customers are thus denied any access to the bank officers responsible and
accountable for bank policy.

Bankers have their political money well spent. With their
credit cards, computers, headsets and robots, their ethics,
"good faith" and accountability were abandoned long ago.

Peter V Cornell <pcornell@nanospace.com>

 - - - -

CALIFORNIA CODES COMMERCIAL CODE SECTION 4406 [excerpted]

   (d) (2) The customer's unauthorized signature or alteration by the same
wrongdoer on ANY OTHER ITEM paid in good faith by the bank if the payment
was made before the bank received notice from the customer of the
unauthorized signature or alteration and after the customer had been
afforded a reasonable period of time, NOT EXCEEDING 30 DAYS, in which to
examine the item or statement of account and notify the bank.

    (e) If subdivision (d) applies and the CUSTOMER PROVES that the bank
failed to exercise ORDINARY CARE in paying the item and that the failure
contributed to loss, the loss is allocated between the customer precluded
and the bank asserting the preclusion according to the extent to which the
failure of the customer to comply with subdivision (c) and the failure of
the bank to exercise ORDINARY CARE contributed to the loss.  IF THE CUSTOMER
PROVES that the bank did not pay the item in good faith, the preclusion
under subdivision (d) does not apply.

CALIFORNIA CODES COMMERCIAL CODE SECTION 3103.
   (a) (7) ORDINARY CARE "... in the case of a bank that takes an instrument
for processing for collection or payment by automated means, reasonable
commercial standards DO NOT REQUIRE THE BANK TO EXAMINE THE INSTRUMENT..."

(To see the complete text of the above California Commercial Code Sections,
go to http://www.leginfo.ca.gov/calaw.html Check the "Commercial Code" box,
enter keyword "4401", then click search.)


Faulty radar prompts FAA inspections and remediations

<"Keith A Rhodes" <RhodesK@GAO.GOV>>
Mon, 19 Mar 2001 07:32:49 -0500

The ASR-9 radar system in use at 134 major U.S. commercial and military
airports has recently had some serious mechanical failures — notably in
Boston on 22 Apr 2000 and NY's JFK on 17 Dec 2000.  The Federal Aviation
Administration ordered an inspection, which detected 23 further cases of
similar problems.  17 had the same problem that Boston had — stripped
rivets in the support assembly.  The other 6 had the JFK problem — a
stripped jackscrew assembly for positioning the antenna.  Various remedial
actions are underway to hopefully prevent future collapses, with an
estimated total cost of $22 million.  [Source: Problems at 23 Installations
Are Linked to Support Stands or Tilt Mechanisms, Don Phillips, *The
Washington Post*, 19 Mar 2001, A02; PGN-ed]
  http://www.washingtonpost.com/wp-dyn/articles/A23566-2001Mar18.html


Bogus Microsoft Corporation digital certificates from Verisign

<Jeff Savit <Jeff.Savit@Sun.COM>>
Thu, 22 Mar 2001 17:12:06 -0500

Spoofing hazard: Verisign gave digital certificates under Microsoft name to
an individual not from Microsoft. Microsoft issued a bulletin at
  http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
that describes the risk of running code that erroneously appears to be
signed by Microsoft (eg: ActiveX controls), and discusses the risks due to
not having a proper revocation mechanism.

Note that the certs were made available January 30th, so who knows what code
has been accepted and executed since then.  Microsoft is a victim in this
particular instance.

Jeff Savit, Sun Microsystems  1-201/498-8306  Jeff.Savit@sun.com

  [Noted by quite a few RISKS contributors.  Many thanks!  PGN]


Your PGP E-Hancock can be forged

<Monty Solomon <monty@roscom.com>>
Wed, 21 Mar 2001 17:09:00 -0500

A Czech information security firm has found a flaw in Pretty Good Privacy
that permits digital signatures to be forged in some situations.  Phil
Zimmermann, the PGP inventor who's now the director of the OpenPGP
Consortium, said that he and a Network Associates (NETA) engineer verified
that the vulnerability exists.

http://www.wired.com/news/politics/0,1283,42553,00.html


Czech PGP flaw tech details

<David Kennedy CISSP <david.kennedy@acm.org>>
Thu, 22 Mar 2001 18:23:24 -0500

The promised technical paper is at:
  http://www.i.cz/en/pdf/openPGP_attack_ENGvktr.pdf (PDF, 100 KB)

"The attack to private signature keys in OpenPGP format, PGPTM
program and other OpenPGP based applications" here.
  http://www.i.cz/pdf/pgp/OpenPGP_Attack_ENGfinal.ppt (PPT, 81 kB)

ICZ's scientists' reactions to criticism and FAQ
  http://www.i.cz/en/onas/ohlasy.html

[...]

Hal Finney has a succinct analysis posted to the Open-PGP list
archived at:
  http://www.imc.org/ietf-openpgp/mail-archive/msg04767.html

My summary of Hal's analysis:
1.  Attackers have to diddle the secret key.
2.  Does *not* work with commercial PGP 7.0.3 w/RSA keys (unknown
    about earlier).
3.  Does work with all DSA keys and RSA keys in GPG.

Dave Kennedy CISSP Director of Research Services TruSecure Corp.
http://www.trusecure.com

  [Debate rages over whether this is a realistic attack.  Once again, the
  vulnerability of underlying operating systems and the presence of
  subvertible networked resources makes such attacks easier.  PGN]


Politically correct: DoE is slow to warn of computer virus

<David Farber <dave@farber.net>>
Sun, 18 Mar 2001 9:36:24 PST

  The "Naked Wife" virus was already wreaking havoc, but when DoE
  headquarters set out to warn the troops, the politically correct DoE
  software balked at the word "naked."  WN has been told that it took
  several hours before the warning could be passed on.

[From Dave's IP.  For archives, see: http://www.interesting-people.org/]


Nokia cell phone trivially easy to unlock

<Eric Hanchrow <offby1@blarg.net>>
20 Mar 2001 10:04:50 -0800

My cell phone — a Nokia 8260 — has lots of information in it that I
wouldn't want divulged.  Examples: phone numbers of friends, my calling-card
number, a detailed record of all the calls, text messages, and e-mail
messages that I've made or received.  And, of course, I certainly wouldn't
want anyone who got hold of my phone to be able to place calls with it, thus
forcing me to pay for them.

Until recently, I assumed that the phone's "lock" feature would indeed
protect the information and prevent unauthorized use.  However, I now
believe that that feature is close to worthless.

Here's how it's supposed to work:

The phone stores two secret numbers, which act essentially as keys.  One
number, called the "security code", is like a master key, in that if you
know this number, you don't need the other; the other, called the "lock
code", is like a regular key.  You can set the phone up to "lock" itself as
soon as you turn it off.  This means that, the next time you turn it on, the
phone will be unable to place calls until you enter the lock code.  Thus the
lock code appears to protect the information — you can't poke around in the
phone's menu system to read the information while the phone is locked — and
to protect against unauthorized use, since you can't place calls while the
phone is locked.

Now, there's a handy feature built into the phone that will save you if
you've forgotten the lock code, but still remember the security code: merely
enter the wrong lock code five times in a row, and the phone will then ask
for the security code.  Once you enter the security code, the phone unlocks,
and you can then change the lock code to something you will remember.  So if
you know the security code, you don't need the lock code.

Surely, you can see where I'm headed: I've discovered that it's trivially
easy to find out the phone's security code, even if you don't know the lock
code, even if the phone is locked.  All you need to do is turn the phone on,
enter a magic string of digits and symbols (which I won't divulge here, but
which is *very easy* to find on the web), and then scroll through an
undocumented menu hierarchy until you find a menu called "security".  Once
you select that menu, the phone displays its security code.  You then turn
the phone off and on, enter the wrong lock code five times in a row, enter
the security code when prompted, and the phone is now yours.


Hacker sentenced to hacking

<"Jeremy Epstein" <jepstein@webmethods.com>>
Fri, 16 Mar 2001 15:48:46 -0500

A teenager who was convicted of defacing Web sites must serve a sentence
that includes programming the jail's computers (see
  http://www.usatoday.com/life/cyber/tech/2001-03-09-coolio.htm).
Talk about putting the fox in charge of the henhouse!  What's going to
happen when he puts in some backdoors to change the behavior of the system
to better suit his needs?  Who will be able to correct the problems
introduced this way?

--Jeremy

  [We noted a case 15 years ago of a prisoner gaining access to the prison
  information system to change his release date, plus three cases of bogus
  release messages.  PGN]


Government, school sites link to porn

<Dave Stringer-Calvert <dave_sc@csl.sri.com>>
Fri, 23 Mar 2001 08:42:19 -0800

Farmers and gardeners around the country looking for growing tips from
university research centers are currently being pointed to pornography
instead.  Hundreds of university and government Web sites including the
U.S. Department of Agriculture are linking to the porn site, which has taken
over the domain of an important agricultural resource center.  The
university that runs the site blames bad record keeping at Network
Solutions, which maintains part of the Internet's domain names system.

http://www.msnbc.com/news/547652.asp


Yahoo! Mail translates attachments (Re: Frankston: RISKS-21.27)

<Matt Curtin <cmcurtin@interhack.net>>
16 Mar 2001 09:59:23 -0500

> http://www.zdnet.com/zdhelp/stories/main/0,5594,2631218,00.html

Unfortunately, ZDNet has chosen not to put its story on a single page; the
two paragraphs at the cited URL are just the introduction; one must click
through the rest of the story.  Therein, we learn what's happening.

One example of translation is instances of "expression" being changed to
"statement".  It appears that the translation — RISKy as it could be — is
itself a "feature" to minimize risk.  Namely, the risk of malicious
JavaScript or ActiveX code.

There are a lot of issues raised by this; unfortunately none of the raised
issues is new.  It's not hard to argue that using the web (built atop the
stateless protocol HTTP, rife with lots of potential for leaky channels of
communication and therefore privacy problems) for email is the Wrong Thing
to do.

It seems to me that translation of words that could potentially be read by
an eager JavaScript interpreter fails to follow mom's maxim: two wrongs
don't make a right.

Matt Curtin, Founder   Interhack Corporation   http://www.interhack.net/


Re: Air gaps (Jaffe, RISKS-21.27)

<Fred Cohen <fc@all.net>>
Fri, 16 Mar 2001 06:50:48 -0800 (PST)

It's hard to believe that people in the 'security business' who have
claims that are so unworthy of trust can continue to exist.

Of course all systems have covert channels - after all, it is the wave
nature of matter and energy - and yet an air gape is supposed to mean that
there is literally no connection between the components other than the one
afforded by subatomic forces acting over a distance across the 'air gap'.
The distance across of the air gap then leads to the signal strength across
the distance and we can calculate how far away things need to be to have
very nearly zero chance of passing a digital level signal.

But the term "air gap" is fraudulent as used in these product claims.  That
are nothing like air gaps.  They are in fact directly connected systems with
wires between them and no air gap at all.

  Being able to remotely send an email that causes the introduction of
  software that gets into the 'inside' and sends results back to the
  'outside', even if not instantaneously.

Is very very different from

  Being able to induce current in a proximate system by getting close enough
  to it to create the proper fields and having a sensitive enough
  specialized piece of electronics gear there to detect the changes in
  signal strength returning from the other side.

Mr. Jaffe may wish to minimize this difference through rhetoric, but I do
not think it is accurate to do so.

Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
Fred Cohen & Associates: http://all.net - fc@all.net - tel/fax:925-454-0171
Fred Cohen - Practitioner in Residence - The University of New Haven


Re: MIT/Caltech voting study (PGN, RISKS-21.28)

<Paul Terwilliger <pault@gsinet.net>>
Wed, 21 Mar 2001 20:06:21 -0500

In RISKS-21.28, PGN commented after a writeup about the NSF study of
internet voting:

>   [These results are rather similar to the findings of the California
>   commission.  Interested readers should also dig up the recent Caltech/MIT
>   report, which states that lever machines, hand-counted paper ballots, and
>   optically scanned ballots are all significantly more accurate than
>   direct-recording voting machines (DREs) and Internet voting schemes.  PGN]

The MIT/Caltech voting technology project's *preliminary* report, available
at http://www.vote.caltech.edu/Reports/report1.pdf, studies the "residual
vote", which is defined in this context as the difference between the number
of voters who sign-in (the turnout), and the total votes cast for president.

This report did indeed conclude that lever machines and hand-counted ballot
jurisdictions had the lowest average residual vote (1.8% and 2.0%,
respectively), and DRE (3.0%) one of the highest.  Internet voting was not
studied.

Are the differences statistically significant?  I do not know.

Are there external factors at work?  It would seem likely.  Ballot design
can be logical or confusing - doesn't matter what type of technology is
being used!  Introduction of new systems may cause confusion.  Heavy turnout
and long lines may cause voters to walk out after signing in.

Or there could be problems with a particular system or technology.

However, it is a long stretch to take the conclusions of this study and make
claims that one system is "significantly more accurate" than another.

Paul Terwilliger, Sequoia Voting Systems


German armed forces ban MS software, citing NSA snooping

<"Pete McVay" <pmcvay@tiac.net>>
Mon, 19 Mar 2001 05:58:36 -0500

The German foreign office and Bundeswehr are pulling the plugs on Microsoft
software, citing security concerns, according to the German news magazine
*Der Spiegel*, which claims that German security authorities suspect that
the US National Security Agency (NSA) has 'back door' access to Microsoft
source code, and can therefore easily read the Federal Republic's deepest
secrets.  The Bundeswehr will no longer use American software (we surmise
this includes Larry and Scott as well) on computers used in sensitive areas.
The German foreign office has meanwhile put plans for videoconferencing with
its overseas embassies on hold, for similar reasons.  Undersecretary of
State Gunter Pleuger is said by *Der Spiegel* to have discovered that "for
technical reasons" the satellite service that was to be used was routed via
Denver, Colorado.

According to a colleague of Pleuger, this meant that the German foreign
services "might as well hold our conferences directly in Langley." We're not
entirely sure whose interesting video conferencing via satellite service has
a vital groundstation in Denver, but we note that Pleuger seems to have
gleaned this information from a presentation held earlier this month in
Berlin by, er, Deutsche Telekom.  Which just happens, along with Siemens, to
have picked up the gig.  The two companies have supplanted Microsoft (and
anything else American) and will be producing a secure, home-grown system
that the German military can be confident in.

  [From an article by John Lettice in *The Register*, 17 Mar 2001,
  German armed forces ban MS software, citing NSA snooping
  http://www.theregister.co.uk/content/4/17679.html]


MS Word: Ohm, SaveAs Watt

<Kevin Rolph <kevin@kgames.demon.co.uk>>
Wed, 21 Mar 2001 21:38:03 +0000

Reviewing an intranet document the other day, I was puzzled to see
electrical resistances given in kilowatts!

I'd created the document from a Word document using save-as HTML and it had
automagically converted the Omega symbols into 'W's (and not to mention
'tick's into 'v's).

I recall seeing a passing generic warning about symbols but as I had used a
club / clover-leaf symbol as a marker elsewhere I'd assumed it meant that.
It didn't actually say *which* symbols it was bothered about.

Kevin Rolph, Cambridge, UK

  [Thanks for that one.  It is a real joule.  How about omegawatts?  PGN]


Workshop CfP: Security and Privacy in Digital Rights Management 2001

<Tomas Sander <sander@intertrust.com>>
Thu, 15 Mar 2001 15:39:33 -0800

  [Excerpted for RISKS.  Looks like a really interesting workshop.
  For full CfP see the workshop Web site:
     http://www.star-lab.com/sander/spdrm/
  PGN]

		            CALL FOR PAPERS
  WORKSHOP ON SECURITY AND PRIVACY IN DIGITAL RIGHTS MANAGEMENT 2001
          Philadelphia, Pennsylvania, USA, 5 November 2001

      held as part of the Eighth ACM Conference on Computer and
                  Communications Security (CCS-8)

This workshop will consider technical problems faced by rights holders (who
seek to protect their intellectual property rights) and end consumers (who
seek to protect their privacy and to preserve access they now enjoy in
traditional media under existing copyright law).  Submissions are due
3 Aug 2001.  Program Chair Tomas Sander, InterTrust STAR Lab,
sander@intertrust.com,  +1-408-855 0242

Please report problems with the web pages to the maintainer

x
Top