The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 58

Thursday 9 August 2001

Contents

Half of Norway's banks offline for a week: erroneous keystroke
Nicolai Langfeldt
Danish police break "Safeguard" encryption program in tax case
Bo Elkjaer and Jay D. Dyson via Declan McCullagh
E-Divorce banned in Singapore
Dave Stringer-Calvert
Omron uses GPS to catch a car thief
Monty Solomon
Corrupt Michigan cops abuse police database to stalk, harass
Ed Walker via Declan McCullagh
OT: rot13, practical uses of
Joe Manfre
GA scholarship info exposed
Rachel Slatkin
DoCoMo and thttpd: i-mode DDoS attack!
Jef Poskanzer via Dug Song
Low-grade cryptography
Gene Wirchenko
Automated traffic-camera system has flaws
Dave Kinswa
Risks of the Passport Single Signon Protocol
Monty Solomon
Hotmail catches Code Red
Brian McWilliams via Dave Farber
Toll Road Transponders used to steal food at McDonald's
Arthur Kimes
More Adobe plastering
Peter Wayner
Re: WinXP blocks some versions of some programs
Michael Loftis
Workshop on Trustworthy Elections
David Chaum
REVIEW: "Computer Security Handbook", Hutt/Bosworth/Hoyt
Rob Slade
Info on RISKS (comp.risks)

Half of Norway's banks offline for a week: erroneous keystroke

<Nicolai Langfeldt <janl@linpro.no>>
Tue, 07 Aug 2001 13:50:31 +0200

  http://www.digitoday.no/dtno.nsf/pub/dd20010807092448_er_28707255
(in Norwegian)

This is a mix of abstracting the above article and whatever has been on the
news the last few days, and one or two of my own comments:

EDB Fellesdata AS runs the computer services of about half of Norway's
banks.  On Thursday 2 Aug 2001, they apparently installed about 280 disks in
their Hitachi storage.  Then, instead of initializing the new disks, they
initalized _all_ their disks -- thereby wiping out the entire warehouse.
EDB Fellesdata itself declines to make any statements in the case pending
further contact with their customers, the banks.  They are considering
lawsuits, but if one of their own employees made a "user error", they may
have a hard time of it.

Talk about a lot of eggs in one basket, one can only imagine how many
terrabytes of database this is, considering the number of disks, and how
long it takes to restore from backup, and how many transactions were waiting
to be processed from _other_ banks once the restore is done.  Apparently the
computers were running by Sunday, card services and ATMs were available on
Monday, but Internet banking and automatic-phone-banking access is limited.
They have announced that updated account balances will not be available
until Wednesday, the 7th day after the mishap.  The concerned banks'
customers could pay their bills by visiting a local branch office the whole
time, but apparently the transactions had not been processed because
creditors have been warned that money may be late in arriving (but
presumably retro-credited once the transaction is processed?).

Some information gotten from the only available statement from EDB
Fellesdata at
  http://www.edb.fellesdata.no/edb/nyheter/2001/06_08_driftstans.asp,
also Norwegian.


Danish police break "Safeguard" encryption program in tax case

<Declan McCullagh <declan@well.com>>
Thu, 9 Aug 2001 11:24:35 -0400

  [From the cryptography mailing list. --Declan; lightly-PGN-ed for RISKS]

> Date: Tue, 7 Aug 2001 22:51:08 +0200
> From: bo.elkjaer@eb.dk
> Subject: Utimacos Safeguard Easy broken by Danish police in tax evasion case

> The German encryption program Safeguard Easy has been broken by the Danish
> police. Today the police from the city Holstebro in Jutland presented
> evidence in court, that was provided after breaking the encryption on five
> out of sixteen computers that where seized april 25 this year.

> All 16 computers were protected with Safeguard Easy from the german
> encryption provider Utimaco. It is not known whether DES, 128-bit IDEA,
> Blowfish or Stealth was used as algorithm on the computers. All four
> algorithms are built in Safeguard Easy. Details are sparse. It is not
> known how the encryption was broken, whether it was brute forced or flaws
> in the program was exploited.

> The computers where seized from the humanitarian (leftwing) foundation
> Tvind (Humana) in connection with a case about tax evasion. Among the
> evidence provided from the encrypted computers were e-mails sent among the
> leaders of the foundation, Poul Jorgensen and Mogens Amdi Petersen
> describing transfers of large sums of money.

> Apparently, but not confirmed, British Scotland Yard has been involved in
> breaking the encryption. The Danish police doesn't have the capacity to
> break encryption by themselves. Neither has the Danish civilian
> intelligence service. Routine is that cases concerning encryption is
> handed over to the Danish defence intelligence service DDIS. This
> procedure has been described earlier this year by the Danish minister of
> justice in connection with another case. DDIS denies involvement with the
> Tvind case.

> Employees and leaders at Tvind has denied handing over their passwords to
> the computers. One even wrote a public letter mocking the chief of police
> in Holstebro, describing how he changed his password weekly, and stating
> that he'd probably even forgotten his password by now. At a time, the
> police considered putting employees in custody until passwords were handed
> over.

> Bo Elkjaer, Denmark

  [followed by a response]

> Date: Tue, 7 Aug 2001 16:25:03 -0700 (PDT)
> From: "Jay D. Dyson" <jdyson@treachery.net>
> Subject: Re: Utimacos Safeguard Easy broken by Danish police in tax evasion case

> If the OS used was Windows, it's quite likely that the plaintext and/or
> passphrases were recovered in the Windows swap file.  Barring OS
> considerations, it's also possible that the police put a keystroke logger
> on the system, just as the FBI here in the States did with an organized
> crime suspect.

> My gut sense is that, since only five of sixteen systems were "cracked,"
> it seems likely that it was the swap file that let the cat out of the bag.
> Even so, a flaw in the cryptosystem should be investigated and proven or
> ruled out.

> Let us not also forget that people can be pressured to divulge
> passphrases.  Rubber-hose cryptanalysis isn't just a humorous concept.

> Jay D. Dyson - jdyson@treachery.net

FROM POLITECH -- Declan McCullagh's politics and technology mailing list
You may redistribute this message freely if you include this notice.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/


E-Divorce banned in Singapore

<Dave Stringer-Calvert <dave_sc@csl.sri.com>>
Wed, 08 Aug 2001 20:36:36 -0700

SMS (short-text messaging) enables short messages from one cell phone to
another. Muslim authorities had previously permitted men to divorce their
wives by SMS.  In April to June 2001, 16 divorces were so reported.
However, now the Islamic Religious Council of Singapore (MUIS), the Syariah
Court and the Registry of Muslim Marriages are "unanimous in their view that
divorce through SMS is unacceptable. ... Only a judge can confirm a divorce
after deciding that there is merit in the complaint filed by the couple with
the Syariah Court."  [Source: Singapore bans text-message divorce, CNET
News.com, 8 Aug 2001; PGNed without comment]
  <http://news.cnet.com/news/0-1005-200-6815505.html>


Omron uses GPS to catch a car thief

<Monty Solomon <monty@roscom.com>
Mon, 6 Aug 2001 01:55:35 -0400

Omron Corp. plans to deliver your stolen car, and the wretched villain
inside it, right to the nearest koban (Japanese police box).  "Imagine that
someone steals your car, and a network of sensors in the vehicle knows the
person driving is not the right person. So using its GPS, it makes the car
stop outside the nearest koban and locks the driver inside. This is what I
imagine, this is the next stage," said Shin'ichi Mukaigawa, an engineer at
Omron's business incubation center, who has designed the basic elements for
such a system.  [Source: article by Paul Kallender, *EE Times*, 12 Jun 2001,
  http://www.eetimes.com/story/technology/OEG20010612S0059]

  [Quite few of you noted this item.  OCSchwar@MIT.edu added:
    How RISKy.  How lovely. Hijack someone's car using this system,
    park it next to an empty koban, and let the Yakuza do their thing.
  PGN]


Corrupt Michigan cops abuse police database to stalk, harass

<Declan McCullagh <declan@well.com>>
Sun, 05 Aug 2001 11:59:48 -0400

[According to the third Detroit Free Press story, a cop who stalked a woman
using his access to police databases was "suspended for a day without pay."
That'll teach 'em! --Declan]  [FROM POLITECH]

> Date: Sat, 04 Aug 2001 02:08:36
> From: "Ed Walker" <ed_walker@hotmail.com>
> Subject: Michigan cops abusing database

> www.governing.com/news had a link to a freep article that may be of
> interest to politechnicals.  The first two links are the story, and the
> third is an account of a truly creepy cop stalking someone he met while on
> duty.

> Michigan Newspaper: Police Abuse Database Police throughout Michigan,
> entrusted with the personal and confidential information in a state law
> enforcement database, have used it to stalk women, threaten motorists and
> settle scores. Over the past five years, more than 90 Michigan police
> officers, dispatchers, federal agents and security guards have abused the
> Law Enforcement Information Network, according to a Detroit Free Press
> examination of LEIN records and police reports.  More: Detroit Free Press
> http://www.freep.com/news/mich/lein31_20010731.htm
> http://www.freep.com/news/mich/lein1_20010801.htm
> http://www.freep.com/news/mich/amber31_20010731.htm

> Ed Walker


<manfre@flash.net (Joe Manfre)>
7 Aug 2001 20:23:21 GMT
Subject: OT: rot13, practical uses of

  [Contributed by Mark Brader.  PGN]

Recently there has been some discussion on AUE of the many fascinating
ways in which the venerable letter-substitution scheme called "rot13"
can be used.  Well, this article may be of some interest:

  http://www.zdnet.com/zdnn/stories/comment/0,5859,2800985,00.html

It deals with a certain Russian cryptanalyst who has been jailed for
cracking and exposing the encryption schemes that some electronic book
publishers use to protect their copyrighted properties.  Turns out that one
publisher of industrial reports was using rot13 to protect its valuable (to
the tune of $3,000 a pop) works.

Joe Manfre, Hyattsville, Maryland.


GA scholarship info exposed

<Rachel Slatkin <rslatkin@pobox.com>>
Wed, 8 Aug 2001 09:25:03 -0400

Computer passwords and personal information about participants in Georgia's
HOPE scholarship program were inadvertently exposed on the web as early as
December 2000. The information was apparently cached by several search
engines, including Google. From the *Atlanta Journal Constitution*, 8 Aug
2001, "State staff may feel byte from hackers":

  "Last Nov. 14, he said, a member of the agency's technical staff
  copied a file onto the HOPE computer system that prevents
  Internet search engines from indexing the system's contents.

  But another program in the system deletes unused files after 30
  days, Newsome said. So about Dec. 15, the security file was
  wiped out, exposing other files."

It's not clear what "security file" was accidentally removed. The news
articles I've read about this have not named the file. I'm guessing it was
either robots.txt or .htaccess, hopefully the latter.

Many system administrators have discovered the risks of deleting "unused"
files without being sure of their purpose. Having the procedure happen
automatically compounds the problem.

Rachel Slatkin  rslatkin@pobox.com  http://pobox.com/~rslatkin/


DoCoMo and thttpd: i-mode DDoS attack!

<Dug Song <dugsong@arbor.net>>
Thu, 2 Aug 2001 20:06:05 -0400

Poor jef has become the victim of his own success (and DoCoMo's)!
Perhaps this qualifies as the first cellphone-based (i-mode)
distributed denial-of-service attack? :-/
Dug Song, Security Architect, Arbor Networks, Inc.

  Date: Thu, 02 Aug 2001 11:22:14 -0700
 >From: Jef Poskanzer <jef@acme.com>
  To: thttpd@bomb.acme.com
  Subject: [THTTPD] DoCoMo and thttpd

  Hey, is anyone on the list familiar with DoCoMo?  Apparently it's a type
  of cell-phone / web browser device from Japan.  I have suddenly started
  getting a [whole] lot of hits to http://www.acme.com/software/thttpd/ with
  various versions of DoCoMo in the user-agent field.  Unfortunately the
  referrer field is blank, which makes it difficult to figure out why this is
  happening.  Current working theory is that some server run by the DoCoMo
  company switched over to using thttpd, and I'm getting the usual spillover
  from any 404 pages on their site.  I've seen this effect before with large
  ISPs, but never with such a high volume of hits.  My bandwidth is pegged
  to the throttle right now, and they're not even fetching the inline images
  (which by the way means I'm not getting any ad impressions from these
  hits, which is somewhat annoying).  [...]
  Jef Poskanzer  jef@acme.com  http://www.acme.com/jef/


Low-Grade Cryptography

<Gene Wirchenko <genew@shuswap.net>>
Tue, 07 Aug 2001 22:31:48 -0700

  DMCA and encryption is discussed in this article:
    http://www.zdnet.com/zdnn/stories/comment/0,5859,2800985,00.html

My favourite part: "Publishers encrypt their books to prevent them from
being read by anyone except the registered owner... they hope. But it turns
out that the encryption software of at least two manufacturers is so weak
that it can be broken instantly. One publisher, Sklyarov found, uses a
cypher called rot13 ...".   [Doggedly rot-wily?  PGN]


Automated traffic-camera system has flaws

<dAVe <kinswa@mail.com>>
Sun, 05 Aug 2001 12:03:57 -0700

>From the Seattle Times:
http://seattletimes.nwsource.com/html/localnews/134326067_trafficam05m.html

It was not the kind of "Kodak moment" the city of Lakewood hoped for.  Its
high-tech traffic camera had just nabbed Cyn Mason for doing 38 in a 30-mph
zone. The camera captured the license plate on the Tacoma woman's car as it
sped through a school zone June 8. Or so it seemed.

After receiving a notice, a thumbnail copy of the incriminating image and a
demand for $71, Mason put pen to paper:

"This is my sworn statement, under penalty of perjury, that your system
cannot distinguish between the sporty coupe shown in the ticket picture, and
the Honda CR-V sport-utility vehicle that I drive. In other words, I swear
that you have the wrong car, since the one shown in the ticket is not my
vehicle. Is this sufficient to correct your error, or would you like me to
swear at you some more?"


Risks of the Passport Single Signon Protocol

<Monty Solomon <monty@roscom.com>>
Mon, 6 Aug 2001 22:35:53 -0400

David P. Kormann and Aviel D. Rubin,
Risks of the Passport Single Signon Protocol,
IEEE Computer Networks, volume 33, pages 51-58, 2000.

David P. Kormann and Aviel D. Rubin
AT&T Labs - Research
180 Park Avenue
Florham Park, NJ 07932
{davek,rubin}@research.att.com
http://avirubin.com/passport.html

Abstract: Passport is a protocol that enables users to sign onto many
different merchants' web pages by authenticating themselves only once to a
common server. This is important because users tend to pick poor (guessable)
user names and passwords and to repeat them at different sites. Passport is
notable as it is being very widely deployed by Microsoft. At the time of
this writing, Passport boasts 40 million consumers and more than 400
authentications per second on average. We examine the Passport single signon
protocol, and identify several risks and attacks. We discuss a flaw that we
discovered in the interaction of Passport and Netscape browsers that leaves
a user logged in while informing him that he has successfully logged out.
Finally, we suggest several areas of improvement.


Hotmail catches Code Red (via Dave Farber's IP)

<Brian McWilliams <brian@pc-radio.com>>
Wed, 08 Aug 2001 18:01:34 -0400

  [From Dave Farber's IP: http://www.interesting-people.org/ ]

Microsoft's Hotmail Is Red Hot From Worm

Several systems hosting the MSN Hotmail service have been infected by
variants of the Code Red worm, Microsoft has confirmed.

http://www.newsbytes.com/news/01/168837.html


Toll Road Transponders used to steal food at McDonald's (Re: R-21.43)

<Arthur Kimes <artki@netzero.net>>
Thu, 02 Aug 2001 19:32:39 -0700

> McDonald's customers will wave the "Speedpass" ... at a drive-through window
(also see RISKS-21.46 and 21.49)

Some toll roads in Orange County, California, do use those transponders (not
the Mobil "speedpass") and local McDonald's have been accepting those as
payment since April 2000.  Since then, according to the Transportation
Corridor Agencies, there has been $4,000 in charges for food at McDonald's
using stolen transponders.  [Source: *Los Angeles Times*, 23 Jul 2001]


More Adobe plastering (Re: Maggard, RISKS-21.56)

<Peter Wayner <pcw@flyzone.com>>
Fri, 3 Aug 2001 09:10:36 -0400

In RISKS-21.56, Michael Maggard writes, "...Adobe has been installing a
mysterious file of their own that regularly 'calls home' for reasons
unknown."

Perhaps this kind of reporting software is necessary, but it may be the
reason why I'm slowly giving up on Adobe products. My version of InDesign
crashes frequently. My version of ImageReady has the strangest bug. If my
system has been up for a bit, ImageReady refuses to run. If I reboot, it's
fine. I suspect this has something to do with the quick blip of the network
access LED on the router that flickers just after starting up. Maybe that
little phone-home program doesn't say the right thing to ImageReady. I
thought about complaining or investigating, but I decided that making the
transition to GIMP is simpler.

This topic has been on my mind while I've been working on creating simple
watermarks for a pay-per-copy experiment. (See
http://www.flyzone.com/satstory/ or just end $.75 to satstory@flyzone.com
for a copy of a story on DirecTV hacking) I considered complicated
encryption mechanisms and gave up. The complexity took too long to develop
and excluded too many legitimate customers. In the end, I just insert the
purchaser's name in the file on the way out the door.

This kind of watermark may be easy to defeat, but that has
advantages. First, bright kids get no boost from hacking the system.  It's
trivial. But it is still complex enough to require someone to take a
positive step to defeat it. If they can live with themselves, well, they'll
get enough punishment. Finally, there is no complexity to crash systems and
drive users nuts.


Re: WinXP blocks some versions of some programs (Griffin, RISKS 21.57)

<Michael Loftis <mloftis@wgops.com>>
Tue, 07 Aug 2001 20:33:15 -0700

They're blocking drivers because too many vendors have been implementing bad
code in their drivers.


Workshop on Trustworthy Elections

<David Chaum <david@chaum.com>>
Wed, 08 Aug 2001 14:23:15 -0700

26-29 August 2001, Tomales Bay, California: WOTE (Workshop on Trustworthy
Elections) is a small research-oriented workshop devoted to advancing
technologies for election integrity and ballot secrecy, organized by David
Chaum and Ronald L. Rivest.  Topics include: Cryptographic protocols,
computer security, audit, operational procedures, certification,
tamper-resistance, document security, integrity, ballot secrecy, voter
authentication, all as related to trustworthy elections.
http://www.vote.caltech.edu/wote01/index.html


REVIEW: "Computer Security Handbook", Hutt/Bosworth/Hoyt

<Rob Slade <rslade@sprint.ca>>
Tue, 7 Aug 2001 11:07:47 -0800

BKCMSCHB.RVW   20010530

"Computer Security Handbook", 1995, Arthur E. Hutt/Seymour Bosworth/
Douglas B. Hoyt, 0-471-11854-0
%E   Arthur E. Hutt
%E   Seymour Bosworth
%E   Douglas B. Hoyt
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1995
%G   0-471-11854-0
%I   John Wiley & Sons, Inc.
%O   U$90.00 416-236-4433 fax: 416-236-4448
%T   "Computer Security Handbook, Third Edition"

Overall, this work appears to be strongly influenced from a time when
computers were mainframes locked in glass rooms, and the information
technology department was under the jurisdiction of accounting.  Although
some effort has been made to address more recent topics, the attempt is
piecemeal at best, and quite limited in depth.

Part one looks at the responsibility of management in the security concern.
The first essay, specifying the role of management, certainly dates the work
in the big iron era, defining security solely from the perspective of
availability.  Disclosure of information does get a mention, but even the
list of risks to be considered concentrates primarily on malfunction or
disaster.  A second paper takes a rather vague look at policies and related
documents, but is backed up with a number of examples.  The review of risk
analysis is similarly nebulous, although it does have some potentially
useful tables of probable threats.  Optimism about the availability of
background information seems to surround the discussion of employee
policies, but some important basic principles are presented.  Legal issues
are dealt with briefly, but over a wide range of topics.  The article on
computer crime is not particularly realistic: as one example, the
examination of controls concentrates on provisions for preventing
programmers from installing logic bombs, but the case studies actually cited
as examples of the need for such controls were perpetrated as fraud by those
in positions of authority.

Part two outlines basic safeguards.  Disaster recovery is, again, reviewed
primarily from the mainframe perspective.  The principles may be the same,
but the important resources for a corporation probably involve many more
aspects than just a mainframe and data.  An overview of insurance sounds
very much like a sales pitch, although it does divide the topic up by type
of threat, and examines different factors that can affect price and the
willingness of the insurers to make good on a loss.  (I was amused to note
that the section on viruses basically admits that vendors will use
extraordinary interpretations of standard wording to weasel out of paying.)
The chapter on auditing appears to have been written solely from an
accounting perspective, and, while the points listed would be helpful in
creating part of a security policy, they address only those issues related
to internal fraud.  System application controls are discussed strictly in
terms of development cycles and ideas such as "total quality management"
(TQM).

Part three moves to physical protection.  Hardware protection takes a
detailed look at internal error situations right down to the gate level, as
well as a more superficial examination of architecture concerns and
environmental problems.  Accidental calamities are also the major emphasis
in computer facility protection, although there is some attention paid to
the need to secure cabling.  "Monitoring and Control Devices" presents
theory behind surveillance and alarm systems.

Part four starts to look into technical aspects of data security.  A chapter
on software and information security appears to have some valid points to
make (aside from the misinformation on viruses) but is written in such a
convoluted manner that most material must be read several times to puzzle
out the meaning.  An essay on records retention has been retrofitted to
become an examination of computer data security.  The paper on encryption is
extremely disjointed (for example, dropping a discussion of network
topologies into a purported explanation of the RSA [Rivest Shamir Adleman]
encryption algorithm), and almost completely lacking in details.  A rather
generic security overview (with questionable virus information) is supposed
to address data communications and networking.  A grab bag of penetration
techniques and countermeasures provides some interesting prompts to consider
various attacks, but is not organized or complete enough to fully cover the
subject.  The chapter on viruses and related threats is rife with errors,
and confuses the various types of problems with each other as well as with
unverified speculation.

Part five deals with special protection issues.  Chapter twenty suggests
that you might want to be a little careful when dealing with outside
contractors.  While there is some disorganization, and a few odd
anachronisms, the paper on personal computers is much more practical than
most of the preceding material.  The essay on LANs presents a primer on
networks, and then a generic overview of security, without an awful lot of
relation between the two.  The chapter on Internet security has some basic
information, but is quite disorganized.

Supplements are supposedly produced to update the work.  Some such documents
ask you to replace paragraphs and correct errors: others offer additional
sections to enhance the original essays.  In the 1997 supplement (ISBN
0-471-17297-9) there are some weak addenda for auditing, encryption, and
viruses, as well as a decent, though still disorganized, extension to the
Internet material.  There is also a first rate examination of e-mail privacy
issues and a reasonable though uninspired review of single sign-on.  When I
contacted the publisher, I was told that the 2000 supplement was still in
the editorial stage.  In fact, so was the 1998 supplement!  So I wouldn't
expect any updates for the book in the near future.

Most of the material is fairly obviously old, and originally intended to
address topics applicable solely to mainframe computer establishments, or
even non-computerized systems.  Patchwork updating is evidently an
afterthought.  A great deal of material is repeated many times over in
different essays.  Generally the papers have little detail or depth, so the
recapitulations do not add much new content each time.

There is useful material in the work, but it is difficult to abstract the
good from the outdated and mundane unless you are already quite expert in
the field.  The newcomer would be advised to get some basic training or
reading before attempting to deal with this work, but the expert will be
able to find some useful nuggets.

copyright Robert M. Slade, 2001   BKCMSCHB.RVW   20010530
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

Please report problems with the web pages to the maintainer

Top