The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 21 Issue 83

Weds 26 December 2001

Contents

Error at Board of Studies
Pete Mellor
Wiretapping equipment compromised: FBI, CALEA
Michael E. Goldsby
Security problems in Microsoft and Oracle software
NewsScan
Latest Windows versions vulnerable to unusually serious attacks
Monty Solomon
Software glitch grounds new Nikon camera - Tech News - CNET.com
Craig Mautner
Secure in, insecure out
Jeremy Epstein
Assume no safety ...
Peter Houppermans
Re: Identity theft without prior knowledge of SSN
Brett Harmond
Mersenne prime exponent wrong
Ken Knowlton
Re: Computer will drive 820 passengers at 68 mph
Ian Entecott
Jonathan Thornburg
Curt Sampson
Jeff Jonas
Jacob Sparre Andersen
Anthony W. Youngman
Andrew Roberts
Jens Braband
Jerrold Leichter
Info on RISKS (comp.risks)

Error at Board of Studies

<Pete Mellor <pm@csr.city.ac.uk>>
Sat, 15 Dec 2001 15:26:41 +0000 (GMT)

The following was sent to the Dean (Cc the School) by one Head of Department
last Friday.  I thought it might provide a little Christmas cheer!

> Please give my apologies to the Board for the error
> in my last report. I had written,
> "There should be a rewording of BSc CS's position .. "

> My spellchecker challenged "CS's". Unfortunately I
> clicked 'Replace' rather than 'Skip' without noticing.
> The default substitute for "CS's" is "Chihuahuas".

Peter Mellor, Centre for Software Reliability, City University,
Northampton Square, London EC1V 0HB  +44 (0)20 7040 8422  [NEW]

  [The spelling checker must have been a little dogged in its
  persistent challenging.  But it would be even more delightful if
  a Chihuahuan with a BSc degree had applied for the position.  PGN]


Wiretapping equipment compromised: FBI, CALEA

<"michael e. goldsby" <mike.goldsby@attbi.com>>
Thu, 20 Dec 2001 00:59:00 +0000

A recent series of four newscasts on the Fox Network alleged that
U. S. telephone call records have been falling into the hands of
international organized crime.  Call records allow traffic analysis but do
not disclose the contents of the conversations.

However, the newscasts further alleged that the equipment used by the FBI to
do the wiretaps authorized by the CALEA legislation (1994) has been
compromised.  It is said to contain back doors that allow unauthorized
persons to obtain access to the contents of telephone conversations.  The
back doors were not put there by the FBI and are not under their control.

Partial transcripts of the newscasts are available at
  http://foxnews.com/story/0,2933,40684,00.html
  http://foxnews.com/story/0,2933,40747,00.html
  http://foxnews.com/story/0,2933,40824,00.html
  http://foxnews.com/story/0,2933,40981,00.html

The second newscast cites an example of a 1997 Los Angeles drug case in
which access to telephone call records was used to "completely compromise
the communications of the FBI, the Secret Service, the DEO [sic] and the
LAPD."


Security problems in Microsoft and Oracle software

<"NewsScan" <newsscan@newsscan.com>>
Fri, 21 Dec 2001 08:47:58 -0700

Two top companies have issued new statements acknowledging security flaws in
their products: Microsoft (Windows XP) and Oracle (the 9i application
server, which the company had insisted was "unbreakable"). Resulting from a
vulnerability called "buffer overflow," both problems could have allowed
network vandals to take over a user's computer from a remote location.
Microsoft and Oracle have released software patches to close the security
holes, and a Microsoft executive says: "Although we've made significant
strides in the quality of the software, the software is still being written
by people and it's imperfect. There are mistakes. This is a mistake." (San
Jose Mercury News 21 Dec 2001; NewsScan Daily, 21 December 2001)
  http://www.siliconvalley.com/docs/news/svfront/secur122101.htm


Latest Windows versions vulnerable to unusually serious attacks

<Monty Solomon <monty@roscom.com>>
Fri, 21 Dec 2001 01:21:03 -0500

Microsoft's newest version of Windows, billed as the most secure ever,
contains several serious flaws that allow hackers to steal or destroy a
victim's data files across the Internet or implant rogue computer software.
...  A Microsoft official acknowledged that the risk to consumers was
unprecedented because the glitches allow hackers to seize control of all
Windows XP operating system software without requiring a computer user to do
anything except connect to the Internet.  Microsoft made available on its
Web site a free fix for both home and professional editions of Windows XP
and forcefully urged consumers to install it immediately.  ...
Ted Bridis, Associated Press, 20 Dec 2001
  http://digitalmass.boston.com/news/2001/12/20/microsoft.html

  [The vulnerabilities involve the universal plug-and-play features, and
  were discovered by a team at eEye Digital Security Inc. of Aliso Viejo,
  Calif., led by Marc Maiffret.  There were also subsequent reports that the
  free fix was not adequate.  By the way, the free fix can arrive
  automatically with "drizzle", which allows MS to upgrade for you.  PGN
  SAYS BEWARE OF MECHANISMS THAT OFFER AUTOMATIC UPGRADES, no matter how
  convenient they may seem.  The article also quotes Microsoft's departing
  corporate security officer, Howard Schmidt, who is about to join Richard
  Clarke in the White House, expressing frustration about continuing threats
  from overflows. "I'm still amazed that we allow these things to occur."
  PGN]


Software glitch grounds new Nikon camera - Tech News - CNET.com

<"Mautner, Craig" <craig.mautner@windriver.com>>
Thu, 20 Dec 2001 15:29:22 -0800

From the article
  http://news.cnet.com/news/0-1006-200-8246450.html?tag=pt.msnbc.feed..ne_8246450 :

"...Given certain circumstances, the glitch can come into play if a person
switches on the camera without first removing the lens cap. Depending on
what position the zoom lens was in when the camera was last used, the lens
cap will block the lens from automatically extending back to that position,
resulting in an error that cannot be cleared by the owner..."

The risks? No doubt some user missed taking the one picture that would have
won them a Pulitzer. Mere aggravation for all other users affected. Nikon is
out a bunch of $$'s (or yen) involved in the cycle of recall, debug,
reprogram a bunch of cameras.

Craig Mautner, Wind River Services, 10505 Sorrento Valley Road #1,
San Diego, CA 92121-1608  1-858-824-3065  craig.mautner@windriver.com


Secure in, insecure out

<Jeremy Epstein <jepstein@acm.org>>
Wed, 26 Dec 2001 09:27:48 -0500

As readers of RISKS know, many Internet users think that HTTPS is equivalent
to security.  Here's an example where that went badly wrong.

My employer uses an online service to handle signups for the flexible
spending plan (*).  It uses an HTTPS form to collect the usual personal
info: name, address, social security number, and amount to be deducted.  So
far, so good.  I don't know what it does with the information (presumably
puts it in a database, which has its own issues).  Then they e-mail the
information back to the user for confirmation, including the SSN.

Interestingly, *someone* at the company understood the risks, because their
"security and privacy" policy on their home page notes that unencrypted
e-mail is not safe. (**) Whoever wrote that policy obviously wasn't working
with the people building the system.

The response when we pointed the problem out was "we use HTTPS, so we're
secure".  After several rounds of back-and-forth with the vendor, they
admitted the problem, and proposed to fix it early next year.  Since this is
software that gets used once a year (to meet the Dec 31st deadline), that
was clearly a silly proposal, since all users would be forced into using the
incorrect version.  So after some arm-twisting, they changed the
confirmation message to eliminate all but the last 4 digits of the SSN.  A
big improvement.

The risk here is that this is a commercial system that's presumably used by
many other companies besides ours.  How many other companies use this flawed
system and never objected?  And how many other equivalent systems are there
out on the net?  If I were looking for an easy way to commit identity theft,
I'd be monitoring e-mails coming out of that company...  chances are there's
a lot of good info!  (Which is why I'm not giving their name or URL!)

  -----
(*) A flexible spending plan is established by US tax law to allow tax-free
deductions from salary into an account which can then be used to pay for
medical or child care expenses.  By law, you have to decide by December 31st
how much money will be deducted in the following year, and you (generally)
can't change that decision once it's made.  Also, any unspent money is not
returned to the employee, so it's important to estimate accurately.  Because
of the legal Dec 31st deadline, it wasn't possible/feasible to wait for a
more appropriate resolution of the problem.

(**) I did a Google search on the actual phrase used on their Web page to
see if it would disclose who the vendor is.  They were the only vendor of
their type who used the particular phrase, which is why I haven't quoted it
verbatim, but it seems to be a catch phrase used in MANY security and
privacy policies.  So perhaps they just cut & pasted it without having a
clue what it meant.

--Jeremy

P.S. Yes, I understand there are a lot of other risks in this system besides
just sending the SSN unencrypted.  This was just particularly egregious.
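The fix the vendor finally shipped, keeping only the last four digits of the SSN in the confirmation message, is worth pairing with an outbound check so that a full SSN cannot reach an unencrypted e-mail channel by accident. The following is an added Python example, not code from the vendor or from Jeremy's post; the signup record, the e-mail wording and the `leaks_full_ssn` guard are constructed for illustration.

```python
import re

# Constructed sample of what the HTTPS signup form collects (not real data).
SIGNUP = {
    "name": "A. Example",
    "address": "1 Example Street, Anytown",
    "ssn": "123-45-6789",
    "deduction": "1200.00",
}

# Nine digits, with or without the usual hyphens, as a whole token.
SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, which is what the vendor's fix did."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


def confirmation_email_naive(record: dict) -> str:
    """The original behaviour: the full SSN echoed back in plaintext e-mail."""
    return (
        f"Thank you, {record['name']}.\n"
        f"Address: {record['address']}\n"
        f"SSN on file: {record['ssn']}\n"
        f"Annual deduction: ${record['deduction']}\n"
    )


def confirmation_email(record: dict) -> str:
    """The corrected behaviour: same message, SSN masked before it leaves."""
    return (
        f"Thank you, {record['name']}.\n"
        f"Address: {record['address']}\n"
        f"SSN on file: {mask_ssn(record['ssn'])}\n"
        f"Annual deduction: ${record['deduction']}\n"
    )


def leaks_full_ssn(body: str) -> bool:
    """Outbound guard (hypothetical): True if a full SSN pattern survives in the
    body.  Run it on every message bound for an unencrypted channel and refuse
    to send on a hit, so the masking cannot silently regress."""
    return SSN_RE.search(body) is not None


if __name__ == "__main__":
    print("naive message leaks SSN:", leaks_full_ssn(confirmation_email_naive(SIGNUP)))
    print("masked message leaks SSN:", leaks_full_ssn(confirmation_email(SIGNUP)))
    print(confirmation_email(SIGNUP))
```

The guard is deliberately independent of the template: the policy page and the system builders were evidently not talking to each other, and a check at the sending boundary catches the next template that someone writes without reading the policy.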


Assume no safety ...

<Peter Houppermans <Peter.Houppermans@paconsulting.com>>
Mon, 17 Dec 2001 16:43:01 -0000

I came across an ad in *Computing* for the new Samsung GT9000Pro notebook,
one of the laptops following the trend to have a fingerprint scanner built
in.  Envisage: switch on the machine, press thumb and you're logged in (for
the sake of Administrators' thumbs, I hope they allow a file update for a
mass rollout, but I digress ;-).

Now, after this highly sophisticated, technically advanced piece of
biometric technology has reliably authenticated, you can immediately start
to work on your Corporate network ..

.. via its built-in Wireless LAN network card.

Duh.

The RISK: assuming that a fancy front-end (the scanner) implies a completely
secure system.

Peter Houppermans, PA Consulting Group Ltd


Re: Identity theft without prior knowledge of SSN

<Brett Harmond <brett_harmond@yahoo.com>>
Mon, 17 Dec 2001 09:20:32 -0800 (PST)

A few years ago I had the pleasure of writing a program to pull credit
reports electronically.  During my testing, I learned that one only needs
two of the following three pieces of information: Name (defined by last name
and only the first three characters of the first name), SSN, and Address.
Given any two of the three and making up the third, you can obtain a
legitimate credit report.  Considering how easy it is to find anyone's name
and address, this makes it a piece of cake to get their social security
number and other interesting information.


Mersenne prime exponent wrong (RISKS-21.82)

<KCKnowlton@aol.com>
Sun, 16 Dec 2001 20:26:19 EST

(On the RISK of manually inputting digits:)
That new Mersenne prime as given on the cited Web page is
  2^(13,466,917) - 1,  not 2^(12,466,917) - 1.

Shall we call this another off-by-one error, or
off-by-two-to-the-millionth?   Ken Knowlton


Re: Computer will drive 820 passengers at 68 mph (Norton, R 21-82)

<Ian.Entecott@tas.alcatel.ca>
Mon, 17 Dec 2001 08:29:01 -0500

The train control system being installed at JFK Airport is a SELTRAC system
made by the Transport Automation division of Alcatel Canada Inc. Alcatel
have installed several such systems around the world including the Docklands
Light Railway, London, UK; the SkyTrain, Vancouver, BC, Canada and the LRT2,
Kuala Lumpur, Malaysia. All operate to similar specifications given in
Daniel Norton's posting; the DLR carries 130,000 passengers a day using 30
single and double vehicle driverless trains and has been in operation since
1993 without an accident to passengers or staff. Regular readers of RISKS
will already be saying to themselves that operating software problem free
for several years is no guarantee that there are no problems waiting to be
revealed but I hope Alcatel's record in developing automatic train control
systems will reassure Daniel that the AirTrain will provide safe, reliable
transport for the passengers and staff of JFK Airport.

Ian Entecott, Alcatel Canada Inc., Transport Automation Systems,
1235 Ormont Drive, Weston, Ontario, L3X 1N2, Canada.


Re: Computer will drive 820 passengers at 68 mph (R-21.82)

<Jonathan Thornburg <jthorn@aei.mpg.de>>
Sun, 16 Dec 2001 15:37:10 +0100

Vancouver, Canada's "Skytrain" light rail transit system has been
operational since 1986, and currently carries an average of 110,000
people per day at cruising speeds of 72 km/hr, with a fleet of 150
cars on 29 km of track.  (A major extension is currently under
construction.)  The system is fully computer-controlled: there are
*no* drivers or (apart from roving fare checkers and security guards)
any other transit personnel in the cars.  Indeed, there are no driver's
cabs in the cars.  Further details at
   http://city.vancouver.bc.ca/commsvcs/planning/atoz/A_ALRT.htm
   http://www.questercorp.com/transit/index.html

I lived in Vancouver during the system's initial commissioning and for
some years thereafter, and I don't recall any serious problems being
reported in the local press.

Jonathan Thornburg, Max-Planck-Institut fuer Gravitationsphysik (Albert
Einstein Institut), Golm, Germany http://www.aei.mpg.de/~jthorn/home.html


Re: Computer will drive 820 passengers at 68 mph

<Curt Sampson <cjs@cynic.net>>
Mon, 17 Dec 2001 13:38:34 +0900 (JST)

The biggest RISK here is lack of even basic research on the part of a
worried person, I'd say.  [... some duplication on Alcatel deleted.  PGN]

As it turns out, for many of the safety systems, the technology is not
even that new, or even computer-related. I asked a friend of mine who
worked on this Alcatel system for his comments. He said:

> Well, most automated systems use some kind of physical interlocking
> system that guarantees safety.  The trains are driven by computer, but
> because of the nice tidy one dimensional network problem, it's fairly
> easy to contain the safety critical portion into this interlocking.
> In some systems it's actually completely mechanical, with the computer
> (I kid you not) driving the motion of metal bars pneumatically.  An
> unsafe route cannot be set without one iron bar passing through
> another iron bar.
>
> I guess the point is that this interlocking is present whether the
> system is human controlled or computer controlled: the only real
> difference is that in an automated system it's a computer paying
> attention to the signals and there is a mechanism to halt the train if
> a signal is ignored.  In a human operated system an unsafe route still
> can't be set because of the interlocking, but a human can skip a
> signal and human systems usually don't include very effective
> mechanisms for forcing a stop when a signal is blown.
>
> Short version: we have hundreds of years of experience building safety
> critical train systems and in most cases these systems are still in
> use to protect the train and passengers---even when a computer is
> doing the driving.

(Actually, I've seen some pretty effective systems for making sure that
human-driven trains stop. On the New York subways, there is a lever on
the tracks at each signal that pops up when the light is red. If the
driver attempts to pass the signal when this lever is up, the lever will
trigger a switch under the car that turns on the brakes. If you stand
at the middle or the head end of a subway platform in NYC, you can see
this system in operation.)

Getting out of the safety area, I suppose the RISKS might include loss
of service due to computer failures. But then again, given the level
of train automation we're using even in systems with drivers, the risk
appears not significantly different. (A severe computer failure in the
train control systems on a system with drivers still brings the entire
system to a halt; drivers rely on the signaling to make sure that they
are taking safe actions.)

So to this reader at least, the risks are not at all obvious. We've had
automated systems shuttling around groups of "820 people at 68 mph" for a
long, long time now, with an excellent safety record and, overall, a
significant improvement in the number of people a system can move as
compared to one with human drivers.

Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
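The point in the quoted explanation, that the interlocking refuses an unsafe route no matter who is driving, and that an automated system adds a trip stop for a signal that is run, can be modelled in a few lines. This is an added Python example and not code from the post, from Alcatel, or from any real signalling system; the routes, sections and train names are constructed, and the model is a toy that ignores block timing, braking distance and points.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    sections: frozenset  # track sections the route occupies


class Interlocking:
    """A route may be set only if it shares no section with a route already
    set.  This check sits below both the human and the computer driver; in
    the mechanical version it is one iron bar that cannot pass another."""

    def __init__(self, routes):
        self.routes = {r.name: r for r in routes}
        self.set_routes = set()

    def signal_for(self, route_name: str) -> str:
        return "green" if route_name in self.set_routes else "red"

    def request_route(self, route_name: str) -> bool:
        req = self.routes[route_name]
        for other in self.set_routes:
            if req.sections & self.routes[other].sections:
                return False  # conflict: refused, signal stays red
        self.set_routes.add(route_name)
        return True

    def release_route(self, route_name: str) -> None:
        self.set_routes.discard(route_name)


class Train:
    """The driver (human or computer) reads the signal.  The trip stop acts
    on the train itself when it moves past a red, whatever the driver did."""

    def __init__(self, ident: str):
        self.ident = ident
        self.tripped = False
        self.position = None

    def proceed(self, ilk: Interlocking, route_name: str, obey_signal=True) -> str:
        if ilk.signal_for(route_name) == "red":
            if obey_signal:
                return "held"          # driver stops at the signal
            self.tripped = True        # signal run: brakes applied by trip stop
            return "tripped"
        self.position = route_name
        return "moving"


def demo_scenario():
    """Constructed scenario: three routes, two sharing section B, two trains."""
    ilk = Interlocking([
        Route("A-B", frozenset({"A", "B"})),
        Route("B-C", frozenset({"B", "C"})),  # conflicts with A-B at B
        Route("D-E", frozenset({"D", "E"})),
    ])
    log = []
    log.append(("set A-B", ilk.request_route("A-B")))
    log.append(("set B-C", ilk.request_route("B-C")))  # refused
    log.append(("set D-E", ilk.request_route("D-E")))
    computer = Train("computer-driven")
    human = Train("human-driven")
    log.append(("computer on A-B", computer.proceed(ilk, "A-B")))
    log.append(("human on B-C, obeys red", human.proceed(ilk, "B-C")))
    log.append(("human on B-C, runs red", human.proceed(ilk, "B-C", obey_signal=False)))
    log.append(("human tripped", human.tripped))
    return log


if __name__ == "__main__":
    for event, outcome in demo_scenario():
        print(f"{event}: {outcome}")
```

Whether the driver is a person or a program changes only the `proceed` caller; the refusal in `request_route` and the trip in `proceed` are the parts that have to be right, and they are small enough to argue about.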


Re: Computer will drive 820 passengers at 68 mph (Norton, R-21.82)

<"Jeff Jonas" <jeffj@panix.com>>
Fri, 14 Dec 2001 22:57:29 -0500 (EST)

The Port Authority of NY & NJ already operates such train-systems:

* The PATH system mostly crosses the Hudson river,
  linking NY to NJ (the link to lower Manhattan was at the
  World Trade Center, a temporary station might open in 2 years).
  It looks like a subway system: high tech signalling and communications
  but the train's still totally under the motorman's control.

* The monorail around Newark airport seems fully or highly automated.
  It was recently extended to the Northeast Corridor train lines
  (N.J. Transit and Amtrak trains)

[PS: I think the Port Authority of NY/NJ also owned/operated the World Trade
Center.  Related to this: after the first bombing, the twin towers were
criticized for not meeting New York City fire codes since it was not
accountable to NYC being a Port Authority project!  Also related: before
9/11, there were efforts to "privatize" the New York City airports but now
with the move towards federal oversight, the Port Authority might keep
control]

* The Delaware River Port Authority of Pennsylvania and New Jersey
operates PATCO: a tiny train system similar to PATH: see
  http://www.drpa.org/patco/
I remember the PATCO Hi-Speedline has an operator sitting in a little
platform with a curtain, more like a bus-driver than the usual booth for a
train engineer.  Under normal operation, the train runs hands free, the
operator just opens and closes the doors.  The operator seems to take full
control of the train when running on the alternate tracks.

In Miami Florida, there's some elevated people-mover that's fully automated,
no operators on the little trolley-like monorail-like system.  But it moves
slowly.  See:
  http://www.co.miami-dade.fl.us/transit/
Miami-Dade Transit
  http://www.fta.dot.gov/library/technology/apm/apmrev.html

AUTOMATED PEOPLE MOVER APPLICATIONS: A WORLDWIDE REVIEW
  http://faculty.washington.edu/~jbs/itrans/detroit.htm

Detroit Downtown Peoplemover
  http://faculty.washington.edu/~jbs/itrans/miami.htm

Miami Metromover - The First Automated Downtown Peoplemover in the U.S.

  [The shuttle between Grand Central and Times Square in New York City was
  fully automated MANY years ago.  PGN]


Re: Computer will drive 820 passengers at 68 mph

<Jacob Sparre Andersen <sparre@nbi.dk>>
Sun, 16 Dec 2001 17:24:56 +0100

The Paris metro line 14 is fully automated, and does not seem to have any
special problems.  The automated train control system for line 14 was
implemented in Ada (a programming language designed with the goal of getting
reliable software), and the implementation was tested using a theorem proof
system.

The future Copenhagen airport metro is supposed to be fully automated, but
nobody knows if it is going to work or not (yet).

I definitely prefer the Paris metro line 14 to the roads of Copenhagen and
Paris.

Jacob


Re: Computer will drive 820 passengers at 68 mph (Norton, R-21.82)

<"Anthony W. Youngman" <Anthony.Youngman@ECA-International.com>>
Mon, 17 Dec 2001 13:24:58 -0000

Well, there's always the Docklands Light Railway (DLR) in London which works
fine and, as far as I know, has never had an accident.  [SEE PGN NOTE
BELOW.]  And the engineers comment that there is *less* likelihood of an
accident with an automated system, which sounds right given the fact that
we've had several very nasty accidents due to drivers ignoring signals
recently.

Mind you, that "drivers ignoring signals" is another example of RISKy
behaviour. The sequence of signals from danger to safe is "red", "single
yellow", "double yellow", "green". Given that due to crowding most trains go
through most signals on double yellow, all too often they go through a
single yellow without realising it (the in-cab warning is IDENTICAL for
both). So a train going at near full speed suddenly realises the signal in
front is red, having missed the single yellow "slow down" warning, and is at
serious risk of overrunning the red because it can't stop in time (or even
worse, misses the red completely, and then cancels the cab warning because,
again, IT IS THE SAME IN-CAB SIGNAL!).

  [In RISKS-5.29, Mark Brader notes a Docklands crash on 10 Mar 1987, at the
  Island Gardens station.  The train crashed through the station buffers and
  hung off the end of the elevated track.  Required modifications that would
  have prevented the accident had not yet been installed.  PGN]


Re: Computer will drive 820 passengers at 68 mph

<Andrew Roberts <andrew.roberts@automationpartnership.com>>
Mon, 17 Dec 2001 12:39:59 +0100

This sounds very similar to the system at STN London Stansted.  There, the
main terminal is separate from satellites where the gates are located.  A
fully automated, driverless guided busway runs between these, going
underground to reach the satellites.  I say busway because the vehicles have
rubber tyres rather than running on rails.

Carriages (originally 1, but now 2 coupled together, I think there's room
for 3 at the stations) travel at up to 40mph (my estimate), and carry
a similar number of passengers as the JFK system.

This has been in operation since the early nineties, without a single
breakdown when I've been on it (unlike the rest of the UK railway system).

Andrew Roberts, The Automation Partnership(Cambridge) Ltd, York Way,
Royston, Herts, SG8 5WY, UK  http://www.automationpartnership.com


Re: Computer will drive 820 passengers at 68 mph (Norton, R-21.82)

<<Jens.Braband@web.de>>
Wed, 19 Dec 2001 20:40:41 +0100

While the risk of automatic guided transport is obvious, it is nothing new.
Automatic systems have been in operation since the early 80's mainly in
metros and airport shuttles.  For example, the Web site of the market
leader, Matra Transport (http://www.matra-transport.fr/) shows this clearly
with systems being realised all over the world.  It must also be
acknowledged that the automatic guided transport systems seem to have a
clean safety record so far and that also high-speed trains, although not
being fully automated, have to rely to a great extent on computer guidance.

  [Matra is also responsible for the Ariane 5 and Taipei subway system
  (which suffered a computer crash, but no accidents, on 3 Jun 1986).
  See RISKS-18.17 and 18.19.  PGN]


Re: Computer will drive 820 passengers at 68 mph (Norton, R-21.82)

<Jerrold Leichter <jerrold.leichter@smarts.com>>
Sun, 23 Dec 2001 17:55:14 -0500 (EST)

Such systems are common, and have been common for many years.  The
commonality may not be obvious because of a difference in physical
orientation: The ones in wide use have tracks running vertically.  We call
them elevators. Granted, elevators don't attain the same rate of speed -
about 15 mph seems to be the limit - but a falling car could easily exceed
it.  And granted few if any elevator cars carry 820 passengers - but there
are certainly many large buildings whose entire elevator system, during peak
periods, carries much greater passenger loads.

Ah, but elevators just go up and down a single isolated shaft.  Actually,
first of all that's not true in modern buildings; second, the JFK rail
system appears to follow pretty much the same model.  (This is based on
personal observation of the system as it's being built.  It will run on a
pair of tracks built over a highway, completely isolated from all other
traffic.)

A large, complex system of trains on various interconnected tracks poses
difficult problems which we probably aren't ready to deal with fully
automated controls.  A simple back-and-forth system with no external
connections and a limited number of trains is quite a different story.

Will this system be hazard- and problem-free?  Only time will tell - but
there's no reason I can see to believe that it would be safer if a human
being - whose ability to respond quickly and accurately after months of
numbing routine going back and forth between the same 5 or 6 stations would
surely be severely taxed - were standing at the controls.  Actually, as many
years of experience has shown, a human being - unaided - would do very badly
at this kind of job.  That's why railroad systems have various automated
safety devices.  For that matter, so do elevators - and they
introduced them when "elevator operator" was still a job description.  If
there's reason to believe that the JFK system has scrimped on such systems,
that's another issue - but my reaction would be no different from hearing
that a new digitally-controlled elevator had eliminated the mechanical
emergency brakes that have been standard for the better part of a century.
