Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 22: Issue 31
Monday 21 October 2002
Contents
E-ZPass Users in New Jersey Will Get Replacement Devices- Monty Solomon
The high risk of low security: element 118- Wendell Cochran
Password complexity -- not just for computers anymore- Seth Arnold
GPS: Keeping Cons Out of Jail- Monty Solomon
How mobile phones let spies see our every move- Monty Solomon
Airline Security- Morten Welinder
GAO: Commercial Satellite Security Should Be More Fully Addressed- Monty Solomon
UCSD bans WinNT/2K -- will it do any good?- Jeremy Epstein
Outlook knows best!- Jim Bauman
Microsoft Skins a Knee on the Astroturf- Monty Solomon
Bogus Yahoo e-mail picks up credit-card numbers- Tom Van Vleck
A new twist to Bugbear- Paul Edwards
How we run elections in the UK- Richard Pennington
Re: Risks of automatic Windows updates, and HIPAA legality- Chuck Karish
Greg Searle
Douglas Siebert
Re: Pac*Bell menu- Crispin Cowan
Re: Hazards of online translation and plagiarism- Bob Schuchman
Re: Weak encryption kills wolves- Phil Smith III
Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk- PGN
REVIEW: "Hacking Exposed", Stuart McClure/Joel Scambray/George Kurtz- Rob Slade
REVIEW: "Have You Locked the Castle Gate", Brian Shea- Rob Slade
Info on RISKS (comp.risks)
E-ZPass Users in New Jersey Will Get Replacement Devices
<Monty Solomon <monty@roscom.com>>
Wed, 16 Oct 2002 03:39:36 -0400
New Jersey's E-ZPass windshield transponders are wearing out sooner than expected, resulting in hundreds of thousands of mistaken violation notices being issued. Similar problems with the manufacturer, Mark IV Industries, have arisen in 14 states (not all of which are E-ZPass customers). Over about 900,000 users out of six million will be getting free replacements. [Source: Ronald Smothers, *The New York Times*, 16 Oct 2002, PGN-ed] http://www.nytimes.com/2002/10/16/nyregion/16PASS.html [Head them off at the Pass? PGN]
The high risk of low security: element 118
<Wendell Cochran <atrypa@eskimo.com>>
Wed, 16 Oct 2002 11:01:13 -0700
Recently a prominent physicist at the Lawrence Berkeley National Laboratory was fired, and the reported detection of element 118 was retracted. Everyone concerned agrees that essential data in a computer file had been faked, forged, or fudged. [What to name the would-be new element? Phonium? Phakium? Phorgium? Phudgium? PGN] The fired physicist denies doing the dirty work. According to *The New York Times*, Science section, 15 Oct 2002: ``He says he is as perplexed as anyone. His account on the laboratory computer system was used by everyone in his group, he says, and his password was an open secret.'' Sardonic cackling in the deep background may emanate from the ghost of Richard P. Feynman, once the resident lockpicker at Los Alamos.
Wendell Cochran, West Seattle
Password complexity -- not just for computers anymore
<Seth Arnold <sarnold@wirex.com>>
Sat, 19 Oct 2002 17:15:15 -0700
The outside key-code on my building has five buttons but ten digits -- two digits per button. This allows for 10^n different "combinations" as humans must remember it, but 5^n different combinations as the door remembers it. Who thought of this? Hopefully the same person who thought capitalizing all passwords before performing comparisons was a good idea -- I'd hate to think there are more than a handful of people making mistakes like this.
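The keypad and the case-folded password check above are the same defect: the verifier canonicalises the secret before comparing, so several user-chosen secrets collapse onto one stored value. The script below, an added example that is not part of Seth Arnold's post, measures that collapse by enumerating every secret a user could choose, applying the verifier's canonicalisation, and counting how many distinct results survive. The button wiring (two digits per button, five buttons A to E) and the sample codes are constructed for illustration; it generalises the post's 10^n versus 5^n observation to any alphabet and any many-to-one mapping.

```python
"""Effective secret space after a many-to-one canonicalisation.

Added example, not part of the RISKS post.  The keypad in the post folds
ten digits onto five buttons, and a password check that upper-cases before
comparing folds lower- and upper-case letters together.  Both shrink the
set of secrets the verifier can actually tell apart.  The button map and
the sample codes are constructed for illustration.
"""
import itertools
import math
import string
from typing import Callable

# Constructed keypad wiring: two digits per button, five buttons (A-E).
KEYPAD_BUTTONS = {
    "1": "A", "2": "A",
    "3": "B", "4": "B",
    "5": "C", "6": "C",
    "7": "D", "8": "D",
    "9": "E", "0": "E",
}

DIGITS = string.digits
ALNUM = string.ascii_letters + string.digits


def keypad_canon(code: str) -> str:
    """The form the door actually stores and compares: the button sequence."""
    return "".join(KEYPAD_BUTTONS[ch] for ch in code)


def casefold_canon(password: str) -> str:
    """The form a case-insensitive password check actually compares."""
    return password.upper()


def distinct_secrets(alphabet: str, length: int,
                     canon: Callable[[str], str]) -> int:
    """Number of length-`length` secrets the verifier can distinguish.

    Enumerates every secret the user could choose, canonicalises each one
    the way the verifier does, and counts the distinct results.
    """
    seen = set()
    for symbols in itertools.product(alphabet, repeat=length):
        seen.add(canon("".join(symbols)))
    return len(seen)


def equivalents(secret: str, alphabet: str,
                canon: Callable[[str], str]) -> int:
    """How many user-chosen secrets the verifier accepts as `secret`."""
    target = canon(secret)
    return sum(
        1 for symbols in itertools.product(alphabet, repeat=len(secret))
        if canon("".join(symbols)) == target
    )


def space_report(alphabet: str, length: int,
                 canon: Callable[[str], str]) -> dict:
    """Nominal vs. effective space, and the entropy lost to canonicalisation."""
    nominal = len(alphabet) ** length
    effective = distinct_secrets(alphabet, length, canon)
    return {
        "nominal": nominal,
        "effective": effective,
        "bits_lost": math.log2(nominal / effective),
    }


if __name__ == "__main__":
    # Four-digit door code: 10^4 choices as the user sees it, 5^4 as the door does.
    print(space_report(DIGITS, 4, keypad_canon))
    # Two-character alphanumeric password under a case-insensitive comparison.
    print(space_report(ALNUM, 2, casefold_canon))
    # Constructed sample code: how many other codes the door accepts as "1234".
    print(equivalents("1234", DIGITS, keypad_canon))
```

For the keypad every digit position loses exactly one bit, so a four-digit code is worth 625 distinct values rather than 10,000, and any one code is shared with 15 others. Under case-folding a 62-symbol alphabet behaves like a 36-symbol one, losing log2(62/36) bits per position. The useful check when reviewing a verifier is simply whether `canon` is injective over the intended alphabet; if it is not, the advertised key space overstates the real one.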
GPS: Keeping cons out of jail
<Monty Solomon <monty@roscom.com>>
Tue, 15 Oct 2002 19:48:51 -0400
An electronic tracking system that follows suspects and criminals around their neighborhoods and compares the information to current crimes has received, of all things, the stamp of approval from the American Civil Liberties Union. The Global Positioning System's satellites track probationers and parolees and compare their whereabouts to the location of crimes committed in their vicinity. ... [Source: Julia Scheeres, wired.com, 15 Oct 2002] http://www.wired.com/news/privacy/0,1848,55740,00.html
How mobile phones let spies see our every move
<Monty Solomon <monty@roscom.com>>
Tue, 15 Oct 2002 20:18:45 -0400
Government's secret Celldar project will allow surveillance of anyone, at any time and anywhere there is a phone signal
Jason Burke and Peter Warren, 13 Oct 2002, *The Observer*
Secret radar technology research that will allow the biggest-ever extension of 'Big Brother'-style surveillance in the UK is being funded by the Government. The radical new system, which has outraged civil liberties groups, uses mobile phone masts to allow security authorities to watch vehicles and individuals 'in real time' almost anywhere in Britain. The technology 'sees' the shapes made when radio waves emitted by mobile phone masts meet an obstruction. Signals bounced back by immobile objects, such as walls or trees, are filtered out by the receiver. This allows anything moving, such as cars or people, to be tracked. Previously, radar needed massive fixed equipment to work and transmissions from mobile phone masts were thought too weak to be useful. ...
http://www.observer.co.uk/uk_news/story/0,6903,811027,00.html
Airline Security
<Morten Welinder <terra@diku.dk>>
15 Oct 2002 21:04:26 -0000
Finally someone in FAA and in the mainstream press [ahem] has gotten a clue
and figured out how to improve airline security. If only all these airline
security articles had anything to do with comp.risks.
Seeking to address "the number-one threat to airline security," the
Federal Aviation Administration announced Monday that it will consider
banning passengers on all domestic and international commercial
flights. [...]
http://www.theonion.com/onion3838/faa_passenger_ban.html
GAO: Commercial Satellite Security Should Be More Fully Addressed
<Monty Solomon <monty@roscom.com>>
Fri, 18 Oct 2002 01:19:56 -0400
GAO: Commercial Satellite Security Should Be More Fully Addressed
http://www.gao.gov/new.items/d02781.pdf
UCSD bans WinNT/2K -- will it do any good?
<"Jeremy Epstein" <jepstein@webmethods.com>>
Thu, 10 Oct 2002 08:06:55 -0400
Seen in *Security Wire Digest* ... seems to me it's trading the devil you know for the devil you ... know. Is WinXP really any more secure than WinNT/2K? Now if they banned the use of Outlook, that might be a step forward... BTW, students have to pay for a copy of WinXP. Maybe this is a fundraising effort by Microsoft... put out products that are so vulnerable that users have to spend more money to buy a less vulnerable version. "I'm sorry ma'am, but the wheels frequently fall off the 1998 model cars. We have no intention of fixing the problem. Would you like to buy a 2002 model for $20,000? By the way, you'll also need to build a new garage on your house to park it in, and a new driver's license, because the old ones aren't compatible."
*UNIVERSITY BANS WINDOWS NT/2000
Citing security reasons, the University of California at Santa Barbara (UCSB) has banned the use of Microsoft Windows NT/2000 on its residential network, ResNet. In a posting on the ResNet site, UCSB officials blame the OSes for "hundreds of major problems on UCSB's residential network during the 2001-2 academic year," including exploited vulnerabilities, denial-of-service attacks, port scanning, and infections by Code Red and Nimda. UCSB recommends that ResNet users switch to Windows XP Home.
http://www.resnet.ucsb.edu/information/win2k.html
Outlook knows best! ... (Re: Kabay, RISKS-22.30)
<Jim Bauman <JBauman@safety-kleen.com>>
Wed, 16 Oct 2002 09:42:50 -0500
I showed my boss the piece that M.E. Kabay submitted regarding Lookout, er, I mean Outlook, always forcing the primary over the secondary address. She's had the same experience using it at home. At work, we've been happily using Lotus Notes for our mail client for many years. In the near future, the powers that be will be switching us to Outlook. I can't wait!
Microsoft Skins a Knee on the Astroturf
<"Monty Solomon" <monty@roscom.com>>
Tue, 15 Oct 2002 18:03:12 -0400
A grass-roots campaign orchestrated by a PR department is commonly called "astroturf." What shall we call Microsoft's embarrassing sally at Apple's successful "Switchers" campaign? Let's consider "paid testimonial." ... No one expects Apple's ads to swing much market share, but perhaps Microsoft was feeling their sting. On Monday the company posted a Web page, "Confessions of a Mac to PC convert," supposedly written by a young woman who had switched from Apple to Windows XP. Her name was not given. Her picture, as Slashdot posters quickly discovered, was a stock image available for purchase from Getty's Photodisc. (Why the agency did not use an image from the competing Corbis service, owned by Bill Gates, is another mystery.)
http://newsletter.mediaunspun.com/index000021694.cfm#a100869
Bogus Yahoo e-mail picks up credit-card numbers
<Tom Van Vleck <thvv@multicians.org>>
Fri, 18 Oct 2002 12:18:01 -0400
Yahoo Inc. said on 17 Oct 2002 that some of its customers had been tricked into giving their credit-card numbers to an unaffiliated third party that had posed as Yahoo in a mass e-mail. [Source: Reuters, Yahoo, 17 Oct 2002]
http://story.news.yahoo.com/news?tmpl=story&ncid=582&e=2&cid=582&u=/nm/20021018/wr_nm/tech_yahoo_fraud_dc
A new twist to Bugbear
<Paul Edwards <paule@unimelb.edu.au>>
Wed, 16 Oct 2002 10:15:40 +1000
I have just received a Bugbear-initiated e-mail message. What made this one
different was that the body of the message contained a fragment of another
e-mail message that stated a username and password for an Australian event
ticket seller's e-commerce site. I set up an account on said site to see how
it worked; it appears to automatically recall credit-card details upon
login, as well as showing the usual personal details (address, phone number,
email address, etc). There's not even an address to give the Web folks
feedback.
RISKS? At least three, as I make it:
* Sending the two authorizing IDs in the one message
* Sending them cleartext
* Not requiring manual entry of credit-card details per transaction
Paul Edwards, Research Support Officer, Advanced Research Computing
The University of Melbourne 3010 AUSTRALIA t: +61 3 8344 8884
[Note added 18 Oct 2002:
Just to follow up to my original posting, I finally managed to speak to
someone by phone about the problem. They now appear to have removed the
automatic link to credit-card details, and some (although not all) of
the personal details. PE]
How we run elections in the UK
<Richard Pennington <richardhelen.pennington@virgin.net>>
Sat, 19 Oct 2002 16:43:55 +0000
I have been following, with a mixture of amusement and alarm, the correspondence about elections ever since Florida. In the UK, we have a separate ballot paper for each issue at stake (perhaps we're not as democratic as the USA - there is usually just one at a time), and we use a manual count. The counters are usually "volunteered" from the class of people most likely to be able to count large numbers of pieces of paper quickly and accurately - bank cashiers. The count proceeds in two stages: separating the votes between the various candidates, and then counting the individual piles, grouping them by elastic band into packets of 500 or 100. Dubious cases are taken out and argued over separately. The counts are scrutinised by representatives of the various political parties and others involved. A partial recount can be done very quickly by counting the number of packets in each candidate's pile (e.g. a winning count of 25,000 votes is counted by counting the 50 packets of 500 votes each), while a full recount involves recounting the number of votes in each packet (not a very long job, but necessary only if the result is close). Any candidate can claim a recount, either if there is doubt about who has won, or if there is doubt about whether a candidate has obtained enough votes to keep his deposit. Every general election, there is an informal competition between the various constituencies to see which can declare their result first (the declaration including a statement of the numbers of votes for each candidate, hence requiring a complete count). With an electorate averaging about 80,000 per constituency, the time to first declaration is usually just over one hour after the ballot closes.
At a general election, the result is usually clear enough for the loser at national level to concede victory before the following dawn, and the removal trucks (should they be required) move into Downing Street the day after the election (in the UK, the result is, usually, effective immediately). The system is low-tech, but quick, reasonably efficient, recountable, and verifiable. However, there are moves afoot to introduce electronic voting in the UK, and it was reported last week that Dr. Rebecca Mercuri visited the UK last week to voice her concerns about some of the proposed voting methods. I sincerely hope that the UK authorities will respect her knowledge and listen to her concerns. Dr. Richard Pennington, Camberley, Surrey, UK
Re: Risks of automatic Windows updates, and HIPAA legality (R-22.29)
<Chuck Karish <karish@well.com>>
Sun, 13 Oct 2002 09:48:49 -0700
Is Microsoft's End User License Agreement for Windows 2000 Service Pack 3 insidious or just sloppily worded? It's possible to read it as being meant primarily to ask for permission to execute certain tasks that the user is about to initiate: the tasks that constitute the OS upgrade. There's a big problem, though, in that the EULA doesn't spell out that the permission being asked for is limited to an immediate response to a specific user request.
* If you choose to utilize the update features within the OS Product or OS Components, it is necessary to use certain computer system, hardware, and software information to implement the features. By using these features, you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you.
* The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.
Re: Risks of automatic Windows updates, and HIPAA legality (R-22.29)
<Greg Searle>
Wed, 09 Oct 2002 17:03:38 -0400
One solution is simply to turn the automatic update off. I have had a Windows 2000 system that periodically and mysteriously rebooted itself in the middle of the night. Turning this automatic update "feature" off solved the problem. [greg_searle(at)hotmail(dot)com]
Re: Risks of automatic Windows updates, and HIPAA legality (R-22.29)
<Douglas Siebert <dsiebert@excisethis.khamsin.net>>
Wed, 9 Oct 2002 20:34:53 +0000 (UTC)
Well, it does say "recording electrodes", which sounds to me like there's no output voltage. Unless there's a need to send a small voltage pulse out to cause a response for certain things being recorded, of course. However, if it did control voltages, and those voltages had a range high enough to cause damage to the patient, you are correct there's a big risk here. Whether that's from MS having an OS that might update itself during surgery, or a hospital dumb enough to put something that could be harmful to the patient on the Internet where MS updates are only one of a number of bad things that can happen to it, I'm not sure.
Re: Pac*Bell menu (Stringer-Calvert, RISKS-22.30)
<Crispin Cowan <crispin@wirex.com>>
Tue, 15 Oct 2002 20:40:19 -0700
Seems perfectly sane to me, if you allow for modular composition. Consider software functions. You make them general, so that they can be called from multiple contexts. From some contexts, some parameter arguments will never occur. Now consider that the phone menus are functions .... Given the sad state of software engineering, and the generally accepted view that modularity is good for software quality, I'm not particularly troubled that the phone people didn't bother to special-case this.
Crispin Cowan, Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Re: Hazards of online translation and plagiarism (Mannes, RISKS-22.30)
<Bob Schuchman <schuchmanr@ieee.org>>
Tue, 15 Oct 2002 16:25:53 -0700
Anyone who called this story the result of an online translation and plagiarism problem hasn't read the facts at http://www.pinoylife.com/article.php?sid=88 . An inexperienced student journalist didn't realize that pinoylife.com is an "insider" Filipino-American site with its tongue in its cheek. She might not even know what the tongue in the cheek meant. How she found the site is anybody's guess, but don't they have a proofreader or at least an editor at the *Daily Evergreen*? What about the risk of telling a story without presenting all the facts and giving it a loaded title?
Re: Weak encryption kills wolves (Fredriksson, RISKS-22.29)
<"Phil Smith III" <phs3@akphs.com>>
Sun, 20 Oct 2002 23:13:53 -0400
One solution to the hunters using the wolf-tracking devices for hunting would be to deploy a large number of bogus trackers (assuming they're inexpensive enough). Perhaps a number of sheep could be equipped and deployed for this purpose, with the added benefit of providing food to help the struggling wolf population. They would, of course, also be sheep in wolves' clothing, so to speak...
...phsiii (smiling, um, sheepishly)
[Watch out for ewe turns. PGN]
Peter L. Bernstein, Against the Gods: The Remarkable Story of Risk
<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 21 Oct 2002 13:45:14 PDT
I finally caught up with a fascinating analysis of the history of risk management over the previous millennium. Although the book is somewhat slanted toward the financial world, it nevertheless has an incisive and yet broadly quasi-mathematical thoughtful perspective on risk management, and could be of interest to you. However, you might browse before you buy. It is not a typical page-turner, and is probably better digested slowly.
Peter L. Bernstein
Against the Gods: The Remarkable Story of Risk
John Wiley & Sons, New York 1996
ISBN 0-471-29563-9
The inside cover has this sentence: This book chronicles the remarkable intellectual adventure that liberated humanity from oracles and soothsayers by means of the powerful tools of risk management that are available to us today.
[Thanks to David Huestis for lending me this book.]
REVIEW: "Hacking Exposed", Stuart McClure/Joel Scambray/George Kurtz
<Rob Slade <rslade@sprint.ca>>
Thu, 10 Oct 2002 10:19:31 -0800
BKHCKEXP.RVW 20020911
"Hacking Exposed", Stuart McClure/Joel Scambray/George Kurtz, 2001,
0-07-219381-6, U$49.99
%A Stuart McClure stuart@hackingexposed.com
%A Joel Scambray joel@hackingexposed.com
%A George Kurtz george@hackingexposed.com
%C 300 Water Street, Whitby, Ontario L1N 9B6
%D 2001
%G 0-07-219381-6
%I McGraw-Hill Ryerson/Osborne
%O U$49.99 905-430-5000 fax: 905-430-5020
%P 729 p. + CD-ROM
%T "Hacking Exposed: Network Security Secrets and Solutions, 3rd Ed"
Yes, I know that this book has the most sales for any security work, ever. And, for the life of me, I still can't figure out why.
Part one looks at gathering data for an attack. Chapter one discusses company information that is generally available. However, while it may alert some to the fact that a lot of information can be obtained about them, most of the material deals with facts that you either want to make available, or that you must make available. Some suggested countermeasures are useful, while others strain the topic, such as the protection against domain hijacking. Scanning for weaknesses and loopholes, mostly with individual tools, in this edition, is the topic of chapter two. Enumeration, or finding weak user accounts and unprotected system resources (mostly on Windows 2000) is covered in chapter three.
Part two looks at details of specific systems. Chapter four touches on Windows 9x. NT gets a fair amount of detail in chapter five, but such vital and standard topics as disabling the Administrator account and setting up auditing are barely mentioned. Windows 2000 now has its own chapter: six. Some common NetWare attacks are listed in chapter seven. UNIX has the most extensive coverage, in chapter eight, but it is hardly comprehensive.
Part three deals with network weaknesses. Most of chapter nine discusses war-dialling and dial-up, but there is a brief mention of Virtual Private Networks (VPN). Some device weaknesses (vendor specific bugs, that is) are listed in chapter ten. (There is also a very brief mention of wardriving and detecting wireless networks.) Firewalls, in chapter eleven, are primarily addressed in terms of scanning to (for identification) or through. Chapter twelve describes a few denial of service attacks. (Something has been lost in the update: a discussion of IP fragmentation attacks refers to "earlier" material on teardrop that no longer appears in the book.)
Part four looks at software. Chapter thirteen deals with remote access software in fair detail. Hijacking and backdoors are discussed in chapter fourteen. Miscellaneous Web site bugs are reviewed in chapter fifteen. Chapter sixteen is a confusing amalgam of ActiveX design flaws, Internet Explorer implementation bugs, and random discussions of malware.
The original preface (which no longer appears in the work) stated that the book was intended for system administrators, but it did, and still does, read more like a cookbook for security breaking. The authors defend themselves against this charge in advance, and certainly "keep quiet" versus "let it all hang out" is a constant debate in security circles. However, the attack descriptions are far more detailed than the countermeasures sections, and many attacks are presented without any specific protections being mentioned.
There are a number of points in the book that can be helpful in identifying specific security weaknesses. However, the book can't be comprehensive in that regard, and what it fails to do is give an overall concept of, or framework for, security on an ongoing basis. The examples given are frightening and stimulating, but the authors present them as the entire picture. In fact, even the picture as presented is not entire. A number of descriptions given in the book either do not mention, or gloss over, the fact that, for example, sniffers must be placed on a local, promiscuous, network, and session hijacking requires that the attackers somehow get "between" two systems.
On the other hand, the book is quite readable and can give you some tips. And, I wouldn't mind seeing a few sysadmins a little more scared than they are at the moment. As long as they don't think that this is *all* you need to do.
copyright Robert M. Slade, 2000, 2002 BKHCKEXP.RVW 20020911
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
REVIEW: "Have You Locked the Castle Gate", Brian Shea
<Rob Slade <rslade@sprint.ca>>
Mon, 21 Oct 2002 08:17:56 -0800
BKHYLTCG.RVW 20020825
"Have You Locked the Castle Gate", Brian Shea, 2002, 0-201-71955-X,
U$19.99/C$31.99
%A Brian Shea
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2002
%G 0-201-71955-X
%I Addison-Wesley Publishing Co.
%O U$19.99/C$31.99 416-447-5101 fax: 416-443-0948
%P 193 p.
%T "Have You Locked the Castle Gate: Home and Small Business
Security"
Chapter one is entitled "Assessing Risk." It deals with the basic concepts,
but in a somewhat confused manner, and sometimes stresses or sensationalizes
minor points. A grab bag of security concepts drifts into Windows specifics
in chapter two. The author has said that he will be concentrating on
Windows, since it is the most widely used system for home computers, but the
material tells only *how* to, for example, set up groups, and not what
groups are used for in terms of security. Chapter three is more of the
same: more miscellany, and more Windows. The discussion of servers, in
chapter four, is almost entirely devoted to Windows, and is weak on security
concepts and technologies such as firewalls. There is a set of vague ideas
about the Internet in chapter five. Chapter six, on email security, has
some good suggestions, but a number of gaps. Web security is a questionable
checklist of browser settings, almost entirely for Internet Explorer, in
chapter seven. "Defending Against Hackers," in chapter eight, sounds like
it should be important, but it is hard to find any point. Chapter nine, on
viruses, starts with a surprisingly good set of definitions (recognizably
from "Robert Slade's Guide to Computer Viruses") but quickly deteriorates
into errors (the Internet Worm was *not* an accident), and poor suggestions
(it does not make an awful lot of sense to talk about "boot disks" for
scanning Windows systems without getting into a lot of detail).
I am all in favour of having a relatively simple and straightforward guide
to security for home and small business users. But Jeff Crume already did
"Inside Internet Security" (cf. BKININSC.RVW), and did a much better job.
copyright Robert M. Slade, 2002 BKHYLTCG.RVW 20020825
rslade@vcn.bc.ca rslade@sprint.ca slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade