The RISKS Digest
Volume 22 Issue 55

Wednesday, 12th February 2003

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Helsinki Health Department computer system down
Jesus Climent
Hospital computer changes patient status from discharged to deceased
Steven Tepper
Medical records: Turning lemons into lemonade or doublespeak?
Richard Cook
Surplus computer in Kentucky held 'deleted' AIDS files
NewsScan
TETRA radios pose some risk to hospital equipment
Martyn Thomas
Boston artery errors cost over $1 billion
Monty Solomon
TurboTax — more security problems
Jim Garrison
Stupid Security competition
Simon Davies
Gambling on mobile devices? You bet!
Monty Solomon
Senator Hagel of Nebraska ran his state's voting machines
Steven Hauser
Judge suspends Washington State phone privacy
Monty Solomon
BC Student reprograms ID card, steals thousands
Steve Summit
Theft of disk drive at ISM Canada
Bruce Hamilton
Feds charge 17 with stealing satellite TV signals
Monty Solomon
Ex-hacker Mitnick's site vandalized
PGN
The non-paperless electronic office
Dick Mills
Password complexity
Jacob Palme
REVIEW: "PC Fear Factor", Alan Luber
Rob Slade
REVIEW: "Mastering Network Security", Chris Brenton/Cameron Hunt
Rob Slade
Info on RISKS (comp.risks)

Helsinki Health Department computer system down

<Jesus Climent <jesus.climent@hispalinux.es>>
Tue, 11 Feb 2003 13:36:17 +0100

A new data system named Pegasos has forced doctors in Helsinki to ask
patients to remember their case history and to take hand notes.  The fact
that doctors cannot get any historical data forces them to spend more time
writing (*sigh*) the data and reviewing the past treatments.  As a
conclusion, computers can, instead of speeding up the process, slow it down.
  [Source: http://www.helsinki-hs.net/news.asp?id=20030206IE8]

Jesus Climent | Unix SysAdm | Helsinki, Finland | pumuki.hispalinux.es


Hospital computer changes patient status from discharged to deceased

<greep <greep@mindspring.com>>
Wed, 12 Feb 2003 12:08:03 -0800

http://www.baselinemag.com/article2/0,3959,880881,00.asp

   Eighty-five hundred people at St. Mary's Mercy [in Grand Rapids,
   Michigan] thought they were still alive. But the hospital's
   computers were telling them they were not.
   ...

   It turns out St. Mary's Mercy had recently completed an upgrade of
   its patient-management software system...  A "mapping error" in the
   conversion process resulted in the hospital assigning a disposition
   code of "20"--which meant expired--instead of "01," which meant
   the patient had been discharged.

   Worse, that errant data wasn't sent just to the shocked patients but
   to their insurance companies as well as the local Social Security
   office, which helps determine whether elderly or disabled patients are
   eligible for Medicare. Obviously, once a patient is dead,
   Medicare--assuming its electronic-records system is accurate--isn't
   going to make any payments on bills for future medical services or
   medication.


Medical records: Turning lemons into lemonade or doublespeak?

<"Richard Cook" <ri-cook@uchicago.edu>>
Mon, 10 Feb 2003 09:23:24 -0600

One remarkable aspect of techno-enthusiasm is the willingness to recast
failure as a form of success.  A long piece in CIO Magazine, "Off the
Charts" describes a failure of the electronic medical record system as
evidence of the value of the system itself.  The piece describes a chip
failure (burned out Alpha processor) that went on to generate 20-minute
delays in viewing medical records in the system at the University of
Illinois medical center.  According to Christopher Koch, the author, the
fact that "angry calls streamed into IS" from physicians (who had
conveniently forgotten that there was a "read-only database that had been
built for such emergencies") serves as prima facie evidence that the system
is valuable.  No mention is made of whether patient care was impeded or if
missing information contributed to accidents during the interval.
  [http://www.cio.com/archive/020103/eva_charts_content.html]

If a small failure marks a favorable climate, perhaps a full fledged
catastrophe marks real success?

Richard I. Cook, MD, Associate Professor Clinical Anesthesia and Critical Care
Univ. Chicago, 5841 S. Maryland Ave MC4028, Chicago, IL 60637 www.ctlab.org


Surplus computer in Kentucky held 'deleted' AIDS files

<"NewsScan" <newsscan@newsscan.com>>
Mon, 10 Feb 2003 09:15:21 -0700

A state auditor found that at least one computer used by staffers counseling
clients with AIDS or HIV was ready to be offered for sale to the public even
though it still contained files of thousands of people. Auditor Ed Hatchett
said: "This is significant data. It's a lot of information lots of names and
things like sexual partners of those who are diagnosed with AIDS. It's a
terrible security breach." Health Services Secretary Marcia Morgan, who has
ordered an internal investigation of that breach, says the files were
thought to have been deleted last year.  [AP/*USA Today* 7 Feb 2003;
NewsScan Daily, 10 February 2003]
  http://www.usatoday.com/tech/news/2003-02-07-surplus-computer_x.htm


TETRA radios pose some risk to hospital equipment

<"Martyn Thomas" <martyn@thomas-associates.co.uk>>
Tue, 11 Feb 2003 09:59:58 -0000

The new TETRA two-way radio system is being widely adopted by emergency
services.  Because it is pulsed more slowly than GSM (17.6 Hz rather than
217 Hz) the signal is harder to filter and causes a greater level of
RFI.  For comparative tests on hospital equipment, see
  http://www.medical-devices.gov.uk/mda/mdawebsitev2.nsf/
  webvwSearchResults/37CE5B0D2F6E45C900256A99005B8734?OPEN


Artery errors cost over $1 billion

<Monty Solomon <monty@roscom.com>>
Sun, 9 Feb 2003 21:25:12 -0500

In the spring of 1997, David Beck of Bechtel/Parsons Brinckerhoff (the Big
Dig's contracted managers) discovered that the entire 19,600-seat Fleet
Center arena (whose own dig had begun in April 1993) was missing from the
1994 design drawings for what was then only a $10.8-billion project.
Instead, there was an obstacle-free area through which contractors were
expected to lay utility lines.  Bechtel apparently failed to fix the problem
before signing off on the final design drawings three years later, which
(according to the headline) cost over $1 billion extra.  [PGN-ed from Raphael
Lewis & Sean P. Murphy, *The Boston Globe*, 9 Feb 2003, First of 3 articles.]
http://www.boston.com/dailyglobe2/040/nation/Artery_errors_cost_over_1b+.shtml


TurboTax — more security problems (Re: RISKS-22.51)

<Jim Garrison <jhg@acm.org>>
Thu, 06 Feb 2003 22:44:37 -0600

Apart from all the user uproar over TurboTax's activation scheme, the
program has additional security problems.  TurboTax's online registration
and update facility will work only if Windows' Internet security parameters
are reduced to their lowest setting (when you do this Windows itself tells
you this setting is NOT recommended).

Access to online update is *required* because the distribution CDs are
pressed before all tax forms are available and you MUST update the product
in order to have the current forms for filing.

My Win2K system is on an internal LAN behind a Linux firewall, and Intuit
tech support initially blamed the problems on this configuration.  When I
connected the Win2K system directly to the cable modem and reproduced the
problem, they were forced to find the correct solution.

There are several RISKS here:

1) Telling people firewalls are a problem

2) Extremely poor error handling — Both registration and online update just
   hang forever, displaying an "in progress" dialog box.

3) Writing code that requires the user to reduce Operating
   System security protections in order to use it.


Stupid Security competition

<Simon Davies <s.g.davies@lse.ac.uk>>
Tue, 11 Feb 2003 02:19:35 +0000

PRIVACY INTERNATIONAL, MEDIA RELEASE
PRIVACY WATCHDOG LAUNCHES QUEST TO FIND THE
WORLD'S MOST STUPID SECURITY MEASURE

Global competition will identify absurd and pointless security requirements

The human rights watchdog Privacy International today launched a competition
to discover the world's most pointless, intrusive, annoying and self-serving
security measures.  The "Stupid Security" award aims to highlight the
absurdities of the security industry. Privacy International's director,
Simon Davies, said his group had taken the initiative because of
"innumerable" security initiatives around the world that had absolutely no
genuine security benefit.  "The situation has become ridiculous" said Mr
Davies. "Security has become the smokescreen for incompetent and robotic
managers the world over.  I have stood for ages in a security line at an
inconsequential office building and grilled relentlessly only to be given a
security pass that a high school student could have faked. And I resent
being forced to take off my shoes at an airport that can't even screen its
luggage" he said.

Even before 9/11, a whole army of bumbling amateurs has taken it upon
themselves to figure out pointless, annoying, intrusive, illusory and just
plain stupid measures to "protect" our security.

It has become a global menace. From the nightclub in Berlin that demands the
home address of its patrons, to the phone company in Britain that won't let
anyone pay more than twenty pounds a month from a bank account, the world
has become infested with bumptious administrators competing to hinder or
harass us. And often for no good reason whatever.

Unworkable security laws and illusory security measures do nothing to help
issues of real public concern. They only hinder the public and intrude
unnecessarily into our private lives.

Until 15 Mar 2003, Privacy International is calling for nominations to name
and shame the worst offenders.

The competition will be judged by a panel of well-known security experts,
public policy specialists, privacy advocates and journalists.

The competition is open to anyone. Nominations can be sent to
stupidsecurity@privacy.org.  Winners will be announced on 3 Apr 2003 at the
13th Computers, Freedom & Privacy conference in New York.


Gambling on mobile devices? You bet!

<Monty Solomon <monty@roscom.com>>
Mon, 10 Feb 2003 13:44:01 -0500

Because the newest cell phones are essentially mini-PCs, with full operating
systems, heavy-duty processor power, and high-resolution color screens, they
are becoming better suited to remote gambling.

"Certainly wireless is the next generation of e-gaming that is looking to
take hold," says Nancy Chan-Palmateer of CryptoLogic, a Toronto-based
Internet gambling software company.  The Internet gambling market is
expected to bring in $5 billion this year for casinos and game operators.
[Source: Chana R. Schoenberger, *Forbes*, 10 Feb 2003; PGN-ed]
  http://www.forbes.com/2003/02/10/cz_cs_0210gaming.html

    [Not surprisingly, this prompts your Moderator to note that today's
    all-electronic voting machines (without any voter-verified nonelectronic
    record of each vote) are essentially equivalent to Internet gambling on
    an unknown off-shore Web site.  "Trust us.  We're completely honest."
    PGN]


Senator Hagel of Nebraska ran his state's voting machines

<Steven Hauser <hause011@tc.umn.edu>>
Mon, 10 Feb 2003 10:54:00 -0600 (CST)

Republican Senator Hagel was the CEO of the company that produced the voting
machines that tallied his "upset" victory in Nebraska.  Go figure.
  http://www.thehill.com/news/012903/hagel.aspx
  http://www.theregister.co.uk/content/55/29247.html

Steven Hauser  http://www.tc.umn.edu/~hause011/

  [The machines used at the time were apparently a version of the AIS
  DataMark mark-sense card system (now owned by ES&S) rather than
  all-electronic systems.  PGN]


Judge suspends Washington State phone privacy

<Monty Solomon <monty@roscom.com>>
Tue, 11 Feb 2003 12:36:10 -0500

AP Online, 11 Feb 2003

Washington state regulations to protect the privacy of telephone customer
account information, some of the toughest in the country, have been
suspended by a federal judge.  State regulations that were adopted in
November [2002] and took effect in January [2003] required phone companies
to obtain customer approval before selling calling records or using them to
market anything but telecommunications services.

  But Verizon Communications Inc. of New York, which has about 1 million
  customers in Washington, sued the state, saying its Utilities and
  Transportation Commission overstepped its authority and infringed on the
  company's ability to speak to and serve customers.

  U.S. District Judge Barbara J. Rothstein ruled Monday that Verizon had
  raised "serious questions" about the constitutionality of Washington's
  privacy rules, and granted a preliminary injunction blocking their
  enforcement while the case is pending.  ...

  http://finance.lycos.com/home/news/story.asp?story=31474529


BC Student reprograms ID card, steals thousands

<Steve Summit <scs@eskimo.com>>
Fri, 07 Feb 2003 15:54:53 -0500

Like many colleges, Boston College has a multipurpose magstripe ID card
which is used for identification, access, purchases at dining halls and the
campus bookstore, and even local restaurants.  A BC student managed to
reprogram his ID card with the ID numbers of other students, meaning that he
could purchase meals, textbooks, etc. with his charges showing up on the
bills of others.  Evidently he had (among other things) broken into the
student center after hours and installed sniffing software on computers
there so that he could obtain the information to reprogram his own card
with.  A spokesman reassures us that the BC system has been "upgraded to
prevent future breaches".
  http://digitalmass.boston.com/news/2003/02/07/bc_student.html .

The RISKS of these multi-use cards have been known for some time;
see for example Andre DeHon's 1995 paper at <http://www.ai.mit.edu/
people/andre/mit_card/security_assessment/security_assessment.html>.
It's reasonably interesting to see those fears being realized.


Theft of disk drive at ISM Canada

<bruce_hamilton@agilent.com>
Wed, 12 Feb 2003 09:17:34 -0800

Yesterday I received a letter which read, in part:

  "Dear Valued Client,

  "I am writing to inform you that on January 29, 2003, ISM Canada, a
  subsidiary of IBM Canada Limited that provides client statement services
  to Investors Group, notified us that a significant proportion of our
  clients' 2002 third-quarter statement data was contained on a computer
  hard drive that went missing from their Regina, Saskatchewan offices. Some
  of our information was determined to be on the missing drive.

  "I understand the concern this may cause for you. Investors Group wishes
  to assure you that there is no ability for anyone to access your Investors
  Group accounts with this information.

  "The missing data is the same information that you see on your quarterly
  client statement, being your name and address, your Investors Group
  Consultant, the details of your Investors Group Plans and Accounts ... and
  any beneficiary designations you may have made. The missing data *does not
  include any of the confidential personal information typically involved in
  the misuse of personal data,* such as social insurance numbers, dates of
  birth, or banking information.

  "IBM Canada and ISM Canada have expressed their regret to you and to
  Investors Group, and have been working with us to ensure this matter is
  handled quickly and properly. ISM had previously notified Investors Group
  of a hard drive that was missing at the Regina facility, believed to
  contain a small amount of securely protected Investors Group data. They
  indicated that they were investigating the incident. Subsequently, on
  January 29th, ISM Canada advised Investors Group of the full extent of the
  missing data and that the local authorities were treating the incident as
  a theft."

I checked my statement, and it's true that my SSN, DOB, etc., are not
there. I don't know what the author means by "banking information" since the
statement includes my name, account numbers, balances and previous quarter's
balances. This makes it much easier to do social engineering, e.g. "I notice
that my account #12345 is down 15%, so I'd like you to wire the remaining
balance to ..."

The double reassurance that the data is "securely protected" and that it's
also not confidential is worrisome: if it truly were secure, we wouldn't
care whether it was confidential.  I asked how the data was protected, and
haven't heard back yet.  I *was* told that police have recovered the drive,
and the thief's apparent intention was to get the drive, rather than the
data on it.

I'm curious about how somebody steals a disk drive from a presumably running
system, but I'll be pesky about one question at a time.

bruce_hamilton@agilent.com  Tel: +1 650 485 2818  Fax: +1 650 485 4917
Agilent Technologies MS 24M-A, 3500 Deer Creek Road, Palo Alto CA 94303


Feds charge 17 with stealing satellite TV signals

<Monty Solomon <monty@roscom.com>>
Wed, 12 Feb 2003 01:44:52 -0500

Seventeen people allegedly involved in the theft of satellite TV signals
were arrested after a year-long undercover FBI investigation, as part of the
FBI's nationwide "Operation Decrypt".  Six of them were accused of violating
the Digital Millennium Copyright Act, marking only the second grand jury
indictment under that statute.  Losses for satellite broadcasters reportedly
involved millions of dollars.  [Source: Reuters, 11 Feb 2003; PGN-ed]
  http://finance.lycos.com/home/news/story.asp?story=31494999


Ex-hacker Mitnick's site vandalized

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 11 Feb 2003 10:16:54 PST

Twice in the past two weeks, online vandals broke into the Web server of
former hacker Kevin Mitnick's security start-up, Defensive Thinking.
[Source: Robert Lemos, Special to ZDNet News, 11 Feb 2003]
  http://zdnet.com.com/2100-1105-984084.html
    [As one correspondent noted this item,
     ``As the credit card commercial says, 'Priceless.' ''


The non-paperless electronic office

<"Dick Mills" <dmills@mybizz.net>>
Sun, 9 Feb 2003 17:54:24 -0500

My laptop shares a messy desktop with the usual assortment of papers and
pencils.  Yesterday I opened the CD tray, then shuffled around the desktop
looking for the CD.  I found it and was just about to close the drawer when
I noticed that a staple had fallen into the CD tray.

Delicate electronics and paper do mix, sometimes not happily.


Password complexity

<Jacob Palme <jpalme@dsv.su.se>>
Wed, 5 Feb 2003 00:32:00 +0100

Suppose you have an 8-digit decimal password. This means there are 100
million possible combinations. You will need to try on average 50
million times to find the right password by trial-and-error. Or, if you have
the customary 3 tries before being forbidden access, the probability that
you will get in by trial and error is 3/100 000 000.

Suppose instead that you first have to pass one barrier with a 4-digit
decimal password, and then pass a second barrier with a new 4-digit decimal
password. You will then have to try on average 5 000 times on the first
password, and then an average 5 000 times on the second password, or a total
of on average 10 000 times. Or, if you have the customary 3 tries before
being forbidden access in each step, you will have a probability of passing
the first barrier of 3/10 000 and then a probability of passing the second
barrier of 3/10 000. The probability of passing both barriers is then 9/100
000 000.

In summary: The 8-digit barrier requires 5000 times more trials than the two
4-digit barriers to find the password, and the probability of success with
the customary 3 allowed trials is three times higher with the two 4-digit
passwords than with the single 8-digit password.

I gave this example as a comment on the debate of whether one strong
security measure is better than several weaker, or the reverse.

Jacob Palme <jpalme@dsv.su.se> (Stockholm University and KTH)
for more info see URL: http://www.dsv.su.se/jpalme/
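
The comparison in the item above, generalized to any split of a decimal code into sequential barriers, as an added example that is not part of the original post. It assumes the attacker is told when each barrier opens; all function names are this example's own.

```python
from fractions import Fraction
from itertools import product


def expected_guesses(stage_digits):
    """Mean guesses for an attacker who enumerates each barrier in turn and
    is told when a barrier opens (assumption). The exact mean for N codes is
    (N + 1) / 2, which the post approximates as N / 2."""
    return sum(Fraction(10 ** d + 1, 2) for d in stage_digits)


def lockout_success(stage_digits, tries=3):
    """Chance of passing every barrier with `tries` distinct guesses at each."""
    p = Fraction(1)
    for d in stage_digits:
        p *= Fraction(min(tries, 10 ** d), 10 ** d)
    return p


def run_attack(secret, stage_digits, tries=None):
    """Guess 0, 1, 2, ... at each barrier. Returns (passed_all, guesses_used)."""
    used = 0
    for part, d in zip(secret, stage_digits):
        limit = 10 ** d if tries is None else min(tries, 10 ** d)
        for candidate in range(limit):
            used += 1
            if candidate == part:
                break  # barrier opened, move on to the next one
        else:
            return False, used  # ran out of tries: locked out here
    return True, used


def enumerate_all(stage_digits, tries=None):
    """Cross-check of the closed forms: run the attack against every possible
    secret (small spaces only). Returns (success_rate, mean_guesses_on_success)."""
    outcomes = [run_attack(s, stage_digits, tries)
                for s in product(*(range(10 ** d) for d in stage_digits))]
    wins = [used for ok, used in outcomes if ok]
    return Fraction(len(wins), len(outcomes)), Fraction(sum(wins), len(wins))


def compare(single=(8,), split=(4, 4), tries=3):
    """Ratios discussed in the post: search effort and 3-try success chance."""
    return {
        "work_ratio": expected_guesses(single) / expected_guesses(split),
        "lockout_ratio": lockout_success(split, tries) / lockout_success(single, tries),
    }


if __name__ == "__main__":
    result = compare()
    print("single 8-digit vs two 4-digit barriers")
    print("  search effort ratio :", float(result["work_ratio"]))
    print("  lockout success ratio:", result["lockout_ratio"])
    # Constructed small case: 2 digits as one barrier versus two 1-digit barriers.
    print("  enumerated (2,)  :", enumerate_all((2,)))
    print("  enumerated (1, 1):", enumerate_all((1, 1)))
```
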


REVIEW: "PC Fear Factor", Alan Luber

<Rob Slade <rslade@sprint.ca>>
Fri, 31 Jan 2003 08:02:55 -0800

BKPCFRFC.RVW   20021219

"PC Fear Factor", Alan Luber, 2003, 0-7897-2825-7,
U$24.99/C$38.99/UK#17.99
%A   Alan Luber www.alanluber.com
%C   201 W. 103rd Street, Indianapolis, IN   46290
%D   2003
%G   0-7897-2825-7
%I   Macmillan Computer Publishing (MCP)
%O   U$24.99/C$38.99/UK#17.99 800-858-7674 info@mcp.com
%O  http://www.amazon.com/exec/obidos/ASIN/0789728257/robsladesinterne
%P   362 p.
%T   "PC Fear Factor: The Ultimate PC Disaster Prevention Guide"

The introduction states that the book is aimed at non-technical users, but
doesn't further refine the purpose beyond saying that bad things happen to
computers.  We are also told that a system administrator is really a risk
manager (which may come as a surprise to a number of sysadmins), and that if
you read this book you will never have to worry about computer disasters
again.

Even after reading chapter one I am not sure what the "root of all computer
disasters" is, although I suppose that there is a fair chance that he means
hard drives.  There is a lot of irrelevant detail about the physical
operations of drives, and Luber also is obviously confused between old hard
drive crashes (caused when the heads physically contacted the platter, which
was spinning at high speed) and modern "crashes," generally caused by bad
pointers or other data errors.  In chapter two, Luber recommends, with
opinions, but not much in the way of proof or backup, a bunch of software.
Chapter three offers us more opinions, this time about buying a PC.  Setting
up a new PC is covered in chapter four.  Most of chapter five prints
documentation for a couple of antivirus programs and a firewall.  A decent
discussion of backup strategy, and more documentation of a backup program,
is in chapter six.  A manual for another backup program is in chapter seven.
Restoring a backup comes in chapter eight.  Chapter nine advises on
maintenance.  Some hoary old myths about risky activities (using shareware,
for example) are recycled in chapter ten.

In one sense, Luber is right.  If you keep your data backed up, you will be
able to recover from pretty much any kind of disaster.  On the other hand, I
have said that in one sentence, and the book is over 300 pages long.

copyright Robert M. Slade, 2002   BKPCFRFC.RVW   20021219
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


REVIEW: "Mastering Network Security", Chris Brenton/Cameron Hunt

<Rob Slade <rslade@sprint.ca>>
Mon, 3 Feb 2003 08:19:32 -0800

BKMSNTSC.RVW   20021220

"Mastering Network Security", Chris Brenton/Cameron Hunt, 2003,
0-7821-4142-0, U$49.99/C$79.95/UK#37.99
%A   Chris Brenton cbrenton@sover.net
%A   Cameron Hunt cam@cameronhunt.com
%C   1151 Marina Village Parkway, Alameda, CA   94501
%D   2003
%G   0-7821-4142-0
%I   Sybex Computer Books
%O   U$49.99/C$79.95/UK#37.99 800-227-2346 info@sybex.com
%O  http://www.amazon.com/exec/obidos/ASIN/0782141420/robsladesinterne
%P   490 p.
%T   "Mastering Network Security, Second Edition"

The introduction states that this book is aimed at systems administrators
who are not security experts, but have some responsibility for ensuring the
integrity of their systems.  That would seem to cover most sysadmins.
However, whether the material in this work is at a suitable level for most
sysadmins is open to question.  Now, to be fair to the authors, it seems
that this second edition is a reissue, only marginally revised, of a book
that was originally published seven years ago.  (Under most standard
contracts, publishers have the right to do this, and authors can't do much
about it.)  At that point, the material might have been pretty reasonable.
Currently, it isn't.

Chapter one discusses systems theory.  While the application of the text to
network and security management is reasonably obvious in hypothetical terms,
it is not at all clear in regard to direct operation in the real world.
(This is particularly true for those who are not security professionals.)
The systems development life cycle (SDLC) is covered in chapter two and,
again, while it is an important topic, the relation to security is not made
manifest.  The introduction to networking itself covers the OSI (Open
Systems Interconnection) model, routing, and bits of TCP/IP, in chapter
three.  One would have thought that this would have been old news to
sysadmins.  The same is true of the material on transmission and network
topology, in chapter four.  There is some mention of security issues, but
the discussion is minimal.

Chapter five has a reasonable overview of firewalls, although the
terminology is not always standard.  Chapter six is documentation for the
Cisco PIX firewall.  The information about intrusion detection systems, in
chapter seven, provides good material on points often neglected by other
works, and adds a guide to Snort.  The coverage of cryptography, in chapter
eight, has a confusing structure.  Most of the material on virtual private
networks consists of screen shots of Microsoft's RRAS (Routing and Remote
Access Server), in chapter nine.

Chapter ten relies on old concepts and technologies to discuss viruses and
other malware.  Disaster prevention and recovery, in chapter eleven,
concentrates on building redundancy and the VERITAS server based backup
system.  A good deal of information about Windows, most of which may have
some relevance to security, is in chapter twelve.  Some introductory, and
some network, data about UNIX is available in chapter thirteen.  Chapter
fourteen describes how information can be obtained about your system in
order to mount an intrusion attack.  Some resources for security are
mentioned in chapter fifteen.

Overall, the book does provide a fair amount of information that would
likely be of help to most network administrators in securing their systems
and networks.  However, there is also a lot of detail that is not directly
relevant to the task, some erroneous content, and not a few gaps.  While the
original authors may have mastered their topic, the volume currently on
offer does not reflect that.

copyright Robert M. Slade, 2002   BKMSNTSC.RVW   20021220
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
