The RISKS Digest
Volume 22 Issue 29

Wednesday, 9th October 2002

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


Police close fake online bank
Dave Stringer-Calvert
Risks of automatic Windows updates, and HIPAA legality
Allan Engelhardt
Weak encryption kills wolves
Urban Fredriksson
Microsoft says 1% of bugs cause half of all software errors
Henry Baker
BugBear steals lead from klez in virus prevalence
Security Wire Digest
No-fly blacklist snares political activists
Tim Meehan
Phone system could have your number
Mark White via Dave Farber
Prediction: e-mail will become double-trouble in 3 years
Gender: Unknown — the risks of perception
Chris Leeson
Re: Too fast fingers, or bad shortcut design?
Greg Searle
Re: Address change blocked by online entry validation
Chris Smith
Re: Butterfly ballots and other election stuff
David Olsen
Leonard Erickson
REVIEW: "Information Security Management", Gurpreet Dhillon
Rob Slade
2003 IEEE Symposium on Security and Privacy, Call for Papers
Steve Bellovin
Info on RISKS (comp.risks)

Police close fake online bank

<Dave Stringer-Calvert <>>
Tue, 08 Oct 2002 19:32:13 -0700

British police on Tuesday said they uncovered a fake Internet bank used to
con at least two people out of nearly $100,000. The National Criminal
Intelligence Service (NCIS) said the Web site had been set up using a domain
name very similar to that of "a major British bank" and appeared almost
identical. "It looks very professional," said a spokesman, declining to name
the bank involved because the investigation is still ongoing. "There's also
a reputation issue to think of and the issue of trust online."

Risks of automatic Windows updates, and HIPAA legality

<Allan Engelhardt <>>
Mon, 07 Oct 2002 19:55:09 +0100

A recent article in InfoWorld discusses Microsoft Windows Service Packs in the
context of health care providers.

Apparently, the latest Service Packs for the popular Microsoft Windows 2000
and XP operating systems contains new licence language that allows Microsoft
to install new updates on your machine at will and without notifying you.

The RISKS of having your computer systems changing on their own accord
should be obvious.  As the article points out, this "upsets many companies
whose PCs can't be allowed to morph at will".  Indeed.

The article quotes a systems manager at a teaching hospital:

  "Our procedures sometimes involve surgery to place over 100 recording
  electrodes in the patient, sometimes on the surface of the brain.  These
  PC-based systems use Microsoft Windows..."

Having a Windows application controlling the voltage to 100 pins surgically
embedded in your brain is scary enough, but what happens if it updates to
the latest Service Pack and that causes the systems to fail?  While the pins
are in your brain...

The article makes the further point that, from 14 Apr 2003, it may be
illegal under the Health Insurance Portability and Accountability Act
(HIPAA) to install Windows Service Packs.  In a strange twist, it may also
be illegal _not_ to install the Service Packs...

See for more information
on the HIPAA.

The article concludes:

  "It's not just hospitals but every user of Windows who should be
  wondering.  You'd think Microsoft would understand that customers don't
  want their mission-critical systems changing in the dead of night. This
  isn't brain surgery."

Allan Engelhardt

Weak encryption kills wolves

<Urban Fredriksson <>>
Mon, 07 Oct 2002 18:02:51 +0200

Well, of course it's really hunters who do it, but there are strong
indications they've been helped by weak encryption. In 1998 40 Swedish
wolves, out of about 100, were fitted with transponders in order to track
their movements to learn more about how wolves reestablish a presence. Of
them, 20 are still alive, 11 have been found dead with working transponders,
one has been found dead as a result of illegal hunting without transponder
and eight (four this summer) have disappeared. That that many transponders
have failed is considered very unlikely. Current plans are to quickly
replace the transponders to something "not everyone can triangulate". It's
not clear from the article in Dagens Nyheter what sort of encryption is used
now, but it's clear from the context transmissions has to be coded and that
one was aware from the beginning wolf-haters would like to take advantage of
the tracking equipment.

Microsoft says 1% of bugs cause half of all software errors

<Henry Baker <>>
Thu, 03 Oct 2002 12:05:00 -0700

I was shocked, shocked, to hear this stunning statistic!
I was also shocked, shocked, to hear that pi was irrational, that
the world was round, and that the Beatles had split up.

Microsoft says 1 percent of bugs cause half of all software errors
Reuters, 2 Oct 2002

One percent of the bugs in Microsoft Corp.'s software cause half of all
reported errors with 20 percent of bugs responsible for 80 percent of the
mistakes, Chief Executive Steve Ballmer said on 2 Oct 2002.  Microsoft has
been criticised for unstable and unwieldy software — which runs on more
than 90 percent of personal computers.  "Let's acknowledge a sad truth about
software: any code of significant scope and power will have bugs in it,"
Ballmer told customers in a memo similar to one by Chairman Bill Gates this
year renewing Microsoft's commitment to trustworthy computing.

But Ballmer said Microsoft was arming itself with better information to help
develop its software, by building error reporting features into its
products.  Engineers use the reports, sent in a short burst over the
Internet, to track software bugs and provide a fix, he said.  "We've been
amazed by the patterns revealed in the error reports that customers are
sending us.  About 20 percent of the bugs cause 80 percent of all errors,
and — this is stunning to me — one percent of bugs cause half of all

While reassuring users the information was used for no other purpose than to
fix bugs, Ballmer said such information was shared with other makers of
software and hardware to try to improve Microsoft's products.  He said
Microsoft would work to better the system.  "As we understand more errors,
we're adding an option for customers to go to a Web site where they can
learn more about and even fix the errors they report.  In the future we want
to enable customers to look up the history of their error reports and our
efforts to resolve them."

BugBear steals lead from klez in virus prevalence

Thu, 03 Oct 2002 01:00:00 -0500

By Shawna McAlearney, SECURITY WIRE DIGEST, 4, 74, OCTOBER 3, 2002 [excerpt]

First found circulating in the wild last Sunday, the W32.BugBear worm has
raced to the top of virus prevalence lists, displacing Klez for the first
time since its discovery last April.

"BugBear is increasing steadily in volume and spreading like Klez, which
became the biggest virus ever," says Alex Shipp, senior antivirus
technologist at MessageLabs. "Each day, we're seeing more of BugBear all
around the world--at least 1,000 copies an hour. It could very well grow to
become as big a problem as Klez has been and has gotten firmly entrenched in
the home user population."

Similarities to Klez include the use of inconsistent body text, attachment
names and subject lines, as well as forged e-mail addresses.

BugBear exploits an unpatched Microsoft vulnerability. After infection, the
worm copies itself into the Windows system directory and start-up folder as
an executable file with a random three-letter name. It installs a Trojan
keystroke logger and attempts to disable antivirus and firewall
software. BugBear also attempts to infect other networked PCs via the
address book and network shares.

"BugBear is another example of a worm written with instructions to kill an
extremely long list of security apps," says Steven Sundermeier, product
manager at Central Command. "The idea of terminating various AV and personal
firewall applications is becoming increasingly popular among virus authors."

On the brighter side, Shipp says the BugBear worm could have been much

"We haven't found any remote control facilities yet, which makes the virus
less dangerous than it could be otherwise," Shipp says. "Our analysis isn't
complete yet so we can't say for certain that it doesn't have that
capability, but it appears unlikely."

Antivirus experts recommend updating AV signatures; blocking all Windows
programs at the e-mail gateway, if possible; and deploying updated
versions of Outlook, Explorer and Outlook Express.

To SUBSCRIBE to Security Wire Digest, go to:

No-fly blacklist snares political activists

<"Tim Meehan - OCSARC" <>>
Tue, 1 Oct 2002 12:40:42 -0400

A federal "No Fly" list, intended to keep terrorists from boarding planes,
is snaring peace activists at San Francisco International and other U.S.
airports, triggering complaints that civil liberties are being trampled.
[...]  Critics question whether Sister Virgine Lawinger, a 74-year-old
Catholic nun, is the kind of "air pirate" lawmakers had in mind when they
passed the law.  Lawinger, one of the Wisconsin activists stopped at the
Milwaukee airport on April 19, said she didn't get upset when two sheriff's
deputies escorted her for questioning.  [Source: Alan Gathright, *San
Francisco Chronicle*, 27 Sep 2002]

Tim Meehan, Communications Director
Ontario Consumers for Safe Access to Recreational Cannabis  Web:

Phone system could have your number (Mark White via Dave Farber's IP)

<"Peter G. Neumann" <>>
Tue, 8 Oct 2002 9:08:44 PDT

>From: Mark White <>

Phone system could have your number
Kate Mackenzie, *The Australian*, 7 Oct 2002

A single telephone number doubling as an e-mail address could soon be
available in Australia despite fears the technology could become a de facto
identification number.  Under the ENUM system being analysed by the
Australian Communications Authority, one number could track down a person
via a home or mobile phone number, or an e-mail or website address.  The
technology has attracted controversy overseas because of privacy
implications of people being identified by a single number.

The ACA wants feedback on a discussion paper it has issued, saying privacy
is one of its concerns.  But ACA numbering manager Neil Whitehead said
potential benefits of the system could be enormous.  "People would only need
to remember one number to contact other people in a variety of devices," he
said.  Equipment manufacturers and Internet service providers were keen to
pursue the technology.

Telstra proposed a single-number service in 1997 and offered numbers
beginning with 0500 that could redirect to any number. Called Telepath, the
service, which cost $7 a month, failed to attract many subscribers.  ENUM
would have to be deployed across all telecommunications and Internet
providers to be effective.

IP Archives at:

Prediction: e-mail will become double-trouble in 3 years

<"NewsScan" <>>
Mon, 30 Sep 2002 08:36:11 -0700

IDC, the technology research firm, is predicting that within just three
years, the number of e-mail messages sent worldwide will increase from the
current level of 31 billion daily to more than 60 billion daily. Most of it
will be spam (unsolicited commercial messages), and if the problem of spam
is not dealt with by more effective message-filtering, the usefulness of
e-mail as an effective business and personal communications tool will be
endangered. IDC executive Mark Levitt says, "Like water flowing out of a
hose, e-mail has the potential to fill our inboxes and workdays,
overwhelming our abilities to navigate through the growing currents of
content." [VNUNet 30 Sep 2002; NewsScan Daily, 30 September 2002]

Gender: Unknown — the risks of perception

<"LEESON, Chris" <>>
Wed, 2 Oct 2002 16:53:00 +0100

An interesting juxtaposition of "Design" and "User Perception".

I had to visit one of our local hospitals. I went to Reception and
identified myself to the receptionist. She asked if I had filled in the
Questionnaire (in effect, the Personal Details form) and I hadn't.

She brought out her copy of the form, which had been partially filled in by
the administrator who made the original appointment.

It started with the following information:

Name: Andrew Leeson   [Andrew being my first name]
Gender: Unknown

Our reactions to this little piece of data were quite different:

Her reaction was to mutter darkly about the administrator who could not tell
that "Andrew" was clearly "Male".

My reaction was that:

 (a) The database designer had understood that it was possible for the
     gender to be unknown (at least at the time the appointment was set up),
     and chosen suitable values for the field: male, female and (default)
 (b) In the absence of supplied information, the administrator had not
     assumed that any one name implied a specific gender.

So, the system was designed correctly, the administrator used it correctly,
but the receptionist interpreted it as "bad" because the result was not what
she thought of as reasonable.

The actual event - wrong gender data - is not much of a risk.  The
difference in perception could be.

Re: Too fast fingers, or bad shortcut design? (Huuskonen, R-22.28)

<Greg Searle>
Wed, 09 Oct 2002 12:14:35 -0400

Note also that the shortcut for inserting a "hard return" in a formatted
e-mail is Shift-Enter.  This is sometimes necessary for, say, creating a
multiple-line item in a bulleted list.  You can easily send your
partially-complete e-mail instead of inserting a hard return just by
accidentally misplacing one finger a little lower on the keyboard.

Send any responses to greg_searle(at)hotmail(dot)com.

Re: Address change blocked by online entry validation (White, R-22.28)

<"Chris Smith" <>>
Wed, 9 Oct 2002 11:27:45 -0400 (EDT)

Hopefully those mailing databases are configured to catch transcription
errors for Canadian postal codes. In all of the above examples,
transcription errors would likely result in the erroneous code failing the
standard test of ANA NAN (letter-number-letter number-letter-number) that
covers all Canadian postal codes. Further reduction in undetected
transcription errors is achieved by disallowing certain letters: Q U O I D F
are not permitted in Canadian postal codes. I suspect that Q O D are just
too similar to sort out, U is too much like V, F confuses the issue with E,
and a plain I (straight vertical stroke) is easily confused with parts of
letters like T and L. Some of these may be driven by the requirement to
determine postal codes on mail by scanning and recognizing handwritten

It's important to know what RISK-reducing features are available - and then
take advantage of them. Better yet would be a snippet of javascript to check
the postal codes before the WWW address form is even submitted.

Re: Butterfly ballots and other election stuff (Russell, RISKS-22.28)

<David Olsen <>>
Tue, 08 Oct 2002 16:50:57 -0700

The messages about elections in Britain and Germany where the ballots are
counted by hand seem to indicate (though it wasn't entirely clear) that each
ballot contains only one or two races.  I agree that in this case hand
counting is quite feasible.  But in the United States, that assumption does
not hold.

As a resident of Portland, Oregon, I get to vote for all of the following
elected positions: US president, US senator, US representative, state
governor, state senator, state representative, secretary of state, state
attorney general, state treasurer, state labor commissioner, state
superintendent of schools, state supreme court judges, state appeals court
judges, state circuit court judges, regional government commissioners,
county commissioners, county sheriff, city mayor, city council members,
school board members, and the water & soil conservation district directors.
Not all of these positions are up for election at the same time, but in the
general election in even numbered years a majority of them are.  In addition
to candidates, I also get to vote for or against any changes to the city
charter or state constitution, any property tax levies, any laws referred to
the voters by the state legislature (usually to avoid the governor's veto),
and any initiatives that citizens have put on the ballot by submitting
enough signatures.

In the November 2000 general election I had about 45 things to vote for on
my ballot.  When all the various cities, special districts, and state
legislature districts are factored in, the county elections board had a
total of 117 different races for which it had to count votes in that

I am by no means an election expert, but here are my opinions anyway: It
seems to me that counting every one of those races by hand would be much
slower, more tedious, and more error prone than counting them by machine.  I
think the best way to cast and count votes is to have the voter fill in
ovals on a piece of paper, have an optical scanner read the ballots and
count the votes, and have any recounts done by hand.  That seems to provide
the best combination of ease and accuracy of voting, quick counting of
results, and verifiability of results when disputes arise.

David Olsen <>

  [The alternative that makes a single-issue piece of paper possible is that
  you vote for your delegated representative, and everything else follows
  therefrom.  You are describing the other extreme.  PGN]

Re: Butterfly ballots (Russell, RISKS-22.28)

< (Leonard Erickson)>
Tue, 8 Oct 2002 18:43:59 -0800

Well, as an example, here in Oregon, we can vote by *mail* in most
elections. But the votes cannot legally be counted until 8 pm on election
day. You can vote as late as that by dropping off the ballot at a collection

That means *millions* of votes have to be counted in a few hours.

> Why keep paper ballots unless you have trained and experienced humans
> in place to count them?  And if you have that, why not just get the
> humans to count the papers in the first place?

Time. We can't *afford* that many people, nor do we have that many
trained volunteers available. So if it *does* come down to a manual
count, it'll require recruiting and training a *lot* of people.

> I'd have to check the Guinness Book of Records for this, but I think
> the record number of counts in a British General Election is
> something like 7, and it took about 20 hours from when the polls
> closed.  A far cry from Florida in 2000, where it wasn't possible to
> count every vote even once in several months.

Much of this was due to court fights. And the fact that the (poorly
designed) ballots were hard to make out the vote on. They had to stop the
count several times, and then restart it. Often with changes in the rules as
to what constituted a "valid" vote ("hanging chad", "dimpled chad", etc)

Also, look up the population of Florida and compare it with the
population of Britain.

[More on multiple races and issues...]  My "ballot" for one election a while
back was both sides of *six* sheets of paper. With something like six
"columns" of things to vote on.

Our ballots are the type where you use a pencil to fill in an oval. The
technology for scanning those is something like 40 years old. It's
pretty mature and reliable.

And I'm told that any questionable ballots get kicked out to be looked
at by a human.

Even so, it only takes a few hours to run the ballots for a major
election in the Portland Metro area.

It's not perfect. But I think it's a pretty good compromise between
speed, usability and security.

Leonard Erickson (aka shadow{G})

  [Further comment on long US ballots from Andrew Sapuntzakis.  PGN]

REVIEW: "Information Security Management", Gurpreet Dhillon

<Rob Slade <>>
Fri, 13 Sep 2002 12:48:08 -0800

BKINSCMN.RVW   20020628

"Information Security Management", Gurpreet Dhillon, 2001,
1-878289-78-0, U$69.95
%A   Gurpreet Dhillon
%C   1331 E. Chocolate Ave., Hershey PA   17033-1117
%D   2001
%G   1-878289-78-0
%I   Idea Group Publishing
%O   U$69.95 800-345-4332 fax: 717-533-8661
%P   184 p.
%T   "Information Security Management: Global Challenges in the New

This is a collection of essays by different authors.  The preface,
however, states that the intention was to bring together diverse views
and yet to "build an argument."  What the argument, or central thesis,
of the work is, has not been stated.

Chapter one is supposed to set forth the new challenges to information
security, but ends up telling us, at great length, that "the times
they are a-changin."  (Extracting further information from the
academic-speak is not made any easier by the many grammatical oddities
and awkward constructions.)  Policy is central to security, and so it
is no surprise to see it as the topic of chapter two.  What is
astounding is the fact that so much is wrong with this paper that it
is hard to know where to start.  Everything seems to be backwards.  It
is stated that an audit should be done as the prelude to policy
development, by how can you conduct an audit with no policy to measure
compliance against?  Again, the essay says that the procedures in
place will form the policy, whereas it should be the policy that
guides development of procedures.  A simplistic discussion of ethics
makes up chapter three.  There really isn't any analysis: after a few
facile presentations of both sides of a variety of issues the author
just asserts that X is or is not moral.  Chapter four is supposed to
argue that ethical policies build trust and trust promotes e-commerce,
but instead actually just lists a number of random security topics.  A
look at "cyber terrorism," in chapter five, seems to consist only of
listing Web sites for known terrorist organizations.  Prescription
fraud is never rigorously defined, so it is hard to say whether the
technical measures proposed in chapter six are relevant or not.
Chapter seven tells us (surprise, surprise) that disaster recovery
planning is often done inadequately, or left undone.  A discussion of
development models, in chapter eight, seems to be so abstract that it
is of no digital use.  Internet and e-business security touches on
some miscellaneous subjects in chapter nine.  The author obviously
thinks Compliance Monitoring for Anomaly Detection (CMAD, with some
kind of trademark symbol appended to it) is vitally important, but
chapter ten's explanation seems to just describe another type of
statistical change measurement.  Chapter eleven vaguely discusses some
of the security issues involved with the use of agent or mobile
software.  The final chapter lists some "motherhood" security

One of the interesting, and disturbing, aspects of the book is that
each paper is accompanied by a bibliography of sources, but almost
none of the standard security reference works in the various fields
addressed are cited.  How can you discuss, for example, computer
ethics without having read Deborah Johnson's (cf. BKCMPETH.RVW) works?

Compilation works tend to be hard to pin down, and to vary in quality
and usefulness.  This work has a remarkable consistency, in that the
items included are all vague, uninteresting to the professional, and
unhelpful to the practitioner.

copyright Robert M. Slade, 2002   BKINSCMN.RVW   20020628    or

2003 IEEE Symposium on Security and Privacy, Call for Papers

<Steve Bellovin <>>
Tue, 08 Oct 2002 01:33:22 -0400

2003 IEEE Symposium on Security and Privacy
11-14 May 2003, The Claremont Resort, Oakland, California, USA
  sponsored by
IEEE Computer Society Technical Committee on Security and Privacy
  in cooperation with
The International Association for Cryptologic Research (IACR)

Paper submissions due:   6 Nov 2002
Panel proposals due:     6 Nov 2002
5-minute abstracts due: 17 Mar 2003
For submission guidelines see
For questions, please contact the program chairs, at

Symposium Committee:
General Chair: Bob Blakley (IBM Software Group - Tivoli Systems, USA)
Vice Chair: Lee Badger (Network Associates Labs, USA)
Program Co-Chairs: Steven M. Bellovin (AT&T Research, USA)
David A. Wagner (University of California at Berkeley, USA)

Steve Bellovin,

  [This has been probably the most important research conference
  on security and privacy for over two decades.  PGN]

Please report problems with the web pages to the maintainer