The RISKS Digest
Volume 22 Issue 37

Saturday, 9th November 2002

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Lynn Landes' analysis of the 2002 Elections
PGN
Quote on election integrity
Susan Marie Weber
Georgia election memory-card problem
Lillie Coney
Unsupervised biometric scanners more toys than serious security measures
c't via Markus Kuhn
U.S. Navy sites spring security leaks
Lillie Coney
Internet home banking unsafe
Erling Kristiansen
Driver killed in "computer-controlled" AirTrain
Daniel Norton
Man banned from driving after trusting in-car computer
Matthew Bloch
Small things add up
Bill Lamb
Re: 'British' spelling
Christopher Allen
Re: What if ... the pundits had nothing ...
Edward Reid
REVIEW: "Information Assurance", Joseph G. Boyce/Dan W. Jennings
Rob Slade
Info on RISKS (comp.risks)

Lynn Landes' analysis of the 2002 Elections

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 8 Nov 2002 11:30:35 PST

  [This item is included in its entirety with the permission of the author.]

2002 Elections: Republican Voting Machines,
     Election Irregularities, and "Way-Off" Polling Results
By Lynn Landes, 8 Nov 2002

"The Republicans will never give up their voting machines," said a top
Republican party official to Charlie Matulka, the Democratic candidate for
the U.S. Senate seat in Nebraska. This statement was in response to
Charlie's very public protest against the conflict-of-interest inherent in
the candidacy of Senator Chuck Hagel (R-NE). Hagel has held top executive
positions (and still has investments) in companies that owned the machines
that counted the vote in Nebraska this election and last.

Republicans dominate the voting machine business. So, I expected the
Republicans to take back the Senate... amid reports of voting machine
"irregularities" in several states and polling results that didn't come
close to election outcomes.  And with billions of dollars at stake, who
could resist the temptation to tweak results? It's duck soup.

Dr. Rebecca Mercuri, the nation's leading expert in voting machine
technology, says, "Any programmer can write code that displays one thing on
a screen, records something else, and prints yet another result." But they
do make mistakes as we know from the multitude of reports in this election
and past ones. Dr. Mercuri's real fear is that one day the "irregularities"
will go away, as programmers learn their clandestine craft all too well.

Then how can we tell if the "fix was in?"  An examination of exit polling
and pre-election polling versus election results could raise a few red
flags.

We can't use Voter News Service (VNS) this year. VNS is a top-secret private
consortium owned by ABC News, The Associated Press, CBS News, CNN, Fox News,
and NBC News that has "projected" election night winners since 1964. VNS
collapsed camp on election day due to technical problems... they said. Or
was it the glare of publicity since the 2000 presidential election that
brought the charade to an end? Questions have been raised since its
inception, that VNS was a cover for election day vote rigging or other
shenanigans. And it was strange that when VNS management made its
announcement on Tuesday, they didn't make a big deal over how the shutdown
affected the 64,000 temporary employees they claim they hired for this
election.

Anyway, that leaves us with pre-election polling to ponder. An intensive
effort to review and interpret that data is currently underway by Bev Harris
and her staff at Talion.com.

Meanwhile, I called John Zogby of the highly respected Zogby International.
I asked him if over the years he had noticed increased variation between
pre-election predictions and election results.  Zogby said that he didn't
notice any big problems until this year. Things were very different this
time.  "I blew Illinois. I blew Colorado (and Georgia). And never in my life
did I get New Hampshire wrong...but I blew that too." Or did he?

This year might instead be a repeat of the 2000 presidential election, when
the polls accurately predicted the winner (Gore), but the voting system in
Florida collapsed under the weight of voting machine failure, election day
chicanery, and outright disenfranchisement of thousands of black voters by
Republican state officials.

And for those who believed that the new election reform law does anything to
protect the security of your vote...think again. The federal standards to be
developed and implemented as a result of the new law will be VOLUNTARY. What
Congress really did was to throw $2.65 billion dollars at the states, so
that they could lavish it on a handful of private companies that are
controlled by ultra-conservative Republicans, foreigners, and felons.

Let's take a moment to look back rather than forward. In the last several
decades the rich have gotten richer and the poor poorer. This is not a
formula for a conservative groundswell. Yet both conservative Democrats and
right wing Republicans have long enjoyed success at the polls. While, most
of Europe still uses paper ballots, voting machines have been in America
since 1889. The use of computers in voting technology began around
1964. Today, less than 2% of the American electorate use hand-counted paper
ballots.

The question is...have elections in America been rigged to slowly, but
surely shift power to the right? In the secretive world of voting machine
companies, anything is possible.

The sad fact is that the legitimacy of government in the United States will
remain in question as long as over 98% of the vote is tabulated by machines
that can be easily rigged, impossible to audit, and owned by a handful of
private companies. Until we get rid of those voting machines, democracy in
America may be a distant memory.

Lynn Landes is a freelance journalist specializing in environment and
election issues on www.EcoTalk.org. Lynn's been a radio show host, a regular
commentator for a BBC radio program, and news reporter for DUTV in
Philadelphia, PA.

Lynn Landes, 217 S. Jessup Street, Philadelphia, PA 19107
(215) 629-3553 / (215) 629-1446 (FAX)  lynnlandes@earthlink.net

  [Lynn's writings often also run on alternative online media, such as
  www.CommonDreams.com.  She has a Web page for VotingSecurity at
  http://www.ecotalk.org/VotingSecurity.htm .  PGN]


Quote on election integrity

<"SusanMarieWeber" <susanmarieweber@earthlink.net>>
Fri, 8 Nov 2002 23:13:36 -0800

  The right to have the vote counted is infringed, and we have lost the
  integrity of our voting system, when the ease with which ballots can be
  manipulated is greater than the ease with which the manipulation can be
  detected.  (Kevin Craig, 2000) www.electionguardians.org

[See: Broward vote total short by 104,000 in reporting glitch,
Evan S. Benn and Elena Cabral, *Miami Herald*, 7 Nov 2002, for more on
the Broward County bulleted item noted in RISKS-22.36.
  http://www.miami.com/mld/miamiherald/news/politics/4461857.htm ]


Georgia election memory-card problem

<Lillie Coney <lillie.coney@acm.org>>
Fri, 08 Nov 2002 10:22:35 -0500

ELECTION 2002: 2,180 Fulton ballots found late,
67 memory cards misplaced, but shouldn't change results,
by Ty Tagami and Duane Stanford, *Atlanta Journal Constitution*, 8 Nov 2002

Fulton County election officials said Thursday that memory cards from 67
electronic voting machines had been misplaced, so ballots cast on those
machines were left out of previously announced vote totals.  Fifty-six
cards, containing 2,180 ballots, were located Thursday.  Eleven memory cards
still were missing Thursday evening. If the cards could not be found, the
votes would be retrieved from the voting machines, election officials said.
[Bibb and Glynn Counties each had one card missing after the initial vote
count, but the cards were located and counted the next day.][PGN-Excerpted]


Unsupervised biometric scanners more toys than serious security measures

<Markus Kuhn>
Wed May 29, 2002  11:16:20 AM US/Pacific

An even more fatal blow to off-the-shelf *unsupervised* biometric
identification products was given recently by three authors in an article in
the well-respected German computer magazine c't:

  Lisa Thalheim, Jan Krissler, Peter-Michael Ziegler: Körperkontrolle --
  Biometrische Zugangssicherungen auf die Probe gestellt.  c't 11/2002,
  Heise Verlag, ISSN 0724-8679, p 114-, 17 May 2002.

An online English translation is now available on
  http://heise.de/ct/english/02/11/114/

The team tested:

 * six products involving capacitive fingerprint scanners
   (Biocentric Solutions, Cherry, Eutron, Siemens and Veridicom)

 * two optical (Cherry, Identix) fingerprint scanners

 * one thermal (IdentAlink FPS100U) fingerprint scanner (Atmel FCD4B14 sensor)

 * Authenticam by Panasonic

 * an iris scanner that is currently being marketed in the USA and is
   scheduled to enter the European market in the near future

 * FaceVACS-Logon, a technical solution for recognizing faces
   developed by the Dresden-based Cognitec AG

The authors "were able, aided by comparatively simple means, to outwit all
the systems tested" and concluded that "the products in the versions made
available to us were more of the nature of toys than of serious security
measures" and that "business should not treat the security needs of its
customers quite so thoughtlessly".

It is worth stressing that none of the deception techniques used are really
applicable in a *supervised* two-factor application, for example where a
border control or social benefits officer watches someone using the finger
or iris scanner in order to confirm the identity information stored in a
presented smartcard. The relevance of these attacks to the discussion about
the use of biometric features in a national identity infrastructure is
unfortunately sometimes misrepresented. I am still convinced that both iris
scanning and finger print recognition in a *supervised* scan can be made
easily several orders of magnitude more reliable than human photo/face
comparisons.

What currently marketed sensors lack is a really robust detection technique
for whether the detected signal comes from live human tissue, and this still
looks very much like an open research problem. Parts of suitable solutions
might be:

 * tests of various involuntary reactions that require significant effort to
   simulate, for example, is the iris pattern deforming correctly when the
   pupils contract because of illumination?

 * test whether the body part is functional, i.e. can the fingerprint be
   detected from a finger that is typing fluently on a keyboard or can the
   pupil inside the contracting iris read text at the same time?

 * is it possible to build low-cost spectrographic cameras/scanners that can
   distinguish materials and tissues by using hundreds instead of just three
   (red/green/blue) wavelength bands, etc.

Markus G. Kuhn, Computer Laboratory, Univ. of Cambridge, UK  mkuhn at acm.org


U.S. Navy sites spring security leaks

<Lillie Coney <lillie.coney@acm.org>>
Fri, 08 Nov 2002 11:48:24 -0500

A French group known as Kitetoa discovered that files on several Navy Web
sites and other sites running IBM's Lotus Domino software were easily
accessible.  Exposed information included hundreds of trouble tickets since
1989 for the Consolidated Automated Support System; a Naval Supply Systems
Command site that enables Navy personnel to order commercial software and
internally developed applications — including records on who registered to
use the system and their passwords.  The Navy apparently does not feel the
information thus compromised was particularly sensitive, but has reportedly
taken some systems off the Net and tightened security controls on others.
[Source: Wired News, 6 Nov 2002; PGN-ed]

Lillie Coney, Public Policy Coordinator, U.S. Ass'n for Computing Machinery
Suite 510, 2120 L Street, NW, Washington, D.C. 20037  1-202-478-6124


Internet home banking unsafe

<Erling Kristiansen <erling.kristiansen@xs4all.nl>>
Fri, 08 Nov 2002 22:13:48 +0100

The 28 Oct 2002 edition of the programme "Netwerk" of the Dutch TV station
NCRV ran an item on Internet home banking. The programme featured a person
accessing his bank account via Internet, and another person with a laptop
reading a clear-text transcript of the session.

The programme was not very technical, but two hints were given that helped
in finding out what was going on: The two persons "were colleagues" (in
network terms: were on the same LAN), and the scenario was described as a
"man in the middle" attack.  I know from my own experience that the Dutch home
banking system uses a secure web session. A challenge-response
authentication device ("token" or e.dentifier) is used to authenticate the
user, but this is not relevant to this discussion.

Poking around a bit, I found several references to a vulnerability in
Internet Explorer 5.0, 5.5 and 6.0. A good explanation can be found at
http://www.thoughtcrime.org/ie-ssl-chain.txt

I am not an expert in SSL and PKI and such matters. But, in brief, as I
understand it, a certification authority can delegate its authority to
somebody else. This is designed to be safe, provided, of course, it is
implemented properly. IE skips one step in its implementation of the
procedure, essentially allowing somebody who can gain access to the data
stream (e.g. by being on the same LAN or having access to a router somewhere
along the path) to delegate the certification authority to himself. This, in
turn, gives the man-in-the-middle access to the data.  I am sure this
description is not precise, but I hope it catches the essence of the attack.
Otherwise, please read the referenced article.

I had an e-mail conversation with somebody from the TV programme, who
confirmed that "indeed, it is a problem in IE". They did not say this in the
programme because "the problem is the responsibility of the banks, not
Microsoft". Apparently, their aim was to expose the banks.

A few thoughts:

It would seem that the problem affects not only home banking but any
application using a secure web session.
The exploit also highlights that security depends not only on good
design, but also on proper implementation. You have to trust the
software vendor. Do you??

SPECULATION MODE ON
Why is Microsoft reluctant to fix this bug that is present in 3
consecutive versions of IE? In view of the nature of it, it cannot be
that difficult to fix.
Could it be that they do not want to fix it? Either because they want to
exploit it themselves, or because somebody twisted their arm to provide
a back door.
SPECULATION MODE OFF

It is, actually, a very well hidden back door that is not easily
discovered unless you have access to the source code, or you know what
you are looking for. I wonder how it was discovered.
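The step Erling says IE skipped is, in the thoughtcrime.org write-up he cites, the check that every certificate used as an issuer is itself marked as a certificate authority (the X.509 basicConstraints CA flag). The following is an added example, not part of the post or of any browser's code: a toy chain validator in Python in which certificates are dicts and the signature is an HMAC keyed with the issuer's key (constructed stand-ins for real X.509 and public-key signatures), run once with that check omitted and once with it present, against a constructed chain in which an ordinary end-entity certificate has signed a certificate bearing a bank's hostname.

```python
import hashlib
import hmac
import json

# Constructed stand-in for X.509: each "certificate" is a dict carrying only the
# fields the chain walk needs. Its signature is an HMAC keyed with the issuer's
# key so the example runs offline; in a real PKI the verifier would instead use
# the issuer's public key taken from the issuer's own certificate.


def _signed_fields(cert):
    """Canonical bytes of everything in the certificate except its signature."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def make_cert(subject, issuer_cert, is_ca, key):
    """Issue a constructed certificate for `subject`. issuer_cert=None makes a
    self-signed root; `is_ca` models the basicConstraints CA flag."""
    issuer_name = subject if issuer_cert is None else issuer_cert["subject"]
    signing_key = key if issuer_cert is None else issuer_cert["key"]
    cert = {"subject": subject, "issuer": issuer_name, "ca": is_ca, "key": key}
    cert["signature"] = hmac.new(signing_key.encode(), _signed_fields(cert),
                                 hashlib.sha256).hexdigest()
    return cert


def signature_ok(cert, issuer_cert):
    """Verify cert's signature against the key carried in issuer_cert."""
    expected = hmac.new(issuer_cert["key"].encode(), _signed_fields(cert),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["signature"])


def walk_chain(leaf, intermediates, roots, hostname, check_ca_flag):
    """Walk from the leaf to a trusted root and return (accepted, reason).

    With check_ca_flag=False the walk mirrors the skipped step the post
    describes: any certificate whose key verifies the signature is accepted as
    an issuer, even one that was never authorised to issue certificates."""
    if leaf["subject"] != hostname:
        return False, "hostname does not match certificate subject"
    by_name = {c["subject"]: c for c in intermediates}
    cert = leaf
    for _ in range(len(intermediates) + 1):      # bounds the walk; no loops
        issuer_name = cert["issuer"]
        issuer = roots.get(issuer_name) or by_name.get(issuer_name)
        if issuer is None:
            return False, f"no certificate found for issuer {issuer_name!r}"
        if not signature_ok(cert, issuer):
            return False, f"bad signature on {cert['subject']!r}"
        if check_ca_flag and not issuer["ca"]:
            return False, (f"{issuer_name!r} is not a CA (basicConstraints) "
                           f"and may not issue {cert['subject']!r}")
        if issuer_name in roots:
            return True, f"chain ends at trusted root {issuer_name!r}"
        cert = issuer
    return False, "no path to a trusted root"


def evaluate(check_ca_flag):
    """Validate a genuine chain and a delegated-to-itself chain for the bank's
    hostname; returns {"genuine": accepted, "delegated": accepted, "reason": str}."""
    # Constructed PKI: one root, one intermediate, two ordinary site certificates.
    root = make_cert("Example Root CA", None, True, "root-key")
    inter = make_cert("Example Intermediate CA", root, True, "inter-key")
    bank = make_cert("www.example-bank.test", inter, False, "bank-key")
    other = make_cert("some-other-site.test", inter, False, "other-key")
    # The holder of `other` (an end-entity certificate, CA flag clear) signs a
    # certificate bearing the bank's name: the self-delegation the post describes.
    delegated = make_cert("www.example-bank.test", other, False, "rogue-key")
    roots = {root["subject"]: root}
    host = "www.example-bank.test"
    genuine_ok, _ = walk_chain(bank, [inter], roots, host, check_ca_flag)
    delegated_ok, why = walk_chain(delegated, [inter, other], roots, host,
                                   check_ca_flag)
    return {"genuine": genuine_ok, "delegated": delegated_ok, "reason": why}


if __name__ == "__main__":
    for flag in (False, True):
        print("CA flag checked" if flag else "CA flag ignored", evaluate(flag))
```

With the CA flag ignored both chains validate; with it checked the genuine chain still passes and the delegated one is refused at the end-entity certificate that tried to act as an issuer.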


Driver killed in "computer-controlled" AirTrain

<"Daniel Norton" <Daniel@DanielNorton.net>>
Fri, 8 Nov 2002 11:22:40 -0500

I wrote last year (RISKS-21.82) about my concerns of a computer-controlled
train (the JFK AirTrain) being installed that would carry hundreds of
passengers at speeds of over 60 miles per hour (95 km/h).

A test run of the system on 27 Sep 2002 was under manual control with
automatic speed regulators deliberately disabled.  The train was traveling
about 55 miles per hour (90 km/h) when it approached a downhill curve, jumped
the track, knocked away 150 feet (45m) of a concrete wall, and tore a gash
in the front of the train.  Tons of concrete in the train — used as ballast
to simulate passengers — slid along the floor and crushed the driver to
death.

As several pointed out in follow-ups to my post last year, the greater RISKS
of train systems are human errors, and this recent tragedy seems to support
that position.

  [Of course, in the JFK train test, the driver was posthumously blamed for
  going too fast.  Perhaps that was the speed they had asked him to reach, as
  part of the test?  And who is to blame for not realizing that the ballast
  should have been anchored down?  So, that's what testing is for?  A
  substitute for thoughtful design and operation?  PGN]


Man banned from driving after trusting in-car computer

<Matthew Bloch <matthew@bytemark.co.uk>>
Sat, 9 Nov 2002 16:59:39 +0000

A man was banned from driving for 6 months and fined £300 + £45 costs after
being caught doing 92mph down the A64 in England.  "This will now mean
commuter belt train travel for my client.  The ban will cause all sorts of
problems for him at work", said his lawyer.  The reason he gave for speeding
was that he was late for a business meeting in York, a large city in the
North-East, which was caused by a navigation error.  After typing "York"
into his in-car computer, it dutifully guided him to York, a small village
on the opposite side of the country, North-West of Manchester.  The man
claimed to be "very nervous" when he approached Manchester but trusted the
navigation system when it claimed he was "10 miles from York".  "When he was
driving down the M6 he began to have doubts that it was the right way", said
his lawyer, "But he thought 'it must be right, it's a computer'".  [Source:
*York Evening Press*, 9 Nov 2002]

Or maybe he should read comp.risks more often.  Or a map of England :-)

Matthew Bloch  Bytemark Computer Consulting Limited  +44 (0) 8707 455026
http://www.bytemark.co.uk/

  [If the man had ever eaten Yorkshire Pudding not knowing where to find a
  York shire, he may have been pudding it mildly.  Terrier Hair Out!
  (The last sentence is a memory test for long-time readers who were reading
  RISKS in May 1990.)  PGN]


Small things add up

<Bill Lamb <blamb@cox-internet.com>>
Thu, 07 Nov 2002 23:31:49 -0600

My favorite risks are those little things in life that often seem silly
simply because they are - no matter how cool and modern they appear.

I visit a nearby convenience store daily. Over the past few years I have
watched as the owners (a small regional chain) converted its cash register
to a system that controlled the gas pumps, too.  It was a common practice
and one that makes sense, I suppose.  Later, I watched as a new computerized
register system was installed, one with so many buttons, bells and whistles
that the store's constantly rotating staff found the system
difficult-to-impossible to learn.  Still later, a new check system was
added.  One writes a check, signs it, hands it to the clerk who then runs it
through a machine and hands it back to you. I'm sure there is some very
logical reason for this apparent silliness.  (I mean, why write a check if
they're just going to give it back to you? I've watched countless people
ask, "What do I do with it now?")  The latest change involved adding a
credit/debit card unit to the computerized register system.  On the whole,
you'd think all of this was pretty nifty. But not really.

As I have watched all of this advancement taking place at the store, I have
also noticed the lines and waits grow longer and longer.  For all the
technology they've bought into, the time it takes to service a sale has gone
up tremendously.

Ever try finding and swiping the bar code of a Sunday newspaper on a crowded
counter top? It can be a pain, so much so that the clerks now clip and keep
one bar code and swipe the little slip of paper over the reader to avoid the
hassle.

Credit cards? Wait for clearance, then wait for the ticket to print out,
then sign it and get your copy. (Why are those small printers so slow?)

Checks? The same: clearance is slower by far than simply putting the check
into the cash drawer like they used to.

It's bad enough when all the systems work, but when one component fails for
whatever reason, the poor clerks, who know nothing about the system, are
left to try and try again as the rest of us grow impatient in line.

Then today, the ultimate: the entire system died.  Nothing worked. At all.
People were leaving left and right, but I braved the counter and told the
clerk what I wanted.

"Uh ... you have the exact change?" she asked.

Digging in my pocket, I said, "How much is it?"

You guessed it. She didn't know because few of the store's items are priced
in English, only via the bar code. And only the computer knew those prices.
And it wasn't working.

Another example of humans outsmarting themselves.

  [Ah, yes.  We had a big storm.  Huge power outages, one still going
  after 24 hours on Friday evening.  I just got back from dinner where
  the restaurant and a large surrounding area lost power; we were the last
  folks served from gas burners before the kitchen shut down because of no
  fans.  PGN]


Re: 'British' spelling (RISKS-22.36)

<"Christopher Allen" <cpcallen@ruah.dyndns.org>>
Friday, November 08, 2002 4:39 PM

In comp.risks, Michael (Streaky) Bacon wrote:

> I was raised in Jersey (the Channel Island, not the State).  This is part of
> the United Kingdom, but not the European Union (confusing isn't it?)...

I think you may be mistaken, and in any case it's actually a bit worse than
that: Guernsey and Jersey are *not* part of the United Kingdom but are
dependencies of the Crown and so are, as I understand it, consequently
considered to be part of Great Britain.  This puts them in a situation
opposite that of Northern Ireland, which is part of the UK but not Great
Britain.

Furthermore, while it's true that the Channel Islands are not part of
the EU, my partner - like many Channel Islanders - has an EU passport
nonetheless, because of English ancestry.

Risks?  Assuming that jurisdictions are necessarily concentric...  or that
"The United Kingdom of Great Britain and Northern Ireland" actually includes
all of Great Britain.

See also: http://www.fotw.ca/flags/gb-dep.html

Christopher Allen, Studio 10, 319 Archway Rd. London N6 5AA U.K.
cpcallen-usenet@ruah.dyndns.org  http://ruah.dyndns.org/~cpcallen/

  [PGN adds Michael Bacon's response:
    "Mea culpa - I intended to type 'British Isles', it just came out as
    'United Kingdom' - sorry.
    It seems that I suffered an even more severe bout of 'finger trouble',
    as I also intended to type 'Gaelic' but it came out as 'Celtic'."]


Re: What if ... the pundits had nothing ... (RISKS 22.35)

<Edward Reid <edwardreid@spamcop.net>>
Fri, 8 Nov 2002 15:13:04 -0500

> Modern elections have [...] become opportunities for political analysts to
> show off by projecting the results before the votes are counted

Of course, much of this prediction is done by projecting from a few reported
precincts. Pockets of sanity still exist, however. This from the Gadsden
County Times, Quincy FL, 7 Nov 2002, p1:

  Shirley Knight, supervisor of elections [of Gadsden County],
  took much of the suspense out of the night, when she opted
  to wait until all of the votes were tabulated to release them,
  instead of releasing them as the precincts were counted.

  "I wanted to keep down any confusion," she said.


REVIEW: "Information Assurance", Joseph G. Boyce/Dan W. Jennings

<Rob Slade <rslade@sprint.ca>>
Fri, 8 Nov 2002 08:02:44 -0800

BKIAMOIS.RVW   20021012

"Information Assurance", Joseph G. Boyce/Dan W. Jennings, 2002,
0-7506-7327-3, U$44.99
%A   Joseph G. Boyce
%A   Dan W. Jennings
%C   2000 Corporate Blvd. NW, Boca Raton, FL   33431
%D   2002
%G   0-7506-7327-3
%I   Butterworth-Heinemann/CRC Press/Digital Press
%O   U$44.99 800-272-7737 http://www.bh.com/bh/ dp-catalog@bh.com
%P   261 p.
%T   "Information Assurance: Managing Organizational IT Security
      Risks"

The preface states that this book is distinct because 1) it covers concepts
and principles (although how this could be a distinctive is somewhat lost on
me: many of the chapters relate directly to six of the ten CBK [Common Body
of Knowledge] domains), 2) it promotes a defence in depth strategy (hardly
unusual in general security works), 3) it attempts to counter the perception
of an antagonism between security and operations (fairly conventional), and
4) it points out resources for added information (and how is that unique?)

Part one covers the foundational concepts of an organizational IA
(Information Assurance) program.  Chapter one defines IA in a way that makes
it basically the same as any kind of information systems security, and
offers vague thoughts on the importance of information.  There is a brief
review of some basic security concepts (as well as some that are not quite
central) in chapter two.  Defence in depth is also defined at this point:
rather idiosyncratically, it is specified to be in opposition to "security
by obscurity" and perimeter defence.

Part two is supposed to look at determining the organization's current IA
posture.  Chapter three purports to help ascertain an IA baseline, but is
really just a list of possible security technologies.  Determining security
priorities, in chapter four, talks about data and resource classification,
but much of it is vague philosophy, rather than practical advice.  While
summarized in tables rather than text, chapter five's material on IA posture
is just plain, old risk analysis.

Part three is presumed to help establish a defence in depth strategy.  There
is a basic introduction to policies in chapter six.  IA management, in
chapter seven, is primarily more suited to system administration.  Chapter
eight's look at IA architecture covers subjects and objects, but has no
security models.  The text does review threats and various security
technologies, and, very strangely, assumes that the OSI (Open Systems
Interconnection) network model can be used as a security structure.
Operational security administration, in chapter nine, recycles random
concepts that have been presented earlier.  Configuration management is held
to be software change control, and chapter nine also concentrates on
"emergency" changes.  Chapter eleven's review of the system development life
cycle is terse.  Chapter twelve, on contingency planning, is extremely
terse, and suggests that you have a backup, UPS (Uninterruptible Power
Supply) and a disaster recovery plan.  The material on training, in chapter
thirteen, is both generic and short.  Policy compliance oversight is limited
to intrusion detection systems, audit logs, and virus scanning, in chapter
fourteen.  Chapter fifteen's look at incident response is basic and brief.
Finally, chapter sixteen examines IA reporting--and suggests that you have a
structure for it.

This work is yet another attempt at a generic security guide.  It has no
distinctives.  In fact, there are simple security guides for home users that
do a better job of explaining the structure, process, and technologies.

copyright Robert M. Slade, 2002   BKIAMOIS.RVW   20021012
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
