The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 43

Monday 16 December 2002

Contents

Bad circuit crashed $150 million jet at Woomera
George Michaelson
Senate closes accidental anonymizer
Dave Stringer-Calvert
More on identity thieves strike eBay, whose policies make it worse
Elana
Australian ruling is raising worries
Monty Solomon
Moore's Law hits a leak
NewsScan
Paypal scam?
Dawn Cohen
Internet spam mogul can't take what he dishes out
Purkasz
Tower reports customer information "leak"
B Crook
Perils in switching to Yahoo
David Lazarus via Monty Solomon
Community security education contacts
Rob Slade
U.S. Army Research Office Calls For Odortype Detection Proposals
PGN
Re: Anti-worm "throttling"
Jeremy Epstein
The risks of RISKS
Donald A. Norman
REVIEW: "The Art of Deception", Kevin D. Mitnick/William L. Simon
Rob Slade
REVIEW: "Secured Computing", Carl F. Endorf
Rob Slade
Info on RISKS (comp.risks)

Bad circuit crashed $150 million jet at Woomera

<George Michaelson <ggm@apnic.net>>
Thu, 12 Dec 2002 09:39:15 +1000 (EST)

A computer glitch has been blamed for July's disastrous launch of a Japanese
supersonic jet model at South Australia's Woomera rocket range.  Japan's
National Aerospace Laboratory says a design change caused the $150 million
scale model's computer system to short-circuit.  Flight director Kimio
Sakata says the autopilot then reset itself and caused the jet and rocket
booster to separate during take-off.
   http://www.abc.net.au/news/justin/nat/newsnat-12dec2002-22.htm

  Hmm. sounds like bad design *processes* as much as a computer glitch...]


Senate closes accidental anonymizer

<Dave Stringer-Calvert <dave_sc@csl.sri.com>>
Wed, 11 Dec 2002 15:39:27 -0800

Never let it be said that the United States Senate has done nothing for
Internet privacy.  Network administrators for the U.S. government site
www.senate.gov shut down an open proxy server over the weekend that for
months had turned the site into a free Web anonymizer that could have
allowed savvy surfers to launder their Internet connections so that efforts
to trace them would lead to Capitol Hill.  A proxy server is normally a
dedicated machine that sits between a private network and the outside world,
passing internal users' Web requests out to the Internet.
  http://online.securityfocus.com/news/1780


Identity thieves strike eBay, whose policies make it worse

<falcospav@excite.com (Elana Who?)>
13 Dec 2002 06:05:23 -0800

We recently had an article in comp.risks titled "Identity thieves strike
eBay".  Below, author Spider Robinson reports how he was victimized, plus
details on the not-very-good way that eBay handled it, all which made the
situation worse.  Mr. Robinson has been robbed by almost a thousand dollars
because of it.

http://www.theglobeandmail.com/servlet/ArticleNews/PEstory/TGAM/20021211/COSPIDER/Columnists/columnists/columnistsNational_temp/1/1/6/

http://www.theglobeandmail.com/servlet/ArticleNews/PEstory/TGAM/
  20021211/COSPIDER/Columnists/columnists/columnistsNational_temp/1/1/6/


Australian ruling is raising worries

<Monty Solomon <monty@roscom.com>>
Mon, 16 Dec 2002 09:01:00 -0500

A number of concerned First Amendment advocates say a landmark libel
decision by the Australian High Court may have the effect of erecting a
fence on the borderless information frontier opened up by Internet
technology.  The 10 Dec 2002 ruling concluded that an Australian
businessman, Joseph Gutnick, could sue Dow Jones for defamation in Australia
based on a Barron's magazine story that emanated from the company's computer
servers in New Jersey. Although, as attorney Harvey Silverglate explains,
defamation cases have traditionally been brought ''in the jurisdiction where
the speech is uttered or published or where you targeted it,'' the ruling
effectively expanded that jurisdiction in the online world to where a story
can be downloaded.  The case involves a ''United States media publication
which is really focused on United States markets and United States
investors'' and ''a journalist who operated completely out of the United
States,'' says Stuart Karle, a Dow Jones associate general counsel. ''This
dramatically changes how you can communicate within this country.''
[Source: Mark Jurkowitz, *The Boston Globe*, 16 Dec 2002]
http://www.boston.com/dailyglobe2/350/business/Australian_ruling_is_raising_worries+.shtml

  [All sorts of implications.  PGN]


Moore's Law hits a leak

<"NewsScan" <newsscan@newsscan.com>>
Thu, 12 Dec 2002 09:20:13 -0700

Intel chairman Andy Grove warned participants at the International Electron
Devices Meeting this week that electrical current leakage from inactive
processors poses a major challenge to the continued viability of Moore's Law
(which predicts the doubling of transistor densities every couple of
years). "Current is becoming a major factor and a limiter on how complex we
can build chips," said Grove, who added that his company's engineers "just
can't get rid of power leakage." As chips become more powerful, leakage
rates increase, and while the industry is accustomed to low-level leakage
rates, high-end chips made up of a billion transistors may leak between 60
and 70 Watts of power, causing problems with cooling. Grove also warned that
the trend of migrating chip manufacturing to Asian plants could shift the
balance of power eastward. "It is easy to project that the independence
becomes more one-sided, with an adverse impact on our educational system
because so much of the university funding comes from industry. There is a
spiral there in the wrong direction."  [Computerwire/The Inquirer 11 Dec
2002; NewsScan Daily, 12 Dec 2002]
  http://www.theinquirer.net/?article=6677

Copyright 2002. NewsScan Daily (R) is a publication of NewsScan.com Inc.
Reproduced in RISKS with permission.


Paypal scam?

<"Dawn Cohen" <COHEND@wyeth.com>>
Fri, 13 Dec 2002 17:13:31 -0500

I received an e-mail with the subject:
  "Paypal Alert: Please Update your current Billing Information"

In that I don't have a paypal account, I was a little curious, and decided
to investigate.  When I looked at the message, I saw what appears to be a
scam:

  "Unfortunately today we have had some trouble with one of our computer
  systems. While the trouble appears to be minor, we are not taking the
  necessary precautions. We have decided to take the affected system offline
  and replace it with a new system. Unfortunately this has caused us to lose
  member data and information. Please follow the link=link below and log
  into your account to re-enter your information to be assured none of your
  prior information has been lost. Please Note: Account balances have not
  been affected."

Then there is a link "Click Here To Begin the Account Process", with a link
that goes (upon examination of the source HTML) to an IP address at some
Autobahn Access Corporation.

The message was very cleverly constructed, to use Paypal images (based on
their own urls)
  <A href=3D"https://www.paypal.com/" target=3D_blank><IMG height=3D35
  alt=3DPayPal src=3D"http://www.paypal.com/images/email_logo.gif" width=3D25
  5 border=3D0></A>
And it had a reply-to address of customerservice@paypal.com.
(They were careful to say in the message, though, "Please do not reply to
this e-mail.  Mail sent to this address cannot be answered.")


Internet spam mogul can't take what he dishes out

<PURKASZ@aol.com>
Thu, 12 Dec 2002 20:43:10 -0500

West Bloomfield (Michigan) bulk e-mailer Alan Ralsky, who just may be the
world's biggest sender of Internet spam, is getting a taste of his own
medicine.  Ever since I wrote a story on him a couple of weeks ago
(www.freep.com/money/tech/mwend22_20021122.htm), he says he's been inundated
with ads, catalogs and brochures delivered by the U.S. Postal Service to his
brand-new $740,000 home.  It's all the result of a well-organized campaign
by the anti-spam community, and Ralsky doesn't find it funny. ...
[Source: Mike Wendland, *Detroit Free Press*, 6 Dec 2002]


Tower reports customer information "leak"

<<bcrook0926@rogers.com>>
Thu, 12 Dec 2002 12:52:49 -0500

Tower Records, a well known chain of record shops that does business in the
US and the UK, recently suffered an embarrassing information leak due to
amateurish Web programming. A Windows "Active Server Page" script, which
allowed customers to check the status of their orders by entering their
order numbers, was written so that it required no other identification from
the user than the order numbers themselves -- which were assigned in
sequence. Simply modifying a URL to contain an order number one greater or
one less than that assigned to your own order would show you another
customer's information. E-mail addresses, street addresses, phone numbers,
and order information dating back to 1996 were exposed.  The chain reports
that the hole was finally closed this week.
  http://www.extremetech.com/article2/0,3973,760739,00.asp


Perils in switching to Yahoo (David Lazarus)

<Monty Solomon <monty@roscom.com>>
Fri, 13 Dec 2002 22:15:48 -0500

David Lazarus, *San Francisco Chronicle*, 13 Dec 2002

Pacific Bell may be taking on a new name, but it's still up to the same old
tricks.  The company's customers were outraged when I wrote how Pac Bell,
which now wants to be known by the moniker of its corporate parent, SBC,
slipped an insert into recent bills advising that personal information will
be shared with business partners unless the customer says otherwise.  ...
That's not the half of it. For some services, Yahoo says it will request Pac
Bell customers' Social Security number "and information about your assets."
The online company says it will track DSL subscribers' Internet browsing and
share personal information with "trusted partners." Such info will be used
in part "to customize the advertising and content you see."  "Once you
create an SBC Yahoo account and sign in to our services, you are not
anonymous to us," Yahoo warns in surprisingly stark language.  ...
  http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2002/12/13/BU191399.DTL


Community security education contacts

<Rob Slade <rslade@sprint.ca>>
Tue, 10 Dec 2002 16:22:55 -0800

Many of us have known for years that education and heightened awareness are
vital to improving the general information security situation.  It's been
rather frustrating to try and promote the idea.  However, at long last there
seems to be a groundswell of both interest in the topic, and work towards
producing seminars and training.

As a step in getting some cooperation going in terms of the production of
security awareness seminars, I have started a mailing list and a Web page of
contacts.  The mailing list is comseced@yahoogroups.com: if you want to join
send e-mail to comseced-subscribe@yahoogroups.com.  The Web page is at
http://victoria.tc.ca/techrev/comseced.htm or
http://sun.soci.niu.edu/~rslade/comseced.htm.

If you have curricula, materials, or ideas that you would be willing to
share, please drop me a line or join the group.

rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


U.S. Army Research Office calls for odortype detection proposals

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 16 Dec 2002 9:57:05 PST

  <http://www.aro.army.mil/research/index.htm>
The U.S. Army Research Office (ARO) is soliciting proposals to determine
whether genetically-determined odortypes may be used to identify specific
individuals. The proposal also calls for development of the science and
enabling technology to detect and identify specific individuals by such
odortypes.  The Odortype Detection Program will leverage research that has
demonstrated that the same set of genes that code for internal immune system
self/non-self recognition in mice -- the Major Histocompatibility Complex
(MHC) -- also code for individual odortype. Total funding for the research
and development effort may be up to $3.2 million in 2003.
http://www.biometritech.com/enews/121602c.htm

    [De-scent into the pits?  PGN]


Re: Anti-worm "throttling"

<jeremy.epstein@cox.net>
Thu, 12 Dec 2002 23:45:25 -0500

The HP paper you're referring to ("Throttling Viruses: Restricting
propagation to defeat malicious mobile code" by Matthew Williamson,
Hewlett-Packard Labs) was presented this week at the 18th Annual Computer
Security Applications Conference, and won the best paper award.  Along with
Paul Karger's Multics retrospective (discussed in previous issues of RISKS),
it's made this year's ACSAC particularly interesting.


The risks of RISKS

<"Donald A. Norman" <don@jnd.org>>
Mon, 16 Dec 2002 10:03:49 -0600

The RISK of RISKS:

I've become paranoid over the past year, but legitimately. And it is
wrecking my life.

Because I was involved in a National Academies study of anti-terrorism, I
examined how people defeated security systems. The security community --
with some notable exceptions -- seems to think this is a technological
problem: put in enough technology and the system is secure. I have always
thought just the opposite: this is a social problem. Indeed, my belief is
that "The more secure you make the system from a technological point of
view, the less secure you are apt to have made it in reality."  Why? Because
the technology gets in the way of work, and so the most dedicated workers
will defeat the system in order that they can get their work done.  My
studies of the cracker community and discussions with professional "red
team" members simply reinforces the view.

We are social beings: we work well in small, cooperative groups. Part of the
benefits of our society is that we all help one another. We trust one
another. The people who would deceive us understand this and manipulate it.

Well, the social engineer takes advantage of all of this. I've just finished
reading the book by Mitnick and Simon. I recommend it to everyone: it is
scary. It tells how a few simple sounding (but very sophisticated) phone
calls can get the sophisticated con artist almost anything. It gives very
convincing examples.

  Mitnick, K. D., & Simon, W. L. (2002). The art of deception:
  controlling the human element of security. Indianapolis: Wiley.

So now I am on guard. And guess what, I immediately spot spoofs. I get an
e-mail stating that I have just signed up with American Express for
bill-paying, so I should log on to this URL and set up my account.  Except
that I didn't recall signing up, and the URL is not associated with American
Express : it is "thevalidnetwork.com" . Sounded like a spoof to me. I call
up American Express. They deny all knowledge of the site, but they also
refuse to accept my complaint. "Not my department," said the woman, as she
gave me a different phone number to call and hung up on me.  The man at the
other phone number also confirmed that this was not a valid American Express
site, and he wanted to report it, but it wasn't his responsibility either --
the phone number he asked me to use was for the woman who refused to take
it. He tried -- he was turned down too.

So American Express claims this is not their site, but refuses to let me
file a complaint.

Then yesterday, I get a letter inviting me to a conference. Would I send my
address and phone number, and also the phone numbers of anyone else I
thought should be invited. The person said he had gotten my name from X, and
said the conference was run by Consumers Reports. Well, the website he
listed gave no hint of why I should trust this person -- he claimed to be a
contractor. I checked with X, who said, no, he couldn't vouch for the
person.  The letter said time was of the essence, but it came in over the
weekend, so I couldn't call Consumer Reports to check.

Both letters were perfect examples of Mitnick's illustrations of how to con
people. They look legitimate, but if you examine them closely, the URLs are
wrong, and although legitimate names are given, this is an emergency and the
answer must be given now, after hours, when those legitimate-sounding names
can't be checked.

I now have discovered that both e-mails were legitimate. My financial advisor
had signed me up for the bill payment scheme (he says we asked him to). The
site was subcontracted by American Express to do this, but obviously, their
phone support people don't know this.  As for the invitation, the person at
Consumer Reports vouched for it.

But what a life we have to lead: we can easily be conned by legitimate
looking requests. And we might refuse to honor legitimate requests that
could also be frauds.  Or, even if we accept them, we waste a lot of time
checking them out -- a lot of our time and that of the people we have to
bother to find out if it is real. And, along the way, I also discovered that
even if we are recipients of a real fraud, it is very difficult to tell
anyone. An amazing number of websites lack any contact information, any way
of reporting problem. And even if you do report a problem, it is answered
bizarrely.  I just reported over a website to Mindspring that their server
seemed to be down. In reply I was told how to check the modem settings under
Windows 98. That wasn't my complaint, I don't use a dial-up modem, and I
don't run Windows 98. When I complained that the response was not relevant,
I got instructions to check the wiring of my modem.

So consider the RISKS of RISKS.  We waste time every day deleting spam and
backing up our systems. We waste time every week updating our virus controls
and rescanning our computer systems. We no longer can trust the people we
interact with, for social engineers take advantage of all that we have come
to trust.  We are searched at work and when traveling. We have to watch what
we say in public because it might be misinterpreted.  And there is nobody to
complain to.

Trust is rapidly leaving our society, and we all are worse off as a result.

Don Norman, Prof. Computer Science, Northwestern University http://www.jnd.org
and Nielsen Norman Group      http://www.nngroup.com  norman@nngroup.com

  [See Rob Slade's following item.  PGN]


REVIEW: "The Art of Deception", Kevin D. Mitnick/William L. Simon

<Rob Slade <rslade@sprint.ca>>
Thu, 12 Dec 2002 08:00:51 -0800

BKARTDCP.RVW   20021028

"The Art of Deception", Kevin D. Mitnick/William L. Simon, 2002,
0-471-23712-4, U$27.50/C$39.95/UK#19.95
%A   Kevin D. Mitnick
%A   William L. Simon
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2002
%G   0-471-23712-4
%I   John Wiley & Sons, Inc.
%O   U$27.50/C$39.95/UK#19.95 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471237124/robsladesinterne
%P   352 p.
%T   "The Art of Deception: Controlling the Human Element of Security"

Those in the security field know that Kevin Mitnick does not deserve the
reputation he has gained as some kind of technical genius.  His gift was
skill as a social engineer.  Stripped of the five dollar words, this means
that he was a plain, old con man, cheat, or fraud.  In other words, this is
a book about how to fool people.  Theoretically, the determined reader
should be able to use the book to keep from being conned.

In the preface, Mitnick would have us believe that, although he admits to
being a fraud and deceiver, he was never a grifter.  He never harmed
anybody, never obtained a material benefit, and was just curious to see if
he could ride the buses for free (at the expense of the transit system) or
make calls for free (at the expense of an MCI customer).  (The willing moral
blindness of these assertions is possibly the most instructive part of the
book: it is truly representative of large portions of the blackhat
community.)  He would have us believe that he is a "changed person": one of
the most sought- after computer security experts world-wide, and the world's
most famous hacker.  Oh, and just in case the authorities are inclined to
think that this book runs counter to the injunction that he not profit from
the stories of his criminal exploits, the tales are all completely
fictional.  Trust him.

Part one is entitled "Behind the Scenes."  Chapter one states that people
are security's weakest link.  This is a truism well known in the field, but
the first account is really about insider fraud, while the remainder are
generic fear-mongering.

Part two describes the art of the attacker.  (At great length.)  Chapter two
depicts escalation or enumeration through social engineering, and points out
that sometimes innocuous information isn't.  There is a section on
"preventing the con" at the end of each chapter: in this case we are told
not to give out information, but not provided with any advice about
authenticating callers.  Similarly, chapter three says that sometimes
attackers just ask for access or information and says to verify callers, but
doesn't say how.  Chapter four tells you to distrust everyone--which would
probably be more damaging to society than social engineering.
(Interestingly, yesterday a report came out about studies of "freeloading"
in the animal kingdom, which notes that communities with too many non-
contributing members tend not to survive.  By extension, only societies with
an overwhelming majority of trustworthy members exist for any length of
time.)  The prevention bit tells companies not to have people give credit
card information over the phone, but stresses teaching employees about cons
rather than policies.  At about this point the text, which is very
repetitious, throws in some minor technical details.  This is enough to
remind the professional that the book is designed for the naive user, with
extremely lightweight analysis, and implications that would not be useful.
There is more repetitive redundancy in chapter six, on the way to some
useful information about fraudulent e-mail and really lousy data about
viruses and malware, in chapter seven.  Chapters eight and nine are simply
more of the same stories, which start to get very tedious.

Part three is apparently supposed to help us detect intruders.  Chapter ten
has a little useful advice about having termination procedures.  The major
points in chapter eleven seem to be about all the people who have been mean
to our poor Kevin.  Then it is back to the, by now extremely tiresome, con
jobs for another three chapters.

We are intended to believe that part four will help us protect ourselves and
our companies against social engineering.  Chapter fifteen is an attempt to
convince us that the book should be purchased for all employees.  (Nice try,
Kev.)  There is an arbitrary, and oddly both generic and overly detailed,
suggested security policy, in chapter sixteen.

So.  Security professionals already know about social engineering.  It is
unlikely in the extreme that even the most head down, don't-talk-
to-the-users, socially maladept firewall administrator will learn very much
from this book.  But, of course, this is not a trade paperback.  This is a
hardback aimed at the mass market: the non-professionals.  Will they learn
anything from it?  Well, it might be useful for teaching new tricks to those
who like to con people (although fraudsters will likely be disappointed at
the number of times it is assumed that they know how to reprogram DMS-100
switches: don't try this at home).  The prevention sections, as noted, are
big on "don't" and short on "how not to."

Well, but the book can still be a fascinating read, can't it?  Sure.  If
you're the type of person who finds humour in watching someone fall on his
or her face.  Over and over and over and over and over and over and over and
over and over and over again ...

copyright Robert M. Slade, 2002   BKARTDCP.RVW   20021028
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

  [See Don Norman's previous item.  PGN]


REVIEW: "Secured Computing", Carl F. Endorf

<Rob Slade <rslade@sprint.ca>>
Wed, 11 Dec 2002 08:12:25 -0800

BKSCDCMP.RVW   20020905

"Secured Computing", Carl F. Endorf, 2002, 1-55212-889-X,
U$44.95/C$64.00
%A   Carl F. Endorf etresearch@hotmail.com
%C   Suite 6E, 2333 Government Street, Victoria, BC   V8T 4P4
%D   2002
%G   1-55212-889-X
%I   Trafford Publishing
%O   U$44.95/C$64.00 888-232-4444 FAX 250-383-6804 sales@trafford.Com
%O  http://www.amazon.com/exec/obidos/ASIN/155212889X/robsladesinterne
%P   538 p.
%T   "Secured Computing: CISSP Study Guide, Second Edition"

Like Mandy Andress' book (cf. BKCISPEC.RVW), this concentrates on
terminology, rather than the concepts that the CISSP exam actually tests
for.  Like Krutz and Vines' book (cf. BKCISPPG.RVW), this obviously and
slavishly follows the (ISC)^2 syllabus.  Unlike Shon Harris' book
(cf. BKCISPA1.RVW), it doesn't provide much added value or explanation.

It does offer a money back guarantee.  If, within six months of buying the
book, you take the CISSP exam twice (at U$450 a pop) and fail both times,
you get the price of the book back.  Less shipping and handling.  (Also, you
might need to be careful when ordering the book.  The ISBN is identical for
both the first and second editions.)

Some of the errors in the first edition of the book have been corrected, but
a few remain, such as the addition of a "strong star" property to the
Bell-LaPadula security model.

Since the work concentrates on jargon, there are glaring gaps in the
coverage.  For example, the Law, Investigation, and Ethics domain has almost
nothing to say about incident response, investigation, preservation of
evidence, computer forensics, or interviewing.

Added to the book in this second edition is a practice CISSP exam.  Although
the structure of the questions appears to be similar to those you would see
on a real exam, the answers, oddly enough, rely on nonstandard terminology.

Approximately one third of the total material in the second edition is a
reprint of the "Standard of Good Practice" document available from the
Information Security Forum (www.securityforum.org).  While there is nothing
wrong with the document, and it could be a useful aid to the practitioner,
it isn't much of a help in studying for the CISSP.

While this book might provide some assistance in exam prep, it is probably
not a sufficient guide by itself.

copyright Robert M. Slade, 2002   BKSCDCMP.RVW   20020905
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

Please report problems with the web pages to the maintainer

Top