The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 61

Thursday 6 March 2003

Contents

Slight change in RISKS e-mail procedure
RISKS List Owner
Computer error means 2.3-trillion-pound electricity bill
Fuzzy Gorilla
Computer error halts fuel payments
Fuzzy Gorilla
Indiana University Center's computers breached by hacker
Sheri Alpert
Risks of using Tax IDs for other things
Peter Wayner
28 Krispy Kreme customers each charged over $84,000
Fuzzy Gorilla
Visa moves to improve customers' privacy
PGN
Credit-card fraud
Thomas Kristmar
Credit company's customer list leaked to an underground gang
Chiaki Ishikawa
16M Yen stolen from sniffed bank passwords at Internet Cafe
Chiaki Ishikawa
Wrongly jailed woman blames system
Fuzzy Gorilla
Re: Reversed 2002 election results in Alabama still unexplained
Dale Pennington
PGN
Re: Computer error grounds Japanese flights
Chiaki Ishikawa
Re: BSA Accuses OpenOffice ftp sites of piracy
Fritz Whittington
New IEEE Security and Privacy magazine
Gary McGraw
REVIEW: "Security in Computing", Charles Pfleeger/Shari Pfleeger
Rob Slade
Info on RISKS (comp.risks)

Slight change in RISKS e-mail procedure

<RISKS List Owner <risko@csl.sri.com>>
Thu, 6 Mar 2003 10:48:55 PST

Although it should be largely invisible to you, this issue is being sent out
in a way that should dramatically simplify our processing of the steadily
growing number of e-mail bounces (including unresolvable black-hole bounces
for no-longer-existing mail exchangers).  This will enable us to more easily
cull out the offending addresses.  We will still be very conservative in not
removing temporarily offending addresses.  Please let us know if you find
yourself inadvertently no longer receiving RISKS.  Many thanks to Mike
Hogsett, who has been superb in putting up with the strain that RISKS puts
on our e-mail servers.


Computer error means 2.3-trillion-pound electricity bill

<"Fuzzy Gorilla" <fuzzygorilla@euroseek.com>>
Tue, 04 Mar 2003 18:35:36 -0500

The *Yorkshire Post* reports that after a man had forgotten to pay an
earlier electricity bill of 59 pounds from British Gas for a house in
Fartown, Huddersfield, he received a final demand for 2,320,333,681,613
pounds.  After he was threatened with court action, the local media
intervened.  At that point, British Gas admitted there had been a mistake,
``with a computer mixing up the reference number for the property.''  On the
other hand, a BG spokeswoman was quoted as saying that it was a ``simple
clerical mistake''.  [PGN-ed]
  http://www.ananova.com/news/story/sm_756911.html


Computer error halts fuel payments

<"Fuzzy Gorilla" <fuzzygorilla@euroseek.com>>
Tue, 04 Mar 2003 18:41:51 -0500

1,128 people over 60 are still waiting for their 200-pound winter fuel
payments, two months after they should have been paid.  The Department for
Work and Pensions (DWP) told the BBC that the computer system which handles
payments has 'lost' their records, and that they would have to trace back to
the original applications.  [Source: BBC, Money Box, Paul Lewis, 18 Feb
2003; PGN-ed]
  http://news.bbc.co.uk/1/hi/programmes/moneybox/2764451.stm


Indiana University Center's computers breached by hacker

<Sheri Alpert <salpert@nd.edu>>
Wed, 5 Mar 2003 14:54:01 -0500 (EST)

[Source: Article by Terry Horne <terry.horne@indystar.com>, telephone
1-317-444-6082, *The Indianapolis Star*, 28 Feb 2003; PGN-ed]
http://www.indystar.com/print/articles/3/025875-2223-P.html
(another story at: http://www.sagamore.iupui.edu/32/32-24/24hacker.html)

About 7,000 patients of the Indiana University Center for Sleep Disorders
have had the confidentiality of their Social Security numbers and other
personal information compromised by a hacker who broke into the center's
computer on 27 Nov 2002, although it was not discovered until 3 Jan 2003.
Reportedly, there is no evidence any identities were stolen or even that
files were offloaded.  The intent apparently was to use this computer system
as a bridge to other university computers.

  [This intrusion might have caused some additional sleep disorders after
  the patients were notified.  PGN]


Risks of using Tax IDs for other things

<Peter Wayner <pcw@flyzone.com>>
Thu, 6 Mar 2003 14:03:55 -0500

A Princeton student tried PNC's new Internet banking Web site to check his
student organization's funds and found he could access *all* of the
university's accounts holding almost $10 million in total.  The student
organization used the same taxpayer ID number as the rest of the university,
and the bank's Web site used the ID to link the records.

  http://story.news.yahoo.com/news?tmpl=story2&cid=816&ncid=816&e=5&u=/ap/20030306/ap_on_fe_st/banking_glitch
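An added illustration, not part of Peter Wayner's item and not PNC's code: a toy account store in Python (constructed names and balances, a placeholder taxpayer ID) with two answers to "which accounts may this login see?".  The first treats "same tax ID" as "same customer", which is the linkage the item describes; the second keys on explicit per-account grants.  A small audit function shows why a tax ID shared by many accounts is unusable as a customer key.

```python
"""Linking bank accounts by taxpayer ID versus by explicit authorization.

Added example (not from the RISKS item or from PNC). All names, balances
and identifiers are constructed; the tax ID is a placeholder.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    account_id: str
    tax_id: str          # institution-wide taxpayer ID, shared by many accounts
    label: str
    balance_cents: int


@dataclass
class Login:
    user_id: str
    tax_id: str                       # tax ID of the organization the user enrolled for
    authorized_accounts: frozenset = field(default_factory=frozenset)


# Constructed sample data: one institution-wide tax ID, several accounts.
UNIVERSITY_TAX_ID = "00-0000000"   # placeholder, not a real EIN
ACCOUNTS = [
    Account("ACC-001", UNIVERSITY_TAX_ID, "Student Debate Society", 8_250_00),
    Account("ACC-002", UNIVERSITY_TAX_ID, "Endowment operating", 6_400_000_00),
    Account("ACC-003", UNIVERSITY_TAX_ID, "Payroll clearing", 3_100_000_00),
    Account("ACC-004", "11-1111111", "Unrelated local business", 40_000_00),
]

# The student is a signer only on the society's own account.
STUDENT = Login("student42", UNIVERSITY_TAX_ID, frozenset({"ACC-001"}))


def visible_accounts_by_tax_id(login: Login, accounts):
    """Weak linkage: 'same tax ID' is taken to mean 'same customer'."""
    return [a for a in accounts if a.tax_id == login.tax_id]


def visible_accounts_by_grant(login: Login, accounts):
    """Hardened linkage: only accounts this login was explicitly granted."""
    return [a for a in accounts if a.account_id in login.authorized_accounts]


def total_cents(accounts):
    """Sum of balances, in cents."""
    return sum(a.balance_cents for a in accounts)


def audit_tax_id_collisions(accounts):
    """Defender check: tax IDs that map to more than one account cannot
    serve as a customer key. Returns {tax_id: [account_ids]}."""
    by_tax = {}
    for a in accounts:
        by_tax.setdefault(a.tax_id, []).append(a.account_id)
    return {t: ids for t, ids in by_tax.items() if len(ids) > 1}


if __name__ == "__main__":
    weak = visible_accounts_by_tax_id(STUDENT, ACCOUNTS)
    strong = visible_accounts_by_grant(STUDENT, ACCOUNTS)
    print(f"by tax ID: {len(weak)} accounts, ${total_cents(weak) / 100:,.2f}")
    print(f"by grant:  {len(strong)} accounts, ${total_cents(strong) / 100:,.2f}")
    print("tax IDs shared by several accounts:", audit_tax_id_collisions(ACCOUNTS))
```

The audit is the check worth running before any identifier is promoted to a lookup key: if it is not unique per customer, authorization has to come from somewhere else.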


28 Krispy Kreme customers each charged over $84,000

<"Fuzzy Gorilla" <fuzzygorilla@euroseek.com>>
Tue, 04 Mar 2003 19:31:54 -0500

A Krispy Kreme doughnut shop in Albuquerque seemingly greased its coffers
while figuratively deep-frying over two dozen customers.  Irrespective of
what they ordered, each of 28 customers using a credit card were charged
EXACTLY $84,213.60 for the purchase.  KK blamed Heartland Payment Systems,
which processes their credit-card transactions.  [Source: KRQE News 13,
Albuquerque, N.M., 19 Feb 2003; PGN-ed]
  http://www.krqe.com/Global/story.asp?S=1140274

  [These charges were actually APPROVED, and of course also blew the
  customers' credit ratings for a few days.  Amazing!
    ``The $84,000 charge, were it legitimate, would have purchased over
    170,000 ... doughnuts, enough to stretch over 9 miles if placed
    end-to-end.''
  (But a few days later, the doughnuts might have settled into substantial
  paving bricks.  Or do Krispy Kremes have a shelf-life of years, like
  the bread and chocolate used in Des(s)ert Shield?)  Of course, stacked
  vertically, they would reach almost 2 miles high.
  Somehow, the name ``Heartland'' seems incompatible with the concept of
  Krispy Kremes, unless it is related to a hospital with the same name.
  PGN]

    [Three sentences back, I have added "(s)" in the archive copy,
    inspired by Mike Yuhas.  PGN]


Visa moves to improve customers' privacy

<"Peter G. Neumann" <neumann@CSL.sri.com>>
Thu, 6 Mar 2003 07:43:42 -0800

Visa International (with over 1 billion credit cards in circulation) is
introducing a new company policy today prohibiting the display of all but
the last four digits of a credit-card number on consumer receipts, a move
intended to better protect customers' privacy and reduce identity theft.
The policy will also remove the expiration date from receipts.  The newly
proposed Senate Identity Theft Protection Act would make this policy
mandatory for all credit-card companies.  (Since 2000, identity theft has
consistently been the most common complaint to the Federal Trade Commission,
with over 160,000 complaints in 2002.)  [Source: Chris Baker, *The
Washington Times*, 6 Mar 2003; PGN-ed]
  http://washingtontimes.com/business/20030306-3647521.htm
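An added Python example, not from the RISKS item and not Visa's code: receipt rendering that prints only the last four digits of the card number and omits the expiration date, beside the check a merchant or acquirer could run over receipt text to catch numbers that were not masked.  Candidate digit runs are filtered by the Luhn check digit so that order or tracking numbers of similar length are not flagged.  The card number used is the widely published 4111... test number; merchant, amount and date are constructed.

```python
"""Masking card numbers on receipts, and detecting unmasked ones.

Added example, not from the RISKS item or from Visa. The card number is
the widely published 4111... test number; everything else is constructed.
"""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: true for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; every other digit becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("card numbers are 13 to 19 digits")
    return "*" * (len(digits) - 4) + digits[-4:]


def render_receipt(merchant: str, amount_cents: int, pan: str, expiry: str) -> str:
    """Receipt text under the policy: masked number, no expiration date.
    `expiry` is accepted (the terminal has it) but deliberately never printed."""
    del expiry
    return "\n".join([
        merchant,
        "06 Mar 2003",                       # constructed date
        f"AMOUNT  ${amount_cents / 100:,.2f}",
        f"CARD    {mask_pan(pan)}",
        "THANK YOU",
    ])


# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(text: str) -> list:
    """Digit runs that look like card numbers and pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    receipt = render_receipt("Constructed Coffee Co.", 1240, "4111 1111 1111 1111", "05/07")
    print(receipt)
    print("unmasked numbers on receipt:", find_unmasked_pans(receipt))
    print("unmasked numbers in old-style line:",
          find_unmasked_pans("CARD 4111 1111 1111 1111 EXP 05/07"))
```

Running the scanner over archived receipt text is a quick way to verify that a terminal fleet actually follows the policy rather than trusting the vendor's word for it.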


Credit-card fraud

<"Thomas Kristmar" <TK@dip.dk>>
Wed, 05 Mar 2003 12:11:38 +0100

An interesting story in a Danish newspaper (in Danish, alas):
http://www.bt.dk/Forside.pl?aid=130204

A postman intercepted the new credit card sent to a bank client and waited a
few days and then intercepted the pincode also. The postman made a copy of
the credit card and read the pincode before delivering the card and pincode
a few days later to the client.  Then he waited a few months.  The postman
was caught because he used the card excessively in a 14-day period, stealing
the equivalent of 24.000 euro.  [That's 24,000 euro in English.  PGN]

The problem here is that all Danish credit cards and pincodes are issued
from one location in plain envelopes with a return address. A postman can
easily identify the cards and pincode letters. The pincode is printed in a
tamperproof envelope, but affixing a "sorry, the envelope was damaged during
handling" note from the Post Office will fool the average customer.

  [Plural of "euro" (euro) corrected in archive copy.  PGN]


Credit company's customer list leaked to an underground gang

<Chiaki Ishikawa <ishikawa@yk.rim.or.jp>>
Wed, 05 Mar 2003 21:04:52 +0900

On Japanese TV nightly news, I just learned that a large Japanese credit
corporation, called Orient Corporation, fired a local branch manager-level
senior employee who had leaked the list of about 15,000 customers with
credit card usage, etc. to a member of a Japanese gang syndicate, who in
turn blackmailed the company and demanded 200,000,000 YEN.  Both were
arrested by police today.

Computers have made it so easy to steal such large lists of customer
information (to wit, involving 8 million credit-card users in the past
couple of weeks).  If such a weakness is employed by an insider, then it
would be really difficult to protect such information at all.

In this case, it was a senior employee, who was second in command to the
local branch manager, and so my hope of protecting such information from
abuse is now getting very thin.

Orient Corporation web page (in Japanese)
http://www.orico.co.jp/orico/index.asp

PS: At least, this company is quick to publicize the response to this
incident: the web page has a link to this blackmailing incident. Oh, wait,
the link failed to show the contents yet. Since the arrest was announced
only a couple of hours ago, maybe the web site is going through change at
21:00.  I saw the TV news only about 10 minutes ago.


16M Yen stolen from sniffed bank passwords at Internet Cafe

<Chiaki Ishikawa <ishikawa@yk.rim.or.jp>>
Fri, 07 Mar 2003 00:40:28 +0900

On March 6th, two men were arrested for illegally transferring 16 million
YEN from someone's CityBank online banking service account to a third-party
account and then taking the money out of it, Tokyo police announced.

From the descriptions in newspaper articles, it seems that one of the
culprits installed keyboard sniffer programs on about a hundred PCs at a
dozen or so Internet cafes in Tokyo and Kanagawa prefecture (south of
Tokyo).  He regularly visited the cafes, brought the recorded data back
with him, and searched it for IDs/passwords and other identification
information.

At the charged man's home, the police found IDs/passwords for 719
accounts, and about a couple of hundred user profiles meant for dating
services.

One such ID/password for a man's City Bank online banking service was used
to transfer 16 million Yen to a different account at another bank from which
the money was withdrawn.

This is the first time that a keyboard sniffer has been implicated in a
large-scale ID theft in Japan, as far as I know.

It beats me, though, why anyone would want to use a PC at an Internet cafe
for one's banking.  (We should assume that doing something on it, like
writing a memo, is akin to writing on a memo pad on a desk at a public
library, under which a carbon paper may have been secretly placed to record
information without our ever knowing.  For that matter, even without the
carbon paper, we can often see the telephone number, etc. left by the
previous user by looking at the indented marks on the next sheet of paper,
can't we?)

I think the general public should be taught more about the security
implications of various Internet services, which may look useful and handy
on the surface, but may not be so attractive once the security implications
are taken into account.  I think it should be the responsibility of the
service provider to disclose such risks, but I am not sure how to go about
writing a law, because "risk" is a relative thing.

This has been a busy week for computer security professionals in Japan.
First the computer system for handling the nation's flight plans collapsed
on the morning of 1 Mar.  Then a large credit card company, Orient Corp.,
announced the leak of 15,000 user profiles to a member of an underground
gang who blackmailed the company and was arrested.  Then this incident.

I hope the general public will start to pay more attention to computer
security issues thanks to these high-profile incidents.  (The ID theft
using a keyboard sniffer was the front-page headline article in the evening
edition of *Asahi Shimbun*.  It occupies about 1/5 of the page and is very
conspicuous.)


Wrongly jailed woman blames system

<"Fuzzy Gorilla" <fuzzygorilla@euroseek.com>>
Tue, 04 Mar 2003 19:21:38 -0500

Excerpts, FG-highlights and PGN-ed summarization of a long item
from 11Alive News, Jennifer Leslie, 30 Jan, 10 Feb, 24 Feb 2003:
  http://www.11alive.com/news/news_article.asp?storyid=27020
  http://www.11alive.com/news/news_article.asp?storyid=28128

  "In the first part of this report, 11Alive News Investigative Reporter
  Jennifer Leslie focused on problems with some information in the National
  Criminal Information Computer System that led to as many as 25 percent of
  all arrest warrants in Metro Atlanta being inaccurate and incomplete or
  invalid.  In the second part, Leslie's report focuses on what happens when
  police officers arrest the wrong person because of problems in the
  system."

Highlights (FG):
 * As many as 25 percent of all arrest warrants in Metro Atlanta
   are inaccurate, and incomplete or invalid.  This average is eight times
   the national average.
 * It is easy to confuse two people that share part of a name in common.
 * It is easy to have cascading errors -- once the name was wrong,
   someone else added a wrong SSN.
 * Guilty until proven innocent -- if you lose your receipt, you can
   spend a long time trying to correct a mistake.
 * It is hard to justify success/failure rates if no records are kept.

Mistaken identity (PGN-ed):
 * Melissa Long (8.5 months pregnant) and her husband were stopped by police
   for a missing license plate.  After an NCIC check, she was handcuffed
   and jailed for 10 hours in a 6x8 cell with five other women, supposedly
   for an outstanding warrant for domestic violence.  It was eventually
   realized that the warrant was for someone else with the same name, but
   different middle names and birth dates.  The Sheriff's office had added
   to the confusion by putting the wrong SSN on the NCIC warrant and leaving
   other information unspecified.  Because she was already in the county
   computer as a witness in an unrelated case, the police used THAT info
   to fill out her arrest warrant!

Expired warrants (PGN-ed):
 * Innocent people across Metro Atlanta are going to jail because their old
   arrest warrants were never taken out of a statewide computer system.
 * Nicole Thomas needed a criminal background check to apply for a job as
   a teacher at her son's daycare center in August 2001.  As a result, she
   was jailed -- because of a warrant for an expired tag.  But that warrant
   should have been withdrawn because she had already paid the fine.  (She
   was not allowed the customary phone call.)
 * One other similar case discussed in detail.
 * Procedures to prevent this kind of abuse are not followed.

Error rates for the 11 metro departments (audit year, error rate):

Department                        Year  Error rate
Atlanta Police Dept.              2001  18%
                                  1999  1.8%
Cherokee County Sheriff's Dept.   2002  16%
                                  2000  22%
Clayton County Sheriff's Dept.    2001  21.6%
                                  1998  16%
Cobb County Sheriff's Dept.       2001  22%
                                  1998  22%
Dekalb County Sheriff's Dept.     2000  57%
                                  1998  40%
Douglas County Sheriff's Dept.    2001  7%
                                  2000  22%
Fayette County Sheriff's Dept.    2000  0%
                                  2002  0%
Fulton County Sheriff's Dept.     2000  80% (more recent audit shows 5%)
                                  1998  28%
Gwinnett County Sheriff's Dept.   2001  28% (more recent audit shows 6.6%)
                                  1999  31%
Henry County Sheriff's Dept.      2002  20%
                                  2000  30%
Smyrna Police Dept.               2001  16%
                                  1998  16%


Re: Reversed 2002 election results in Alabama still unexplained

<"Dale Pennington" <Dale.Pennington@tbe.com>>
Tue, 4 Mar 2003 08:49:41 -0600
  (PGN-ed, RISKS-22.60)

I wish you had read the article a little more carefully. As I live in
Alabama I followed this story carefully.

The time line is that on election night the unofficial total posted to the
press by the county showed Don Siegelman (D) as winning. This was considered
suspicious as the county in question tends to vote heavily Republican. It was
determined that while the precinct totals were correct, the overall total
(which was not official) was wrong by 6300 votes in Siegelman's favor. When
corrected, Bob Riley (R) was the winner of the county and the state.

*The Mobile Register* article is consistent with the above. It says the
cartridge that was used to get the first night total (Siegelman wins) was in
error and the ballot count backed up the eventual (Riley) winner.  The
question is how the cartridge used to get the unofficial totals the first
night went bad.

To sum it up, the person who got the most votes DID win.


Re: Reversed 2002 election results in Alabama still unexplained

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 5 Mar 2003 8:58:30 PST
  (Pennington, RISKS-22.61)

Many thanks to Dale.  I'm glad to be able to correct the RISKS record.

I reread the original article repeatedly, and I can see why I reached a
misinterpretation in my conclusions.  The article was ambiguous as to how
the final official count was reached.  In this case, the overall process is
complicated, with integrity and reliability risks throughout -- relating to
the optical-scan ballots, the local tabulation device that scans them, the
cartridge that records the local results, the paper record of the local
results, the aggregate centralized counting process, and the resolution of
any conflicts.

Here are two of the relevant paragraphs from the cited article.

  Initial, unofficial results from Baldwin County showed that Democrat Don
  Siegelman garnered about 19,070 votes in the county, enough to give him a
  razor-thin victory over Republican challenger Bob Riley.  The next
  morning, however, officials said those totals were inaccurate and
  certified returns giving Siegelman about 6,300 fewer votes -- enough to
  swing the election to Riley.

    [...]

  Officials have traced the problem to a data pack from the Magnolia Springs
  voting location. They said the vote-counting machine there printed out
  accurate results when the polls closed at 7 p.m.  But they said the
  cartridge, which resembles an eight-track cassette, gave bogus figures
  when it was plugged into the computer in Bay Minette.

An important conclusion from this case remains.  In the absence of an actual
recount of the hardcopy ballots (which is especially a problem with
all-electronic voting systems in which there is no voter-verified paper
record), there remain questions as to whether there was fraud or error.  In
this case, the detected discrepancy among the paper counts, the cartridges,
and the final total forced a reassessment (but not a recount).  But in cases
of disagreement, it is important to be able to ascertain what is correct.

The deeper implication of this case is of course that in the absence of
meaningful audit trails and voter-verified ballots or ballot images, the
entire election process can be subject to unresolvable questions.  In
all-electronic systems, the absence of a voter-verified ballot image makes
it possible in any voting machine for the electronic totals at the end of
the day to agree completely with the printed totals, but for both of them to
be seriously in error, for any of a variety of reasons.
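An added Python example of the reconciliation PGN describes, with constructed precinct figures (not Baldwin County's numbers and not any voting vendor's code): each precinct contributes the totals its scanner printed at poll close and the totals read from its cartridge at the county office, and the county aggregate is accepted only when every precinct's two records agree.  A cartridge that "gave bogus figures" is then flagged instead of being silently summed, and the aggregate is withheld until the discrepancy is resolved against the paper record.

```python
"""Reconciling precinct returns before certifying a county aggregate.

Added example with constructed figures (not Baldwin County's numbers and
not any voting vendor's code). Candidates are simply "A" and "B".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PrecinctReturn:
    precinct: str
    paper_totals: dict       # candidate -> count on the tape printed at poll close
    cartridge_totals: dict   # candidate -> count read from the cartridge at the county


# Constructed returns: precinct P3's cartridge inflates candidate A.
RETURNS = [
    PrecinctReturn("P1", {"A": 1200, "B": 900},  {"A": 1200, "B": 900}),
    PrecinctReturn("P2", {"A": 800,  "B": 1100}, {"A": 800,  "B": 1100}),
    PrecinctReturn("P3", {"A": 500,  "B": 700},  {"A": 3800, "B": 700}),
]


def aggregate(returns, source: str) -> dict:
    """Sum one record type ('paper_totals' or 'cartridge_totals') county-wide."""
    totals = {}
    for r in returns:
        for cand, n in getattr(r, source).items():
            totals[cand] = totals.get(cand, 0) + n
    return totals


def winner(totals: dict):
    """Candidate with the most votes, or None on a tie."""
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


def reconcile(returns) -> list:
    """(precinct, candidate, paper, cartridge) for every disagreement."""
    mismatches = []
    for r in returns:
        for cand in sorted(set(r.paper_totals) | set(r.cartridge_totals)):
            p = r.paper_totals.get(cand, 0)
            c = r.cartridge_totals.get(cand, 0)
            if p != c:
                mismatches.append((r.precinct, cand, p, c))
    return mismatches


def certify(returns):
    """('certified', totals) only when every precinct reconciles;
    otherwise ('hold', mismatches) so the paper record decides."""
    mismatches = reconcile(returns)
    if mismatches:
        return "hold", mismatches
    return "certified", aggregate(returns, "cartridge_totals")


if __name__ == "__main__":
    by_cartridge = aggregate(RETURNS, "cartridge_totals")
    by_paper = aggregate(RETURNS, "paper_totals")
    print("cartridge aggregate:", by_cartridge, "->", winner(by_cartridge))
    print("paper aggregate:    ", by_paper, "->", winner(by_paper))
    print("certify:", certify(RETURNS))
```

With these figures the cartridge aggregate and the paper aggregate name different winners; the point of the precinct-level comparison is that the disagreement is caught at P3 before either aggregate is published, which is exactly what an all-electronic system without a voter-verified record cannot do.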


Re: Computer error grounds Japanese flights (RISKS-22.60)

<Chiaki Ishikawa <ishikawa@yk.rim.or.jp>>
Wed, 05 Mar 2003 21:04:52 +0900

The Ministry Web page finally had a short comment about the incident (in
Japanese, of course) on 3 Mar, whereas the incident occurred on 1 Mar.  I
know it was a weekend, but since I noticed a well-attended press conference
about the incident over TV, I would think a brief transcript of the
presentation would have been enough and useful to put on the Web to the many
Japanese who tried to learn what was going on on Saturday.

The following is the short notice, mostly the expression of the apology, not
much detail about the technical problem which I learned from newspaper
articles.
  http://www.mlit.go.jp/koku/030301.html


Re: BSA Accuses OpenOffice ftp sites of piracy (RISKS-22.60)

<Fritz Whittington <f.whittington@att.net>>
Tue, 04 Mar 2003 17:19:57 GMT

Since they state "the information in this notification is accurate and
states, under penalty of perjury, that it is authorized to act in this
matter" then, considering that the information is patently false, to which
jurisdiction do we report their perjury?  The EU courts, the US courts?
Perhaps both? Is it possible to commit perjury when you aren't testifying?

Sigh.  The computer-related risk here is enormous.  Dependence on computers
is apparently making a significant fraction of the population incurably
stupid.


New IEEE Security and Privacy magazine

<Gary McGraw <gem@cigital.com>>
Thu, 6 Mar 2003 08:56:22 -0500

The IEEE Computer Society has created a new magazine called "Security and
Privacy" specifically for the security community:
  http://www.computer.org/security/
The magazine intends to present a balanced mix of scientific research and
practical security discussion.  One key aim is to cut through the security
hype promulgated by commercial trade magazines.  The first issue came out
last month.  The editorial board is eager to publish cutting edge research
in the peer-reviewed section of the magazine.  Send your best papers to
<sprivacy@computer.org>.  Also as a member of the task force, I welcome
candid feedback via e-mail.

  [URL fixed in archive copy.  PGN]


REVIEW: "Security in Computing", Charles Pfleeger/Shari Pfleeger

<Rob Slade <rslade@sprint.ca>>
Wed, 5 Mar 2003 08:01:41 -0800

BKSCNCMP.RVW   20030209

"Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger,
2003, 0-13-035548-8, U$79.00/C$122.99
%A   Charles P. Pfleeger
%A   Shari Lawrence Pfleeger s.pfleeger@ieee.org
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2003
%G   0-13-035548-8
%I   Prentice Hall
%O   U$79.00/C$122.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0130355488/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0130355488/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130355488/robsladesin03-20
%P   746 p.
%T   "Security in Computing"

This work is still obviously a textbook.  The attempts to target it at a
"professional" audience are possibly more convincing than in the first
edition, but it still reads like a text, and includes material that is
addressed at a scholastic, rather than experienced, audience.  Even as a
textbook it is difficult to say that it succeeds.  It addresses a broad range
of computer security related topics, although there is a notable shortage of
material dealing with formal security models, access concepts, operational
procedures, physical security, and business continuity.  The level of detail
in the different areas varies greatly, but the shortcomings of the book
could be addressed in the hands of a competent teacher.

The ten chapters in the book are not divided into parts, but seem, in some
cases, to come in chunks.  The introductory chapter is an overview of basic
concepts involved with system security.  Unfortunately, not all of them are
explained fully.  The idea of controls, for example, is a vital one, but the
full ranges and types of controls are not outlined.  There are also some
not-quite-standard additions to the lexicon, such as an attempt to divide
threats into four classes: interception, interruption, modification, and
fabrication.  It is difficult to see why fabrication is added to the list,
or why this provides a clearer view of threats than simply looking to the
opposites of confidentiality, integrity, and availability.  Cryptography
starts in chapter two (and, oddly, ends in chapter ten).  The early coverage
steps through different types of simple encryption algorithms, followed up
by cryptanalysis of the same.  It strenuously avoids using any arithmetic,
which makes discussions of key sizes and strengths a bit difficult, but
throws in lots of symbolic logic, which seems to serve only to cloud the
issue.

Chapter three starts what might be seen as a section on secure systems
development.  This is an important, and often neglected, topic, and is
generally covered reasonably well.  However, the material is not always
completely clear and rigorous.  For example, it is implied that Thompson,
rather than Cohen, was the first to investigate viruses.  Leaving aside the
fact that Cohen's work started a year before Thompson's lecture (only the
date of Cohen's graduation is given), Thompson's thought experiment proposed
only an extremely limited form of reproduction.  Again, when discussing
covert channels, both the terms "timing channel" and "storage channel" are
used, but all the examples given relate only to timing channels.  Operating
system protections are supposed to be covered in chapter four, but the
content is an odd amalgam of computer architecture and high level access
control.  In regard to designing trusted operating systems, chapter five
starts with a very poor outline of formal models (the text is not clear,
and, again, the addition of symbolic logic fails to assist in the tutorial),
presents a fair review of operating system requirements, and then spends a
lot of time going over various evaluation criteria, without presenting much
content of any use.  The outline of database security is disappointing:
chapter six spends too much time on specific details, while almost ignoring
major concepts such as aggregation.

Chapter seven, the longest in the book, devotes excessive space to basic
communications technologies, including two copies of the section on
transmission methods.  Administration, in chapter eight, provides the usual
generic advice on planning, risk, and policies.  Intellectual property,
computer crime, and ethics are presented as problems with no solutions, in
chapter nine.  The closing chapter provides a whirlwind of the mathematics
related to cryptography in an impressive, disorganized, and basically
pointless display.

This book could definitely use a wholesale reorganization and cleanup.  The
level and tone of the content varies tremendously from section to section,
even within given chapters.  While most computer security topics appear
somewhere within the work, there is very little in the way of logical flow
or links between subjects.  Major areas seem to be thrown in with minor
sections simply because they had to be put somewhere.  In terms of
textbooks, I do not know that there is much to choose between this volume
and Bishop's "Computer Security: Art and Science" (cf. BKCMSCAS.RVW),
although Pfleeger and Pfleeger might have a slight edge.  Certainly
Gollman's "Computer Security" (cf.  BKCOMPSC.RVW) is superior to both.  And,
depending upon the course, Anderson's "Security Engineering"
(cf. BKSECENG.RVW) probably outranks them all.

copyright Robert M. Slade, 1993, 2003   BKSCNCMP.RVW   20030209
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
