Although it should be largely invisible to you, this issue is being sent out in a way that should dramatically simplify our processing of the steadily large number of e-mail bounces (including unresolvable black-hole bounces for no-longer-existing mail exchangers). This will enable us to more easily cull out the offending addresses. We will still be very conservative in not removing temporarily offending addresses. Please let us know if you find yourself inadvertently no longer receiving RISKS. Many thanks to Mike Hogsett, who has been superb in putting up with the strain that RISKS puts on our e-mail servers.
The *Yorkshire Post* reports that after a man had forgotten to pay an earlier electricity bill of 59 pounds from British Gas for a house in Fartown, Huddersfield, he received a final demand for 2,320,333,681,613 pounds. After he was threatened with court action, the local media intervened. At that point, British Gas admitted there had been a mistake, ``with a computer mixing up the reference number for the property.'' On the other hand, a BG spokeswoman was quoted as saying that it was a ``simple clerical mistake''. [PGN-ed] http://www.ananova.com/news/story/sm_756911.html
1,128 people over 60 are still waiting for their 200-pound winter fuel payments, two months after they should have been paid. The Department for Work and Pensions (DWP) told the BBC that the computer system which handles payments has 'lost' their records, and that they would have to trace back to the original applications. [Source: BBC, Money Box, Paul Lewis, 18 Feb 2003; PGN-ed] http://news.bbc.co.uk/1/hi/programmes/moneybox/2764451.stm
[Source: Article by Terry Horne <firstname.lastname@example.org>, telephone 1-317-444-6082, *The Indianapolis Star*, 28 Feb 2003; PGN-ed] http://www.indystar.com/print/articles/3/025875-2223-P.html (another story at: http://www.sagamore.iupui.edu/32/32-24/24hacker.html) About 7,000 patients of the Indiana University Center for Sleep Disorders have had the confidentiality of their Social Security numbers and other personal information compromised by a hacker who broke into the center's computer on 27 Nov 2002, although it was not discovered until 3 Jan 2003. Reportedly, there is no evidence any identities were stolen or even that files were offloaded. Intent had apparently to use this computer system as a bridge to other university computers. [This intrusion might have caused some additional sleep disorders after the patients were notified. PGN]
A Princeton student tried PNC's new Internet banking Web site to check his student organization's funds and found he could access *all* of the university's accounts holding almost $10 million in total. The student organization used the same taxpayer ID number as the rest of the university, and the bank's Web site used the ID to link the records. http://story.news.yahoo.com/news ?tmpl=story2&cid=816&ncid=816&e=5&u=/ap/20030306/ap_on_fe_st/banking_glitch
A Krispy Kreme doughnut shop in Albuquerque seemingly greased its coffers while figuratively deep-frying over two dozen customers. Irrespective of what they ordered, each of 28 customers using a credit card were charged EXACTLY $84,213.60 for the purchase. KK blamed Heartland Payment Systems, which processes their credit-card transactions. [Source: KRQE News 13, Albuquerque, N.M., 19 Feb 2003; PGN-ed] http://www.krqe.com/Global/story.asp?S=1140274 [These charges were actually APPROVED, and of course also blew the customers' credit ratings for a few days. Amazing! ``The $84,000 charge, were it legitimate, would have purchased over 170,000 ... doughnuts, enough to stretch over 9 miles if placed end-to-end.'' (But a few days later, the doughnuts might have settled into substantial paving bricks. Or do Krispy Kremes have a shelf-life of years, like the bread and chocolate used in Des(s)ert Shield?) Of course, stacked vertically, they would reach almost 2 miles high. Somehow, the name ``Heartland'' seems incompatible with the concept of Krispy Kremes, unless it is related to a hospital with the same name. PGN] [Three sentences back, I have added "(s)" in the archive copy, inspired by Mike Yuhas. PGN]
Visa International (with over 1 billion credit cards in circulation) is introducing a new company policy today prohibiting the display of all but the last four digits of a credit-card number on consumer receipts, a move intended to better protect customers' privacy and reduce identity theft. The policy will also remove the expiration date from receipts. The newly proposed Senate Identity Theft Protection Act would make this policy mandatory for all credit-card companies. (Since 2000, identity theft has consistently been the most common complaint to the Federal Trade Commission, with over 160,000 complaints in 2002.) [Source: Chris Baker, *The Washington Times*, 6 Mar 2003; PGN-ed] http://washingtontimes.com/business/20030306-3647521.htm
An interesting story in a Danish newspapar (in danish,alas) http://www.bt.dk/Forside.pl?aid=130204 A postman intercepted the new credit card sent to a bank client and waited a few days and then intercepted the pincode also. The postman made a copy of the credit card and read the pincode before delivering the card and pincode a few days later to the client. Then he waited a few months. The postman was caught because he used the card excessively in a 14-day period, stealing the equivalent of 24.000 euro. [That's 24,000 euro in English. PGN] The problem here is that all Danish credit cards and pincodes are issued from one location in plain envelopes with a return address. A postman can easily identify the cards and pincode letters. The pincode is printed in a tamperproof envelope, but affixing a "sorry, the envelope was damaged during handling" from the Postoffice will fool the average customer. [Plural of "euro" (euro) corrected in archive copy. PGN]
On Japanese TV nightly news, I just learned that a large Japanese credit corporation, called Orient Corporation, fired a local branch manager-level senior employee who had leaked the list of about 15,000 customers with credit card usage, etc. to a member of a Japanese gang syndicate, who in turn blackmailed the company and demanded 200,000,000 YEN. Both were arrested by police today. Computers have made it so easy to steal such large list of customer information (to wit, involving 8 million credit-card users in the past couple of weeks). If such weakness is employed by an insider, then it would be really difficult to protect such information at all. In this case, it was a senior employee, who was second in command to the local branch manager, and so my hope of protecting such information from abuse is now getting very thin. Orient Corporation web page (in Japanese) http://www.orico.co.jp/orico/index.asp PS: At least, this company is quick to publicize the response to this incidence: the web page has a link to this blackmailing incident. Oh, wait, the link failed to show the contents yet. Since the arrest was announced only a couple of hours ago, maybe the web site is going through change at 21:00. I saw the TV news only about 10 minutes ago.
On March 6th, two men have been arrested for illegally transferring 16 million YEN from someone's CityBank online banking service account to a third party account and then take the money from it, Tokyo police announced. From the descriptions of newspaper articles, it seems that one of the culprits has installed keyboard sniffer programs on about hundred PCs at a dozen or so Internet Cafes in Tokyo and Kanagawa prefecture (south of Tokyo). He has regularly visited the cafes and brought back the recorded data with him, and searched for ID/password, and other identification information. At the charged man's home, the police has found ID/password for 719 accounts, and about a couple of hundred user profiles meant for dating services. One such ID/password for a man's City Bank online banking service was used to transfer 16 million Yen to a different account at another bank from which the money was withdrawn. This is the first time that a keyboard sniffer is implicated in a large scale ID theft in Japan, from what I know. It beats me, though, why anyone wants to use a PC at Internet cafe for one's banking service. (We should assume doing something on it, like writing a memo, for example, is akin to writing on a memo pad on a desk at a public library under which a carbon paper may be secretly placed to record information and we never know. For that matter, even without the carbon paper, we often can see the telephone number, etc. left by the previous user by looking at the indented marks on the next paper sheet, don't we? ) I think the general public should be taught more about the security implications of various Internet services, which may look useful and handy on the surface, but may not be so attractive if the security implications are taken into account. I think it should be the responsibility for the service provider to tell such risks, but I am not sure how to go about writing a law because "risk" is a relative thing. This has been a busy week for computer security professionals in Japan. First the computer system for handling nations's flight plans collapsed on the morning March 1st. Then a large credit card company, Oriental Corp., announced the leak of 15,000 user profiles to a member of an underground gang group who blackmailed the company and was arrested. Then this incident. I hope the general public will start to pay more attention to the computer security issues thanks to these high-profile incident. (The ID theft using keyboard sniffer was the front page head line article in the evening edition of *Asahi Shimbun*. It occupies about 1/5 of the paper and is very conspicuous.)
Excerpts, FG-highlights and PGN-ed summarization of a long item from 11Alive News, Jennifer Leslie, 30 Jan, 10 Feb, 24 Feb 2003: http://www.11alive.com/news/news_article.asp?storyid=27020 http://www.11alive.com/news/news_article.asp?storyid=28128 "In the first part of this report, 11Alive News Investigative Reporter Jennifer Leslie focused on problems with some information in the National Criminal Information Computer System that led to as many as 25 percent of all arrest warrants in Metro Atlanta being inaccurate and incomplete or invalid. In the second part, Leslie's report focuses on what happens when police officers arrest the wrong person because of problems in the system." Highlights (FG): * As many as 25 percent of all arrest warrants in Metro Atlanta are inaccurate, and incomplete or invalid. This average is eight times the national average. * It is easy to confuse two people that share part of a name in common. * It is easy to have cascading errors — once the name was wrong, someone else added a wrong SSN. * Guilty until proven innocent — if you lose your receipt, you can spend a long time trying to correct a mistake. * It is hard to justify success/failure rates if no records are kept. Mistaken identity (PGN-ed): * Melissa Long (8.5 months pregnant) and her husband were stopped by police for a missing license plate. After an NCIC check, she was handcuffed and jailed for 10 hours in a 6x8 cell with five other women, supposedly for an outstanding warrant for domestic violence. It was eventually realized that the warrant was for someone else with the same name, but different middle names and birth dates. The Sheriff's office had added to the confusion by putting the wrong SSN on the NCIC warrant and leaving other information unspecified. Because she was already in the county computer as a witness in an unrelated case, the police used THAT info to fill out her arrest warrant! Expired warrants (PGN-ed): * Innocent people across Metro Atlanta are going to jail because their old arrest warrants were never taken out of a statewide computer system. * Nicole Thomas needed a criminal background check to apply for a job as a teacher at her son's daycare center in August 2001, As a result, she was jailed — because of a warrant for an expired tag. But that warrant should have been withdrawn because she had already paid the fine. (She was not allowed the customary phone call.) * One other similar case discussed in detail. * Procedures to prevent this kind of abuse are not followed. Error rates for the 11 metro departments: Atlanta Police Dept. 2001 18% 1999 1.8% Cherokee County Sheriff's Dept. 2002 16% 2000 22% Clayton County Sheriff's Dept. 2001 21.6% 1998 16% Cobb County Sheriff's Dept. 2001 22% 1998 22% Dekalb County Sheriff's Dept. 2000 57% 1998 40% Douglas County Sheriff's Dept. 2001 7% 2000 22% Fayette County Sheriff's Dept. 2000 0% 2002 0% Fulton County Sheriff's Dept. 2000 80% (more recent audit shows 5%) 1998 28% Gwinnett County Sheriff's Dept. 2001 28% (more recent audit shows 6.6%) 1999 31% Henry County Sheriff's Dept. 2002 20% 2000 30% Smyrna Police Dept. 2001 16% 1998 16%
(PGN-ed, RISKS-22.60) I wish you had read the article a little more carefully. As I live in Alabama I followed this story carefully. The time line is that on election night the unofficial total posted to the press by the county showed Don Siegelman(D) as winning. This was considered suspicious as the county is question tends to vote heavy Republican. It was determined that while the precinct totals were correct, the overall total (which was not official) was wrong by 6300 votes in Siegelman's favor. When corrected, Bob Riley(R) was the winner of the county and the state. *The Mobile Register* article is consistent with the above. It says the cartridge that was used to get the first night total (Siegelman wins) was in error and the ballot count backed up the eventual (Riley) winner. The question is how the cartridge used to get the unofficial totals the first night went bad. To sum it up, the person who got the most votes DID win.
(Pennington, RISKS-22.61) Many thanks to Dale. I'm glad to be able to correct the RISKS record. I reread the original article repeatedly, and I can see why I reached a misinterpretation in my conclusions. The article was ambiguous as to how the final official count was reached. In this case, the overall process is complicated, with integrity and reliability risks throughout — relating to the optical-scan ballots, the local tabulation device that scans them, the cartridge that records the local results, the paper record of the local results, the aggregate centralized counting process, and the resolution of any conflicts. Here are two of the relevant paragraphs from the cited article. Initial, unofficial results from Baldwin County showed that Democrat Don Siegelman garnered about 19,070 votes in the county, enough to give him a razor-thin victory over Republican challenger Bob Riley. The next morning, however, officials said those totals were inaccurate and certified returns giving Siegelman about 6,300 fewer votes — enough to swing the election to Riley. [...] Officials have traced the problem to a data pack from the Magnolia Springs voting location. They said the vote-counting machine there printed out accurate results when the polls closed at 7 p.m. But they said the cartridge, which resembles an eight-track cassette, gave bogus figures when it was plugged into the computer in Bay Minette. An important conclusion from this case remains. In the absence of an actual recount of the hardcopy ballots (which is especially a problem with all-electronic voting systems in which there is no voter-verified paper record), there remain questions as to whether there was fraud or error. In this case, the detected discrepancy among the paper counts, the cartridges, and the final total forced a reassessment (but not a recount). But in cases of disagreement, it is important to be able to ascertain what is correct. The deeper implication of this case is of course that in the absence of meaningful audit trails and voter-verified ballots or ballot images, the entire election process can be subject to unresolvable questions. In all-electronic systems, the absence of a voter-verified ballot image makes it possible in any voting machine for the electronic totals at the end of the day to agree completely with the printed totals, but for both of them to be seriously in error, for any of a variety of reasons.
The Ministry Web page finally had a short comment about the incident (in Japanese, of course) on 3 Mar, whereas the incident occurred on 1 Mar. I know it was a weekend, but since I noticed a well-attended press conference about the incident over TV, I would think a brief transcript of the presentation would have been enough and useful to put on the Web to the many Japanese who tried to learn what was going on on Saturday. The following is the short notice, mostly the expression of the apology, not much detail about the technical problem which I learned from newspaper articles. http://www.mlit.go.jp/koku/030301.html
Since they state "the information in this notification is accurate and states, under penalty of perjury, that it is authorized to act in this matter" then, considering that the information is patently false, to which jurisdiction do we report their perjury? The EU courts, the US courts? Perhaps both? Is it possible to commit perjury when you aren't testifying? Sigh. The computer-related risk here is enormous. Dependence on computers is apparently making a significant fraction of the population incurably stupid.
The IEEE Computer Society has created a new magazine called "Security and Privacy" specifically for the security community: http://www.computer.org/security/ The magazine intends to present a balanced mix of scientific research and practical security discussion. One key aim is to cut through the security hype promulgated by commercial trade magazines. The first issue came out last month. The editorial board is eager to publish cutting edge research in the peer-reviewed section of the magazine. Send your best papers to <email@example.com>. Also as a member of the task force, I welcome candid feedback via e-mail. [URL fixed in archive copy. PGN]
BKSCNCMP.RVW 20030209 "Security in Computing", Charles P. Pfleeger/Shari Lawrence Pfleeger, 2003, 0-13-035548-8, U$79.00/C$122.99 %A Charles P. Pfleeger %A Shari Lawrence Pfleeger firstname.lastname@example.org %C One Lake St., Upper Saddle River, NJ 07458 %D 2003 %G 0-13-035548-8 %I Prentice Hall %O U$79.00/C$122.99 +1-201-236-7139 fax: +1-201-236-7131 %O http://www.amazon.com/exec/obidos/ASIN/0130355488/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0130355488/robsladesinte-21 %O http://www.amazon.ca/exec/obidos/ASIN/0130355488/robsladesin03-20 %P 746 p. %T "Security in Computing" This work is still obviously a textbook. The attempts to target it at a "professional" audience are possibly more convincing than in the first edition, but it still reads like a text, and includes material that is addressed at a scholastic, rather than experienced, audience. Even as a textbook it difficult to say that it succeeds. It addresses a broad range of computer security related topics, although there is a notable shortage of material dealing with formal security models, access concepts, operational procedures, physical security, and business continuity. The level of detail in the different areas varies greatly, but the shortcomings of the book could be addressed in the hands of a competent teacher. The ten chapters in the book are not divided into parts, but seem, in some cases, to come in chunks. The introductory chapter is an overview of basic concepts involved with system security. Unfortunately, not all of them are explained fully. The idea of controls, for example, is a vital one, but the full ranges and types of controls are not outlined. There are also some not-quite-standard additions to the lexicon, such as an attempt to divide threats into four classes: interception, interruption, modification, and fabrication. It is difficult to see why fabrication is added to the list, or why this provides a clearer view of threats than simply looking to the opposites of confidentiality, integrity, and availability. Cryptography starts in chapter two (and, oddly, ends in chapter ten). The early coverage steps through different types of simple encryption algorithms, followed up by cryptanalysis of the same. It strenuously avoids using any arithmetic, which makes discussions of key sizes and strengths a bit difficult, but throws in lots of symbolic logic, which seems to serve only to cloud the issue. Chapter three starts what might be seen as a section on secure systems development. This is an important, and often neglected, topic, and is generally covered reasonably well. However, the material is not always completely clear and rigorous. For example, it is implied that Thompson, rather than Cohen, was the first to investigate viruses. Leaving aside the fact that Cohen's work started a year before Thompson's lecture (only the date of Cohen's graduation is given), Thompson's thought experiment proposed only an extremely limited form of reproduction. Again, when discussing covert channels, both the terms "timing channel" and "storage channel" are used, but all the examples given relate only to timing channels. Operating system protections are supposed to be covered in chapter four, but the content is an odd amalgam of computer architecture and high level access control. In regard to designing trusted operating systems, chapter five starts with a very poor outline of formal models (the test is not clear, and, again, the addition of symbolic logic fails to assist in the tutorial), presents a fair review of operating system requirements, and then spends a lot of time going over various evaluation criteria, without presenting much content of any use. The outline of database security is disappointing: chapter six spends too much time on specific details, while almost ignoring major concepts such as aggregation. Chapter seven, the longest in the book, devotes excessive space to basic communications technologies, including two copies of the section on transmission methods. Administration, in chapter eight, provides the usual generic advice on planning, risk, and policies. Intellectual property, computer crime, and ethics are presented as problems with no solutions, in chapter nine. The closing chapter provides a whirlwind of the mathematics related to cryptography in an impressive, disorganized, and basically pointless display. This book could definitely use a wholesale reorganization and cleanup. The level and tone of the content varies tremendously from section to section, even within given chapters. While most computer security topics appear somewhere within the work, there is very little in the way of logical flow or links between subjects. Major areas seem to be thrown in with minor sections simply because they had to be put somewhere. In terms of textbooks, I do not know that there is much to choose between this volume and Bishop's "Computer Security: Art and Science" (cf. BKCMSCAS.RVW), although Pfleeger and Pfleeger might have a slight edge. Certainly Gollman's "Computer Security" (cf. BKCOMPSC.RVW) is superior to both. And, depending upon the course, Anderson's "Security Engineering" (cf. BKSECENG.RVW) probably outranks them all. copyright Robert M. Slade, 1993, 2003 BKSCNCMP.RVW 20030209 email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
Please report problems with the web pages to the maintainer