The RISKS Digest
Volume 22 Issue 62

Monday, 10th March 2003

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Identity mixup: NZ teacher identified as prostitute
Ruth Berry via Max Power
The darkest side of ID theft
Bob Sullivan via Monty Solomon
Wrong man arrested after identity theft
Neil Youngman
Microsoft speaks, site goes dark
Joe Wilcox via Monty Solomon
Computer crashes threaten hospital operations
Monty Solomon
Toronto public health computer accidentally erases records
Chris Smith
Inappropriate HMI on medical device
Erling Kristiansen
Security firm shuttered by sabotage
Andrew Colley via Keith Rhodes
Sendmail flaw tests Homeland Security
Robert Lemos via Monty Solomon
Hackers access University of Texas database
Mike Swaim
You might just be a hacker if...
Andrew Orlowski via Tim Finin
Kevin Poulsen: Windows root kits a stealthy threat
Monty Solomon
FirstUSA/BankOne sends login ID & PW as clear text
Ric Cohen
Nigerian scams continue to thrive
Monty Solomon
Traffic lights don't work in the snow
Bob Copeland
Re: Computer error means 2.3-trillion-pound electricity bill
Michael Bacon
Re: Someone protecting patient data well
Edwin Culver
Re: BSA Accuses OpenOffice ftp sites of piracy
Fuzzy Gorilla
Re: Visa moves to improve customers' privacy
Brett Glass
Margie Wylie
New article on critical infrastructure risks
Fred Cohen
Info on RISKS (comp.risks)

Identity mixup: NZ teacher identified as prostitute

<Max Power <mikehack@u.washington.edu>>
Thu, 6 Mar 2003 18:14:45 -0800 (PST)

Michelle Garforth (Dunedin, NZ) applied to be registered as a teacher, after
finishing four years of training.  She was notified that she was "likely" to
be a prostitute convicted on four charges, including two assaults, based on
a computer match of her maiden name and birthdate.  Despite going to the
police and submitting to fingerprinting that demonstrated she was not the
person in question, she was not cleared until weeks later — after her local
Member of Parliament had intervened.  [Source: Prostitute mix-up shocks
teacher, by Ruth Berry, 06 March 2003; PGN-ed]
  http://www.stuff.co.nz/stuff/0,2106,2309649a7694,00.html


The darkest side of ID theft

<Monty Solomon <monty@roscom.com>>
Mon, 10 Mar 2003 09:49:24 -0500

Malcolm Byrd was confronted at home by three Rock County, Wisconsin,
sheriff's officers with a warrant for Byrd's arrest for cocaine possession,
with intent to distribute.  He tried to tell them that he was a victim of
identity theft.  So, he was handcuffed and taken away.  Again!

"This is the worst-case scenario for identity theft victims.  Losing your
clean credit history is one thing; losing your freedom is another.  And
victims of America's fastest-growing crime are discovering they often have
much more to worry about than the hundreds of hours of paperwork necessary
to clean up the financial mess associated with ID theft.  Sometimes, they
have to worry about ending up in jail - again and again."  [Source: ... When
impostors are arrested, victims get criminal records, Bob Sullivan, MSNBC, 9
Mar 2003; PGN-ed]
  http://www.msnbc.com/news/877978.asp


Wrong man arrested after identity theft

<Neil Youngman <n.youngman@ntlworld.com>>
Sun, 9 Mar 2003 19:55:25 +0000

A British man was arrested in South Africa and held for 2 weeks on an FBI
warrant after his identity was stolen by a fraudster. He was only released
after the real suspect was picked up in the U.S.
  http://news.bbc.co.uk/1/hi/england/2806827.stm


Microsoft speaks, site goes dark

<Monty Solomon <monty@roscom.com>>
Sat, 8 Mar 2003 17:28:46 -0500

Microsoft speaks, site goes dark, by Joe Wilcox, CNET News.com, 7 Mar 2003

In an uncommonly harsh application of a widely used Internet enforcement
tool, a Windows news site was taken offline for nearly 24 hours this week
after Microsoft accused the site of infringing its copyrights.

Neowin was shut down late Thursday and came back online Friday afternoon.

Microsoft's Internet investigator sent a takedown notice on Tuesday,
alleging the site was infringing the company's copyrights relating to its
recently released Windows XP Peer-to-Peer Software Development Kit (SDK),
apparently due to a message posted by a reader in an online feedback forum.

Such legal filings are routine. But in this case, the request turned into a
nightmare for Neowin when it was sent not to the site but to the upstream
Internet service provider responsible for Neowin's Web connection. That
provider responded by pulling the entire site offline. Neowin declined to
name the ISP, but a traceroute on the Neowin.net address showed Williams
Communications Group, now known as WillTel Communications, as its furthest
upstream provider. Sources later confirmed that Microsoft contacted the
closer upstream provider, Hurricane Electric Internet Services of Fremont,
Calif.

Neowin and its Web host, Invision Power Services Hosting (IPS), blamed
Microsoft for the incident, saying the software giant gave them no chance to
fix the problem before referring it to the ISP for more draconian measures.
[...]

http://news.com.com/2100-1025-991624.html


Computer crashes threaten hospital operations

<Monty Solomon <monty@roscom.com>>
Sun, 9 Mar 2003 00:28:12 -0500

Beth Israel Deaconess Medical Center was paralyzed for four days by a
computer crash in November 2002.  Dr. Peter Kilbridge, an independent
consultant who reviewed the incident at Beth Israel at the request of the
*New England Journal of Medicine* editor, Dr. Jeffrey Drazen, said even if
hospitals have policies in place to encourage the appropriate use of
computers, those policies are often ignored.  [Source: Associated Press,
7 Mar 2003]
  http://www.boston.com/dailynews/066/region/Computer_crashes_threaten_hosp:.shtml


Toronto public health computer accidentally erases records

<Chris Smith <smith@interlog.com>>
Mon, 10 Mar 2003 08:52:26 -0500 (Eastern Standard Time)

As reported in the 10 Mar 2003 *Toronto Star*, GTA section, page B5:

  "Health records feared erased"

  A computer fault may have accidentally erased the immunization records of
  thousands of Toronto school children, the city's public health department
  fears.  Last April, the department discovered that its immunization
  records information system was erasing files from among 425,000 student
  records, Dr. Barbara Yaffe, associate medical officer of health, said.
  "It appears it was randomly erasing files - and we don't know how many,"
  Yaffe said.

  The department tried to get technical help from the provincial health
  ministry, but its technicians were among the 45,000 Ontario civil servants
  taking part in a 54-day strike last spring.

I suppose this is better than the traditional health info problem of
accidental privacy breaches, but not by much. The department will have to
contact parents to have them supply — again — the immunization status of
their children in the above cases.

This is especially important since failure to ensure appropriate
immunizations can possibly result in suspension of children from school.

Article is online at...
  http://thestar.ca/NASApp/cs/ContentServer?pagename=thestar/Layout/Article_PrintFriendly&c=Article&cid=1035778928098&call_pageid=968350130169


Inappropriate HMI on medical device

<Erling Kristiansen <erling.kristiansen@xs4all.nl>>
Sat, 08 Mar 2003 20:38:46 +0100

I spent some time in a hospital recently. The patient next to me, a woman in
her late seventies, was being treated with a suction pump to remove fluid
from an infected operation wound.

This pump was a very neat, portable, lightweight device that allowed the
patient to move around relatively freely. After a few days, the patient was
sent home. A short instruction course was given to her and her husband, who
was about the same age.

The next day, she was back. In tears and very depressed. Her husband did
not accompany her: He had had a nervous breakdown.

They had been unable to figure out how to operate the pump.

I did not want to interfere directly, but tried to figure out from
conversations, events and casual inspection what the HMI of the pump looked
like. It was a menu-driven interface with a small LCD display and at least 4
push-keys. Activating the pump seemed to require at least 4 key-pushes, as
did resetting the alarm that went off if the device was not operating
properly for more than a given time. As far as I could figure out, some of
the 4 steps were actually going through menus that allowed one to re-configure
the operating parameters, so a real risk existed of accidentally changing
the setup.

A scenario that played out several times was: The patient wanted to go to
the bathroom at night; she disconnected mains power (switching from mains to
battery and back seemed to require operator intervention); after some 15
minutes, the alarm went off; pushing any key seemed to reset the alarm, which
then went off again 15 minutes later. And so on. The poor lady was so
embarrassed keeping other patients awake that she even tried to wrap the
device in towels to subdue the alarm!  Most of the medical staff did not
know how to operate the pump, either, so much confusion ensued, often
resulting in a trial-and-error scenario.

My remarks:

- A medical device designed to be operated by patients, and in particular
elderly patients, should have a very clear separation between configuration
HMI and routine operation HMI. The configuration HMI should be lockable or
mechanically shielded to prevent accidental operation.

- The patient HMI should be as simple as at all possible, preferably a
single on/off or enable/disable switch and a very clear indication whether
the device is operating.

- Alarm handling, if needed, should be simple and clear. In particular, when
reacting to an alarm, it should be immediately obvious whether the alarm
condition had been solved or persisted. A design where the alarm is reset,
just to re-appear after a time-out, because the underlying cause was not
resolved, is confusing.

- Switching between mains and battery power should be fully transparent to
the user.


Security firm shuttered by sabotage

<Keith Rhodes <rhodesk@gao.gov>>
Tue, 4 Mar 2003 04:09:21 -0800 (PST)

The enemy could be sitting next to you.  An Australian security firm was
forced to close due to a major internal security breach — reportedly caused
by a disgruntled employee.  [Andrew Colley, ZDNet Australia, 3 Mar 2003]
  http://zdnet.com.com/2100-1105-990747.html


Sendmail flaw tests Homeland Security

<Monty Solomon <monty@roscom.com>>
Wed, 5 Mar 2003 16:19:31 -0500

A critical flaw in Sendmail, the Internet's most popular e-mail server, has
become the first test for the newly minted Department of Homeland Security
and its cyberdefense arm.  The agency's Directorate of Information Analysis
and Infrastructure Protection (IAIP) worked with security company Internet
Security Systems, which discovered the flaw, and Sendmail Inc. to create a
patch while keeping news of the issue from leaking to those who might
exploit the vulnerability.  "Working with the private sector, we alerted key
owners of the vulnerable software and got them talking," said David Wray,
spokesman for the IAIP Directorate. "We think this is a great example of how
this should, and does, work."

Word of the vulnerability, which would let an attacker take control of a
Sendmail server and execute a malicious program, was more widely
disseminated Monday.  The Department of Homeland Security got high marks
from the security community for giving companies the necessary time to
create the patch and for synchronizing its release.  [...]

Robert Lemos, CNET News.com, 3 Mar 2003
  http://news.com.com/2100-1009-990879.html


Hackers access University of Texas database

<Mike Swaim <swaim@hal-pc.org>>
Thu, 06 Mar 2003 21:09:04 -0600

According to the *Houston Chronicle*, hackers were able to obtain
information, including Social Security numbers on 59,000 former and current
students, staff and faculty members between 26 Feb and 1 Mar 2003.  "The
theft was discovered Sunday evening by university computer systems employees
performing routine maintenance, Updegrove said. They immediately
disconnected the compromised database from the Internet, later hooking up a
database of useless information.  Computer logs indicate the information was
taken by a computer in Austin on Wednesday, Thursday and Friday last week
and by a computer in Houston on Saturday and Sunday, Updegrove said. He said
the intrusions were likely done by the same person or persons, he added."
The obvious risk is having a production system directly accessible from the
Internet.
  http://www.chron.com/cs/CDA/ssistory.mpl/front/1806724

  [Also noted by David Newman from the *Austin American-Statesman*:
    http://www.austin360.com/aas/metro/030603/0306uthack.html
    http://www.austin360.com/aas/metro/030603/0306uthack_update.html
  citing 55,200 SSN/Name pairs; David added
    "I admire the willingness of the VP to admit to a failure in his
    department. His honesty is refreshing in the Age of the Lawyers."
  Also noted by Fuzzy Gorilla from the same news account, from slashdot:
    http://slashdot.org/articles/03/03/06/1720224.shtml
  which again used the 59,000 number.  PGN]


You might just be a hacker if...

<Tim Finin <finin@cs.umbc.edu>>
Mon, 10 Mar 2003 01:30:25 -0500

... you vote the wrong way in Senate Majority Leader Frist's poll.  That 60% of the
Internet voters were against a pre-emptive invasion of Iraq doesn't seem
like evidence of hacking. Frist's site claimed that only one vote per person
was counted. I assume they had implemented a trivial "One IP address, one
vote" check, which, while subject to subversion, was probably more ok than
not.

  Senate Leader scraps Web site war poll, blaming hackers
  Andrew Orlowski, 7 Mar 2003
  http://www.theregister.co.uk/content/55/29654.html

Senate majority leader Bill Frist has yanked a "Bomb Iraq" poll from his Web
site.

Frist's office told The Register that "tampering" was to blame for the
removal of the poll, which asked "Should the United States use force to
remove Saddam Hussein from power? Your opinion is important to Senator
Frist."

"Clever computer programmers created a program that generated 8,700
votes in a day," a spokesperson told us. Which is where the mystery
really begins.

The spokesperson couldn't say whether the software was running inside
the firewall, representing a major breach of the Senate IT security,
or was a robot-style vote generator run by netizens.

The curious thing is that Frist's poll page already banned robots -
including the Wayback Machine, archive.org - from the
site. Respondents could vote once and then return to the site later to
change their vote; only the latest response would be counted.

"As you know government computers are constantly being attacked by
hackers," he suggested.

Nor could Frist's office explain why the Web site administrators simply
didn't exclude the votes they didn't want to count - Florida-style.

One correspondent has noted the increasing tally of No votes:-

"At 1:35 pm Washington DC time on March 6, the Frist site reported
31,118 responses to the war poll. Anti-war respondents (55%) had
gained a clear majority over pro-war respondents (44.6%). (These
figures do not quite add up to 100%, apparently because of the
rounding method used by Senator Frist's staff.)

"Within the hour, at 2:23 pm, the anti-war fever had risen, with 56.9%
anti-war, 42.9% pro-war. By 4:29 pm, according to a snapshot of the Frist
site, with 37,742 total responses, the anti-war vote registered
59.5%, with the pro-war vote ebbing at 39.8%."

The Senate site has been defaced before. Whether this represents a new
and more serious breach - as Frist's office suggests - we don't know.

But our enquiries continue.


Kevin Poulsen: Windows root kits a stealthy threat

<Monty Solomon <monty@roscom.com>>
Mon, 10 Mar 2003 09:16:00 -0500

Hackers are using vastly more sophisticated techniques to secretly control
the machines they've cracked, and experts say it's just the beginning.

By Kevin Poulsen, SecurityFocus Mar 5 2003 5:12AM

Barron Mertens admits to being puzzled last January when a cluster of
Windows 2000 servers he runs at an Ontario university began crashing at
random. The only clue to the cause was an identical epitaph carved into each
Blue Screen of Death, a message pointing the blame at a system component
called "ierk8243.sys." He hadn't heard of it, and when he contacted
Microsoft, he found they hadn't either. "We were pretty baffled," Mertens
recalls. "I don't think that cluster had bluescreened since it was put into
production two years ago."

Mertens didn't know it at the time, but the university network had been
compromised, and the mysterious crashes were actually a lucky break — they
gave away the presence of an until-then unknown tool that can render an
intruder nearly undetectable on a hacked system.  Now dubbed "Slanret",
"IERK," and "Backdoor-ALI" by anti-virus vendors, experts say the tool is a
rare example of a Windows "root kit" — an assembly of programs that
subverts the Windows operating system at the lowest levels, and, once in
place, cannot be detected by conventional means.  [...]
  http://www.securityfocus.com/news/2879


FirstUSA/BankOne sends login ID & PW as clear text

<Ric Cohen <cohen@aros.net>>
Thu, 6 Mar 2003 22:20:08 -0700

This afternoon, I attempted to review my credit card account by logging in
at: http://cardmemberservices.firstusa.com/index.jsp as I have for several
years.  My security software stopped the login and warned me that the Web
page was attempting to send my password as clear text. I phoned the number
on the Web page to report this, and eventually got to a low level
tech. After he said that no one in the company had changed the Web page
software for a long time, I pointed out this implied the Web site was
hacked. He said he would report the problem.  After an hour, I concluded
that this person didn't appreciate the fact that a hacker reading the login
information would also have access to credit card numbers.  I attempted to
access the same Web site, and was redirected to:
http://online.firstusa.com/bolHOME.aspx
-- which presented a Web page identical to that on the first Web site.  The
same problem appeared when I attempted to login.

The problem centers upon a risk I have wondered about for years. None of
BankOne's (or its subsidiaries') login Web pages begin on a secure https
page. They require you to enter your user ID and password on an insecure
http page, and this information is supposed to be encrypted immediately
prior to submission. They even have a friendly 'security help' page which
describes how this *should* work without problem.  I never trusted this
approach which is used on several Web sites, and that is why I use software
which monitors for passwords.

Because my software always stopped the login process as the password was
about to be sent, I decided to experiment.  I chose a nonsense login ID and
password, and set my software to look for them both (but allow them to be
sent to FirstUSA).  What I observed was both the ID and password text being
sent several times by TCP port 80, to the bank's IP 159.53.21.247.  Only
then did the Web page change to a secure page using port 443, and tell me
that it did not know me.

After this happened, I called a local bank branch just before closing time,
described the problem, and got a phone number for the 'Office of the
Chairman'.  I talked with someone who seemed intelligent, who seemed to
understand that credit card numbers could be stolen if someone were to make
use of customers' login information, and who seemed to agree that the
Web site should be shut down.  However, 6 hours later, I write this as the
Web site is still (dys)functioning as before.

The last time I logged into FirstUSA was Feb. 27 (without a problem).
Somewhere between then and today, their Web site was altered and who knows
what problems will eventually come of this.  FWIW, I attempted earlier to
login at http://www.bankone.com with my nonsense ID and PW.  They were
encrypted properly, and nothing at all was sent clear text. I have not
tried their other subsidiary's Web sites.

  [Added by Ric 7 Mar 2003:]

There is now a new Web site that requires login in a secure environment:
  https://online.firstusa.com/bank/bolLogin.aspx
However, the same Web site mentioned in the last note (which has existed for
years) still exists today and continues to transmit user login info as
clear text.


Nigerian scams continue to thrive

<Monty Solomon <monty@roscom.com>>
Sun, 9 Mar 2003 14:56:37 -0500

Cashier's checks, Iraqi plea add two new flavors to old story
By Bob Sullivan, MSNBC, 5 Mar 2003

Two new flavors of the age-old Nigerian e-mail scam are making the rounds,
and at least one of them appears to be gaining traction. Hundreds of victims
have recently fallen for a variation that plays upon people's
misunderstanding about how bank cashier's checks work. Meanwhile, other
scammers are trying to take advantage of heightened interest in Iraq, posing
as frightened Iraqis trying to move money out of that country before
hostilities begin. The scam also took a deadly turn last month, when a
victim in the Czech Republic allegedly shot and killed a Nigerian diplomat
after losing his life savings to the scam.  [...]
  http://www.msnbc.com/news/881169.asp


Traffic lights don't work in the snow

<Bob Copeland <bobc@ieee.org>>
Mon, 3 Mar 2003 21:43:03 -0500

In my area, northern Virginia, nearly every intersection is outfitted
with inductance loops — sensors for detecting when a large metal
object (often, a car) sidles up to a traffic light.  Ideally, this is
so it turns green more quickly for you, but of course in practice,
it usually turns green more quickly for the other guy.  Most of these
intersections operate in normal turn-based fashion but speed up or slow
down when cars are present.

However, at least one such light refuses to turn green unless there is
a car present.  Recently, a 24 inch snowfall and a snow plow conspired
to bury the sensor at that light under a mountain of ice, so when I
approached it last weekend, the car ahead of me and I had to stop in the
left turn lane.  After sitting at red for 2 cycles, we gave up and ran
it.  One more risk of driving in the snow!


Re: Computer error means 2.3-trillion-pound electricity bill

<michael_bacon@synigystic.com>
Sat, 8 Mar 2003 05:40:15 -0000
  (RISKS-22.61)

Two things in particular surprise me about this.  The first is that
apparently someone designed a system that would accommodate a consumer bill
reaching into the trillions of pounds.  The second is that there were
seemingly no validity (or common sense if the letter was hand-typed) checks
that detected a consumer bill many times the UK National Debt!

Of course this could be the same sort of "clerical error" that led Civil
Servants recently to claim that they had frozen a 'Bin Laden' bank account
containing £23.19 million.  The true figure was just 23 pounds and 19
pence!


Re: Someone protecting patient data well (RISKS-22.60)

<Edwin Culver <emculver@snet.net>>
Fri, 07 Mar 2003 13:27:27 -0500

In a similar story to Dr O'Keefe's:

When I was working in the aerospace industry, the method we had chosen for
making sure magnetic media no longer contained classified data was very
simple: remove the platters from the disk drives (or the floppies from their
sleeves or the tape from its reel) and sand blast the magnetic coating off.
We all thought this was a mite drastic, as a degausser should scramble all
the bits.

Sandblasting may be more subtle than the sysadmin at his university's
medical research group, but probably quite as effective.

The mistake was trying to recover the residual value of the disk drives.


Re: BSA Accuses OpenOffice ftp sites of piracy (RISKS-22.61)

<"Fuzzy Gorilla" <fuzzygorilla@euroseek.com>>
Thu, 06 Mar 2003 17:19:41 -0500

Unfortunately, they are not claiming, under penalty of perjury, that the
notification is accurate, only that they are authorized to "act in this
matter on behalf of the copyright owners listed above. [Microsoft]"

Basically, they cannot legally act on behalf of someone who has not given
them that authority.


Re: Visa moves to improve customers' privacy (RISKS-22.61)

<Brett Glass <brett@lariat.org>>
Thu, 06 Mar 2003 13:29:44 -0700

[Blanking out part of the credit-card number and the expiration date] has
already been the law in California for more than a year.  It would actually
cost them more not to have a uniform policy nationwide.


Re: Visa moves to improve customers' privacy (RISKS-22.61)

<Margie Wylie <mwylie@earthlink.net>>
Thu, 06 Mar 2003 12:51:00 -0800

[...] Many businesses are already complying, but the final deadline for
implementing the change is Jan. 1, 2004.
  http://www.bankrate.com/brm/news/cc/20010129a.asp


New article on critical infrastructure risks

<Fred Cohen <fc@all.net>>
Thu, 6 Mar 2003 18:34:23 -0800 (PST)

Your readers may be interested in:
http://all.net/
	=> InfoSec Baseline Studies
		=> Cyber-Risks and Critical Infrastructures

Fred Cohen - http://all.net/  fc@all.net  fc@unhca.com tel/fax: 925-454-0171
Fred Cohen & Associates	- University of New Haven - Security Posture
