The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 80

Wednesday 16 July 2003

Contents

Helios loss
Peter B. Ladkin
Error In e-mini Dow Futures creates havoc at CBOT, CME
Conrad Heiney
A Virginia law aids identity theft victims
Michael D. Shear via Monty Solomon
David Nelson and CAPPS II?
Rob Slade
Man charged in e-mail stalking of anchor
Rick Jervis via Monty Solomon
Has your PC been hijacked to spread pornography?
NewsScan
Remotely disabling PCs as an anti-theft measure
Nick Brown
Walk-By Hacking
Erik Sherman via Monty Solomon
Secure eBay password changes
Scott Ehrlich
Adobe Acrobat and PDF security: no improvements for 2 years
Monty Solomon
Bank advises ActiveX is a security product
Charles Williams
"Complex" security -- what hope mere mortals?
Ben Low
New Kind of Snooping Arrives at the Office
Marci Alboher Nusbaum via Monty Solomon
Canada and the FTC Do Not Call list
Tony Harminc
Washing machine does the right thing after power outage
Erik Klavon
Sony recalling some Vaio laptops for shock risk
Monty Solomon
Re: "Soft walls" = dangerous avionics?
Thomas Wicklund
Robert Woodhead
Re: RFID Site Security Gaffe ...
Crispin Cowan
Re: The risks of assuming things: German payrolls
Josef Janko
REVIEW: "Computer and Intrusion Forensics", George Mohay et al.
Rob Slade
Info on RISKS (comp.risks)

Helios loss

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Wed, 16 Jul 2003 22:28:22 +0200

The Helios solar-powered flying wing was lost in June in the Pacific just
west of the Hawaiian Islands, whence it was flying, due to "control
difficulties that resulted in severe oscillations" at about 3,000 ft
altitude [1]. The craft set an altitude record for propeller-driven craft of
nearly 100,000 ft in its previous set of flights for NASA.

Helios is (rather, was) extremely lightweight and remote-piloted. Lots of it
has been recovered from the ocean, but the fuel-cell system, reported to
cost $10m, sank in about 1,800m of water and is unlikely to be recovered.

The National Research Council Committee on the Effects of Aircraft-Pilot
Coupling [APC] on Flight Safety reported in 1997 that, although APC events
are rare, they occur "at some point during the development of almost all FBW
[Fly-By-Wire] aircraft" and notes that they are often associated with the
introduction of new technologies [2, p6], of which the Helios is one of the
more remarkable.

[1] Guy Norris, Helios board looks at cause of 'severe oscillations',
Flight International, 15-21 July, 2003, p26.

[2] National Research Council, Committee on the Effects of Aircraft-Pilot
Coupling, "Aviation Safety and Pilot Control", National Academy Press, 1997.

Peter B. Ladkin, University of Bielefeld, Germany
http://www.rvs.uni-bielefeld.de


Error In e-mini Dow Futures creates havoc at CBOT, CME

<"Conrad Heiney" <conrad@fringehead.org>>
Thu, 3 Jul 2003 14:16:01 -0700

The *Wall Street Journal* reported today that a mistaken order on the
Chicago Board of Trade's "e-mini Dow Jones Industrial Average Futures"
caused wild market swings today.

Apparently an order to sell 10,000 contracts instead of 100 was put in by
mistake. This caused the market, which had been on the upswing that day, to
plunge downwards in both the Chicago Board of Trade and the Chicago
Mercantile Exchange. Several traders reported assuming that some bad news
such as a terrorist attack had sparked the sell-off.

The RISK of a typo on an electronic system causing financial havoc is
once again made clear.

Conrad Heiney  conrad@fringehead.org  http://fringehead.org


A Virginia law aids identity theft victims

<Monty Solomon <monty@roscom.com>>
Sun, 13 Jul 2003 22:25:39 -0400

By Michael D. Shear, *The Washington Post*, 13 Jul 2003

Federal and state police put the handcuffs on 32-year-old Angel Gonzales in
front of his wife and two young children just as the neighborhood school bus
pulled up. ''We're taking your father to jail,'' they told his 6-year-old
daughter, walking Gonzales to the cruiser as his neighbors gawked.  The
police had nabbed Gonzales, who lives in the Tidewater area of Virginia, on
a Las Vegas fugitive warrant on cocaine charges. The warrant said he was
armed and dangerous.

Ambur Daley, 27, was arrested in a North Carolina airport as she returned
from visiting her grandmother in Canada. The Staunton, Va., resident was
booked, fingerprinted, and kept overnight in jail, accused of writing bad
checks.

In fact, neither Daley nor Gonzales had done anything wrong. The crimes they
were accused of were committed by phantoms -- identity thieves who have
stolen their names, Social Security numbers, addresses, and telephone
numbers. Dependent on electronic records in databanks, police across the
nation were chasing the wrong people.

Both now have a Virginia Identity Theft Passport, the first two victims to
participate in a program aimed at giving people such as Daley and Gonzales a
fighting chance in convincing police of their innocence. A state law
creating the program took effect July 1.  Issued by a judge and bearing the
seal of Attorney General Jerry W. Kilgore, the passport is intended to aid
Virginia residents who are the victims of identity theft.  ...

  http://www.boston.com:80/dailyglobe2/194/nation/A_Virginia_law_aids_identity_theft_victims+.shtml


David Nelson and CAPPS II?

<Rob Slade <rslade@sprint.ca>>
Mon, 14 Jul 2003 12:18:20 -0800

According to a story in the "This is True" mailing list, based on another
from the *Los Angeles Daily News*, 6 people in the Los Angeles area, 18 in
Oregon, and 4 in Alaska, all with the name David Nelson, have been pulled
from commercial flights even after passing security checks.  The
Transportation Security Administration is quoted as saying that the name is
not on any list, but that pattern matching technology is flagging the name.
Does anyone have any further information on this phenomenon?

rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Man charged in e-mail stalking of anchor

<Monty Solomon <monty@roscom.com>>
Wed, 16 Jul 2003 02:39:05 -0400

Tonny Horne, an Indiana man who thought Chicago WFLD (Channel 32) news
anchor Tamron Hall was talking to him through his television set, and who
showered her with affectionate and obscene e-mails for two years, will be
among the first people charged under Illinois' 2001 cyberstalking law.  A
grand jury indicted him on charges of cyberstalking and criminal
trespassing.  He had been arrested on 16 Jun 2003 outside the Chicago Fox
studios.  If convicted, he could face 2 to 5 years in prison.  [Source:
article by Rick Jervis, *Chicago Tribune*, 13 Jul 2003; PGN-ed]
  http://www.chicagotribune.com/technology/chi-0307130506jul13,1,2009477.story


Has your PC been hijacked to spread pornography?

<"NewsScan" <newsscan@newsscan.com>>
Fri, 11 Jul 2003 09:40:42 -0700

Computer security expert Richard M. Smith says that in the last month
network vandals (possibly linked to Russian organized crime) have found ways
to take over PCs with high-speed connections to the Internet and use them,
without their owners' knowledge, to send Web pages advertising pornographic
sites. Smith says that "people are sort of involved in the porno business
and don't even know it." Most PC owners don't know when their computers have
been hijacked and the hijacking apparently doesn't damage the computer or
disrupt its operation. Because so many different machines are hijacked to
perpetrate this scheme, there's no single computer that can be shut down to end
the problem. Smith adds: "We're dealing with somebody here who is very
clever." (*The New York Times*, 11 Jul 2003; NewsScan Daily, 11 Jul 2003)
  http://partners.nytimes.com/2003/07/11/technology/11HACK.html


Remotely disabling PCs as an anti-theft measure

<BROWN Nick <Nick.BROWN@coe.int>>
Fri, 30 May 2003 16:04:59 +0200

ZDNet reports yet another attempt to "discourage PC theft":

http://zdnet.com.com/2100-1105_2-1009807.html

A short extract:

"Every time a computer outfitted with TheftGuard connects to the Internet,
it pings the TheftGuard site. A computer-theft victim can register the
machine at the site. If the stolen machine is brought online, the original
owner can arrange to have the machine crippled or crippled with all data
erased, and can determine the Internet Protocol address used--which can help
in hunting down the thief."

Naturally:
- The TheftGuard site can and will never, ever be hacked - or even a
  tempting target for hackers;
- Extensive checks will be put in place to ensure that only the registered
  owner of a PC can call in to say it's been stolen (perhaps they'll ask for
  your SSN ?);
- The world's law enforcement agencies have thousands of officers just
  standing by reports saying "the person who used IP address A.B.C.D at
  <timestamp> is a thief; go get them !".

Nick Brown, Strasbourg, France

  [Now, that is nice sarcasm.  PGN]


Walk-By Hacking

<Monty Solomon <monty@roscom.com>>
Sun, 13 Jul 2003 12:28:15 -0400

Erik Sherman, *The New York Times*, 13 Jul 2003

''We've got 12 . . . wait, 13. Another just came in!''

On the hunt for 30 seconds, Gary Morse is jazzed. We've walked about 45 feet
down Avenue of the Americas in Midtown Manhattan, and he has been counting
the number of chirrups coming from the speaker of his hand-held
computer. Each represents potential prey: wireless networks in the offices
and apartments above us. So far, we have had more than a dozen chances to
sneak Internet access, reap user ID's and passwords and otherwise peer into
the private affairs of individuals and businesses.

Morse is an expert -- president of Razorpoint Security Technologies Inc., a
computer security consulting firm that helps companies find their weak spots
and fix them -- and a self-described ''professional hacker.'' He knows
dozens of tricks to ease his way into any of the networks he has found. Most
users don't realize that left untended, the wireless technology that can
quickly connect computers will literally broadcast every bit of transmitted
information to anyone with a computer and a $40 wireless networking card.

The software package running on Morse's hand-held is called Kismet, from a
Turkish-derived word meaning fate. The program uses the wireless card like a
police band scanner, noting each wireless network that makes its presence
known. ''I could put it in my pocket and record all the networks without
anyone seeing,'' he says. The program is available to security experts and
would-be hackers for a perfectly legal and free download.  ...

http://www.nytimes.com/2003/07/13/magazine/13HACKING.html


Secure eBay password changes

<se@panix.com (Scott Ehrlich)>
15 Jul 2003 19:31:53 -0400

  [Cf. the item by Paul Festa via Monty Solomon in RISKS-22.40.  PGN]
    http://catless.ncl.ac.uk/Risks/22.40.html#subj3

eBay's Web site allows for SSL (https -- i.e., secure) logins, but non-SSL
(http -- i.e., insecure) password changes.

A recent visit to half.com, an eBay company, provides for SSL logins,
and, to my surprise, an SSL password change screen.  I promptly changed my
password using half's SSL form, logged out, then logged into eBay via SSL
using my new password from half.com, and it took.

So, even if eBay doesn't change their 'Change Password' form [back] to
SSL, we can still use half.com's form and do it securely.

Now watch - I say this and half.com will magically remove SSL capability
from its password change form.
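A check for the situation Scott describes, added here as an example and not part of the original post: a page served over https whose password form posts to an http URL. The script parses a page's forms and flags any that contain a password field but would submit over cleartext (or via GET, which puts the secret in the URL). The page URL and HTML below are constructed for illustration and are not eBay's or half.com's markup.

```python
"""Flag forms that would send a password over plain HTTP.

Added example, not from the original RISKS post.  SAMPLE_URL and
SAMPLE_HTML are constructed to mimic an https page whose 'change password'
form posts to an http: URL."""
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urljoin, urlsplit


class PasswordFormAuditor(HTMLParser):
    """Collect every <form> that contains an <input type="password">,
    together with the absolute URL and method its submission would use."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.current: Optional[dict] = None
        self.findings: List[dict] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page URL itself,
            # so resolve relative to the page to learn the real scheme.
            action = urljoin(self.page_url, a.get("action") or "")
            self.current = {"action": action,
                            "method": (a.get("method") or "get").lower(),
                            "has_password": False}
        elif tag == "input" and self.current is not None:
            if (a.get("type") or "text").lower() == "password":
                self.current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self.current is not None:
            if self.current["has_password"]:
                self.findings.append(self.current)
            self.current = None


def insecure_password_forms(page_url: str, html: str) -> List[str]:
    """Return the action URLs of password forms that would leave the
    browser in cleartext.  A GET form is flagged regardless of scheme
    because the password would land in the URL (logs, referers, history)."""
    auditor = PasswordFormAuditor(page_url)
    auditor.feed(html)
    bad = []
    for form in auditor.findings:
        if urlsplit(form["action"]).scheme != "https" or form["method"] != "post":
            bad.append(form["action"])
    return bad


# Constructed sample: the login form is fine, the password-change form is not,
# and the search form has no password field at all.
SAMPLE_URL = "https://account.example.com/settings"  # hypothetical page URL
SAMPLE_HTML = """
<form method="post" action="https://account.example.com/login">
  <input name="user"><input type="password" name="pass">
</form>
<form method="post" action="http://account.example.com/changepw">
  <input type="password" name="old"><input type="password" name="new">
</form>
<form method="post" action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for url in insecure_password_forms(SAMPLE_URL, SAMPLE_HTML):
        print("password form submits insecurely to", url)
```

The point of resolving the action against the page URL is that an https login page with `action="/changepw"` is fine while the same page with `action="http://..."` is not; the scheme of the page you are looking at says nothing about where the form will send the password.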


Adobe Acrobat and PDF security: no improvements for 2 years

<"monty solomon" <monty@roscom.com>>
Tue, 8 Jul 2003 11:58:00 -0400

Software released in 2003 contains vulnerabilities disclosed in 2001
8 Jul 2003

Summary:
In early 2001, we discovered a serious security flaw in Adobe Acrobat
and Adobe Acrobat Reader. In July 2001, we briefly described it in the "eBook
Security: Theory and Practice" talk at the DefCon security conference. Since
there was no reaction from Adobe (though an Adobe representative attended
the conference), we reported this vulnerability to CERT in
September 2002 (after more than a year), still not disclosing technical
details to the public. Only in March 2003 was CERT Vulnerability Note
VU#549913 published, and a week later Adobe responded
officially (for the first time) by issuing Vendor Statement JSHA-5EZQGZ,
promising to fix the problem in the new versions of Adobe Acrobat and Adobe
Reader expected in the second quarter of 2003. When these versions
became available, we found that, though some minor improvements had
been made, the whole Adobe security model is still very vulnerable, and so
sent a follow-up to both CERT and Adobe. Both parties failed to respond.
Full story:
  http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0011.html


Bank advises ActiveX is a security product

<Charles Williams <C.D.H.Williams@exeter.ac.uk>>
Tue, 8 Jul 2003 19:26:56 +0100

The Internet bank Egg <http://www.egg.com/> has just sent me an
unsolicited leaflet (EP1996 06/03) trying to induce me to sign up for
its account aggregation service. Step 2 of its four-step procedure
says:

"Read and accept the terms and conditions. Then download a piece of
software from Microsoft, called ActiveX. This acts like a digital
safe and sits on your PC protecting your password and log in details."

How many of Egg's customers have now installed ActiveX in the belief
that it is a security product?


"Complex" security -- what hope mere mortals?

<Ben Low <ben@bdlow.net>>
Tue, 15 Jul 2003 14:18:36 +1000

The Center for the Study of Complex Systems (CSCS) at the University of
Michigan appears to be staffed with competent, knowledgeable people who
study "complex systems".

Yet their Computer Lab Security page at
http://www.pscs.umich.edu/lab/security.html advises the user, when faced
with a ssh host key change warning (potential "man in the middle" attack) to
essentially ignore the warning, and to simply delete the offending key.

When a group studying "complex systems" has difficulty dealing with the
issues of computer security, what hope do mere mortals hold?
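The check the lab page skips, as an added example that is not part of the original post: when ssh reports a changed host key, the right move is to compare the fingerprint of the key now being presented with one obtained out of band (from the server's administrator, a console session, or a published list), and only then replace the stale known_hosts entry. The Python below does that comparison with the standard library alone; the fingerprint it computes is the same SHA256 form that `ssh-keygen -lf` prints. The host name, the keys, the known_hosts content and the "trusted" fingerprint are all constructed for illustration.

```python
"""Accept a changed SSH host key only after its fingerprint matches one
obtained out of band.  Added example, not from the original RISKS post.

Everything below (host name, keys, known_hosts, trusted fingerprint) is
constructed; a real trusted fingerprint comes from the server's
administrator through a channel the network attacker cannot touch."""
import base64
import hashlib
import struct
from typing import Optional, Tuple

HOST = "lab.example.org"  # hypothetical host name


def make_ed25519_pubkey(seed: int) -> str:
    """Build a syntactically valid OpenSSH ed25519 public key line.
    The 32 key bytes are constructed filler, not a real key."""
    key_bytes = bytes((seed + i) % 256 for i in range(32))
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + key_bytes)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: 'SHA256:' followed
    by unpadded base64 of SHA-256 over the raw key blob."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry(known_hosts: str, host: str) -> Optional[str]:
    """Return the 'type base64' key recorded for host, or None.
    Plain-text host fields only; hashed (|1|...) entries are not handled."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and host in parts[0].split(","):
            return parts[1] + " " + parts[2]
    return None


def accept_changed_host_key(known_hosts: str, host: str, presented_key: str,
                            trusted_fingerprint: str) -> Tuple[bool, str]:
    """Decide what to do with the key the server just presented.

    Returns (accepted, new_known_hosts).  The entry is replaced only when
    the presented key's fingerprint equals the out-of-band value; otherwise
    known_hosts is left untouched and the connection must not proceed,
    which is the man-in-the-middle case the ssh warning exists for."""
    recorded = known_hosts_entry(known_hosts, host)
    if recorded == presented_key:
        return True, known_hosts            # key unchanged, no warning at all
    if fingerprint(presented_key) != trusted_fingerprint:
        return False, known_hosts           # mismatch: possible MITM, refuse
    # Matched the out-of-band fingerprint: drop the stale entry and record
    # the new key (what ssh-keygen -R followed by reconnecting would do).
    kept = [line for line in known_hosts.splitlines()
            if not line.split() or host not in line.split()[0].split(",")]
    kept.append(f"{host} {presented_key}")
    return True, "\n".join(kept) + "\n"


# Constructed scenario: the host was legitimately re-keyed (seed 1 -> seed 2)
# and the admin published the new fingerprint; an attacker offers a third key.
OLD_KEY = make_ed25519_pubkey(1)
NEW_KEY = make_ed25519_pubkey(2)
ATTACKER_KEY = make_ed25519_pubkey(3)
KNOWN_HOSTS = f"{HOST} {OLD_KEY}\nother.example.org {make_ed25519_pubkey(9)}\n"
TRUSTED_FP = fingerprint(NEW_KEY)   # stands in for the value read out of band

if __name__ == "__main__":
    ok, _ = accept_changed_host_key(KNOWN_HOSTS, HOST, ATTACKER_KEY, TRUSTED_FP)
    print("attacker's key accepted:", ok)
    ok, updated = accept_changed_host_key(KNOWN_HOSTS, HOST, NEW_KEY, TRUSTED_FP)
    print("re-keyed host accepted:", ok)
    print(updated, end="")
```

Deleting the offending entry and reconnecting, as the lab page advises, is the path the attacker's key takes through accept_changed_host_key when the fingerprint comparison is skipped; the function refuses it only because the comparison happens before anything is written.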


New Kind of Snooping Arrives at the Office (Marci Alboher Nusbaum)

<Monty Solomon <monty@roscom.com>>
Mon, 14 Jul 2003 21:57:44 -0400

Corporate executives are becoming increasingly aggressive about spying on
their employees, and with good reason: now, in addition to job shirkers and
office-supply thieves, they have to worry about being held accountable for
the misconduct of their subordinates.  Even one offensive e-mail message
circulated around the office by a single employee can pose a liability risk
for a company. Not only that, but a wave of laws - including the federal
Health Insurance Portability and Accountability Act of 1996 and the
anticorruption and corporate-governance Sarbanes-Oxley Act of 2002 - have
imposed new record-keeping and investigative burdens on companies. Not
complying with some laws can result in the personal liability of officers
and directors.

As a result, employers have stepped up their surveillance of employees,
often using stealth techniques to peer deep into their computer use. As of
2001, more than a third of all American workers with access to computers, or
14 million in all, were being monitored in one way or another, according to
the Privacy Foundation, a Denver research group; with added pressure on
executives to oversee their employees' electronic activities, experts
predict that those numbers will grow.  ...

[Source: Marci Alboher Nusbaum, *The New York Times*, 13 Jul 2003]
  http://www.nytimes.com/2003/07/13/business/yourmoney/13EXLI.html


Canada and the FTC Do Not Call list

<"Tony Harminc" <tony@harminc.com>>
Tue, 8 Jul 2003 19:54:58 -0400

Curious, I went to the FTC site and tried to register my Canadian home phone
number. It was rejected with an uninformative error message. However the
site was quite happy to accept my (also Canadian) 800 number. This raises a
blend of techno-legal issues, because it is not possible to distinguish
syntactically or in any simple way between a US and Canadian 800 number, and
indeed one number can terminate in multiple locations based on the caller's
location, the time of day, load, etc. So what's the legal situation if I get
a junk call at this number from a US telemarketer? From a non-US one? US
legislators have not been shy in the past about extending the reach of their
laws outside their borders. Is this legislation written clearly enough to
provide a definitive answer?

The Canadian telecom regulator (the CRTC) has been mumbling about Do Not
Call for some years. Perhaps they should get together with their southern
counterparts and arrange a common site and database. On second thought,
maybe they should just go for a friendlier message.


Washing machine does the right thing after power outage

<Erik Klavon <erik@eriq.org>>
Tue, 15 Jul 2003 10:11:13 -0700

Readers of RISKS are no doubt familiar with some of the less than graceful
ways in which technology fails in the event of a brownout or blackout. When
the electricity to my apartment building went out recently, I thought I
might experience just such a failure.

Five minutes prior to losing power, I had started a load of laundry in the
shared washing machine on my floor. The laundry machines in my complex use a
smart card system for payment as opposed to coins. The machines have a
digital control system that displays the remaining time and the cycle on an
LCD display. After power was lost I checked the machine to verify that it
had lost power. No display, no noise and no overhead light in the laundry
room. I figured I was out US$1.25, good for the recently increased bus fare
in San Francisco.

When power was restored, I returned to the laundry room to find that the
machine had restarted and was prompting me to select a cycle. It appears the
designers had thought about the problem of losing power mid cycle and
decided to start the cycle over after user input once power had been
restored. This is the right thing when you consider a repair person who
wouldn't want the machine starting by itself unexpectedly when power is
restored after electrical work.


Sony recalling some Vaio laptops for shock risk

<Monty Solomon <monty@roscom.com>>
Wed, 9 Jul 2003 22:06:16 -0400

Sony is recalling some Vaio FRV laptops because of a static-electric shock
hazard, which can occur if your phone rings while the laptop is plugged in
and connected to a grounded peripheral, the phone line is disabled, and you
are touching a metal part of the laptop.  No injuries have been reported,
and fewer than 10 complaints received.  (PGN-ed from 9 Jul 2003
Reuters item)
  http://finance.lycos.com/home/news/story.asp?story=34798831


Re: "Soft walls" = dangerous avionics? (DeForest, RISKS-22.79)

<Thomas Wicklund <wicklund@eskimo.com>>
Fri, 11 Jul 2003 09:43:19 -0600

The "soft walls" idea of steering planes away from restricted airspace
leaves the question of what constitutes "restricted" airspace? After
adding all possible terrorist targets, I can imagine a flight into a
large east coast city weaving through the narrow "safe" course to the
airport but leaving the airlines bankrupt paying for air sickness bags.

Of course, the airport itself is a terrorist target and should be
restricted, right?


Re: "Soft walls" = dangerous avionics? (DeForest, RISKS-22.79)

<Robert Woodhead <trebor@animeigo.com>>
Wed, 9 Jul 2003 19:23:05 -0400

> ... and it only takes one airplane with the soft-wall avionics missing or
> disabled, to defeat the purpose of the whole system.

Not to mention subverting the code so that at a particular date and
time, the logic inverted and the exclusion zones became the only
place where the airplanes would fly...


Re: RFID Site Security Gaffe ... (Solomon, RISKS-22.79)

<Crispin Cowan <crispin@immunix.com>>
Tue, 08 Jul 2003 22:53:41 -0700

Hmmm ... How well do RFID embedded chips survive exposure to stun guns,
cattle prods or other colorful toys?
http://www.violetwands.com/entrance.html

I'm not above wanding my groceries with some high voltage to preserve some
privacy. Chips can be hardened, but radio chips would seem to be more
difficult to harden against high voltage.

Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
Chief Scientist, Immunix  http://immunix.com  http://www.immunix.com/shop/


Re: The risks of assuming things: German payrolls (DWW, RISKS-22.79)

<"Josef Janko" <josef.janko@web.de>>
Sun, 13 Jul 2003 15:26:31 +0200

It must be a wonderful picture imagining how thousands of software
developers delay their vacations to provide a poor public servant like DWW
with her paycheck in time... However, recalling my experience with the
Berlin local government, the reality is not so dramatic. The payment system
now is not more "wacky" than it was 28 years ago, when I first came into
contact with it. Every year the government and the unions have "concocted"
changes like these, and without a word the additional money has been paid
one, two, or even three months later. So where is the problem, the reason
for this outburst? The problem is, that for the first time after WW II in
Germany public servants have to work more and get less for that - from my
point of view only a fair deal under the circumstance that their jobs
are guaranteed. It is not a problem of IT: it is a problem of perception - being
forced to face the reality outside the ivory tower.


REVIEW: "Computer and Intrusion Forensics", George Mohay et al.

<Rob Slade <rslade@sprint.ca>>
Tue, 15 Jul 2003 07:59:12 -0800

BKCMINFO.RVW   20030605

"Computer and Intrusion Forensics", George Mohay et al., 2003,
1-58053-369-8, U$79.00
%A   George Mohay
%A   Alison Anderson
%A   Byron Collie
%A   Olivier de Vel
%A   Rodney McKemmish
%C   685 Canton St., Norwood, MA   02062
%D   2003
%G   1-58053-369-8
%I   Artech House/Horizon
%O   U$79.00 800-225-9977 fax: +1-617-769-6334 artech@artech-house.com
%O  http://www.amazon.com/exec/obidos/ASIN/1580533698/robsladesinterne
    http://www.amazon.co.uk/exec/obidos/ASIN/1580533698/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1580533698/robsladesin03-20
%P   395 p.
%T   "Computer and Intrusion Forensics"

The traditional data recovery aspect of computer forensics has been covered
by Kruse and Heiser in "Computer Forensics" (cf. BKCMPFRN.RVW), and by
Caloyannides in "Computer Forensics and Privacy" (cf. BKCMFRPR.RVW) (and
somewhat less ably by Casey [cf.  BKCMCRIN.RVW], Kovacich and Boni
[cf. BKHTCRIH.RVW], Icove, Seger, and VonStorch [cf. BKCMPCRM.RVW], Marcella
and Greenfield [cf.  BKCYBFOR.RVW], van Wyk and Forno [cf. BKINCRES.RVW],
and Mandia and Prosise [cf. BKINCDRS.RVW]).

So far network forensics has only been specifically dealt with in the
not-terribly-useful "Hacker's Challenge," by Schiffman (cf. BKHKRCHL.RVW).

"Computer and Intrusion Forensics" is the first attempt to bring both topics
into a single book.  (It is intriguing to note that Eugene Spafford, who
wrote the foreword, is a pioneer of the "third leg": software forensics,
which the book does not cover.)

Chapter one is an introduction to computer and network (intrusion)
forensics, pointing out the ways that computers can be involved in the
commission of crimes and the requirements for obtaining and preserving
evidence in such cases.  While the material provides a good foundation, the
text is inflated in many places, and could benefit from stricter adherence
to the topic and more focused writing.  (One illustration shows a pattern of
concentric rings indicating that the set of productive activities
encompasses all legal endeavors which, in turn, encompasses all approved
actions.  I suspect that a great many legal and even approved activities are
unproductive--while no doubt a number of illegal activities would be
approved, at times.)  "Current Practice," in chapter two, is a broad
overview of the concerns, technologies, applications, procedures, and
legislation bearing on digital evidence recovery from computers.  In fact,
this single chapter is the equivalent of, and sometimes superior to, a
number of the computer forensics books mentioned above.  However, the
breadth of the discussion does come at the expense of depth.  This content
is quite suitable for the information security, or even legal, professional
who needs to understand the field of computer forensics, but it does not
have the detail that a practitioner may require.  Although chapter three is
supposed to deal with computer forensics in law enforcement (and there is a
brief section on the rules of evidence), it is primarily a reiteration (and
some expansion) of the procedures for data recovery and the software tools
available for this task.  Forensic accounting, and the algorithms that can
be used to detect fraud, are outlined in chapter four, but very little is
directly relevant to computer forensics as such.  Case studies,
demonstrating the techniques discussed earlier and some that are not, are
described in chapter five.  Chapter six, on intrusion forensics, concentrates on intrusion
detection systems (IDS), although it does not provide a very clear or
complete explanation of the distinctions in data collection (host- or
network-based) or analysis engines (rule, signature, anomaly, or
statistical).  Chapter seven finishes off the book with a list of computer
forensic research which is being, or should be, undertaken.

While the computer forensic content is sound, and it is heartening to see
other fields being included, the very limited work on network forensics is
disappointing.  This text is a useful reference for those needing background
material on forensic technologies, but breaks no new ground.

copyright Robert M. Slade, 2003   BKCMINFO.RVW   20030605
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
