The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 82

Sunday 27 July 2003

Contents

Serious flaws in electronic voting systems
NewsScan
South Africa bank Internet spyware and fraud
Heinz M. Kabutz
Stealing passwords from Kinko's
John F. Whitehead
New method cracks passwords in seconds
NewsScan
Bypassing the safeguards
Mark Lutton
Limit to stupidity? Credit card scam uses rather nasty flaw.
Gillian Brent
Biometrics technology: not yet ready for primetime
NewsScan
Spammers who don't read RISKS
Diamond
Adieu to 'e-mail'?
NewsScan
E-mail harvesting and re-use as a new virus vector?
Jim Garrison
Identity theft: a crime that pays?
NewsScan
Cross *words*?
Mark Brader
Presidential "doublespeak" ...
Jim Bauman
Owner of stolen 'sex.com' can sue VeriSign
Monty Solomon
Another risk of decency filters
J. Lasser
SCO wants licensing fees from corporate Linux users
Monty Solomon
Microsoft rediscovers MultiLevel Security
Jeremy Epstein
Re: Powergenitalia
Eliah Grabbet
Re: Error in E-Mini Dow Futures creates havoc at CBOT, CME
Greg Compestine
Re: GPS-piloted tractors?
Kent Borg
Re: GPS-piloted tractors? Hell yes! Cue Stephen King!
Fredric L. Rice
Info on RISKS (comp.risks)

Serious flaws in electronic voting systems

<"NewsScan" <newsscan@newsscan.com>>
Thu, 24 Jul 2003 09:28:33 -0700

Johns Hopkins University experts say that high-tech voting machine software
from Diebold Election Systems has flaws that would let voters cast extra
votes and allow poll workers to alter ballots secretly. Aviel D. Rubin,
technical director of the Information Security Institute at Johns Hopkins,
led a team that examined the Diebold software, which has about 33,000 voting
machines operating in the United States. Adam Stubblefield, a colleague of
Rubin's, said that "practically anyone in the country -- from a teenager on
up -- could produce these smart cards that could allow someone to vote as
many times as they like." Diebold has not seen the Institute's report and
would not comment on it in detail, but a company spokesman said: "We're
constantly improving it so the technology we have 10 years from now will be
better than what we have today. We're always open to anything that can
improve our systems." Peter G. Neumann, an expert in computer security at
SRI International, said the Diebold code was "just the tip of the iceberg"
of problems with electronic voting systems.
  [*The New York Times, 24 Jul 2003; NewsScan Daily, 24 Jul 2003]
  http://partners.nytimes.com/2003/07/24/technology/24VOTE.html


South Africa bank Internet spyware and fraud

<"Dr. Heinz M. Kabutz" <heinz@javaspecialists.co.za>>
Mon, 21 Jul 2003 08:42:44 +0200

ABSA, the leading bank in South Africa, has very weak Internet security.  All
you have to know is someone's bank account number and their PIN, and you can
set up beneficiaries and pay money over to your heart's content.  There is no
TAN like in German banks.  This story is not surprising at all; what is
surprising is that it took so many years for this to happen on such a big
scale.

Here is the story according to the Sunday Times.  Simple spyware was
installed on victims' computers and the account numbers and PINs sent back to
the perpetrator.  This allowed the thief to steal approximately R500,000
(about US$65,000) from various victims.
  http://www.sundaytimes.co.za/2003/07/20/news/news01.asp

The bank responded with the usual tips:
  http://www.absa.co.za/ABSA/Media_Releases/Article_Page/0,1551,424,00.html

These were the funniest:

* Make sure that the software that is loaded onto your PC via a third party
is licensed. (How would that make a difference?)

* Update your operating system and browser with the latest Microsoft patches
to protect your PC from exploitation. These can be downloaded from the
Microsoft website http://www.microsoft.com (Assuming of course that everyone
in South Africa uses Microsoft - oh, all the victims used Microsoft!)

I am fairly confident that the police will catch the thief.  You cannot
transfer money out of the country from South Africa without special
clearance, so at least we did not have the problem with money ending up in
some country that would not cooperate.

He will probably be given a death sentence.  (Not directly, but a visit to
our jails is akin to a death sentence through HIV infection :-(

Dr. Heinz M. Kabutz (Maximum Solutions), Author of "The Java(tm)
Specialists' Newsletter" http://www.javaspecialists.co.za  +27 (83)340-5633


Stealing passwords from Kinko's

<"John F. Whitehead" <jfw@well.com>>
Sat, 26 Jul 2003 12:41:31 -0700

For two years a man stole passwords from customers in New York City Kinko's
copy/printing/office services stores, and used the information to try to
access and open bank accounts:

  "In pleading guilty to computer damage, [Juju] Jiang admitted that,
  between February 14, 2001, and December 20, 2002, without the permission
  of Kinko's Inc., he installed special keylogging software on computer
  terminals located at Kinko's stores throughout Manhattan to
  surreptitiously record keystroking activity on those computers, and
  collect computer usernames and passwords of Kinko's customers.

  Jiang also admitted that he then used the confidential information he
  obtained to access, or attempt to access, bank accounts belonging to other
  persons, and fraudulently open on-line bank accounts.

  Jiang also pled guilty to similar fraudulent conduct that he continued to
  commit while on bail after his arrest on December 20, 2002."

For more see the Dept of Justice press release:
  http://www.cybercrime.gov/jiangPlea.htm


New method cracks passwords in seconds

<"NewsScan" <newsscan@newsscan.com>>
Wed, 23 Jul 2003 08:48:41 -0700

A senior research assistant at the Swiss Federal Institute of Technology's
Cryptography and Security Laboratory has published a paper outlining a way
to speed up the process of cracking alphanumeric Windows passwords to only
13.6 seconds on average. The previous average time was 1 minute, 41
seconds. The new method uses massive lookup tables to match encoded
passwords to the original text entered by a person, thus reducing the time
it takes to break the code. "Windows passwords are not very good," says
researcher Philippe Oechslin. "The problem with Windows passwords is that
they do not include any random information." The only requirement for the
cracker is a large amount of memory in order to accommodate the lookup
tables. The larger the table, the shorter the time it takes to crack the
password. Users can protect themselves by adding nonalphanumeric characters
to a password, which adds another layer of complexity to the process. Any
cracker would then need more time or more memory or both to accomplish the
break-in. For more information on Oechslin's method, check out
  http://lasecwww.epfl.ch/php_code/publications/search.php?ref=Oech03
  [CNet News.com 22 Jul 2003; NewsScan Daily, 23 Jul 2003]
  http://news.com.com/2100-1009_3-5053063.html
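The time-memory trade-off the item describes, as an added example that is not
code from Oechslin's paper or the CNet article: a toy rainbow table in Python.
SHA-256 stands in for the unsalted LM/NTLM hash, and the three-character
alphanumeric keyspace, chain length and chain count are constructed for
illustration (a real table is orders of magnitude larger).  It goes one step
beyond the text: the `salt` argument shows what "do not include any random
information" costs Windows, since the same table that recovers an unsalted
hash in a few hundred hash operations returns nothing once a salt is mixed in,
and a password with a character outside the table's alphabet is likewise
missed.

```python
"""Toy rainbow table: the time-memory trade-off behind the attack above.

Added example, not code from Oechslin's paper.  SHA-256 stands in for the
unsalted Windows hash; keyspace and chain parameters are assumptions chosen
to run in seconds, far smaller than a real LM/NTLM table.
"""
import hashlib
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
PW_LEN = 3            # 36**3 = 46,656 candidate passwords
CHAIN_LEN = 40        # hash/reduce steps per chain (the "time" side)
NUM_CHAINS = 3000     # rows stored: only start and end points (the "memory" side)


def H(password: str, salt: str = "") -> bytes:
    """Hash a password.  LM/NTLM hashes carry no salt, which is exactly
    what lets one precomputed table serve every user on every machine."""
    return hashlib.sha256((salt + password).encode()).digest()


def reduce_(digest: bytes, column: int) -> str:
    """Map a hash back into the password space.  Folding the column index
    in gives a different reduction per column, so two chains that collide
    in different columns do not merge (the 'rainbow' refinement)."""
    n = int.from_bytes(digest, "big") + column * 0x9E3779B1
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def start_point(i: int) -> str:
    """Deterministic start points so the table is reproducible."""
    return reduce_(hashlib.sha256(b"start-%d" % i).digest(), 0)


def build_table() -> dict:
    """Precompute NUM_CHAINS chains; keep only endpoint -> start points."""
    table = defaultdict(list)
    for i in range(NUM_CHAINS):
        start = pw = start_point(i)
        for col in range(CHAIN_LEN):
            pw = reduce_(H(pw), col)
        table[pw].append(start)
    return table


def lookup(table: dict, target: bytes):
    """Invert `target`: guess it sits in column j, walk to the chain end,
    then regenerate every chain with that endpoint and test each step."""
    for j in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, j)
        for col in range(j + 1, CHAIN_LEN):
            pw = reduce_(H(pw), col)
        for start in table.get(pw, ()):
            cand = start
            for col in range(CHAIN_LEN):
                if H(cand) == target:      # verification rejects false alarms
                    return cand
                cand = reduce_(H(cand), col)
    return None


if __name__ == "__main__":
    table = build_table()
    # A password five steps into chain 7 is guaranteed to be in the table.
    victim = start_point(7)
    for col in range(5):
        victim = reduce_(H(victim), col)
    print("unsalted:", lookup(table, H(victim)))             # recovers victim
    print("salted:  ", lookup(table, H(victim, salt="k9")))  # None: table useless
    print("symbol:  ", lookup(table, H("a!b")))              # None: outside keyspace
```

The table stores 3,000 rows to cover a keyspace of 46,656, and each lookup
costs on the order of CHAIN_LEN squared over two hash operations instead of a
full brute force; growing the table shrinks lookup time, which is the "larger
table, shorter time" trade the article mentions.  The salted lookup fails not
because the password is stronger but because the function being inverted is no
longer the one the table was built for.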


Bypassing the safeguards

<Mark Lutton <mlutton@rcn.com>>
Thu, 24 Jul 2003 23:48:51 -0400

On 23 Jul 2003, New York City Councilman James E. Davis was shot to death by
political opponent Othneil Boaz Askew inside New York's City Hall.  Davis
had a concealed handgun of his own.

How did the two opponents get their weapons past the metal detectors?
According to the news report, the councilpersons (and apparently their guests)
routinely bypass the detectors.

You can have all the technology in the world against violence and terrorism
and it won't do you a damn bit of good if you let everybody and his enemy go
around it.


Limit to stupidity? Credit card scam uses rather nasty flaw.

<Gillian Brent <reynardo@pnc.com.au>>
Fri, 25 Jul 2003 23:19:17 +1000

The following spam arrived on the alt.devilbunnies newsgroup. As we are
fairly used to a couple of certain rabbits trying to pull similar schemes,
we weren't fooled - but I'm sure some people were.

> Finally I found a hack that really works to get free VALID CREDIT CARD
> NUMBERS!  I bought the information off ebay for $15.00.
> Using a valid credit card account, you can get many more VALID CREDIT
> CARD NUbers for free using my method.
>
> You basically send a coded message to the yahoo account information
> computer database.
> All the account information still active is in this computer.  Iam not
> going to explain exactly how it works(its around 7 pages long), I'll
> just tell you a little and how to do it.
>
> Copy the information below in its exact format or it will not work.
> Make sure to put a zero under each character(number, letter, hyphen, etc)
> you type. Type in small caps.  If you capitalize, it will not work.
> And if you do not send the exact information on the credit card, it
> will not work.  The computer has to register the information to be
> valid before it will send you an account.  I've tried to use a false
> account, it doesn't work.

(I very much doubt whether this information actually came from eBay.)

I'm not going to insult your intelligence with the rest of this, but apart
from the risk of losing control of your own credit card, it seems to be
using a vulnerability in the yahoo system.

Or just the gullibility of the fools sending their credit-card info to
(account_deleted)@yahoo.com.


Biometrics technology: not yet ready for primetime

<"NewsScan" <newsscan@newsscan.com>>
Tue, 22 Jul 2003 09:27:32 -0700

Gartner Research director Anthony Allen told guests at the launch of
European Biometrics Forum that while widespread use of biometrics was likely
by 2008, the technologies still had some kinks to be ironed out.
Biometrics, which includes technologies used for voice, face, iris and
fingerprint identification systems, is virtually useless without adequate
back-end security measures and databases, said Allen, and current systems have
several fallibilities that must be corrected. For instance, evidence shows
that wearing eyeglasses can fool an eyescanner, prosthetic makeup can
confuse face scanners, a sore throat can change a voice print and breathing
heavily on a fingerprint scanner can make prints unrecognizable. However,
newer generations of technology are beginning to rectify some of these
shortcomings; the latest fingerprint scanners now incorporate methods of
detecting body heat and blood flow and can scan below the surface layer,
making it more difficult to deceive.  [*The Register*, 22 Jul 2003; NewsScan
Daily, 22 Jul 2003]
  http://www.theregister.co.uk/content/55/31865.html


Spammers who don't read RISKS

<<diamond@swcp.com>>
Sat, 26 Jul 2003 17:11:48 -0000

Reuters Internet Report:

  A hoax e-mail was circulating around the Internet on Friday purporting to
  be a new cookery book from British celebrity chef Jamie Oliver dishing up
  recipes from sushi rolls to fish and chips.

Now here's the kicker:

  Penguin Books, the UK publisher for Oliver's books, said it was trying to
  track down the e-mail's author.  It contained a 121-page Microsoft Word
  document attachment replete with color photos, scores of recipes and a
  fictitious title, "The Naked Chef 2."

Anyone care to place bets on where they're most likely to find the author's
name?


Adieu to 'e-mail'?

<"NewsScan" <newsscan@newsscan.com>>
Mon, 21 Jul 2003 08:39:36 -0700

France's Culture Ministry has announced a ban on the use of the word
"e-mail" in all government ministries, publications or Web sites and is
encouraging French Internet users to adopt the term "courriel" when
referring to electronic mail. Courriel is derived from "courrier
electronique" -- electronic mail -- and, according to the General
Commission on Terminology and Neology, the term is "broadly used in the
press and competes advantageously with the borrowed 'mail' in English."
However, some Internet industry experts disagree with that assessment: "The
word 'courriel' is not at all actively used.   Protecting the language is
normal, but e-mail's so assimilated now that no one thinks of it as
American," says Marie-Christine Levet, president of French ISP Club
Internet, who adds that her company has no plans to switch its terminology.
[AP, 19 Jul 2003; NewsScan Daily, 21 Jul 2003]
  http://apnews.excite.com/article/20030719/D7SCS9201.html

  [I presume this is in part the result of the use of the word "email"
  (e'mail is a perfectly good French word relating to lacquer, and email
  without the hyphen is unfortunately ACM's publication standard!).  Nothing
  in the foregoing to the contrary notwithstanding, my long-time crusade for
  "e-mail" rather than "email" continues.  See
    http://www.csl.sri.com/neumann/hyphen.html
  if you have not already.  On the other hand, one of the musical
  instruments I play is certainly not a Freedom Horn.  PGN]


E-mail harvesting and re-use as a new virus vector?

<Jim Garrison <jhg@acm.org>>
Sat, 26 Jul 2003 21:34:31 -0500

I've recently received several e-mails from my Dad, with whom I regularly
correspond.  However, the subject lines and message texts were obviously not
intended for me, and I was able to deduce both the intended recipient and
the original time period when the messages were written, which was over a
year ago.  Each such message also contained an e-mail virus.  The headers
indicated the messages originated in Spain (where my Dad is living), but not
from his ISP.

I think this represents a disturbing new trend in virus vectors, the
'harvesting' of messages and correspondence addresses in order to sneak in a
virus disguised as a legitimate message from a trusted correspondent.  I use
Mozilla as my mail reader so of course I see the complete filename
(file.doc.exe) and cannot be tricked into opening it, but people with
Outlook or Outlook Express might easily be fooled.

Is this new, or have I just missed seeing it before?  Anyone else having
this experience?

  [It's been around for some time, but seems to be increasing.  PGN]
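The trick in the post above is the attachment name: a client that hides known
extensions shows "file.doc.exe" as "file.doc", so the harvested subject line
and a familiar sender do the rest.  As an added example that is not code from
the post, the following Python gateway check parses a message and flags
attachments whose visible name hides an executable extension.  The extension
lists are illustrative assumptions, not an exhaustive policy, and the sample
message is constructed inline.  It also covers a related variant the post does
not mention: whitespace padding before the real extension, which pushes ".exe"
out of a narrow filename column.

```python
"""Flag e-mail attachments whose displayed name hides an executable extension.

Added example (not from the RISKS post).  Extension lists and the sample
message are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Extensions Windows will run on double-click (assumption: illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# Extensions a recipient reads as a harmless document.
DOCUMENT_EXTS = {"doc", "xls", "ppt", "pdf", "txt", "jpg", "gif", "htm", "zip"}


def classify_filename(name: str) -> Optional[str]:
    """Return why `name` is suspicious, or None if it is not executable.

    Catches 'file.doc.exe' and the padded variant 'file.doc       .exe';
    with known extensions hidden, both display as 'file.doc'.
    """
    parts = name.lower().split(".")
    if len(parts) < 2:
        return None
    real_ext = parts[-1].strip()
    if real_ext not in EXECUTABLE_EXTS:
        return None
    inner = [p.strip() for p in parts[1:-1]]
    if any(p in DOCUMENT_EXTS for p in inner):
        return "double extension: '.%s' disguised as document" % real_ext
    if parts[-2] != parts[-2].rstrip():
        return "whitespace padding before '.%s'" % real_ext
    return "executable attachment '.%s'" % real_ext


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 822 message; return (filename, reason) per flagged part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        reason = classify_filename(filename)
        if reason:
            findings.append((filename, reason))
    return findings


def sample_message() -> bytes:
    """Constructed message in the style of the post: a reused subject line
    from a trusted correspondent, one disguised executable, one real PDF."""
    msg = EmailMessage()
    msg["From"] = "dad@example.net"          # assumed address
    msg["To"] = "jim@example.org"            # assumed address
    msg["Subject"] = "Re: photos from last summer"
    msg.set_content("Here is the file you asked for.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename="file.doc.exe")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application",
                       subtype="pdf", filename="itinerary.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(sample_message()):
        print("%-20s %s" % (filename, reason))
```

The check keys on the last extension rather than the MIME type because the
sender controls both; a gateway that trusts "application/msword" on a part
named file.doc.exe learns nothing from the header.  In practice the flagged
part is quarantined rather than merely logged, and a plain ".exe" attachment
is usually blocked outright regardless of disguise.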


Identity theft: a crime that pays?

<"NewsScan" <newsscan@newsscan.com>>
Tue, 22 Jul 2003 09:27:32 -0700

The number of victims that have fallen prey to identity thieves is severely
underreported, according to a study by Gartner Research, which estimates
that 3.4% of U.S. consumers -- about 7 million adults -- have suffered ID
theft in the past year. Moreover, identity thieves generally get away with
it -- arrests are made in only one out of every 700 cases. "The odds are
really stacked against consumers," says Gartner VP Avivah Litan.
"Unfortunately, they are the only ones with a vested interest in fixing the
problem." Typically, victims of ID theft learn of the crime a year or more
later after it happens -- long after the trail has gone cold. "It is
different from payment fraud, where the thief takes a credit card number and
consumers are innocent until proven guilty. With identity theft, it is the
opposite: Consumers are thought to be guilty until proven innocent," says
Litan. "There is a serious disconnect between the magnitude of identity
theft that innocent consumers experience and the [financial] industry's
proper recognition of the crime. Without external pressure from legislators
and industry associations, financial services providers may not have
sufficient incentive to stem the flow of identity crimes."
  [CNet News.com 21 Jul 2003; NewsScan Daily, 22 Jul 2003]
  http://news.com.com/2100-1009_3-5050295.html


Cross *words*?

<msb@vex.net (Mark Brader)>
Wed, 23 Jul 2003 10:57:03 -0400 (EDT)

I don't know how long it will remain online, but
  <http://www.guardian.co.uk/crossword/nonjava/blank/0,7095,-6003,00.html>
currently contains a recent crossword puzzle from the British newspaper
The Guardian.  And above the puzzle diagram, it says:

  Special instructions: Two of the solutions to today's quick crossword
  (no10362) contain numbers.  Unfortunately, we cannot show numbers in
  answers in the usual way.  Click here to view a pdf file...

Risks of unwarranted character set assumptions!

  [Pointed out by Owen McShane in rec.puzzles.crosswords.]


Presidential "doublespeak" ...

<Jim Bauman <JBauman@safety-kleen.com>>
Thu, 24 Jul 2003 09:27:00 -0500

The risk here is that what is purported to be a way to enhance communication
could actually be a way to do the opposite (Hmmm ... Navigate nine Web pages
instead of sending an e-mail from your mail client to
president@whitehouse.gov ... Gee, which would you choose?).  Is it a muddled
signal from the White House that they want the American public's feedback
and yet they don't?

Also, it's a handy way for the White House to sort its e-mail---those in
favor of their position and those who are not.  Would then, the President or
his people bother to read and consider the e-mails not favoring the White
House's policy on a certain national/foreign affair?  Would they pay more
attention to those that favor their position?

Would they have an "accurate" number of e-mails in favor of their policies,
but a nebulous one in regards to the e-mails that don't?

White House puts up obstacle course for e-mails
Critics cite burden of additional steps
By John Markoff, *The New York Times*, 18 Jul 2003
http://www.chicagotribune.com/technology/chi-0307180184jul18,1,7186833.story

Do you want to send an e-mail message to the White House?  Good luck.
In the past, to tell President Bush--or at least those assigned to read
his mail--what was on your mind it was only necessary to sit down at a
personal computer connected to the Internet and dash off an e-mail note to
president@whitehouse.gov.

But this week, Tom Matzzie, an online organizer with the AFL-CIO, discovered
that communicating with the White House has become a bit more daunting. When
he sent an e-mail protest against a Bush administration policy, the message
was bounced back with an automated reply that instructed him to send the
message in a new way.

Under a system deployed on the White House Web site for the first time last
week, those who want to send a message to President Bush must navigate as
many as nine Web pages and fill out a detailed form that starts by asking
whether the message sender supports or differs with White House policy.

The White House says the new system, at http://whitehouse.gov/webmail, is
an effort to be more responsive to the public and offer the administration
"real-time" access to citizen comments.  [...]


Owner of stolen 'sex.com' can sue VeriSign

<Monty Solomon <monty@roscom.com>>
Fri, 25 Jul 2003 23:04:16 -0400

Elinor Mills Abreu, Reuters, 25 Jul 2003

The owner of "sex.com," once considered one of the Internet's hottest
addresses, can seek payment from the company that improperly transferred the
domain to a "con man" who later fled to Mexico when ordered to pay $65
million, a court ruled on Friday.  The Ninth Circuit Court of Appeals in San
Francisco ruled that "computer-geek-turned-entrepreneur" Gary Kremen can
hold VeriSign Inc.'s Network Solutions unit liable for handing the sex.com
Web address over to a "con man."  The decision has widespread implications
for companies that register domains, which until now have not been held
responsible when Web sites are switched from their rightful owners, a lawyer
for the plaintiff said.  ...
  http://finance.lycos.com/home/news/story.asp?story=35007290


Another risk of decency filters

<"J. Lasser" <jon@lasser.org>>
Sun, 20 Jul 2003 17:30:40 -0600

You could lose a customer.

I've moved out to Colorado and was pursuing broadband through my phone
company. After they verified that my line was DSL-capable, they gave me a
call and asked what ISP I'd like to use. Helpfully, they suggested that MSN
had the best pricing deal with them.

After I agreed that this would be fine, they asked what user ID I would
like. I said 'jonlasser' would be ideal. The system rejected that and
several other variations due, the support technician decided, to the
three-letter word buried in my last name. She asked if I'd like to pick
another user ID.

I said no, and asked about other service providers I could use with their
service. It turns out that there's an option for those of us who already
have mail/web from elsewhere and just need the broadband, which is really
what I wanted in the first place. But for that decency filter, however, MSN
would have had another customer.

Jon Lasser jon@lasser.org 410-659-5333


SCO wants licensing fees from corporate Linux users

<"monty solomon" <monty@roscom.com>>
Mon, 21 Jul 2003 17:48:44 -0400

SCO wants licensing fees from corporate Linux users
Otherwise, SCO said, companies could be in legal hot water
Todd R. Weiss, *Computerworld*, 21 Jul 2003

The gloves are now officially off -- all enterprise Linux users have to
pay The SCO Group Inc.  new licensing fees to use Linux, or they could
find themselves on the wrong end of a copyright infringement lawsuit.
That was the ultimatum laid out today by SCO CEO and President Darl
McBride, who said that the $3 billion lawsuit against IBM in March was
apparently just the start of his company's march to defend itself from
what it sees as rampant theft of its Unix System V intellectual property
(IP).  ...

http://www.computerworld.com/softwaretopics/os/linux/story/0,10801,83287,00.html


Microsoft rediscovers MultiLevel Security

<Jeremy Epstein <jeremy.epstein@webmethods.com>>
Fri, 25 Jul 2003 14:01:31 -0700

Seems that Microsoft has rediscovered the value of MLS, allowing "analysts
who hold the appropriate security clearance and have a need to know with the
ability to access information across databases that may be compartmentalized
or "air-gapped" for security reasons".  The idea is to run multiple OSes on
top of a VMware (or similar) base, and then run multiple classifications of
windows on the screen.

  http://www.computerworld.com/securitytopics/security/story/
  0,10801,83465,00.html?nas=PM-83465

The more things change, the more they stay the same.


Re: Powergenitalia (RISKS-22.81)

<Eliah Grabbet <eligrab@totalise.co.uk>>
Mon, 21 Jul 2003 16:09:37 +0100

It should be pointed out that while the unfortunately named
http://www.powergenitalia.com
really exists, and it has caused much merriment in other newsgroups, too, it
is not the website of Powergen's [a British power company] Italian
subsidiary.  As far as I know, Powergen does not even have an Italian
subsidiary.

  [This was noted by several RISKS readers.  Many thanks.  PGN]


Re: Error in E-Mini Dow Futures creates havoc at CBOT, CME

<Greg Compestine <gmc444@yahoo.com>>
Sat, 26 Jul 2003 17:07:49 -0600

> Apparently an order to sell 10,000 contracts instead of 100 was put in by
> mistake.

Physical checking always uses double entry for amounts. Why not trading
systems? Sounds like a perfect application for voice recognition technology
(no pun intended). The person entering the number has to type in and then
say the amount, and if the two don't agree, then the transaction isn't
accepted.


Re: GPS-piloted tractors? (Heiney, RISKS-22.81)

<Kent Borg <kentborg@borg.org>>
Mon, 21 Jul 2003 15:47:36 -0400

> The RISK of unmanned vehicles relying on GPS signals, with or without
> rotating blades attached, is interesting to contemplate, especially at night!

The article said nothing about "unmanned" tractors.  This equipment is
expensive, farmers aren't stupid, they don't send them off on their own,
they ride in them.

Farmers also know that things that have nothing to do with GPS can go wrong
and they want to be there to notice and do something about them when they
do.

Don't jump to such conclusions!  If you want to worry about such things
worry about unmanned lawn mowers or house vacuum cleaners or swimming pool
vacuum cleaners even--they all do exist.


Re: GPS-piloted tractors? Hell yes! Cue Stephen King!

<"Fredric L. Rice" <quack@skeptictank.org>>
Mon, 21 Jul 2003 11:24:42 -0700 (PDT)

In RISKS-22.81 it's noted that there's advocacy of GPS-piloted tractors
going into operation in Australia, sent in by Conrad Heiney who notes that
tractors "with or without rotating blades attached is interesting to
contemplate."

Where's the RISK?  I *love* the idea of fully automated whirling machines of
horrible, mangling death roaming the countryside at night, hiding from
villagers by day, emerging in packs to assault gasoline stations to steal
fuel, killing anyone who tries to stop them.

What's the down side?  I'm sure Stephen King would agree with my delight
that there are people out there working hard on the technology that would
allow roaming packs of automated, economically efficient death to go from
city to city harvesting and de-boning humans, cutting them into manageable
sizes, and packaging them up in shrink wrap for your grocery shelf.  Soylent
Green has to start somewhere!

These machines will dispassionately collect humans just as dispassionately
as they collect potatoes and I can't wait to see what hackers and
anti-genetically modified food activists would make of such wonderful toys.

Man, I hope like hell they call the new technology "Godzilla."
