The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 9

Thursday 23 May 2002

Contents

Re: S-P-A-M-demonium
PGN
Kevin
Computer failure grounds over 300 flights in minutes
Chris Brady
Air-traffic controllers can't read the new screens
Chris Brady
Paper: How to own the Internet in your spare time
Nicholas C. Weaver
Credit-card data from wireless registers
Jim Laurenson
Ford Motor Credit office baffled by theft
Dave Hansen
Vending Machines - Poor Programming
T.J. Griesenbrock
RISKS of providing smart-alecky false information
Daniel P. B. Smith
Phony 'soldier' needs your help giving him your money
NewsScan
Re: Fun with fingerprint readers
Arnt Gulbrandsen
Re: 2 unsolved telephone mysteries
Stanislav Meduna
Chris Barnabo
Re: Copy-Protected CDs
Jan Ingvoldstad
Sean A Dunn
Russ Perry Jr
Martin Ward
Re: More on Klez
Joseph Brennan
REVIEW: "Cyber Forensics", Albert J. Marcella/Robert S. Greenfield
Rob Slade
Info on RISKS (comp.risks)

Re: S-P-A-M-demonium (RISKS-22.08)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 22 May 2002 13:18:00 PDT

My lead message in RISKS-22.08 announcing the use of a filter resulted in
those of us using that filter to have the issue designated as s-p-a-m!  If
you did not receive that issue because YOUR filtering is configured to pipe
the message off to somewhere else or to delete it altogether, then you may
pick RISKS-22.08 up at www.risks.org.  But the effect of installing that
filter was very dramatic, having taking the RISKS spam rate instantly from
98% to close to 0%.

The false positive trigger on RISKS-22.08 resulted largely from one triggers:

 Hit! (4.4 points) BODY: O-n-e h-u-n-d-r-e-d p-e-r-c-e-n-t g-u-a-r-a-n-t-e-e-d

which had to do not with s*p*a*m, but with fraud detection.
  [Hyphens inserted to minimize further false positives?  PGN]

Incidentally, because of the new regime, I will be able to look at more
messages from you all, in the same amount of my limited screen time.


Re: S-P-A-M-demonium (RISKS-22.08)

<nobody@tex.kom (Kevin)>
Thu, 23 May 2002 17:24:19 GMT

Also install Vipul's Razor if you can, from razor.sourceforge.net .
My own experience is that SpamAssassin is the best spam trapper I've ever
used, and I've tried a lot of them over the last several years.  But, make
sure you have auto-whitelisting turned on.  You also might want to salt your
config file(s) with whitelist and blacklist information based on your
history, which SpamAssassin won't know about yet.  Once I did that salting,
my false negatives and false positives dropped to zero per month, but I only
process 10Meg of mail in that time.


Computer failure grounds over 300 flights in minutes

<Chris Brady <chrisjbrady@yahoo.com>>
Thu, 23 May 2002 12:29:19 +0100 (BST)

Yet again the new multi-million-pound air-traffic computer system at Swanwick
near Heathrow crashed last Friday (May 17, 2002) shortly after 6.30 am.

This is a time of maximum inbound flights from the Middle and Far East --
with full 747's arriving at one a minute. Also too it is just when the
morning rush hour for domestic and European departures and arrivals begins
to build up.

The crash was the result of a 'routine upgrade' which made half the air
traffic controllers' computer screens inoperable. This meant that only half
the normal flights could be handled. This meant that airlines had to cancel
most of their flights into and out of Heathrow - a situation which lasted
for most of the day. Imagine one flight being canceled and all the
disruption that can cause, then multiply that by many hundreds. And the
knock on effect of the wrong planes and crews in the wrong places at the
wrong times lasted for most of the following weekend. The consequent loss of
revenue to the struggling airline industry is inestimable, to say nothing of
the increased loss of confidence in the safety of flying amongst the
traveling public.

The risks are obvious. The new computer system at Swanwick is a disaster
waiting to happen. A 'routine upgrade' should not result in a major loss of
service.  The upgrade was obviously made to the primary system before
testing on any back up system (is there one?), and if a routine upgrade can
cause such a system loss then what would happen to a major upgrade?

Confidence in the safety of the ATC system at Heathrow is not increased with
the U.K. Government's refusal to financially bale out - yet again - to the
tune of millions of pounds - the owners of the new system, the privatised
NATS (National Air Traffic Services).


Air-traffic controllers can't read the new screens

<Chris Brady <chrisjbrady@yahoo.com>>
Thu, 23 May 2002 12:10:41 +0100 (BST)

Confusing screens at Swanwick's new air-traffic control centre near Heathrow
have resulted in aircraft being directed towards the wrong airports.
Controllers have also misread the altitude of aircraft because letters and
numbers are difficult to distinguish on the screens, according to the *Daily
Mail*, 23 May 2002.  For example, the numbers 0, 8 and 6 are confused,
leading to mistakes of thousands of feet in the height of flightpaths
(noted in a report in *Computer Weekly* magazine).

Controllers and their supervisors at the privatised NATS (National Air
Traffic Services) centre at Swanwick have detailed the errors in a health
and safety report, which revealed that one controller has repeatedly misread
requested flight levels, and mixed up FL360 (36,000 ft) with FL300
(30,000ft).

Others reported difficulties of seeing some letters clearly, particularly
the Glasgow code EGPF and the Cardiff code EGFF.

NATS and the CAA (Civil Aviation Authority, U.K.) have said that
difficulties in reading screens has been experienced only by a small number
of controllers, and that it is not a safety matter. NATS also said that an
improved display had been developed and a prototype was shortly to undergo
testing.

The risks are many and unfortunately obvious. But what happened to the
principles of good HCI design (human-computer interface) and user acceptance
testing? Obviously no-one thought to ask the controllers if they could
actually read the screens clearly as they play three-dimensional chess with
the aircraft and passengers flying into, out of, and past one of the busiest
airports in the world.


Paper: How to own the Internet in your spare time

<"Nicholas C. Weaver" <nweaver@CS.Berkeley.EDU>>
Wed, 22 May 2002 12:38:44 -0700 (PDT)

Stuart Staniford, Vern Paxson, and I have completed our paper,
  "How to Own the Internet in Your Spare Time"
  http://www.cs.berkeley.edu/~nweaver/cdc.web/
to appear in the 11th Usenix Security Symposium (Usenix Security '02).

We've combined an analysis of Code Red I (which is still endemic on the net,
with ~2000+ hosts still infected), the effects of Code Red II and Nimda,
with the possibility of some new threats we have discussed before (Warhol
strategies, Flash worms), and some we haven't (contagion worms, which are
highly resistant to traffic analysis and similar detection strategies, and
programmatic updates which represent a natural evolution in utility for worm
writers).  We then use this to make a case for a CDC-like institution to
proactively develop defenses for such threats.

Nicholas C. Weaver nweaver@cs.berkeley.edu


Credit-card data from wireless registers

<"Laurenson, Jim" <JLaurenson@icfconsulting.com>>
Wed, 22 May 2002 16:43:56 -0400

On May 1, MSNBC ran a story, "Best Buy closes wireless registers; Hackers
say credit-card data vulnerable; other retailers at risk."  It's still there
at http://www.msnbc.com/news/746380.asp.  But the story also says "An
anonymous security researcher announced on a computer security research
mailing list Wednesday that several U.S. retailers have made the mistake of
installing wireless cash registers and transmitting the traffic in clear
text, without encryption."  So what's that other mailing list?

Jim Laurenson, ICF Consulting, JLaurenson@ICFConsulting.com *
http://www.ICFConsulting.com


Ford Motor Credit office baffled by theft

<"Dave Hansen" <iddw@hotmail.com>>
Wed, 22 May 2002 16:49:40 -0400

Apparently, someone was able to steal credit reports from Experian by
masquerading as Ford Motor Credit.  They don't know how, but it won't happen
again.  Very confidence inspiring...

No further comment, just some excerpts:

  Officials still aren't sure who, or how, someone snatched 13,000 credit
  reports through Ford Motor Credit Co.'s Grand Rapids office."  What they
  are sure about, however, is that no more credit reports will be stolen --
  at least from this group.  "We're not sure how this happened, to be
  honest," said Melinda Wilson, spokeswoman for Ford Motor Credit. "We
  thought we had a tight system. We're going to have an even tighter system
  now."  The reports provided the intruders with a wealth of information,
  such as Social Security numbers, credit ratings, account numbers for bank
  accounts and credit cards, and creditors names and payment histories,
  Experian said.

Full Story at
http://www.mlive.com/business/grpress/index.ssf?/xml/story.ssf/html_standard.xsl?/base/business-0/102199233690053.xml
  (watch URL wrap).


Vending Machines - Poor Programming

<"T.J. Griesenbrock" <ruritani@earthlink.net>>
Wed, 22 May 2002 19:50:34 -0400

Oh, vending machines are the most defective thing I have ever seen in
public service.  Check around for a vending machine with a green/blue
LCD screen, and a numeric pad using a telephone-style grid.  Press 8.
 Then press 2.  Then quickly press 8 and 2 at the same time.  It will
crash, and reboot.  Any money in the slot is 'forgotten.'  An obvious
sign of buffer overflow bug, or a sad case of a slow processor trying
to keep up with an user's fast fingertips, as programmers tend to
have. :)

Unfortunately, I do not remember to check for any identifying signs
to distinct that model from any other models.  Also equally
unfortunate, I do not find any bugs that somehow reward the user
instead of the vendors, implying that the developers were at least
careful enough to prevent users from grabbing free grub.


RISKS of providing smart-alecky false information

<"Daniel P. B. Smith" <dpbsmith@theworld.com>>
Wed, 22 May 2002 20:06:51 -0400

At one time or another, I signed up for Passport--I believe because it
was required to get the 90 days of free technical support with some
software product or another.  Recently, Microsoft decided to opt in
every Passport user for information sharing.

I went to my Passport account to attempt to change it this preference,
but found that I could not, because between the time when I first
enrolled in Passport and now they have added a number of new personal
information items--and (for some reason) it will not allow you to change
ANY of the items unless you've entered ALL of them.

Naturally, I did what anyone would do--filled in all the blanks with
bogus information.  And while I was at it, I decided to change my first
name to "Mickey," my last name to "Mouse," and my date of birth to 04/01/2001.

I unchecked the "Share Information" box and clicked the confirmation
button.  To my horror, a screen came up saying that because I was under
thirteen I would need my parents' consent!  I then received the
following email:

"Dear Parent or Guardian:

Your child, Mickey Mouse, has registered for a Microsoft .NET Passport
and needs your consent to sign in to a Kids Passport-participating Web
site or service. Your child indicated that he or she is under 13, and
according to U.S. law, Web sites and services that collect, use, or
share visitors' personal information must obtain a parent or guardian's
consent to allow children under 13 to sign in....

If you do not have a .NET Passport:

You need to have a .NET Passport in order to give or deny consent. .NET
Passport is a free service from Microsoft that allows you to use a
single e-mail address and password to sign in to a growing number of
participating Web sites.

NOTE: To register as a parent or guardian, you will need to verify that
you are at least 18. You can use a credit card to do this. Your credit
card account will not be charged, and .NET Passport will not retain or
share the information."


Phony 'soldier' needs your help giving him your money

<"NewsScan" <newsscan@newsscan.com>>
Thu, 23 May 2002 09:03:23 -0700

A scam e-mail message now circulating the Internet purports to be from a
"Special Forces Commando" in Afghanistan who's found $36 million in drug
money while on patrol, and who wants your help in moving the cash. Sure he
does. "We will thus send you the shipment waybill, so that you can help
claim this luggage on behalf of me and my colleagues. Needless to say the
trust in you at this juncture is enormous. We are willing to offer you an
agreeable percentage of funds." Stop laughing, and grab onto your wallet.
[AP/San Jose Mercury News 23 May 2002; NewsScan Daily, 23 May 2002]
  http://www.siliconvalley.com/mld/siliconvalley/3319360.htm

    [The Nigerian scams have been spawning numerous copycats, but
    this one is a new variant.  PGN]


Re: Fun with fingerprint readers (RISKS-22.08)

<Arnt Gulbrandsen <arnt@gulbrandsen.priv.no>>
Thu, 23 May 2002 10:25:37 +0200

He tried eleven commercially available fingerprint systems and spoofed *all*
of them (100%). The average single attempt had an 80% chance of success.

The reputable German magazine c't ran a cover story just now with similar
claims. They tested 11 iris, face, and fingerprint recognition system and
spoofed *all* of them. Some of their techniques were hilariously simple...
it'll be a long time until this reader can take biometrics seriously.

  [Quite a few readers noted my mistake in RISKS-22.08.  It has been
  corrected in the archives.  Thanks to all of you.  PGN]


Re: 2 unsolved telephone mysteries (Goodman-Jones, RISKS-22.08)

<Stanislav Meduna <stano@meduna.org>>
Wed, 22 May 2002 21:57:35 +0200 (CEST)

> How did her mobile phone make a call by itself at 5am?

I don't know Samsung phones, but does it have a quick-dial feature using a
longer press of a key? I can well imagine some conductive piece of dirt or
moisture "making" the call - these keypads are not very robust. It stopped
before answering it because the calls get dropped by the switches if not
answered in 1 minute or so (pretty normal at this time).

As to why at 5 am I have another story: Plain old alcaline batteries in one
of my devices have the nasty habit of going empty early in the morning (the
device tells it quite loudly). They seem to nearly always wait with their
last breath until I sleep the best. My theory is that it is simply colder at
this time and as the voltage correlates with the temperature, the most of
the daily voltage drop occurs when the temperature also falls and so it is
more probable that the warning is triggered at night.

If the quick-dial theory is right, a change in temperature could well be the
triggering factor.

Sometimes there are connections where nobody expects them - this
is often a risk.

> Here's the weird bit: A call at a very similar time was made on
> my HOME phone to the same number (which I don't recognise at all).

There are some obscure possibilities involving callback requests (possible
in some networks) or redirecting calls, but this really smells like a
problem of the phone company (either billing software, or worse -
phreaking).

I heard of people finding missed calls from themselves on a mobile phone -
and without an entry in the outgoing calls list.


Re: 2 unsolved telephone mysteries (Goodman-Jones, RISKS-22.08)

<"Chris Barnabo" <chris@spagnet.com>>
Wed, 22 May 2002 16:03:06 -0400

Gremlins in the mobile firmware?  Unlikely - since caller-id typically
doesn't pick up a telephone number until the _second_ ring I suspect mum was
awakened by a wrong number or a crank caller, and the mobile phone & caller
id were simply showing a call completed earlier in the day (or perhaps the
preceding day, given the time!)


Re: Copy-Protected CDs (Arthur, RISKS-22.07)

<Jan Ingvoldstad <jani+comp.risks@ifi.uio.no>>
23 May 2002 09:29:15 +0200

For one thing, they aren't copy protected, and for another, they aren't CDs.

We should be careful about allowing Sony to call the disks "CDs", because
that is making their stunt legitimate.  We should also be careful about
allowing Sony to call the scheme "copy protection", because it does not
protect against copying, but rather against (presumably legitimate) use.
Call it "usage prevention", "usage limitation" or other such.

> But it would seem that the folks that created the format in direct
> violation of published standards should share some of the blame and
> resulting liability.

If we choose to follow the line of thinking I mentioned above, we
should also take the consequences when the disks are marketed without
clearly specifying that they aren't CDs, or that they may possibly
break your CD players if you do so; just labelling them with "Does not
play on PC or Mac" is hardly sufficient.  Return the disk to the
vendor, asking for your money back.  If it has damaged your equipment,
require an adequate replacement or financial compensation for the
damage.  And if you're a US citizen, consider the possibility of a
class action lawsuit.


Re: Copy-Protected CDs (Bumgarner, RISKS-22.08)

<Sean A Dunn <sad@cyberlink.ch>>
Wed, 22 May 2002 15:22:32 -0400

I agree that it can be considered unfair to PC manufacturers that CDs are
being deliberately 'corrupted' in the name of Copy Protection. However, I am
not convinced that liability should be considered to be anywhere other than
with the PC hardware/software manufacturers when the PC crashes/freezes.

Why shouldn't either the hardware or OS handle the error when the CD is
corrupted?  After all, corruption could happen for other reasons. Even
though it is extremely unlikely that a dirty/scratched/faulty CD will
contain the stream of bits that cause the current problems, there should
never be a case that can't be handled by the combination of PC hardware and
operating system.

The good news for consumers: Surely it can't be long before PCs simply
ignore the 'error' and carry on...


Re: Copy-Protected CDs (Bumgarner, RISKS-22.08)

<Russ Perry Jr <slapdash@enteract.com>>
Wed, 22 May 2002 21:28:19 -0500

I think in this case the liability is ENTIRELY in the hands of those making
the discs.

Anyone with a modicum of smarts will know that ONLY gas should go into the
gas tank.  And even though we call it toilet "paper", most know that only
"real" paper goes into a printer.

But who would suspect that a CD shouldn't go into a CD drive?  It's worse
than someone trying to throw in a Playstation disc or a DVD.  Even BY NAME
it's the same thing.  Unless there's a warning on the disc, and in big
print, the people making the discs are simply inviting trouble and
encouraging consumer problems.  That ain't right.

And I'm sitting here facing the old Mac that IS my CD player; haven't ripped
a single song with it, or my newer Mac, which would probably be my new CD
player if the built-in speakers were better.  So if one of these discs
messes up my computer, when I had no intention or violating copyright law,
you'd better believe that I'm not going to be happy at all.

How can you tell the regular CDs from these killer CDs?

Russ Perry Jr   2175 S Tonne Dr #114   Arlington Hts IL 60005
847-952-9729    slapdash@enteract.com


Re: Apple: break your new PC with a copy-protected CD ... (R 22 07)

<Martin.Ward@durham.ac.uk (Martin Ward)>
Thu, 23 May 2002 10:02:07 +0100 (BST)

Who's fault is it if a service station starts selling petrol (gas)
containing a significant percentage of sugar solution?  Especially if said
garage does not give any indication that their product is any different from
that which is for sale at every other station?

Note that these copy-protected CDs are deliberately designed *not* to work
in a PC. If the PC manufacturer "fixes" their machines so that the CDs
*will* work, then they will be in violation of the DMCA.

Martin.Ward@durham.ac.uk http://www.cse.dmu.ac.uk/~mward/ Erdos number: 4


Re: More on Klez (Mech, RISKS-22.07)

<brennan@columbia.edu (Joseph Brennan)>
23 May 2002 11:49:44 -0400

> To my experience, the Return-Path header generally contains the infected
> person's address, or enough of a clue that you can narrow down the
> listmember[0] who _might_ be infected.

I have yet to see a single case where the Return-Path (that is, the smtp
"mail from:") is the real sender.  On the contrary, we are rejecting 400,000
relay attempts a day pretending to be our users sending mail.  When we
detect campus hosts sending Klez, the logged "mail from:" has never been the
address of the owner of the PC.

The biggest fallout problem is anti-virus programs smart enough to recognize
Klez but not smart enough to know the sender is always faked.  For Klez,
sending a "helpful" notice to the apparent sender is a really bad idea.  It
adds to the problem, not to the solution.  The only useful notice would be
to postmaster or abuse at the host that sent the message.  We can filter
Klez; it is almost impossible to filter the varying notices that anti-virus
programs send, so they ironically are now the biggest headache for support
staff.

Joseph Brennan  Postmaster  Academic Information Systems
Columbia University in the City of New York  postmaster@columbia.edu


REVIEW: "Cyber Forensics", Albert J. Marcella/Robert S. Greenfield

<Rob Slade <rslade@sprint.ca>>
Mon, 20 May 2002 20:25:10 -0800

BKCYBFOR.RVW   20020319

"Cyber Forensics", Albert J. Marcella/Robert S. Greenfield, 2002,
0-8493-0955-7, U$49.95
%E   Albert J. Marcella
%E   Robert S. Greenfield
%C   823 Debra St, Livermore, CA   94550
%D   2002
%G   0-8493-0955-7
%I   Auerbach Publications
%O   U$49.95 +1-800-950-1216 auerbach@wgl.com orders@crcpress.com
%P   443 p.
%T   "Cyber Forensics: A Field Manual for Collecting, Examining, and
      Preserving Evidence of Computer Crimes"

The introduction to this book emphasizes the fact that this is a field
manual, designed for quick reference, and not a textbook for study.
Unfortunately, the authors seem to have taken this as licence to throw in
all manner of random text and documents, without much structure or thought
for the user.

Section one outlines the various aspects of cyber forensics, according to
the book's definition.  Chapter one is entitled "The Goal of the Forensic
Investigation," but the actual contents offer both more and less than that.
The chapter starts with a few possible specific investigations, and provides
directions on initial questions to ask.  When the material moves to more
general discussion of investigations, it becomes vague, and loses utility.
Non-liturgical investigation (one that is not expected to end up in court)
is examined in chapter three, even though the text admits that the procedure
should be the same whether you expect to end in court or not: just collect
everything you can.  The content is limited to Windows, and specifically to
the use of Internet Explorer.  Much the same, with a little additional
material on the Registry and event log, is done with liturgical
investigations in chapter three.  A repetition of the same information about
Internet Explorer cache and cookies is found in chapter four.  Chapter five
describes nmap, and its author, in some detail, and then lists a number of
other UNIX utilities.  The broadest possible interpretation of intrusion
investigation is discussed in chapter six, and, again, the advice boils down
to the importance of careful collection of all possible information.
Chapter seven outlines rules of and considerations for evidence in US courts
of law.

Section two expands on this last chapter, looking at US (and supposedly
international) statutes.  Chapter eight examines US law regarding the
admissibility of evidence intercepted from communications or recovered from
seized computers.  Changes to the US National Information Infrastructure
Protection Act, and an editorial stating that cybercrime is bad, are given
in chapter nine.  The preamble to, and some questions about, a draft of the
Council of Europe Convention on Cybercrime, are reproduced in chapter ten.
Chapter eleven contains random comments on privacy.  US Presidential
Decision Directive 63, calling for a plan for protection of information
infrastructure, and a speech justifying the use of Carnivore are reprinted
in chapter twelve.  Chapter thirteen replicates an overview of US Public Law
106-229 on electronic signatures (E-SIGN) as well as a number of other
pieces relating to electronic commerce.  Legal considerations in providing
the electronic systems mandated by the US government paperwork reduction act
are discussed in chapter fourteen.  Speeches and comments on the US
government's attitude towards encryption ore given in chapter fifteen.
Chapter sixteen looks at various pieces of US legislation related to
copyright.

Section three concerns tools for forensic investigation.  Chapter seventeen
discusses such tools in a very generic way, and then briefly lists a number
of specific programs.  There is a two page list of FBI office phone numbers
in chapter eighteen, which is supposed to guide you in reporting
Internet-related crime.  Chapter nineteen is a simplistic four page list of
questions to ask when conducting a computer audit.

This is definitely not a field manual.  It offers almost no practical advice
on collecting evidence from computers: if the material in this book is
helpful to you, you have too little knowledge of the technology to have any
business being engaged in computer forensics.  The most valuable part of the
book involves the collection of documents regarding US computer related
legislation, but that would be of interest only to American lawyers.  It
would be difficult to recommend this work to anyone else.  Even security
personnel wanting a background on US federal legislation might be advised to
look elsewhere, since the lack of structure and analysis in the book makes
it very hard to read.

copyright Robert M. Slade, 2002   BKCYBFOR.RVW   20020319
rslade@vcn.bc.ca  rslade@sprint.ca  slade@victoria.tc.ca p1@canada.com
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

Please report problems with the web pages to the maintainer

Top