The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 95

Friday 10 October 2003

Contents

New breed of 'spackers' eludes antispammers
NewsScan
OCLC ILL System's rolls over 130th time...
Brig C. McCoy
SunnComm: DMCA strikes again
Peter Houppermans
SunnComm won't sue Princeton student over "shift key" paper
Declan McCullagh
Microsoft to fix Windows -- again
Gene Lambson
Winning the security trifecta
Jeremy Epstein
Something's fishy with Diebold in California
Craig DeForest
Data transfer Excel-COBOL loses voter data
Patrick O'Beirne
The shape of elections to come in England
C. Cartledge
Risks of living in New Mexico
Kent Hartfield
Re: Unencrypted credit-card submission forms
Jeffrey W. Baker
Re: Hidden risks: location dependence
Mark Brader
Re: Identity Denial really exists
Paul Wallich
Re: Too much spam filtering
John Bechtel
Observed sudden 1400-fold increase in W32/Swen infected e-mails
Jon Seymour
Re: Difficulties with Census Bureau income data
Tony Lima
Re: Getting over that fishbowl feeling
Identity withheld
Info on RISKS (comp.risks)

New breed of 'spackers' eludes antispammers

<"NewsScan" <newsscan@newsscan.com>>
Thu, 09 Oct 2003 09:35:20 -0700

Computer crackers have joined forces with spammers to devise new ways of
defrauding hapless Internet users.  The latest technique enables spammers to
create Web sites that are virtually untraceable, making it impossible for
antispammers to shut down those sites by conventional means.  Typical of the
scam is a group in Poland currently advertising "invisible bulletproof
hosting" for $1,500 a month, which provides its clients protection from
network sleuthing tools such as 'traceroute' and 'whois' by routing traffic
through thousands of hijacked computers (most of them home computers running
Windows and having broadband connections).  The technique is effective.
"You're not going to have much success trying to follow IP addresses through
hacked hosts," says one security researcher.  "About all you can do is follow
the money -- sign up for whatever it is they're selling and try to figure
out who's behind the whole thing." Fueling the new tactics is an influx of
"engineers who have been laid off or fired, and people who really know what
they're doing with networking and DNS," says Steve Linford, head of the
Spamhaus Project.  "Hackers used to detest spammers, but now that spamming
has become such a big business, it's suddenly cool to be a spammer."
[Wired.com 9 Oct 2003; NewsScan Daily, 9 Oct 2003]
  http://www.wired.com/news/business/0,1367,60747,00.html


OCLC ILL System's rolls over 130th time...

<"Brig C. McCoy" <brigc@world.std.com>>
Fri, 10 Oct 2003 15:38:34 -0500

The OCLC (Online Computer Library Center) Interlibrary Loan System is used
by many libraries around the world to facilitate interlibrary loan of
materials.

Unfortunately, the system display only shows record numbers up to 999999.

This means that, with OCLC ILL transaction 130,000,000 due to happen in a
few days, they will have rolled over 130 times without changing the system
to allow for an appropriate number of digits!

Brig C. McCoy, 4722 Oak St, Apt 1033, Kansas City, MO 64112
<http://www.theworld.com/~brigc>  1-816 885-2700   <BRIGC@WORLD.STD.COM>


SunnComm: DMCA strikes again

<Peter Houppermans <peter.houppermans@paconsulting.com>>
Fri, 10 Oct 2003 07:17:58 +0100

If I buy a door lock I'd be jolly grateful to find out that it takes a hairpin
+ primary school kid to break it (and I'd be rather annoyed with the
supplier).  But instead of said supplier fixing the problem - you guessed
it, they go and sue the person who told the world.

Same with SunnComm: a student discovers a simple bypass for their heavily
marketed "CD" protection - and hey, new, surprising move: they sue.

Register article "SunnComm to sue 'Shift key' student for $10m", URL
  http://theregister.co.uk/content/6/33322.html

Question: is this really the best way to rescue your reputation?
Answer: if you want to create the impression that you don't want to fix the
problem you couldn't have chosen a better route.

The longer I've been on the RISKS list, the more convinced I become that the
DMCA is a serious threat to security.  I'd like to hear of examples where it
has contributed to actual security rather than allowed security through
obscurity to prolong its life...

Peter Houppermans, PA Consulting Group, 123 Buckingham Palace Road
London  SW1W 9SR  +44 (0)20 7333 5303   http://www.paconsulting.com


SunnComm won't sue Princeton student over "shift key" paper

<Declan McCullagh <declan@well.com>>
Fri, 10 Oct 2003 14:25:01 -0400

SunnComm won't sue grad student, By Declan McCullagh, 10 Oct 2003
  http://news.com.com/2100-1027-5089448.html

In an abrupt reversal, SunnComm Technologies said Friday that it would not
sue a Princeton University graduate student who had published a paper that
describes how to bypass CD copy protection technology simply by pressing the
Shift key.  SunnComm had angrily assailed Princeton doctoral student John
"Alex" Halderman just a day before, claiming that his academic paper was "at
best, duplicitous and, at worst, a felony." The company had pledged to file
a civil suit against Halderman under the Digital Millennium Copyright Act
(DMCA) and lobby federal prosecutors to indict him on criminal charges.

Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)


Microsoft to fix Windows - again

<"Gene Lambson" <genengail@earthlink.net>>
Thu, 9 Oct 2003 16:19:50 -0500

According to NewScientist
http://www.newscientist.com/news/news.jsp?id=ns99994258
Microsoft is making some changes to "fix" security problems with Windows - I
quote: "The update will make a program more likely to crash than let a
hacker in, Oaken says."

How nice.  If you can't fix it make sure it breaks.  Good thing MS
doesn't give advice to the airline industry.


Winning the security trifecta

<Jeremy Epstein <jeremy.epstein@webmethods.com>>
Fri, 10 Oct 2003 09:24:17 -0400

Reported in all the media... "The U.S. Securities and Exchange Commission
has filed civil charges against a Pennsylvania man for computer hacking and
identity theft in a scheme last July to dump worthless options for Cisco
Systems Inc. stock" (Computerworld).  The story I heard on NPR is that he
sold "puts", and when they were about to close out and lose $37,000, he
decided to take action.  So he created a web site with a Trojan keyboard
logger, and enticed investors to visit his site with the promise of stock
charts.  Those who bit (and downloaded his Trojan) had their passwords &
account numbers stolen.  He then logged into one of the stolen accounts, and
transferred his (negative value) position to the victim.

Result: he's been indicted for securities fraud, hacking, and identity
theft... the first time (according to NPR) that all three have been brought
together... the "security trifecta".

The "moral" of the story given on NPR was that you should always check your
statements, so you catch unexpected transactions.  Seems to me that the
moral of the story is that managing your finances, or anything else
sensitive, using the Internet is inherently RISKy.  Customers are being told
that if they use SSL, everything is safe.  But as all of us know, all SSL
provides is a protected pipe, which can be used as effectively for attacks
as legitimate transactions.

The RISKS, as we say, are obvious.  But to tie it to Mercuri's comments on
California voting in RISKS 22.94 ... anyone who alleges that there's no
practical way to subvert Internet voting should take a look at this case,
assuming it's as claimed.  It's not hard to imagine an over-enthusiastic
campaign worker enticing voters to download a Trojan that causes votes to go
the "right" way... especially in an election with 135 candidates where
stranger things are happening every day.


Something's fishy with Diebold in California

<zowie@euterpe.boulder.swri.edu (Craig DeForest)>
Fri, 10 Oct 2003 09:19:56 -0600

Mark Crispin Miller asserted, on the basis of a statistical analysis of
California counties and vote distribution in the recent gubernatorial
circus, that votes appear to have been "skimmed" from front-running
contenders and redistributed to definite non-contenders in counties that use
Diebold voting machines.

 http://www.markcrispinmiller.blogspot.com/

Out of curiosity, I visited the California election-return website

 http://vote2003.ss.ca.gov/Returns/gov/00.htm#cty

and did a cursory analysis myself.  It appears that the sum of all the votes
for the sixth-runner through the bottom is not enough to change the outcome,
even if they were all assigned to Bustamante (the second-place candidate):
Schwarzenegger won by 1.3E6 votes, while all candidates below the top five
only garnered 2.2E5 votes.

Nevertheless, I agree with Mark that the per-county statistics look
very fishy: many of the minor candidates received a much higher
percentage of the vote in those counties with Diebold machines, and
the difference is strongly significant.


Data transfer Excel-COBOL loses voter data

<"Patrick O'Beirne" <mail2@sysmod.com>>
Fri, 10 Oct 2003 09:50:58 +0100

http://www.ddtonline.com/articles/2003/10/08/news/news2.txt
Officials begin affidavit count, By Amy Redwine / Delta Democrat Times

More than 1,600 affidavit ballots remain to be counted from Monday's
Democratic primary, Greenville election officials said this morning, when
officials began counting the affidavits in City Council chambers.

City Attorney Andy Alexander explained why there were so many affidavits.
He said the city had to go through a three-step process for elections: The
first part was getting the voting books from the county and checking them.
After that step was completed, the names were added to an Excel spreadsheet
in the city's computer.  "The information from Excel had to be entered into
another database, COBOL.  Apparently what happened is that when the rolls
were printed, all the information did not get transferred," Alexander said.
"Entire neighborhoods were left off of the voter rolls."

Patrick O'Beirne,  Systems Modelling Ltd., Villa Alba, Tara Hill, Gorey,
Co. Wexford, Ireland    http://www.sysmod.com  Tel. +353 55 22294


The shape of elections to come in England

<"C.Cartledge" <C.Cartledge@sheffield.ac.uk>>
Fri, 10 Oct 2003 16:02:47 +0100

Given the comments on the use of technology in US elections, readers may be
interested in the approach being recommended by the body responsible for
overseeing elections in England.  Hand counting of ballot papers is the norm
in England and is implicitly retained in the information referenced.

There is no mention of dedicated voting equipment, but there are innovations
such as:

  The roll-out of all-postal elections (The English are careful
  with their use of new technology - it is 163 years since the
  "penny post" was established here.)

  The use of watermarked ballot papers to replace the stamped
  official mark as proof of authenticity;

  Barcodes to replace serial numbers on ballot papers

All-postal voting should be made the norm at all local elections throughout
Great Britain, says The Electoral Commission in its evaluation of voting
trials at the May 2003 local elections in England[1]. In its independent
report, The shape of elections to come, the Commission also concludes that
further piloting of electronic voting is essential before setting a date for
an e-enabled general election.  ...  31 Jul 2003

See full press release at:
  http://www.electoralcommission.gov.uk/media-centre/newsreleasereviews.cfm/news/214

The English are careful with their use of new technology.  It is after all
just 164 years since the "penny post" was established here.


Risks of living in New Mexico

<"Hartfield, Kent" <kent.hartfield@lmco.com>>
Wed, 08 Oct 2003 07:31:45 -0500

  [The main risk of living in New Mexico is trying to make a phone purchase
  from another state and being told they don't ship to foreign countries,
  but that's another matter.]

Risks of Living in New Mexico?

This happened last week to a friend of mine in Taos, New Mexico.

Event one.  Friend gets purse stolen at school she teaches at.  Doesn't
report it for an hour thinking it was misplaced.

Event two.  She finally reports purse stolen.  Notifies one of two credit
card companies about theft, can't notify the second card company because she
can't remember who issued it (had the card for years but never used it).

Event three.  Wal-Mart calls and said the "unknown card" was used at their
store by a former employee.  Wants to know if she was authorized to do this.
Wal-Mart brought up to speed on events of the day.

Event four.  Now card issuer is known since Wal-Mart revealed it.  Friend
calls and cancels card.  Told many purchases are made on card around town.
Card cancelled.

Event five.  Find out that not only did cashier at Wal-Mart know the person
using stolen card, cashier also knew the real owner of the card, but didn't
make the connection since the card listed the first name but she knew the
owner only by her middle nickname. Small but slightly disconnected world.

Event six.  Go to Department of Motor Vehicles to get new driver's license.
Need Social Security card as identification, but that was stolen too.
Finally DMV acquiesces to accept passport.  Reports that person can't get
new driver's license since didn't have valid driver's license to start with
since not renewed two years ago.

Event seven.  Disagree with DMV clerk.  Clearly remembered renewing license
since did it same day husband renewed his.  Call husband to get day of
renewal off of his license.  Clerk reports husband doesn't have valid
renewed license either even though husband comes to office to display actual
license. Physical evidence does not take precedence over computer records.

Event eight.  Police not yet arresting "perp" for unauthorized use of credit
card even though recorded on video and ID'ed by clerk.  Police inform friend
and husband they are lucky they found out their drivers licenses were
invalid since they would have been arrested if stopped for any routine
traffic violation.

OK, so it took until Event Seven to get a computer risk out of this.  Still,
wasn't this a fun story?

  [They don't yet know why their licenses were not in the system, even
  though they were issued physical licenses.  KH]

Kent Hartfield, Lockheed Martin Missiles and Fire Control


Re: Unencrypted credit-card submission forms (Silverberg, R-22.92)

<"Jeffrey W. Baker" <jwbaker@acm.org>>
Thu, 09 Oct 2003 20:04:02 -0700

The "Snake Oil Ltd." certificate is indeed a testing certificate.
Specifically, it is the self-signed certificate generated by the
installation procedure of Apache-SSL.  The presence of this certificate does
not make your SSL connections less secure: they will still be encrypted and
therefore difficult to intercept or corrupt.

What the web server at "Linux Web Toast" is saying is "Our name is company
XYZ, just take our word for it."  Your software (the browser) is bringing
this to your attention because it is not configured to just take anybody's
word for anything.  A normal secure web server would say something like "Our
name is company XYZ according to VeriSign, Inc, and you can take their word
for it."  Your web browser is probably configured to automatically trust
VeriSign, Inc.

I hope you see the risks here.  Why would you trust VeriSign?  They are one
of the least trustworthy organizations I can think of.  See "VeriSign
responds with arrogance to Site Finder critics"
[http://www.siliconvalley.com/mld/siliconvalley/6960632.htm]
and "VeriSign settles FTC complaint"
[http://news.com.com/2100-1025-5081941.html].
Do you realize, when you are using your web browser, that you implicitly
trust this distant corporation?  Does the average user of the Internet have
any understanding of certificates and trust graphs?  Is there any particular
reason to trust VeriSign more than you trust, say, me, or your barber, or
the guy who lives around the corner?

A further risk is that VeriSign operates a toll gate to the Internet.  As
the previous correspondent has ably demonstrated, you must pay VeriSign to
sign your SSL certificate or you will lose customers.  In this way VeriSign
has electronic commerce cornered.

The final risk is that VeriSign acts as a single point of failure in the
trust system.  Anyone who compromises VeriSign's root private keys will be
able to issue legitimate-sounding certificates claiming to be anyone.
VeriSign has previously been tricked into issuing certificates in the name
of Microsoft Corp. and other entities [RISKS-21.29,30,32].

PS: I checked the certificate of linuxwebhost.com, and it appears to be
signed by Equifax, not self-signed.


Re: Hidden risks: location dependence (RISKS-22.85)

<msb@vex.net (Mark Brader)>
Fri, 10 Oct 2003 01:26:56 -0400 (EDT)

Another surprising location-dependency led to a key discovery in nuclear
physics, according to Richard Rhodes in "The Making of the Atomic Bomb"
(1986, Simon & Schuster, ISBN 0-671-44133-7).

In 1934, physicists Edoardo Amaldi and Emilio Segre were exposing samples of
various elements to streams of neutrons: they hoped for a reaction where the
neutrons would be captured, creating a new isotope that would be revealed by
its radioactivity.  This worked, but they found that the results varied
greatly according to *where in the lab* they did the experiment.

This was in Italy, where marble was cheap enough that some of the lab tables
were made of it.  And as it turned out, that was the difference: more
neutrons were captured when the experiment was done on a wooden table than a
marble one.

It was Enrico Fermi who figured it out: neutrons were captured more easily
if they were moving slower.  Wood, unlike marble, contains a substantial
proportion of hydrogen atoms, which are the right size to slow some of the
neutrons and deflect them back.  And in this way the concept of a moderator
for nuclear reactions was discovered.

(I suppose that in this particular case, some people may feel that
the Risk was that nuclear reactions *would* be discovered!)

  [Old item.  Catching up, thanks to Mark's prompt.  PGN]


Re: Identity Denial really exists (Clark, RISKS-22.93)

<Paul Wallich <pw@panix.com>>
Wed, 08 Oct 2003 09:49:01 -0400

Depending on what's meant by "cancel" this doesn't seem too uncommon or
unlikely.  Death certificates in many US states, for example, can be forged
with relatively basic tools, and some institutions don't require even that
level of proof.  And the corpse will find out only if they try to use some
service that depends on being officially alive.  (Some years back, I was
surprised to receive condolences from a pension-fund officer on the
ostensible demise of a sibling -- who was similarly surprised to hear of the
event.)


Re: Too much spam filtering

<John Bechtel>
Wed, 8 Oct 2003 10:07:07 +0100

I read with interest the item in RISKS-22.92 about spam filtering for good
e-mail, and note as well the comment about not trusting your ISP.  I have
recently had to change my ISP from AXX (name changed) because of their
aggressive spam filtering policy.  AXX advertise that they aggressively
filter spam, and equally go after spammers.  I applaud the attitude.  I
cannot applaud their mechanism.

After too many games of "Did you get my e-mail?"  ... "What e-mail?"
leading to missed appointments and what-have-you, I was told that 1) AXX was
spam filtering my e-mail even though I had set my account not to filter
anything, 2) I would not be allowed to see or change the policies used to
decide what was spam and what wasn't, 3) It was not possible for me to see
what was being "filtered" in order to rescue it, and 4) Filtering could not
be turned off.  After I gave them a list of addresses that I knew were being
blocked I was told that AXX had detected spam from their ISPs... not my
people specifically, just the ISP.  I was told it was best for me to contact
those people's ISPs to ask the ISPs to stop allowing spam.  Only then would
AXX stop deleting my e-mail.  BTW, I don't consider that AXX was filtering
my e-mail...  they were deleting it, at random, without notice.

They produced some discussion about possibly being able to selectively allow
specific addresses, in the concept of allowing known addresses through, but
were not sure it would work, and of course that would not solve the problem
of e-mails from third parties that I do want being filtered never to be seen
again.

I believe some new versions of AXX can allow users more control since
then, but I was not told about that at the time (1 month ago), nor am I
sure now, nor do I care.

John Bechtel, 1 Farnham Road, Guildford, Surrey, UK, GU2 4RG


Observed sudden 1400-fold increase in W32/Swen infected e-mails

<Jon Seymour <jon.seymour@acm.org>>
Thu, 09 Oct 2003 04:10:21 +1000

I'd like to draw attention to a phenomenon associated with the W32/Swen
worm with which I have just painfully become acquainted.

At 10pm, October 7 Sydney time (12pm October 7 GMT), I noticed a sudden
increase in the number of W32/Swen-infected e-mails that my spam filter was
detecting.

To put the increase in perspective: between September 23 and October 7, I
had received 12 e-mails infected with W32/Swen.  With each e-mail weighing in
at roughly 145kB, that's around 6kB per hour over 298 hours.  Irritating, but
tolerable.  Starting at 10pm October 7, I started receiving one of these
145kB e-mails every 6 minutes.

That's a 1400-fold increase in the rate of W32/Swen-infected e-mails hitting
my inbox.

And as I write this, over 28 hours later -- it still hasn't stopped.  I am
still receiving infected e-mails -- from a wide variety of different hosts
-- at roughly the same rate as when the deluge started at 12:00 GMT on 7
Oct.  That's an inbound rate of 38MB in one day.  If it keeps going at this
rate, my mail box will receive about 1GB of this stuff each month.

Some points of note:

  * The e-mails appear to originate from random ISP accounts around the
    world.
  * There is no reason to believe that my e-mail address was harvested from
    the local address books of these machines -- suggesting that these
    zombies are acquiring their address lists from some external agency.
  * Each account is responsible for a small number (usually < 3, always less
    than 6) e-mails.
  * From my perspective, this is not an exponential growth characteristic -
    more of a step - suggesting that these infected hosts were "switched on"
    at 12:00 GMT, perhaps because my e-mail address was added to some pool
    of addresses at that time.

So, the lesson here is: even if you keep your virus software up to date,
discard all suspicious e-mail, don't use peer-to-peer software, install a
personal firewall, yada, yada, yada you can still fall victim to a worm
created by a suitably deranged mind.

  [Added note, Fri, 10 Oct 2003 08:38:59 +1000:]

I understand what the trigger for the deluge was now.  Unfortunately, I
hadn't read:
  http://www.f-secure.com/v-descs/swen.shtml
If I had, I would have realised that a post to USENET would have this
effect.

So, it would appear that, if the consequence of posting to USENET is to
provision oneself with a 38MB/day stream of virus-laden spam, it would then
seem that USENET is now effectively, finally, dead.


Re: Difficulties with Census Bureau income data (Mannes, RISKS 22.93)

<Tony Lima <TonyLima2@att.net>>
Thu, 09 Oct 2003 15:15:53 -0700

  [I took the liberty of asking my colleague Dr. Nan Maxwell about this
  issue.  Her reply is below (forwarded with her permission, naturally).
  Dr. Maxwell is Director of the Human Investment Research and Education
  Center at California State University, Hayward.  She is also Professor of
  Economics and a respected researcher into the relationship between
  demographics and economics.  Tony Lima]

Thu, 09 Oct 2003 08:54:02 -0700, "Nan Maxwell" <nmaxwell@csuhayward.edu>

The census has always capped income figures (as the article notes) for
reasons of confidentiality -- if there are 26 people in the US making over $1
million and you know their gender, race, place of residence, industry,
occupation, etc., you can pretty much guess who they are.  When I first
started in this business the cap was $100,000!!!  The cap has always been the
source of discussion like the one below, but confidentiality always
wins.  (And I guess I believe it should.)  The real question (in my mind)
is... has the cap become more constraining over time?

Nan L. Maxwell, Co-Chair and Professor of Economics and Executive Director,
HIRE Center, Cal State University, Hayward College of Business and Economics
25800 Carlos Bee Blvd., Hayward, CA 94542 510.885.3191


Re: Getting over that fishbowl feeling (Smith, R-22.94)

<[Identity withheld by request]>
10 Oct 2003 09:02:18 -0400

> A piece of evidence he presented to support this was a set of estimates of
> the street value of ID information: $1 for a valid card number, $5-10 for
> one with personal info to back it up (name, addr, etc), and $10-15 if it
> includes the CVV2 number from the back ...

The numbers are high, by about three orders of magnitude.  The normal way to
quote prices of stolen credit card numbers is for a thousand.  Prices such
as $10 to $60 per 1000 numbers are not unusual (the price depends on the
presence of billing information and CVV2 code, but mostly on the
pseudonymous reputation of the seller).  It is easy to purchase the numbers
on the net anonymously (but credit card payment will not be accepted).
