The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 97

Thursday 23 October 2003

Contents

Computers may be bad for your health
NewsScan
Recent London power outage
Peter Amey
Justice Department e-censorship error
Kevin Poulsen via jones-gill
RISKS Offshore: A tough lesson on medical privacy
David Lazarus via Scott Miller
"Victoria's Secret Reaches a Data Privacy Settlement"
Drew Dean
First DEWEY DEFEATS TRUMAN, and now YANKEES LOSE!
Mark Brader
Discover cancels 60,000 accounts
Charlie Shub
Nokia and mobile-phone battery explosions
Monty Solomon
Teen rides Trojan Horse defense
Keith Rhodes
Feds admit error in hacking conviction
Robert Lemos via ikanal
Digital signatures: When will they learn?
Jeremy Epstein
Senate votes to can spam
NewsScan
Re: Difficulties with Census Bureau income data
Patrick J. Kobly
Re: Fun with stolen credit-card numbers
Dimitri Maziuk
Re: And I thought I had it bad...
Anthony W Youngman
Re: The Joy of Good Design
Debora Weber-Wulff
Info on RISKS (comp.risks)

Computers may be bad for your health

<"NewsScan" <newsscan@newsscan.com>>
Thu, 23 Oct 2003 09:39:21 -0700

Nine out of 10 computer users are stressed out by such regular occurrences
as performance slowdown, spam overload and lost files, and the time wasted
fixing problems just makes it worse, according to security firm Symantec.
Anger management experts say computer stress must be alleviated before it
affects productivity and human-to-human interactions. "If you are suffering
from stress, the best thing to do is to breathe deeply, and remind yourself
to keep your cool," says Mike Fisher, of the British Association of Anger
Management. The top five stress triggers, according to Symantec, are: 1)
Slow performance and system crashes; 2) Spam, scams and e-mail overload; 3)
Pop-up ads; 4) Viruses; and 5) Lost or deleted files. Men tend to freak out
over viruses, spam and general information pollution, while crashing systems
and sluggish performance really irk women. More than a third of both sexes
will resort to extreme behavior during computer-related meltdown, including
violence, swearing, showing and desperately hitting random keys. The good
news is that 40% will actually try to fix the problem, often asking someone
else for help. Symantec's Kevin Chapman suggests a few ways to reduce the
potential for problems: "For example, don't download lots of large files and
applications, and remove the clutter left behind by long periods on the
Internet. To avoid spam, don't sign up for lots of mailing lists, and if you
do receive spam-mail, never reply to it asking to be removed from the list
as this will confirm your e-mail address." [Eds. Note: NewsScan never, ever
shares your e-mail addresses with *anyone*, so we hope you'll stay on *our*
list.]  [BBC News 23 Oct 2003; NewsScan Daily, 23 Oct 2003]
  http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/3204719.stm


Recent London power outage

<"Peter Amey" <peter.amey@praxis-cs.co.uk>>
Mon, 20 Oct 2003 09:49:36 +0100

The London power cut that followed shortly after the great New York
blackout, was quickly blamed on an unforeseeable chain of events including
the fitting of an incorrect valued relay (widely reported as a "fuse").  It
has now emerged that the root cause, the one which led to reliance on the
incorrect relay and the power loss, was simple, old-fashioned poor
maintenance.

The chain of events started when a sub-station transformer alarm sounded.
The problem at this transformer turns out to have been an oil leak which had
been noticed and reported but not dealt with.  A power company spokesman
said on the BBC news that they couldn't necessarily take a transformer out
of service as soon as a problem like this was found but, instead, had a
system of managing the leak until it was convenient to correct the problem
permanently.  The problem in this case was that the leak wasn't managed (the
request having passed into a planning centre described by one contributor as
a "black hole"), the oil ran out, the alarm sounded, the transformer was
switched out and the incorrect relay failed.

The risk I think is the rush to blame unforeseeable chains of events and
freak failures rather than to admit to failures of basic preventive
maintenance.

  http://news.bbc.co.uk/1/hi/england/london/3199594.stm
  http://news.bbc.co.uk/1/hi/england/london/3199784.stm

Peter Amey, Principal Consultant, Praxis Critical Systems, 20, Manvers St.
Bath, BA1 1PX UK   +44 (0)1225 466991  www.praxis-cs.co.uk  www.sparkada.com


Justice Department e-censorship error (Kevin Poulsen)

<<jonesgill@jones-gill.co.uk>>
Thu, 23 Oct 2003 06:19:33 -0000 (GMT)

Justice e-censorship gaffe sparks controversy
By Kevin Poulsen, SecurityFocus
Posted: 23/10/2003 at 09:37 GMT
Taken from www.theregister.co.uk
(http://www.theregister.co.uk/content/55/33549.html)

A government watchdog group Wednesday accused the Justice Department of
improperly censoring portions of a key report on internal workplace
diversity, after online activists successfully unmasked the blacked-out
portions of an electronic copy of the document.

The 186-page report was released to the public under the Freedom of
Information Act last week and posted to Justice Department's Web site in
Adobe's "Portable Document File" (PDF) format. But the department blacked
out vast portions of the document's text, citing an exemption to FOIA that
permits agencies to keep internal policy deliberations private.

The text didn't stay concealed for long. On Tuesday a Web site called the
Memory Hole, dedicated to preserving endangered documents, published a
complete version of the report, with the opaque black rectangles that once
covered half of it completely removed. Memory Hole publisher Russ Kick won't
say how he unmasked it, but experimentation shows that the concealed text
could be selected and copied using nothing more than Adobe's free Acrobat
Reader. Once copied, the text is easily pasted into another document and
read.

It turns out the report began its life as a Microsoft Word document, and
whoever was in charge of sanitizing it for public release did so by using
Word's highlight tool, with the highlight color set to black, according to
an analysis by Tim Sullivan, CEO of activePDF, a maker of server-side PDF
tools. The simple and convenient technique would have been perfectly
effective had the end product been a printed document, but it was all but
useless for an electronic one. "Using Acrobat, I'm actually able to move the
black boxes around," says Sullivan. "The text is still there."

In 2000, *The New York Times* made a similar error in publishing on its
Web site a classified CIA file documenting American and British officials'
engineering of the 1953 coup that overthrew Iran's elected leadership.
Before releasing the document as a PDF file, the paper blacked out the names
of Iranians who helped with the plot. But online intelligence archivist John
Young published an unsanitized version of the report after discovering that
the opaque black lines and boxes concealing the names could easily be
removed.

Both cases demonstrate that what you see is not always what you get in
electronic documents. Censors could have more effectively eliminated the
text by deleting it, rather than painting it over. Additionally, commercial
software is available that's designed specifically to help government
agencies redact PDF files for release under FOIA and the Privacy
Act. Pennsylvania-based Appligent even sells its "Redax" Acrobat plug-in to
the Justice Department. "The amazing thing is that there are different
divisions in the Department of Justice that are using our software, so it's
a little shocking that they would do this in Word," says company president
Virginia Gavin.

Denuded of its censorious kludgework, the report -- produced last year by
KPMG -- reveals much about the Justice Department's gender and ethnic
diversity issues. But, significantly, it also shows that the department is
overly aggressive in cutting documents for public release, according to the
Federation of American Scientists (FAS). On Wednesday FAS wrote a letter to
the Justice Department's Office of the Inspector General -- the DoJ's
internal investigators -- urging a full investigation into officials'
"unauthorized withholding of information."

"Too much information was withheld," says FAS's Steven Aftergood.
"Information that was purely factual was censored as if it were
deliberative...  We want agencies to be able to discuss different policy
options and to make recommendations outside of a charged political
environment, and the deliberative exemption allows them to do that. But the
exemption does not apply to factual material."

For example, a section of the text notes, "sexual harassment is not
perceived by attorneys to be a problem in the Department, but racial
harassment is." That should never have been cut from the public version,
says Aftergood. "That's something that ought to be made publicly available."

Much, if not most, of the scores of blacked out pages should have been
released under law, Aftergood says. He credits the PDF blunder with exposing
a systemic problem in the Justice Department's FOIA compliance, and he hopes
an internal review will result in an overhaul of the system.  A Justice
Department spokesman declined to comment on the matter, and the
almost-censored document disappeared from the department's Web site Wednesday
afternoon.  oops!
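The failure mode the article describes, as an added example that is not from the article, the Justice Department, or any of the tools named: a pre-release audit over a PDF page content stream. The stream is constructed inline (its sentence is a made-up stand-in for the report's text), only the simple text-object shape shown is recognised, and real PDFs usually carry Flate-compressed streams that a tool would have to inflate first.

```python
"""Audit a PDF page content stream for text that is painted over rather than removed."""
import re

# Constructed sample page content stream (not from any real file).  It mimics a
# Word -> PDF export in which "redaction" was a black highlight: the text is drawn
# normally with Tj, then a black-filled rectangle (0 0 0 rg ... re f) is painted on top.
SAMPLE_STREAM = """
BT /F1 12 Tf 72 700 Td (Racial harassment is perceived to be a problem.) Tj ET
0 0 0 rg 70 696 300 16 re f
BT /F1 12 Tf 72 680 Td (This sentence was never censored.) Tj ET
"""

# Only the simple text-object shape used above is recognised:
#   BT /Font size Tf x y Td (string) Tj ET
TEXT_RE = re.compile(
    r"BT\s+/\S+\s+[\d.]+\s+Tf\s+([\d.]+)\s+([\d.]+)\s+Td\s+"
    r"\(((?:\\.|[^\\)])*)\)\s*Tj\s+ET"
)
# A black fill colour followed by a filled rectangle: x y width height.
BOX_RE = re.compile(r"0\s+0\s+0\s+rg\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+re\s+f")


def text_objects(stream):
    """Return (x, y, string) for every recognised text object in the stream."""
    return [(float(m.group(1)), float(m.group(2)), m.group(3)) for m in TEXT_RE.finditer(stream)]


def black_boxes(stream):
    """Return (x, y, w, h) for every black-filled rectangle in the stream."""
    return [tuple(float(v) for v in m.groups()) for m in BOX_RE.finditer(stream)]


def _under_box(x, y, boxes):
    return any(bx <= x <= bx + bw and by <= y <= by + bh for bx, by, bw, bh in boxes)


def covered_text(stream):
    """Strings whose text origin lies inside a black box: hidden on screen, still in the file."""
    boxes = black_boxes(stream)
    return [s for x, y, s in text_objects(stream) if _under_box(x, y, boxes)]


def really_redact(stream):
    """Delete, rather than paint over, every text object that sits under a black box.

    The rectangles are kept so the page still shows where material was removed.
    """
    boxes = black_boxes(stream)

    def drop_if_covered(m):
        return "" if _under_box(float(m.group(1)), float(m.group(2)), boxes) else m.group(0)

    return TEXT_RE.sub(drop_if_covered, stream)


if __name__ == "__main__":
    print("text still present under black boxes:", covered_text(SAMPLE_STREAM))
    print("after deleting it:", covered_text(really_redact(SAMPLE_STREAM)))
```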


RISKS Offshore: A tough lesson on medical privacy (David Lazarus)

<Scott Miller <SMiller@unimin.com>>
Thu, 23 Oct 2003 11:56:32 -0400

"Lazarus at large", David Lazarus, *San Francisco Chronicle*, 22 Oct 2003

"Your patient records are out in the open... so you better track that
person and make him pay my dues."

A woman in Pakistan doing cut-rate clerical work for UCSF Medical Center
threatened to post patients' confidential files on the Internet unless she
was paid more money. To show she was serious, the woman sent UCSF an e-mail
earlier this month with actual patients' records attached.
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2003/10/22/MNGCO2FN8G1.DTL

  [Just one of the risks of outsourcing.  PGN]


"Victoria's Secret Reaches a Data Privacy Settlement"

<Drew Dean <ddean@csl.sri.com>>
Tue, 21 Oct 2003 14:37:41 -0700 (PDT)

That fabulous headline appeared in *The New York Times* online.  Quick
summary: Their Web site had a security problem whereby anyone could check on
the status of anyone else's order, although they could _not_ get credit card
information.  Given the nature of the store, this is even more problematic
than usual.  Victoria's Secret paid a fine ($50K) without admitting guilt.
Interestingly enough, this happened under consumer protection laws, because
Victoria's Secret violated their own privacy policy.  Two good quotes -- the
opening line: "There's private, and then there's private." and "'The core of
it is, what do people expect will be kept secret? And of course when you're
dealing with Victoria's Secret, you expect that a lot will be kept secret.'"

Full story:
  http://www.nytimes.com/2003/10/21/technology/21priv.html


First DEWEY DEFEATS TRUMAN, and now YANKEES LOSE!

<msb@vex.net (Mark Brader)>
Fri, 17 Oct 2003 16:57:06 -0400 (EDT)

The morning after the New York Yankees beat the Boston Red Sox to win the
2003 American League baseball pennant, early editions of the *New York Post*
included an editorial bemoaning that the Yankees had lost.  Apparently TWO
versions of the editorial had been prepared, one for each eventuality, and
the wrong one was published -- reportedly because someone hit "the wrong
button."  The AP item in the *NYTimes* began with ``The curse of the Bambino
[Babe Ruth, erstwhile Red Sox pitcher, for non-baseball fans!] struck the
*New York Post*, too.''  ["NY Post Editorial Says Yankees Lost", 17 Oct
2003; PGN-ed]
  http://www.nytimes.com/aponline/national/AP-Post-Yankees-Editorial.html
  ?ex=1067422908&ei=1&en=97f6f670437f48ef


Discover cancels 60,000 accounts

<Charlie Shub <cdash@ludell.uccs.edu>>
Wed, 22 Oct 2003 13:07:19 -0600 (MDT)

On 15 Oct 2003, I received an e-mail from discover saying
  Your Discover(R) Card account is part of a group of accounts whose
  information may have been illegally obtained by unauthorized persons. As a
  protective measure, we will be issuing you a new account number. We
  believe this proactive step is necessary to protect your account from
  potential fraud activity.

After a heated conversation with the people at the other end of their 800
number, they agreed to keep my particular card active through the weekend as
I was leaving on a trip early the following morning.  They also assured me
that in the interval between when the account was turned off and the new
cards arrived, they would be able to authorize individual purchases via a
manual override process.  That statement proved to be false.

charlie shub   University of Colorado at Colorado Springs
cdash@cs.uccs.edu  http://cs.uccs.edu/~cdash  1-719-262-3492


Nokia and mobile-phone battery explosions

<Monty Solomon <monty@roscom.com>>
Fri, 17 Oct 2003 08:00:47 -0400

     Nokia Recommends Using Only Original Batteries with Nokia
     Products; All Investigated Mobile Phone Battery Explosions Caused
     by Non-Original Batteries
     - Oct 17, 2003 07:23 AM (BusinessWire)

Recently, in the Netherlands a battery used in a Nokia 7210 mobile phone
exploded.  An investigation by Nokia experts clearly proved that the battery
involved in the incident was not a Nokia battery.

Over the past months, cases have been reported of non-original mobile-phone
batteries exploding, causing damage to both batteries and phones. In all the
reported cases, the battery has been a non-original battery. Nokia offers
its cooperation to authorities in taking legal measures available against
those who sell and distribute poor quality non-original mobile phone
enhancements compatible to Nokia products.

In general, the reported incidents are due to an internal short circuit. An
internal short circuit can be caused by careless design, an uncontrolled
production process or a combination of both. Original Nokia batteries and
chargers are designed and manufactured adhering to stringent safety and
quality measures. These include very strict requirements regarding the
materials and insulation used inside the batteries as well as continuous
production control and intensive product testing.  ...

  http://finance.lycos.com/home/news/story.asp?story=36124379


Teen rides Trojan Horse defense

<rhodesk@gao.gov>
Fri, 17 Oct 2003 09:28:31 -0700 (PDT)

A UK teen, accused of launching a DDoS attack, was acquitted as a jury
apparently believed his explanation that a hacker had exploited his computer
with a Trojan Horse.  [Source: Munir Kotadia, zdnet]
  http://zdnet.com.com/2100-1105-5092745.html?tag=sas_email


Feds admit error in hacking conviction

<notsp_ikinal@ieee.org>
Fri, 17 Oct 2003 06:35:26 -0700 (PDT)

Federal prosecutors asked an appeals court to reverse a computer-crime
conviction that punished a California man for notifying a company's
customers of a flaw in its e-mail service.  Bret McDanel had already served
his 16-month sentence, and is on supervised release with curtailed computer
access.  The original conviction resulted from McDanel having notified
customers of Tornado Development (subsequently defunct) that their e-mail
was susceptible to attack.  An appeal was filed by Jennifer Granick in
Stanford's Law School.  [Source: Robert Lemos, zdnet, 16 Oct 2003; PGN-ed]
  http://zdnet.com.com/2100-1105-5092697.html?tag=sas_email


Digital signatures: When will they learn?

<Jeremy Epstein <jeremy.epstein@webmethods.com>>
Thu, 23 Oct 2003 14:20:25 -0700

Microsoft has a deal with the US Postal Service for Office 2003 where USPS
will store a permanent record of a document, so anyone can validate the
document for the next seven years.  The goal is "to sign and secure
documents in a way that is legally binding".  The record (which is
presumably a signed hash) includes "a unique time- and date-stamped record
based on the file's exact content".  Sounds good... an unbiased third party
is part of what you need.

However, there are problems:

* WYSMNBWYS: What You Sign May Not Be What You See.  Small fonts, hidden
  data, bits & pieces of deleted stuff lying around, etc.  'nuff said,
  especially given the legacy of examples in RISKS.

* Incompatibility: How often has Microsoft introduced a version of Office
  that was compatible with any other version?  Never!  So why should we
  believe you'll be able to verify one of these signed
  documents... especially for the next seven years?  Or that it'll look like
  the document that was "signed"?  C'mon!

* What safeguards this repository against tampering?  If I can modify the
  document and the repository's view of what was signed, I can change
  history.

  http://www.computerworld.com/securitytopics/security/story/
  0,10801,86300,00.html?nas=SEC2-86300


Senate votes to can spam

<"NewsScan" <newsscan@newsscan.com>>
Thu, 23 Oct 2003 09:39:21 -0700

The U.S. Senate has unanimously approved the "Can Spam" bill, sponsored by
Sens. Conrad Burns (R-Mont.) and Ron Wyden (D-Ore.), which would ban the
sleaziest techniques used by spammers to spew out millions of junk e-mail
messages each day. Under the provisions of the bill, senders of unsolicited
e-mail would be prohibited from disguising their purpose by using a fake
return address or misleading subject line, and would no longer be allowed to
harvest e-mail addresses off the Web to bulk up their lists. In addition,
junk e-mail would be required to include a legitimate "opt out" function
that recipients could use to get off lists. A provision proposed by
Sen. Charles Schumer (D-N.Y.) authorizes the Federal Trade Commission to
establish a "do-not-spam" list, similar to the recently implemented
"do-not-call" list that blocks telemarketing calls. "Kingpin spammers who
send out e-mail by the millions are threatening to drown the Internet in a
sea of trash, and the American people want it stopped," said Wyden, who
urged foreign countries to adopt similar measures.  [AP 23 Oct 2003;
NewsScan Daily, 23 Oct 2003]
  http://apnews.excite.com/article/2031023/D7UBQISG0.html


Re: Difficulties with Census Bureau income data (Lima, RISKS-22.95)

<"Patrick J. Kobly" <patrick@kobly.com>>
Tue, 14 Oct 2003 17:31:34 -0600

Tony Lima <TonyLima2@att.net> relayed comments from Dr. Nan Maxwell that:

> The census has always capped income figures (as the article notes) for
> reasons of confidentiality.--if there are 26 people in the us making
> over $1 million and you know their gender, race, place of residence,
> industry, occupation, etc. you can pretty much guess who they are.

This is a red herring.  There really is no (or minimal) privacy risk at the
data-collection side of things.  These privacy concerns (while very real)
shouldn't be dealt with with this kind of gross clipping at collection-time,
but rather with reasoned bucketing schemes at aggregation and reporting
time.

Once the data is collected, the census bureau then can do bucketing based on
the character of the data - there is plenty of academic work on this subject
and market researchers have been doing this for years -- such that we don't
report on buckets small enough to individually identify people.  There are
issues that arise, including methods to infer numbers in an intersection of
two aggregation queries where just requesting the intersection yields
unreportable (for privacy reasons) numbers, but these issues can be
addressed with careful analysis.

Even if the data is reported in unaggregated form (ie. some complete
individual surveys are shown), bucketing of answers can still have an
anonymizing effect...

There are a number of ways of dealing with confidentiality issues without
killing the quality of your data.
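Kobly's point about bucketing at reporting time, as an added example with constructed counts (not Census Bureau data or method): a two-way count table with a minimum cell size, a check for the single-hidden-cell differencing he alludes to, a complementary-suppression fixpoint that blocks it, and coarser buckets as the alternative that loses less data. The threshold and the industry/income labels are assumptions.

```python
"""Small-cell suppression versus coarser bucketing for a two-way count table."""

ROWS = ["retail", "finance", "tech"]          # assumed row dimension: industry
COLS = ["<50k", "50k-200k", ">200k"]          # assumed column dimension: income bucket
MIN_CELL = 3                                  # assumed publication threshold

# Constructed counts of respondents per (industry, income bucket); not real data.
COUNTS = {
    ("retail", "<50k"): 40, ("retail", "50k-200k"): 12, ("retail", ">200k"): 1,
    ("finance", "<50k"): 15, ("finance", "50k-200k"): 20, ("finance", ">200k"): 9,
    ("tech", "<50k"): 10, ("tech", "50k-200k"): 25, ("tech", ">200k"): 2,
}


def lines(rows, cols):
    """Every row and every column, each as the list of cells its published total covers."""
    return [[(r, c) for c in cols] for r in rows] + [[(r, c) for r in rows] for c in cols]


def primary_suppression(counts, min_cell):
    """Cells too small to publish: a count of 1 or 2 plus public attributes points at a person."""
    return {cell for cell, n in counts.items() if n < min_cell}


def recoverable(suppressed, rows, cols):
    """Suppressed cells a reader gets back by subtracting published cells from a published marginal.

    Only the simple differencing case (one hidden cell per row or column) is checked; a full
    audit would solve the whole system of marginal equations for bounds on every hidden cell.
    """
    found = set()
    for line in lines(rows, cols):
        hidden = [cell for cell in line if cell in suppressed]
        if len(hidden) == 1:
            found.add(hidden[0])
    return found


def complementary_suppression(counts, suppressed, rows, cols):
    """Hide extra cells until no row or column has exactly one suppressed cell."""
    suppressed = set(suppressed)
    changed = True
    while changed:
        changed = False
        for line in lines(rows, cols):
            hidden = [cell for cell in line if cell in suppressed]
            if len(hidden) == 1:
                published = [cell for cell in line if cell not in suppressed]
                # sacrifice the smallest published cell in the line
                suppressed.add(min(published, key=lambda cell: counts[cell]))
                changed = True
    return suppressed


def publish(counts, suppressed):
    """The table as released: suppressed cells shown as 'D' (disclosure)."""
    return {cell: ("D" if cell in suppressed else n) for cell, n in counts.items()}


def merge_columns(counts, rows, cols, new_col, members):
    """Coarsen the buckets instead: collapse the columns in `members` into `new_col`."""
    kept = [c for c in cols if c not in members]
    merged = {}
    for r in rows:
        for c in kept:
            merged[(r, c)] = counts[(r, c)]
        merged[(r, new_col)] = sum(counts[(r, c)] for c in members)
    return merged, kept + [new_col]


if __name__ == "__main__":
    prim = primary_suppression(COUNTS, MIN_CELL)
    print("primary suppression:", prim, "still recoverable:", recoverable(prim, ROWS, COLS))
    full = complementary_suppression(COUNTS, prim, ROWS, COLS)
    print("after complementary suppression, cells hidden:", len(full), "of", len(COUNTS))
    merged, mcols = merge_columns(COUNTS, ROWS, COLS, "50k+", ["50k-200k", ">200k"])
    print("with coarser buckets", mcols, "suppressed:", primary_suppression(merged, MIN_CELL))
```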


Re: Fun with stolen credit-card numbers (Maziuk, RISKS-22.94)

<Dimitri Maziuk <dmaziuk@bmrb.wisc.edu>>
Fri, 10 Oct 2003 14:33:33 -0500

I received a few e-mail replies to my post and since I'm not subscribed to
the list I don't know how many replies went there.  Or how many bounced
because you didn't check my Reply-To address before sending (sorry, too much
spam).  I think I should clarify a couple of points.

The simplified transaction I described comes from personal experience. I worked
at a place that had an EFT server supplied by the bank (vendor approved by
the bank, actually). It talked to the bank via leased line and generally
worked like an ATM -- sans magnetic card reader.

I wrote the software that talked to the EFT server so I know exactly what
information my software supplied to it: card number and transaction amount.

Different banks/clearing houses may have different rules, but unless you
know exactly what the rules are in every particular case, there's no reason
to assume a particular vendor makes use of anything other than card number.
(Obviously, they need an address to ship the goods to, but that has nothing
to do with credit card payment.)

My other point was that none of the other information can be used as 100%
reliable fraud indicator. Even the signature: I could take my wife's credit
card, put my signature on the slip, and -- (in theory) our bank should
honour that transaction. Even though my signature doesn't match the one on
the back of the card, it's still valid for our joint account.

Ergo, if the vendor decides to do fraud detection they have to deal with
false positives. A vendor who makes a living from selling stuff has a
financial incentive to assume that the positive was, indeed, false.

The form you signed probably said (in a very small print) that it's your,
not someone else's, responsibility to check your statement for transactions
you didn't authorize. So the vendor doesn't have to bother with fraud
detection at all. (Aside: we ended up building a database of "known
offenders" and analysing the logs for usage patterns. And I spent more time
on the phone to fraud agencies than I ever wanted to.)

So the system is insecure by design. As for secure alternatives (and that's
what keeps coming up in RISKS): there are two ways to authenticate you
(credit card user, airplane passenger, computer user). It's either something
you know (PIN, password), or something you have (fingerprint, barcode
tattooed into your forearm, face on the photograph on your driver's
license).  For either way to work reliably, two conditions must be met:

1. The authentication token must be established beforehand using a trusted
channel.  (cf. e-mailing passwords unencrypted. (It's not clear if
encrypting them does that much good here, as there's no reason to believe
joe@aol.com account really belongs to John A. Doe of 123 Beltway,
Washington, DC, but still...))  (Do you want to have to travel to Amazon's
head office with your driver's license, birth certificate, and two reliable
witnesses to leave your thumbprint there before they let you buy anything?)
(Do you want your fingerprints to be instantly available to (potentially)
anyone who declares themselves "an on-line vendor"?)

2. The token must be transmitted via a trusted channel during the transaction.
(cf. Web sites that accept your credit card information via non-encrypted
HTTP connection.)  (With biometrics you have to also verify operation of the
scanner device and make sure the finger, eye, or what have you is actually
attached to a living body -- naturally attached, not surgically.)

Of course for a bad guy there isn't much difference between torturing you to
learn your PIN and chopping off your thumb to take it to a thumbprint reader.
If they want it bad enough, they'll figure out how to defeat the system.

Given a choice between having $1000 stolen and having my thumb chopped off,
I think maybe the existing system is not that bad after all.


Re: And I thought I had it bad... (RISKS-22.96)

<"Anthony W Youngman" <Anthony.Youngman@eca-international.com>>
Tue, 21 Oct 2003 10:30:32 +0100

Take a look at the guff about Demon's mail screwup ... (demon.co.uk,
demon.net).

They upgraded their mail systems to cope with the ever-increasing tide of
spam etc. Unfortunately, due to a config mistake, this made the problem
worse (I'm guessing their SMTP kick for dial-ups got screwed).

As a result, they ended up backing up and deleting all pending mail on their
servers, correcting the config blunder, and then feeding it all back in over
the next few days.

I very nearly got badly stuffed -- I e-mailed some personal work home on the
Monday to work on. As an exam assignment, it HAD to be delivered to Uni for
marking by the Friday. The e-mail arrived home Friday evening -- past the
deadline! Fortunately I didn't need it to be able to carry on working.


Re: The Joy of Good Design (Don Norman in NewsScan, RISKS-22.96)

<Debora Weber-Wulff <weberwu@fhtw-berlin.de>>
Sun, 19 Oct 2003 23:19:31 +0200

> Design guru Don Norman says the way a device looks, feels and gives
> pleasure is just as important as how it works, and that good design can
> make up for some -- though not all -- shortcomings. [...] Good emotional
> design must incorporate all three levels, and Norman cites Apple and Sony
> as two companies that have managed to do that well.
> <http://news.bbc.co.uk/1/hi/technology/3175506.stm>

Yes, but.  It doesn't cover all shortcomings. At least in Europe, Sony has
just as bad a "hotline service" as the rest of the lot. I'm planning on
purchasing a new laptop, and I just realized that my Sony Camera wouldn't
talk to my Sony laptop (and the service center couldn't help) and my Sony
PDA has flaky battery problems (and the service center couldn't help) that
seemed to be linked to the Sony Memory Stick (if I take it out, it is less
flaky). So I asked myself: do I really want another Sony? Of course, they
are beautiful. My answer: no. Since all of the service centers tested "D" or
"F" on a school grading scale (4 or 5 on the German scale), why pay more
just for design?

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, FB 4, Treskowallee 8, 10313 Berlin
Tel: +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/
