The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 22 Issue 98

Monday 27 October 2003

Contents

Internet fraud update
NewsScan
Casino barcode forgery
Steve Dunbar
Air Traffic Control vulnerable to fire!
Paul Cox
South Carolina DMV software glitch costs Sumter County $164,000
Frank Carey
New risk of leaving devices OFF
Walter Roberson
Mississippi liquor stores and restaurants risk going dry
Ben Moore
RFID friend and foe, with a note on biometric passports
Markus Kuhn
Amazon's new 'search inside the book' feature
NewsScan
Amazon's new text search service
Drew Dean
Google Stumbles?
Monty Solomon
Unwanted e-mail turns into a "chain of stupidity"
William Colburn
Re: Recent London power outage
Martin Ward
Re: First DEWEY DEFEATS TRUMAN, and now YANKEES LOSE!
Amos Shapir
Yet Another eBay-Spoofing Scam
David Graham
Self-inflicted phishing
Andrew Yeomans
SNAFU at the bank
Walter Regan
Re: Top 10 data disasters
Merlyn Kline
Info on RISKS (comp.risks)

Internet fraud update

<"NewsScan" <newsscan@newsscan.com>>
Fri, 24 Oct 2003 08:17:15 -0700

The Federal Trade Commission says that complaints of Internet-related
identity theft more than tripled last year, to 2,352 last year from the year
before.  Jay Foley of the Identity Theft Resource Center says, "Online fraud
is becoming as big an issue for eBay and AOL as security is for Microsoft."
Typically, eBay covers buyers or sellers for up to $200 (or $500 for some
listings) if an item is not delivered or is in bad condition, though there
is a $25 processing fee.  Posting safety tips for eBay transactions are
listed at at www.ebay.com/securitycenter.  [*USA Today*, 24 Oct 2003;
NewsScan Daily, 24 Oct 2003]
  http://www.usatoday.com/tech/news/2003-10-23-fraud_x.htm


Casino barcode forgery

<Steve Dunbar <stvdnb@yahoo.com>>
Sat, 18 Oct 2003 12:06:20 -0700

The Kalispel Indian Tribe's Northern Quest Casino near Spokane, Washington,
lost around $100,000 to forgers who printed copies of barcoded payout
tickets.

  http://www.registerguard.com/news/Wire/N1620WA--CasinoScam.html


Air Traffic Control vulnerable to fire!

<"Paul Cox" <pcox@eskimo.com>>
Mon, 27 Oct 2003 00:51:34 -0800

I work as an air traffic controller at Seattle Air Route Traffic Control
Center.  We were less busy than usual today, because nearly all of the
flights to/from southern California were severely delayed or canceled.

Not only did the fires in the SoCal area generate large volumes of smoke
(reducing visibility and slowing traffic in general) but the fires
threatened the physical structure of the main Southern California Terminal
Radar Control (SoCal TRACON) facility.

From the controllers' union regional vice president, Bob Marks...

  "SCT structurally received minimal damage, but the pine trees at the
  entrance caught fire and the Fire Department chopped them down so they
  wouldn't fall into the building.  The field next to the facility burned
  completely.

  The facility was full of smoke, and we estimate a minimum of two days
  before it reopens.  The FAA has been great, and honored our request for
  air sampling prior to having controllers come back."

The RISK here should be obvious; you've got a facility that is designed and
intended to be in operation 24X7, no matter what.  They have power backup
systems there that can run the TRACON for at least a week on the on-site
diesel fuel.

But if the air outside is too smoky from fires in the immediate vicinity,
and people cannot work inside the building (apparently it was so smoky
inside people were coughing up hunks of lungs... well, not quite, but really
bad) then the precautions don't do much good.

Additionally, the physical building itself was threatened with fire damage.

The controllers at the enroute facility (like I work at) in Los Angeles were
able to take over the airspace that SoCal TRACON works, but at
greatly-reduced traffic rates.  Again, from Bob Marks...

  "ZLA took over TRACON ops.  My deepest gratitude and thanks to the good
  members at my old facility for dealing with this emergency.  The news is
  not all good, however, as it appears there is pressure to try and run the
  system "nominally" when the busiest TRACON on the planet is ATC-Zero.  A
  center cannot safely run a significant percentage of approach traffic
  during a sustained period for several reasons:

  Technical: Finals, MVAs, and other map items are not displayed.  Mosaic
  requires 5-mile minimum separation.  Radar ID is more cumbersome, since
  usually the a/c is more than a mile from the departure end of the runway
  before tag-up.

  Training: Most center controllers don't do approach control work, or
  haven't for years.

  Proficiency: When was the last time you got a thorough briefing and
  training on ATC-Zero procedures?"

Basically, to maintain the minimum level of safety, controllers had to
drastically reduce the numbers of flights from what the TRACON would
ordinarily handle.

More RISKS... lack of training, lack of forethought in planning video maps,
keeping copies of routes and procedures handy, and some other technical
issues (facilities that had a need to talk to one another had to rely on
regular commercial telephones, or cellphones, because the FAA doesn't have
the proper 24X7 dedicated circuits between all of them).

In the end?  Kept the skies safe, as always, but the monster delays (several
flights that I personally knew of from Portland, Oregon, and from Seattle,
Washington, were delayed by 10+ hours) showed that lack of good contingency
planning- and drills on contingency plans- severely hampered the FAA's
ability to react to the problems.


South Carolina DMV software glitch costs Sumter County $164,000

<Frank Carey <Carey1938@aol.com>>
Sat, 25 Oct 2003 20:56:49 EDT

The South Carolina Department of Motor Vehicles says it has sent Sumter
County officials a list of nearly 1,000 automobile tax records that were
possibly left off the county's tax rolls because of problems with their
Project Phoenix software which had been installed last year.  In August of
this year Sumter County officials discovered they were missing a large
number of car tax records and that the missing records had cost the county
$164,000.  When first confronted with the situation in August, DMV officials
said they were unaware of any problems with the software.  After looking
into the Sumter County complaint, the state DMV officials recognized that
records might have been omitted but also that the software glitches caused
billing problems.  Other South Carolina counties have also reported the same
problems.  [*The Item*, Sumter, SC, front page, 24 Oct 2003]


New risk of leaving devices OFF

<Walter Roberson <roberson@ibd.nrc.ca>>
Wed, 22 Oct 2003 13:32:12 -0500 (CDT)

Cisco recently announced an unusual problem with leaving some of its devices
*off*. It seems that a particular lot of electrolytic capacitors in some of
its 2900XL and 3500XL switches undergo chemical degradation when the devices
are powered off for extended periods.  This can lead to Cyclic Redundancy
Check (CRC) and Frame Check Sequence (FCS) errors in the switches.
  http://www.cisco.com/warp/public/770/fn26174.shtml

[Somehow I never expected quite this form of "bit rot"!]


Mississippi liquor stores and restaurants risk going dry

<Ben Moore <ben.moore@juno.com>>
Mon, 27 Oct 2003 01:39:35 GMT

Mississippi's Alcohol Beverage Control division shut down the warehouse last
week for an indefinite amount of time to fix computer problems, with an
estimated outage of at least one week.  (Most establishments do not keep
more than a week's backlog.)    [Source: AP item, PGN-ed]
  http://www.godesoto.com/modules.php
  ?op=modload&name=News&file=article&sid=2313&mode=thread&order=0&thold=0


RFID friend and foe, with a note on biometric passports

<Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>>
Sun, 26 Oct 2003 22:28:47 +0000

One is tempted to think of the planned RFID tagging of all US DoD supplies
as a major step forward. This will finally enable the design of a new and
far safer generation of mines that detonate only near people carrying DoD
equipment.

  Defense Department drafts RFID policy

  Matthew Broersma, CNET News.com

  The U.S. Department of Defense will give radio frequency identification
  technology a massive boost with a new policy requiring its suppliers to
  use RFID chips. [...]

  RFID chips, or tags, contain identification information that can be
  wirelessly passed on to a reader, allowing, for example, the contents of
  a shipping container to be identified without opening it. This promises
  huge improvements in supply-chain efficiency, but also raises the
  prospect of remote tracking of consumers via RFID chips embedded in
  their clothes or the cards in their wallets.

  The Defense Department's policy requires that by January 2005 all
  suppliers embed passive RFID chips in each individual product if
  possible, or otherwise at the level of cases or pallets. [...]
  http://news.com.com/2100-1008-5097050.html

But progress will not stop there. With the "US PATRIOT Act" requiring
contactless ID chips to be embedded in passports from October 2004, mines
and booby-traps will soon also be able to read out remotely the victim's
name, age, height, sex and nationality right before triggering, providing an
unprecedented reduction in the RISK of killing the wrong person in your next
local invasion, terror, anti-terror, or genocide campaign.

A related and more serious note on passport security:

The ICAO radio transmitters about to be added to new passports from later
next year on will enable every country on the planet to query the chip's
data at a few meters distance (with suitably constructed
antennas). Representatives of two German government agencies (BSI, BKA)
expressed serious concerns about the security and privacy implications of
this in the relevant standards committee. They suggested to use the data on
the existing optical character recognition (OCR) stripes in each passport as
a code for enabling access to the chip. This way, the passport could only be
read by anyone who had already seen its written content before. The idea
would be perfectly practical, as the RFID readers at border stations would
normally be integrated in the optical readers needed for existing
machine-readable travel documents. US representatives, however, have already
rejected this quite elegant suggestion in the relevant standards committee.

I suggested at an ISO/ICAO meeting last July in London to add a small metal
shield to the front cover page of the passport, such that the RFID coil
antenna in the back cover page can work effectively only while the passport
booklet is open. Again, this idea was quickly rejected by some of those
driving the project as a privacy concern and therefore "of little interest
here". But as it is not dependent on any provisions in the chip's
internationally standardized protocol, it can still be hoped that
responsible passport issuers will implement something along these lines
anyway.
  http://www.icao.int/mrtd/

Markus Kuhn, Computer Laboratory, University of Cambridge
http://www.cl.cam.ac.uk/~mgk25/ || CB3 0FD, Great Britain


Amazon's new 'search inside the book' feature

<"NewsScan" <newsscan@newsscan.com>>
Fri, 24 Oct 2003 08:17:15 -0700

Amazon.com has announced a new feature called "Search Inside the Book" that
is making the text of 120,000 books (more than 33 million pages) fully
searchable at no charge. The feature makes it possible to scan a database
for the word or phrase entered by a visitor to Amazon's site for each
relevant portion of a searchable book. The pages that are found can be read
onscreen and printed but not copied or downloaded. University of Washington
computer scientist Oren Etzioni says: "It's an impressive feat -- a bold
concept, coupled with nice execution and clear business thinking. This
really shows Amazon is a technology company, not innovating just with things
like free shipping but putting something out there that's brand
new."  [Seattle Post-Intelligencer 24 Oct 2003; NewsScan Daily, 24 Oct 2003]
  http://www.siliconvalley.com/mld/mercurynews/business/7092377.htm


Amazon's new text search service

<Drew Dean <ddean@csl.sri.com>>
Fri, 24 Oct 2003 16:12:01 -0700 (PDT)

Amazon recently announced a new full text search service of 120,000 books:
  http://www.siliconvalley.com/mld/mercurynews/business/7092377.htm
I decided to try a random search.  As "To be or not to be" is a really bad
search string (it consists entirely of stop words, that is, words to be
ignored by text indexers), I decided on "Call me Ishmael."  [For RISKS'
international audience, this is the opening line of Herman Melville's Moby
Dick, quite possibly the most famous opening line in all of American
literature.]

The results are interesting: 2704 books are found, the 1st is "Call me
Ishmael," the 2nd is "Call Me Ishmael Tonight: A Book of Ghazals," the 3rd
is "The First Five Pages: A Writer's Guide to Staying Out of the Rejection
Pile," and the 4th is "Programming Windows with C# (Core Reference)" !!

The highest rated match that directly relates to Moby Dick is the
Cliffs Notes at #15.  Moby Dick itself isn't in the top 20.  <sigh>

Drew Dean, Computer Science Laboratory, SRI International


Google Stumbles?

<Monty Solomon <monty@roscom.com>>
Sun, 19 Oct 2003 01:00:43 -0400

Is Google starting to show signs of strain against spammers and Web
scammers?

  Chatters at the geek news site Slashdot observed this week that using the
  search engine to track down certain oddball series of words, such as
  "speaker bracelet" or "candle truck," turned up strangely low results.
  Instead of finding only the expected handful of sites, Google reported
  that none could be found.  Cambridge, Mass., computer programmer Seth
  Finkelstein, an expert on Internet filters, thinks he's figured out the
  reason.  "The Google search results are crashing, presumably as a result
  of a bug in the spam-filtering measures."  (See www.sethf.com)

The explanation involves dummy Web sites with long lists of words that
are intended to provide matches and then link to Web scammer sites.
[Source: Mike Musgrove, Google Stumbles? Web Watch, 12 Oct 2003, F07; PGN-ed]
  http://www.washingtonpost.com/wp-dyn/articles/A11461-2003Oct11.html


Unwanted e-mail turns into a "chain of stupidity"

<"Schlake (William Colburn)" <schlake@nmt.edu>>
Mon, 20 Oct 2003 13:50:39 -0600

Several years ago I wrote a print accounting filter for LPRng.  In case of a
problem it sent e-mail to a list of people here at work.  Another department
on campus wanted it, so I sent the filter to them.  I later remembered (when
I started getting e-mail) that there was a hard coded address in it.
Attempts to get them to remove or change it proved fruitless, so I just made
a procmailrc script to mail the error back to them.  Today, after a good two
years of my sending the e-mail back to them, that department apparently got
fed up, and set up a procmail script of their own which mails me back a
thank you for each of these messages I forward to them.  I added their thank
you to my spam filter, and I'm blocking them now.

The risk here is a chain of stupidity.  I gave out some software that meant
for in house use.  They are using it but are unable or unwilling to change
an e-mail address in it.  I use procmail to push the problem back to them.
They use procmail to push the problem back to me.  I use a Sendmail milter
to block their e-mail.  Another escalation like this and I'll be hoarding my
precious bodily fluids and calling for Wing Attack Plan R.


Re: Recent London power outage (Amey, RISKS-22.97)

<Martin Ward <Martin.Ward@durham.ac.uk>>
Fri, 24 Oct 2003 09:47:59 +0100

It is irrelevant *when* the transformer was switched out.  Transformers are
expected to be switched out occasionally (for either routine maintenance, or
emergency maintenance).  The circuits are designed to take the extra load
when one or two transformers are switched out. In this case, one circuit
experienced an extra load which was still well within its design capacity,
but a relay with the wrong rating (1,020 amps instead of 5,100 amps) had
been installed on the circuit which tripped while the cable was well within
its operating capacity of 4,450 amps.

The point is that the accident was waiting to happen from the time the relay
was fitted: "basic preventive maintenance" of fixing the leak as soon as it
was found would have necessitated switching out the transformer and would
also have triggered the power outage.

Martin.Ward@durham.ac.uk http://www.cse.dmu.ac.uk/~mward/


Re: First DEWEY DEFEATS TRUMAN, and now YANKEES LOSE!

<amos083@walla.co.il>
Sat, 25 Oct 2003 12:35:40 +0200

A similar error, but much more embarrassing (*) had happened on Ynet,
Israel's largest news site (www.ynet.co.il): on the day the Columbia shuttle
was lost, at 16:09 local time (09:09 EST) -- the time it was due to land --
an item was released bearing the title COLUMBIA LANDED SAFELY, with some
details of what Israel's first astronaut Ilan Ramon was supposed to be doing
oafter landing.  The item was removed after a few minutes, but apparently not
soon enough to be copied and spread around the net for infamy.

  * For those of us who consider matters of life and death more important
    than baseball...


Yet Another eBay-Spoofing Scam

<David Graham <davidg1@cox.net>>
Sun, 19 Oct 2003 13:20:39 -0400

I received an unsolicited e-mail yesterday (one of the hundred or so
unsolicited e-mails a day that I am up to now), with this link:

http://scgi.ebay.com%69%6E%64%65%78%75%70%64%61%74%65%79%6F%75%72%69%6E%66%6F%72%6D%61%74%69%6F%6E%73%65%63%75%72%65@%32%31%31%2E%31%34%32%2E%32%32%36%2E%31%36%37:%34%39%38%37/%69%6E%64%65%78%2E%68%74%6D

followed by several lines of semi-nonsense.  The link resolves to
211.142.226.167:34/index.htm

The e-mail included a GIF which, if loaded inline, would display what looks
like a completely legitimate account verification message from eBay,
together with a faked link to a (legitimate looking) eBay URL.  The real URL
above would not be disabled, however; only covered up.  I did not try this,
but I *think* that clicking the faked link would actually load the real one
hidden underneath.

  [The attached GIF was deleted.  Vastly too long for RISKS.  PGN]

I tried to notify eBay but eventually gave that up as too much trouble.

(1) Simply forwarding suspect e-mail to abuse@ebay.com no longer works;
all I got was a bounce directing me to a notification URL.

(2)  As always, I had to login to eBay insecurely, just to try to tell
them about this new scam.

(3) The notification page, once I got to it, would only accept text.  No
way to send eBay the "faked text" GIF which made this scam noteworthy
(and potentially very effective).

Risks:
1.  Letting your browser autoload anything other than plain text.
2.  Trusting eBay not to be clueless about security.

  [Furthermore, this was the first legitimate message to RISKS among
  the week's more than 7000 spams.  It was the "notsp" that enabled me
  to spot it.  TNX!  PGN]


Self-inflicted phishing

<"Andrew Yeomans" <andrew_yeomans@yahoo.com>>
Mon, 27 Oct 2003 22:21:07 -0000

In September I received a newsletter from BT Openworld, which very kindly
warned me about "e-mails titled 'From your ISP'. You're asked to download
'new' dial-up software* - this may result in high connection charges". Later
on they helpfully offer "if you're worried that you've installed a 'fake'
dialer, simply download BT Openworld's ICM dialer to replace it. To do this,
click here...".

But the URL provided is
  http://www.digitaldataanalysis.com/btopenworld/r.emt?h=www.btopenworld.com/
  business/help/sections/0,,1_23_2_0,.html&t=IEiFHQ&e=QJmXtQtyJPQ
The headers of the message also indicate it was sent from
"BT Openworld Business Team" <btopenworld@digitaldataanalysis.com>

I tried asking BT Openworld whether
a) This was a "phishing" scam, or
b) They were incapable of running URL click tracking themselves.
Unfortunately their help desk was unable to give me a definitive answer, as
e-mail bounced ("mailbox full") when I tried to forward the original e-mail.

Not to be outdone, Smile on-line bank in their October newsletter say "To
find out more about the recent e-mail scam affecting various UK banks, visit
http://www.smile.co.uk". But the URL at the end is actually
  http://www.foretelsystems.com/eventmonitor/monitor.aspx
  ?cn=76&id=6936&ev=12&rd=http://www.smile.co.uk
This had Return-Path: <bounce@foretelsystems.com>

At least their help desk could assure me "The e-mail that you attached is a
genuine e-mail, and has not been spoofed.  Fortel systems handle the smile
marketing e-mails."

So how can I tell whether future e-mails are genuine?

A case of "Give a man a phish; you might catch account details today.
Teach a man to phish; and you have been caught for a lifetime".

Andrew Yeomans, 65 Grove Road, Tring, Herts, HP23 5PB, UK
andrew_yeomans@yahoo.com


SNAFU at the bank

<"Walter Regan" <regan@comnet.ca>>
Thu, 23 Oct 2003 21:51:50 -0400

On my way to work this (Thursday) morning, I heard a news item on the radio
concerning a drive-thru ATM machine at a bank. It was reported that, over
the last weekend, at least one customer had had his bank account drained by
someone who had installed a 'skimmer' over top of the card reader to copy
customers' ATM cards and a pinhole camera to capture customers'
P.I.N. numbers.

I found this story of particular interest because my wife had used that very
ATM machine on Sunday morning. So I decided to call the bank to see if my
wife's ATM card had been compromised. I dialed the number for what is
laughably called 'customer service'. An automated voice read a menu to me
detailing what information I could obtain by selecting one, two and three
and then went on to say that, if I really wanted to talk to a customer
service representative, I should select zero. I selected zero and, after a
short pause, I got a busy signal.

I decided to try again. This time I thought I might be able to pre-empt the
menu by selecting zero before it was finished. No such luck. As soon as I
selected zero, an automated voice, (which sounded very disappointed with
me), told me that I had made an invalid selection and the menu spiel
restarted from the beginning. So I waited until it had finished, selected
zero and got a busy signal again.

As it appeared that it would involve a long and frustrating ordeal to
contact the bank in question, I instead phoned the main branch of the same
bank. Surprisingly, a very obliging human being answered and, after I had
explained the problem, gave me the unlisted phone number of the manager at
the bank in question. I phoned this number, which got me to an answering
machine. I left my phone number and a brief description of the problem.

Hours later, I received a phone call from someone (not the manager) at the
bank in question. She said that my account did not seem to have been
tampered with. I asked if they could tell from the surveillance cameras when
the skimmer had been removed. She told me that the surveillance cameras
transmit the pictures directly to a central location in another city so that
they had no way to tell how long the skimmer had been installed. She said
that, for my own peace of mind, I could replace the ATM card or change the
P.I.N. number.

Several RISKS present themselves here - the vulnerability of the ATM
machines to the skimmer , the poorly designed automated answering system,
the bureaucracy that centralizes the capture of data but apparently cannot
analyze it in a timely fashion, the lackadaisical attitude.


Re: Top 10 data disasters (RISKS-22.96)

<"Merlyn Kline" <merlyn@zyweb.com>>
Mon, 20 Oct 2003 10:24:42 +0100

> This could be a result of the rush to complete work and leave early for
> the weekend on Friday afternoons, as well as a lack of staff concentration
> on Monday mornings,"

Or perhaps it could be a result of the fact that many of these cases are
precisely *not* those where human error is to blame -- computer failure
often occurs in machines running 24x7 so, given a reasonably even
distribution, around 35% of such failures will occur at the weekend and not
be discovered until Monday morning when the users arrive to discover their
data loss and ask for assistance with recovery. This will obviously give
rise to a peak in recovery activity on Mondays. Recovery "experts" should be
very familiar with this.

[...] Recovery "experts" should not be amazed by the fact that a physically
damaged computer often does not contain a completely destroyed hard drive.

RISKS readers should not be amazed to see yet another marketing
press-release reproduced as "news", even on the BBC site.  For the same to
make it into RISKS is another thing altogether...

Please report problems with the web pages to the maintainer