The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 70

Weds 9 February 2005

Contents

Off-by-one error: Evacuate the entire state!
Howard M Israel
Food via inkjet printer
Joyce Scrivner
An example of vulnerable OS creating havoc in new/unexpected locations
Karl Klashinsky
What's Bugging the High-Tech Car?
Tim Moran via Howard M Israel
Zuerich Main Railway Station Outage
Peter B. Ladkin
Supermarket: Let your fingers do the paying
Monty Solomon
How GPS Is Killing Lighthouses
sakshale
J.K. Rowling denounces Internet fraudsters
NewsScan
Most Dangerous Types Of Spyware Increasing, States SpyAudit Survey
Monty Solomon
Spammers try a new tack
NewsScan
Goofy account identification
Geoff Kuenning
The Land Registry
Ben Laurie
Weak on the concept
Elias Levy via PGN
U of Calgary adding spam and spyware
Rob Slade
Re: 'Thief-proof' car key cracked. What, already?
Steve Wildstrom
Re: It's a feature, not a bug!
Kees Huyser
Re: 'Hot' URLs in e-mail
William L Anderson
Balancing security and our lives
Jeremy Epstein
REVIEW: "Managing Security with Snort and IDS Tools", Cox/Gerg
Rob Slade
COMPSAC 2005: Extended deadline for paper submission
Yuen Tak YU
Info on RISKS (comp.risks)

Off-by-one error: Evacuate the entire state!

<Howard M Israel <hisrael@avaya.com>>
Wed, 2 Feb 2005 11:33:13 -0500

Connecticut state emergency management officials said a worker entered the
wrong code during the weekly test of the emergency alert system, leading
television viewers and radio listeners to believe that the state was being
evacuated: "Civil authorities have issued an immediate evacuation order for
all of Connecticut, beginning at 2:10 p.m. and ending at 3:10 p.m."  The
code that was mistakenly entered appeared on a monitor one line above the
intended code for the test.  As soon as the error was detected, faxes went
out to every police department in the state.

Source: Emergency broadcast test mistakenly calls for evacuation, AP item
[PGN-ed], The Hartford Courant, 1 Feb 2005, http://www.ctnow.com/
http://www.nynewsday.com/news/local/wire/ny-bc-ct---evacuationerror0201feb01,0,6738941.story


Food via inkjet printer

<Joyce Scrivner <kscriv@earthlink.net>>
Fri, 04 Feb 2005 11:24:48 -0600

Moto, a Chicago restaurant, serves "sushi" with maki-like images printed
with a Canon i560 inkjet printer using organic food-based inks jetted onto
edible "paper" made from soybeans and cornstarch and flavored with powdered
soy and seaweed seasonings.  Even the menu is edible.

http://www.nytimes.com/2005/02/03/technology/circuits/03chef.html?ei=5088&en=86bc342e2ce05d47&ex=1265086800&partner=rssnyt&pagewanted=print&position=

 [This article has been severely PGN-ed.  Actually, squid ink might be an
  interesting choice, unless it would clog the jets.  Joyce wondered whether
  a diner could be poisoned by the inkjet food.  But perhaps the menu is
  also printed from the same printers, using the same inks, and not used for
  other porpoises?  You might ask, what do they do for cuttlery?  (That's a
  pun, not a mispeling; a cuttlefish has 10 arms, and is related to the
  squid.  A live one might make an interesting array of chopsticks.)  And,
  if you knew Sushi like I know Sushi, you might want to Moto-r on over.  Or
  maybe not.  It might be overpriced, but not overriced.  And the chef will
  maki-a-velli nice presentation.  PGN]


An example of vulnerable OS creating havoc in new/unexpected locations

<Karl Klashinsky <klash@cisco.com>>
Wed, 26 Jan 2005 16:02:43 -0800

The topic of software flaws in the embedded systems within modern
automobiles has been discussed in RISKS several times.  But here's a new
twist (to me, at least), a case where the on-vehicle software is corrupted
by a virus, inserted into the automobile's computing systems, via a
Bluetooth-enabled cell-phone:

URL CHANGED FROM
http://www.infosecnews.com/news/index.cfm?fuseaction=newsDetails&newsUID=bc5789cf-e448-4a6e-bee9-a5dd291405ed&newsType=News
TO (CORRECTED):
http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=bc5789cf-e448-4a6e-bee9-a5dd291405ed&newsType=Latest%20News

[ Same article in shorter URL: http://tinyurl.com/5p3jh ]

There's the obvious risk here... a vehicle can be infected by the cell-phone
in the vehicle next to you while stopped in traffic or sitting in a parking
lot.  As this vulnerability becomes known in the cracker community, how long
before someone tailors a virus specific to a vehicular target -- perhaps
creating runaway-vehicle scenarios similar to the "faulty cruise control"
incidents reported here in RISKS?


What's Bugging the High-Tech Car? (Tim Moran)

<Howard M Israel <hisrael@avaya.com>>
Mon, 7 Feb 2005 09:29:29 -0500

Tim Moran, What's Bugging the High-Tech Car? *The New York Times*, 6 Feb 2005
http://www.nytimes.com/2005/02/06/automobiles/06AUTO.html?oref=login

On a hot summer trip to Cape Cod, the Mills family minivan did a peculiar
thing. After an hour on the road, it began to bake the children. Mom and Dad
were cool and comfortable up front, but heat was blasting into the rear of
the van and it could not be turned off.  Fortunately for the Mills children,
their father - W. Nathaniel Mills III, an expert on computer networking at
I.B.M. - is persistent. When three dealership visits, days of waiting and
the cumbersome replacement of mechanical parts failed to fix the problem, he
took the van out and drove it until the oven fired up again. Then he rushed
to the mechanic to look for a software error.

"It took two minutes for them to hook up their diagnostic tool and find
the fault," said Mr. Mills, senior technical staff member at I.B.M.'s T.
J. Watson Research Center in Hawthorne, N.Y. "I can almost see the
software code; a sensor was bad."


Zuerich Main Railway Station Outage

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Tue, 08 Feb 2005 11:49:54 +0100

On Monday, 7th February the central computer at the rail control center for
Zuerich main station in Switzerland failed.  The outage was noticed at
08:40, and had deleterious consequences for further control centers which
were dependent on the Zuerich center.  It was partially back on-line at
13:40. No cause has yet been announced.

Zuerich is the largest city in Switzerland, and the train lines converging
on the main railway station are fairly complicated. Chaos was reported. The
Associated Press reported that trains between Zuerich and Pfaeffikon, a
commuter line on the left bank of Lake Zuerich, were all canceled for nearly
four hours. Buses were used to ameliorate the situation, for example for
trains in the direction of Chur. The Swiss television SF-DRS was reporting
on its WWW site that many commuters were delayed by two and a half
hours. Also that the trip between Lachen SZ and Zuerich, normally 45
minutes, took four hours.

The Swiss railway is renowned for its punctuality. They are amongst the
foremost, maybe the foremost, in the world in research into railway
scheduling and its implementation in the RAIL 2000 program.  I heard a talk
at the FORMS/FORMAT 2004 conference from Oskar Stalder about experiments in
continual punctuality information transfer to drivers, which enabled the
equipped trains to maintain a schedule on certain main lines to within a
ten-twenty-second margin of error - almost unthinkable. This incident will
worsen the stats for 2005 just a little.

The information about the outage came from
http://www.sfdrs.ch/system/frames/news/sda-news/index.php?/content/news/sda-news/meldung.php?docid=20050207d395595158238553833

Peter B. Ladkin, University of Bielefeld, Germany  www.rvs.uni-bielefeld.de


Supermarket: Let your fingers do the paying

<Monty Solomon <monty@roscom.com>>
Wed, 2 Feb 2005 02:04:53 -0500

Excerpted from an article by Jo Best, news.com, 1 Feb 2005

A supermarket has given its customers the choice of paying by fingerprint at
a store in the state of Washington--and has found them surprisingly willing
to use the biometric system.  U.S. chain Thriftway introduced the system,
which uses technology from Pay By Touch, in its store in the Seattle area in
2002. It said it now sees thousands of transactions a month using the
payment method.  Once people have enrolled in the Pay By Touch system, they
have their fingerprint scanned as verification of identity at the
checkout. They then choose which credit card they want to pay the bill with,
having already registered the credit cards with the store.

Thriftway President Paul Kapioski said rather than shying away from
the technology because of concerns about protecting their privacy,
customer demand ensured that the biometric payment system made it
past the pilot stage.  ...

http://news.com.com/2100-1029-5559074.html


How GPS Is Killing Lighthouses

<sakshale@equoria.net>
Tue, 8 Feb 2005 18:08:43 -0500

Spiegel Online has an article about the impact of GPS systems on
Lighthouses.  They claim that the popularity of the satellite-based global
positioning system has led to the closure of lighthouses along the German
coast. Critics question whether the new system is reliable and safe enough
to warrant the closure of these historical beacons of safety.

http://service.spiegel.de/cache/international/0,1518,340729,00.html


J.K. Rowling denounces Internet fraudsters

<"NewsScan" <newsscan@newsscan.com>>
Wed, 02 Feb 2005 12:09:39 -0700

J.K. Rowling, author of the mega-popular Harry Potter series, is warning
fans to beware of Internet "phishing" scams claiming to sell electronic
copies of her latest book, "Harry Potter and the Half-Blood Prince." "The
only genuine copies of Harry Potter remain the authorized traditional book
or audio tapes/CDs distributed through my publishers," says Rowling, and her
copyright lawyer, Neil Blair, notes that Rowling has never granted licenses
for electronic versions of her books. "Please, please protect yourselves,
your computers and your credit cards and do not fall for these scams," says
Rowling. Police say they suspect organized crime gangs in Eastern Europe are
behind the fraudulent e-mail offers.  [Reuters/*The Washington Post*,
2 Feb 2005; NewsScan Daily, 2 Feb 2005]
  http://www.washingtonpost.com/wp-dyn/articles/A56379-2005Feb2.html


Most Dangerous Types Of Spyware Increasing, States SpyAudit Survey

<Monty Solomon <monty@roscom.com>>
Wed, 2 Feb 2005 09:35:22 -0500

The most malicious forms of spyware, system monitors and Trojans, increased
in the last three months of 2004, according to the quarterly SpyAudit
report, the nation's next-generation Internet Service Provider, and Webroot
Software, a producer of award-winning privacy, protection and performance
software. The report also documents the complete SpyAudit results for 2004,
which tracked the growth of spyware on consumer PCs since the report's
inception on January 1, 2004.  It shows the instances of system monitors
rose 230 percent, while the instances of Trojans rose 114 percent from
October 2004 to December 2004. Trojans, keystroke loggers and system
monitors are capable of capturing keystrokes, online screenshots, and
personally identifiable information like your social security number, bank
account numbers, logins and passwords, or credit card numbers.

The number of SpyAudit scans performed during the fourth quarter also rose
with an increase of 72 percent from October 2004 through December 2004. In
total for 2004, more than 4.6 million scans were performed, discovering
approximately 116.5 million instances of spyware, adware or potentially
unwanted software. An average of 25 traces were found per SpyAudit scan for
2004. The complete report is available at
http://www.earthlink.net/spyaudit/press .  ...

PR Newswire, 2 Feb 2005
  http://finance.lycos.com/home/news/story.asp?story=46604321


Spammers try a new tack

<"NewsScan" <newsscan@newsscan.com>>
Fri, 04 Feb 2005 10:02:08 -0700

Tired of being blocked by "blacklists," spammers are turning to a new
technique -- routing it directly through the computers of their Internet
service providers, rather than sending it from individual machines. The
result poses a dilemma: to block spam coming directly from an ISP's servers
would mean blocking all its mail, crippling the system. "From what we've
seen, the volumes of this type of spam are going up dramatically," says
Steve Linford, who heads up the Spamhaus Project. "We're really looking at a
bleak thing" if ISPs don't quickly deploy countermeasures, he adds. Such
measures could include more aggressive monitoring and limiting how much mail
is being sent from individual machines on their networks. In addition, ISPs
should beef up efforts to authenticate mail they pass on through their own
computers, says Linford. A study released yesterday estimates that deleting
spam costs nearly $22 billion per year in lost productivity, based on a
survey of 1,000 adults who said they spend about three minutes per day
trashing spam when they check their e-mail. (*The Washington Post*, 4 Feb
2005; NewsScan Daily, 4 Feb 2005)
  http://www.washingtonpost.com/wp-dyn/articles/A61901-2005Feb3.html


Goofy account identification

<Geoff Kuenning <geoff@cs.hmc.edu>>
01 Feb 2005 23:30:25 +0100

To make a fairly long detective story very short, I have discovered that
amazon.com uses not only your e-mail address, but also your password, to
uniquely identify your account.  It is perfectly possible to have two
completely different accounts under the same e-mail address, distinguished
only by the password.

Huh?

My guess is that Amazon does this to make it possible for people who share a
single e-mail account to have different accounts at Amazon.  But it's not
documented anywhere, and can lead to great confusion for those who forget
that they have an account, create a new one, and later use the original
one's password.

And I wonder what happens when you click on the "Forgot your password?"
link.  Do they reset the passwords on all accounts?  When I have a bit more
time, I might set up some accounts on a dummy e-mail address to answer the
latter question.  -- Geoff Kuenning geoff@cs.hmc.edu
http://www.cs.hmc.edu/~geoff/


The Land Registry

<Ben Laurie <ben@algroup.co.uk>>
Tue, 01 Feb 2005 22:33:56 +0000

The UK Government has decided to make the Land Registry available online.
For those who don't know, this says who owns a property, what the property
is (i.e., the boundary), who has charges on the property, similarly whether
covenants apply, and so forth.

I suppose this risk isn't new, since this information was available offline,
but ... one of the people with a charge on your house is your mortgage
lender.  This is clearly stated in the Land Registry document.  What an
excellent resource for phishing and other fraud - both via e-mail and more
personal contact.

The relevant Land Registry data is available to all comers for 2 pounds. No
restrictions. And now, much easier to get.

http://www.apache-ssl.org/ben.html http://www.thebunker.net/


Weak on the concept

<"Peter G. Neumann" <neumann@csl.sri.com>>
Tue, 1 Feb 2005 17:15:39 PST

Elias Levy (Symantec) noted a cute illustration of the weakest link in a
would-be security system:
  http://www.syslog.com/~jwilson/pics-i-like/kurios119.jpg


U of Calgary adding spam and spyware

<Rob Slade <rslade@sprint.ca>>
Sun, 6 Feb 2005 16:53:48 -0800

The University of Calgary is back at it again.

http://www.cbc.ca/story/canada/national/2005/02/05/email-course050205.html
http://pages.cpsc.ucalgary.ca/~aycock/
aycock@cpsc.ucalgary.ca, barker@cpsc.ucalgary.ca

(Interesting that his homepage is entitled "Unfettered by Content."  He
certainly seems to be unfettered by logic.)

This time they are adding spam and spyware to the curriculum.

I can vaguely see a dim advantage to having students write viruses in order
to understand them (rather inefficiently, in terms of time spent), but
getting them to write a spamming program in order to understand how to fight
spam seems even less effective.

As previously noted, John Aycock doesn't seem to have any credentials in
security or malware (no papers published prior to the virus course, nobody
in the field seems to know him), so why he, and the university, chose to do
this, other than pure self-promotion, is completely beyond me.

I am somewhat relieved by the fact that the paper submitted to EICAR shows
that a modicum of thought was given to the security of the laboratory.  The
irrelevance of the measures undertaken is no great surprise.  The
bibliography is interesting: Ludwig's second edition is there, along with
Mitnick's "19 chapters of gotcha," but on the AV side Cohen's 1994 edition
stands alone with Skoudis' rather pathetic work.  I would have thought that
anyone with even a pretence of academic intentions would have consulted
Ferbrache, and possibly Nazario's pompous but flawed attempt at worm
analysis.  Given Aycock's involvement in a rather banal crypto lab, I'm a
bit surprised that he hasn't tried to create Young and Yung's proposed
crypto-nasties.

rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Re: 'Thief-proof' car key cracked. What, already? (RISKS 23:69)

<"Steve Wildstrom" <steve_wildstrom@businessweek.com>>
Mon, 7 Feb 2005 11:05:27 -0500

I'm late reading and others have probably pointed this out, but Chris Leeson
misstates the purpose of the RFID chip in car keys. These are "immobilizer"
systems, designed to keep the car from starting, even with a physical key
present, unless the RFID tag responds correctly to a crypto challenge.

The full paper, by Steve Bono, Matthew Green, Adam Stubblefield, and Avi
Rubin of Johns Hopkins and Ari Juels and Michael Szydlo of RSA, is
available at http://rfid-analysis.org/ .

Steve Wildstrom, BusinessWeek 1200 G St NW Suite 1100, Washington, DC 20005
www.businessweek.com/technology/

  [Also noted by Alexandre Peshansky.  PGN]


Re: It's a feature, not a bug! (Weber-Wulff, RISKS-23.69)

<Kees Huyser <kees@huyser.net>>
Wed, 2 Feb 2005 01:28:18 +0100

> a non-printable PDF file

ehhh... non-printable? Hit "print screen"... If you want it to look nicer,
OCR the screendump.  Even the press should be able to figure this one
out. Obviously the Govt. agency responsible for the mess hasn't, which could
explain why it is such a mess...

  [Dag-Erling Smørgrav says use GNU Ghostscript.  PGN]


Re: 'Hot' URLs in e-mail (Ashworth, RISKS-23.69)

<William L Anderson <band@acm.org>>
Wed, 02 Feb 2005 11:16:56 -0500

There's a small fact error in this piece:

  Mozilla Thunderbird is an e-mail client.
  Mozilla Firebird (and Camino (for the Mac)) are the browsers.


Balancing security and our lives

<Jeremy Epstein <jeremy.epstein@cox.net>>
Wed, 2 Feb 2005 11:23:32 -0500

In RISKS-23.68 I wrote about security problems with changing my address
online through Bank of New York, and in 23.69 Robert Ellis Smith
(justifiably) criticized my original action, saying "We gotta resist this,
so that organizations are sensitized to the risks of using SSNs."

After feeling suitably red-faced about my error, I pondered his point.  How
much can and should we, as the cognoscenti, do in our everyday lives to
fight silly security?  I know full well that most of the airport security is
useless (Schneier and others have done a great job pointing this out), but I
don't have the luxury of fighting it every time I make a trip.  While I
might object to showing an ID, unlike John Perry Barlow, I need to earn a
living.  I don't have the financial or time option of fighting a court
case because I think the rule is wrong.  I don't even have the time to
argue with the underpaid TSA person about the rules, which say you don't
have to take off your shoes (but woe be unto you if you refuse).

This was recently driven home to me as I helped my daughter with college
applications, which routinely ask for SSNs.  We compromised that when the
form is asking about financial information, we'd provide the SSN, since
they're asking for copies of tax returns which have the SSN anyway, but we
wouldn't put the SSN on the general application for admission.  Is this the
right tradeoff?  If she weren't asking for financial aid, I'd probably
refuse to provide the SSN at all.

What are some *practical* measures that we can and should be doing as
computer security professionals to help further understanding?  I agree with
Robert Ellis Smith that I shouldn't provide the information I did to
change an address, but I need to get the procedure done, and not spend a
week arguing that they shouldn't need my SSN to do a change of address.

I suggest that we'd be more effective if we all tried to do *something*,
rather than despairing about our inability to accomplish all the changes
we'd like to see.  Smith's web page has a good list
(http://www.privacyjournal.net/bio.htm); how many of us have the time &
energy to do more than a handful of them?  He hits the nail on the head when
he says ``Choose your battles. Not every collection of personal
information or every intrusion is worth expending your energy. Decide which
information is most sensitive to you and which moments in your life are most
important to protect.''

Where can and should working security professionals draw the line?


REVIEW: "Managing Security with Snort and IDS Tools", Cox/Gerg

<Rob Slade <rslade@sprint.ca>>
Wed, 9 Feb 2005 08:20:13 -0800

BKMSWSIT.RVW   20041106

"Managing Security with Snort and IDS Tools", Kerry Cox/Christopher
Gerg, 2004, 0-596-00661-6, U$39.95/C$57.95
%A   Kerry Cox
%A   Christopher Gerg
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2004
%G   0-596-00661-6
%I   O'Reilly & Associates, Inc.
%O   U$39.95/C$57.95 800-998-9938 fax: 707-829-0104 nuts@ora.com
%O   http://www.amazon.com/exec/obidos/ASIN/0596006616/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/0596006616/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596006616/robsladesin03-20
%O   tl a rl 2 tc 3 ta 3 tv 2 wq 2
%P   269 p.
%T   "Managing Security with Snort and IDS Tools"

Chapter one explains what Snort, and network intrusion detection, is.  The
basics of network traffic sniffing and analysis, and the operation of
tcpdump and ethereal, are described in chapter two.  Installation, options,
and the basic operation of Snort are outlined in chapter three.  Chapter
four details the different types of blackhat and intruder activity in terms
of network intrusion.  Chapter five details the configuration file and
choices.  How, and where, to use and set up Snort is the topic of chapter
six.  Snort rules are explained in chapter seven, which also outlines the
system for creating them.  Snort can also be used for intrusion prevention,
as chapter eight points out.  Tuning sensitivity, and establishing
thresholds and clipping levels, is discussed in chapter nine.  Chapter ten
reviews the use of ACID (Analysis Console for Intrusion Detection) as a
management console.  An alternative program is SnortCenter, described in
chapter eleven, and more options are listed in twelve.  Chapter thirteen
notes possibilities for the use of Snort in high bandwidth situations.

For those interested in the standard intrusion detection program, here is a
set of useful explanations for its use and operation.

copyright Robert M. Slade, 2004   BKMSWSIT.RVW   20041106
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


COMPSAC 2005: Extended deadline for paper submission

<CS Asst Prof Dr Yuen Tak YU <ytyu@cs.cityu.edu.hk>>
Tue, 8 Feb 2005 05:40:18 +0800 (HKT)

The 29th Annual International Computer Software and Applications Conference
                           COMPSAC 2005
                 Edinburgh, Scotland, July 25-28, 2005
                http://aquila.nvc.cs.vt.edu/compsac2005
         The major theme will be HIGH ASSURANCE SOFTWARE SYSTEMS.

Please note that the deadlines for submission of both regular and
workshop papers to COMPSAC 2005 have recently been extended.
The EXTENDED deadline for paper submission is only three weeks away:

** Extended deadline for conference papers: Feb 28, 2005 **
** Extended deadline for  workshop  papers: Feb 28, 2005 **
   Deadline for fast abstracts (unchanged): Mar 21, 2005

E-mail enquiries
-Program Co-Chairs: irchen@cs.vt.edu  rni@inf.ed.ac.uk  meih@pku.edu.cn
-Workshop Chair:             ewong@utdallas.edu
-Fast Abstract Co-Chairs:    xie@cs.pdx.edu  ylei@cse.uta.edu
-Steering Committee Chair:   yau@asu.edu

Y T Yu, Publicity Chair, COMPSAC 2005
Department of Computer Science, City University of Hong Kong
csytyu@cityu.edu.hk  http://www.cs.cityu.edu.hk/~ytyu

COMPSAC is a major international forum for researchers, practitioners,
managers, and policy makers interested in computer software and
applications. It was first held in Chicago in 1977, and since then it has
been one of the major forums for academia, industry, and government to
discuss the state of art, new advances, and future trends in software
technologies and practices.  The technical program includes keynote
addresses, research papers, industrial case studies, panel discussions and
fast abstracts. It also includes a number of workshops on emerging important
topics.

For more detailed and updated information, please refer to
http://aquila.nvc.cs.vt.edu/compsac2005

For further information, please contact:
Stephen S. Yau, Arizona State University, USA
E-mail: yau@asu.edu
