The RISKS Digest
Volume 23 Issue 85

Tuesday, 26th April 2005

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Amtrak's high-speed Acela trains sidelined until summer
Monty Solomon
Amtrak woes echo standard software engineering complaints
Michael J Harrison
Remote computer locks the doors, or does it?
Mark Lutton
Hacker broke into CMU computers
Bill Schackner via Monty Solomon
Bob Heuman
Another out-of-bounds condition that needs NO checking
David Lesher
A large scale disruption caused by incorrect virus-definition file
Chiaki
The risks of opening a PayPal account
Ross Anderson
Risks of having a distinctive surname
Stefek Zaba
SFPD officer accused of using airport cameras to ogle women
Bob Van Cleef
Trial ID card scheme is withdrawn in Cornwall
Chris Leeson
Audit shuts down Minnesota Car License Web
Steven Hauser
Oops! US Air round trip for $1.86
Howard M Israel
Banks still force users to be vulnerable to ID theft
Brad Hill
"The national phone system failed"?
Mark Brader
Re: Michigan message board says speed limit 100 mph
Jeffrey Waters
Re: SecurID and E*TRADE
Jonathan Lewthwaite
Kurt Raschke
Info on RISKS (comp.risks)

Amtrak's high-speed Acela trains sidelined until summer

<Monty Solomon <monty@roscom.com>>
Thu, 21 Apr 2005 01:12:32 -0400

Amtrak will not be able to run any of its high-speed trains until the summer
because of delays in getting replacement parts to correct brake problems on
Acela Express cars.  The brakes were to last 1 million miles; the current
Acela fleet had about half of that mileage.

Amtrak pulled all of its 20 Acela trains out of service on Friday after
finding millimeter-size cracks in 300 of the fleet's 1,440 disc brake
rotors.  Each Acela train has 72 brakes.  This part is unique to the Acela
and there is no active production line casting them.  Fewer than 70 disc
brakes are currently available.

  [Source: The Associated Press, article by Donna De La Cruz, 20 Apr 2005;
  PGN-ed]

http://www.boston.com/news/local/massachusetts/articles/2005/04/20/amtraks_high_speed_acela_trains_sidelined_until_summer/

  [Amtrak had cannibalized parts from other trains to get one or
  two trains able to run, but quickly abandoned that effort.
  Risks of custom design and no spare parts...  Risks of building a system
  that really required new tracks, rather than trying to run on old
  tracks...  PGN]


Amtrak woes echo standard software engineering complaints

<Michael J Harrison <mharrison@us.ibm.com>>
Tue, 19 Apr 2005 16:32:23 -0700

A paragraph from an op-ed in *The New York Times*, 19 Apr 2005
(http://www.nytimes.com/2005/04/19/opinion/19tierney.html):

"He chronicled the Acela mistakes, starting with Amtrak's decision to build
a new train instead of modifying an existing European one, and to build it
as a working train without first testing a prototype. The result was a long
series of problems, design changes and lawsuits between Amtrak and its
Canadian contractor, each accusing the other of botching the job."

It seems that old-fashioned mechanical engineering is not immune from the
ills commonly ascribed to its software counterpart.


Remote computer locks the doors, or does it?

<<Mark.Lutton@thomson.com>>
Thu, 21 Apr 2005 11:32:00 -0400

I found this at http://www.stupidsecurity.com, which references
http://www.wral.com/news/4354102/detail.html

  Wake County, N.C. uses a central computer to lock 50 of its buildings in
  and around Raleigh.  The Wake County Animal Shelter was closed on Easter
  Weekend, but the computer didn't know that.  The doors were left unlocked
  and several animals were stolen from the shelter.

It would be cynical of me to note that animal shelters are one service where
pilferage of the goods reduces net costs, so I won't.


Hacker Broke Into CMU Computers (Bill Schackner)

<Monty Solomon <monty@roscom.com>>
Sun, 24 Apr 2005 01:09:26 -0400

A hacker who tapped into business school computers at Carnegie Mellon
University may have compromised sensitive personal data belonging to 5,000
to 6,000 graduate students, staff, alumni and others.  The breach confirmed
by officials in the Tepper School of Business is the latest in a recent
string of campus computer break-ins nationally and the second since early
March affecting Tepper.  There is no evidence that any data, including
Social Security and credit card numbers, have been misused, officials
said. But they have begun sending e-mails and letters alerting those
affected.  They include graduate students and graduate degree alumni from
1997 to 2004, master's of business administration applicants from September
2002 through May 2004, doctoral applicants from 2003 to this year, and
participants in a conference that was being arranged by the school's
staff. ...  [Source: Bill Schackner, *Pittsburgh Post-Gazette*, 21 Apr 2005]
http://www.post-gazette.com/pg/05111/491836.stm


Hacker Broke Into CMU Computers

<Bob Heuman <rsh@idirect.com>>
Thu, 21 Apr 2005 16:50:58 -0400

Another case of not knowing how long the exposure existed and therefore how
much exposure the personal information really had. Once again we have Social
Security Numbers, credit card data, etc. exposed for an indeterminate amount
of time. I have gone to the university's own web site and the Tepper School
web site and neither has any mention of this report as of the time I
checked, which is Apr 21 at 4:45PM EDT.
  http://kdka.com/local/local_story_111102454.html


Another out-of-bounds condition that needs NO checking

<David Lesher <wb8foz@nrk.com>>
Thu, 21 Apr 2005 12:16:07 -0400 (EDT)

X-URL: http://www.nytimes.com/2005/04/21/nyregion/21check.html?pagewanted=print&position

*The New York Times*, 21 Apr 2005

New York City's school system recently agreed to pay $86,000 to the lawyer
of a child with autism to cover special educational services for his
client. But when the lawyer opened his mail on Tuesday, he found a check for
slightly more: $8.6 million.

{off-by-one decimal point; usual excuses cited...}


A large scale disruption caused by incorrect virus-definition file

<Chiaki <ishikawa@yk.rim.or.jp>>
Tue, 26 Apr 2005 02:14:34 +0900

It is widely reported in Japan that an errant virus definition distributed
by an anti-virus PC software company caused a large-scale disruption of
businesses and individual users.

The company, TrendMicro with its headquarters in Tokyo, has been selling its
anti-virus PC software products for quite some time. Its first product was
developed in 1991.

Now, on Saturday morning 07:30 (JST), the software's automatic update site
in the Philippines released a new virus definition file which, according to
the company's comment, was not adequately tested. This file was picked up by
many users in Japan and abroad who either automatically or manually invoked
the virus definition update function of the software.

Unfortunately, Windows XP SP2 and Windows 2003 Server users with this
software installed (there are a few variants of the products in the software
suite, and a few of them were affected) who updated the definition file AND
rebooted the PC after the update (as suggested by the software, it seems) saw
the CPU usage go up to 100% immediately after booting and could not do much
on their PCs.

The problem was that the incorrect update caused an infinite loop scanning a
certain system file, leaving no CPU time for any other task.

(If the user didn't reboot and waited another several hours, the re-worked
update file was automagically picked up, provided the automatic update
feature was enabled, and there would be no harm.)

According to the various reports, corporate licensees include media big
names such as the Asahi Shimbun newspaper, the Kyodo wire news service, and
the reservation division of the railway company JR East. (The company puts
the number of users at around 10 million individuals.)

I noticed the early reports of disrupted computer networks at Asahi Shimbun
and the Kyodo wire service on Saturday morning and wondered what could cause
LAN disruption at such well-protected places. (It seems that the DHCP client
could not get an address after boot due to the heavy CPU load inside the
anti-virus service.)

After many inquiries began pouring in, the company checked and released the
re-worked virus definition file. However, 170,000 downloads took place while
the incorrect definition was on the download server.  Many individual or
small-business users who didn't realize the problem was caused by the virus
definition update brought their PCs to tech service companies, re-installed
the OS, etc. Some had their disks re-formatted.

The scale of the disruption was rather large, and on Saturday evening many TV
stations carried the news of the disruption with the correct cause
identified. Some affected users who were trying to `fix' their computers
noticed these news broadcasts and could then bring their PCs back to normal.

The word cyberterrorism came to my mind, but it is ironical that the cause
was due to the inadequate testing at an anti-virus software corporation.

Of course, we will see whether the release of the definition file without
adequate testing was a deliberate act or simple neglect.

Lucky me: I am using Symantec Anti-Virus software on a Windows PC, and
Linux on another PC. Diversity is wonderful when we can afford it.

PS: The remedy was to reboot the computer into safe mode (after a forced
power-off in many cases), replace the errant file and reboot. The
anti-virus software would then pick up the new corrected file.

PPS: I think I should add, to give a feel for the scale of the problem, that
as of Monday morning we know that on Saturday,

- the JR railway reservation division could not check reservation status
(fed via the network to PCs?) and so diverted customers inquiring by
telephone to manned counters at railway stations,

- the Kyodo wire service could not send out automatic wire-service news for
a few hours, and so resorted to sending out important news via FAX (I
believe that the initial news articles from Kyodo were sent in this manner),

- the Osaka subway system saw the computer that distributes accident
information to its stations fail to reboot, and

- Toyama city's election committee could not handle advance voting for its
mayoral and city alderman elections on its computers and had to resort to
manual processing.

These are just some of the problems reported in the Japanese press on Monday
morning.

However, life goes on as usual as of Monday morning as far as I can tell.
(But those unfortunate companies that suffered from the problem over the
weekend may be having a hectic time right now.)


The risks of opening a PayPal account

<Ross Anderson <Ross.Anderson@cl.cam.ac.uk>>
Tue, 26 Apr 2005 16:16:33 +0100

Regular RISKS readers know that many things can go wrong with naming and
authentication. Here is an interesting example.

I opened a PayPal account on the 18th April and tried to link it to a
checking account I have at a UK bank (the NatWest). The PayPal website
balked at the name of the bank branch ("Cambridge King's Parade") on the
grounds that it contained a non-ASCII character. It was also too long for
the web form. All I could do was enter "Cambridge" and hope for the best.

Now it's prudent for programmers to check input, but this is rather
extreme. After all, most of the names of people and places in this world are
non-ASCII. Compulsory asciification turns that inoffensive Italian, Signor
de'Ath, into the sinister Transylvanian Mr Death.  Also, when I worked in
banking many years ago, a common source of fraud was that when money arrived
at the wrong branch, staff put the money into a "suspense account" while
they queried the sender. Fraud and abuse involving suspense accounts was a
serious problem.

So I tried to bring to PayPal's attention that their web page was not merely
culturally inappropriate, but also a security vulnerability. I was unable to
get their help-desk to link up successive e-mails about the issue, let alone
refer me to someone who could talk policy.

So far, so broken. I reported the incident on a local mailing list
(ukcrypto) where one of the regulars informed me that the King's Parade
branch had in fact closed, with all the customers being transferred to
another branch. This was the first I'd heard of it! I walked by my bank
branch and found it indeed closed. The two small payments that PayPal said
it would send to my bank account, to check I have access to the bank
statements, have vanished.

You just could not make this up. PayPal relies for authentication on bank
branch names, which a large UK bank will change without notifying its
customers (at least, not in any way I noticed). I won't even begin to
speculate about all the possible risks.

Ross Anderson  http://www.cl.cam.ac.uk/users/rja14/
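As an added example (not PayPal's code), the ASCII-only rule the post describes beside a validator that accepts letters from any script and counts length in characters after Unicode normalisation; the field limit and the allowed punctuation are assumptions for the illustration.

```python
"""Input validation that accepts non-ASCII names.

Constructed example: MAX_BRANCH_NAME and the allowed punctuation are
assumptions, not any real payment site's rules.
"""
import unicodedata

MAX_BRANCH_NAME = 40   # assumed limit, counted in code points after normalisation


def ascii_only_validator(name: str) -> bool:
    """The over-restrictive rule: any non-ASCII character fails the field."""
    return name.isascii() and 0 < len(name) <= MAX_BRANCH_NAME


def unicode_branch_validator(name: str) -> str:
    """Return the normalised name, or raise ValueError with the reason.

    Letters, marks and digits from any script are allowed (Unicode general
    categories L*, M*, N*), plus space, straight and curly apostrophes, hyphen
    and full stop. Control characters and other punctuation are rejected; the
    length is measured after NFC normalisation so that composed and decomposed
    spellings of the same name are treated alike.
    """
    norm = unicodedata.normalize("NFC", name).strip()
    if not norm:
        raise ValueError("empty name")
    if len(norm) > MAX_BRANCH_NAME:
        raise ValueError(f"longer than {MAX_BRANCH_NAME} characters")
    for ch in norm:
        cat = unicodedata.category(ch)
        if cat[0] in "LMN" or ch in " '\u2019-.":
            continue
        raise ValueError(f"disallowed character {ch!r} ({cat})")
    return norm


if __name__ == "__main__":
    branch = "Cambridge King\u2019s Parade"   # curly apostrophe, non-ASCII
    print("ascii-only accepts:", ascii_only_validator(branch))
    print("unicode-aware returns:", unicode_branch_validator(branch))
```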


Risks of having a distinctive surname

<Stefek Zaba <stefek.zaba@hp.com>>
Thu, 21 Apr 2005 19:40:59 +0100

Generally, having a distinctive forename-surname combination serves me well
enough: not much chance of double-booking in hotels, and people find it easy
enough to remember. There's a privacy downside, in that once you know the
surname and city (country, even) I'm not hard to find.  And I acquired the
obvious surname-related domain, zaba.com, getting on for a decade ago.

Then, about the middle of March 2005, my inbox started to attract angry
emails: "remove me from your Website immediately"! Since the www.zaba.com
page has been unchanged since my mid-1997 entry on "what I did in the UK
crypto-policy wars", I at first thought this was a new form of e-mail
address harvesting — send an angry accusation, attract an indignant
response, email address confirmed. But few of the correspondents' addresses
seemed suspect, and when I got one from a .mil address I started filing them
away.

It took another week or so for one of the e-mails to identify, by way of a
screenshot, which website people were concerned about.

US readers will have cottoned on by now; but for The Rest Of Us: a new
people-searching website has appeared in the US, under the name of
zabasearch.com. Frantically trying to deal with their unhelpful "optout"
procedures (which change frequently, and require you to submit personal
data!), some people hit on the idea that zaba.com would be a better place to
send emails, or Googled for the unusual word in question and found my email
address. It's since been circulated in warning messages which get passed on
in Craig Shergold fashion.

zabasearch.com themselves say they're 'only republishing publicly available
information'. RISKS readers, well-versed in notions of fair information
handling, will just about be able to grasp the distance between "on file at
the county records office", and "made available at no cost, pre-indexed by
name". What's made available for free is basic personal info - name,
address, phone numbers, years-at-address; for a fee they'll do further
background checks. All with the same rigorous attention to data quality
which has led colleagues to find themselves listed under addresses they left
several years ago, and having 30 years added to their age.

What's been interesting is receiving over a hundred angry "REMOVE ME"s, only
three or four of which identified the website in question.  "Clearly", with
that website covered in Zaba-this and Zaba-that, the great majority of
correspondents observed the name coincidence and inferred identity.

Carl Ellison's "10 RISKS of PKI", and the SPKI work about the unreliability
of global naming, just got validated again, at my expense.

More gory details over at < http://www.zaba.com >

Stefek Zaba, HPLabs, Bristol, England

  [Many thanks.  Having a unique name sounds like a recipe for Zaba-loney.
  Or maybe someone is being fed Za-baloney?  PGN]


SFPD officer accused of using airport cameras to ogle women

<Bob Van Cleef <bob@vancleef.org>>
Thu, 21 Apr 2005 12:42:08 -0700

Another case of "who is watching the watchers".

According to a report on a local TV station, KTVU 2 in San Francisco, CA, a
police officer is facing possible disciplinary action for allegedly using
surveillance cameras at San Francisco International Airport to ogle women as
they walked through the terminal.
  http://www.ktvu.com/news/4398749/detail.html


Trial ID card scheme is withdrawn in Cornwall

<"LEESON, Chris" <chris.leeson@atosorigin.com>>
Tue, 19 Apr 2005 13:33:04 +0100

The BBC News site has an article reporting that an ID card
system being used in Cornwall has been withdrawn:

  "Plans for national ID cards may need to be reconsidered following the
  breakdown of a pilot project in Cornwall.  The 'smart card' was tested
  through the Cornish Key scheme, but now the trial is to be withdrawn,
  despite an investment of £1.5m of government cash."

The withdrawal is being blamed on problems with the readers, and the system
is being replaced by a newer system with "dumber" smart cards.

http://news.bbc.co.uk/1/hi/england/cornwall/4459493.stm


Audit shuts down Minnesota Car License Web

<Steven Hauser <hause011@tc.umn.edu>>
Tue, 19 Apr 2005 15:42:28 -0500 (CDT)

A Minnesota Legislative Auditor report shut down a web service: "Department
of Public Safety Web-based Motor Vehicle Registration Renewal System
Security Audit: Security Controls as of March 2005"
  http://www.auditor.leg.state.mn.us/fad/2005/fad05-23.htm
The report based its audit on the Open Web Application Security Project's
top ten list (http://www.owasp.org/documentation/topten.html) and on a
previous audit in 2001 whose findings and recommendations were ignored.

This story was front page news in the *Saint Paul Pioneer Press* and
*Minneapolis Tribune* on 19 Apr 2005.

Other MN Department of Public Safety website shutdowns resulting from the
Minnesota Legislative Auditor's work include the Bureau of Criminal
Apprehension's CriMNet. The legislative auditor seems to find a lot of RISKS
in the Department of Public Safety.

Steven Hauser  http://www.tc.umn.edu/~hause011/


Oops! US Air round trip for $1.86

<"Israel, Howard M (Howard)" <hisrael@avaya.com>>
Tue, 19 Apr 2005 11:40:11 -0400

http://money.cnn.com/2005/04/19/news/fortune500/usair_cheap_flights/index.htm?cnn=yes

Oops! US Air round trip for $1.86
Report: Carrier will honor more than 1,000 tickets sold at discounted
price due to computer glitch.

The airline also was hit by what its chief executive termed a "meltdown" of
its baggage system during the Christmas holiday. That problem resulted in it
sending some flights out of its Philadelphia hub without any bags.


Banks still force users to be vulnerable to ID theft

<Brad Hill <hillbrad@gmail.com>>
Wed, 20 Apr 2005 12:52:05 -0600

This may have been discussed before, but with the recent spate of DNS cache
poisoning attacks and fake WiFi hotspot proliferation I believe it has new
relevance.

I was actually rather shocked to find that U.S. Bank
(http://www.usbank.com/), Chase (http://www.chase.com) and Bank of America
(http://www.bankofamerica.com) all still *force* users to enter their login
and password on an insecure page. This exposes account holders to a great
risk of their credentials being stolen. The login forms on their genuine
home pages are submitted to a secure site, as they claim. The problem is
that you need security *before* you enter your data. If DNS, a router or a
proxy server anywhere along the path to their server were compromised, the
login page could be substituted for one that submits to another site or
injected with JavaScript that sends info elsewhere, asynchronously, before
it goes to the real destination. Without an SSL certificate chain there is
no way to verify that the insecure page with the form came from a trusted
source and no way short of exhaustive code inspection to tell where the form
data is actually going.

BankOne, Wells Fargo, Citi, Washington Mutual, Bank of the West, Key Bank
and Sun Trust all offer SSL versions of their login page, but for some
reason, U.S. Bank, BofA and Chase redirect to an insecure site or return an
error when trying to connect with SSL. You *can't* log in securely, even if
you try. The existence of this kind of obvious and fundamental security
mistake after all the publicity about this category of attack (note that all
these banks *do* have a user education page on phishing/fraud prevention!)
is definitely something to keep in mind when choosing a bank.
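As an added illustration of the check the post above calls for (example code written for this digest entry, not from the author or any of the banks named): a small auditor that parses a fetched page and flags any form containing a password field that was served over plain HTTP, or that posts over plain HTTP. The sample page and host names are constructed.

```python
"""Audit a fetched login page for a password form delivered over plain HTTP.

The sample HTML and host names below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self._current = None          # form being parsed, or None
        self.password_forms = []      # list of {"action": str, "has_password": bool}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page URL, as a browser would.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = {"action": action, "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.password_forms.append(self._current)
            self._current = None


def audit_login_page(page_url: str, html: str) -> list:
    """Return a list of findings (strings); an empty list means nothing flagged."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme
    for form in parser.password_forms:
        action_scheme = urlsplit(form["action"]).scheme
        if page_scheme != "https":
            # The form itself arrived unauthenticated: anything on the path could
            # have swapped its action or injected script before the user submits.
            findings.append(
                f"password form served over {page_scheme}: page content is not "
                f"authenticated even though it posts to {form['action']}")
        if action_scheme != "https":
            findings.append(
                f"password form posts over {action_scheme}: {form['action']}")
    return findings


# Constructed sample: a home page on plain HTTP whose login form posts to
# HTTPS, the pattern the post above describes.
SAMPLE_PAGE_URL = "http://www.example-bank.test/"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://online.example-bank.test/login">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("FINDING:", finding)
```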


"The national phone system failed"? (Goodman-Jones, Risks-23.84)

<msb@vex.net (Mark Brader)>
Mon, 18 Apr 2005 20:45:00 -0400 (EDT)

> Ch7 is one of the three national commercial TV stations in Australia.

"The national phone system failed", and what RISKS hears about is a
*television* outage?  Please tell me that this was just a careless wording!

Mark Brader, Toronto, msb@vex.net

  [Probably not.  TV is much more visible than electricity to many people...
  PGN]

    [On 27 Jan 2006 Mark Brader noted earlier private communications,
    including one that said the problem was restricted only to the internal
    interstate network.  PGN]


Re: Michigan message board says speed limit 100 mph (R 23 84)

<"Jeffrey Waters" <jwaters@htimes.com>>
Tue, 19 Apr 2005 13:44:02 -0500

While living in Florida, I always wondered what would happen if one
of the message boards on northbound I-95 would have said something
along the lines of "Notice - DEA Checkpoint 2 Miles"


Re: SecurID and E*TRADE (Taft, RISKS-23.84)

<"Jonathan Lewthwaite" <JLewthwaite@passgo.com>>
Mon, 25 Apr 2005 16:11:56 +0100

Online security with usability problems?

In RISKS-23.84 Ed Taft wrote an article about the potential drawbacks of
using a keyfob device to facilitate two-factor authentication.
Ed made several observations of his experience and notes that:

  "... while this appears to have good security, some potential deficiencies
  come to mind: It requires more typing than the old scheme, including an
  unfamiliar sequence of characters that changes every time.  A better
  arrangement would be for the keyfob to have a USB connector that I plug
  into my computer to prove that I have the keyfob."

This 'deficiency' has already been addressed:

The solution is to allow the 'token' software to be installed on some other
device such as a USB memory stick. This can then be used to prove that the
authenticating user has the device (by plugging it in).  For an example and
explanation have a look at:
http://www.passgo.com/products/softwareTokens.shtml

To maintain the two-factor authentication plugging in the device by itself
is not enough — the user must supply something they know. As Ed noted this
is an unfamiliar sequence of characters that changes every time. With the
software token installed on your USB memory stick, supported applications
can be configured to require a PIN, allowing the challenge/response
sequence to be handled automatically.

The solution ports to other common electronics that folks have, such as PDAs
and mobile devices, giving even greater freedom to the end user.

For further information on the need for strong two-factor authentication
and solutions, RISKS readers can follow this up at:
http://www.passgo.com/products/defender/index.shtml

Jonathan Lewthwaite  Technical Account Manager  www.passgo.com


Re: SecurID and E*TRADE (Taft, RISKS-23.84)

<Kurt Raschke <kurt@raschke.net>>
Mon, 18 Apr 2005 20:59:42 -0400

Ed Taft's commentary in RISKS-23.84 on E*TRADE's apparent use of RSA's
SecurID system to authenticate users to their website raised a few points
that I think merit additional consideration.

On Ed's first point, about the added typing necessitated by the system and
his desire that it have a USB plug: Having a keyfob with a display allows
the device to be used with any sort of computer--not every computer out
there has a USB port, or one that is user-accessible.  What if you log in
using a phone or a PDA?

On multiple service providers using SecurID: Theoretically this could become
a problem, but there's no reason why a trusted third party couldn't run a
copy of RSA's ACE/Server (the app used to authenticate SecurID tokens) that
others could connect to over a VPN to use for authentication.  One token,
many sites. (This, though, has plenty of inherent RISKs too.)

Finally, on his point about the keyfob's battery dying: RSA has a good plan
for that--replace the unit.  It's as simple as that.

Ed raises these issues as though E*TRADE is the first company to ever
implement SecurID (and they may be the first to implement it for a
public-facing service, but not the first ever), but in reality they are not
very grave issues, and many government labs and other organizations find
SecurID to be a good security method despite them.

The real RISK?  Weaknesses in the SecurID system:
http://www.homeport.org/~adam/dimacs.html.
