The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 11

Tuesday 6 January 2004

Contents

Bank of England falls victim as e-mail scams rise by 400%
Keith A Rhodes
Get ready for SPIM
NewsScan
Israeli government suspends purchases of Microsoft software
NewsScan
Input data error on tag transfer causes driver's arrest
Stanley A. Klein
Forget your bank balance? It's available on the Internet
Monty Solomon
Inadvertent use of wireless network
Ben Rosengart
Car-monitoring service allows you to be your own Big Brother
Monty Solomon
Secret ballots the Tel-Aviv University way...
Yaron Davidson
Electronic voting: computer reliability aspects
Bob Axtell
Re: Why have electronic voting machines at all?
Mark Newton
Re: Loss of bus braking due to nearby illegally modified transceivers
Kenji Rikitake
REVIEW: "Disaster Recovery Planning", Jon William Toigo
Rob Slade
Info on RISKS (comp.risks)

Bank of England falls victim as e-mail scams rise by 400%

<"Keith A Rhodes" <RhodesK@GAO.GOV>>
Mon, 05 Jan 2004 10:41:28 -0500

The Bank of England became the latest victim of e-mail fraudsters yesterday
when many hundreds of thousands of people were sent hoax messages from
admin@bankofengland.co.uk, a nonexistent bank address, urging them to open
an attachment that would help prevent credit card fraud.  This was
reportedly the first time BoE was victimized by a "phishing" expedition that
apparently fooled about 5% of their Visa customers into divulging their card
and PIN numbers.  The scam was detected when the Bank received over 100,000
automated replies mostly from corporate mailsites whose employees were on
holiday!  Halifax, NatWest, Barclays, Lloyds TSB, and Nationwide Building
Society have also been previously subjected to similar attacks.  [Source:
James Moore and Robert Uhlig, *The Daily Telegraph*, 31 Dec 2003, PGN-ed]
  http://www.telegraph.co.uk/connected/main.jhtml?xml=/connected/2003/12/31/ecntbofe31.xml&sSheet=/connected/2003/12/31/ixconnrite.html


Get ready for SPIM

<"NewsScan" <newsscan@newsscan.com>>
Wed, 31 Dec 2003 08:48:41 -0700

Instant messenger spam, dubbed "spim," is increasingly clogging users'
computers, popping up with the real-time regularity of instant messages and
annoying users who complain they're now receiving several messages a day.
Users can either accept or decline the spim, which often contains a link to
-- what else? -- a pornography site. Ferris Research estimates about 500
million spim messages were sent in 2003, double the number sent in the
previous year. And while instant-messenger spam "isn't nearly the industry
that e-mail spam is, it's starting to increase," says the CEO of an antispam
consulting firm. Experts warn that the recent crackdown on conventional spam
may push illicit marketers to explore new avenues, including instant
messaging. "The irony is that focusing like a laser on our No. 1 concern --
spam -- has painted e-mail spammers into a corner like never before and
incited them to find other ways to try and reach our membership online,"
says an AOL spokesman.  [*Wall Street Journal*, 31 Dec 2003; NewsScan Daily,
31 Dec 2003]
  http://online.wsj.com/article/0,,SB107228175621944800,00.html (sub req'd)


Israeli government suspends purchases of Microsoft software

<"NewsScan" <newsscan@newsscan.com>>
Wed, 31 Dec 2003 08:48:41 -0700

The Israeli government has become the latest national government to seek
open-source alternatives to Microsoft's productivity software, citing cost
as a major motivating factor. "The move with Microsoft was a purely economic
decision," says a Finance Ministry spokeswoman. "The Israeli government will
not be purchasing new products from Microsoft, but will implement its
contract to secure existing systems. On a policy level, the government is
committed to expanding computer use. We want open source technology to
spread, so more people will be able to afford computers." The Finance
Ministry has been working with Sun Microsystems and IBM to create a Hebrew
language version of OpenOffice software, an open-source alternative to
Microsoft Office. Some federal agencies in France, China and Germany, as
well as the city government in Munich, have switched over to Linux-based
servers and individual workstations. Other governments exploring open source
alternatives include those in Britain, Brazil, Japan, South Korea, China and
Russia. Governments account for about 10% of global information technology
spending, according to IDC.  [AP/*USA Today*, 31 Dec 2003; NewsScan Daily, 31
Dec 2003]
  http://www.usatoday.com/tech/world/2003-12-30-israel-vs-microsoft_x.htm


Input data error on tag transfer causes driver's arrest

<"Stanley A. Klein" <sklein@cpcug.org>>
Mon, 05 Jan 2004 13:29:21

I met Ms Reed at the Maryland Technology Showcase and heard this story.  I'm
cc'ing her so she can correct or update the story if necessary.

Ms Paula Reed traded in her minivan for an SUV over a year ago.  The dealer
told her that because the weight classes of the two cars were the same, she
could transfer her tags, and that the dealer would take care of it.
Maryland has a two year cycle for tag renewal, and she didn't know the
details of what to expect, so she went about her life.

She was driving down the street a few months ago when she was stopped by a
police officer.  The officer told her she was driving on expired tags.  She
replied that she usually sends in her tag renewals promptly and didn't
remember receiving a renewal notice.  The officer asked for her registration
and all she had was the paperwork given her by the dealer when she bought
the car.  The officer checked her tag number with the Maryland Motor Vehicle
Administration and found that there was no such tag in the system.  The
officer then accused Ms Reed of obtaining counterfeit tags, arrested her,
and took her to the police station.

After she was released (with a court date), she checked on her tag
situation.  It turned out that somewhere in the tag transfer process someone
entered the wrong weight class for her new car.  Somehow the system rejected
the tag transfer but the error was not corrected.  When her used minivan was
resold by the dealer, her tags were deleted from the system.  Either nobody
knew that all this was happening, or whoever knew failed to take action to
correct the error.

As of early December, she had been required to obtain new tags and was still
awaiting her court date on the charges growing out of her arrest.


Forget your bank balance? It's available on the Internet

<Monty Solomon <monty@roscom.com>>
Sun, 4 Jan 2004 01:33:52 -0500

Eric F. Bourassa, a privacy advocate at the Massachusetts Public Interest
Research Group, knows how difficult it is to keep personal financial
information personal. But even he was surprised at how easy it was for *The
Boston Globe* to obtain his private bank account information.  Trafficking
in confidential financial information is commonplace on the Web, with a
quick Google search turning up more than a dozen sites selling everything
from Social Security numbers to bank balances.  *The Globe* tested one of
the sites in September, paying $125 for Governor Mitt Romney's credit report
and in the process discovering a major security weakness in the nation's
credit reporting network.

In November, with Bourassa's blessing, the Globe began to explore the
shadowy world of asset search firms, which advertise that they can unlock
the financial secrets of virtually anyone. The mystery is where these firms
get their information. Does it come directly from financial institutions? Or
does it come through more indirect, possibly illegal, methods?

The Globe agreed to pay Ohio-based I.C.U. Inc., whose Web address is
Tracerservices.com, $475 for Bourassa's bank account information and his
stock and bond holdings. Not all of the information the Web site provided
was accurate, but the bank account information, with the balance listed
right down to the penny, was so close that it made Bourassa feel violated.
  [Source: Bruce Mohl, *The Boston Globe*, 4 Jan 2004]


Inadvertent use of wireless network

<Ben Rosengart <ben@narcissus.net>>
Tue, 30 Dec 2003 18:45:00 -0500

My brother D., home from college, called me today.

  D.: I don't want to jinx anything, but it seems that my computer
      is connected to the Internet.  I turned it on and saw that I
      had two new messages.  And they're from *today*.
  Me: I take it you're at Dad's [where nothing is set up for Internet
      access].  Do you have a wireless card in there?
  D.: Um, I don't know.
  Me: Ok, go to System Preferences ... Network ... what do you see?
  D.: [...] Connected via Airport.
  Me: There you go.
  D.: Are you saying there's a wireless network at Dad's?
  Me: Wireless doesn't care about walls.  [I know, that's not strictly
      true, but it's what I said.]
  D.: So I'm on some *neighbor's* wireless network?
  Me: Yup.
  D.: [Amazement and then laughter.]

I pointed out that all his network traffic is being broadcast on radio
frequencies, and counseled him to configure his mail client to use encrypted
protocols, and to watch out in general.


Car-monitoring service allows you to be your own Big Brother

<Monty Solomon <monty@roscom.com>>
Thu, 1 Jan 2004 03:04:56 -0500

Don't trust your teenagers or your spouse? Networkcar can tell you where
they've been driving.

The way George Orwell imagined Big Brother was as a police state that
imposed unrelenting surveillance on an unwilling public.  Orwell never
imagined that people would actually make nice with Big Brother as a matter
of convenience, but that's one way to view the growing stream of data from
automobiles that has attracted a lot of interest from the government and, so
far, not a lot of suspicion from the public.  Some consumers actually are
willing to pay for a service that lets the government know your car isn't
breaking the law.  For about a year, a La Jolla company has offered to
provide remote sensing of a car's systems and to post that data to a private
Web page, along with verifying to state agencies that the car is in
compliance with the emission laws of California and a few other states.  ...
[Source: Ralph Vartabedian, *Los Angeles Times*, 31 Dec 2003]
  http://www.latimes.com/classified/automotive/highway1/la-hy-wheels31dec31,1,1009805.story


Secret ballots the Tel-Aviv University way...

<Yaron Davidson <yarondav@post.tau.ac.il>>
Thu, 01 Jan 2004 14:33:29 +0200

The elections for faculty representatives in the Tel-Aviv University student
union were held two days ago.  (Now, this may be not as important as votes
for government, but many of the representatives run for actual political
parties, and there are serious sums of money involved higher up, so these
votes do have a meaning.)

In the last couple of years, for all the usual reasons, the voting
mechanism was changed to e-voting, namely a temporary PC with custom-made
software connected over the university LAN to a server. No paper audit of
course, have to match industry leading standards after all.  The voting
process itself is quite simple. You pass a bar-code reader over the student
card to get an ID, select the faculty to vote in if you have more than one,
get a list of all available candidates for the faculty, click on small
"select" buttons next to those you want (with visual indications being both
a check-box next to the names, and a second list containing those you voted
for), and press a confirmation button.

No problems for me last year, but it seems many students had difficulties
with either the bar-code reader or the program interface.  So, the delays
caused being apparently the most serious problem with the system, this year
we had a wonderful solution.  Oh, yes, before that, if I forgot to mention,
votes of course must be secret, and they place a temporary barrier around
the computer preventing anyone from looking in at you while you vote.

I got to the computer, and a man with a badge claiming him a "voting
supervisor" or some such takes my student card, passes the bar-code reader
in front of it, hands it back to me, motions toward the chair, and tells me
to go ahead and vote. But he stays there, and looks at me and at the
computer screen with a bored expression.

Me: "Eh... The votes are supposed to be secret..."
Him: "Yes, so?"
Me: "So you can see who I'm voting for."
Him: "Oh, don't worry about that. I'm not related to any of this. See?"
  and points to the nice badge.
Me: "What do you mean, not related. You're here, and you can see who I
  vote for. That's not secret!"
I get a "Why can't this idiot get it" look and again
Him: "But it doesn't matter. I'm not even from this faculty. I don't care
  who you vote for."
Me: "But surely I can't know that. I do have a right not to have people
  seeing who I vote for." Heck, right, officially I'm not even supposed to
  have a choice; nobody should come in and look even if I want them to.
Him: "Look, I'm not here to look at your vote. We had lots of people
  having trouble understanding how to vote, and the reader couldn't handle
  about two thirds of the cards, so I'm just here to help students vote
  and save time. And you're holding up the line. Just vote already."
Me: "Fine, but not until you get outside this barrier and don't look in.
  This won't solve the very serious general problem here, but it will
  solve my immediate one and let me finish..."
So the dear fellow gets out with a bemused expression. I vote. I press the
confirmation button (15-second process so far, mostly spent locating my least
worst candidates in the rather long list). Then I have to wait around 20-30
seconds more because the confirmation screen insists on staying there with
my name and the candidates regardless of my clicking on it to make it go
away. All the while the "supervisor" is muttering that it takes too long and
that's what he's there for. You want to speed up the process, put an OK
button on the confirm screen instead of time delaying it. That's 20 seconds
per student times several thousand students, right there.

I go out, someone else gets in, and after he reads his card and explains
what those "select" buttons are for to the poor soul, the "supervisor" turns
back to me still trying to figure out what the fuss is about.
Him: "You know, I really don't care about those votes. What I see doesn't
  matter. I don't know who you are or who the candidates are."
  I see one of our esteemed candidates standing there, point at her and
  proceed.
Me: "And I'm supposed to trust your word for it? How can I know
  you're not friends with her, or support the same party that's behind
  her? Maybe she bribed me to vote for her, and you could see I didn't?
  Maybe you just nod to her to indicate who voted and who didn't? It
  doesn't matter if none of these things are true. What matters is that it
  can theoretically be. You want to say the votes are not secret, take
  away this barrier, and let anyone see, fine. That's one way to do it.
  But if you claim the votes are secret, and go through all this trouble,
  then keep it secret and don't put someone in with me."
  At this point several other students in the line start to claim that
  I'm right, and another one asked him to look outside. A former student
  representative in the faculty gets there too and tries to mollify me by
  saying that she'd watch over him. Right.
  Anyway, then the guy comes up with another brilliant riposte.
Him: "Besides, if I wanted to see what you voted, I could just look it
  up at the server later, I wouldn't have to sit here and watch you."
Ah. So he's saying that:
1. It doesn't matter that what he does is wrong and forbidden, since he can
   do the same thing in several different ways. Makes perfect sense to me.
2. He can see at the server not only total vote counts, but WHAT I
   PERSONALLY HAVE VOTED. WHAT?!
Me: "Are you trying to tell me your database doesn't hold an aggregate
  count of votes and a separate list of who voted, but a list of what every
  ID has voted?!"
Him: "Ah... Well... See... Err..."
Me: "Because that's very bad practice. You should never keep this
  information in the database in a way that's easily accessible. It would
  make a mockery of calling these elections secret." Oh, wait, aren't we
  doing that already? Hmmm...
Him: "No, no. Of course we only keep aggregate information. Sure.
  Certainly. No individual votes. Nope. Not at all." Well, he denies it
  three times, even more actually, so he must have been convincing. So why
  didn't I buy it? Well, let's attack on a different front.
Me: "So in that case you can't go to the computer later and see what I
  voted, then. You can only see the totals, but those will be published
  anyway. If you want to see what I voted, you have to look here." Or put a
  sniffer on a connected computer, or logging software on this computer,
  or... Anyway, there went argument #1. I'd have felt better to see #2 go but
  I'd have a hard time buying that now.

Unfortunately, by that time the former representative got really insistent
about making me stop making a fuss, and the "supervisor" just had to help the
current voter, so I left the scene.

At least they solved the problem of students not understanding the voting
system. It is a biggie.  Imagine someone solving that whole butterfly-ballot
fiasco in the US by putting someone there to help people punch the right hole,
and not to worry since he's from a different state so he really doesn't care...
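The two record layouts argued over above, as an added example that is not code from the post or from the Tel-Aviv University system: one store keeps each ballot next to the student ID (what the "supervisor" let slip), the other keeps only a roll of who has voted plus a separate per-candidate count, so double voting is still rejected but the server cannot answer "who did this ID vote for". Student IDs, faculties and candidate names are constructed sample data.

```python
# Added example, not the RISKS post's or the university's code.
# IDs, faculties and candidates are constructed sample data.
from collections import Counter


class LinkedBallotStore:
    """Stores each ballot beside the voter's ID. Anyone with read access
    to the server can answer "who did student X vote for?"."""

    def __init__(self):
        self.ballots = []  # rows of (student_id, faculty, candidate)

    def cast(self, student_id, faculty, candidates):
        for candidate in candidates:
            self.ballots.append((student_id, faculty, candidate))

    def ballot_of(self, student_id, faculty):
        # The linkage is sitting right there in the table.
        return sorted(c for sid, f, c in self.ballots
                      if sid == student_id and f == faculty)

    def tally(self, faculty):
        return dict(Counter(c for _, f, c in self.ballots if f == faculty))


class UnlinkedBallotStore:
    """Keeps a roll of who has already voted in each faculty and, apart
    from it, a running count per candidate. The voter-to-ballot link is
    never written, so a second ballot from the same card is still refused
    but "who did student X vote for?" cannot be answered from the data."""

    def __init__(self):
        self.voted = set()   # (student_id, faculty) pairs: the roll
        self.tallies = {}    # faculty -> Counter(candidate -> votes)

    def cast(self, student_id, faculty, candidates):
        key = (student_id, faculty)
        if key in self.voted:
            raise ValueError("student already voted in this faculty")
        if len(set(candidates)) != len(candidates):
            raise ValueError("duplicate candidate on ballot")
        self.voted.add(key)
        # Caveat: an audit log that records both events with ordering or
        # timestamps would re-link them; log only the roll and the counts.
        self.tallies.setdefault(faculty, Counter()).update(candidates)

    def has_voted(self, student_id, faculty):
        return (student_id, faculty) in self.voted

    def tally(self, faculty):
        return dict(self.tallies.get(faculty, Counter()))


def demo():
    """Run the same constructed ballots through both stores."""
    ballots = [("S1001", "CS", ["Alon", "Carmel"]),
               ("S1002", "CS", ["Bar"]),
               ("S1001", "Law", ["Dana"])]   # S1001 votes in two faculties
    linked, unlinked = LinkedBallotStore(), UnlinkedBallotStore()
    for sid, faculty, chosen in ballots:
        linked.cast(sid, faculty, chosen)
        unlinked.cast(sid, faculty, chosen)
    return {
        "linked_reveals": linked.ballot_of("S1001", "CS"),
        "unlinked_can_reveal": hasattr(unlinked, "ballot_of"),
        "same_totals": linked.tally("CS") == unlinked.tally("CS"),
        "roll": unlinked.has_voted("S1001", "CS"),
    }
```

Both stores publish identical totals; only the linked one can also be asked for an individual ballot.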


Electronic voting: computer reliability aspects

<Bob Axtell <engineer@cotse.net>>
Thu, 01 Jan 2004 13:50:18 -0700

I perform electronics analysis on a consulting basis for clients.

A few years ago I was asked by a financial services client to verify a
design concept which used, as its brain, a Windows-based computer
system. Since the application was to maintain the credit-card numbers and
transaction records of hundreds of people inside its memory and hard drive,
an analysis was required. 50 hardware CPUs were used as engineering
samples, using two Windows operating systems, and over a 3-month period, the
results were clearly known, and the project dropped.

The results (still confidential), were eye-opening. In a nutshell:

1. Only ONE CPU ran without error for a continuous 96-hr period. In essence,
it was determined that Windows O/Ss were too "buggy" to perform such a
sensitive task.

2. Sensitive data could NOT be protected from an unknown trojan or virus
attack.

The other day, I learned, to my astonishment, that some new "voting
machines" use Windows O/S as their core!

Why is it that my financial client saw fit to verify hardware security, yet
States don't seem to see a need...

  [Because they were protecting MONEY.  Votes don't count.  (Joke)  PGN]

Bob Axtell PIC Hardware & Firmware Dev  http://beam.to/baxtell 1-520-219-2363


Re: Why have electronic voting machines at all? (Williams, R-23.06)

<Mark Newton <newton@internode.com.au>>
Wed, 31 Dec 2003 10:54:17 +1030

 > If you don't vote, you get fined about $20, unless you have a very good
 > reason.

Before the Yanks get too upset about that, it's best to clarify.

Voting isn't compulsory.  Registering to vote at least two weeks prior to
the first election after your 18th birthday is compulsory.  If you are a
registered voter, it is compulsory to attend a polling place.

Once you have attended the polling place, it is not compulsory to vote
(i.e., if you have some reason for not voting after you've gone to the
trouble of locating yourself 50 feet from a ballot box on election day,
there's no reason why you can't just leave after having your name checked
off).

Mark Newton, Network Engineer, Internode Systems Pty Ltd  +61-8-82282999


Re: Loss of bus braking due to nearby illegally modified transceivers

<Kenji Rikitake <kenji.rikitake@acm.org>>
Wed, 31 Dec 2003 09:04:02 +0900

RF interference issues are getting much more complicated these days.  Many of
them are caused by a lack of understanding of proper preventive
methods, such as installing RF common-mode filters (or ferrite cores) or
decoupling the circuits with a proper amount of capacitance on the power
and input/output lines.

I once had to troubleshoot interference to a 100BASE-TX line from a
legal 50W ERP (Effective Radiated Power) 1.9-to-28MHz amateur radio
transceiver, simply because the antenna and the Ethernet link were too
close, less than 2 meters apart.  Two ferrite cores at each end of
a long Ethernet cable solved the problem.  I also observed a common-mode
loop problem when you tried to connect a notebook PC to the transceiver.

Even optocoupled devices such as MIDI patchbays are prone to RF
interference because the optocoupling junction between the LED and
phototransistor has a certain amount of capacitance (a few picofarads),
which strong RF energy can pass through.

Truck drivers are unfortunately one of the major sources of illegal
radio operation here in Japan, occupying most of the V/UHF amateur radio
frequencies and CB bands.  They tend to raise the output of their
transmitters to the maximum, typically a few hundred watts, so many
car devices could be affected.

So you've got to be very careful.  Your RFID card could be erratically
activated.

Kenji Rikitake, JJ1BDX/3, JQ2KST and K1BDX


REVIEW: "Disaster Recovery Planning", Jon William Toigo

<Rob Slade <rslade@sprint.ca>>
Mon, 5 Jan 2004 12:47:56 -0800

BKDIREPL.RVW   20031105

"Disaster Recovery Planning", Jon William Toigo, 2003, 0-13-046282-9,
U$54.99/C$85.99
%A   Jon William Toigo www.drplanning.org
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2003
%G   0-13-046282-9
%I   Prentice Hall
%O   U$54.99/C$85.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0130462829/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0130462829/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0130462829/robsladesin03-20
%P   482 p.
%T   "Disaster Recovery Planning"

Toigo's first edition outshone almost all later DRP (Disaster Recovery
Planning) and BCP (Business Continuity Planning) works.  This edition
vastly expands the resources and thinking on the topic.  In the
preface, Toigo examines the question of whether people will see this
new edition as simply an exercise in opportunistic marketing, using
the events of September 11, 2001 to promote a fresh work.  He
concludes that changes in technology do justify another edition.  In
addition, the new pieces giving post-9/11 perspectives from various
parties (generally vendors) do provide some additional insights.  The
leading foreword, a first-hand account of the evacuation of one of the
World Trade Center towers, offers interesting observations such as the
fact that the tens of thousands of people using the exit stairwells
created potential problems with respect to condensation on the stairs
and walls of the structure.

Chapter one, an introduction to the topic, is no longer as incisive as
it once was.  However, there are still striking items, such as the
mention of the Bank of New York information technology outage (lasting
twenty seven hours) which led to a requirement to borrow twenty two
billion dollars, cascading into destabilization of the federal reserve
fund and interest rate fluctuations.  The advice is still practical,
pointing out legislation that may indirectly support disaster recovery
planning (although there is no mention of the widely used Americans
with Disabilities Act), a detailed assessment of the uselessness of
disaster recovery certifications and related groups, and suggestions
for dealing with political realities.  Various perspectives and
disputes over risk are reviewed in chapter two, although the material
becomes a bit disjointed when it ends with policy development.  There
is an excellent overview of fire protection and power problems, but
the rest of the facility management material in chapter three is quite
limited.  A detailed examination of the options, products, and vendors
related to data recovery (well beyond the usual discussion of full,
incremental, and differential backups) is given in chapter four.

Chapter five deals with strategies for the recovery of centralized
systems.  This is the standard view of disaster recovery, but Toigo
offers good, quality advice.  Recovering decentralized systems is
analysed in chapter six, although most of the solutions seem to rely
on recentralising.  End-user requirements, touching on remote
computing, virtual private networks, and so forth, are discussed in
chapter seven.  Examination of network recovery, in chapter eight, is
useful, although many solutions (such as wireless LANs) are not
perused for problems (such as security), while, at the same time, they
are not pushed far enough (groups in many locations are now planning
city-wide wireless networks which should be available in the event of
the collapse of major telecommunications carriers).  Emergency
decision making, in chapter nine, concentrates on teams, functions,
and flowcharts.  References and resources for recovery management,
mostly in the US, are in chapter ten.  There is an odd inclusion of a
story about vendor versus reseller infighting in the plan maintenance
material in chapter eleven.  The book concludes in chapter twelve.

While the later edition is sometimes too verbose, this work is
definitely worthwhile for anyone in the security or disaster recovery
planning field.  Even if you have the first edition, continuity and
recovery professionals will probably find that this latest work has
fresh insights that justify its purchase.

copyright Robert M. Slade, 2003   BKDIREPL.RVW   20031105
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
