The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 69

Tuesday 1 February 2005

Contents

'Thief-proof' car key cracked. What, already?
Chris Leeson
Incredible Hulk No-Coaster
Frank Carey
Tiger triggers the car window?
Wendell Cochran
Search engine risks
Marcos H. Woehrmann
German Toll Collect - an exercise in Graph Theory
Debora Weber-Wulff
It's a feature, not a bug! The saga of the German dole continues
Debora Weber-Wulff
Oops: 'Can Spam Act' seems to be no-can-do
NewsScan
The joys of auto-complete
Thom Kuhn
Panix.com domain name hijacking
Cyrus R Eyster
Are *you* on a list of aggressive drivers? You could be, if I say so!
Dawn Cohen
Most identity theft occurs offline
NewsScan
Grocery store robot scanner a royal pain
Mark Rockman
American Express or Phishing?
John Pettitt
Re: HTTPS .ne. secure
Robert Ellis Smith
'Hot' URLs in e-mail
Jay R. Ashworth
REVIEW: "Open Source Security Tools", Tony Howlett
Rob Slade
Info on RISKS (comp.risks)

'Thief-proof' car key cracked. What, already?

<"LEESON, Chris" <chris.leeson@atosorigin.com>>
Tue, 1 Feb 2005 10:55:50 -0000

According to an article in *The Register*, the security on RFID devices used
in car keys and petrol pump payment systems has been broken (the article
actually says "Researchers have discovered cryptographic vulnerabilities in
the RFID technology..."

http://www.theregister.com/2005/01/31/rfid_crypto_alert/

The encryption uses "an unpublished, proprietary cipher that uses a 40-bit
key".

The researchers managed to reverse-engineer the system and program a
microchip to do the decoding in 10 hours. Using 16 of the chips in parallel
reduced the search time to 15 minutes. At about $200 per chip that's not an
expensive brute force attack.

The article notes that although potential criminals could make fraudulent
petrol charges and deactivate vehicle immobilisation systems, they would
still have top get past physical locks in the car.

Provided that the car has them, of course.

I can't resist quoting from the last two paragraphs:

 "The team recommends a program of distributing free metallic sheaths to
  cover its RFID devices when they are not being used in order to make
  attacks more difficult.

 The company that markets ExxonMobil's SpeedPass system has said it has no
 knowledge that any fraudulent purchases have ever been made with a cloned
 version of its device."

The Risks? Well, apart from the fairly obvious security/fraud issues, it
does seem to me that this is using technology for technology's sake.  When I
want to disarm the alarm on my car, I point the remote at it and press the
button.  I don't need an "always on" control...


Incredible Hulk No-Coaster

<Frank Carey <Carey1938@aol.com>>
Sat, 29 Jan 2005 10:07:47 EST

Several riders were assisted to safety [28 Jan 2005] after a car became
stuck on the Incredible Hulk Coaster at Universal Orlando's Islands of
Adventure theme park, according to Local 6 News.  A Universal spokesman said
a computer glitch stopped the train at one of three braking points.  Twenty
riders walked to safety.  Four others in the front of the car were forced to
wait until firefighters arrived.  There were no injuries reported.
[*Florida Today* 29 Jan 2005, p. 8B]


Tiger triggers the car window

<Wendell Cochran <atrypa@eskimo.com>>
Sun, 30 Jan 2005 08:12:08 -0800

'A stripper mauled by a tiger in an Ontario safari park has won $650,000 in
damages ...  'Jennifer-Anne Cowles was driving through the park ... with
her boyfriend when a tiger jumped into their car and tried to drag them
away.  The two insisted their windows had been shut when the tiger charged
...  'The judge accepted the couple's testimony that the power windows had
been inadvertently lowered when one of the big cats bumped against the car.
The boyfriend was awarded $1.37 million.  [Source: Reuters item in the
*Seattle Times*, 29 Jan 2005.  The Times doesn't believe in copyediting
wire-service stories, even those from Reuters.  WC]

  We may indeed have here a computer-related risk, but another possibility
  is gullible-judge risk.


Search engine risks

<"Marcos H. Woehrmann" <marcos@panix.com>>
Tue, 1 Feb 2005 14:36:33 -0500 (EST)

Microsoft today (02/01/05) announced a new and more precise search engine
(http://www.imagine-msn.com/search/tour/moreprecise.aspx).

As part of the announcement they gave some example searches, one of which
was "What is the mass of Jupiter?".

The search.msn.com result for that search does indeed return the mass of
Jupiter: "Answer: Jupiter mass: 318 Earth masses".  But what is an "Earth
mass"?

Entering "What is the mass of Earth?" into search.msn.com produces "Answer:
World: mass: 1 Earth masses".  I suppose that answer doesn't violate the
definition of precise (though to be even more precise they could have said
"1.0000 Earth masses").  Entering "What is an Earth mass?" produces the
same, meaningless, result.

BTW, entering "What is the mass of Saturn?" into search.msn.com produces:
"Saturn: Mass: 5.69x10", which since it's missing its units doesn't seem
precise to me (and it's probably not accurate either, unless the missing
units are 10^25 kilograms).

Just to demonstrate that this isn't too hard I did the same searches on
Google, which produced more reasonable results:
  mass of Earth = 5.9742 x 10^24 kilograms
  mass of Saturn = 5.6851 x 10^26 kilograms
  mass of Jupiter = 1.8987 x 10^27 kilograms

The risk here is that if you give an example search to demonstrate your new
search engine capabilities, you should test to see if related searches work
as well.   [Or, if you pardon a pun on the ambiguity of "as well",
if they work as poorly.  PGN]

Marcos H. Woehrmann  marcos@panix.com  http://www.panix.com/~marcos


German Toll Collect - an exercise in Graph Theory

<Debora Weber-Wulff <weberwu@fhtw-berlin.de>>
Fri, 28 Jan 2005 20:35:40 +0100

The German IT magazine c't reports in its number 2/2005 on the current state
of the German Toll Collect system, which does appear to be functioning and
raking in some money, much to the glee of the politicians who are now
dreaming of exporting this technology.

A few highlights not making the daily newspapers:

* Checking trucks to make sure they paid the toll is easy if the truck has
an OBU (On Board Unit) - mobile checkers can query the box without stopping
the truck. Trucks without the OBU pass occasional bridges that photograph
the truck, recognize the license plate, calculate the truck geometry to
determine the axle count, and then check if this bit is paid for in the
central data base. There are pull-off areas that were specially built so
that offenders can be pulled off and fined on the spot.

Unfortunately, when calculating the distance between the bridge and the
pull-off area the engineers used an optimistic assumption on the time needed
for the calculations, and used the *middle* of the rest area for calculating
the distance between the bridge and the rest area. But actually, if you want
to flag down a truck you have to have someone standing a good bit before the
rest area.

Since neither moving the pull-off area nor the bridge are options, traffic
is slowed at these points to give the computers time to grind....

* The mobile checkers have a few problems of their own. Heise reports in
http://www.heise.de/newsticker/meldung/mail/55332 that the checkers use
infrared communication. They have to drive in front of the truck they are
checking and are having problems during fog and snow. The company producing
this device insists, however, that there are no problems.

* c't tried to make sense of the public database listing the autobahn
crossings and the tolls assessed. There is no obvious connection between the
numbers for the exchanges and the exchanges, some (in different parts of the
country) even have the same number. Other bits of autobahn are only listed
in one direction, not in both. Some crossings have multiple numbers, other
multiple names. They used the data to build a graph of the German autobahn
(> 2000 edges), a nice exercise for students of computing to then calculate
the shortest path between A and B. Interestingly, 23 of the edges are listed
as being 0,0 km long. Toll Collect says that these are bits of non-autobahn
that connect up isolated autobahn portions.

c't concludes that it will be difficult for a company to prove that they
have been charged the wrong toll - and in a new law rushed through in
December the government has stated exactly that - Toll Collect does not have
to prove that they charged the correct toll, but a shipper has to prove that
they were charged the wrong toll.

For those interested in the database:
  http://www.mauttabelle.de/maut.html (in German)

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, Internationale Medieninformatik,
Berlin   +49-30-5019-2320  http://www.f4.fhtw-berlin.de/people/weberwu/

  [Slight typo fixed in archive copy.  PGN]


It's a feature, not a bug! The saga of the German dole continues

<Debora Weber-Wulff <weberwu@fhtw-berlin.de>>
Sun, 23 Jan 2005 15:57:03 +0100

Germany switched to a new dole system on 1 Jan 2005 and has been coping with
problems ever since. Many people who submitted their paperwork back in
October still do not have money - because the paperwork was "misplaced".
[Maybe they were just entering in the data LIFO... --dww]. The media in
Germany are enjoying finding problems with the system, especially as the
officials are announcing it all a roaring success.

The Heise Ticker (http://www.heise.de/newsticker/meldung/55427) notes that
the "problem" of the software only counting 360 days to a year is a feature
and not a bug. According to spokespeople, it lets them figure the amount of
the dole much faster [I didn't realize that the isLeapYear routine took
*that* much time to compute.... --dww]. The Westfälischen Nachrichten
reported the computation, which is also discussed in Spiegel-online at
http://www.spiegel.de/wirtschaft/0,1518,338133,00.html will save government
about 100 million Euros a year because the payments are done according to a
daily rate. All months are now fixed at 30 days.

Other fun games: In order to keep people who just barely earn too much from
making themselves eligible for money by purchasing health insurance (which
is deductible) they are apparently paying people 1 cent a month so they can
keep their cheaper public health insurance.

The problems with the system are being collected in a database in Nürnberg
and are sent out in a non-printable PDF file to keep people from printing it
out and giving it to the press. The file has, however, grown larger than 2
MB and is now being rejected by the mail servers throughout the work payment
administration. This is the only problem that the officials will admit to in
public.

The saga will continue!

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, Internationale Medieninformatik
10313 Berlin  +49-30-5019-2320 http://www.f4.fhtw-berlin.de/people/weberwu/


Oops: 'Can Spam Act' seems to be no-can-do

<"NewsScan" <newsscan@newsscan.com>>
Tue, 01 Feb 2005 07:57:15 -0700

The Can Spam Act went into effect in January of last year, yet unsolicited
commercial e-mail on the Internet is now estimated to account for at least
80% of all e-mail sent -- a figure up from 50-60% percent of all e-mail
before the law went into effect. A number of critics of the law had argued
that it would make the spam problem worse by effectively giving bulk
advertisers permission to send junk e-mail as long as they followed certain
rules. Steve Linford, the founder of the UK-based Spamhaus Project, says the
law "legalized spamming itself." The law's chief sponsor, Senator Conrad
Burns (R- Montana) says the problem isn' t the law but the ineffective
enforcement of the law: "As we progress into the next legislative session,
I'll be working to make sure the FTC utilizes the tools now in place to
enforce the act and effectively stem the tide of this burden." Anne Mitchell
of the Institute for Spam and Internet Public Policy comments: "Most people
say it's a miserable failure, but I see it as a lawyer would see it. To
think that law enforcement agencies can make spam stop right away is
silly. There's no such thing as an instant fix in the law."  [*The New York
Times 1 Feb 2005; NewsScan Daily, 1 Feb 2005]
  http://www.nytimes.com/2005/02/01/technology/01spam.html?hp
  &ex=1107320400&en=f7486f68b21cb2cc&ei=5094&partner=homepage
http://www.nytimes.com/2005/02/01/technology/01spam.html?hp&ex=1107320400&en=f7486f68b21cb2cc&ei=5094&partner=homepage


The joys of auto-complete

<"Thom Kuhn" <tkuhn@mail.acponline.org>>
Thu, 27 Jan 2005 19:54:57 -0500

A while ago I was listening to a public affairs program on NPR. One of the
speakers was representing a trade association, and his comments really got
to me. I Googled him and sent him a somewhat venomous e-mail. A few hours
later I got an even more venomous reply. End of story? Not quite. My e-mail
address was now in his shortcut list. A few weeks later I was copied on what
was clearly meant to be an internal and confidential e-mail from this
gentleman to this colleagues.


Panix.com domain name hijacking

<Cyrus R Eyster <cyruse@MIT.EDU>>
Mon, 17 Jan 2005 16:55:09 -0500

Quoting from http://www.panix.com:

>Panix's main domain name, panix.com, was temporarily hijacked over the
>weekend by parties unknown. The false information for the panix.com
>domain was present at the top-level Internet domain servers from 04:30
>Saturday morning Jan 15 until 6 PM Sunday Jan 16 (US-EST), when the
>domain was returned to us. As a result of this attack, mail, Web
>access, and other connectivity to the panix.com domain was disrupted.

and

>Panix's main domain name, panix.com, was hijacked by parties
>unknown. The registration of the panix.com domain was moved to a
>company in Australia, the actual DNS records were moved to a company
>seemingly in the United Kingdom (but with servers in Canada and
>corporate registration in Delaware), and panix.com's mail was
>redirected to servers in Canada. None of the systems exploited to
>perform this hijacking were under Panix's control.
>
>It's not supposed to be possible to transfer a domain name from one
>registrar to another without notifying both the current registrar and
>the current domain owner, but that's what seems to have happened.
>
>As the hijacking occurred over the weekend, we had great trouble
>reaching responsible parties at the other companies involved. The
>domain was not returned to us until the beginning of the business day
>in Australia on Monday. None of the companies involved had support
>numbers that were available over the weekend, or even emergency
>contact numbers.

More info at http://www.panix.com and http://www.panix.net/hijack-faq.html


Are *you* on a list of aggressive drivers? You could be, if I say so!

<"Cohen, Dawn" <dcohen@ets.org>>
Tue, 18 Jan 2005 14:33:03 -0500

Apparently several websites have come up that allow random drivers to report
other random drivers for aggressive driving.  See a story by Charisse Jones,
USA TODAY

http://story.news.yahoo.com/news?tmpl=story&cid=710&e=35&u=/usatoday/2005011
8/pl_usatoday/websitesletdriversflagroadragers

unsafedriver.com will allow you to register for free, which entitles you to
enter reports about other cars.  However, you must pay $24.99 for the first
vehicle, and $14.99 for each additional vehicle, in order to (and these are
quotes from the web site)

 * Receive the details of the driving complaints made against your
   registered vehicles.
 * Keep the complaints made against your registered vehicles confidential
   subject to our Terms and Conditions
 * Attach a dispute to any complaints made against your registered vehicles
 * Check any plate for violations.

This sounds an awful lot like that scam that was going around a couple of
years ago...Word-of-Mouth.org, right?

I haven't dug deeply into this, but Yahoo reports that the unsafedriver.com
site was started by Lt. Mark Hafkey of the Phoenix Police Department (though
it's a "private business", not affiliated with the police department).

I have successfully registered at this site, using, let's just say sketchy
data.  I have verified that this permits me to enter a report about an
"incident".  It gives me a choice, as an incident reporter to "remain
anonymous" or "I am willing to be contacted by Law Enforcement or an
Insurance Carrier via e-mail for clarification and/or further investigation
if necessary."

This smells like a scam to me, but I'm surprised that it would be
perpetuated by a source as reputable as USA Today.  If it's not a scam, it's
an outrage.


Most identity theft occurs offline

<"NewsScan" <newsscan@newsscan.com>>
Thu, 27 Jan 2005 10:44:39 -0700

Despite growing concerns over online fraud, a new study conducted by the
Better Business Bureau and Javelin Research finds that most cases of
identity theft can be traced to a lost or stolen wallet or checkbook, rather
than vulnerable online financial data. Computer crimes make up just 12% of
all ID fraud cases in which the origin is known, and half of those are
attributed to spyware that sneaks onto computers and steals private
information.  [AP, 27 Jan 2005; NewsScan Daily, 27 Jan 2005]
  http://apnews.excite.com/article/20050127/D87SE8NO0.html


Grocery store robot scanner a royal pain

<"Mark Rockman" <mrockman@acm.org>>
Thu, 27 Jan 2005 03:57:36 -0500

The local chain grocery store recently got rid of its personnel problem by
hiring a customer-operated robot scanner.  The scanner comes with a series
of metal bridges that overarch the conveyor belt.  The store had removed the
arches from the machines because the arches prevent large items from
proceeding to the item storage area at the end of the belt.  I bought a
large, economy size package of paper towels.  It would be stopped by the
arches, were they in place.  The software "knows" about the arches and
stopped my checkout process cold while it called a store employee to
manually move the package to the end of belt, a process that had already
completed.

The robot scanner "weighs" items as they travel along the belt, a security
measure to ensure the customer placed the scanned item on the belt.  I
watched the customer in front of me try to buy the candy bar she had eaten,
while shopping, by placing the scanned wrapper on the belt.  No soap.  The
wrapper didn't weigh enough.  She tried three times to buy the candy bar.
Her solution: get another candy bar from the handy display in the checkout
aisle and buy 1, get 1 free.

The robot scanner refuses to transact business while anything is traveling
down the conveyor belt.  Its mechanical voice instructed me to "wait" while
it did its business.  I was trying to pay for my order.  A human clerk who
did that may well lose her job.

Before experience taught what the machine expects from me, I tossed items
that I had scanned onto the belt.  Sometimes this would put the item too far
along to be "weighed."  The machine refused to recognize the object,
reversed belt motion to return the item, and credited my bill.  There was no
sufficient explanation for this behavior until a human employee provided
insight.

Buying fruits and vegetables with robot is a trip.  You press a GUI button
and are presented with page upon page of photographs of fruits and
vegetables organized I don't know how.  People spend a great deal of time
trying to identify the item at hand and do not understand that some fruits
and vegetables must be weighed, at the scanning station not the belt, for
the cost to be figured.

Bagging groceries with a robot is left to the customer unless some store
employee takes pity.

You can be bagging furiously, having paid for your items, while the next
customer is sending his items to commingle with yours.

The motivation for these devices is obvious: lower cost to the low margin
store.  The introductory customer instruction was nil and remains nil.  I'm
surmise there is a certain acceptable level of loss of goods not paid for
because the machine cannot catch everything a customer might do.


American Express or Phishing?

<John Pettitt <jpp@cloudview.com>>
Tue, 01 Feb 2005 09:03:28 -0800

I just got this in my e-mail.

> Dear Cardmember,
>
> Your 2004 Year-End Summary is now ready to view online. To access your
> Year-End Summary, please log in to
> http://americanexpress.com/yearendsummary2004
> <http://www65.americanexpress.com/clicktrk/Tracking?mid=IUYES03020050201053636024433&msrc=ENG-YES&url=https://www124.americanexpress.com/cards/yes/yes_home.jsp?campaignid=Jan_email_05>.
>
> With the online version you can view charges by merchant name, date,
> or charge amount; view your spending, spending of an Additional Card,
> or everything at once; and print and save your Year-End Summary for
> future use. As a *new* feature this year, you can also use business
> and personal check boxes to sort your annual transactions.
>
> We look forward to serving you.

As far as I can tell it's real - the sites it links to have certificates
that are issued to Amex.  However there is no way to tell without clicking
the link and checking the certificate (something I teach my users not to do)
that the mail really came from Amex.  Even the message headers show it
originating from aexp.com which sounds close but then so do the best
phishing scams.

Given that a large percentage of the world now uses s/mime capable mailers
(Outlook, Outlook express, Thunderbird, Mozilla, etc.), why is it that
institutions are still sending unsigned e-mail?


Re: HTTPS .ne. secure (Epstein, RISKS-23.68)

<"Robert Ellis Smith" <ellis84@rcn.com>>
Sun, 30 Jan 2005 18:38:00 -0500

> I went to their web page, and filled out the form using name, address, SSN,

Why, why WHY is a participant in the RISKS list submitting an SSN on-line
and why is he even providing an SSN when making an address change?  We gotta
resist, this so that organizations are sensitized to the risks of using
SSNs.

Robert Ellis Smith, Publisher, Privacy Journal, PO Box 28577, Providence
RI 02908  ellis84@rcn.com  1-401/274-7861  http://www.privacyjournal.net


'Hot' URLs in e-mail (Re: PayPal contradicting..., Huckvale, R-23.68)

<"Jay R. Ashworth" <jra@baylink.com>>
Mon, 31 Jan 2005 21:44:34 -0500

In RISKS-23.68, Tim Huckvale bemoans the fact that after giving good advice
to it's clients about how to avoid phishing attacks in an e-mail it sent him,
PayPal then made the mistake of making the URL in it's message a 'hot' link.

I'm not sure which e-mail program he's using; he doesn't say.

But it's worth noting that that e-mail (and it's sender) may not be at
fault.  Some *mail programs* heat up those links 'for you'.  The RISK?
Assuming you know where the RISKS are actually *coming* from.

Mozilla's Thunderbird browser is getting anti-phishing measures even as I
type.  A bit later than I'd have liked.  But at least they're there.

Jay R. Ashworth, Designer, Ashworth & Associates, St Petersburg FL USA
http://baylink.pitas.com   +1 727 647 1274  jra@baylink.com

  [We received a slew of e-mail on this subject.  I picked just one
  thus far.  PGN]


REVIEW: "Open Source Security Tools", Tony Howlett

<Rob Slade <rslade@sprint.ca>>
Fri, 28 Jan 2005 08:01:11 -0800

BKOPSOST.RVW   20041203

"Open Source Security Tools", Tony Howlett, 2005, 0-321-19443-8,
U$49.99/C$71.99
%A   Tony Howlett tony@howlett.org
%C   One Lake St., Upper Saddle River, NJ   07458
%D   2005
%G   0-321-19443-8
%I   Prentice Hall
%O   U$49.99/C$71.99 +1-201-236-7139 fax: +1-201-236-7131
%O  http://www.amazon.com/exec/obidos/ASIN/0321194438/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0321194438/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0321194438/robsladesin03-20
%O   tl a rl 2 tc 3 ta 3 tv 2 wq 2
%P   578 p. + CD-ROM
%T   "Open Source Security Tools"

The tools listed in this book are for network security, almost without
exception.  The preface states that the book is intended primarily for
systems administrators, although security professionals may find useful
information as well.  Howlett makes an effort to include items that have
Windows versions, although only about a third do.  He has also included
tutorial materials on detailed aspects of the TCP/IP protocols that have a
bearing on the operation of security software.

Chapter one outlines the open source concept, starting with a fairly
idealized scenario, but continuing with some history, advantages (and
disadvantages), and a brief look at two of the major open source licences.
The nominal topic of chapter two is operating systems, and so it is rather
odd that most of the tools described are network utilities.  However, the
descriptions are better than are given in most reviews of software tools,
and the details are clear for all who may read them.  While chapter three
does provide a quick overview of TCP/IP and filtering, it does not cover the
full range of firewall types.  The programs listed are comprehensively
described in terms of installation and administration commands.  Port
scanning is covered in chapter four, and, again, while the programs are
explained well, other details, such as the services that would need to be
turned off to reduce the danger of open ports, are not.  Much the same can
be said about the discussion of vulnerability scanners, in chapter five.

Chapter six looks at the most widely used network sniffers.  The concepts
behind, and examples of, both network- and host-based intrusion detection
systems are given in chapter seven.  Logging and audit data can accumulate
quickly and overwhelm the administrator, so chapter eight reviews some
common tools to present, analyse, and manage the information.  Chapter nine
lists a variety of encryption tools.  Wireless tools, primarily for finding
networks, are given in chapter ten.  Forensic tools are examined in chapter
eleven, but there may not be a sufficient distinction made between the
network and data recovery tools.  Chapter twelve finishes off with some more
general discussion about open source software, and where to find it.

There are some helpful appendices: well-known TCP/IP port numbers, and a
large list of plug-ins for Nessus.

The tutorial material could have had more depth and care, but there is no
denying the value of the compilation (particularly with all the software
included on the CD).

copyright Robert M. Slade, 2004   BKOPSOST.RVW   20041203
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade

Please report problems with the web pages to the maintainer

Top