The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 84

Monday 18 April 2005

Contents

Ch7 Australia off-air due to multiple system failures
Andrew Goodman-Jones
310,000 Lexis-Nexis records accessed by identity thieves
PGN
Polo Ralph Lauren customer database attacked
Mohl/Bray via Monty Solomon
Tufts alumni data compromised
Hiawatha Bray via Monty Solomon
BofA agent gives out personal information to finder of lost VISA card
Caskey L. Dickson
Computer-generated gibberish conference paper accepted
PGN
Vatican's prescient Web masters
Diomidis Spinellis
Bullet trains with faulty speed controls
Dennis Mullin
Michigan message board says speed limit 100 mph
Monty Solomon
Israeli system for secure e-mail with the government
Shoshannah Forbes
The risks of phone number rollover procedures
Karl Klashinsky
"War"driving a minefield?
Rob Slade
Online security with usability problems
Ed Taft
So is this a phishing attack or not?
Jim Horning
Re: Short links and phishing
Alan D. Zimmerman
Re: Times change ... problems don't
Michael Bacon
Medical errors/usability
Jim Jewett
Comcast cable daylight savings change over problem
Mark A. Biggar
Info on RISKS (comp.risks)

Ch7 Australia off-air due to multiple system failures

<"Andrew Goodman-Jones" <goodie@ozemail.com.au>>
Fri, 15 Apr 2005 14:06:47 +1000

Ch7 is one of the three national commercial TV stations in Australia.  On
the evening of 13 Apr 2005 they had a power failure and a back-up power
failure in Melbourne, the automatic cutover to an alternate broadcast center
failed, and the national phone system failed.  All national transmissions
come from a single center.  Almost a million viewers had 41 minutes of the
blank screen.  Lost ad revenues were estimated at AU$600,000.  The cause was
apparently not known.

[Source: Australia's Channel 7 loses bucks in blackout,
By Eleanor Sprawson, *The Herald Sun*, 15 Apr 2005; PGN-ed]

Because transmissions for the whole country come from the one broadcasting
centre, Seven was unable even to broadcast a message apologising for the
situation until power in Melbourne was restored at 9.50pm.

But the glitch did not result in a ratings boost for public broadcaster SBS,
with figures showing viewers preferred Seven's blank screen.

To Seven's astonishment more than 900,000 viewers stayed tuned to the
network after screens went blank 38 minutes into the nail-biting episode.
"Around a million Australians hung in there for us and we thank them for
their commitment," Seven Sydney spokesman Simon Francis said last night.

He also apologised to viewers who tried to ring Seven on Wednesday night, as
the network's national phones were down too.

Seven will re-screen the episode next Wednesday at 8.30pm, then a new
episode in the current serial killer storyline at 9.30pm.

Johnson confirmed the network "lost quite a bit" in advertising from the
shutdown. Last night Geoff Clarke, media investment director for MindShare,
estimated it had cost the network more than half a million dollars.

The shutdown meant Seven came third in the ratings on Wednesday night.


310,000 Lexis-Nexis records accessed by identity thieves

<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 14 Apr 2005 10:15:21 PDT

The saga of hacked personal information continued with a report as we go to
press that Lexis-Nexis admitted to having been victimized by the theft of
personal records of 310,000 people (10 times more than originally reported),
including SSNs and drivers' license numbers.  59 cases were discovered of
access by unauthorized persons using legitimate IDs and passwords.  64,145
of those lost records involved California residents.  [Source: David Colker
and John Spano, *Los Angeles Times*, 13 Apr 2005; PGN-ed]


Polo Ralph Lauren customer database attacked

<Monty Solomon <monty@roscom.com>>
Fri, 15 Apr 2005 22:14:59 -0400

The scope of a computer system breach at a national retailer widened on 13
Apr 2005 to involve the customers of a second major credit card firm, but
those companies refused to divulge the name of the retailer.  The existence
of the security breach first surfaced this week when HSBC North America
began notifying 180,000 of its GM MasterCard customers that their credit
card information had potentially been compromised. HSBC, which issues the GM
cards, urged each customer to replace their card as quickly as possible.
[Source: Breach in security reaches 2nd credit firm;
MasterCard, Visa refuse to identify retailer whose computer system was hit
Bruce Mohl, *The Boston Globe*, 14 Apr 2005; PGN-ed]
http://www.boston.com/business/technology/articles/2005/04/14/breach_in_security_reaches_2d_credit_firm/

A computer security breach at Polo Ralph Lauren Corp. that has recently
roiled two major credit card companies actually occurred last fall. But Polo
only made the problem public on 14 Apr 2005.  [Source: Retailer knew last
fall about security breach that recently roiled credit card companies, By
Hiawatha Bray, *The Boston Globe*, 15 Apr 2005]
http://www.boston.com/business/globe/articles/2005/04/15/retailer_knew_last_fall_about_security_breach_that_recently_roiled_credit_card_companies/


Tufts alumni data compromised

<Monty Solomon <monty@roscom.com>>
Fri, 15 Apr 2005 22:12:07 -0400

Tufts University began sending letters to 106,000 alumni, warning of
''abnormal activity" on their fund-raising computer system that contained
names, addresses, phone numbers, and, in some cases, Social Security and
credit card numbers.
[Source: Tufts warns alumni on breach; Computer attack exposed names, numbers
to theft, By Hiawatha Bray, *The Boston Globe, 12 Apr 2005; PGN-ed]
http://www.boston.com/business/technology/articles/2005/04/12/tufts_warns_alumni_on_breach/


BofA agent gives out personal information to finder of lost VISA card

<"Caskey L. Dickson" <caskey@technocage.com>>
Thu, 07 Apr 2005 14:44:01 -0700

While out shopping, my wife found a credit card dropped in the parking lot.
Since the facility was a strip-style mall there wasn't an obvious place it
could be left for the owner to pick it up.

She decided to call the 1800 number on the back of the card to find out
where she should mail or drop off the card.  What happened next was almost
surreal.

After much button pressing to get past the automated prompts (my wife didn't
want to just enter the card number because then she may hear information
like the owner's balance) she finally got in touch with an agent.  My wife
tells the agent the story of the found card and after giving only the name
on the card and the account number, the agent proceeds to tell her three
things (completely unbidden):

1) The card has not yet been reported stolen
2) The cardholder's billing address
3) The cardholder's home phone number

Combine this with *physical possession* of the card, you can see the
problem.

It was midway through item number 2 that my wife realized that the address
wasn't the address of a branch or office and she tried to stop the agent
from revealing more information.  The agent more or less insisted that this
was the best way to get the card back to the owner and when the agent was
told that she was in essence enabling identity theft, her reply "oh, that's
not a problem".

My wife elected to drop it by a branch she passed en route home.  The teller
there was at least surprised at the story of the phone agent's activity,
commenting that "she must be new".

I can only hope that it is a poorly trained phone agent, however the fact
that BofA's training program doesn't condition agents to resist giving out
personal information so easily is more than a little disturbing.


Computer-generated gibberish conference paper accepted

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 15 Apr 2005 17:12:11 PDT

Three MIT students developed a program to generate papers with more-or-less
random text based on a context-free grammar, and submitted it to the World
Multi-Conference on Systemics, Cybernetics and Informatics (WMSCI) to be
held in Orlando in July.  Not surprisingly, one of their papers, "Rooter: A
Methodology for the Typical Unification of Access Points and Redundancy",
was accepted.  The paper features such gems as: "the model for our heuristic
consists of four independent components: simulated annealing, active
networks, flexible modalities, and the study of reinforcement learning" ...
"We implemented our scatter/gather I/O server in Simula-67, augmented with
opportunistically pipelined extensions."  [According to other out-of-band
sources, this is reportedly a conference that generally accepts a paper from
every would-be author, but charges speakers to attend; perhaps no one else
attends other than those gullible speakers?]

According to CNN, the prank was reminiscent of a 1996 hoax in which New York
University physicist Alan Sokal succeeded in getting an entire paper with a
mix of truths, falsehoods, non sequiturs and otherwise meaningless
mumbo-jumbo published in the quarterly journal *Social Text*, published by
Duke University Press.

[Source: PGN-ed from a Reuters item]
  http://www.cnn.com/2005/TECH/science/04/14/mit.prank.reut/index.html


Vatican's prescient Web masters

<Diomidis Spinellis <dds@aueb.gr>>
Sat, 09 Apr 2005 10:46:39 +0400

The "Vacancy of the Apostolic See" Web page appears to have been prepared
one day BEFORE the Pope's death.

The page's <http://www.vatican.va/gpII/documents/index_en.htm>
HTML markup contains the following meta tags:

<meta name="title" content="vacancy of the Apostolic See" />
<meta name="creator" content="Vacancy of the Apostolic See" />
<meta name="subject" content="Vacancy of the Apostolic See, death of
John Paul II, Holy Father" />

<meta name="date.created" content="2005-04-01" />
<meta name="date.issued" content="2005-04-03" />
<meta name="date.expires" content="" />

Thus it appears that the web page was created on April 1st, yet the Pope's
death certificate clearly indicates that the Pope died on April 2nd.

"His Holiness John Paul II (Karol Woytyla) born in Wadovice (Crakow, Poland)
the 18th of May 1920, resident of Vatican City, expired at 9:37 on the
evening of April 2, 2005"

It is a well-known fact that journalists prepare in advance obituaries of
public figures that appear to be nearing their life's end.  See for example
the article "Quirk in British Computer Privacy Laws" (RISKS-11.63).

Nevertheless, for the Vatican's content creators to advertise the fact that
they were creating the "Vacancy of the Apostolic See" Web page while the
Pope was still alive and struggling is at the very least a sign of poor
taste; worse, the fact will now provide food to conspiracy theorists who
thrive on these details.

The risk: accurate metadata is not always appropriate.

Diomidis Spinellis - http://www.spinellis.gr


Bullet trains with faulty speed controls

<Dennis Mullin <dmullin@sentex.net>>
Sat, 26 Mar 2005 13:38:42

Bullet trains run for years with faulty speed controls
[Source: Mainichi Shimbun, Japan, 23 Mar 2005]
http://mdn.mainichi.co.jp/news/20050323p2a00m0dm013000c.html

Series 300 bullet trains have been running for years with faulty speed
control equipment, Central Japan Railway Co. (JR Tokai) officials said.

Automatic Train Control (ATC) devices that prevent Shinkansen trains from
exceeding certain speeds have been faulty on the Series 300 trains, with 52
malfunctions reported this year alone.

In one case, a train traveled at 280 kilometers per hour between
Shin-Yokohama and Odawara stations in Kanagawa Prefecture on March 3, even
though the speed limit on the line is 270 kilometers per hour.

JR Tokai says the error came from faulty software supplied by the makers of
the devices and that the glitch was not even detected during test runs.

Land, Infrastructure and Transport Ministry officials have asked JR Tokai to
provide a complete explanation of the case.

JR Tokai said one of the cases involved a Series 300 bullet train driver
being forced to reduce speed manually after the ATC on the train he was
driving on March 19 failed to work.

A check of the ATC later revealed that software supposed to detect train
speeds was not working properly. This caused the ATC to estimate the train
was traveling slower than it actually was.

JR Tokai has stopped using the faulty equipment.

  [Incidentally, Amtrak's Acela trains have been shut down for the past few
  days because of detected failures in brake discs.  PGN]


Michigan message board says speed limit 100 mph

<Monty Solomon <monty@roscom.com>>
Sun, 10 Apr 2005 02:38:42 -0400

http://www.boston.com/news/odd/articles/2005/04/08/mich_message_board_says_speed_limit_100/

Drivers on southbound Interstate 75 in Michigan saw a construction message
board that previously had been alerting drivers in Genesee County near Clio
that construction was soon to start.  One morning it said
  "speed limit 100 mph go go go."
(The speed limit in that area is 70 mph.  The sign is controlled remotely
by a subcontractor's computer.)
  [Source: AP item from *The Boston Globe*, 8 Apr 2005; PGN-ed]


Israeli system for secure e-mail with the government

<Shoshannah Forbes <xslf@xslf.com>>
Mon, 18 Apr 2005 12:32:35 +0400

Israelis to receive secure e-mail address to be used for contacts with
authorities
http://www.ynetnews.com/articles/0,7340,L-3073923,00.html

"The Social-Economic Cabinet approved Sunday a plan put forth by Finance
Minister Benjamin Netanyahu to expand Israel's *approachable Government*
program.  The government also approved the *safe deposit box* program, a
system of secure e-mail boxes that would allow government offices to send
official permits, signed forms, receipts and messages to businesses and
individuals.  [...]  At first, the system will support forms in text format
(TXT, PDF, RTF, HTML, XML), the last two without Active Script.  The `safe'
will require the recipient to send a `proof of receipt' to the sender. Each
sent message will be coded to identify the sender, to allow the recipient to
forward the message to a third party, and an expiry date.  [...]  In order
to use the system, individuals and businesses will be required to obtain a
smart card, a card reader (estimated cost: NIS 55 or about USD 12), and to
register an electronic signature (approximately NIS 20 or about USD 4.5)."

In addition to all the usual RISKS such a scheme brings up, I should note
that to this date, the bill paying website (http://www.mybill.co.il) works
only with Win/IE, so I won't be surprised if the above setup will also be
Win/IE only.

Shoshannah Forbes  http://www.xslf.com

  [... and that it might therefore be subject to exploitation of Winflaws.
  PGN]


The risks of phone number rollover procedures

<Karl Klashinsky <klash@cisco.com>>
Fri, 15 Apr 2005 16:26:43 -0700

A story on the Canadian Broadcasting Corp's web site, from Saint John,
New Brunswick:

A federal government toll-free phone line to encourage safe boating is
directing callers in New Brunswick to a phone-sex offer instead.
http://www.cbc.ca/story/canada/national/2005/04/14/boating-sex-mixup050414.html

The article implies that an internal Canadian government re-organization
resulted in a toll-free number being returned to a pool of available
toll-free numbers, and the number was then probably picked up four months
later by a phone-sex line (again, this is implied by the article above, but
not stated as fact).

The risk here is that the "recycle" process does not appear to check that
the prior use of a toll-free number doesn't conflict in some social/moral
way with the new user's intended use of the number.

Oh, well, it could have been worse... at least the number wasn't previously
used for Mattel's "Barbie" hotline.

Semi-related anecdote... our local telephone supplier provides a service
whereby we get a tool-free number for my residential phone, with a single
(cheap) rate for callers from anywhere in North America.  Useful when me or
other members of my family are traveling, and even for friends to use to
call.

The snag... our toll-free number is one-digit off from the toll-free support
number for one of the largest Cable/Internet/Phone service providers in the
USA.  As a result, I typically get one or two calls a week from customers of
the service provider... since they are typically looking for support, they
are often a big grumpy.  When told "this isn't Company X's support line",
some callers berate me, accusing me of trying to dodge their call (it's
obviously not their first call to the support line).


"War"driving a minefield?

<Rob Slade <rslade@sprint.ca>>
Wed, 13 Apr 2005 11:15:18 -0800

*The Register* reports that the US is deploying newly developed wireless
LAN- enabled mines, supposedly code-named Matrix:

http://www.theregister.co.uk/2005/04/12/laptop_triggered_landmine/

(Any comments about "minefield" testing a new technology?)

With the US being one of the few holdouts against the ban on landmines,
there are predictable concerns about the danger the new mines hold for
civilian populations.  However, there would also seem to be any number of
potential dangers to the troops using them.

There are very few details provided in regard to the new mines.  There
appear to be different types.  They have some kind of wireless capability.
They have remote detonation capability.

Based upon what is said, we can determine some additional aspects of the
technology, as well as surmise more.  They likely communicate via radio
frequencies.  They will have some kind of (likely minimal) software for
reception of signal, authentication, and activation.  (Deactivation is
likely accomplished by activating the mine when [hopefully] nobody is
around.)  The mines are probably individually addressable: blowing an entire
minefield for a single intrusion would not seem to be an effective use of
resources.  Radio communication would imply that either the mines are
battery powered, or that they contain an antenna and transponder.  Given the
purpose and use of mines, it is likely that there is an alternate and more
standard triggering mechanism such as pressure plates or tripwires that does
not require wireless activation.

There are, of course, other more advanced possibilities for such a
technology.  Mines could be remotely enabled and disabled, could communicate
with each other, or could communicate sensor results with a central
location.  However, these functions are unlikely in a first generation
device.

The potential risks are numerous.  With radio communications mines that are
buried, or placed under or behind metal or water, may fail to detonate when
needed, or deactivate.  Any kind of software is, of course subject to
failures (which, in this case, could be literally catastrophic).
Authentication would be a fairly major issue: sniffing of radio traffic
could easily determine commands, replay attacks, static passwords, or number
sequences.  (Note that the mines require "minimal training" for use.)
Failure of authentication could, again, result in failure of either
detonation or deactivation.  Battery failure would be an issue and therefore
transponders are more likely, but transponders would be more difficult to
troubleshoot.  (Should the transponders retransmit?  That would assist with
finding and disarming mines, but broadcasting a signal with known improper
authentication would result in a means of determining the location of
mines.)

Overall, mines still seem to be a pretty bad idea.

rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


Online security with usability problems

<Ed Taft <taft@adobe.com>>
Tue, 12 Apr 2005 16:43:37 -0700

I recently received "The E*TRADE Complete Security System" for controlling
access to my online E*TRADE account. It introduces two-factor authentication
to the login process, requiring both something I know (my password) and
something I have (a keyfob device). While this seems like a very good idea
on the surface, the implementation leaves something to be desired from a
usability standpoint.

The keyfob device, which carries E*TRADE and RSA logos, has a 6-digit
display that changes once per minute. In order to login, I need to present
my username and a password consisting of my regular fixed password appended
with the currently displayed 6-digit number.

While this appears to have good security, some potential deficiencies come
to mind --

* It requires more typing than the old scheme, including an unfamiliar
sequence of characters that changes every time. A better arrangement would
be for the keyfob to have a USB connector that I plug into my computer to
prove that I have the keyfob.

* If multiple service providers adopt this scheme, I'll need a pocket full
of keyfobs. A better arrangement would be one keyfob that can hold
credentials for logging into multiple sites.

* The scheme seems to depend on the keyfob and the server to have
synchronized clocks. What happens if the keyfob's battery dies or the
server's clock becomes misadjusted, as appears to occur with some
regularity?

* What if I need to login when I don't have the keyfob? There is a phone
number I can call to obtain temporary-access instructions, assuming that I
can convince the agent that I am the legitimate owner of the account. This
seems like a potential weak link in the scheme.

Fortunately, use of this security system is optional. The RISK is that
nobody will use this scheme because it is too inconvenient.


So is this a phishing attack or not?

<"Horning, Jim" <Jim_Horning@McAfee.com>>
Fri, 1 Apr 2005 14:35:37 -0800

I really have no way to be sure.

Given that ACM is still sending me invitations to log in to my email
spam-filtering service almost daily, it seems plausible that this message
inviting risky behavior was actually sent on behalf of ACM.  But how can I
verify that, short of communicating directly with you?

Either way, sending it on April Fools Day is a nice ironic touch.

Jim H.
http://horning.blogspot.com/2005/03/phishing-report-through-february.html

  -----Original Message-----
  From: Election Services Corporation
  [mailto:acmsighelp@electionservicescorp.com]
  Sent: Friday, April 01, 2005 1:59 PM
  To: Horning, Jim
  Subject: ACM SIG 2005 Election
  Importance: High

  Dear James Horning:

  ACM is pleased to offer its Special Interest Group (SIG) members the
  opportunity to vote by the Internet in the 2005 Election.

  You are encouraged to participate in this election. Please note that 12:00
  noon Eastern Time, June 15, 2005 is the deadline for submitting your vote.
  It is important that the voice of ALL members be heard.

  To vote electronically, please go to:  https://www.escvote.com/acmsig

  You will need your 7-digit ACM/SIG Member Number to log in to the secure
  voting site. If you do not know your membership number, please go to
  https://campus.acm.org/public/accounts/Forgot.cfm
  For additional help, please visit the help screen on the log-in page by
  clicking on the "Help" button.

  Enter your 7-digit ACM/SIG Member Number to reach the menu of active SIG
  elections that you are eligible to vote in.

  In the on-line menu, select the Special Interest Group seen below.

  Enter the 10-digit unique PIN seen below.

  Follow the on-line voting instructions.

  Special Interest Group: [obscured]

  Your Unique PIN is: [obscured]

  If you have any questions or would like to request a paper ballot, please
  e-mail acmsighelp@electionservicescorp.com or call toll-free
  1-866-720-4357.

  Thank you for taking the time to submit your vote electronically.

  Association for Computing Machinery

    [Jim CC:ed John White <white@hq.acm.org>, who responded:
    Yes, this message was/is legit.  The spam-filtering message is changing
    shortly.  Obviously, we have more work to do.]


Re: Short links and phishing (Pryor, RISKS-23.83)

<"Zimmerman, Alan D." <alan.zimmerman@gd-ais.com>>
Thu, 7 Apr 2005 10:01:01 -0500

In RISKS-23.83, Louise Pryor included a link to the Barclays ATM story that
was "shortened" through makeashorterlink.com.  Ironically, the article
immediately before was about phishers becoming more sophisticated.
Acceptance of techniques and services like this are only giving phishers
more ammunition.


Re: Times change ... problems don't (RISKS-23.82,83)

<"Michael \(Streaky\) Bacon" <himself@streaky-bacon.co.uk>>
Thu, 7 Apr 2005 08:29:40 +0100

Louise Pryor's remarks (Times change ... problems don't (RISKS-23.82)
RISKS-23.83) about human intervention in the bi-annual time change process,
reminded me of my early days when the change was effected by an engineer
burrowing inside a cabinet searching for the right switch on the right
circuit board.  The Leap Year change involved calculating new values for a
resistor bank and resoldering!


Medical errors/usability

<Jim Jewett <jimjjewett@gmail.com>>
Fri, 15 Apr 2005 11:20:51 -0400

There was a recent discussion of medical errors, and whether to blame the
computer.  Most errors are the sort that happened even before computers.
Did the computer really cause a problem, or did it only make them easier to
track?

Jakob Nielsen's latest column explains how the interface may actually make
the errors more common.  For example:

Doctors could always prescribe the wrong dosage, but it happens more often
if an incorrect default is offered.
There could always be confusion about when "tomorrow" starts if an order is
written at 2:00 am, but humans were likely to understand the intent if they
were on the same shift, or coming in to "the morning's orders".  After
computer entry, it starts to look more like an arbitrary date.

http://www.useit.com/alertbox/20050411.html


Comcast cable daylight savings change over problem

<"Mark A. Biggar" <mark@floorboard.com>>
Wed, 13 Apr 2005 22:24:16 -0700

Comcast cable in Sunnyvale CA, seems to have had some problems with the
recent daylight savings change over.  The time on my cable box was not
adjusted forward 1 hour until around 11:30 Sunday morning, and until then
the on-box channel guide was showing the wrong times for all programs, For
example it was showing programs usually showing at 8AM as being on at 7AM.
This appears to have happened due to lack of testing beforehand.  The only
adverse effect on me was that it caused me to be late for church as my cable
box is the only clock I have in my living room.  This is what I deserve for
depending on a clock I can't set myself.

Please report problems with the web pages to the maintainer

Top