The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 89

Friday 10 June 2005

Contents

United abandons Denver Airport baggage system
PGN
More on the FBI Virtual Case File demise
Dan Eggen via PGN
Plane diverts after erroneous hijack alert
Geoff Kuenning
Self-service photo kiosk retains images, leads to prosecution
Matt Fichtenbaum
Search Engine Dependence Syndrome
PGN
Intelligence vs. Common Sense
Kevin N Haw
The Risks of HTML
William Colburn
Method discovered of cracking Bluetooth security
Pete Mellor
Messaging and Security Feature Pack for Windows Mobile 5.0
Alpha Lau
Challenge/response e-mail filtering
Atom Smasher
Wide-scale industrial espionage using Trojan horses in Israel
Gadi Evron
Bold thieves build complete ATM
James Bauman
Spammer using Yahoo service and Google's name to hide actual server
Joe Smith
Future ChoicePoint-related flaws
David B. Lewis
Re: Michigan message board says speed limit 100 mph
Bob Heuman
Zabasearch, and coverage thereof
Jay R. Ashworth
Re: MarketScore exploit
Chris Smith
Doug Burbidge
Re: "Rumplestiltskin worm" on the loose?
James W. Adams
Info on RISKS (comp.risks)

United abandons Denver Airport baggage system

<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 9 Jun 2005 14:27:05 PDT

United Airlines has decided to stop using its controversial automated
baggage-handling system at Denver International Airport, reverting to a
conventional manual system by the end of 2005.  The automated system (which
began operation in 1995) never lived up to original expectations.  It had
enormous difficulties in its early days, including construction delays, cost
overruns, lost bags, damaged luggage, derailed cars, traffic jams, upgrade
problems, political battles, and so on.  (For example, see RISKS-17.61 and
18.66).  United is apparently obligated to pay $60 million a year for
another 25 years under its lease contract with the city of Denver (which
owns the airport).  However, United expects to save $1 million a month in
operating costs by NOT using the automated system.  The airport cost $250
million to build (BAE Automated Systems of Dallas, no longer in existence),
and the city reportedly put up another $100 million for construction and
$341 million to get it to work.  [Source: AP item, 7 Jun 2005; PGN-ed]
http://msnbc.msn.com/id/8135924/

    [The system will soon be carrion!  Carry on with carry-on.  PGN]


More on the FBI Virtual Case File demise

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sun, 5 Jun 2005 18:57:18 PDT

A recent report for the House Appropriations Committee has once again put
the FBI's Virtual Case File (VCF, see RISKS-23.66) development effort under
scrutiny.  (The $170 million project was scuttled earlier this year.)  An
FBI report in 2004 had identified 400 problems with early versions, but the
contractor was never informed.  $17 million was spent on a testing program
in December 2004 even after it seemed evident that the project would have to
be scrapped.  The new report documents many "errors and misjudgments that
were made during the software project's troubled history."  [Source: an
article by Dan Eggen, FBI Pushed Ahead With Troubled Software, *The
Washington Post*, 6 June 2005; PGN-ed]

http://www.washingtonpost.com/wp-dyn/content/article/2005/06/05/AR2005060501213.html


Plane diverts after erroneous hijack alert

<Geoff Kuenning <geoff@cs.hmc.edu>>
04 Jun 2005 23:34:45 +0200

The following story:
  http://news.bbc.co.uk/go/rss/-/1/hi/uk/4607657.stm
tells of a U.S.-bound aircraft diverted to Canada (with fighter escort)
after accidentally transmitting a hijack warning.

The thing that strikes me most about the article is the following sentence:

  ...the false alarm was caused by a malfunction which meant that when the
  transponder began transmitting the 4-digit hijack code, the crew were
  unable to shut it off.

Huh?  It seems to me that "unable to shut off the alarm" is the proper
behavior for such a system.  You don't want a hijacker to hold a gun to the
pilot's head, saying "Either shut off the hijack code or I'll kill you and
crash the whole plane."  Much better to make the switch one-way and spend
the extra money and inconvenience to escort the plane to a safe landing spot
while you investigate whether there really was a hijacking or it was a false
alarm.

Sometimes the proper fail-safe response is to insist on a human decision.

Geoff Kuenning   geoff@cs.hmc.edu   http://www.cs.hmc.edu/~geoff/


Self-service photo kiosk retains images, leads to prosecution

<Matt Fichtenbaum <mattfic@rcn.com>>
Thu, 09 Jun 2005 21:17:39 -0400

*The Boston Globe* 9 Jun 2005 carries an Associated Press story about a man
in New Hampshire who had taken some risqué digital photos of his
granddaughter.  He printed them out at a Kodak self-service print kiosk at a
CVS pharmacy.  Maybe he'd attracted the attention of the clerk -- or maybe
it's normal practice -- the store manager looked at the photos *that had been
retained by the innards of the printer* and notified police.  There must
have been some more modest pictures as well, and these were shown on
national TV, leading to the girl's parents calling in and identifying the
perpetrator, who was then arrested.

Want privacy and anonymity?  Buy a printer.


Search Engine Dependence Syndrome

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 9 May 2005 15:54:20 +0100

"We have allowed concepts from information technology to enter the cognitive
consciousness of physicians without critical analysis of their impact."
Steven Merahn, MD, identifies Search Engine Dependence Syndrome as a
neuropsychological disorder:

  1. The assumption/perception that computers are "smart"
  2. The task interference associated with competing problem-solving paradigms
  3. The loss or lack of development of critical thinking skills that
     comes with prolonged reliance on IT infrastructure

http://www.cliniscience.com/objects/Cliniscience%20TEPR.pdf

  [Thanks to Lindsay Marshall for finding the 25-slide presentation from
  which this item is PGN-ed.]


Intelligence vs. Common Sense

<Kevin N Haw>
Wed, 8 Jun 2005 10:09:28 -0700

The *London Evening Standard* is reporting that the "world's biggest
computer hacker" has been arrested in London, giving us more evidence once
again that intelligence and common sense do not necessarily go hand in hand:

  The unemployed former computer engineer is accused of causing the US
  government $1 billion of damage by breaking into its most secure computers
  at the Pentagon and NASA.  He is likely to be extradited to America to
  face eight counts of computer crime in 14 states and could be jailed for
  70 years...  Friends said that he broke into the networks from his home
  computer to try to prove his theory that the US was covering up the
  existence of UFOs.

The mind simply boggles.

Full story:
http://www.thisislondon.co.uk/news/articles/19164714?source=Evening%20Standard&ct=5
Commentary:
http://it.slashdot.org/article.pl?sid=05/06/08/137249&tid=172

  [Biggest hacker?  He would perhaps have to exceed 450 pounds in weight
  to justify that claim.
  Pentagon's and NASA's most secure computers?  Wow!  Are we impressed?  PGN]


The Risks of HTML

<"Schlake (William Colburn)" <schlake@nmt.edu>>
Mon, 6 Jun 2005 08:49:45 -0600

I received e-mail from B&H Photo video about my order.  I don't use an
HTML-capable e-mail reader, and they don't send a text version.

    <td> <p><br>
        Dear WILLIAM D. COLBURN ,<br>
        <br>
        We are pleased to inform you that the following order has been
        shipped.</p>

     <!-- Comment out by YYW per bug #29992-->
     <!-- <p>PLEASE NOTE:</p>-->
     <!-- <p>You should be receiving your order shortly. </p>-->
     <!-- <p>Please review the information and verify that everything is
     correct.</p>-->

Since I hate waiting, I had ordered prompt delivery of my new possession.
Unfortunately, due to bug 29992 I will not be receiving my order shortly,
and I should not review my order to make sure that it is correct.  I hate
bug 29992.  B&H could be slowly shipping me the wrong thing, and I won't
know it until it arrives.

I'm also pretty baffled by what bug could possibly be fixed by commenting
out a textual note that my order will arrive soon and I should check what I
ordered to make sure it is correct.


Method discovered of cracking Bluetooth security

<Pete Mellor <pm@csr.city.ac.uk>>
Sat, 4 Jun 2005 11:19:41 +0100 (BST)

Avishai Wool and Yaniv Shaked of Tel Aviv University in Israel have
demonstrated a method of cracking Bluetooth security.  Every Bluetooth
device broadcasts its ID code to everything in the vicinity.  The method is
to pick up an ID code, then send a message to another device, spoofing the
ID code, and telling it that the 'link key' used for encrypting
communication has been 'forgotten'.  This forces the two devices to go
through a 'pairing' exercise to establish another link key.  (Normally this
is done only on the first occasion on which two devices communicate with
each other.)  The attacker can then eavesdrop on the messages exchanged in
the pairing session, and analyse these using software which implements the
Bluetooth algorithm.  The four-digit PIN (set on each device by the
legitimate user) can be cracked by 'brute force'.  The link key can then be
derived, and the attacker can then communicate with either device by
pretending to be the other.

Shaked and Wool will present their findings at the MobiSys conference next
Monday in Seattle.

For a more detailed description, see the on-line news item from New
Scientist magazine:

http://www.newscientist.com/article.ns?id=dn7461

Peter Mellor, Centre for Software Reliability, City University,
Northampton Square, London EC1V 0HB  +44 (0)20 7040 8422


Messaging and Security Feature Pack for Windows Mobile 5.0

<Alpha Lau <avlxyz@yahoo.com>>
Mon, 6 Jun 2005 18:46:38 -0700 (PDT)

  Local and remote device wipe. The ability to remove all information, over
  the air, and reset a device to its original state enables IT
  administrators to better manage sensitive information on a misplaced
  Windows Mobile-based device.  In addition, the administrator can choose to
  have the local memory on a device erased if the correct password is not
  entered after a designated number of attempts.
http://www.microsoft.com/presspass/press/2005/jun05/06-06SFPWindowsMobilePR.mspx

Oh sure, just wipe the device. Encryption is not an option, is it? :)


Challenge/response e-mail filtering

<Atom Smasher <atom@smasher.org>>
Tue, 10 May 2005 20:40:23 -0400 (EDT)

I recently received an e-mail challenge to a message claiming to be "From"
me. if i choose to click the link provided, my e-mail address would be added
to the recipients white-list. if i don't click the link then the message
would be deleted... or filed in a folder where no one looks... i'm not
sure...?

this allows two distinct failure modes:
  1) I ignore the challenge and a legitimate message is not delivered
  2) I acknowledge the challenge and spam is delivered, "From" me

regarding the first failure mode: when i post to a mailing list and receive
a challenge, i will always ignore it. if the recipient wants to receive mail
from the list, the list should be white-listed (not necessarily with an
obvious header, such as "To: mailing-list@example.com").

regarding the second failure mode: this particular challenge (from
earthlink) that i recently received only identified the message by the
recipient and subject line, making it difficult to determine if i sent the
message or not. i did not recognize the recipient or subject, so i had no
reason to respond to the challenge. but, if one were to acknowledge the
challenge without first determining the legitimacy of the message, 1) the
recipient will receive the spam and 2) the person who acknowledged the
challenge may ultimately be blacklisted for "sending" spam.

it is assumed that a challenge/response system such as this works because
spammers usually use invalid "From" addresses, and people would take the
time to scrutinize any challenge they receive before responding to it. i
know plenty of e-mail users who will be more than happy to click on any link
in their e-mail to ensure that someone gets "their" mail.

should the challenge include the original message? this introduces the risk
of using "From" addresses of the intended recipient and "bouncing" the spam
off of an account that generates challenges. the "sender" (as identified in
a forged From address) would then receive the spam.

this is in addition to the other flaw of challenge/response filter systems,
which is that viruses may attack an address book and/or saved messages. this
will facilitate spam that uses addresses that are likely white-listed. more
than once i have received spam "From" my wife... we live and work in a
m$ft-free home in NC, the messages originated from a cable modem in NYC. the
simplest explanation is that our names and e-mail addresses were both
participants in a message or address-book that was harvested by a virus. had
i been white-listing her name and/or e-mail address those spams would have
landed in my inbox; instead they were properly filtered and sent to my spam
folder.

another flaw that may be exploited in these automated challenge/response
systems is if mail is sent "From" evil-spammer@spammer.com and that mailbox
is read by a program that clicks every link that comes in.  variations on
this (better mousetraps, better mice, etc) would further destroy the utility
of such filtering systems (while consuming about three times the bandwidth
of normal spam).

my conclusion is that challenge/response systems, although they at first seem
like a Good Idea (tm), are no match for a good spam filter (CRM114, DSPAM,
SpamAssassin, etc). i've been enjoying >99.95% accuracy with CRM-114, and
now that i've trained it to recognize e-mail challenges as spam i'm not
bothered by them so often.


Wide-scale industrial espionage using Trojan horses in Israel

<Gadi Evron <ge@linuxbox.org>>
Sun, 29 May 2005 19:45:37 +0400

Apparently, a Trojan horse was developed for three major private
investigators' companies in Israel, and later used for industrial espionage
with some of the biggest corporations in Israel.

Apart from the technical side of this attack and the extreme wide-scale of
it, another interesting aspect is the use of social engineering.

In one description, I heard that a woman called a certain individual at one
of the companies with a business offer, and later sent him a presentation
via e-mail. When that presentation did not work, she proceeded to send him a
CD, which did not work either.

You can find an article in English detailing some of the events here:
http://www.haaretz.com/hasen/spages/581718.html

This is not the first time this happened, and not the first time we've seen
industrial espionage in IL, or private investigator companies developing
their technological and operational capabilities. I've personally been
approached about such a job twice in the past 2 years.

Interesting tidbit of data:
The perps paid 17K UK pounds per COMPUTER per MONTH.

Gadi Evron, Infosec Manager, Israeli Government Internet Security.


Bold thieves build complete ATM

<"Bauman, James" <James.Bauman@safety-kleen.com>>
Wed, 11 May 2005 09:47:12 -0400

http://www.reuters.com/newsArticle.jhtml?type=oddlyEnoughNews&storyID=8412873&src=rss/oddlyEnoughNews

Audacious thieves in Romania have constructed a complete automated teller
machine (ATM), minus the cash box, to steal the details of account holders.
Fake ATMs have appeared at apartment buildings or in areas of the capital
where there are no banks.  Usually criminals only place a fake panel over an
existing ATM, and do not construct a complete machine.  Romania's biggest
bank, Banca Comerciala Romana (BCR), said customers should only use ATMs
situated around bank branches. "Banks do not install ATMs in blocks of
flats," BCR spokesman Cornel Cojocaru said.

Jim Bauman  S-K Lotus Notes Group  847-468-3014  jbauman@safety-kleen.com


Spammer using Yahoo service and Google's name to hide actual server

<Joe Smith <Joe.Smith@instantis.com>>
Mon, 06 Jun 2005 04:06:35 -0700

I expect that many of you have received spam messages containing
"Your existing loan situation makes you eligible..." and
"If your decision is not to make use of this final offer going here...".
The URL for Request Form and opt-out look respectable, but they are not.

They are in the form of
   http://rds.yahoo.com/a=b/*-http://www.google.com_cr3am.net/del.asp
where "a=b" is about 100 characters and the "_" is another period.

Yahoo must be running some sort of redirection service on their RDS server.
It ignores everything between rds.yahoo.com/ and "*-", then issues a
redirect to what's left.  The end result is a URL pointing to a server that
was registered in China on 2005-06-02.  It's using a subdomain of
www.google.com to trap the unwary.
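As an added illustration (not part of the post above), this script unwraps a redirector URL of the shape Joe describes, dropping everything between the host and the "*-" marker, and then reports which domain the link actually lands on and whether a well-known brand name is merely embedded as a subdomain of someone else's host. The two-label registrable-domain rule and the watched-brand list are simplifying assumptions; the sample link is constructed in the post's format with a short "a=b" segment.

```python
from urllib.parse import urlsplit, unquote

# Behaviour described in the post: rds.yahoo.com ignores everything before
# "*-" in the path and redirects to whatever follows it.
REDIRECT_MARKER = "*-"
REDIRECTOR_HOST = "rds.yahoo.com"
# Brands whose names a lookalike host might embed (assumed list for the example).
WATCHED_BRANDS = ("google.com", "yahoo.com")


def unwrap_redirect(url):
    """Return the URL the redirector would send the browser to.

    URLs that are not on the redirector, or that lack the marker, come back
    unchanged, so the function can be run over every link in a message."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != REDIRECTOR_HOST:
        return url
    path = unquote(parts.path)
    idx = path.find(REDIRECT_MARKER)
    if idx == -1:
        return url
    return path[idx + len(REDIRECT_MARKER):]


def registrable_domain(host):
    """Naive registrable domain: the last two labels (assumption; a real
    implementation would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brand(host):
    """Return a watched brand whose name appears as a label run inside host
    while the host is NOT actually under that brand's domain, else None."""
    h = host.lower().rstrip(".")
    for brand in WATCHED_BRANDS:
        if h == brand or h.endswith("." + brand):
            return None  # genuinely under the brand's own domain
    for brand in WATCHED_BRANDS:
        if ("." + brand + ".") in ("." + h + "."):
            return brand  # brand name buried inside someone else's hostname
    return None


def analyse_link(url):
    """Unwrap the redirector and report where the link really goes."""
    final = unwrap_redirect(url)
    host = (urlsplit(final).hostname or "").lower()
    return {
        "redirected": final != url,
        "final_url": final,
        "final_host": host,
        "registrable_domain": registrable_domain(host) if host else "",
        "impersonates": impersonated_brand(host) if host else None,
    }


if __name__ == "__main__":
    # Constructed sample in the shape quoted in the post; the real "a=b"
    # segment was about 100 characters long.
    sample = ("http://rds.yahoo.com/SIG=abc123/EXP=xyz/*-"
              "http://www.google.com.cr3am.net/del.asp")
    print(analyse_link(sample))
```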


Future ChoicePoint-related flaws

<"David B. Lewis" <dblen@earthlink.net>>
Fri, 3 Jun 2005 14:25:35 -0400

I had occasion to contact my ISP to reset the password on an account (which
I had misremembered). But instead of resetting the password to whatever
value and giving it to me, so that I could change the password to what I
wanted, the ISP told me what the password had been!  We went through a
little back-and-forth about how they shouldn't be storing clear-text
passwords ("but the login screen is secure!")  without any impact.
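As an added example (not code from the post or the ISP), the two store classes below contrast the practice David describes, a password kept in the clear that support can read back, with the hardened form: only a salted PBKDF2 digest is stored, so a reset can never reveal the old password and instead issues a random temporary one that must be changed. The iteration count, field layout and user names are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


class PlaintextStore:
    """The pattern the post describes: the password is stored as typed, so a
    'reset' can simply read it back to whoever asks."""

    def __init__(self):
        self.db = {}

    def set_password(self, user, password):
        self.db[user] = password

    def check(self, user, password):
        return self.db.get(user) == password

    def support_reset(self, user):
        # Hands the existing secret to the support agent (and to the caller).
        return self.db[user]


class HashedStore:
    """Hardened form: only a salted PBKDF2 digest is kept, so nobody can read
    the password back; a reset issues a fresh random temporary password that
    is flagged as must-change at next login."""

    def __init__(self):
        self.db = {}  # user -> (salt, digest, must_change)

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS)

    def set_password(self, user, password, must_change=False):
        salt = os.urandom(16)  # fresh per-user salt on every change
        self.db[user] = (salt, self._digest(password, salt), must_change)

    def check(self, user, password):
        record = self.db.get(user)
        if record is None:
            return False
        salt, digest, _ = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._digest(password, salt), digest)

    def must_change(self, user):
        return self.db[user][2]

    def support_reset(self, user):
        # The old password is unrecoverable; issue a one-time temporary one.
        temp = secrets.token_urlsafe(12)
        self.set_password(user, temp, must_change=True)
        return temp

    def stored_record(self, user):
        return self.db[user]


if __name__ == "__main__":
    store = HashedStore()
    store.set_password("customer", "s3cret")
    print("temporary password issued:", store.support_reset("customer"))
```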


Re: Michigan message board says speed limit 100 mph (Waters, R 23 85)

<"R.S. Heuman" <rsh@idirect.com>>
Tue, 26 Apr 2005 21:49:25 -0400

I have to wonder if the individual controlling the message board is one of
the people living in Windsor who commute to Detroit to work, and who is more
familiar with kph, as used to the east and north of Michigan :-)

Or, as an alternative, it really said 100 kph and someone expecting the mph
misread the board. After all, when we cross the border at Sarnia/Port Huron
or Windsor/Detroit or Sault Ste. Marie/Sault Ste. Marie perhaps they are
telling us the Michigan speed limit in terms that match our speedometers
[KPH] :-)

If either of those were the case, 100 kph is 62.5 mph and the 'error' makes
more sense or was not an error but a misread of one letter. I wonder if we
will ever know...


Zabasearch, and coverage thereof (Re: Zaba, RISKS-23.87)

<"Jay R. Ashworth" <jra@baylink.com>>
Fri, 20 May 2005 11:33:33 -0400

At http://writ.news.findlaw.com/ramasastry/20050512.html it is written,
amongst other things:

> True, much information was available publicly before. But now it can be
> collected together, online, at the press of a button. One scholar,
> Professor Daniel Solove, calls such collections of data "digital
> dossiers".
>
> And there's no reason these dossiers must be limited to addresses,
> phone numbers, birth years, and property information. Digital
> footprints can be tracked - so that digital dossiers could include
> Internet activity. In theory, they could also be connected to security
> camera footage from private stores, identification photos, and much
> more.
>
> Such dossiers can be permanent, and may be instantaneously disseminated
> around the world.
>
> They can also be stolen: Collecting information on an individual, and
> making the dossier publicly accessible, risks making identity theft
> virtually undetectable. The thief who steals your wallet may not know
> your mother's maiden name, or the name of your pet - common security
> questions. But what if that information ends up in your digital
> dossier?

And, of course, the answer is "then maybe companies will stop using such
puerile choices of authenticators and get serious about security"... but
that's politically incorrect to say aloud.

So I'll say it here, instead.

While Zabasearch may have problems, that's not one of them.

The world is changing, and while there may be some risks involved in that,
we would be well served to think long and hard about what those risks are,
and where they *really* come from... instead of killing the messenger.

Peter Brin's *The Transparent Society* and Simson Garfinkel's *Database
Nation* have interesting, if opposing, takes on this issue.

Jay R. Ashworth, Ashworth & Associates, St Petersburg FL USA
http://baylink.pitas.com  +1 727 647 1274  jra@baylink.com


Re: MarketScore exploit (Emigh, RISKS-23.88)

<Chris Smith <smith@interlog.com>>
Thu, 2 Jun 2005 03:26:27 -0400 (Eastern Daylight Time)

In RISKS-23.88, Aaron Emigh includes a valuable summary of the operation of
MarketScore. However, recent changes have made this description badly out of
date. A different concern, however, is whether this is an "exploit" and an
"attack".

Although MarketScore does not tell their users precisely how the technology
works, they are quite clear about what they are doing.  Their End User
Licence Agreement (EULA) specifically states that the examined data includes
secure sessions. It's not at all clear that it is still a man-in-the-middle
*attack* if one end of the connection has agreed to the process. Like many
technologies, this one can be used for bad things. But just because this
technology is used is not sufficient to make what is done with it a bad
thing.

MarketScore appears to now use a different technology, effectively
summarized in this analysis from Cornell:

http://www.cit.cornell.edu/computer/security/marketscore/technical.html

Simply put: the proxy has been moved from MarketScore servers to the users'
own machines, and MarketScore now simply records a datastream from the
proxy. Where destination sites could formerly detect that proxied traffic
arrived from MarketScore servers, now the proxied traffic arrives from the
users' regular IP address.

Furthermore, the use of an LSP (Layered Service Provider) appears to allow
the proxy to examine the contents of secured sessions without having to
re-encrypt traffic under the special trusted certificate. If you check a
site's credentials, it will show as secured by the site's own certificate,
not by MarketScore's.


Re: MarketScore exploit (Emigh, RISKS-23.88)

<Doug Burbidge <dougburbidge@dougburbidge.com>>
Thu, 02 Jun 2005 22:15:27 +0800

They're not the only ones.  Microsoft ISA (Internet Security and
Acceleration) Server 2004 does the same thing: it allows clients to
establish a secure connection with it, and then it establishes a secure
connection with the remote site.

It does not log the content of the session (though future versions of ISA
Server may allow this).  But it does log the full URL, and HTTP headers
(such as user agent) that you would normally expect to be invisible over an
https connection.

It can perform these tricks invisibly from the client's perspective because
it is integrated with the rest of the LAN's infrastructure.  It similarly
needs a root certificate, but since this is automatically installed on the
client when it is joined to a Windows domain with a certificate server, the
added certificate is inconspicuous.

The risk here, I guess, is trusting that the people who wrote the software
have your best interests at heart.  This is not the case for MarketScore,
and is evidently not the case for end users of IE, Windows client, and ISA
proxy.

Doug Burbidge  http://www.dougburbidge.com/  dougburbidge@dougburbidge.com


Re: "Rumplestiltskin worm" on the loose? (Glass, RISKS-23.88)

<"James W. Adams" <jadams84@columbus.rr.com>>
Wed, 01 Jun 2005 02:34:43 -0400

> As I've mentioned above, there will be some people who are philosophically
> opposed to the notion of restricting Internet traffic so as to limit abuse...

Yes, I am very opposed to such a notion.  I'm sorry, but the Internet is not
your private playground.  If you have a spam problem, deal with it or buy
your own intranet.  Such "idealism" is what lets people use the Internet to
communicate.  The US FCC rules about devices which use radio frequency
transmissions having to accept any "interference" come to mind.  If some
specific agent is disrupting your operations illegally, track down their
activities, record them, and turn it over to law enforcement.  Otherwise,
just deal with the fact that the Internet is no longer a closed society, and
you may have to deal with the same sorts of mischief you would in any other
public arena, as well as a large number of people who just need to tell
grandma about junior's first bowel movement with photos attached.

I don't like the fact that the USPS promotes the delivery of junk mail to my
home, but I don't demand that we require senders of postage to pass some
sort of security interrogation.  I just recycle or dispose of the junk.  The
fact is that the fees paid to mail this junk subsidize my ability to receive
mail at my home, so I accept it as a cost of doing business or a cost of
living.

Much spam is identifiable and can be blocked by well established means.
What can't is the cost of doing business in any public venue.  Your
convenience and avoidance of risk does not constitute an entitlement to
restrict the expression or actions of others any more than you have the
right to restrict the use of public highways to yourself and your assigned
agents, or, within reason, to dictate what sorts of vehicles they may
operate, who may occupy them or where and when they may travel.

Furthermore, the argument you raise about bandwidth is largely absurd.  One
of the reasons for the collapse of WorldCom was overcapacity.

If I have a dialup feed, I likely won't appreciate someone e-mailing me a
five megabyte graphic file, but I have little right to demand that nobody do
so unless there is obvious malicious intent.  There are also workarounds
such as IMAP.
