The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 92

Wednesday 29 June 2005


Single Point of Failure paralyzes Swiss Railsystem for 3 hours
Debora Weber-Wulff
Anthony Thorn
The continuing saga of the German unemployment scheme Hartz IV
Debora Weber-Wulff
New Heathrow Connect Trains - Now Can't Even Connect!
S Byers
Flaw Is Found in Software Used to Accredit Hospitals
Milt Freudenheim via Monty Solomon
Robot runs riot at California hospital
Thom Kuhn
Frozen Windows in Delivery Room
Charles Palmer
Re: New Zealand Outage Shut Down Stock Exchange
Russell Smiley
One Week to Shattered Security: Lessons from the Sony PSP Exploit
Lauren Weinstein
Encryption Illegal in Minnesota
James R. Cottrell Jr.
U.K. firm boasts totally "hacker proof" ID card system
Ben Tudor via Declan McCullagh
CVS limits ExtraCare info access
Marion Davis via Monty Solomon
Yahoo Filters Phish
B Brown
Re: "Rumplestiltskin worm" on the loose?
Crispin Cowan
Breach tracking
Adam Shostack
REVIEW: "Spies Among Us", Ira Winkler
Rob Slade
Info on RISKS (comp.risks)

Single Point of Failure paralyzes Swiss Railsystem for 3 hours

<Debora Weber-Wulff <>>
Thu, 23 Jun 2005 20:56:34 +0200

On 22 Jun 2005 at 5.08pm, a power short occurred between Amsteg (Canton Uri)
and Rotkreuz (Canton Zug, which in German means "train") on the Swiss train
line.  The SBB (Schweizerischen Bundesbahnen) operated their own power
lines, and this short circuit caused a sharp drop in voltage, which quickly
spread throughout the ENTIRE country of Switzerland.

Trains were stalled in the middle of nowhere, with no air conditioning in
the heat of the summer. Some train doors could not be opened. More than
200,000 passengers were affected. It took about two hours to get everyone
out of the trains. SBB used busses to transport stranded passengers and
diesel locomotives to drag trains to the nearest station.

It took two more hours before enough power was restored in order for the
trains to begin moving. But the efficient Swiss worked all night moving
trains so that everything moved rather smoothly the next day.

There were allegedly no computers involved, but the single point of failure
was a vivid illustration of many RISKS concepts, not the least of which is:
don't throw out those diesel locomotives yet!

Debora Weber-Wulff, FHTW Berlin, FB 4, Intern.Medieninf. Treskowallee 8,
10313 Berlin +49-30-5019-2320

Single Point of Failure paralyzes Swiss Railsystem for 3 hours

<Anthony Thorn <>>
Thu, 23 Jun 2005 09:54:23 +0200

[...]  My concern --and arguably the risk-- is the impact of such an
incident on passenger trains in the new Gotthard "base"-tunnel which will
open in 2011.  This will be 57 km (35 miles) long and run at depths up to
2000 meters (7000 feet) which means that the tunnel temperature will exceed
45 C (113 F).  If a train is stopped in the tunnel a very rapid response
would be required to avoid a catastrophe.

The continuing saga of the German unemployment scheme Hartz IV

<Debora Weber-Wulff <>>
Sat, 25 Jun 2005 13:16:22 +0200

In our previous installments (RISKS-23.53 and 23.60), we heard about
problems with the new German combined unemployment and social fee scheme.

Because of so much public unrest about the scheme, the parliament decided to
pass new rules permitting people to earn a little bit more money each month
before the entitlement is cut off. Just a small program change, one would
think, and with time until 1 Oct 2005 it should be no problem.

The *Berliner Zeitung* reported on 25 Jun that the program change will not
be finished until early 2006. The new rules are too complicated for the
software authors, T-Systems, it seems:

* Everyone can earn 100 Euros a month additionally without penalty.
* If you earn up to 800 Euros you can keep 20%.
* If you earn more, you get to keep 10% of what you earn above that, until
  your earnings reach the point where you no longer get the social fee.

About 700,000 people are affected, and the administrative workers will have
to do the calculations by hand until the software is finished - meaning they
have no time to advise people on strategies for finding work.

Maybe I am being naive, but how difficult is it to set up a new table
"Earnings" with (Pnr, date, earnings) and fix the method
"calculate_entitlement" to consult this table? There needs to be a screen
for entering the data and recording who entered it and when.

This takes a large company > 6 months to fix?
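
A sketch of what the post proposes, as an added example that is not code from the post or from T-Systems: an append-only "Earnings" table with the (Pnr, date, earnings) columns plus who entered each figure and when, and a `calculate_entitlement` that applies the tiered rule as the post states it. Everything not in the post is an assumption made here: that the 20% applies to the slice of earnings between 100 and 800 EUR and the 10% to the slice above 800 EUR, that amounts are rounded to cents, that the benefit simply reaches zero once the counted earnings equal the base amount (the "point where you no longer get the social fee"), and the base amount of 345 EUR used in the demonstration, which is a constructed figure.

```python
# Added example, not code from the RISKS post or from T-Systems: the "Earnings"
# table the post proposes, with a record of who entered each figure and when,
# and a calculate_entitlement() that applies the tiered rule as the post states
# it. Assumptions made here: the 20% applies to the slice of earnings between
# 100 and 800 EUR and the 10% to the slice above 800 EUR, amounts are rounded
# to cents, and the benefit reaches zero once the counted earnings equal the
# base amount. The base amount itself is not in the post and is passed in.
from dataclasses import dataclass
from datetime import datetime, timezone

FREE_ALLOWANCE = 100.0   # first 100 EUR of monthly earnings kept in full
LOWER_BAND_TOP = 800.0   # the post's "up to 800 Euros" band
LOWER_BAND_KEEP = 0.20   # share kept within that band
UPPER_BAND_KEEP = 0.10   # share kept above it


@dataclass(frozen=True)
class EarningsRecord:
    pnr: str              # person number, as in the post's (Pnr, date, earnings)
    month: str            # "YYYY-MM" the earnings belong to
    earnings: float       # gross earnings in EUR
    entered_by: str       # who entered the figure ...
    entered_at: datetime  # ... and when: the audit trail the post asks for


class EarningsTable:
    """Append-only: a correction is a new row, so every entry stays traceable."""

    def __init__(self):
        self._rows = []

    def enter(self, pnr, month, earnings, entered_by, now=None):
        if earnings < 0:
            raise ValueError("earnings cannot be negative")
        row = EarningsRecord(pnr, month, float(earnings), entered_by,
                             now or datetime.now(timezone.utc))
        self._rows.append(row)
        return row

    def history_for(self, pnr, month):
        return [r for r in self._rows if r.pnr == pnr and r.month == month]

    def latest_for(self, pnr, month):
        rows = self.history_for(pnr, month)
        return rows[-1] if rows else None


def retained_earnings(earnings):
    """Part of the gross monthly earnings the claimant keeps (assumed reading)."""
    if earnings <= FREE_ALLOWANCE:
        return round(earnings, 2)
    kept = FREE_ALLOWANCE
    kept += (min(earnings, LOWER_BAND_TOP) - FREE_ALLOWANCE) * LOWER_BAND_KEEP
    if earnings > LOWER_BAND_TOP:
        kept += (earnings - LOWER_BAND_TOP) * UPPER_BAND_KEEP
    return round(kept, 2)


def calculate_entitlement(base_entitlement, table, pnr, month):
    """Benefit for the month: the base amount less the earnings that count
    against it, never below zero."""
    row = table.latest_for(pnr, month)
    earnings = row.earnings if row else 0.0
    counted = earnings - retained_earnings(earnings)
    return round(max(0.0, base_entitlement - counted), 2)


if __name__ == "__main__":
    table = EarningsTable()
    table.enter("P-0001", "2005-10", 500, "clerk-7")     # constructed figures;
    print(calculate_entitlement(345.0, table, "P-0001", "2005-10"))   # 25.0
    table.enter("P-0001", "2005-10", 1000, "clerk-12")   # a later correction
    print(calculate_entitlement(345.0, table, "P-0001", "2005-10"))   # 0.0
    print(len(table.history_for("P-0001", "2005-10")), "rows kept for audit")
```

Corrections are never applied in place: the newer row wins for the calculation, and the earlier row, with its `entered_by` and `entered_at`, stays on file, which is the accountability the post's "who entered it and when" screen is meant to give.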

New Heathrow Connect Trains - Now Can't Even Connect!

<"SB" <>>
23 Jun 2005 03:56:57 -0700

The new trains whilst widely advertised as 'Heathrow Connect' (in the local
press, on the HC website, etc.) have now stopped connecting to Heathrow
altogether!!  Passengers are now being advised to detrain at Hayes &
Harlington - the local stop before - and catch a 140 bus to the
Airport. This only costs an additional 1.20 (pounds) rather than the 6
(pounds) - but entails negotiating a steep flight of steps - not easy with
heavy luggage and no station staff to help.

The reason for this curtailment is a signal fault - apparently when the
trains reach Heathrow the signalling system there won't change aspect to
let them back out again!!

Also the Heathrow Connect trains use the two local slow tracks in order to
stop at local stations. The other two tracks (there are four in total) are
for high-speed Intercity services. In order to swing off the local tracks
into/out of the Airport Branch the Connect Trains have to cross over the
Intercity tracks. This means stopping all other trains to allow them to do
so. This is playing havoc with the timekeeping for all of the other services
using this very busy route.

The Risks:

* Didn't the planners realise the operational (and safety) problems of
local trains crossing Intercity tracks every 30 minutes and thereby
holding up high speed (100 mph) trains?

* For a multi-million pound prestige project shouldn't there have been
something called 'UAT' (user acceptance testing)?

* Actually shouldn't there have been something called 'testing' prior to
launching such a high profile service?

* The other problem is that the young staff checking tickets, whilst ensuring
that bona-fide passengers have paid, are starting to get bullied by the local
feral youths who, on the late evening trains, are damned if they are going to
pay whatever.

* Meanwhile the many computerised on-board inane announcements are beginning
to grate for regular passengers and are still frequently wrong - and they
can't even be changed to omit 'Heathrow' from the current list of

Flaw Is Found in Software Used to Accredit Hospitals

<Monty Solomon <>>
Sat, 25 Jun 2005 02:29:17 -0400

Joint Commission Resources, a unit of the Joint Commission on Accreditation
of Healthcare Organizations that enforces quality standards for hospitals,
found a flaw in software that it had sold to more than 1,000 hospitals and
that helps them qualify for accreditation and payments from Medicare.  The
problem was a missing identification marker that alerts a hospital to the 250
standards among the 1,300 that the commission and its auditors regard as
essential.
[Source: Milt Freudenheim, *The New York Times*, 24 Jun 2005; PGN-ed]

Robot runs riot at California hospital

<"Thom Kuhn" <>>
Sat, 25 Jun 2005 11:47:22 -0400

Staff and patients at San Francisco's UCSF Medical Center were left fearful
and shaken last week, when a robotic nurse threw off its shackles and went
on the rampage.

Thomson Kuhn, American College of Physicians

Frozen Windows in Delivery Room

<Charles Palmer <>>
Thu, 23 Jun 2005 23:10:10 -0400

As my dear laboring spouse was rolled into the O.R. to deliver twin boys
last month, all of the machines in the room were happily humming along,
including several displaying a far too familiar screensaver.  One of the
attending physicians ordered "a quick ultrasound" to ensure things were
indeed as they should be. The nurse turned to one of the machines with
little windows flitting about on the screen.  Just as she moved the mouse to
wake up the machine, the flitting stopped and the machine was no more.  All
fifteen people in the room, including the soon-to-be mommy of plummeting
patience, then waited for the nurse to power-cycle the machine and await its

While this turned out not to be a life and death situation, it very well
could have been, especially with a multiple birth.  In addition to checking
the background of physicians, do we now have to check what software they're

PS: the twins Bennet and Bryan, while premature, are gonna be ok over time.

Charles C. Palmer, IBM Research

Re: New Zealand Outage Shut Down Stock Exchange

<"Russell Smiley" <>>
Wed, 22 Jun 2005 15:03:11 -0400

*The New Zealand Herald* 20 Jun 2005 had this explanation for the
telecommunications failure noted in RISKS-23.91:

  A fibre "ring" exists between Auckland and Wellington running up the east
  and west sides of the North Island.  In theory at least if one cable fails
  the other can continue at reduced capacity. Apparently in this case they
  lost both cables - one to a contractor digging and the other possibly to a

One Week to Shattered Security: Lessons from the Sony PSP Exploit

<Lauren Weinstein <>>
Wed, 22 Jun 2005 08:39:44 -0700

Greetings.  It only took around a week for the exploit to evolve from
unwieldy but powerful hack, to user-friendly production program, but the
"signed-code" security system of the Sony PSP Portable running 1.5 firmware,
designed to prevent the execution of pirated or other "unofficial"
(e.g. homebrew) code, appears to have been obliterated.

I note in:
  "The Camel Fully Enters the Tent?":
  ( )
that only about seven days after the release on the Internet of an exploit
permitting running of unsigned code via an "impractical for routine use"
memory-stick swapping technique, rumors were already circulating that a
program eliminating the stick swap was about to be released.

This appeared on schedule this morning, meaning that for all practical
purposes the widely available U.S. version of the Sony PSP with 1.5 firmware
is now as fully exploitable as the original limited-quantity Japanese-market
1.0 firmware units.

As mentioned in the referenced link above, Sony will attempt to minimize the
damage from these events.  But any path they choose is strewn with potential
pitfalls.  Newer firmware versions in shipped units may prove to be more
difficult or impossible to hack through non-hardware-invasive techniques.
But forcing firmware upgrades with new game releases may have the effect of
actually suppressing purchases of legitimate copies of games, and encourage
the use of pirated copies that won't trigger the firmware updates and the
likely loss of the ability to run unofficial, homebrew programs.

In an ever more pervasively Internet-connected world, it appears
increasingly likely that any error -- any opening -- in the implementation
of a security system for a "desirable target" will be quickly exploited and
that exploit widely distributed -- and probably much more rapidly than the
designers of the system would imagine in their worst nightmares.  This is a
security vulnerability "sea change" that we really haven't come to grips
with either as technologists or as businesses, and it goes far beyond the
running of programs on a portable gaming device.

There's a key question that we need to explore.  Given this new environment,
to what extent do "closed" systems still make sense?  The answers will vary
between applications and situations, but it clearly is foolhardy in the
extreme to simply assume that security paradigms, even those based on the
most advanced encryption and signature models, will long remain invulnerable
to successful attacks.  These penetrations will range from those initiated
by persons who are simply intellectually curious without evil or financial
motivations, to individuals who may have very dark intentions indeed.

Something to think about.

Lauren Weinstein, +1 (818) 225-2800
Co-Founder, PFIR People For Internet Responsibility
Co-Founder, EEPI Electronic Entertainment Policy Initiative
Moderator, PRIVACY Forum -
Lauren's Blog: DayThink:

Encryption Illegal in Minnesota

<"James R. Cottrell Jr." <>>
Wed, 22 Jun 2005 13:03:47 -0400

Well the state of Minnesota had better start renting rooms in the prisons of
other states, since the Minnesota State Web site supports encryption.  About
the third URL I tried after accessing the web site showed a secure URL.

Unless they have set up these computers in a different state or country that
allows the use of encryption!  If that is the case, maybe the FBI would like
to get involved since they would have crossed state lines to avoid

U.K. firm boasts totally "hacker proof" ID card system [Politech]

<Declan McCullagh <>>
Wed, 29 Jun 2005 01:10:26 -0400

  [O UK ID?  O U KID!  Who U KIDding?  PGN]

-------- Original Message --------
Date: Tue, 28 Jun 2005 20:05:49 +0100
From: Ben Tudor <>
Subject: Oh dear - Don't worry about UK ID card insecurity - here's a
         totally 'hacker proof' system

This press release makes an IT journo's job look rather like shooting fin
tuna in a barrel. Using cluster bombs.  There are so many holes in the
argument presented in this press release that I almost don't know where to
start.  Now that I know a company has been working on 'hush-hush software',
of course, all my concerns about national ID cards have simply sloughed
away.  Cheers, Ben

Ben Tudor, Features Editor, Computer Reseller News

Subject:  Biometric ID Card breakthrough
PRESS RELEASE, June 29th 2005

Further information: 02476 236644

Press Office: John Fisher - 01785 840978
M: 07808 171 664

Biometric Innovation Breakthrough answers UK ID Card Security Fears

A biometric identity card system that is hacker and thief-proof and puts
the missing privacy and security into the UK ID project - has been unveiled
today (Wednesday).

The British inventors of the BiometricPIN system say the system can be used
in the new UK ID cards, overcoming all security fears and objections and
putting control on the use of biometrics in the hands of the user. Instead
of using a single, easily lifted or stolen fingerprint, BiometricPIN will
allow any sequence of finger prints determined by the user. No one has been
able to achieve this so far and the implications will be global as spin-off
projects emerge.

The sequence creates a digital pattern that can only be recreated by the
user. When it is stored on a Government or central database it simply
becomes an unidentifiable "blob" that cannot be stolen.

Behind the world-first breakthrough is West Midlands biometric company,
Senselect Limited, which has been working on the hush-hush software-based
system for five years. John Topping, Managing Director of Senselect, said
BiometricPIN would have implications for everyday life across the world,
but the company has concentrated so far on the ID card security problem and
the "big brother" fears it instills in people.

"This is totally secure, fast and 'hacker-proof'," said Mr Topping. "The
sequence simply cannot be replicated by anyone other than by the user. It
also allows the user to determine just how much information others can see
about them. A doctor, for example, could be restricted to medical history
whilst a bartender will only get confirmation that the customer is over

With BiometricPIN there will be no "big brother", said John Topping and
identities stored on Government databases are safe from theft. With single
finger biometrics everyone has a right to be scared because, while you can
change a pin number if you are compromised, fingerprints are for life.

Biometrics using single fingerprints as an identifier have been used for
some years, and despite them being capable of being "lifted", their use has
grown. Their use in government ID cards - even with the backup of iris and
facial biometrics - is considered a step backwards by many.

"With BiometricPIN there would be total security as the pattern decided on
uniquely by the user cannot be lifted from a single finger reader or hacked
from a database", said John Topping. "BiometricPIN produces a unique
biometric print that just cannot be copied. It also needs live fingers."

Mr Topping said BiometricPIN would solve a huge worldwide problem. Anyone
concerned that their ID could be copied can rest assured that this will
allay all their fears. Protecting people's ID is already written into our
law but with BiometricPIN it will be in the hands of the user. Senselect
says BiometricPIN, because it is software-based, can be used in conjunction
with all existing technology, along with iris and facial biometric systems.

The company says it already has several European governments interested in
implementing BiometricPIN and Senselect has produced a set of security
standards for cross border biometric identification. This is now being
considered by the European Union for adoption.

Added John Topping: "We believe we have solved a huge problem for the world
and are ready to share our knowledge. This is the biggest breakthrough in
computer technology for many years and will have a huge impact on everyday
commerce as further applications for BiometricPIN emerge".

Senselect Limited, Coventry University Technology Park, The Innovation Centre
Puma Way, Coventry, UK, CV1 2TT

For further information, please reply to

CVS limits ExtraCare info access (Marion Davis)

<Monty Solomon <>>
Wed, 29 Jun 2005 03:49:02 -0400

Marion Davis, pbn, 22 Jun 2005

The CVS Corp. has cut off Web access to ExtraCare card holders' detailed
purchase information after a consumer group showed reporters how easily an
intruder could log into the system and find out, say, how many condoms or
enema kits someone's bought.  CVS has issued about 50 million of the loyalty
cards, which allow the drugstore chain to track each customer's purchases
and, in exchange, provide a 2-percent rebate on those purchases, along with
customized coupons.  To log into your account on, all you need is
the card number, your ZIP code, and the first three letters of your surname.
Even now, anyone with that information can easily find out the card holder's
home address, phone number, and total purchases each quarter.  But until
last week, the Web site also allowed customers to request a detailed
purchase report to be e-mailed to them - to any address they put in.  ...

Yahoo Filters Phish

Wed, 29 Jun 2005 10:43:29 -0400

I take phishing scams a little more seriously than other spam, and often
spend a few minutes directing complaints to the right places.  A phishing
e-mail this week used a link in a domain registered using Yahoo's domain
registration.  Pinging the domain name revealed an IP number that ARIN says
is Yahoo's.  So, I sent off a copy of the message with full headers
etc. etc. to  It was rejected by Yahoo's spam filter
because, so the bounce said, it was a phishing e-mail.  Well, duhhh!

Undeterred, I sent another message to, explaining that I had
received a phish that pointed to one of their machines and provided the URL
of a page that imitates an on-line payment service.  It got an auto-response
that told me I needed to send the full message, including headers.

No doubt Yahoo will be shocked, *shocked*! when a TV station or law
enforcement agency reveals that Yahoo's Web hosting service is being
employed to run scams, just as they were when a television station reported
last week that their user-created chat rooms were being used to attempt to
lure children into having sex with adults.
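
The bounce described above is the usual outcome when a phish is pasted or forwarded inline into a report: the abuse mailbox's own content filter sees a phish. What follows is an added example, not code from the post, that packages the complete original message, headers included, as a message/rfc822 attachment, which is the form abuse desks generally ask for and the form the Abuse Reporting Format (RFC 5965) uses. The phishing message is constructed for the demonstration, and the reporter and abuse addresses are placeholders.

```python
# Added example, not from the RISKS post: an abuse report that carries the whole
# phishing message, headers included, as an attached message/rfc822 part rather
# than as quoted text in the body. The phish below is constructed for the
# demonstration and the addresses are placeholders.
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample phish; the Received header names the hosting address.
SAMPLE_PHISH = """\
Received: from mail.example.invalid (192.0.2.10) by mx.example.org; Wed, 29 Jun 2005 09:00:00 -0400
From: "Payment Service" <security@example.invalid>
To: victim@example.org
Subject: Please confirm your account
Content-Type: text/plain

Your account will be suspended. Visit http://192.0.2.10/login to confirm.
"""


def build_abuse_report(raw_phish, reporter, abuse_addr):
    """Wrap the original message, unchanged, as a message/rfc822 attachment."""
    original = message_from_string(raw_phish, policy=policy.default)
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = abuse_addr
    report["Subject"] = "Phishing page hosted on your network (original attached)"
    report.set_content(
        "The attached message, kept intact with its full headers, links to a\n"
        "page on your address space that imitates an online payment service.\n"
        "The hosting address appears in its Received header and in the URL.\n"
    )
    # add_attachment() given a message object produces a message/rfc822 part,
    # so the phish travels as data, not as text the filter has to read.
    report.add_attachment(original)
    return report


def attached_original(report):
    """Return the original message carried inside a report, or None."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def serialize_and_reparse(report):
    """Round-trip through the wire format, as a mail transport would."""
    return message_from_string(report.as_string(), policy=policy.default)


if __name__ == "__main__":
    rpt = build_abuse_report(SAMPLE_PHISH, "reporter@example.org",
                             "abuse@example.net")
    print(rpt.as_string())
```

The report body describes the problem in the reporter's own words and contains no phishing content itself; the Received chain and the URL the abuse desk needs are inside the attached part, so a desk that auto-rejects messages "because they are phish" still gets the evidence with full headers.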

Re: "Rumplestiltskin worm" on the loose? (Adams, RISKS-23.89)

<Crispin Cowan <>>
Sat, 25 Jun 2005 10:09:51 -0700

> I'm sorry, but the Internet is not your private playground.  If you have a
> spam problem, deal with it or buy your own intranet.  Such "idealism" is
> what lets people use the Internet to communicate.  <freedom argument
> continues>

This is so deeply wrong that I feel I must rebut.

Bandwidth-based DoS attacks are fundamentally impossible to stop. If an
attacker can compromise even a trivial fraction of the Internet, and then
command those nodes to all flood your site with traffic, then your site
collapses under the load, and no legitimate traffic can reach you because
your connection is full. There is nothing to be done except track down the
attacking nodes and have them shut down until they are cleaned up. This is
an extortion attack that is in widespread use now, particularly against
sites that have time sensitivity, such as gambling sites that hope to take
bets on some big game: pay up, or we DoS you into the ground during your
critical period.

Widely enforced Internet hygiene of some form would go a long way towards
stopping this kind of attack. At some point in the future, this DoS attack
is going to become so pervasive that there *will* be Internet hygiene rules
imposed. Get used to it.

Personally, I hope that it comes sooner than later. That would mean that it
is at least an industry self-imposed practice, rather than a government

Crispin Cowan, Ph.D.  
CTO, Immunix, a Novell Company
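
The only remedy the post allows for a bandwidth flood is to identify the attacking nodes and have them cleaned up, which starts with knowing which sources are behind the traffic. The following is an added example, not part of Crispin Cowan's post: a small aggregator over flow records ("timestamp source destination bytes") that sums bytes per source prefix toward a protected address and reports the prefixes carrying most of the load together with the individual sources seen in each, ready to hand to the owning networks. The flow lines are constructed for the demonstration and use the documentation address ranges from RFC 5737.

```python
# Added example, not part of Crispin Cowan's post: rank the sources behind a
# bandwidth flood from flow records so the attacking nodes can be reported to
# their networks for cleanup. Flow lines are constructed here ("ts src dst bytes")
# and use documentation address ranges; they are not real traffic.
from collections import defaultdict
import ipaddress


def constructed_flows():
    """Two ordinary clients, one flow to another host, one malformed line, and
    50 hosts in 198.51.100.0/24 each pushing 150 kB at the server 192.0.2.80."""
    lines = [
        "1119960000 203.0.113.5 192.0.2.80 1200",
        "1119960001 203.0.113.9 192.0.2.80 800",
        "1119960002 203.0.113.9 192.0.2.25 40000",   # different destination
        "garbage line that should be skipped",
    ]
    lines += [f"1119960010 198.51.100.{host} 192.0.2.80 150000"
              for host in range(1, 51)]
    return lines


def parse_flow_line(line):
    """Parse 'ts src dst bytes'; return None for anything that does not fit."""
    fields = line.split()
    if len(fields) != 4:
        return None
    try:
        return (int(fields[0]), ipaddress.ip_address(fields[1]),
                ipaddress.ip_address(fields[2]), int(fields[3]))
    except ValueError:
        return None


def bytes_per_prefix(lines, dst, prefix_len=24):
    """Sum bytes sent to dst by source prefix, keeping the individual sources
    so each one can be named in an abuse report to its network."""
    target = ipaddress.ip_address(dst)
    totals = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        rec = parse_flow_line(line)
        if rec is None or rec[2] != target:
            continue
        _, src, _, nbytes = rec
        prefix = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        totals[prefix] += nbytes
        sources[prefix].add(src)
    return totals, sources


def flood_report(lines, dst, share_threshold=0.5, prefix_len=24):
    """Prefixes responsible for at least share_threshold of the bytes aimed at
    dst, largest first, with the sources seen inside each prefix."""
    totals, sources = bytes_per_prefix(lines, dst, prefix_len)
    grand_total = sum(totals.values())
    report = []
    for prefix, nbytes in totals.items():
        share = nbytes / grand_total if grand_total else 0.0
        if share >= share_threshold:
            report.append({
                "prefix": str(prefix),
                "bytes": nbytes,
                "share": share,
                "sources": sorted(str(s) for s in sources[prefix]),
            })
    report.sort(key=lambda r: r["bytes"], reverse=True)
    return report


if __name__ == "__main__":
    for entry in flood_report(constructed_flows(), "192.0.2.80"):
        print(f'{entry["prefix"]}: {entry["bytes"]} bytes '
              f'({entry["share"]:.1%}) from {len(entry["sources"])} hosts')
```

The share threshold and the /24 grouping are choices for the demonstration. A share-based cut finds a flood concentrated in a few networks; a flood spread thinly across thousands of prefixes, which is the case the post has in mind, will not cross any per-prefix share threshold, and then the comparison has to be against a per-source or per-prefix rate baseline from quiet periods rather than against the total, which is exactly why the post concludes that the answer lies upstream, in keeping the compromised nodes off the network in the first place.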

Breach tracking

<Adam Shostack <>>
Fri, 24 Jun 2005 17:05:05 -0400

Since many of the entries in RISKS have been on security breaches, I'd like
to draw your attention to my weblog:
I've been cataloging breaches, and the fairly extensive (albeit not
complete) is at

REVIEW: "Spies Among Us", Ira Winkler

<Rob Slade <>>
Wed, 22 Jun 2005 08:24:57 -0800

BKSPAMUS.RVW   20050531

"Spies Among Us", Ira Winkler, 2005, 0-7645-8468-5,
%A   Ira Winkler
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2005
%G   0-7645-8468-5
%I   John Wiley & Sons, Inc.
%O   U$27.50/C$38.99/UK#16.99 416-236-4433 fax: 416-236-4448
%O   Audience n+ Tech 1 Writing 3 (see revfaq.htm for explanation)
%P   326 p.
%T   "Spies Among Us"

In the introduction, Winkler admits that the title is slightly misleading:
most surveillance is not done by international spies, but by common or
garden thieves, competitors, and so forth.  The point that he is trying to
make is that non-terrorists can hurt you, although he raises the issue with
illustrations that are not completely clear.

Part one deals with espionage concepts.  Chapter one reviews spying
terminology, but makes points about the process by explaining the jargon and
distinctions.  Risk analysis is introduced in chapter two, but the
calculations used may not be clear to all readers.  An attempt to assess the
value of information is made in chapter three.  Chapter four outlines
threats (entities that might harm you) and five covers vulnerabilities--the
way your own operations can make you subject to attack.

Part two describes some case studies of spying.  The content is interesting,
although the value is rather concentrated in the short "vulnerabilities
exploited" section at the end of each chapter.  I must say that I've read
all manner of similar stories and case studies in various security books,
and Winkler's are more interesting than most.

Part three deals with protection.  Chapter twelve lists a number of
countermeasures.  These are described in a level of detail that is
appropriate for non-specialists (in security), although the content related
to technical safety might be a bit thin.  How to plan and implement an
overall security program is outlined in chapter thirteen, which includes a
very interesting section on how the Department of Homeland Security has
taught us valuable lessons about how *not* to execute safeguards.

While not structured in a formal manner that would make for easier
reference, this book nonetheless has some excellent content.  Like
Schneier's "Beyond Fear" (cf. BKBYNDFR.RVW), it is easy enough, and engaging
enough, for those outside of the security profession to read.  Busy managers
may find the work a bit wordy and disorganized, but it makes useful points,
and has constructive suggestions.  Home users and amateurs will find the
style most suited to them, although the recommended controls are aimed at
businesses.  Security professionals will not (or should not) find anything
new here, but may appreciate the "war stories" and explanations that can be
employed in security awareness training.

copyright Robert M. Slade, 2005   BKSPAMUS.RVW   20050531    or
