The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 93

Sunday 10 July 2005

Contents

Monitor misprogrammed, air quality suffers (Bill Hopkins)
US-VISIT (Marc Rotenberg)
Pentagon Creating Student Database (PGN)
USC application system cracked (PGN)
Indian call centre 'fraud' probe (S Byers)
Life gets messy online/offline in China (Esther Dyson via Dave Farber)
Future Combat Systems procurement problems: GAO report (Dawn Onley via Pete Mellor)
PayPal, a Risk when you do, and a risk when you don't... (David Lesher)
More on Minnesota encryption (Steve Peterson)
WWW 2006 Call For Papers: Security, Privacy & Ethics Track (Angelos D. Keromytis)
REVIEW: "Silence on the Wire", Michal Zalewski (Rob Slade)
Info on RISKS (comp.risks)

Monitor misprogrammed, air quality suffers

"Bill Hopkins" <whopkins@wmi.com>
Wed, 6 Jul 2005 14:45:46 -0400

Our local newspaper reports in print (but not on line) that Exelon Power's
Cromby generator in Phoenixville, PA exceeded pollution limits for seven
months in 2004 after an unidentified "vendor" programmed an emissions
monitor for the wrong standards, and that the company will pay 600 grand.
Websites for the company and the PA Dept of Environmental Protection confirm
the story.  Exelon is the parent company of PECO Energy, formerly
Philadelphia Electric Co., which supplies power to the area.

Cromby has two generators, one coal-fired and one switchable between oil and
natural gas.  The vendor ("a big company" says Exelon) set the monitor for
the coal-fired unit to standards for the other unit.  (I would guess that
the SO2 limits for oil might be higher.)  Exelon discovered the problem
while aggregating data "for a large use," stopped it and turned itself in.
DEP assesses a fine for each day of violation.

Risks for a company: trusting the dials and trusting the vendor when you're
on the hook.

Risks for the rest of us: breathing in.

Exelon report: http://www.exeloncorp.com/NR/rdonlyres/DDDBE22B-94E3-4EE1-9F3C-ED4266DB0093/977/environ_rpt_2004.pdf  (see page 16,
numbered 12)

PA DEP: http://www.depesf.state.pa.us/news/cwp/view.asp?a=3&q=465363

Daily Local News (West Chester, PA): www.dailylocal.com (The article appeared
2005-07-05; who knows, it might yet show up on the site.)


US-VISIT (from EPIC Alert 12.13)

Marc Rotenberg <rotenberg@epic.org>
Tue, 5 Jul 2005 08:48:33 -0400

                              E P I C  A l e r t
Volume 12.13                                              June 30, 2005
                              Published by the
                 Electronic Privacy Information Center (EPIC)
                              Washington, D.C.
               http://www.epic.org/alert/EPIC_Alert_12.13.html

EPIC Keeps Watchful Eye on US-VISIT

Foreign visitors to the United States are experiencing a new kind of jet
lag: delays and secondary security screenings prompted by technological
glitches in the border security program known as the United States Visitor
and Immigrant Status Indicator Technology (US-VISIT). Documents obtained by
EPIC under the Freedom of Information Act from the Department of Homeland
Security show that US-VISIT has resulted in many cases of mistaken
identity. Commercial aircrew members, vacationers, and businesspersons have
all been delayed by the gaffes. The problems caused unnecessary delays in
the visitors' travels and resulted in the improper flagging of crewmembers
by government watch lists.

US-VISIT was launched at 115 airports and 14 seaports in January 2004.  By
the end of 2005, the program will be operational at all of the nation's more
than 400 ports of entry. US-VISIT requires foreign nationals entering or
exiting the country to submit biometric and biographical information. This
data collection often begins before a visitor buys her plane ticket, as
U.S. consular offices abroad may, before issuing a U.S. visa, collect
fingerscans from potential visitors and compare them against those in a
criminal database. Fingerscans are again collected upon the visitor's
arrival in the U.S. for verification and then stored in a government
database, as are travelers' arrival and departure records. Failure to be
processed through this departure confirmation system could jeopardize a
visitor's re-admittance to the U.S., as the government compares the manifest
information provided by air and cruise lines to ascertain that visitors have
not overstayed their visas.

Last September, US-VISIT expanded to include visitors from the 27 nations
who are members of the Visa Waiver Program, thus requiring the screening of
an additional 33,000 persons per day. Except for visiting diplomats and
officials and persons under 14 or over 79 years old, US-VISIT now applies to
virtually all foreign nationals holding nonimmigrant visas, regardless of
country of origin.

The documents obtained by EPIC show that some travelers are aware that the
US-VISIT database contains erroneous information well before DHS realizes
its own mistake and fear that their next visit to the U.S. will result in
misidentification. Visitors reported missing their connecting flights due to
errors in the database system, and airline crewmembers reported being
delayed up to ninety minutes after a long international flight. Some
travelers reported that the operator collecting fingerscans at a port had
erroneously reversed their left and right index fingerprints, labeled a
husband's fingerprints as his wife's, failed to collect the data required
under US-VISIT, or collected data from travelers exempt from the program,
such as holders of a G-4 visa.

Passengers' numerous requests to the DHS for correction of erroneous
personal information suggest that the rush to implement US-VISIT has come at
the expense of data accuracy and passenger privacy. IDENT, the government
database containing US-VISIT fingerscans, is based on technology that even
the DHS considers outdated, even though the government has already invested
about $1 billion in the program. The current fingerscan technology does not
meet the government's biometric standard, which mandates imaging of all ten
fingerprints. Last fall, Stanford University professor Lawrence M. Wein
testified before Congress that the chance of identifying a terrorist by
matching two index fingerscans poorly imaged by IDENT against the
government's biometric watch list is no more than 53%. Privacy concerns are
increasing as the government turns to the private sector for full
implementation of US-VISIT; global consultant Accenture received a $10
billion contract last year for full-scale implementation over the next
decade.

Freedom of Information Act documents obtained by EPIC on US-VISIT:
      http://www.epic.org/foia_notes/note7.html

EPIC's US-VISIT Page:
      http://www.epic.org/privacy/us-visit/
More information on the US-VISIT technology and cost is available at:
      http://www.epic.org/redirect/wpvisit605.html


Pentagon Creating Student Database

"Peter G. Neumann" <neumann@csl.sri.com>
Thu, 23 Jun 2005 7:03:01 PDT

  [Noted by Keith Rhodes.  This is another database full of unreliable
  information that will be inadvertently released?]

The Defense Department has begun working with BeNow Inc, a private marketing
firm, to create a database of high school students ages 16 to 18 and all
college students to help the military identify potential recruits in a time
of dwindling enlistment in some branches.

The program is provoking a furor among privacy advocates. The new database
will include personal information including birth dates, Social Security
numbers, e-mail addresses, grade-point averages, ethnicity and what subjects
the students are studying.

Chris Jay Hoofnagle, West Coast director of the Electronic Privacy
Information Center, called the system "an audacious plan to target-market
kids, as young as 16, for military solicitation."  He added that collecting
Social Security numbers was not only unnecessary but posed a needless risk
of identity fraud. Theft of Social Security numbers and other personal
information from data brokers, government agencies, financial institutions
and other companies is rampant.  "What's ironic is that the private sector
has ways of uniquely identifying individuals without using Social Security
numbers for marketing."

The Pentagon statements said the military is "acutely aware of the
substantial security required to protect personal data," and that Social
Security numbers will be used only to "provide a higher degree of accuracy
in matching duplicate data records."

  [Source: Recruiting Tool For Military Raises Privacy Concerns,
  Jonathan Krim, *The Washington Post*, 23 Jun 2005; PGN-ed]


USC application system cracked

"Peter G. Neumann" <neumann@csl.sri.com>
Wed, 6 Jul 2005 16:53:55 PDT

A programming error in the University of Southern California's online system
for accepting applications from prospective students left the personal
information of ``hundreds of thousands of records'' publicly accessible.
The flaw was discovered by a student in the process of applying.  [Source:
Robert Lemos, SecurityFocus; PGN-ed]
  http://www.theregister.co.uk/2005/07/06/usc_site_cracked/

  [We hope that the student's application was not rejected because
  he had discovered the flaw!  PGN]


Indian call centre 'fraud' probe

"SB" <s_byers666@yahoo.co.uk>
23 Jun 2005 05:16:01 -0700

[BBC caption: Information passed on could have been used to clone credit cards]

Police are investigating reports an Indian call centre worker sold the bank
account details of 1,000 UK customers to an undercover reporter.

The Risks?

Obvious really - overseas call centres in poverty-stricken third-world
countries, the staff of whom have unlimited access to personal and private
information of the more wealthy, are the worst security risks ever devised
by financial organisations.

See:  http://news.bbc.co.uk/1/hi/uk/4121934.stm


Life gets messy online/offline in China

Esther Dyson <edyson@edventure.com>
July 1, 2005 7:50:56 AM EDT

http://www.pacificepoch.com/newsstories?id=33425_0_5_0_M
Game Accounts Take Center Stage In Divorce
Legend of Mir 2, Online Game, SNDA, Shanda
Posted by: Zhou Zhengqian
<http://www.PacificEpoch.com/members/profile_view_ind.php?id=164> on Jul 01 | 17:07

A divorce in Chongqing has turned ugly when both parties want their joint
online game accounts, Chongqing Business Post reports. Mr. Wang from
Chongqing and Ms. Ye from Huibei met last September on Shanda's (Nasdaq:
SNDA) online game Legend of Mir 2. Wang saved Ye's character from being
killed by another player. The couple married at the end of October but
decided to get a divorce in June. During their marriage, the couple jointly
played over ten Mir 2 accounts, attaining level 40 to 50 status for all of
them. The characters and virtual items are estimated to be worth 40,000 to
50,000 Yuan. Wang said that he wants to keep the accounts and virtual items
and is willing to give their joint apartment to Ye. However, Ye wants to
split the apartment and game items equally.

Esther Dyson              Always make new mistakes!
Editor, Release 1.0

CNET Networks - www.cnet.com
104 Fifth Avenue (at 16th Street)
New York, NY 10011    USA

+1 (212) 924-8800

www.release1-0.com
PC FORUM: http://www.edventure.com/pcforum/
FLIGHT SCHOOL: http://www.edventure.com/pcforum/flight.cfm
current status (with pictures!) at http://www.flickr.com/photos/edyson/


Future Combat Systems procurement problems: GAO report

Pete Mellor <pm@csr.city.ac.uk>
Fri, 8 Jul 2005 18:32:46 +0100 (BST)

Dawn S. Onley, GAO: Army's FCS initiative faces uncertain future,
Government Computer News, 8 Jul 2005

The major communications programs that will support the Army's
transformational Future Combat Systems initiative are in jeopardy of failing
to meet technical challenges and an accelerated schedule, according to the
Government Accountability Office.  GAO found that each of the communications
pillars of the Army's Future Combat Systems (FCS) program - two Joint
Tactical Radio System (JTRS) clusters, the Warfighter Information
Network-Tactical (WIN-T) program and the System of Systems Common Operating
Environment (SOSCOE) - would likely fail to meet aggressive schedules due to
immature technologies.

"As currently structured, the JTRS, WIN-T and SOSCOE programs are at risk of
not delivering intended capabilities when needed, particularly for the first
spiral of FCS," according to GAO. "They continue to struggle to meet an
ambitious set of user requirements, steep technical challenges and stringent
time frames."

FCS is designed to link 18 manned and unmanned weapons systems via a common
computer network known as WIN-T and the System of Systems Common Operating
Environment.

The Army restructured its FCS program last year into spirals, with
officials announcing the first spiral would happen in fiscal 2008. But GAO
said the first spiral may not demonstrate key networking capabilities.

GAO found the FCS program faces network, developmental and financial
challenges that continue to slow progress. FCS' information network is
dependent on the success of JTRS, WIN-T and SOSCOE - programs that are not
included in FCS costs.

"Because JTRS, WIN-T and SOSCOE all rely on significant advances in
current technologies and capabilities and must be fully integrated to
realize FCS, there are substantial risks to this effort," wrote Paul L.
Francis, GAO's director of acquisition and sourcing management, in the
report.

For the full article, with a link to the original GAO report, see:
  http://www.gcn.com/vol1_no1/daily-updates/36302-1.html

Peter Mellor, Centre for Software Reliability, City University,
Northampton Square, London EC1V 0HB  +44 (0)20 7040 8422


PayPal, a Risk when you do, and a risk when you don't...

"David Lesher" <wb8foz@panix.com>
Wed, 6 Jul 2005 10:39:14 -0400 (EDT)

So I ordered some parts on-line.  They arrived.

Then 45 days later, my credit card bill listed a PayPal charge.  Whoa... I
don't engage in such foolishness; certified letter to CC Co, asking
"huh?"...

Two weeks later, PayPal starts sending ME email about fraudulent use of MY
account...to the email address that I use for on-line buying.

Doh! The *merchant* uses PayPal to do their processing. OK.

But I try to write to PayPal to explain. No Joy. Only option to contact them
is to FIRST log into my PayPal account; and use the webform....  and I don't
HAVE an account..

Write CC Co, dropping protest.

Now, 4 months later, PayPal writes again. My account is locked....  (Need I
continue?)

PayPal assumes only account holders have a reason to reach them. They can't
grok that merchants and/or buyers may be involved. Further, they wrote
ME about the holder's account. [They did NOT, at least, give me his account
ID, just an incident number.]

Risks: Identity theft is sometimes TOO easy....


More on Minnesota encryption (Cotrell, RISKS-23.92)

Steve Peterson <speterson@computer.org>
Wed, 29 Jun 2005 15:12:17 -0500

Folks, get a grip.  The opinion doesn't say anything about encryption being
illegal.

Quoting from the opinion, the justices were trying to determine:
Did the district court err in admitting evidence concerning appellant's
internet usage and encryption capability for his computer?

They wrote:

... Appellant first argues that he is entitled to a new trial because the
district court erred in admitting irrelevant evidence of his internet usage
and the existence of an encryption program on his computer.  Rulings
involving the relevancy of evidence are generally left to the sound
discretion of the district court.  State v. Swain, 269 N.W.2d 707, 714
(Minn. 1978).  And rulings on relevancy will only be reversed when that
discretion has been clearly abused.  Johnson v. Washington County, 518
N.W.2d 594, 601 (Minn. 1994).  "The party claiming error has the burden of
showing both the error and the prejudice."  State v. Horning, 535 N.W.2d
296, 298 (Minn. 1995).

Appellant argues that his "internet use had nothing to do with the issues in
this case;" "there was no evidence that there was anything encrypted on the
computer;" and that he "was prejudiced because the court specifically used
this evidence in its findings of fact and in reaching its verdict."  We are
not persuaded by appellant's arguments.  The record shows that appellant
took a large number of pictures of S.M. with a digital camera, and that he
would upload those pictures onto his computer soon after taking them.  We
find that evidence of appellant's internet use and the existence of an
encryption program on his computer was at least somewhat relevant to the
state's case against him.  See Minn. R. Evid. 401.  ...

Think of it this way:
  (child pornography, (digital pictures, digital camera, computer, crypto
  software, photo sharing))
is like
  (check fraud, (computer, blank check stock, list of account numbers, MICR
  printer, ink removing solvent))
or
  (assault, (baseball bat, bloody towel, footprint))
or
  (burglary, (lock picks, bolt cutters, black cap, gloves)).


WWW 2006 Call For Papers: Security, Privacy & Ethics Track

"Angelos D. Keromytis" <angelos@cs.columbia.edu>
Fri, 08 Jul 2005 12:35:59 -0400

WWW2006 Refereed Track: Security, Privacy & Ethics

Viruses, spyware, and identity theft are turning the World Wide Web into a
dangerous place. By undermining consumer trust, these problems are hampering
e-commerce and the growth of online communities. A basic lesson is coming
home to researchers, operators, and ordinary users alike: Security and
privacy are not frills or features, but vital and enabling building
blocks. As Web-based systems take on a physical dimension through wireless
devices and sensors, and as they absorb varied media -- from books to online
games to home movies -- digital security is ramifying in its economic and
social reach.

This track promotes the view that security, privacy, and sound guiding
ethics must be part of the texture of a successful World Wide Web. In
addition to devising practical tools and techniques, it is the duty of the
research community to promote and guide business adoption of security
technology for the Web and to help inform related legislation.

The organizers seek novel research in security, privacy, and ethics as they
relate to the Web, including but not limited to the following areas:

     * Biometrics and secure template management
     * Digital Rights Management from its technical, ethical, and legal
       perspectives
     * Economic / business analysis of Web security and privacy
     * Electronic commerce, particularly security mechanisms for e-cash,
       auctions, payment, and fraud detection
     * Intrusion detection, insider threats, auditing, and honeypots
     * Legal and legislative approaches to issues of Web security and
       privacy
     * Location-based services
     * Knowledge-based authentication, such as security questions for
       password recovery
     * Privacy-enhancing technologies, including anonymity, pseudonymity
       and identity management
     * Public-key infrastructure and supporting concepts like digital
       signatures and certification
     * Secure and robust management of server farms
     * User interfaces as they relate to digital signing, encryption,
       passwords, and online scams like phishing
     * Wireless devices that interface with the Web, including RFID,
       sensors, and mobile phones
     * Web-services and supporting standards like XML

Chairs
     * Ari Juels (RSA Laboratories) (Vice Chair)
     * Angelos Keromytis (Columbia University)  (Deputy Vice Chair)

PC Members [see website]
For more details, see http://www2006.org/tracks/security.php

The World's WWW Conference

WWW2006 will bring together the international communities of researchers,
developers and business that drive the Web forward, shaping and developing
its potential for new areas of communication, research, business and public
administration.

Since the first international WWW Conference in 1994, this prestigious
event, organized by the International World Wide Web Conference Committee
(IW3C2), has provided the annual public forum for communicating research and
development of the Web infrastructure and applications, as well as W3C
initiatives.

The fifteenth conference in the series comes to the UK for the first time,
and to one of the great historical centres of science and
technology. Edinburgh is Scotland's capital city, home to one of the UK's
oldest universities, an epicentre of the IT business sector and one of the
world's great festival cities.

The WWW2006 programme addresses topics in media, e-government, e-commerce,
education and e-science. The technical programme will draw on global
research and industrial strengths to provide a strategic forum for the
dissemination of new techniques and applications throughout the research
community, the business and company sector and government agencies.


REVIEW: "Silence on the Wire", Michal Zalewski

Rob Slade <rslade@sprint.ca>
Mon, 27 Jun 2005 08:28:54 -0800

BKSLNOWR.RVW   20050603

"Silence on the Wire", Michal Zalewski, 2005, 1-59327-046-1,
U$39.95/C$53.95
%A   Michal Zalewski lcamtuf@coredump.cx lcamtuf.coredump.cx/silence/
%C   555 De Haro Street, Suite 250, San Francisco, CA   94107
%D   2005
%G   1-59327-046-1
%I   No Starch Press
%O   U$39.95/C$53.95 415-863-9900 fax 415-863-9950 info@nostarch.com
%O   http://www.amazon.com/exec/obidos/ASIN/1593270461/robsladesinterne
%O   http://www.amazon.co.uk/exec/obidos/ASIN/1593270461/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1593270461/robsladesin03-20
%O   Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   281 p.
%T   "Silence on the Wire"

I don't know why, exactly, the phrase "self-taught information
security researcher" (in "About the Author") should give me such a
sense of foreboding.  (The phrase could apply to me, and to many
colleagues, although we tend not to use it.)  And even before I read
it, a number of people had warned me I wouldn't like it.

Well, I did like it, once I figured out what it was.  I think a lot of
people don't understand it.  It is not a security text, by any means,
but rather a series of explorations that take our "professional
paranoid" mentality and examine some issues we seldom consider.

The subtitle states that the book is about passive and "indirect"
attacks.  Although passive attacks are well defined, indirect does not
have a formal distinction, and the introduction does not help in
explaining what the author intends.

Part one covers activities that occur at the origin of data and
processing.  Chapter one is titularly about typing, but spends a lot
of time dealing with the problems of pseudo-random number generation,
and seed data acquisition, and finally outlines an unlikely and very
complex attack, heavily dependent upon specific functions and data
availability, and seemingly directed at finding out if someone is
typing at the computer.  (The attack is also active, not passive.)  A
discussion of digital electronics, boolean algebra, and processor
architecture, in chapter two, eventually leads to a brief discussion
of the timing and power attacks that are well known in cryptology
circles.  (There are also odd and careless errors: readers are asked
to contrast figure 2-4 with figure 2-4.  There is a difference, it
just isn't explained.)  Chapter three reviews a few random and
unrelated vulnerabilities.  It is very difficult to determine what the
point of chapter four might be, but it seems to be a screed against
the use of Web crawling bots.

Part two appears to address local communications links.  Chapter five
provides a brief review of data communications 101, and then notes the
"flickering modem LED" vulnerability.  The ethernet frame padding
problem is described in chapter six, while chapter seven lists some
other networking difficulties, and eight briefly mentions
miscellaneous topics such as identification by keystroke analysis and
war driving.  (It should be noted that chapter length varies widely:
chapters one, two, and five average twenty-five pages each, while the
rest are closer to five.)

Part three moves out to the Internet.  Chapter nine reviews most of
the TCP/IP protocol, and then discusses how the ways that different
systems populate fields of the IP header can be used to identify
operating systems without a direct connection.  The discussion in
chapter ten starts with passive mapping of an inaccessible network,
but the attack described seems to be intended for sequence number
guessing (and session hijacking).  Chapter eleven addresses weaknesses
in various types of firewalls.  Dissection of an odd packet is in
chapter twelve, a method of third party scanning in thirteen, some
possible metrics for identifying software in fourteen, and some ways
of recognizing attacker machines in chapter fifteen.

Part four supposedly attempts to relate these disparate elements,
apparently without much success.  Chapter sixteen describes a storage
method using packets bouncing around the net, seventeen looks at
different methods of mapping the net and some possible uses, and
eighteen considers the discovery of worms and other malware via the
capturing of unusual packets.

The material in the book is fascinating in places.  However, the work
is not structured in a way that makes the security implications
obvious (the writing is not very direct, and the narrative or topical
thread tends to wind around subjects), and, in fact, the security
implications aren't very powerful at all.  Yes, in the end, the author
has written mostly about passive and indirect attacks, but the methods
covered are unusual, and probably not very useful.  Most of the
material concentrates on rather weak covert channels.  In this regard
it can have some uses in a minor way: covert channel examples are not
abundant in the general security literature.  The attacks suggested
are interesting thought experiments, but have limited uses either in
attack or defence.  As "Trivial Pursuit" (meaning the game of oddball
facts) for the tech crowd it's great, but the author never intended
the text to be a vulnerability warning.

copyright Robert M. Slade, 2005   BKSLNOWR.RVW   20050603
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade