The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 23 Issue 94

Tuesday 26 July 2005

Contents

2,000 patients hit by lab test mix-up in Calgary, Alberta
R.A. Tremonti
Information system for Lisbon hospitals stopped for ten days
Fernando Pereira
Why doesn't meter reading use sanity checking?
PGN
Proposed daylight saving time changes
David Magda
Virginia DMV fraud again
PGN
Fraud on VoIP
uk.telecom.voip via Pete Mellor
Physical-layer network vulnerabilities
Michael Tandy
Multiple vulnerabilities in Diebold Optical Scan
Bruce O'Dell
UK Government statistics show Home Office leads in stolen computers
Ian Cuddy
Mixing data from multiple customers
art
European Parliament rejects Software Patent Directive
Pete Mellor
"Perspectives on Free and Open Source Software"
PGN
Info on RISKS (comp.risks)

2,000 patients hit by lab test mix-up in Calgary, Alberta

<"R.A. Tremonti" <robert.tremonti@shaw.ca>>
Mon, 11 Jul 2005 15:09:11 -0600

It seems a web database used by the Calgary Health Region to track and
distribute results of lab tests has suffered a "glitch".  According to the
article that appeared today, "The Calgary Health Region announced Sunday
that an Internet database - which physicians use to view lab work such as
blood and urine tests - mixed up results between patients and posted records
under the wrong names.  Officials are now contacting the offices of nearly
400 doctors and other health providers who saw the incorrect records, to
ensure patients are receiving proper treatment."  Doctors are concerned that
the mix-up means some patients are now receiving incorrect treatments which
can complicate their conditions, or that patients are receiving treatments
they don't need.  Additionally, some patients may be fretting needlessly
over their lab results because of the mix-up while others may be in for some
unpleasant surprises when they receive the correct results!

http://www.canada.com/calgary/calgaryherald/index.html

  [Also noted by Robert Israel at the University of British Columbia]
http://www.theglobeandmail.com/servlet/story/RTGAM.20050711.wcalgary0/BNStory/National/
http://calgary.cbc.ca/regional/servlet/View?filename=ca-chr-tests20050711


Information system for Lisbon hospitals stopped for ten days

<Fernando Pereira <pereira@cis.upenn.edu>>
Sun, 17 Jul 2005 10:29:55 -0400

Lisbon newspaper "O Público" reports today that the main information system
for the Lisbon Hospital Center, which supports three large Lisbon hospitals,
has not worked since July 8. It appears that the master patient index has
become inaccessible, and may be lost. If a patient shows up without a
hospital-issued card, which includes a patient id number, the patient's
records cannot be accessed. Out-patient consultations and admissions are
being processed manually, causing "great confusion." Emergency room
admissions are much slower than usual. The waiting list for surgery also
appears lost, although that has not been confirmed. A doctor at one of the
hospitals and board member for a doctors union said that "No one knows for
certain what will happen or when the problem will be solved." The assistant
to the director of the hospital group explains that "The system failed
totally eight days ago, and technicians tried to restore it immediately, but
without success. At the beginning of last week, the US firm who supplied the
system was brought in, and it is expected that the situation will be
resolved by Monday." He also said that the failure was unexpected, that the
hospital group did not have the ability to fix it on their own, and that the
breakdown "has had no impact on the normal functioning of the hospitals,
except for the slowdown in patient registration."

So, it takes much longer to admit patients, their medical records are
inaccessible unless they have registered before and bring with them their
registration card (something that anyone dealing with a medical emergency
will for sure remember to do), and doctors report confusion, but there's
really no impact, according to the hospital group administration. A
mission-critical system has no backup or immediate access to repair
expertise.

For readers not familiar with Portugal, Lisbon public hospitals are
notorious for poor financing, inefficiency, bureaucracy, and long waiting
lists. They cater mostly to those who cannot afford private care, especially
many pensioners in an aging city. Another common problem with public
institutions in Portugal is poor procurement controls, especially for
technology and information services. Many purchases are made without much
attention to cost of ownership, service guarantees, or access to parts and
service. Some administrators are too easily seduced by fancy presentations
by local representatives of foreign suppliers who have no local expertise or
staying power.

Fernando Pereira, Dept. of Computer and Information Science, U. of Pennsylvania


Why doesn't meter reading use sanity checking?

<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 14 Jul 2005 15:03:33 PDT

The utility department in Mascoutah (Illinois) sent Rose Mary Cook a bill
for the use of 10 million gallons of water in a month, totalling $29,787 for
the water and $43,581 for the ensuing sewer usage.  The cause was, not
surprisingly, a broken meter.  [Source: AP item, 14 July 2005]
  http://www.cnn.com/2005/US/07/14/hot.summer.ap/index.html

In past years we have seen similarly large charges attributed to the
installation of a new meter that was set slightly behind the old one.
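The sanity checks the subject line asks for, as an added illustration that is not code from any utility's billing system. The register width, the tariff-free thresholds, the physical flow cap and the reading history are all constructed assumptions; the last check models the "new meter set slightly behind the old one" case, where a naive wrap-around correction turns a small negative delta into an almost-full-register bill.

```python
from statistics import median

# All constants below are constructed for this illustration.
REGISTER_MAX = 100_000_000   # register wraps back to 0 after this many gallons
SPIKE_FACTOR = 10            # flag a month above 10x the customer's own median
MAX_GPM = 20.0               # max sustained flow a small residential meter passes
MINUTES_PER_MONTH = 31 * 24 * 60


def consumption(prev_reading, curr_reading, register_max=REGISTER_MAX):
    """Gallons between two readings of the SAME meter, correcting for wrap.

    A genuine wrap (99,999,900 -> 200) gives a small positive delta.  The
    same correction turns a replacement meter installed slightly *behind*
    the old meter's last reading into a near-full-register delta, which is
    the pattern behind the bogus bills mentioned above.
    """
    delta = curr_reading - prev_reading
    if delta < 0:
        delta += register_max
    return delta


def check_reading(history, prev_reading, curr_reading, meter_replaced=False):
    """Return (usage, flags).  No flags means the reading is safe to bill."""
    if meter_replaced:
        # Differencing a new meter against the old meter's last reading is
        # meaningless: bill the old meter to removal, the new one from install.
        return None, ["meter replaced: difference each meter only against its own readings"]

    usage = consumption(prev_reading, curr_reading)
    flags = []

    # 1. Physical plausibility: the service line cannot deliver more than this.
    physical_cap = MAX_GPM * MINUTES_PER_MONTH
    if usage > physical_cap:
        flags.append(f"usage {usage:,} gal exceeds physical cap "
                     f"{physical_cap:,.0f} gal: broken meter or misread")

    # 2. Statistical plausibility against the customer's own history.
    if history:
        base = median(history)
        if base > 0 and usage > SPIKE_FACTOR * base:
            flags.append(f"usage {usage:,} gal is over {SPIKE_FACTOR}x "
                         f"the customer's median of {base:,.0f} gal")

    # 3. Wrap artefact: a delta of almost a whole register means the reading
    #    went slightly backwards, not that the meter went all the way around.
    if usage > 0.9 * REGISTER_MAX:
        flags.append("delta is nearly the whole register: reading went "
                     "backwards, not around")

    return usage, flags
```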


Proposed daylight saving time changes

<David Magda <dmagda@ee.ryerson.ca>>
Wed, 20 Jul 2005 22:25:52 -0400

The US Congress is considering changing the way daylight saving time is
orchestrated, e.g.:
http://www.cbc.ca/story/canada/national/2005/07/20/daylight-savings-folo050720.html

Regardless of whether you actually think daylight saving is a good idea,
there are definite risks when you decide to change the rules on how it
works. In this case, the proposal is to have the change take effect this
fall. I'm curious if Congress realizes that just about every single computer
system would have to be updated so that it would keep the correct time.

And this does not affect just people in the US. In the above link it
discusses the effect on us Canadians. At this point in time about 80% of
Canada's exports go to the US (and 25% of America's exports go to Canada):
the two countries are heavily linked economically. If the US changes its
system, it is all but a foregone conclusion that we Canadians would have to
change the way we do things as well.

If Congress really wants to go through with this change it would be prudent
to at least push off the rule change until next year to give people time to
update and test their systems.

Mentions of daylight savings in past RISKS include 13.48, 18.04, 19.43, 9.80,
17.84, 20.28, 6.47, etc.

More information on daylight saving time is available on Wikipedia (among
other places):
 http://en.wikipedia.org/wiki/Daylight_saving_time


Virginia DMV fraud again

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 13 Jul 2005 18:26:59 PDT

Do you believe in drivers' licenses as proof of someone's identity?  The
manager of the Virginia Department of Motor Vehicles office at the
Springfield Mall was charged with selling at least 40 illicit licenses for
up to $3,500 each.  Many years ago we reported that the VA DMV rate for
bogus licenses was $25, when a ring of inside perpetrators was busted.  Two
years ago, two employees of the Tysons Corner Virginia DMV pleaded guilty to
fraudulently selling licenses.  Coincidentally the manager's wife was also
charged, and she had previously worked in the Tysons Corner DMV!  The latest
case was uncovered not by the DMV's oversight program, but by the U.S. State
Department's Bureau of Diplomatic Security.  [Source: *The Washington Post*,
13 July, B05; PGN-ed]

http://www.washingtonpost.com/wp-dyn/content/article/2005/07/12/AR2005071201421.html


Fraud on VoIP (fwd from newsgroup uk.telecom.voip)

<Pete Mellor <pm@csr.city.ac.uk>>
Mon, 11 Jul 2005 00:46:41 +0100 (BST)

The following item might be of interest.  Note that fraud recently brought
down a VoIP supplier in the US.

Newsgroup address: http://www.usenet.org.uk/uk.telecom.voip.html
By Carolyn Schuk, for VOXILLA.COM

It's one of the best kept secrets in the Voice over IP industry.  The
biggest problem facing VoIP providers isn't the specter of costly E911
requirements, overzealous regulators, or even competition from a myriad of
sources.  The biggest issue is fraud, perpetrated by scammers who take
advantage of lax international communications standards and regulations, and
make thousands of minutes of calls through carriers - many of them
fly-by-night operators - in places such as Afghanistan and Liechtenstein, who
charge exorbitant rates for call termination, leaving the originating
service provider with sky high bills and no one to charge for them.

VoIP scams have already caused start-ups in the fledgling industry millions
of dollars in losses and are blamed, in part, for the recent demise of one
service provider.  "It is the single largest problem facing providers," says
Ravi Sakaria, VoicePulse CEO, "because the development cost associated with
addressing the issue is significant enough that it could be prohibitive for
the smaller players."


Physical-layer network vulnerabilities

<Michael Tandy <m.j.tandy@warwick.ac.uk>>
Mon, 11 Jul 2005 13:56:07 +0100

During the construction of an extension to my house, builders had to take
down a wall bordering the garden. This wall ran parallel to an extension to
the building next door, with a gap about two inches wide in between.

After the wall was taken down, I found the house next door had a hole
drilled in the now-revealed wall, with Cat5 network cable extending from it;
the Cat5 originally ran through the gap between their wall and ours.

I did not splice into the cable, but to do so would have been easy.

The risk is fairly obvious: Networks that are physically secure can be made
physically insecure by building work, particularly when said networks run
close to other properties.


Multiple vulnerabilities in Diebold Optical Scan

<"Bruce O'Dell" <bodell@digitalagility.com>>
Wed, 13 Jul 2005 13:35:39 -0500

A Technical Report published by BlackBoxVoting.org (4 Jul 2005) details
multiple critical security vulnerabilities in the Diebold Optical Scan
voting equipment that was used to tally approximately 25 million votes in
the 2004 US election.

Overview: http://www.bbvdocs.org/general/BBVreport-1sheet.pdf and
Full technical report: http://www.blackboxvoting.org/BBVreport.pdf

Harri Hursti, an independent security consultant - with the consent of
election officials in Leon County, Florida - was able to take full control
of the Diebold optical scan device and manipulate vote totals and audit
reports at will.

The Diebold Precinct-Based Optical Scan 1.94w device accommodates a
removable memory card. It had been believed that this card contained only
the electronic "ballot box", the ballot design and the race definitions;
astonishingly enough, the memory card also contains executable code
essential to the operation of the optical scan system.  The presence of
executable code on the memory card is not mentioned in the official product
documentation.  This architecture permits multiple methods for unauthorized
code to be downloaded to the memory cards, and is wide open to exploitation
by malicious insiders.

The individual cards are programmed by the Diebold GEMS central tabulator
device via a RS-232 serial port connection or via modem over the public
phone network.  There are no checksum mechanisms to detect or prevent
tampering with the executable code, and worse yet, there are credible
exploits which could compromise both the checksum and executable.  The
report notes that this appears to be in violation of Chapter 5 of the 1990
Federal Election Commission Standards for election equipment, and therefore
should never have been certified for use.

The executable code is written in a proprietary language, Accu-Basic.
Accu-Basic programs are first compiled into ASCII pseudocode, which is then
executed by an interpreter residing in the optical scan device. Hursti
located an inexpensive device capable of reading and updating the memory
cards advertised on the Internet, and using a publicly-available version of
the Accu-Basic compiler (found on the Internet, along with Diebold source
code and other documents, by Bev Harris in 2003) was able to exploit these
vulnerabilities - and publicly demonstrated the ability to modify vote
totals and audit reports at will.

According to the report:

"Exploits available with this design include, but are not limited to:

"1) Paper trail falsification - Ability to modify the election results
reports so that they do not match the actual vote data

"1.1) Production of false optical scan reports to facilitate checks and
balances (matching the optical scan report to the central tabulator
report), in order to conceal attacks like redistribution of the votes or
Trojan horse scripts such as those designed by Dr. Herbert Thompson.(19)

"1.2) An ingenious exploit presents itself, for a single memory card to
mimic votes from many precincts at once while transmitting votes to the
central tabulator. The paper trail falsification methods in this report
will hide evidence of out-of-place information from the optical scan report
if that attack is used.

"2) Removal of information about pre-loaded votes

"2.1) Ability to hide pre-loaded votes

"2.2) Ability to hide a pre-arranged integer overflow

"3) Ability to program conditional behavior based on time/date, number of
votes counted, and many other hidden triggers.

"According to public statements by elections officials(20), the paper trail
produced by the precinct optical scan has been placed into the role of a
vital safeguard mechanism. The paper report from the optical scan machine
is the key record used to confirm the integrity of the central tabulator
record. The exploits demonstrated in the false optical scan machine reports
("poll tapes") shown on page 16 do not change the votes, only the report of
the votes. When combined with the Trojan horse attack demonstrated by Dr.
Thompson, this attack vector maintains an illusion of integrity by
producing false reports to match the contaminated central tabulator report.

"The [second] exploit demonstrated in the poll tape with a true report
containing false votes, shown on page 18, changes the votes but not the
report. This example pre-stuffs the ballot box in such a way as to produce
an integer overflow. In this exploit, a small number of votes is loaded for
one candidate, offset by a large number of votes for the opposing candidate
such that the sum of the numbers, because of the overflow, will be zero.
The large number is designed to trigger an integer overflow such that after
a certain number of votes is received it will flip the vote counter over to
begin counting from zero for that candidate... combining the false report
method (demonstrated on page 16) with the pre-arranged integer overflow
(demonstrated on 18) seems to be an especially efficient exploit because it
is a one-step process that takes out both the actual process and its
safeguard at the same time, while surviving scrutiny of almost anything
short of a full manual recount."

Reportedly, at least 500 jurisdictions used the vulnerable optical scan
system in 2004; for example, the Diebold Precinct-Based Optical Scan 1.94w
system counted approximately 2.5 million votes in 30 counties, or about
one-third of all the votes in Florida, and nationwide, approximately 25
million votes (http://www.freddevan.com/blog/archives/00006724.html).

Although the exploits described in the report could be uncovered if a full
hand recount was performed, in practice, detection is unlikely. Most
jurisdictions limit the time frame for contesting an election.  For
numerous reasons, both candidates and election administrators are reluctant
to question the official tally, while hand recounts are expensive - with
costs borne by the contesting party.  Few elections tallied by optical scan
equipment are ever fully recounted, and automatic recounts legally
triggered by a narrow margin of victory will, of course, fail to detect
large-scale manipulation that shifts results outside the recount threshold.
Finally, there are classic problems with paper ballot chain of custody; the
more time passes, and the further a paper artifact travels from its point
of origin, the more vulnerable it is to tampering.

Therefore, the mere presence of a paper trail will not deter or detect
electronic vote manipulation by malicious insiders unless the
voter-verified paper ballot or optical scan ballot is actually randomly
audited - preferably, in-precinct, on election night.  Yet the cost and
time required by a truly effective and random audit protocol undermines the
case for electronically-assisted vote tallying.  Therefore some analysts
now recommend US implementation of the Canadian system - hand-counting of
paper ballots in-precinct on Election Night, with accommodation for the
visually-impaired - as the best countermeasure to systematic electronic
election fraud.

Based on my experience in the financial services industry, discovery of
multiple security vulnerabilities of this severity in equipment in use by
any bank or brokerage house would trigger an immediate shutdown of all the
affected systems, followed by a full internal and external audit, and, in
all likelihood, formal investigation by regulatory and law enforcement
agencies.  We should accept no less from the election services industry.

The affected Diebold optical scan equipment should be immediately withdrawn
from use in any election until independent recertification is achieved, or
a secure alternative is obtained.  All other election equipment -
manufactured by Diebold or by other vendors - should be examined, and if
subject to the same vulnerability, should also be withdrawn.  An
investigation to determine how equipment with such serious vulnerabilities
to insider manipulation could ever have been certified should also be
launched, and certification and oversight procedures enhanced.

Good people died to gain and defend our right to vote. Election
administration must not be exempt from industry best practices for
security, audit and control.

Bruce O'Dell, Partner, Digital Agility Incorporated  www.digitalagility.com
Member, ACM SIGSOFT, SIGMETRICS, SIGART  bodell@digitalagility.com
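The pre-election "zero tape" check and the overflow behaviour discussed in the quoted report, as an added illustration that is not Diebold code: the 16-bit counter width, the card layout and the digest scheme are constructed assumptions, not facts from the report. It contrasts a check that only requires the modular total to be zero (which a card pre-loaded with +n for one candidate and MOD-n for another passes) with an audit that requires every tally to be zero individually and the card's content digest to match the value recorded when it was programmed.

```python
import hashlib
import json

COUNTER_BITS = 16            # constructed assumption about the tally width
MOD = 1 << COUNTER_BITS


class CounterOverflow(Exception):
    """Raised by the hardened path instead of silently wrapping."""


class MemoryCard:
    """Constructed model of a removable card: per-candidate tallies, a
    ballots-cast tally and the interpreter script the card carries."""

    def __init__(self, counters, script, ballots_cast=0):
        self.counters = dict(counters)
        self.ballots_cast = ballots_cast
        self.script = script

    def record_vote_wrapping(self, candidate):
        """Behaviour the report describes: arithmetic wraps modulo 2^16."""
        self.counters[candidate] = (self.counters[candidate] + 1) % MOD
        self.ballots_cast = (self.ballots_cast + 1) % MOD

    def record_vote_checked(self, candidate):
        """Hardened path: a tally that would wrap aborts the count instead."""
        if self.counters[candidate] + 1 >= MOD or self.ballots_cast + 1 >= MOD:
            raise CounterOverflow(candidate)
        self.counters[candidate] += 1
        self.ballots_cast += 1

    def digest(self):
        """Digest over everything on the card, tallies and code alike."""
        blob = json.dumps([self.counters, self.ballots_cast, self.script],
                          sort_keys=True)
        return hashlib.sha256(blob.encode()).hexdigest()


def zero_tape_sum_only(card):
    """The weak check: only the modular total must be zero, so a card
    pre-loaded with +n and MOD-n for two candidates passes it."""
    return (sum(card.counters.values()) + card.ballots_cast) % MOD == 0


def zero_tape_audit(card, expected_digest):
    """Strong pre-election audit.  Returns findings; an empty list is clean.
    Each tally must be exactly zero on its own, and the card's content digest
    must equal the reference recorded when the card was programmed."""
    findings = []
    for cand, n in card.counters.items():
        if n != 0:
            findings.append(f"{cand}: tally {n} on a supposedly blank card")
    if card.ballots_cast != 0:
        findings.append(f"ballots-cast tally is {card.ballots_cast}, not 0")
    if card.digest() != expected_digest:
        findings.append("card digest differs from programmed reference")
    return findings


def make_cards():
    """Constructed sample: the clean card as programmed, and a copy
    pre-loaded so that its modular sum is still zero."""
    script = "constructed placeholder for the card's interpreter script"
    clean = MemoryCard({"A": 0, "B": 0}, script)
    stuffed = MemoryCard({"A": 500, "B": MOD - 500}, script)
    return clean, stuffed
```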


UK Government statistics show Home Office leads in stolen computers

<"Ian Cuddy" <ic@egovmonitor.com>>
Tue, 12 Jul 2005 15:52:29 -0000

Whitehall Fails to Plug IT Theft (eGov monitor Newdesk)
An online version with embedded links is available at:
http://www.egovmonitor.com/node/1843

Central government departments are reported to have suffered at least 150
cases of computer theft in the last six months, according to official
figures.  The Home Office alone recorded 95 incidents of computer items
being stolen between January and June 2005 - equivalent to a theft taking
place in the Department every other day.

By comparison, the Ministry of Defence reported 23 computer thefts to date
in 2005, down from a total of 153 in the previous year.

Ministers made the disclosures in response to a series of parliamentary
questions tabled by Liberal Democrat MP Paul Burstow into incidents of
computer hacking, fraud and theft in each department.

In a written answer, Doug Touhig, a junior minister at the MoD, said the
Ministry had also experienced 30 attempted computer hacking incidents so far
in 2005, having only reported 36 for the whole of 2004.  However the
Minister gave an assurance that "none of the reported incidents of hacking
had any operational impact".  Most of these incidents were due to internal
security breaches, rather than external threats. Half of the cases were
classed as "internal - misuse of resources".

Instances of reported computer thefts in other departments were in single
figures so far this year, and most recorded no cases of IT systems being
accessed illegally.

The Department for Transport said it had experienced 71 cases of computer
hacking in 2003-4, 31 in the following year and one incident since April.
The Treasury, the Department for International Development and the
Department for Education and Skills said their IT systems had been breached
on one occasion in 2004-5.  Figures from the DfES show that in the two years
since 2003/4, it experienced 37 incidents of computer theft, all but one of
which were "perpetrated by insiders".  The Department of Health said it did
not distinguish between losses and theft of IT equipment, but said there
were 44 such incidents in 2004-5, costing it almost 40,000 pounds.  Figures
provided by Health Minister Jane Kennedy put the total sum lost by the
Department over the last four years at 233,000 pounds.

Ian Cuddy, Chief Editor, eGov monitor, Hurlingham Studios, Ranelagh Gardens,
London SW6 3PA UK 020 7384 1551 ian.cuddy@egovmonitor.com www.egovmonitor.com


Mixing data from multiple customers

<art-risks@dontsharemyemail.com>
Sun, 10 Jul 2005 15:35:56 -0400

I signed up for a mailing list from a potential vendor that my company was
considering using a few months back (well, I submitted a request for info
which got put on their mailing list).

A few weeks later I received a marketing e-mail from them. OK, that was
expected. But I got the same e-mail on my home e-mail. That was not
expected.

I have a domain, dontsharemyemail.com, that I use exclusively for signing up
for lists. I use a unique address for each list I sign up for so I can track
leaky e-mail lists.

Looking into the e-mail I received at home from the vendor I found that it
was sent to a mailing list that I used for a charity I give to. I contacted
both the vendor and the charity. The vendor confirmed the address was on
their list, but they said they had no record of how they got it. They don't
buy lists (their marketing dept. complains about this) and they were very
puzzled. The charity confirmed that they had no record of sharing the
address (they claim they don't do that either).

After a little while it dawned on me what could have happened. Sure enough,
I looked at the headers of both e-mails and found that both parties used
Microsoft's bcentral.com mailing list service.

As far as I can figure, Microsoft's programmers figured that since the same
name, address, phone, etc., info was attached to both e-mail addresses, they
should be stored as a single entity. Thus when the vendor sent to "me" it
was sent to both e-mail addresses. Even though both were completely separate
mailing lists from completely separate customers.

The risks are in keeping your customers' private data private when you
manage multiple customers.
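The merge rule the poster suspects, beside a tenant-scoped alternative, as an added illustration that is not Microsoft's or bcentral's code: the schema, the name-plus-phone matching rule and the sample sign-ups are constructed assumptions about how such a mix-up can arise. The audit function reports any address a customer would mail that was never given to that customer.

```python
from collections import defaultdict

# Constructed sample: a vendor and a charity each hold a different address for
# the same person, whose name and phone number match across both sign-ups.
SIGNUPS = [
    {"tenant": "vendor",  "email": "art+vendor@example.invalid",
     "name": "Art", "phone": "555-0100"},
    {"tenant": "charity", "email": "art+charity@example.invalid",
     "name": "Art", "phone": "555-0100"},
    {"tenant": "vendor",  "email": "bob@example.invalid",
     "name": "Bob", "phone": "555-0199"},
]


def person_key(rec):
    """Matching rule assumed for the illustration: same name and phone."""
    return (rec["name"].lower(), rec["phone"])


class GlobalDirectory:
    """The leaky design: one person record shared by every customer, keyed
    on person identity alone, with every address ever seen attached to it."""

    def __init__(self):
        self.addresses = defaultdict(set)

    def add(self, rec):
        self.addresses[person_key(rec)].add(rec["email"])

    def recipients(self, tenant, records):
        out = set()
        for rec in records:
            if rec["tenant"] == tenant:
                out |= self.addresses[person_key(rec)]   # all addresses, any tenant
        return out


class TenantDirectory:
    """Hardened design: identity is scoped by tenant, so de-duplication can
    never join records that belong to different customers."""

    def __init__(self):
        self.addresses = defaultdict(set)

    def add(self, rec):
        self.addresses[(rec["tenant"],) + person_key(rec)].add(rec["email"])

    def recipients(self, tenant, records):
        out = set()
        for rec in records:
            if rec["tenant"] == tenant:
                out |= self.addresses[(tenant,) + person_key(rec)]
        return out


def cross_tenant_leaks(directory, records):
    """Audit: addresses a tenant would mail that it was never given."""
    leaks = {}
    for tenant in {r["tenant"] for r in records}:
        given = {r["email"] for r in records if r["tenant"] == tenant}
        extra = directory.recipients(tenant, records) - given
        if extra:
            leaks[tenant] = extra
    return leaks


def build(directory_cls, records=SIGNUPS):
    directory = directory_cls()
    for rec in records:
        directory.add(rec)
    return directory
```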


European Parliament rejects Software Patent Directive

<Pete Mellor <pm@csr.city.ac.uk>>
Mon, 11 Jul 2005 14:37:44 +0100 (BST)

On 6 July 2005, the European Parliament decisively rejected the directive of
the European Commission, which would have brought software into the patent
system.

For those like me who have followed the argument about software patents over
the last many years, this comes as a relief.  I was first alerted to the
potential damage of software patents many years ago when I heard Richard
Stallman talk.  He gave another set of seminars in London around two years
ago.  I find his arguments against software patents totally convincing.  He
has summarised these neatly in an article in The Guardian on 23rd June:

http://www.guardian.co.uk/online/story/0,,1511965,00.html

A search on the Guardian site turns up several related articles and letters.

My colleague David Dodson has circulated the press release from the FFII
("Foundation for a Free Information Infrastructure"), a campaigning group.
The web sites listed at the foot of the release are worth visiting by anyone
who still needs to be convinced that software patents are a bad thing.  In
particular, see: http://webshop.ffii.org/

This does not mean that we can relax, of course, since further attempts to
sneak in such legislation will probably be made.  "The price of freedom is
eternal vigilance."

> The Foundation for a Free Information Infrastructure (FFII) is a
> non-profit association registered in several European countries, which
> is dedicated to the spread of data processing literacy. The FFII
> supports the development of public information goods based on copyright,
> free competition, open standards. More than 3,000 companies and 90,000
> individuals have entrusted the FFII to act as their voice in public
> policy questions concerning software copyright and patents. The FFII
> maintains an office in Brussels and national sections in many countries.

It's essentially a cross-European grassroots group of volunteers, organised
primarily by e-mail lists and websites/wiki systems, primarily focussed on
the campaign against software patents and the software patent directive, and
which in the process has slowly learned its way around some of the Brussels
political jungle.

Increasingly, it has also acted as a focus for statements and support
from concerned SMEs:
  http://www.economic-majority.com/testimony/index.en.php

Peter Mellor, Centre for Software Reliability, City University,
Northampton Square, London EC1V 0HB p.mellor@csr.city.ac.uk +44(0)20 7040 8422


"Perspectives on Free and Open Source Software"

<"Peter G. Neumann" <neumann@csl.sri.com>>
Mon, 18 Jul 2005 15:42:45 PDT

edited by Joseph Feller, Brian Fitzgerald, Scott Hissam, and Karim Lakhani,
24 chapters, with a foreword by Michael Cusumano and an epilogue by Clay
Shirky, The MIT Press, 2005.  538pp+xxxi.  ISBN 0-262-06246-1.

Part I: Motivation of F/OSS Development
Part II: Evaluation of F/OSS Development
Part III: F/OS Processes and Tools
Part IV: F/OSS Economic and Business Models
Part V: Law, Community, and Society

  [Everything anybody ever wanted to know about F/OSS (which is the
  book's way of abbreviating "Free and Open Source Software")?
  Probably not, but may be useful.  PGN]
