The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 27

Monday 1 May 2006

Contents

Sounding the Alarm on Government-Mandated Data Retention
Lauren Weinstein
Scarily Prophetic Ad
Daniel Graifer
New Private Investigator laws for e-USA
Al Macintyre
Japanese Newspaper subscriber information leaked to Internet
Glenn Story
Drexel personal information on stolen laptop
Leonard Finegold
Data storage firm apologizes for loss of railroad data tapes
Monty Solomon
TSA: Computer glitch led to Atlanta airport scare
Patrick J. Kobly
911 call show wrong address
John Curran
Driven to distraction: cellphones
Monty Solomon
Re: Man Gets $218 Trillion Phone Bill
Mathew
Re: PDF Hell for SA Bank
Seth Breidbart
Jan Vorbrüggen
Trivia -- Truth Stranger than Fiction?
Chris Drewe
Re: RFID Zapper
Jan Vorbrüggen
Re: Triple DES Upgrades
Richard Outerbridge
Re: Honeypot Cars
Paul Robinson
Info on RISKS (comp.risks)

Sounding the Alarm on Government-Mandated Data Retention

<Lauren Weinstein <lauren@vortex.com>>
Sat, 29 Apr 2006 17:57:11 -0700 (PDT)

  [A floor vote on this dangerous piece of legislation may happen as early
  as this Wednesday.  This is a disaster in the making relating to flagrant
  disregard of privacy issues, data access without warrants, unconstrained
  dissemination and reuse, etc.  The potential downsides are almost too
  numerous to list here!  PGN]

Greetings.  A few days ago, in this message:

  http://lists.elistx.com/archives/interesting-people/200604/msg00134.html

I commented on Attorney General Gonzales' recent statement regarding data
retention, and the alarming slippery slope that I feel this represented.

Now, this article:

http://news.com.com/Congress+may+consider+mandatory+ISP+snooping/2100-1028_3-6066608.html?tag=st_lh

reports that a Democratic Congresswoman is proposing to fast-track a bill or
amendment to *require* essentially permanent retention of users' Internet
activity data (until at *least* one year after the user *closes their
account*).  For long-term users, this means effectively permanent retention.

Again, I must note the supreme ironies.  It was only a few months ago that
people were screaming bloody murder about DoJ demanding Search Engine
records -- a demand that apparently only Google had the backbone to
appropriately resist, noting the sensitivity of the data involved.  This
controversy triggered calls (including in some legislative quarters) for a
law mandating the destruction of much related data after some reasonable,
relatively short interval, with appropriate designated exceptions for R&D,
business development, and the like.

Now, by waving the red flag of fighting child pornography, seemingly
intelligent and usually well-meaning legislators appear ready to create the
mother of all big-brother database laws, a treasure trove of personal data
that will ultimately be available for every fishing expedition under the
sun.

For those persons who trust the government not to abuse such data, I hasten
to note that these kinds of infrastructures, once in place, tend to be
self-perpetuating, and will be available to *future* governments as well,
including administrations who might not be as "benign" as the current one.

The article referenced above correctly notes the comparison with the
McMartin Preschool child abuse witch-hunts of years ago.  Hysteria over the
abhorrent and real problem of child porn is being used to potentially
decimate broad and critical privacy rights -- with the high probability of
negative effects and consequences that are almost impossible to overstate.

If we do not maintain a balance between law enforcement goals (including but
not limited to child abuse issues), and privacy rights, we will be flushing
those rights we've had as law-abiding citizens down the toilet -- all in the
name of seemingly laudable goals.

The Internet is rapidly becoming involved in most technology-based human
communications.  The sensitivity of Internet user activity data can be
enormous.  Broadly mandated data retention would move us drastically toward
the realm of previously unimaginable "nightmare" scenarios (such as
requiring the recording of all telephone calls, or the installation of
government cameras in bedrooms -- both actions that could indeed be useful
for law enforcement purposes).

Without wishing to sound melodramatic, I strongly assert that if we don't
take a stand now, we are likely to see the wonders of the Net repurposed
into shackles that have the potential to undermine the very basis of our
fundamental freedoms.

Lauren Weinstein  +1 (818) 225-2800 http://www.pfir.org/lauren
Co-Founder, PFIR People For Internet Responsibility - http://www.pfir.org
DayThink: http://daythink.vortex.com  lauren@pfir.org http://lauren.vortex.com


Scarily Prophetic Ad

<Daniel Graifer <graifer@earthlink.net>>
Wed, 26 Apr 2006 22:23:18 -0400

This Ad is REALLY SCARY....

http://www.adcritic.com/interactive/view.php?id=5927

  [Illustrative of what is to come?  Worth viewing if you have
  not yet seen it (it's been around for a while).  PGN]


New Private Investigator laws for e-USA

<Al Macintyre <macwheel99@sigecom.net>>
Thu, 27 Apr 2006 12:24:56 -0500

Some computer professionals will need to get a Private Investigator license
just to continue doing their computer work.  I imagine this will also apply
to accountants and auditors, in fact anyone who analyses data that is on
computer systems, on behalf of some other company, and perhaps people who
work at software houses, computer retailers, whoever does repairs to
computers, installations of new stuff.  We will have to be asking suppliers
of firewall, anti-virus, anti-spam, anti-spyware etc. if they have a PI
license, otherwise it might be illegal to buy their products, and if there
are no such suppliers, then it may be illegal to be protected against the
cyber-criminals.

Companies will need to get an opinion from their lawyers, with respect to
filing annual reports with the state and with government regulators. We are
supposed to swear this data is correct under penalty of perjury, but it was
derived by accounting and computer experts, not Private Investigators, but
now it is illegal to get such data from people who are not Private
Investigators?  Does this also mean that Police Department personnel need to
get a PI license before they may testify in court?

From Security in the news.
https://thei3p.org/pipermail/security-news-html

Forensic felonies, *The Register*, 26 Apr 2006

A new Georgia law aimed at private investigators now ``extends to computer
forensics and computer incident response, meaning that forensics experts who
testify in court without a PI license may be committing a felony''.  The
``law requires all private investigators in the State of Georgia to be
licensed'', and is ``intended to prevent people from simply opening up shop
and claiming to be PIs.''  However, the ``problem lies in both the
definition and interpretation of what services can only be offered by a
licensed PI, and how that extends into the electronic world.''  Forensic
experts, by definition, help individuals and business owners to find the
``cause and responsibility for ... losses and damage to ... property'', which
is exactly how the law describes the duties of private investigators,
meaning that under the new law forensic experts would be committing a felony
in the course of their usual trade. Other states with similar laws include
California, Arizona, Utah, Nevada, Texas, Delaware, and New York.  An
exception allowing attorneys, and those working directly under, as well as
any in-house experts a business may have, provides protection for some.

http://www.theregister.co.uk/2006/04/26/law_change_for_pis


Japanese Newspaper subscriber information leaked to Internet

<Glenn Story <storyg@acm.org>>
Fri, 28 Apr 2006 10:08:57 PDT

*The Mainichi Shimbun* reported that information on about 66,000 subscribers
(including names, addresses, phone numbers, dates of birth, and e-mail
addresses) was leaked onto the Internet.  This resulted from an employee
copying the data onto his own computer, which was thought to have been
infected with a virus that exploited a vulnerability in the *Share*
file-sharing application.  [Source: *The Japan Times*, 28 Apr 2006; PGN-ed]
  http://search.japantimes.co.jp/cgi-bin/nn20060428a3.html


Drexel personal information on stolen laptop

<Leonard Finegold <L@drexel.edu>>
Fri, 21 Apr 2006 15:31:34 -0400

We're informed that identity may be stolen up to 7 years after the present
theft.  And a colleague asked "if laptop be retrieved, will we be told?"  --
as if they'd never heard of copying.  LF

  Date: Fri, 21 Apr 2006 14:32:44 -0400
  From: Drexel Special Announcment <drexmail@drexel.edu
  Subject: Your Free CreditWatch Program has been Extended to Two Years

  As you know, Drexel has been informed by Deloitte & Touche, an independent
  firm that has conducted regular audits of our financial statements since
  2001 that a laptop computer stolen from an employee of Deloitte & Touche
  contained files with personal information on current and retired Drexel
  employees, including Social Security numbers and birth dates.

    [Lengthy plug for Equifax Personal Solutions omitted...  PGN]

Leonard X. Finegold, Physics, Drexel University, Phila. PA 19104
L@drexel.edu 1-215.895.2740


Data storage firm apologizes for loss of railroad data tapes

<Monty Solomon <monty@roscom.com>>
Sat, 29 Apr 2006 01:30:43 -0400

Iron Mountain Inc. has apologized for losing personal data, including Social
Security numbers, for as many as 17,000 Long Island Rail Road employees and
former employees.  [Source: Chris Reidy, *The Boston Globe*, 28 Apr 2006;
PGN-ed]

http://www.boston.com/business/globe/articles/2006/04/28/data_storage_firm_apologizes_for_loss_of_railroad_data_tapes/


TSA: Computer glitch led to Atlanta airport scare

<"Patrick J. Kobly" <patrick@kobly.com>>
Fri, 21 Apr 2006 09:47:03 -0600

A bomb scare that led authorities to evacuate security checkpoints for two
hours at Atlanta's Hartsfield-Jackson International Airport on 19 Apr 2006
was reported by the Transportation Security Administration director as the
result of a "software malfunction".  The detected device was part of a
routine test, but apparently could not be located.  The software was
supposed to follow up with a "This is a test" message, but apparently failed
to do so.  [Source: cnn.com, 20 Apr 2006; PGN-ed]
  http://www.cnn.com/2006/US/04/20/atlanta.airport/index.html

You've probably seen this one a few times (certainly since it got picked up
by Slashdot), but it seems strangely reminiscent of the SAC/NORAD incidents
of June, 1980 and November, 1979 (particularly the 1980 incident). (See
http://www-ee.stanford.edu/~hellman/Breakthrough/book/pdfs/borning.pdf and
Neumann's "Computer-Related Risks" book.)

The risks seem obvious here - whether testing the alertness of operators (as
the Atlanta incident) or the systems (as in the 1980 SAC incident), we have
to think about the consequences of test data on operational systems...


911 call show wrong address

<"John Curran" <curranj@gmail.com>>
Fri, 21 Apr 2006 13:15:35 -0400

In the 21 Apr 2006 issue of *The Washington Post* there is a story about a
man in suburban Maryland who was suffering chest pains and called 911.  But
before he could tell the operator where he was, he passed out.  The
emergency squad responded to the address shown for the phone number, but it
was the main building for the company and the man was in an adjacent
building.  The emergency personnel searched the building but did not find
anything.  He was found dead in his office ten hours later by a cleaning
crew person.  So the identification information shown by some systems to the
911 centers is linked to the main switch and its location and not the
physical location of the unit making the call.

http://www.washingtonpost.com/wp-dyn/content/article/2006/04/20/AR2006042001923.html

  [This is not unusual, and clearly needs to be recognized as a risk.  PGN]


Driven to distraction: cellphones

<Monty Solomon <monty@roscom.com>>
Fri, 21 Apr 2006 02:32:17 -0400

The National Highway Traffic Safety Administration and the Virginia Tech
Transportation Institute tracked the behavior of drivers in 100 vehicles
equipped with video and sensor devices.

The results: Inattentiveness caused by drivers using a cell phone, applying
makeup, and being distracted from the road -- all caught on videotape --
cause nearly 80 percent of crashes and 65 percent of near-crashes, according
to the study.  Each distraction carried a different risk of causing crashes
or near crashes: reaching for an object increased the risk by nine times;
drowsiness by at least four times; and applying makeup by three times.  The
one-year study ... cited cell phone use and drowsiness as the major causes
of distraction.  [Source: Kathy Uek, *Metrowest Daily News*, 21 Apr 2006;
PGN-ed]
  http://www.metrowestdailynews.com/localRegional/view.bg?articleid=127986


Re: Man Gets $218 Trillion Phone Bill (Hatton, RISKS-24.24)

<mathew <meta@pobox.com>>
Tue, 25 Apr 2006 11:02:50 -0500

> An interesting one this.  Unless this got misprinted somewhere, they must
> have gone to 64-bit arithmetic to issue bills this big.

Far more likely is that their billing system is written in COBOL, and uses
BCD arithmetic.

In fact, since errors of a fraction of a penny are significant in telephony
billing, I sincerely hope that they use BCD, and don't run the risk of
binary representation errors.

See also <URL:http://www2.hursley.ibm.com/decimal/>. This is how financial
arithmetic should be done, and it's worth noting that the sample benchmark
code simulates a telco billing system.

http://www.pobox.com/~meta/


Re: PDF Hell for SA Bank

<sethb@panix.com (Seth Breidbart)>
Thu, 27 Apr 2006 22:01:52 +0000 (UTC)

Any printable format can be counterfeited; even if the bank sent a protected
PDF (and the protection worked), it could just be replaced with an entirely
user-generated PDF.

There are two methods for a bank to supply something that resembles proof of
a transaction:

1. Digitally sign a statement of transaction.  This has the weakness that
   most people can't verify the signature.

2. Provide a token (preferably opaque) that when entered into the bank's web
   site, provides the bank's view of the transaction as shown in the bank's
   records.
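
The second method above, sketched as an added example that is not part of the original post: the bank issues a random token, keeps only its hash next to its own record, and a recipient checks what a presented document claims against what the bank returns. The `BankLedger` class, the `check_claim` helper and the sample record are hypothetical names and constructed data.

```python
import hashlib
import secrets


class BankLedger:
    """Hypothetical bank-side store: SHA-256(token) -> the bank's own record."""

    def __init__(self):
        self._by_token_hash = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_proof_token(self, record):
        # Opaque: the token is random and encodes nothing about the
        # transaction, so editing it cannot produce a different valid claim.
        token = secrets.token_urlsafe(24)
        # Only the hash is stored, so a leaked table yields no usable tokens.
        self._by_token_hash[self._digest(token)] = dict(record)
        return token

    def lookup(self, token):
        record = self._by_token_hash.get(self._digest(token))
        return dict(record) if record is not None else None


def check_claim(ledger, token, claimed):
    """Compare a presented document with the bank's view of the transaction.

    Returns None for an unknown token, otherwise a dict of the fields where
    the document disagrees, as field -> (claimed value, bank value).
    """
    record = ledger.lookup(token)
    if record is None:
        return None
    return {field: (claimed.get(field), value)
            for field, value in record.items()
            if claimed.get(field) != value}


# Constructed sample transaction, not taken from the digest.
SAMPLE_RECORD = {"payer": "A. Customer", "payee": "Example Supplier",
                 "amount": "1500.00", "date": "2006-04-27"}
```

The recipient never has to trust the document itself: whatever the printable copy says, only the record returned for the token counts.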


Re: PDF Hell for SA Bank (Risks 24.26)

<Jan Vorbrüggen <jvorbrueggen-not@mediasec.de>>
Fri, 28 Apr 2006 09:56:13 +0200

> What do folks know about securing PDF documents? I know that encrypted and
> password-protected PDFs are fairly easily cracked

Obviously, the only way of handling this is to digitally sign the PDF, and
get the recipient to check the signature. However, if you put a legible note
to do so on the PDF itself, the man-in-the-middle attacker might remove
that while falsifying the date...somewhat of a catch-22.

In this context, it remains unclear whether the functionality built into the
reader allows one to display _only_ the signed portion of the document. If
not, the attacker can add additional (unsigned) objects that overwrite some
of the displayed data with whatever she needs for her purposes. Technically,
the signature will be verified, but the recipient perceives something
different from what is signed - the What-you-see-is-what-you-sign problem.
There are, of course, ways to work around it (also in the context of PDFs),
but they require investment and additional work at both ends of the chain.

Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen
+49 201 437 52 52  jvorbrueggen@mediasec.de  http://www.mediasec.com
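
A recipient-side check for the "signed portion" question raised above, as an added example that is not part of the original post: it reads each signature's `/ByteRange` and reports how many bytes of the file lie outside what was hashed. The sample bytes are a constructed stand-in rather than a parseable PDF, and the check says nothing about whether the signature itself verifies.

```python
import re

# A PDF signature dictionary carries /ByteRange [start1 len1 start2 len2]: the
# two spans that were hashed. The gap between them holds the /Contents hex blob.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_CONTENTS = re.compile(rb"<[0-9A-Fa-f]*>")


def signed_coverage(pdf):
    """For every /ByteRange found, describe what that signature leaves uncovered."""
    reports = []
    for match in BYTE_RANGE.finditer(pdf):
        s1, l1, s2, l2 = (int(group) for group in match.groups())
        end = s2 + l2
        reports.append({
            "starts_at_zero": s1 == 0,
            # The only unhashed bytes should be the hex signature value itself.
            "gap_is_contents_only":
                HEX_CONTENTS.fullmatch(pdf[s1 + l1:s2]) is not None,
            "in_bounds": end <= len(pdf),
            # Anything after the second span was added outside this signature.
            "unsigned_trailing_bytes": max(len(pdf) - end, 0),
        })
    return reports


def covers_whole_file(pdf):
    """True only if some signature hashes every byte except its own /Contents."""
    return any(
        r["starts_at_zero"] and r["gap_is_contents_only"]
        and r["in_bounds"] and r["unsigned_trailing_bytes"] == 0
        for r in signed_coverage(pdf)
    )


def build_signed_sample():
    """Constructed stand-in for a signed file; the signature value is all zeros."""
    head = (b"%PDF-1.4\n1 0 obj\n<< /Type /Sig "
            b"/ByteRange [0 AAAAAAAAAA BBBBBBBBBB CCCCCCCCCC] /Contents ")
    contents = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n2 0 obj\n(statement text)\nendobj\n%%EOF\n"
    # Fill the fixed-width placeholders so the offsets match the real layout.
    for mark, value in ((b"A", len(head)),
                        (b"B", len(head) + len(contents)),
                        (b"C", len(tail))):
        head = head.replace(mark * 10, b"%010d" % value)
    return head + contents + tail


SIGNED = build_signed_sample()
# Constructed bytes appended after signing, as an incremental update would be.
APPENDED = b"3 0 obj\n(unsigned addition)\nendobj\n%%EOF\n"
TAMPERED = SIGNED + APPENDED
```

A non-zero `unsigned_trailing_bytes` is a reason to inspect the later revision, not proof of forgery, since a legitimate second signature or form fill also appends data.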


Trivia -- Truth Stranger than Fiction? (Re: Norman, RISKS-24.22)

<Chris Drewe <e767pmk@yahoo.co.uk>>
Wed, 19 Apr 2006 22:09:46 +0100

> ... "Rather interesting," said Lewis Carroll, spokesperson for the
> university, "several college buildings are quite off their correct
> location." Unfortunately, initial estimates for moving the buildings and
> roads to correct these discrepancies are too expensive, so, as Carroll
> puts it, "we will have to put up with these problems, but we will annotate
> the map to show where these placement errors occur."

By coincidence (presumably!), the following item appeared in the uk.railway
Usenet group recently.  Background is that Colne and Skipton are two small
towns in northern England, about 30 miles/50km north of Manchester; they are
only about 12 miles/20km apart, but the railway line between them was closed
some years ago, so although they retain their stations, traveling between
them by train means taking an amazingly circuitous route -- you could
probably do it quicker by bicycle.

  Date: Wed, 12 Apr 2006 13:45:32 +0100
  From: srbroadbet@btopenwold.com (Steve Broadbent)
  Newsgroups: uk.railway
  Subject: Re: Clitheroe-Hellifield

  > Why did that line close in the first place? Was it something to do with
  > the (now abandoned) plan to extend the motorway?

  When I was chairman of the SELRAP re-opening campaign group
  (www.selrap.org.uk), the story we were told that held sway locally was
  that a BR [British Railways] network map was shown to Barbara Castle, then
  Minister of Transport, which showed, erroneously, the Skipton-Colne line
  missing and thus closed.  Thus rather than admit the error to the
  Minister, the line was duly closed. It was not closed as a result of
  Beeching [plan for rationalisation of UK's railways in 1960s], it did not
  close till January 1970


Re: RFID Zapper (RISKS-24.26)

<Jan Vorbrüggen <jvorbrueggen-not@mediasec.de>>
Fri, 28 Apr 2006 10:06:47 +0200

> I imagine that there will be a consumer market for this.

Oh yes!

> * Then the next society development will be that objects where RFID was
>   inserted for purposes of identification, like in ID cards, Passports etc.
>   will malfunction because someone had used the RFID Zapper on them,
>   rendering those people's ID unusable for the intended purposes.

Indeed so. And what are the issuers' and verifiers' fallback positions when
this happens, be it inadvertently or on purpose, either by the holder or by
a third party? At least ICAO has now woken up to the problem and is actively
pursuing such fallback positions.

Imagine an A380 load of passengers waiting at US immigrations, and somebody
uses an RFID zapper on the crowd, perhaps to make it easier for some of the
passengers to enter the US illegally.

People are already not amused by the prices they have to pay for the
"RFID-enhanced" ID documents (above 100 Euro / 125 USD), which is about 3-5 times
the current pricing. Lifetime issues are also a continuing problem - nobody
believes the chips will last the 10 years that are these documents'
lifetimes now. For frequent travelers, even the promised three years will be
iffy.

> * Then stores, and other institutions, will have to institute rules that
>   people are not allowed to enter their premises carrying an RFID Zapper, so
>   as to prevent unauthorized usage on the store merchandise.

That won't help some other, commercially relevant scenarios. As a variation
of the above, consider me running a pharmaceuticals warehouse for a
wholesaler in a commercial district, with my competitor on the adjoining
property.  Every time a truck drives up to unload, I activate my device that
will zap perhaps 30% of all RFIDs in the packages that are being
unloaded. Now consider all ramifications of this, both business and
regulatory. It's a nightmare.

Jan Vorbrüggen - MediaSec Technologies, Berliner Platz 6-8, D-45127 Essen
+49 201 437 52 52  jvorbrueggen@mediasec.de  http://www.mediasec.com


Re: Triple DES Upgrades (Redspin, RISKS-24.26)

<Richard Outerbridge <outer@sympatico.ca>>
Fri, 28 Apr 2006 12:22:05 -0400

The gist of the item is correct, but the fact of the matter is that it's not
3DES itself that is causing the problems.  The 20-year old magnetic stripe
infrastructure is the root cause, and moving to chip-and-PIN is the fix that
everyone except the USA is in the midst of adopting.  In stereotypical and
steadfastly arrogant fashion, USA banks are refusing to move to
chip-and-PIN, whilst at the same time refusing to accept any international
liability for not doing so.  Have our cake and eat it too, anyone?  Softwood
lumber, anyone?

It's widely expected that magstripe skimming fraud will migrate to and
become a significant distinguishing feature of the US retail marketplace, if
it isn't already.  Of course, any costs - either way, to deploy chip or
continue to swallow increasing magstripe fraud - will continue to be
externalized by the Banks to their retail consumers: you and me.

However, the article is absolutely right on one account: there's no way to
go chip-and-PIN without 3DES.  If that requires a Windows update to effect,
well, the US Supreme Court made that risk assessment for all of us some
while ago.


Re: Honeypot Cars (Cohen, RISKS-24.26)

<Paul Robinson <paul@paul-robinson.org>>
Sat, 29 Apr 2006 12:47:56 -0400

They can be done in one of two ways.  My home town of Arlington County,
Virginia is using them.

First, the cars are put out on the street, legally parked, unlocked, with
the keys in the ignition.  Someone comes by, sees the car, gets in and
drives off.  Within one block the car is disabled and locked.  The thief
(and anyone with them) is busted red handed for stealing a car.  Faced with
them caught locked in the stolen car and video evidence of them getting into
and driving off a car they have no legal right to be in, they always plead
guilty.

My understanding is that when the immobilization feature is used it is done
while the police are watching that particular vehicle and it's done within a
very short period of time, say a block or two of the person driving off, the
idea (I presume) is the police are going after the "low hanging fruit" of
casual joyriders.

(Please don't think I'm considering this lightly.  I've had a vehicle robbed
from maybe ten years ago, and I had a (different) car stolen a couple of
years ago.  I had the unfortunate privilege of getting the vehicle back, the
guy who stole it was caught (unfortunate because the car wasn't worth very
much but was fully insured and it would have been better for me if the
insurance company had paid me for the legitimately stolen car) and the
fortunate privilege that the guy who stole it learned his lesson, he went
out, found work and actually paid me back for all of the damages I had to
repair on the car.  The county sent me a check a few months ago.)

In the secondary case, cars are allowed to be stolen by professionals, who
now move them to walk-away parking lots where they leave them for a while in
case the vehicle has Lojack or other tracking systems to see if the police
come after them.  The police let the vehicle sit, and when the other thief
comes to get it, they follow it to its destination and bust the chop shop
operator (most vehicles are stolen for rendering because it's worth more
disassembled as parts than the vehicle as a whole and the parts are
untraceable).  In this scenario, the police are not going to immobilize the
vehicle or trap the driver because they want the driver to get wherever it's
going so they can bust him (or her) and the theft ring.

 > But presumably no one thinks of prosecuting an attacker who was not also
 > caught attempting to attack a real server.  Or do they?

If you can catch them.  Clifford Stoll tells in his book "The Cuckoo's Egg"
about his efforts to discover why there was a 75c discrepancy in billing
records on the computer system he was managing, and this led him on an
intercontinental chase for a cracker who was breaking into various systems
and using some as gateways to others in an attempt to cover his tracks.

A lot of cyber attacks are being run by botnets in which the operator sends
one command out to a bunch of other "compromised zombie" computers that are
then committing DDOS attacks, sending spam, storing warez, etc.  Because
they are using a non-logging intermediary, it's much harder to catch them.
You have to find the zombies they are using, then trace the incoming traffic
from those zombies (if you can).  If the guy uses enough intermediaries it
may be damn near impossible, at least for DDOS attacks.

Basically, you need to "follow the money."  Where there is spam being sent,
someone is paying for the advertising, they need to be squeezed to find out
whom they are using; if someone is doing a DDOS attack there will almost
certainly be an extortion demand, and the answer is to watch for whomever is
coming to collect the money by flagging the transaction so they can be
nabbed.

In both cases it's the same: catching someone who has to be physically
present to commit the crime is trivial; they have to be there to steal the
car and (in the other case) they have to be at some physical location to
pull extortion payoff money from a transfer agent.

Compare that to catching someone who is using ten or twenty thousand
compromised computers in ten thousand locations that may be in places as
much as 1/2 way around the world from their actual location.
