The RISKS Digest
Volume 24 Issue 38

Friday, 18th August 2006

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


RFID car keys and insurance
Joshua Levy
Anti-hijack software: what a great idea!
Nickee Sanders
Bit bucket swallows 17 million AU dollars
Rodney Polkinghorne
Sober Warnings About e-Voting Systems
Eric Sinrod via TechNews
The FBI's Upgrade That Wasn't
Eggen and Witte
Your Cable Company — powered by the guy with the extension cord
Lauren Weinstein
UK bank details sold in Nigeria
Amos Shapir
Another auditor's laptop stolen
Neil Youngman
First conviction in UK for Wi-Fi hijack
Peter Mellor
Can't type? Your Dell laptop battery must be OK!
Dan Miller
Re: 3.1 million HSBC
Thor Lancelot Simon
Re: LA power outages
Scott Peterson
Re: Letter on cybersecurity from the president
Nick Simicich
REVIEW: "Risk Management Solutions ... Compliance, Quarterman
Rob Slade
Info on RISKS (comp.risks)

RFID car keys and insurance

<Joshua Levy <>>
Mon, 14 Aug 2006 09:46:30 -0700

  [Source: Brad Stone, Pinch My Ride, *WiReD News*; PGN-ed]

To make a long story short, Emad Wassef had his Lincoln Navigator stolen
from a Target parking lot in Orange County, California.  He reported the
theft to police and his insurance company.  Two weeks later the SUV turned
up near the Mexican boarder, stripped.  His insurance company (Unitrin
Direct) claimed the transponder antitheft system is absolutely nonspoofable.
Brad Stone (the author of the article) himself had had a similar experience
two years before, which he had written up for *Newsweeek* in 2004, which led
to many letters reporting similar thefts.  Brad suggests various
possibilities.  Cloned key?  Masquerader requesting a duplicate for an
observed vehicle identification number?  He also discovered there is an
emergency override known to insiders, involving a particular nongeneric
sequence of mechanical actions.  The moral of this story is that if you
believe your transponder makes you more secure and less likely to get
stiffed by your insurance company, forget about it.

Anti-hijack software: what a great idea!

<Nickee Sanders <>>
Fri, 18 Aug 2006 18:15:10 +1200

A joint European effort is working on software that would enable remote
control of an aircraft that could override any attempts by hijackers to
control the plane, and force a safe landing.  "The system would be designed
in such a way that even a computer hacker on board could not get round it."
If successful, it would resolve various debates such as those going on in
Germany about shooting down hijacked commercial airliners.  The project is
budgeted for 36m Euros.   [Source: Yahoo News, 22 Jul 2006; PGN-ed]

If only it were April Fools' Day...
Nickee Sanders, Software Engineer, Auckland, New Zealand

  [Ah, perfect security at long last!  How reassuring to RISKS readers. PGN]

Bit bucket swallows 17 million AU dollars

<Rodney Polkinghorne <>>
Tue, 15 Aug 2006 14:49:28 +1000

Today's issue of *The Australian* has two stories about a new accounting
system that Australian Pharmaceutical Industries installed when it outgrew
Excel.  The one in the IT section [1] features the company's information
management leader congratulating himself on how quickly he got the new
system got up and running.

The one in the business section [2] reports that the company's shares have
been suspended from trading because the new books don't balance, and no one
knows whether the company made 20 or 40 million Australian dollars last

[1] "Finding the right modelling tool", The Australian, 15th August 2006,
[2] "API mystified by missing millions", The Australian, 15th August 2006,

"Sober Warnings About e-Voting Systems"

<TechNews <technews@HQ.ACM.ORG>>
Fri, 18 Aug 2006 16:29:02 -0400

[Source: Eric J. Sinrod, CNet (08/17/06) via ACM TechNews; 18 Aug 2006]

In its analysis of three of the most widely used electronic voting systems,
the Brennan Center for Justice at New York University found significant
security and reliability flaws in each of them that could compromise the
integrity of local, state, and national elections.  With sufficient
precautions at the state and local levels, the most serious vulnerabilities
can be addressed, but few jurisdictions have implemented the necessary
countermeasures to shore up their systems.  The study analyzed the Direct
Recording Electronic (DRE) system, which directly records a voter's choices
with a ballot that appears on the screen; DRE with Voter Verified Paper
Trail, which captures the vote both electronically and on paper; and
Precinct Optical Scan, which enables the voter to mark a ballot with a pen
and then carry it to a scanner.  It would be fairly easy for someone to
deploy software attack systems to alter vote counts or launch an attack on
the system with a wireless device.  New York and Minnesota are currently the
only two states that prohibit wireless components on all voting machines.
The Brennan Center report recommends automatic, routine audits that compare
electronic tallies with voter-verified paper records after every election.
The report also urges states to adopt wireless bans and randomly examine
machines on Election Day for viruses and worms.

The FBI's Upgrade That Wasn't

<"Peter G. Neumann" <>>
Fri, 18 Aug 2006 11:28:18 PDT

[Source: Dan Eggen and Griff Witte, The FBI's Upgrade That Wasn't: $170
Million Bought an Unusable Computer System, *The Washington Post*, 18 Aug
2006, A01; PGN-ed]

It was late 2003, and a contractor, Science Applications International Corp
.  (SAIC), had spent months writing 730,000 lines of computer code for the
Virtual Case File (VCF), a networked system for tracking criminal cases that
was designed to replace the bureau's antiquated paper files and, finally,
shove J. Edgar Hoover's FBI into the 21st century.  It appeared to work
beautifully. Until Azmi, now the FBI's technology chief , asked about the
error rate.  Software problem reports numbered in the hundreds, and were
multiplying as engineers continued to run tests. Scores of basic functions
had yet to be analyzed.  "A month before delivery, you don't have SPRs,"
Azmi said. "You're making things pretty. . . . You're changing colors."

  [This is more on an old story that was foreordained a long time ago.  PGN]

Your Cable Company — powered by the guy with the extension cord

<Lauren Weinstein <>>
Sat, 12 Aug 2006 03:47:03 -0700

Last night at around 2:15am (yup, everyone's just leaving the bars) my area
had a widespread power failure when someone wrapped themselves around a main
distribution line power pole (this is a Friday and Saturday night tradition
of course).  While LADWP started on it pretty quickly, power was not
restored for around seven hours.

That long an outage is enough to expose one of the serious weak points in
our telecom networks — remotely situated batteries.  They don't last very
long without external charging power, and we already know that microcell
sites tend to go down quickly for this reason when power fails.

Early this morning when I started walking the area to see the effects, I
quickly found an unmarked white bucket truck with engine running, parked at
a nearby corner, with an orange extension cord running from its open hood to
the open cable backup power box on the nearby pole, containing what looked
like about three gel cells.

When I went over and talked to the friendly cable guy splicing wires on the
back of his truck, he told me that he wasn't even trying to charge the
batteries, all he could do was try to keep the system running from his truck
until power was restored.

Cable modems?  Cable VoIP?  Our whole world of modern cable telecom,
dependent on a guy with an extension cord and an old bucket truck.

I found it rather amusing, in a "sad commentary" sort of way.

Lauren Weinstein +1 (818) 225-2800
Moderator, PRIVACY Forum - Blog:

UK bank details sold in Nigeria

<"Amos Shapir" <>>
Mon, 14 Aug 2006 18:17:22 +0300

Bank account details belonging to thousands of Britons are being sold in
West Africa for less than 20 each, the BBC's Real Story programme has
found.  It discovered that fraudsters in Nigeria were able to find internet
banking data stored on recycled PCs sent from the UK to Africa.


Another auditor's laptop stolen

<Neil Youngman <>>
Sun, 13 Aug 2006 17:12:56 +0100

Recently my wife received a letter from Ernst and Young, regarding the loss
of a laptop containing credit card information for customers of various
travel websites. I don't recall seeing it mentioned on RISKS, so I thought
I'd add it to your collection.

The letter states that "For the past several years, Ernst and Young has been
the auditor for, a travel company which provides the hotel product
and booking technology to may leading travel websites." ...  "An Ernst and
Young employee's backpack containing his laptop computer was stolen from his
locked vehicle in the US." ...  "Following the theft we commenced an
internal investigation of this matter and determined that the stolen
computer contained certain customer information regarding some
customer transactions primarily from the year 2004.  There were also a small
number of transactions from 2003 and 2002.  We believe the transaction
information may have included a transaction you made with and,
specifically, that the information on the laptop may have included your
name, address and some credit or debit card information you provided.  "

The laptop required a password to use it. To date we have received no
information from law enforcement officials that any of the data stored on
the computer has been accessed by an unauthorised person or used improperly.
There is insufficient information in the letter for me to determine which
website was involved and which credit card might be affected.

Ernst and Young do say at the end "We have put in place enhanced security
procedures, including encrypting our laptop computers, to provide additional
protection for sensitive information and have taken other measures to
designed to protect against this type of incident happening again."

First conviction in UK for Wi-Fi hijack

Sun, 13 Aug 2006 13:29:40 EDT

Quoted from BBC News article:

"A recent court case, which saw a West London man fined =A3500 and sentenced
to 12 months' conditional discharge for hijacking a wireless broadband
connection, has repercussions for almost every user of wi-fi networks.

It is believed to be the first case of its kind in the UK, but with an
estimated one million wi-fi users around the country, it is unlikely to be
the last. "There are a lot of implications and this could open the
floodgates to many more such cases," said Phil Cracknell, chief technology
officer of security firm NetSurity."

Apparently, the convicted man had used his laptop from his car while parked
outside a house in which the resident was using an unsecured wi-fi
connection, over a period of three months.  Neighbours noticed him and
reported his behaviour to the police as suspicious.

For the full article, see:

Peter Mellor;  +44 (0)20 8459 7669 (new)

Can't type? Your Dell laptop battery must be OK!

<"Dan Miller" <>>
Tue, 15 Aug 2006 10:43:07 -0400

Dell has set up a website where you can check to see if your laptop battery
is one of the group being recalled, due to overheating.  See

If your laptop belongs to a certain subset of models, you need to find your
battery ID (printed on the battery itself). The code is of the format
zz-zzzzzz-zzzzz-zzz-zzzz; a combination of 20 numbers and uppercase
letters. If the last 5 characters of the second group match one of 36
combinations, you are directed to enter the entire ID to see if your battery
needs replacement. See

The form in question allows you to enter one or more 20-character codes and
hit a Submit button. If your battery is OK, the phrase "No need for
replacement" appears next to the entered ID. I don't know what it says if
your battery does need to be replaced.

Unfortunately, there appears to be absolutely no check to verify you entered
a proper ID. Apparently, battery AB-CDEFGH-IJKLM-NOP-QRST is OK, as is
00-000000-00000-000-0000, and ten random combinations of numbers and

So you'd better heed the warning at the bottom of the page to "Please verify
you entered your PPID correctly before submitting".  You can tell a zero
from a capital letter O if only one of them appears on a label, right?

    [Of course, if you were injured in the process,
    you could call on the Pharma in the Dell.  E-EYE-E-I-O.  PGN!!!]

Re: 3.1 million HSBC (Macintyre, RISKS-24.37)

< (Thor Lancelot Simon)>
Mon, 14 Aug 2006 04:01:46 +0000 (UTC)

To be, perhaps, all too kind, the claim is nonsense, and the fact that its
sole support is an argument about bombs at airports (which I've snipped) is
good reason to suspect as much as soon as you see it.  The "bomb" example is
an exercise in emotional manipulation through the presentation of an
immediate, vivid, highly aversive consequence, intended to trick the reader
into miscomputing the actual cost and benefit of the other problem it
accompanies (the "telling the news media about a security flaw" problem) for
emotional reasons.

To be clear, let's look at the actual ethical problem here in simple
consequentialist terms.  To believe that "you have a responsibility NOT
to be telling the news media", you have to believe that the negative
consequences of you telling the news media outweigh, for ever and ever
going forward from today-here-now, the positive consequences of you doing

Is that really plausible?  Absent the specious "bomb" example, why
should we think so, when we have been given, as the conditions of the
problem, that "you report it to the institution and to law enforcement,
and they do not seem to take you seriously"?  That suggests that (at least)
whatever level of harm is currently occurring will continue indefinitely --
unless, that is, someone _else_ were to make a public disclosure, and thus
even more dramatically absolve you of this phantom 'responsibility' Al is
claiming that you have.  At some point in time, it is clear that the small
continuing harm of continual abuse of the security flaw would in fact far
outweigh the (allegedly) larger, very temporary harm of which your disclosure
of the flaw to the media would purportedly be the cause — after which
disclosure, of course, all harm would stop, since fear of liability would
cause the institition to plug the hole.

The correct choice as a matter of consequentialist ethics is plainly to
continue to attract the correct attention from the appropriate authorities,
but to be prepared to publicly disclose the problem _before_ that small
continuing cost swamps the one-time cost of disclosure.  To claim that one
has some kind of absolute responsibility to not disclose such problems as a
matter of ethics is balderdash, and emotional appeals to examples about
ticking bombs do not (as they usually do not) help.

Re: LA power outages (Jacobson, RISKS-24.37)

<Scott Peterson <>>
Sat, 12 Aug 2006 20:24:32 -0700

>World class first tier facility, two redundant grid hookups, backup battery
>array with two separate sets of diesel generators. Trucks full of diesel are
>on standby and the datacenter is run on each for 12 hours each month to make
>sure everything is working as it should.

I had a girlfriend who worked as a programmer for Carter Hawley Hale.  This
was a good sized California department store chain back in the 1980's.  They
built a huge data center in Orange County, CA.  They made the same kind of
plans for their mainframes.

Tied into multiple grids for power backup, got permission to use the cities
fire hydrant water system for cooling as backup to the regular water supply.
They thought they had everything covered.  Anyway, one day a car hit a
hydrant about a block away.  A valve that was supposed to stop backflushing
hadn't been installed properly and when the city tried to shut off the
hydrant break they found that the datacenter was pumping water from the city
lines into the emergency system with no way to shut it off without turning
off water to the whole data center.  They were down for about 4 days and it
was pretty disastrous.

Re: Letter on cybersecurity from the president

<Nick Simicich <>>
Thu, 17 Aug 2006 10:18:27 -0400

After publishing this deprecation of the current administration from the
loyal opposition, our moderator makes a weak call for "a similar message
from a republican".

I have a further request: How about not publishing things that are obviously
political diatribes masked as legitimate technical criticisms and comments?

It does bother me that the moderators seem to be unable to tell a polemic,
complete with vague, denigrative suggestions from a legitimate technical
criticism.  I won't bother with a point by point response, that would give
too much attention to a content-free political speech.

One thing does scare me about Reid's polemic.  Toward the end, flag firmly
in hand, he refers to 911 and then makes the following comment:

> it is critical that the American people trust that their
> government is taking every possible step to protect them.

No, every reasonable and constitutional step, not every possible step.  We
have already had a series of unreasonable steps, like no nail clippers on
airplanes, and losing your items rather than having them mailed or checked
through as punishment for accidentally bringing them (still in effect).

The "every possible" language is tossed about by both sides, and it is
tossed about by people who probably are not affected by either the measures
they take or their results, short or long term.  Yes, we are at war, and at
war, you take some special actions.  — Blog: Atom: RSS:

REVIEW: "Risk Management Solutions ... Compliance, Quarterman

<Rob Slade <>>
Thu, 17 Aug 2006 09:07:42 -0800

BKRMSSOX.RVW   20060722

"Risk Management Solutions for Sarbanes-Oxley Section 404 IT
Compliance", John S. Quarterman, 2006, 0-7645-9839-2,
%A   John S. Quarterman
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   2006
%G   0-7645-9839-2
%I   John Wiley & Sons, Inc.
%O   U$50.00/C$64.99/UK#31.99 416-236-4433 fax: 416-236-4448
%O   Audience a+ Tech 2 Writing 2 (see revfaq.htm for explanation)
%P   278 p.
%T   "Risk Management Solutions for Sarbanes-Oxley Section 404 IT

There is a problem with the title, quite apart from the fact that it is just
too long.  This book is not about "Sarbanes-Oxley Section 404" (which is in
the largest type on the front cover) as such.  In the preface, Quarterman
explains that this work addresses risk management, and, specifically, those
risks related to the Internet.  The text is intended for a wide ranging
audience: C-level executives who need to manage and report risk, IT
professionals needing information about non-technical control of risk,
insurance and financial organizations needing to make monetary assessments
of risks and benefits, employees of Internet related companies, and business
risk management students.

Having been through the publishing process myself, I know that the title and
cover are not Quarterman's fault: publishers get to choose.  (And, somewhere
in Wiley, there is a marketing person just bouncing up and down with glee at
finally being able to publish a SOX book.)  On the other hand, the title is
not completely misleading: SOX 404 is about the proper assessment and
reporting of potential risks, and pretty much every company these days has
to factor in the perils of dependence upon the Internet.

Chapter one is an introduction, noting that, contrary to standard risk
assessment ideology, some threats are beyond the control of the enterprise,
and not subject to any kind of technical safeguards.  Perils may be too
large for the company (some financial losses are simply too great for an
individual company to survive) and difficult to quantify.  Quarterman points
out that, rather than a fixed value resource, the Internet may be more
similar in valuation to a stock option, or other financial instrument, and
doesn't fit older cost/benefit models.  A variety of hazards from and to the
Internet are listed in chapter two.  Solutions are addressed in chapter
three, and the author also examines proposed solutions that do not work.
For example, the difficulties of the Internet are frequently blamed on the
fact that there is no central authority and management, and it has often
been proposed to implement (or impose) such centralized command structures
on the net.  However, Quarterman demonstrates that decentralization has
worked in a number of cases, including a number of Internet applications.

Chapter four, is problematic: options for risk transfer are discussed
before the concept is raised, and although the title talks about
strategy it is hard to pick strategic measures out of all the tactical
measures.  The work of Basel II, with the concepts of credit and
operational risk calculations, are outlined in chapter five.  Examples
of risks that are troublesome to quantify are given in chapter six.

Chapter seven turns to large enterprises, noting some threats that are
somewhat intrinsic to the breed.  Quarterman doesn't stop with the
"trite but true": some of the perils are hubris and a reputation for
bullying behaviour.  Small enterprises might not find the same kind of
help in chapter eight: the material here talks more about
opportunities and benefits.  Various aspects of bonding, insuring, and
service level agreements (SLAs) for Internet service providers are
examined in chapter nine.  There is an interesting discussion of
third-party bonding, and the advantages that automatically accrue to
all parties under such a situation.  Chapter ten turns to the
government, and the ways in which it can, and can't, help.  Numerous
aspects of insurance; policy language, legal precedents, new concepts,
and the lack of hard data for the effectiveness of the new
instruments; are reviewed in chapter eleven to address the
possibilities, limits, and restrictions of new forms fo risk
transference.  Chapter twelve summarizes the reasons why Internet risk
is different than others.

This book has a rushed feeling to it, and there are a number of odd errors.
The "Acknowledgements" section is, instead, a repeat of the first page of
the preface.  Text and phrases are repeated ("cyberhurricanes"), often
without definition and sometimes in contradictory fashion.  There is, for
example, an amount of $100 billion for risk from the Internet.  This number
is repeated on pages xxiii, 1, 30, 146, and 256 but seems to be used in one
place for a global figure, and in another for the risk to an individual
company.  The structure of individual chapters can be difficult as well: it
is hard to determine threads of specific arguments out of the (admittedly
intriguing) stream of information.

There are three threads that are repeated again and again in the book:
diversity, insurance, and mapping of the Internet.  But there is much
more: Quarterman does not address the standard picture of risk
management, since he is pointing out that the Internet throws our
usual tools for quantified risk analysis into disarray.  Instead he
notes areas that have been neglected, because of the difficulty of
fitting them into standard models, and proposes new, if somewhat
vague, risk paradigms.  This is not a text that can be used as a
reference for ordinary threat analysis, but should be thoroughly
studied by anyone involved with protecting information (and
particularly communications) for a large company, anyone with a major
involvement in the Internet itself, and anyone responsible for
business risks in a rapidly changing environment.

copyright Robert M. Slade, 2006   BKRMSSOX.RVW   20060722

Please report problems with the web pages to the maintainer