The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 08

Weds 26 October 2005

Contents

Colleges protest call to upgrade online systems
Sam Dillon / Stephen Labaton
Printer steganography
Mike Musgrove
Meso-Mess: German registration office -- Just leave us alone!
Debora Weber-Wulff
Keep your eyes on the road!
Peter Scott
Internet banking risks need fixing
Monty Solomon
Mileage sign errors
Monty Solomon
OARS privacy problems
Nanette Asimov
Membership database from bankrupt User Group to go to highest bidder
Dale E. Coy
BlackBerry Thumb
PGN
Woman summoned to court over unread Oyster card
Nick Rothwell
Cingular says: "No password needed" is a Good Thing!
Steve Fenwick
How ATM fraud nearly brought down British banking: phantom withdrawals
Andrew King
ACM e-mail looks like Phishing -- again!
James Garrison
UK electoral registration security issues
Mike Williams
Interest Earned at a bank not the same as Interest Paid
Keith Price
Criticism of CNID well founded
Robert Ellis Smith
Re: Windows delete command can fail silently
Erling Kristiansen
CfP: Human-Computer Interaction in Aeronautics
Chris Johnson
Mark Stamp, Information Security: Principles and Practice
PGN
Info on RISKS (comp.risks)

Colleges Protest Call to Upgrade Online Systems

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sat, 22 Oct 2005 15:52:27 PDT

The federal government, vastly extending the reach of an 11-year-old law, is
requiring hundreds of universities, online communications companies and
cities to overhaul their Internet computer networks to make it easier for
law enforcement authorities to monitor e-mail and other online
communications.  The action, which the government says is intended to help
catch terrorists and other criminals, has unleashed protests and the threat
of lawsuits from universities, which argue that it will cost them at least
$7 billion while doing little to apprehend lawbreakers. Because the
government would have to win court orders before undertaking surveillance,
the universities are not raising civil liberties issues.

The order, issued by the Federal Communications Commission in August and
first published in the Federal Register last week, extends the provisions of
a 1994 wiretap law not only to universities, but also to libraries, airports
providing wireless service and commercial Internet access providers.  It
also applies to municipalities that provide Internet access to residents, be
they rural towns or cities like Philadelphia and San Francisco, which have
plans to build their own Net access networks.  So far, however, universities
have been most vocal in their opposition.

The 1994 law, the Communications Assistance for Law Enforcement Act,
requires telephone carriers to engineer their switching systems at their own
cost so that federal agents can obtain easy surveillance access. ...

[Source: Sam Dillon and Stephen Labaton, *The New York Times*, 23 Oct 2005;
PGN-ed]
http://www.nytimes.com/2005/10/23/technology/23college.html?ex=1287720000&en=36556cd12f8fc287&ei=5090


Printer steganography (Mike Musgrove)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 21 Oct 2005 9:53:05 PDT

Many color printers (Xerox, HP, etc.) add barely visible yellow dots that
encode printer serial numbers and time stamps (down to the minute).
Intended primarily to combat counterfeiters, the purportedly "secret"
steganographic code in color printer copies has now been decoded by four
people at the Electronic Frontier Foundation.  (The encoding is
straightforward, and includes no encryption.)  There are of course various
slippery-slope privacy issues.  [Source: Mike Musgrove, Sleuths Crack
Tracking Code Discovered in Color Printers, *The Washington Post*, 19 Oct
2005, D01; PGN-ed]
http://www.washingtonpost.com/wp-dyn/content/article/2005/10/18/AR2005101801663.html

  [Also noted by Amos Shapir, who suggests you look at the eff site, which
  nicely documents the encoding:
    http://www.eff.org/Privacy/printers/docucolor/
  PGN]
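The item says the dot code is straightforward and unencrypted. The decoder below is an added example, not code from the RISKS item, the Washington Post story or EFF. It assumes the layout EFF documented for the Xerox DocuColor family as I recall it: a grid of 15 columns by 8 rows, row 1 and column 1 carrying parity, rows 2 to 8 of each column forming a 7-bit number with the most significant bit at the top, the minute in column 2, hour in column 5, day in 6, month in 7, a two-digit year in 8 and the serial number as two decimal digits per column in columns 11 to 14. The exact parity convention is also an assumption here (odd parity, with the parity row and the parity column not covering each other), and the grid constant is constructed to satisfy it rather than scanned from a real print.

```python
"""Decode a DocuColor-style yellow-dot tracking grid (added example).

Layout, field map and parity rule are assumptions modelled on EFF's
DocuColor write-up; the sample grid below is constructed, not scanned.
'#' marks a yellow dot, '.' an empty cell; rows and columns are 1-based
in the comments to match the usual description of the grid.
"""

COLS, ROWS = 15, 8

# Assumed field map: 1-based column -> field. Columns 3, 4, 9, 10 and 15
# carry nothing this decoder interprets.
FIELD_COLUMNS = {"minute": 2, "hour": 5, "day": 6, "month": 7, "year": 8}
SERIAL_COLUMNS = (11, 12, 13, 14)   # two decimal digits per column (assumed)

# Constructed sample encoding 2005-10-19 14:12, printer serial 21052857.
SAMPLE_GRID = """
.###..####.#.##
#..............
.............#.
#....#....#.##.
.#..#.#.....##.
##..#..#..###..
....###........
.....#.#..##.#.
"""


def parse_grid(text):
    """ASCII grid -> list of ROWS rows, each a list of COLS booleans."""
    rows = [line.strip() for line in text.strip().splitlines()]
    if len(rows) != ROWS or any(len(r) != COLS for r in rows):
        raise ValueError("expected %d rows of %d cells" % (ROWS, COLS))
    return [[cell == "#" for cell in row] for row in rows]


def parity_ok(grid):
    """Assumed rule: row 1 gives each data column (2-15) an odd dot count,
    column 1 gives each data row (2-8) an odd dot count."""
    columns_odd = all(sum(grid[r][c] for r in range(ROWS)) % 2 == 1
                      for c in range(1, COLS))
    rows_odd = all(sum(grid[r]) % 2 == 1 for r in range(1, ROWS))
    return columns_odd and rows_odd


def column_value(grid, col):
    """7-bit value from rows 2-8 of a 1-based column, MSB at row 2."""
    value = 0
    for r in range(1, ROWS):
        value = (value << 1) | int(grid[r][col - 1])
    return value


def decode(text):
    """Return the timestamp fields and serial number, or raise if the grid
    fails its parity check (damaged scan, or the layout assumption is wrong)."""
    grid = parse_grid(text)
    if not parity_ok(grid):
        raise ValueError("parity check failed")
    fields = {name: column_value(grid, col) for name, col in FIELD_COLUMNS.items()}
    if not (fields["minute"] < 60 and fields["hour"] < 24
            and 1 <= fields["day"] <= 31 and 1 <= fields["month"] <= 12):
        raise ValueError("decoded timestamp out of range")
    fields["serial"] = "".join("%02d" % column_value(grid, c) for c in SERIAL_COLUMNS)
    return fields


def describe(fields):
    """Human-readable summary; the two-digit year is assumed to mean 20yy."""
    return "printed 20%02d-%02d-%02d %02d:%02d on printer serial %s" % (
        fields["year"], fields["month"], fields["day"],
        fields["hour"], fields["minute"], fields["serial"])


if __name__ == "__main__":
    print(describe(decode(SAMPLE_GRID)))
```

A failing parity check cannot tell a damaged scan apart from a wrong layout assumption, so treat it as "undecodable", not as "no tracking code present"; a page that decodes cleanly, on the other hand, ties a print to one serial number and one minute, which is exactly the privacy point the item raises.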


Meso-Mess: German registration office -- Just leave us alone!

<Debora Weber-Wulff <D.Weber-Wulff@fhtw-berlin.de>>
Sat, 15 Oct 2005 17:34:04 +0200

The Berlin daily newspaper "Tagesspiegel" has reported on the newest
software chaos in town [we actually have a number to contend with at the
moment... -- dww]:
  http://archiv.tagesspiegel.de/archiv/13.10.2005/2112250.asp
  http://archiv.tagesspiegel.de/archiv/15.10.2005/2117152.asp

It seems the registration offices bought themselves some brand-spanking-new
software. All people living in Germany must register their address and the
names of people who live with them with this office (which is part of the
police jurisdiction) inside of a week of moving into town. The police use
the data for all sorts of purposes.

They cut over to the new system October 4, and the police suddenly
discovered that they were offline - their systems did not work anymore,
probably because the API was different.  The police had to set up emergency
computers directly linked to the official system and have police officers in
the field *call in* their requests. Result: the line is always busy.  But of
course, there is no threat to the general public, just nasty waiting for the
police [so maybe they don't need it at all? --dww].

The registration office was pointing the finger at the police, saying they
had known for a year that this was coming. Then people called the papers
complaining that waiting times at the office - which also issues passports
and ID cards and the like - had gone from an hour to FOUR hours.

The official excuse is that clerks were not sufficiently trained in the use
of the 23 million Euro software called "Meso". And they insist that the
waiting time is "only" doubled, not more. They request the good taxpayers
who paid for the software to just stay home and not bother them until they
get the kinks worked out - really, one office gave out a press release to
just leave them alone!

An added problem is that many people are trying to apply for new passports
because from December on people have to pay more for them because they have
to have RFID chips with biometric data stored in them so that the US
government is appeased and will still let Germans in without visas.....

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, Internationale Medieninformatik
10313 Berlin http://www.f4.fhtw-berlin.de/people/weberwu/ +49-30-5019-2320


Keep your eyes on the road!

<Peter Scott <risks@PSDT.com>>
Tue, 18 Oct 2005 10:39:00 -0700

An item in an Information Week article ("Car Smarts",
http://www.informationweek.com/story/showArticle.jhtml?articleID=170702055)
brings new meaning to the admonition to keep your eyes on the road:

  Toyota is testing technology meant to keep a driver's eyes on the road,
  according to The Associated Press. The technology employs a camera
  attached near the car's steering wheel and image-processing software that
  recognizes when the driver isn't facing forward. The system flashes a
  light on the dashboard and beeps when the driver looks away, according to
  the AP. If the driver doesn't respond, *the brakes are applied
  automatically*. The feature will be in Lexus luxury models to be sold in
  Japan next spring.

(my emphasis).  Well, *that* sounds reliable... I feel safer already.

I hope they paint them a distinctive color so I can recognize them on the
road and stay well away...


Internet banking risks need fixing

<Monty Solomon <monty@roscom.com>>
Wed, 19 Oct 2005 00:56:32 -0400

Federal regulators will require banks to strengthen security for Internet
customers through authentication that goes beyond mere user names and
passwords, which have become too easy for criminals to exploit.  Bank Web
sites are expected to adopt some form of "two-factor" authentication by the
end of 2006, regulators with the Federal Financial Institutions Examination
Council said in a letter to banks last week.  [...]  [Source: Feds Want
Banks to Strengthen Web Log-Ons, AP item, 18 Oct 2005; PGN-ed]
  http://finance.lycos.com/home/news/story.asp?story=52442651


Mileage sign errors

<Monty Solomon <monty@roscom.com>>
Mon, 17 Oct 2005 02:22:00 -0400

Excerpt from

http://www.boston.com/news/local/articles/2005/10/16/state_rejects_somerville_i_93_lane_shift/

We finally have an answer about how those new state mileage signs got so
terribly messed up.  And the blame is being placed on Bill Gates.
MassHighway admitted that the state had found 19 legends on the new signs
with significant errors in mileage.  That's 12 percent of the 164 new signs
in the $1.05 million contract.

According to the contractor, some of the distances were calculated using
Microsoft's Streets & Trips software. According to Microsoft, the software
without a GPS hookup costs $39.95. This contractor was paid $130,000 by the
state.

Apparently the contractor had tried to use Mapquest, but found it
unreliable.

 - - - -

Excerpt from
http://www.boston.com/news/local/articles/2005/09/25/in_chelsea_pedalers_celebrate_the_bus/

One sign on Interstate 93 north, near Exit 45 in Andover, reported that
Manchester, N.H. was 42 miles away, although the actual distance is just a
bit more than 28 miles.  Another sign on Route 128/95 in Needham reported
that Wellesley is 7 miles away. The actual distance is slightly less than 3
miles. A sign on Route 3 north in Braintree listed the distance to I-93 as 5
miles when the distance by odometer was 3 miles.


  [Also reported by Mark Lutton. PGN]


Privacy problems

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 21 Oct 2005 9:46:07 PDT

San Francisco administrators of OARS, Online Assessment Reporting System,
issued a generic password (same for all teachers) that left the system wide
open to anyone who knew a teacher's user name, because many teachers had not
gotten around to changing the password.  [Source: Nanette Asimov, *San
Francisco Chronicle*, 21 Oct 2005, B2; PGN-ed]

Cingular moved its voicemail system over to an AT&T wireless service over
the past two weeks.  Anyone initializing the account before the legitimate
owner can then gain total access to the account.  Approximately 26 million
Cingular subscribers of the old system are potentially affected.  [Source:
Ryan Kim, *San Francisco Chronicle*, 21 Oct 2005, C1; PGN-ed]


Membership database from bankrupt User Group to go to highest bidder

<"Dale E. Coy" <dale@thecoys.net>>
Thu, 13 Oct 2005 20:12:39 -0600

http://www.computerworld.com/governmenttopics/government/legalissues/story/0,10801,105386,00.html?source=NLT_PM&nid=105386

Interex membership list for sale to highest bidder; The bankrupt user
group's member database is being sold to satisfy creditor demands

A California bankruptcy court will sell Interex's membership database to the
highest bidder to help satisfy creditor demands of the bankrupt user group,
according to recently filed court papers.  The Hewlett-Packard Co. user
group claimed about 100,000 members before filing in August for bankruptcy
in U.S. Bankruptcy Court for the Northern District of California after
incurring more than $4 million in debt. The court filing is dated Oct. 5,
but notices of the sale apparently reached some Interex members this week.


BlackBerry Thumb

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 21 Oct 2005 9:47:39 PDT

Repetitive motion injuries are now entering the mobile handheld world,
with doctors reporting a spate of complaints about BlackBerry Thumb.
[AP item seen in the (Palo Alto) *Daily News*, 21 Oct 2005; PGN-ed]


Woman summoned to court over unread Oyster card

<Nick Rothwell <nick@cassiel.com>>
20 Oct 2005 17:06:20 -0000

A woman is being summoned to court, and faces a 1000-pound fine if found
guilty, over non-payment of a 1.20-pound London bus fare.

Most of London's transport system is moving over to the Oyster card system,
where quasi-smartcards are touched against readers at tube station barriers
or doors to buses. A card can contain season tickets, top-up funds for
pay-as-you-go travel, or both.

According to the television news coverage today, Jo Cahill believed that she
had paid on entering the bus, but the reader did not register her card in
order to deduct the fare from the top-up funds. An inspector has treated her
as a fare-dodger, even though she explained the situation and offered to
pay.

This seems to set the precedent that users are required to confirm that the
reader has indeed registered their card, even though the visual and audible
signals are not always clear. Transport for London claims that its Oyster
card readers rarely fail, although they do not specify whether or not users
will always be taken to court when they do fail. (I frequently get onto
buses where the reader has a post-it note saying "reader broken" stuck to
it.)

More at: http://news.bbc.co.uk/1/hi/england/london/4361286.stm

nick rothwell -- composition, systems, performance -- http://www.cassiel.com


Cingular says: "No password needed" is a Good Thing!

<Steve Fenwick <risky_business@w0x0f.com>>
Sat, 15 Oct 2005 17:28:47 -0700

Effective 26 Oct 2005, Cingular is switching to a new voicemail system for
all its customers. One of the "features" is "Skip Password"--apparently, one
will no longer need to enter a password if one has physical access to a
handset.  The option to continue to use a password will still be available,
but "skip password" appears to be the default.

From their website (<http://cingular.com/voicemail_west>):

> Skip Password
>  Save time accessing Voice Mail from your wireless handset. Just a one-time
>  password setup, and that's it. Press and hold 1 from your wireless handset
>  to go straight to your voice mail. When accessing your voice mail from
>  another phone, your password will be required.
>
>  To require a password for all calls from the Main Menu,
>  1) Press 4 for Personal Options  2) Press 2 for Administrative Options 3)
>  Press 1 for Password and follow instructions to turn on your password

The risks are obvious--to everyone except decision-makers at Cingular.


How ATM fraud nearly brought down British banking: phantom withdrawals

<Andrew King <ak-a@ak-a.com>>
Fri, 21 Oct 2005 13:11:57 +0100

Posted on *The Register*
  http://www.theregister.co.uk/2005/10/21/phantoms_and_rogues/
with some background at
  http://www.cl.cam.ac.uk/~mkb23/phantom/

Interesting stuff on risks and responsibilities.


ACM e-mail looks like Phishing -- again!

<James Garrison <jhg@athensgroup.com>>
Tue, 18 Oct 2005 15:08:08 -0500

The organizations that should know better just don't seem to be learning.
Today I received a request to participate in a survey, titled "New ACM
Products/Services Survey" (I am a member of ACM).  There were a number of
things wrong with it:

1) The "From" address was not an acm.org address.
2) The link to the survey pointed to a site also not in acm.org
3) The survey link included an opaque token
4) The message was not digitally signed

The fact that the from address and link don't point back to acm.org is a
classic hallmark of phishing.  The fact that the link contained an opaque
token marks it as possible e-mail address harvesting.  The lack of a
signature means it's not possible to validate the message's authenticity.

Actually, come to think of it, items 1 & 2 may ironically point to the
message's authenticity.  A real phisher would have made sure the reply-to
address and displayed link were in acm.org.  So this is either genuine or a
very incompetent phisher :-)

Unfortunately, this is the third such e-mail I've received from the ACM in
the past couple of years.  Each time I point out the obvious problems, and
get a polite, if miffed-sounding reply.  And nothing changes.  How hard is
it to buy a copy of PGP (or install GPG) and publish a key for this purpose
on the ACM's website?

Of all organizations in the world, I would hope that ACM would be leading
the battle against e-mail fraud by example, not lagging far behind.  Yes, I
know key management isn't simple, but you'd think it would be worth the
effort for the ACM.

James Garrison, Athens Group, Inc.  5608 Parkcrest Dr Austin, TX 78731
http://www.athensgroup.com  1-512-345-0600 x150  jhg@athensgroup.com
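The four signals the post lists (sender domain, link domain, opaque token, no signature) are easy to check mechanically. The checker below is an added example, not code from the post or from ACM; the two messages it runs on are constructed to resemble the survey mail described, the domain example-surveys.com and the token value are made up, and the signature test only looks for PGP markers rather than verifying anything.

```python
"""Heuristic check of the four signals named in the post (added example).

The message texts below are constructed, not copies of anything ACM sent.
The signature check only looks for PGP markers; verifying a signature needs
gpg and the sender's published key, which is what the post asks ACM for.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# A query value that is long and looks random is treated as an opaque token.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")
PGP_MARKERS = ("-----BEGIN PGP SIGNATURE-----", "-----BEGIN PGP SIGNED MESSAGE-----")


def host_in_domain(host, domain):
    """True if host is domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def body_text(msg):
    """Concatenate the text parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def is_signed(msg):
    return msg.get_content_type() == "multipart/signed" or any(
        marker in body_text(msg) for marker in PGP_MARKERS)


def phishing_indicators(raw_message, expected_domain):
    """Return the list of findings; an empty list means none of the four
    signals fired, which is not proof that the mail is genuine."""
    msg = message_from_string(raw_message)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    if not host_in_domain(sender.rpartition("@")[2], expected_domain):
        findings.append("From address outside %s: %s" % (expected_domain, sender))
    for url in URL_RE.findall(body_text(msg)):
        parsed = urlparse(url)
        if not host_in_domain(parsed.hostname, expected_domain):
            findings.append("link outside %s: %s" % (expected_domain, parsed.hostname))
        for key, values in parse_qs(parsed.query).items():
            if any(TOKEN_RE.match(v) for v in values):
                findings.append("opaque token in link parameter %r" % key)
    if not is_signed(msg):
        findings.append("message is not digitally signed")
    return findings


SURVEY_MAIL = """\
From: "ACM Member Services" <survey@example-surveys.com>
To: member@example.org
Subject: New ACM Products/Services Survey
Content-Type: text/plain; charset=us-ascii

Dear member, please take our short survey at
http://www.example-surveys.com/acm/start?uid=Qx7h3kPZ9mL2vRt8bN4c
"""

SIGNED_MAIL = """\
From: ACM Surveys <surveys@acm.org>
To: member@example.org
Subject: New ACM Products/Services Survey
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Please take our survey at https://survey.acm.org/products?survey=products2005
-----BEGIN PGP SIGNATURE-----
(signature block left out of this constructed sample)
-----END PGP SIGNATURE-----
"""

if __name__ == "__main__":
    for name, mail in (("survey mail", SURVEY_MAIL), ("signed mail", SIGNED_MAIL)):
        print(name, phishing_indicators(mail, "acm.org") or ["no findings"])
```

The first message trips all four checks, the second none; as the post itself notes, a competent phisher would pass the first two by spoofing the sender and disguising the link, so the signature is the only one of the four that can actually establish authenticity, and only once the public key is published somewhere the recipient trusts.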


UK electoral registration security issues

<Mike Williams <mike.williams@globalgraphics.com>>
Fri, 21 Oct 2005 09:19:40 +0100

It is that time of the year in the UK when the annual canvass of electors
is done.  My form came through the post yesterday.  Originally the form had
to be completed and returned in the post.  A couple of years ago they
started allowing you to register by phone, and this year you can now do it
via the Internet.

To register by phone or Internet there is a 10-digit reference number on the
form.  This is all that is needed to update the register details by phone
(usual automated answering service with 'press key n' to navigate responses).
For registering via the Internet there is an 8-letter password.

The reference number and password look reasonably unguessable - no obvious
patterns in the number and the password, although all lower case letters,
contains no words.  On the down side, all the information is on a single
sheet, which as I said was sent through the post.  What extra security does
the password provide?

The real problem is that the envelope in which the form is sent is the one
that is used to return the form in if it is to be returned, I suppose to try
and save some money.  Since the envelope is one you have to lick to seal,
the registration form was delivered in an envelope that was open!


Interest Earned at a bank not the same as Interest Paid

<Keith Price <price@usc.edu>>
Thu, 20 Oct 2005 10:52:30 -0700 (PDT)

Last month while going over the statement for one of our interest paying
checking accounts from a major bank (one named for a western state that
promotes its customer service in ads) I noticed a small discrepancy. The
statement (which has recently been redesigned) has an entry for "Interest
Earned" and a second one for "Interest Paid." The logical assumption is that
you would be paid what you earned. But, this is not the case. Often (at
least from recent experience) these differ by $0.01.  In the first instance,
the interest earned was $0.01 more than the interest paid. After noticing
this, I had an interesting visit at the near-by branch, which occupied the
branch manager for about 45 minutes while he discussed the issue with the
people who should know what is happening ("the back office").  He was unable
to relay a satisfactory explanation, other than that the 2 numbers come from
2 different systems, that over time it will even out, and that the
operations people do not consider this an open problem (there was a strong
indication that they had never heard of this problem). The next month the
situation for this account was reversed, i.e. interest earned was $0.01 less
than interest paid, so, at least so far, it has evened out.

How common is this? We have a total of 3 checking accounts at this bank and
in the past 2 months have seen this discrepancy 3 times (the 2 times on one
account described above, and in the second month on another account). The
first occurrence caused me to look through old statements more carefully,
but I found no earlier cases.

The risks: Inconsistent treatment of rounding and providing the customer
inconsistent information.
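The explanation relayed from the back office (two systems, evening out over time) is consistent with one system rounding each month's exact interest on its own while the other carries the unpaid fraction of a cent forward from month to month. The model below is an added example, not the bank's code or anything from the item; the monthly interest amounts are constructed, and both rounding policies are assumptions chosen to reproduce a one-cent gap that reverses the following month.

```python
"""Two ways of turning exact interest into cents (added example).

A constructed model of two posting systems that can show 'Interest Earned'
and 'Interest Paid' one cent apart on the same statement. The monthly
figures are made up and the two policies are assumptions, not the bank's.
"""
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def round_cents(amount):
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def statement_lines(exact_monthly_interest):
    """For each month return (earned, paid, earned - paid).

    'earned' rounds this month's exact interest on its own.
    'paid' rounds the exact interest plus the fraction of a cent left
    unpaid (or overpaid) last month, then carries the new remainder forward.
    """
    carry = Decimal("0")
    lines = []
    for exact in exact_monthly_interest:
        earned = round_cents(exact)
        accrued = exact + carry
        paid = round_cents(accrued)
        carry = accrued - paid
        lines.append((earned, paid, earned - paid))
    return lines


def totals(lines):
    """Sum of the earned column and of the paid column."""
    earned = sum(line[0] for line in lines)
    paid = sum(line[1] for line in lines)
    return earned, paid


# Constructed exact interest for three consecutive months.
SAMPLE_MONTHS = [Decimal("0.766"), Decimal("0.766"), Decimal("0.764")]

if __name__ == "__main__":
    lines = statement_lines(SAMPLE_MONTHS)
    for month, (earned, paid, diff) in enumerate(lines, 1):
        print("month %d: earned %s paid %s difference %s" % (month, earned, paid, diff))
    print("totals: earned %s paid %s" % totals(lines))
```

With these inputs the two columns agree in month 1, "paid" is a cent short in month 2 and a cent over in month 3, and the totals match, which is the pattern the item describes. The risk noted in the item stands regardless: printing two numbers from two systems on one statement without saying which one the account was credited with is what leaves the customer unable to reconcile it.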


Criticism of CNID well founded (Re: Kuenning, RISKS-24.05)

<"Robert Ellis Smith" <ellis84@rcn.com>>
Tue, 11 Oct 2005 15:46:10 -0400

Telephone customers have some protections from the negative consequences of
Caller ID precisely because privacy advocates expended a lot of energy to
assure the availability of number-ID blocking and to create a culture of
privacy protection within the new technology. We succeeded. We weren't
mistaken!

Geoff Kuenning's numbered arguments conflict with each other. Many of us
still lead lives in which protecting the identity of our phone numbers from
strangers - not to mention marketers - is vital. I believe that automatic
rejection of incoming ID-blocked calls is irresponsible to one's family and
self. We can't possibly anticipate when a loved one will be in distress,
calling us from a stranger's telephone. Automatic blocking disallows such a
call from reaching us. Geoff says that a parent with a teenager on the loose
at night would be sure to disengage the automatic blocking feature. Maybe
so. But how about the next night, when the kid is safely in bed and an aunt
or a cousin or a business associate is trying to reach us from a strange
phone? The call will not get through.

Geoff's commentary is comparable to saying that Martin Luther King Jr. was
wasting his time because African-Americans now have some degree of equal
opportunity. How do we think that came about, by magic? The efforts of
privacy advocates when Caller ID was first introduced make it possible for
Geoff to blithely proclaim, there's no privacy problem in 2005, the battling
back in the 1980s wasn't important.

Robert Ellis Smith, Publisher, Privacy Journal
www.privacyjournal.net, privacyjournal@rcn.com.


Re: Windows delete command can fail silently (RISKS-24.06,07)

<Erling Kristiansen <erling.kristiansen@xs4all.nl>>
Sun, 23 Oct 2005 17:17:29 +0200

Windows may also delete the wrong file.

I had two files on a network drive, hosted via Samba on a UNIX server, whose
names differed only by capitalization of some letters.  Windows Explorer
faithfully displayed both names, with the proper capitalization. But when
asked to delete one file, it deleted the other one. No warning about a
potential conflict was given.

I think this goes back to the half-hearted use by Windows of lower and upper
case letters in file names. In some contexts, they are taken to be
equivalent, in other cases they are considered different.

I don't know whether this specific problem was due to Windows or Samba.  But
the end result was rather scary. Luckily, in this particular case, I noticed
the problem right away, and was able to re-create the lost file by
re-running the application that created it.
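Whichever side was at fault, the hazard is a directory that holds two names a case-insensitive client cannot tell apart. The audit below is an added example, not code from the post or from Samba: it lists such collisions under a directory tree and refuses a delete when a sibling differs from the target by case alone. The listdir/unlink/walk hooks are injectable only so the check can be exercised without a real case-sensitive filesystem; the defaults are the ordinary os calls.

```python
"""Case-collision audit for a directory exposed to Windows clients (added example)."""
import os
from collections import defaultdict


def case_collisions(names):
    """Group names that are equal under case folding and return only the
    groups with more than one member, i.e. the names a case-insensitive
    client cannot distinguish."""
    groups = defaultdict(list)
    for name in names:
        groups[name.casefold()].append(name)
    return {key: members for key, members in groups.items() if len(members) > 1}


def safe_unlink(directory, name, listdir=os.listdir, unlink=os.unlink):
    """Delete directory/name only if no sibling differs from it by case alone.

    listdir and unlink are injectable for testing; the defaults are the real
    os calls. Returns True on deletion, raises RuntimeError on a collision."""
    entries = listdir(directory)
    if name not in entries:
        raise FileNotFoundError(name)
    lookalikes = [e for e in entries if e != name and e.casefold() == name.casefold()]
    if lookalikes:
        raise RuntimeError("refusing to delete %r: it collides case-insensitively with %r"
                           % (name, lookalikes))
    unlink(os.path.join(directory, name))
    return True


def audit_tree(root, walk=os.walk):
    """Map each directory under root that has a case collision to its groups."""
    report = {}
    for dirpath, dirnames, filenames in walk(root):
        collisions = case_collisions(dirnames + filenames)
        if collisions:
            report[dirpath] = collisions
    return report


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for dirpath, collisions in audit_tree(root).items():
        for members in collisions.values():
            print("%s: %s" % (dirpath, ", ".join(members)))
```

Running the audit against a share before Windows clients are pointed at it finds the cases the post describes ahead of time; on the server side, Samba's "case sensitive" option in smb.conf governs whether the server matches names case-insensitively, and the behaviour a client sees depends on how it is set, so the audit is worth running whatever the setting.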


CfP: Human-Computer Interaction in Aeronautics

<"Chris Johnson" <johnson@dcs.gla.ac.uk>>
Thu, 20 Oct 2005 16:35:44 +0100

Organized by The European Institute of Cognitive Sciences and Engineering
In cooperation with ACM's Special Interest Group for Computer-Human
Interaction (SIGCHI)
Call for Papers

The international aviation community is advocating goals that compel radical
innovation in approach to the fundamentals of aeronautical operations. The
role of Human-Computer Integration professionals is to contribute and
participate in an active manner to the success of innovation. HCI-Aero 2006
seeks to gather experts and novices from industry, government and academia
in the field of human factors in aerospace computing systems. We invite
researchers and practitioners to present innovative methods, techniques,
tools, and technology.  These include air and ground operations, training,
design, certification and support both in civil and military applications
with a focus on safety challenges, cost effectiveness, performance and
comfort. The theme of HCI-Aero 2006 is "Innovation of Aeronautical
Operations". This innovation vision finds expression in international air
traffic management, coordinated via a satellite-based information exchange,
based on coordinated air-ground operations, 4-D trajectory control and
reduced constraint in control of aircraft movement.  Innovation asserts new
modes of operation and technological requirements. These technologies
fundamentally change aviation work processes. These advancements impact
information redistribution, interactions among agents, decision-making and
various optimization processes. The changes in the work of air
transportation operations require an approach to research and analysis that
includes concern for the changes in the cognitive processes that support
the work in context.

Florence Reuzeau and Kevin Corker, General Co-Chairs of HCI-Aero'06

Submission Deadlines:
  15 March 2006 - Full Research Papers
  15 April 2006 - Industry Papers and Early Stage Research Papers
  15 April 2006 - Panels, Workshops, Posters and Demos

For more information see the attached call for details or access the
conference web site on: http://www.eurisco.org/hci-aero2006


Mark Stamp, Information Security: Principles and Practice

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 26 Oct 2005 10:57:13 PDT

  Mark Stamp
  Information Security: Principles and Practice
  John Wiley (Wiley Interscience), Hoboken NJ
  2006
  xxi+390

In his preface, Mark Stamp says that he hates black boxes and that the book
is intended to illuminate some of the currently popular black boxes.  This
book seems quite useful as a textbook, with four main thrusts: cryptography,
access control, protocols, and software.  It includes some challenging
problems at the end of each chapter, some of which are quite specific while
others are open-ended and thought provoking.  Security is of course a huge
problem area and difficult to circumscribe.  Although this book does not
attempt to delve into all of the primary historical paths taken thus far
(for example, understanding the bad ones can be very useful), it does a good
job of analyzing where we are today in the areas that it carves out.
