The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 43

Thurs 21 September 2006

Contents

Air Traffic Controllers Chafe at Plan to Cut Staff
PGN
Should you wear a helmet while bicycling?
Jerry Leichter
Cost of online banking typo put on consumer
Kjetil Torgrim Homme
Risks of reprogrammable ATMs
Mark Brader
Segway software gives hard landing
PGN
Yet Another Power Outage
Mike Swaim
Careful with that Fedex account number
Matt Wilbur
Hotel minibar keys open Diebold voting machines
Ed Felten via PGN
Cuyahoga County Primary Election Report
David Lesher
Re: Avi Rubin's latest report as an election judge
Kurt Fredriksson
SSN-as-ID under scrutiny - again
Peter B. Ladkin
New way to break into cars
Gerrit Muller
Thieves sabotage telecom infrastructure
Gerrit Muller
Cops say teen concocted radio calls
S Hutto
Regarding High-tech Product Sabotage
Phil Singer
REVIEW: "Computer Security Basics", Lehtinen/Russell/Gangemi
Rob Slade
Info on RISKS (comp.risks)

Air Traffic Controllers Chafe at Plan to Cut Staff

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 20 Sep 2006 11:18:07 PDT

A drive by the Federal Aviation Administration to cut the number of air
traffic controllers nationally by 10 percent below negotiated levels, and
even more sharply at places like the busy radar center here, is producing
tension, anger and occasional shows of defiance among controllers.  One of
the new changes may have safety implications: ending of contractual
protection against being kept working on a controller's radar screen for
more than two hours without a break.  Having just one controller on duty is
also problematic [as noted in the recent wrong-runway episode in Lexington
KY (RISKS-24.41)].  [Source: Matthew L. Wald, *The New York Times*, 20 Sep
2006; PGN-ed, TNX to Lauren Weinstein]
http://www.nytimes.com/2006/09/20/washington/20control.html


Should you wear a helmet while bicycling?

<Jerry Leichter <jerroldleichter@mac.com>>
Sat, 16 Sep 2006 19:35:18 -0400

We've had previous discussion in RISKS of the unexpected side-effects that
can result when human beings respond to safety measures by changing their
behavior, taking on risks that previously were too great to feel acceptable.

http://www.eurekalert.org/pub_releases/2006-09/uob-wah091106.php is a news
release about some research in this area.  Dr. Ian Walker spent a great deal
of time bicycling around the UK on a bicycle with equipment that measured
how close drivers of different kinds of vehicles came to him when passing.
Half the time, he wore a helmet; half the time, he didn't.  Result: Drivers
approached closer (an average of 8.5 cm) when he was wearing a helmet.

Walker's hypothesis is that drivers see bicyclists wearing helmets as more
experienced and competent, hence not in need of consideration.

In other interesting results, when Walker wore a wig so that he looked like
a woman, he was given significantly more room.  He also confirmed a feeling
all bicyclists have: Yes, indeed, trucks and buses do approach bicycles more
closely (average of 19 cm for trucks and 23 cm for buses) than cars do.

As Walker points out, helmets definitely do protect a rider in low-speed
falls.  How much they help in collisions with vehicles is harder to say -
and if wearing a helmet makes a collision more likely, the net effect is
difficult to predict.  (Walker was hit twice, once by a bus and once by a
truck, during his experiments.  He was wearing a helmet both times.)

  [Spelling correction in archive copy.]


Cost of online banking typo put on consumer

<Kjetil Torgrim Homme <kjetilho@ifi.uio.no>>
Tue, 19 Sep 2006 10:25:40 +0200

Grete Fossbakk wanted to transfer NOK 500,000 (USD 76400) to her daughter
using her online bank account, but entered a digit too many in the account
number field.  The bank software stripped it silently and transferred the
money to a third party.  Unfortunately, the recipient immediately withdrew
the bounty and started to gamble it away.  Meanwhile, the daughter was on
vacation, so the mishap wasn't discovered until three weeks had passed.  The
matter was reported to the police, and they were able to reclaim NOK 100,000
in cash in the man's apartment.  Ms Fossbakk has launched a civil claim
against the man for the remainder of the money, but since he lives off
social security, the chances of getting it back are slim.

The bank, Sparebank1 Nord-Norge, claims that if you type the wrong number,
you have to bear the consequences yourself.  The Norwegian bank industry's
board of complaints (Bankklagenemnda) will hopefully decide in the case in
time for Christmas.  The Minister for Consumer Affairs, Karita Bekkemellem,
has stated this is an important issue, and will consider proposing new
legislation if the banks don't accept responsibility.

Articles in Norwegian:
http://www.dn.no/privatokonomi/article875204.ece
http://www.dn.no/forsiden/politikkSamfunn/article876885.ece

  [Also noted by Tore A. Klock.  PGN]
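The failure mode in the post is silent truncation: an over-long account number was cut to fit instead of being rejected. The following is an added example, not code from the post or from the bank, contrasting that behaviour with a validator that refuses anything other than exactly 11 digits with a correct check digit. It relies on the standard Norwegian account-number format (11 digits, the last a MOD11 check digit over the first ten with weights 5,4,3,2,7,6,5,4,3,2), which the post itself does not mention, and every account number in it is constructed for illustration, not Ms Fossbakk's.

```python
"""Reject malformed account numbers instead of silently truncating them.

Added example; the account numbers below are constructed, not real.
"""
import re
from typing import Optional, Tuple

# Norwegian bank account numbers: 11 digits, the 11th a MOD11 check digit
# over the first ten with these weights (standard scheme, assumed here;
# the RISKS post does not describe it).
_MOD11_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def mod11_check_digit(first_ten: str) -> Optional[int]:
    """Expected check digit for ten digits, or None when MOD11 yields 10
    (such prefixes have no valid check digit and are never issued)."""
    total = sum(int(d) * w for d, w in zip(first_ten, _MOD11_WEIGHTS))
    rem = 11 - (total % 11)
    if rem == 11:
        return 0
    if rem == 10:
        return None
    return rem


def naive_normalise(raw: str) -> str:
    """The behaviour the post describes: keep the first 11 digits, drop the rest."""
    digits = re.sub(r"\D", "", raw)
    return digits[:11]


def validate_account(raw: str) -> Tuple[bool, str]:
    """Strict check: exactly 11 digits with a correct check digit.

    Returns (True, canonical_digits) or (False, reason). The length test
    comes first so that an over-long entry is never quietly shortened.
    """
    digits = re.sub(r"[ .]", "", raw)  # tolerate "1234 56 78903" / dotted forms only
    if not digits.isdigit():
        return False, "non-digit characters"
    if len(digits) != 11:
        return False, f"expected 11 digits, got {len(digits)}"
    expected = mod11_check_digit(digits[:10])
    if expected is None or expected != int(digits[10]):
        return False, "check digit mismatch"
    return True, digits


def transfer(raw_account: str, amount_nok: int) -> str:
    """Hardened path: refuse the transfer unless the number validates."""
    ok, detail = validate_account(raw_account)
    if not ok:
        return f"REJECTED ({detail}); nothing sent"
    return f"would send NOK {amount_nok} to {detail}"


if __name__ == "__main__":
    typo = "123456789031"  # constructed: a valid 11-digit number plus one extra digit
    print("naive:", naive_normalise(typo))      # silently becomes 12345678903
    print("strict:", transfer(typo, 500000))    # REJECTED (expected 11 digits, got 12)
```

A check digit catches most single-digit typos and transpositions, but it cannot detect that an over-long entry whose first eleven digits happen to validate was truncated, which is why the length test precedes the checksum. Nor can it tell that a well-formed number belongs to the intended payee; that needs a separate payee-name confirmation step before the money moves.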


Risks of reprogrammable ATMs

<msb@vex.net (Mark Brader)>
Thu, 14 Sep 2006 23:18:36 -0400 (EDT)

Surveillance footage on a gas station ATM shows a man swiping an ATM card,
punching in a series of numbers, and breaking the machine's security code.
He apparently reprogrammed the ATM to disburse $20 bills while recording the
transaction as a $5 debit.  He then apparently used a prepaid debit card.
The shortfall was not noticed until nine days later, when a customer
reported receiving four times what was requested.  [PGN-ed]
  http://apnews.myway.com/article/20060913/D8K496CO4.html
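Nine days is a long time for a machine that was paying out four times what it recorded on every affected withdrawal. As an added example, not from the article, the reconciliation below compares the number of notes that physically left the cassette, valued at the denomination the cassette is known to hold, against the debit the machine posted, and reports both the total shortfall and which card it concentrates on. The journal format, field names and every line in it are constructed for the example; it assumes the ATM journal records a per-withdrawal note count that comes from the dispenser rather than from the amount the software believes it paid.

```python
"""Reconcile notes dispensed against debits recorded, per ATM and per card.

Added example with constructed journal lines; the log format is assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed journal lines (not from the article). Each withdrawal records
# the masked card, the count of notes fed from the cassette, and the debit
# posted. The ****9911 lines mimic the article's pattern: $20 notes recorded
# as $5 each.
JOURNAL = """\
2006-08-30 09:12 ATM01 card=****1234 notes=2 debit=40.00
2006-08-30 09:40 ATM01 card=****9911 notes=4 debit=20.00
2006-08-30 11:05 ATM01 card=****5550 notes=1 debit=20.00
2006-08-30 13:30 ATM01 card=****9911 notes=8 debit=40.00
2006-08-30 15:02 ATM01 card=****7777 notes=3 debit=60.00
"""

# Denomination physically loaded in the cassette (assumed $20). Whoever fills
# the cassette knows this independently of what the machine's configuration says.
CASSETTE_DENOMINATION = 20

_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<atm>\S+) card=(?P<card>\S+) "
    r"notes=(?P<notes>\d+) debit=(?P<debit>\d+\.\d{2})$"
)


@dataclass(frozen=True)
class Withdrawal:
    ts: str
    atm: str
    card: str
    notes: int
    debit_cents: int


def parse_journal(text: str) -> List[Withdrawal]:
    """Parse journal lines; a malformed line is an error, not something to skip quietly."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable journal line: {line!r}")
        dollars, cents = m["debit"].split(".")
        out.append(Withdrawal(m["ts"], m["atm"], m["card"], int(m["notes"]),
                              int(dollars) * 100 + int(cents)))
    return out


def reconcile(entries: List[Withdrawal], denomination: int) -> Dict:
    """Compare cash that left the cassette with cash the ledger debited.

    Amounts are kept in cents to avoid float comparison problems.
    """
    flagged: List[Withdrawal] = []
    per_card: Dict[str, int] = {}
    dispensed = debited = 0
    for w in entries:
        cash_out = w.notes * denomination * 100
        dispensed += cash_out
        debited += w.debit_cents
        if cash_out != w.debit_cents:
            flagged.append(w)
            per_card[w.card] = per_card.get(w.card, 0) + (cash_out - w.debit_cents)
    return {
        "dispensed_cents": dispensed,
        "debited_cents": debited,
        "shortfall_cents": dispensed - debited,
        "flagged": flagged,
        "shortfall_by_card_cents": per_card,
    }


def daily_check(text: str = JOURNAL, denomination: int = CASSETTE_DENOMINATION) -> Dict:
    """End-of-day run: parse the journal and reconcile it against the cassette."""
    return reconcile(parse_journal(text), denomination)


if __name__ == "__main__":
    report = daily_check()
    print(f"shortfall: ${report['shortfall_cents'] / 100:.2f}")
    for w in report["flagged"]:
        print(f"  {w.ts} {w.card}: {w.notes} notes out, ${w.debit_cents / 100:.2f} debited")
```

The note count is the control here: it is produced by the dispenser's own counter, which a change to the configured denomination does not touch, so the mismatch is visible the same day rather than when a customer volunteers it. A physical cassette count against the ledger at each refill gives the same signal without depending on the journal at all.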


Segway software gives hard landing

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 15 Sep 2006 8:59:18 PDT

[Source: Linda Rosencrance, Software glitch prompts Segway recall;
Six injuries reported when transporter unexpectedly reverses direction
*Computerworld*, 14 Sep 2006, PGN-ed; TNX to Nelson H. F. Beebe, U Utah.]
http://cwflyris.computerworld.com/t/854524/419952/33869/2/

Segway Inc. is recalling all of its 23,500 Segway Personal Transporters
because of a software problem that can cause the wheels of the device to
unexpectedly reverse direction and cause a rider to fall.

Consumers should stop using the device immediately and contact the company
for a free software upgrade, according to the U.S. Consumer Product Safety
Commission, which is working with Segway on the recall. Bedford, N.H.-based
Segway said no hardware changes are required.

A commission spokesman said Segway received reports of six incidents that
involved facial and wrist injuries. One user required facial surgery and
another was hospitalized overnight. Others suffered broken teeth, he said.

"A condition has been identified in which the Segway PT can unexpectedly
reverse the direction of the wheels, which can cause a rider to fall," the
company said today. "This can occur when the PT's Speed Limiter tilts back
the machine to slow it down and the rider goes off and then back onto the PT
within a short period of time."

The voluntary recall applies to all Segway PTs sold to date, including all
Segway PT i Series, e Series, p Series, XT, GT and i2 models. The Segway x2,
due for release later this month, is not affected by the recall. All new
shipments of the I2 are being shipped with the new software release, the
company said in the statement.

  [This was also noted by Howard Israel and Jeremy Epstein.]


Yet Another Power Outage

<"Mike Swaim" <mswaim@mdacc.tmc.edu>>
Wed, 6 Sep 2006 12:27:41 -0500

Here's yet another power outage story that features a failure mode that I
don't think has been mentioned yet. Back around 2000 or so, when I was at
Enron, we lost power to most of the production database servers used for gas
and power trading. Only the servers were affected, and the power outage
wasn't caused by the failure of anything electronic.

The raised floor under the power director feeding the servers collapsed.
When the director sensed the sudden motion, it immediately shut off, taking
all of the servers with it. After a couple of hours it was jacked back into
a level position, and turned back on, bringing everything else back to life.
That weekend the floor was repaired.

Mike Swaim swaim@hal-pc.org
MD Anderson Dept. of Biostatistics & Applied Mathematics
mpswaim@mdanderson.org or mswaim@mdacc.tmc.edu at work


Careful with that Fedex account number

<Matt Wilbur <matt@efs.org>>
Wed, 20 Sep 2006 10:45:49 -0700

Sending packages with Fedex is now easier than ever, thanks to the fedex.com
website. Unfortunately, it's too easy. In most cases, if you know a
company's account number, you can send whatever you like using the site,
assuming you have a pulse, a browser, and access to the Internet.

We recently had an angry ex-employee use our account number to send multiple
small dollar amount packages all over the place. The dollar value was too
low for the authorities, and it was really just a nuisance. Our "Fedex
person" called Fedex to stop this, and customer service told her the only
way was to change our account number. This would be painful, so we sent him
letters telling him to stop. It didn't. We called Fedex again, this time
asking for security, using words/phrases like "fraud," "theft," and "you
will have to pay when we reverse the charges." We didn't get anyone from
Security, but they did begin to listen.

After being bounced around at fedex, we learned the following:

* Unless you take specific action (enable and configure Shipping
  Administration for your account within Ship Manager on the website),
  anyone on the planet can create a fedex.com account, associate it with
  your account number, and ship whatever, wherever they want, third party
  included.

* there is no way, even with shipping administrator, within fedex.com, to
  view the logins associated with your account. We had to call and insist on
  a list - for "security" reasons they could not email or otherwise send us
  a list, but were able to tell us logins, names, last login, and email of
  active accounts.

After setting up Shipping Administration, we verified that this ex-employee
(or anyone else we don't approve) can no longer set up a new login and
associate it with our account.

After about an hour on the phone, we were able to get his login deleted (and
learn all of this additional information about their system).

Risks?  For Fedex? Not defaulting to a more secure configuration (like, want
to use fedex on the web? First sign-in associated with that fedex account
must set up "Shipping Administrator" to prevent unauthorized use). Building
an application with all the shipping capabilities imaginable available, and
very little for the account holder to manage access and security. Not having
a security contact or phone number listed, or accessible by calling in to
customer service. Money lost to fraud by abuse of this system.

For the Fedex user? Giving your fedex account number to third parties who
may ship things to you, unless you know and trust them, and trust their
handling of your account number.  Not watching your bills closely. Signing
up for and using a service that, when you think about it, is far too easy to
use to have any built-in safety.


Hotel minibar keys open Diebold voting machines

<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 21 Sep 2006 9:47:01 PDT

The access panel door on a Diebold AccuVote-TS voting machine --- the door
that protects the memory card that stores the votes, and is the main barrier
to the injection of a virus --- can be opened with a standard key that is
widely available on the Internet.  ... we did a live demo for our Princeton
Computer Science colleagues of the vote-stealing software described in our
paper and video. Afterward, Chris Tengi, a technical staff member, asked to
look at the key that came with the voting machine. He noticed an
alphanumeric code printed on the key, and remarked that he had a key at home
with the same code on it. The next day he brought in his key and sure enough
it opened the voting machine.

See Ed Felten's blog:
  http://www.freedom-to-tinker.com/?p=1064


Cuyahoga County Primary Election Report

<"David Lesher" <wb8foz@panix.com>>
Sun, 17 Sep 2006 17:01:11 -0400 (EDT)

Cuyahoga County [which includes Cleveland] had a major meltdown in their May
2006 primary election.  A Review Panel [comprised of a local judge, the head
of the Ohio Lottery, an academic, with local law students as staff] issued a
report on the event, and what needs to be fixed.
  <http://www.votingintegrity.org/pdf/cerp_rpt06.pdf>

While Diebold DRE machines are deeply embedded in the debacle, the report is
not about the problems with the machines' security [as Ed Felten's is] as much
as the issues of acquiring, configuring and deploying them.

The Road To Hell is paved with good intentions, and this report has asphalt
enough to go around. It's an example of how you can make any problem
too hard to handle if only there is enough money & patronage floating
around...

RISKS readers can easily identify all the Usual Suspects; you could almost
duplicate it with cut and paste from say, DIVAD/Sergeant York, Virtual Case
File, and oh the Second Ave subway project escapades. Cuyahoga County Board
of Elections says they were told they were buying, from the sole source
vendor, "seamless integration" between the registered voter database and
ballot creation processes; while the vendor was seemingly wearing hooded
white robes. [Diebold bought the West Coast voter database company but it
was still a separate operation who {oops} wanted to be paid extra for their
added work; work allegedly never mentioned by the corporate salesman who
sold the "seamless" package to the BoE.]

The BoE didn't even have the authority to spend the money they thought was
"theirs" and thus never asked the County Commissioners.

It also touches on the very real issue of poll workers/election day
staff. Elections are transient events, and many of the polling places are
likely to be staffed by people not just with little or no computer
experience; but often computerphobia. Add training problems and you have a
disaster brewing.

There are VERY few Avi Rubins working at polling places; and outside of
Silicon Valley, I bet they do no more than start Word. I wonder how many RISKS
readers do so? I'm almost tempted to say there should be Election Day Duty
a la Jury Duty. For now, employers could show their support by encouraging
both senior staff & IT support to volunteer. Both would get a valuable
reminder in Real World 101.

The only good aspect is the Ohio Legislature required honest-to-gosh paper
as the ballot of record. While that makes jammed printers important, it
means there is something to recount when, not if, things go wrong...


Re: Avi Rubin's latest report as an election judge

<"Kurt Fredriksson" <kurt.fredriksson@ieee.org>>
Wed, 13 Sep 2006 23:50:08 +0200

I'm a Swede and am a bit puzzled about the electronic voting that seems
to become so popular in the US.

As we are going to have a general election this Sunday (Sept 17), I
can't help making a comparison.

The precinct Avi was reporting from had over 1000 voters. The precinct I am
going to use this Sunday has around 1200 voters of which around 1000 usually
show up. Thus quite similar in size.

Avi had 12 machines and 16 judges, opening hours 0700 - 2200, long queues.

We have no machines (old-fashioned paper ballots) and 3 + 3 layman officials,
opening hours 0800 - 2000, no queues.

After 2000 (8 pm) the votes for the Swedish Parliament are hand-counted
at the precinct in the presence of all interested. That takes about one
hour. These results are then telephoned to the central authority.  All votes
are then recounted a couple of days later, to get the official result. This
recount is also performed in the presence of all interested.  All votes are
kept in sealed and secured boxes during transport.

What are the advantages with electronic voting? Reading Avi's blog makes one
wonder.


SSN-as-ID under scrutiny - again

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Tue, 12 Sep 2006 08:08:11 +0200

The insecure method of trying to use a verbal report of a U.S. Social
Security Number (SSN) as personal identification is coming under wider
scrutiny because of the brouhaha about the Hewlett-Packard board. The
Chairman apparently ordered an investigation into who was giving privileged
information to news media, and the investigators hired pretexters to obtain
phone records of board members.

Pretexters are people who use "social engineering" skills to impersonate a
third person while communicating with a service provider, in order to obtain
information about the services provided to that person. In this case, the
pretexters wanted to obtain the telephone-call records of HP board members.

The International Herald Tribune recounts the practice at
http://www.iht.com/articles/2006/09/11/business/hpspy.php in a story from
the New York Times by Matt Richtel and Miguel Helft.  One investigator who
helps auto-repossession agencies demonstrated:

  "In most cases [the investigator] said, he already had the Social Security
  number from the lien holder. But if necessary, he could find it in
  commercial databases. To demonstrate, he asked a reporter his full name
  and state of residence, and read him back his Social Security number
  within seconds." [op.cit.]

Among companies who have adapted belatedly to this reality are Verizon, who
apparently stopped using SSN as "a chief way to establish [a customer's]
identity" last year. Among those who have not yet adapted are AT&T, which
"[continues] to accept Social Security numbers as a central means of
identification."

The article discusses the legality of pretexting, which may already be
generally illegal in many jurisdictions and is so for particular goals such
as obtaining financial records, and efforts to make it more explicitly
illegal. The legality of pretexting is obviously a different issue from the
insecurity of authentication through SSN, just as the legality of thievery
is a different issue from whether I lock my front door when I leave the
house.

It has been known for years, and not just to RISKS readers, just how
dysfunctional the practice is of trying to authenticate people through basic
information such as residential address and SSN. Perhaps it persists because
the perpetrators (service companies) are not the sufferers (their
customers). There is, however, a general legal notion of "due diligence",
whereby if a company uses a method which is known to be ineffective, it can
be held responsible for deleterious consequences, as having not exercised due
diligence. So, when it becomes sufficiently "well known" that divulging SSN
is ineffective as authentication, practice could change. The HP story might
help to tip the scales.

Peter B. Ladkin,  Causalis Limited and University of Bielefeld
www.causalis.com   www.rvs.uni-bielefeld.de


New way to break into cars

<Gerrit Muller <gerrit.muller@embeddedsystems.nl>>
Tue, 12 Sep 2006 10:08:55 +0200

Dutch media report on a new way thieves are using to break into cars with
electronic locks, see for instance:
  http://www.rtvnoord.nl/nieuws/index.asp?actie=totaalbericht&pid=60184

In Stadskanaal, in the North of the Netherlands, at least 30 cars have been
illegally opened without any trace or damage.  Thieves appear mostly to look
for car documents. The police don't have any clue how the cars have been
opened. One of the possibilities being looked into is the existence of some
new electronic device acting as a passkey.

If such an electronic passkey exists, then we see the next phase in the
(electronic) security rat-race.

Gaudi systems architecting <http://www.gaudisite.nl/>


Thieves sabotage telecom infrastructure

<Gerrit Muller <gerrit.muller@embeddedsystems.nl>>
Tue, 12 Sep 2006 10:02:29 +0200

Several Dutch media report the sabotage of telecom infrastructure at
a business park in Blerick, near Venlo, in the South of the Netherlands, e.g.,
http://www.telegraaf.nl/binnenland/49777581/KPN_heeft_handenvol_aan_gesaboteerde_kastjes.html

In Blerick the cabinets of KPN (Dutch Telecom provider) were broken down.
Apparently the inflictors wanted to eliminate the security of businesses at
the park. They succeeded, and stole hundreds of thousands of Euros' worth from
DHL, the courier company.

The same attempt was made at the business park in Herkenbosch, another small
town in the South. However an attempt to break in at an attraction park here
didn't succeed, because the alarm was still functional.

This example again illustrates the often invisible dependencies of modern
interlinked systems. Many modern security services depend on public
infrastructure. How many of them have these single points of vulnerability?


Cops say teen concocted radio calls

<"S Hutto" <shuttoj@gmail.com>>
Mon, 11 Sep 2006 22:01:31 -0600

Westword, a Denver area weekly, has published a long article on the teen who
was arrested for impersonating an officer on local police radio bands in
2001.  According to the article, he had been routinely communicating on
police bands for about three months, requesting licence plate checks and
once reporting a fake hit-and-run accident.  He was found guilty and
sentenced to six months in the Division of Youth Corrections and two years'
probation.  The article provides some mundane technical details on the
incident.  RISKS readers may be interested in the somewhat dramatized events
and motivations that drove the teen to impersonate a law enforcement
officer.  In 2006, he was arrested and charged with impersonating an EMT and
theft by receiving.

The article will be available for some amount of time here:
http://www.westword.com/Issues/2006-08-31/news/feature.html


Regarding High-tech Product Sabotage (Mellor, RISKS-24.41)

<Phil Singer <psinger1@chartermi.net>>
Wed, 06 Sep 2006 20:17:39 -0400

During the early 1980's the place I worked at had a Honeywell-compatible
version of the venerable IBM 1401.  It came in several models (I don't
remember the model numbers - call them Model A for the lowest end up to
Model D for the top end).  We found out the hard way that the only
difference between them was one resistor - take it out and a Model A was as
fast as a Model D (but leased for tens of thousands less).  Our field
engineer did not like to waste time, so he always disconnected the resistor
when he did his P.M.  In fact he hated wasting time so much that he never
bothered to reconnect it.  On one periodic maintenance day, he was on
vacation and a somewhat more conscientious engineer took his place.  The
resistor was replaced.  The director wanted to know why everything slowed
down.  When he found out, he immediately terminated the lease.

  [This is indeed an old phenomenon.  Long ago, during my Bell Labs days, I
  requested an upgrade for a telephone modem, which was made by snipping a
  single wire with a disproportionate increase in the monthly rental.  PGN]


REVIEW: "Computer Security Basics", Lehtinen/Russell/Gangemi

<Rob Slade <rmslade@shaw.ca>>
Mon, 18 Sep 2006 11:57:20 -0800

BKCMPSEC.RVW   20060819

"Computer Security Basics", Rick Lehtinen/Deborah Russell/G. T.
Gangemi Sr., 2006, 0-596-00669-1, U$39.99/C$51.99
%A   Rick Lehtinen
%A   Deborah Russell
%A   G. T. Gangemi Sr.
%C   103 Morris St., Suite A, Sebastopol, CA   95472-9902
%D   2006
%G   0-596-00669-1
%I   O'Reilly and Associates, Inc.
%O   U$39.99/C$51.99
%O  http://www.amazon.com/exec/obidos/ASIN/0596006691/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0596006691/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596006691/robsladesin03-20
%O   Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P   296 p.
%T   "Computer Security Basics, Second Edition"

I've been waiting a long time for an updated version of this classic.

"Computer Security Basics" was a pretty accurate name for the first edition.
The book was an overview of many aspects that go into the security of
computers and data systems.  While not exhaustive, it provided a starting
point from which to pursue specific topics that required more detailed
study.  Such is no longer the case.

Part one looks at security for today.  Chapter one starts with 9/11, then
talks about various infosec groups, and only then gets to an introduction of
what security is, and how to evaluate potential loopholes.  The definition
points out the useful difference between the problems of confidentiality and
availability, and now adds integrity.  The distinction between threats,
vulnerabilities and countermeasures is helpful, but may fail to resolve
certain issues.  Ironically, in view of the title of this section, chapter
two gives some historical background to the development of modern data
security.

Part two deals with computer security itself.  Chapter three looks at access
control, but is somewhat unstructured.  Malware and viruses receive the
all-too-usual mix of advice and inaccuracies in chapter four.  Policy is
supposed to be the topic of chapter five, but most of the text is concerned
with matters of operations.  Internet and Web technologies, and a few
network attacks, are listed in chapter six.

The prior inclusion of network topics is rather funny, since part three
delves into communications security.  Chapter seven turns first to
encryption, which could be presumed to have applications in more than
communications, although it is important in that field.  The material on
encryption is quite scattered and disorganized, and the explanation of
asymmetric systems is probably more confusing than helpful.  A lot about
networks, a list of network security components, and not much that is useful
makes up chapter eight.

Part four turns to other types of security.  Chapter nine takes a confused
look at physical security, and includes biometrics: as with encryption and
communications, the topic that could be related to physical security, but
might more properly be dealt with elsewhere.  Chapter ten reviews wireless
LANs, mentioning threats, but only tersely listing security measures, with
no detail for use or implementation.

The original version of the book was a good starting point for beginners who
had to deal with computer security at a basic level.  This second edition is
a tremendous disappointment: Lehtinen has done a disservice not only to
Russell and Gangemi, but also to those relying on this foundational guide.
The tone of the first edition may have been too pompous, but the contents
were informed by the primary concerns for information security.  This update
has introduced random new technical trivia, muddied the structure and flow,
and reduced the value of the reference overall.

copyright Robert M. Slade, 1993, 2002, 2006   BKCMPSEC.RVW   20060819
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm
