The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 50

Friday 15 December 2006

Contents

Florida's Voting System Certification
Rebecca Mercuri
Midair Collision in Brasil
Peter B. Ladkin
Don't Try to Program and Fly at the Same Time
Peter B. Ladkin
RFID access control tokens widely open to cloning
Adam Laurie
How Pop-Ups Could Brand You a Pervert or Crook
Lauren Weinstein
No computer issues in Kim family navigation error
Andrew Klossner
Time Warner Cable / Showtime Major Fubar
Simon Higgs via Dave Farber
*The Guardian*'s billing dept. aids identity theft
Nik Clayton
REVIEW: "Understanding and Managing Cybercrime", Samuel C. McQuade
Rob Slade
Info on RISKS (comp.risks)

Florida's Voting System Certification

<"R. Mercuri" <notable@mindspring.com>>
Thu, 14 Dec 2006 13:32:21 -0500

I had the opportunity to review the Florida Voting System Standards (at
<http://election.dos.state.fl.us/laws/proposedrules/pdf/dsde101Form.pdf>)
and have found them to be inadequate in numerous regards. My 3-page comment
on the potential inequities, inadequacies and omissions of Florida's voting
system certification process can be found at
<http://www.notablesoftware.com/Papers/FLVSSRMComment.pdf>

Rebecca Mercuri.
Permission granted to post and forward this e-mail message in its entirety.


Midair Collision in Brasil

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Wed, 13 Dec 2006 19:49:23 +0100

On 29 Sep 2006, a midair collision occurred in Brazil on Airway UZ6, between
Brasilia and Manaus, at Flight Level (FL) 370 (an altitude at an air
pressure equal to that at 37,000 ft in an International Standard
Atmosphere).  An Embraer Legacy business jet, on a delivery flight from the
manufacturer to a U.S. owner, apparently collided with a B737 transport
aircraft, GOL Flight 1907.  The GOL aircraft subsequently broke up in flight
and crashed into the jungle, with the loss of all on board. The Legacy
continued flying and made an emergency landing at a military airbase. New
York Times columnist Joe Sharkey was on board and related the tale. (David
Magda noted this accident in RISKS-24.45.)

Both aircraft were equipped with Honeywell's TCAS 2000 collision-avoidance
systems. It has not yet been determined why the collision avoidance systems
did not issue a warning. It is suspected that the Legacy transponder, an
essential component on which the TCAS is dependent, was not operating but it
has not yet been determined why this would have been so.  Transponders on
other Embraer jets have been recently subject to an Airworthiness Directive
(AD) from the U.S. FAA because of incidents in which the transponders have
ceased operating during a code change without sufficient notification to the
pilots, but it has been pointed out that this AD is not related to the
Brazilian midair (as far as one can tell).

The flight plan of the Legacy called for an altitude of FL 360 when joining
UZ6. However, the Legacy had been previously cleared to FL 370, and had
subsequently lost contact with ATC, who had tried but failed to issue a
descent to FL 360.  US rules under such circumstances require pilots
sometimes to maintain last cleared FL; sometimes to revert to flight plan,
according to circumstance. I know of no source which clearly states
Brazilian rules. The GOL aircraft was cleared on UZ6 in the opposite
direction at FL 370.

The Legacy pilots have had their passports impounded and an investigation is
underway to determine whether they have any criminal responsibility. Besides
the human cost (they are holed up in a hotel in Rio with their lawyer and
don't go outside), such a judicial process in advance of the causal
investigation has been criticised by the Flight Safety Foundation, the
(British) Royal Aeronautical Society, the (French) Academie Nationale de
l'Air, and the Civil Air Navigation Services Organisation. FSF President
Bill Voss has said "We are increasingly alarmed that the focus of
governments in the wake of [civil aircraft] accidents is to conduct lengthy,
expensive and highly disruptive criminal investigations in an attempt to
exact punishment, instead of ensuring the free flow of information to
understand what happened and why, and prevent recurrence of the tragedy"
(cited in Pierre Sparaco's column A European Perspective, entitled
"Unwarranted Criminalisation", in Aviation Week and Space Technology,
13 Nov 2006, p43. Sparaco has addressed this issue three times this
year, the first two on 22 May 2006, p45 and 3 Jul 2006, p42, in the wake
of the Concorde accident, and the fourteen-year-old Mont St.-Odile accident,
which only this year came to court: the defendants were acquitted.) Similar
jurisdiction conflicts arise in Germany, with investigations into accidents
on the railways, and have been most recently pointed out in consequence of
the Maglev accident (Weber-Wulf, RISKS-24.45; Weber-Wulf, Virtel, Ladkin,
RISKS-24.44).

But the computer-risk connection is this time not with TCAS.

David Kaminski-Morrow reported in Flight International, 5-11 Dec 2006, p15,
that the Cindacta-1 display software running at the ATC center controlling
the flights can automatically update altitude-clearance information without
controller intervention. As the Legacy joined UZ6, the system automatically
updated the Legacy's cleared flight level to FL 360. "Loss of the Legacy's
transponder information [which includes the actual FL] shortly afterwards
... eliminated a crucial indication to controllers that there was a mismatch
over its altitude." In other words, the Legacy was flying at FL 370 and the
controller's display was showing FL 360.

I omit the justified criticism from the Brazilian arm of the International
Federation of Air Traffic Controllers' Associations, which visited the
Cindacta-1 center and discovered this, um, feature of the SW, because I am
sure that RISKS readers can supply their own, similar, reactions.

Peter B. Ladkin, Causalis Limited and University of Bielefeld
www.causalis.com        www.rvs.uni-bielefeld.de
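The display behaviour described above, reduced to a small model as an added example (this is not the Cindacta-1 software or any code from the original post; the track structure, the function names and the "unverified" status are assumptions made for illustration). It puts the weak design, in which the cleared level is rewritten from the flight plan and the only mismatch cue depends on a live transponder report, beside a conservative display that keeps the last reported level visible and labels a level it can no longer verify:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Track:
    callsign: str
    cleared_fl: int                      # level ATC believes the aircraft should hold
    reported_fl: Optional[int] = None    # current Mode C level from the transponder; None when lost
    last_known_fl: Optional[int] = None  # most recent report, retained for the controller


def receive_report(track: Track, fl: int) -> None:
    """A transponder (Mode C) level report arrives."""
    track.reported_fl = fl
    track.last_known_fl = fl


def lose_transponder(track: Track) -> None:
    """Transponder stops, for whatever reason: no further level reports."""
    track.reported_fl = None


def auto_update_on_airway_join(track: Track, flight_plan_fl: int) -> None:
    """The behaviour described in the report: the cleared level is rewritten from
    the flight plan when the aircraft joins the airway, without controller action."""
    track.cleared_fl = flight_plan_fl


def display_weak(track: Track) -> dict:
    """Weak display: the cleared level is shown as fact, and the mismatch cue
    exists only while a live report contradicts it."""
    mismatch = track.reported_fl is not None and track.reported_fl != track.cleared_fl
    return {"shown_fl": track.cleared_fl, "mismatch": mismatch}


def display_conservative(track: Track) -> dict:
    """Conservative display (assumed design): a level that cannot be verified is
    labelled as such and the last reported level stays visible, so losing the
    transponder cannot make a disagreement disappear from the screen."""
    if track.reported_fl is None:
        status = "unverified"
    elif track.reported_fl != track.cleared_fl:
        status = "mismatch"
    else:
        status = "verified"
    return {"cleared_fl": track.cleared_fl,
            "last_known_fl": track.last_known_fl,
            "status": status}


def replay() -> list:
    """Replays the sequence in the report with both displays side by side.
    Returns [(step, weak_view, conservative_view), ...]."""
    t = Track("LEGACY", cleared_fl=370)
    receive_report(t, 370)                           # aircraft actually at FL 370
    states = []
    auto_update_on_airway_join(t, flight_plan_fl=360)  # display's cleared level becomes 360
    states.append(("after_join", display_weak(t), display_conservative(t)))
    lose_transponder(t)                              # the crucial indication is lost
    states.append(("after_transponder_loss", display_weak(t), display_conservative(t)))
    return states


if __name__ == "__main__":
    for step, weak, conservative in replay():
        print(step, "| weak:", weak, "| conservative:", conservative)
```

After the join, both displays show the disagreement between FL 360 and FL 370. Once the transponder report stops, the weak display shows FL 360 with no mismatch flag, which is the situation the controllers faced; the conservative display still shows the last known FL 370 and marks the level as unverified.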


Don't Try to Program and Fly at the Same Time

<"Peter B. Ladkin" <ladkin@rvs.uni-bielefeld.de>>
Wed, 13 Dec 2006 19:55:39 +0100

David Learmount reports in Flight International, 12-18 Dec, p16, on a
Ryanair B737-800 which almost flew into terrain on 23 Mar 2006, on approach
to Knock airport, Ireland. The Irish Air Accident Investigation Unit (AAIU)
determined the principal cause to be that the "pilots fixated on
reprogramming the flight management computer (FMC) while the aircraft
continued its descent". A contributory cause was reported to be a "systemic
failure" at the airline and the chart supplier Jeppesen (owned by Boeing)
that failed to supply the pilots with up-to-date information about the
navigation aids available at Knock.

Peter B. Ladkin, Causalis Limited and University of Bielefeld
www.causalis.com      www.rvs.uni-bielefeld.de


RFID access control tokens widely open to cloning

<Adam Laurie <adam.laurie@thebunker.net>>
Mon, 11 Dec 2006 17:57:55 +0000

Too many systems to itemize here rely on the 'unique ID' of an RFID token to
grant access to a system or building, and, in the case that these tokens are
based on 125kHz or 134.2kHz standard tags, many of them may be vulnerable to
relatively simple cloning attacks.

In a way this is nothing new - several researchers have previously presented
attacks whereby RFID tags were emulated by custom built circuits which were
able to fool readers into thinking that a genuine tag had been presented.
However, the industry response was normally that this was not a 'real'
threat, as it required specialist knowledge and equipment, and the resulting
device was not a 'true clone' as it didn't have the same form factor as the
original.

The difference here is that the 'clone' may actually follow the same form
factor as the original, and is therefore indistinguishable not just to the
reader, but also to the human eye. In addition, no specialist equipment or
custom circuitry is required, and the 'clones' can be produced using off the
shelf equipment, software and blank tags purchased perfectly legally over
the Internet. In fact, the tags are only doing what they were designed to do
in the first place: implement industry standards.

The problem is that many security system suppliers are integrating industry
standard tag readers, and promoting the 'uniqueness' of the tag ID as a
guaranteed certainty when it isn't, and thereby compromising the security of
the entire system.

The two specific tag types I've looked at are:

 * Trovan 'Unique', aka EM4x02
 * FDX-B, aka EM4x05 - ISO-11784/5 (animal tags)

The description of the 'Unique' tag, from the Trovan website is as follows:

"The TROVAN UNIQUE (c) Read-Only System is well-suited to applications that
require a high level of data security. Unlike other vendors' factory
preprogrammed lines, the protocol of the TROVAN UNIQUE (c) line is patented,
providing unmatched protection against unauthorised third-party
cloning. Each transponder is programmed with a unique 10-digit ID code
during manufacture. Comprehensive automatic test methods ensure that no code
exists in duplicate in any of the TROVAN UNIQUE (c) transponder types, and
that codes are programmed correctly in a readable manner. Once the code is
programmed at the time of the transponder's manufacture, it cannot be
counterfeited or tampered with.  A total of 550 billion unique ID codes is
available."

Q5 are general purpose, multi-standard tags, that are capable of emulating
other devices. I found that it was a standard feature of the Q5 chip to
emulate a 'Unique' tag, and it was trivial to program a duplicate ID into
one. The resulting tags were tested against three different systems that I
have access to, and all three systems were unable to distinguish between the
original and the 'clone'.

In response to my questioning the security of the Unique tags, the response
I got from Trovan was: "There are a variety of H4102 versions, some of which
can be emulated by a Q5 tag. Our tags are a custom version of the H4100
tag."

It should be noted that I am not pointing the finger at Trovan devices here,
but the 'Unique' standard some of their tags implement and which are
generally available as a generic tag type - it is sometimes hard to tell
exactly whose devices or tags are used in a specific installation, but
suffice it to say that I have found 3rd party systems (one at a very recent
security systems show in London) that were vulnerable to EM4x02 style
cloning. The equipment required to do this was a laptop and off the shelf
RFID reader/writer, but it could just as easily have been a small handheld,
and so a credible threat exists of simply swiping an access tag ID in a
'walk-by' of someone leaving a building, and then producing a clone which
will give full access.

I am also able to produce what seem to be accurate clones of FDX-B tags
(such as the one in my dog), and also VeriChip tags, in as much as a
standard FDX-B reader such as you might find at your local vet will not be
able to tell the difference. I have not been able to test if a genuine
VeriGuard system would also be fooled, but VeriCorp's response when I took
it up with them was:

"You can take a write-once and re-writable chip and put the VeriGuard ID
number on this chip, and a lot of readers will read the ID and including the
VeriGuard reader. I can not tell you every but their three things that tell
are unit that it is a VeriChip 16 digits not 15, timing and one other
thing. We call it copying not cloning because the can't get all the
information need to send to the VeriGuard reader at the right time." [sic]

The latest release of the open source python library, RFIDIOt (v0.1h),
contains tools for programming both EM4x02 and EM4x05 tag IDs to Q5 or
Hitag2 tags, and I would suggest that if you own (or supply) systems based
on either of these standards, that you use them to audit for this
vulnerability.

Full details at http://rfidiot.org

Adam Laurie, The Bunker Secure Hosting Ltd., Ash Radar Station, Marshborough
Road, Sandwich Kent CT13 0PL UK +44 (0) 1304 814800 http://www.thebunker.net
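Where the reader cannot distinguish a cloned tag from the original, the remaining place to notice a duplicated ID is the access-control backend. The following is an added example, not code from the original post or from RFIDIOt: an audit over a constructed access log that flags the two classic symptoms of a copied token, the same ID presented at two sites closer together in time than a person could travel, and the same ID entering a site it has not left (anti-passback). The log format (ISO timestamp, reader named SITE-DOOR-DIRECTION, tag ID, decision) and the minimum travel times are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, reader (SITE-DOOR-DIRECTION), tag ID, decision.
SAMPLE_LOG = """\
2006-12-11T08:01:10 LONDON-LOBBY-IN     0A0B0C0D0E granted
2006-12-11T08:03:00 LONDON-LOBBY-IN     1122334455 granted
2006-12-11T08:05:00 MANCHESTER-MAIN-IN  0A0B0C0D0E granted
2006-12-11T08:10:00 LONDON-LOBBY-IN     1122334455 granted
2006-12-11T09:00:00 LONDON-LOBBY-IN     99AABBCCDD granted
2006-12-11T09:30:00 LONDON-LOBBY-OUT    99AABBCCDD granted
2006-12-11T12:00:00 LONDON-LOBBY-OUT    1122334455 granted
2006-12-11T12:30:00 LONDON-LOBBY-IN     1122334455 granted
"""

# Assumed minimum travel time between sites; a shorter gap is physically implausible.
MIN_TRAVEL = {frozenset({"LONDON", "MANCHESTER"}): timedelta(hours=2)}


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, tag, decision = line.split()
        site, _door, direction = reader.split("-")
        events.append({"ts": datetime.fromisoformat(ts), "reader": reader,
                       "site": site, "direction": direction,
                       "tag": tag, "decision": decision})
    events.sort(key=lambda e: e["ts"])
    return events


def impossible_travel(events: list) -> list:
    """Same tag ID granted at two sites within less than the assumed travel time."""
    findings = []
    last_seen = {}  # tag -> previous granted event
    for e in events:
        if e["decision"] != "granted":
            continue
        prev = last_seen.get(e["tag"])
        if prev is not None and prev["site"] != e["site"]:
            needed = MIN_TRAVEL.get(frozenset({prev["site"], e["site"]}))
            if needed is not None and e["ts"] - prev["ts"] < needed:
                findings.append(("impossible_travel", e["tag"],
                                 prev["reader"], e["reader"]))
        last_seen[e["tag"]] = e
    return findings


def anti_passback(events: list) -> list:
    """Same tag ID granted entry to a site it is already believed to be inside.
    Only perimeter (IN/OUT) readers are modelled here."""
    findings = []
    inside = set()  # (tag, site) pairs currently believed inside
    for e in events:
        if e["decision"] != "granted":
            continue
        key = (e["tag"], e["site"])
        if e["direction"] == "IN":
            if key in inside:
                findings.append(("anti_passback", e["tag"], e["reader"],
                                 e["ts"].isoformat()))
            inside.add(key)
        elif e["direction"] == "OUT":
            inside.discard(key)
    return findings


def audit(text: str) -> list:
    """Run both checks over a log and return all findings."""
    events = parse_log(text)
    return impossible_travel(events) + anti_passback(events)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Neither check proves a clone exists: a lent card produces the same pattern. Their value is that a static-ID system otherwise has no signal at all, so a duplicated ID surfaces as an investigable event rather than as a silent, fully authorised entry.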


How Pop-Ups Could Brand You a Pervert or Crook

<Lauren Weinstein <lauren@vortex.com>>
Mon, 11 Dec 2006 16:00:18 -0800

                 How Pop-Ups Could Brand You a Pervert or Crook
                  http://lauren.vortex.com/archive/000203.html

Greetings.  An article in *The New York Times* today explores the problem of
Web-based "pop-up" ads being used to artificially inflate Web traffic.
http://www.nytimes.com/2006/12/11/technology/11push.html

I'd like to point out a potentially much more serious problem related to
pop-ups that can access arbitrary Web sites -- they could be used for
purposes that could get innocent Web users into major legal problems.

The issue of sites triggering unsolicited access to other sites is not new.
In an IP message over a year ago ("Google's new feature creates another user
privacy problem" --
http://lists.elistx.com/archives/interesting-people/200506/msg00190.html ),
I discussed how Google's triggering of top item "prefetch" in returned
search results could result in Firefox browsers visiting the referenced site
-- and collecting any associated cookies -- without users' knowledge (I also
suggested ways to prevent this behavior).

The essential problem is that Web logs that record users' access to sites
would record such visits as if they had been voluntarily initiated by those
users.  If those destinations happen to be sites with various forms of
"illicit" materials that could be the subject of government or other
investigations that would go digging through associated access logs...
Well, you can imagine the possible complications.

Google's prefetch behavior is an example of a well-intended feature with
unfortunate negative side-effects.

On the other hand, the sorts of nefarious pop-ups described in the NYT piece
have much greater potential for intentionally serious sorts of damage, since
they can be far more flexible and directed than simple Web prefetches, and
so could put innocent consumers at even greater risk.  They might not only
access pages that could get people arrested (perhaps c-porn?), but also
download files that could trigger RIAA and/or MPAA "automatic" lawsuits, or
any number of other nightmare scenarios.

It's fair to ask why anyone might want to set loose such technical monsters
on innocent victims.  The simple answer is that there are quite a few people
out there who just want to score a point -- to prove that they can do it --
plus of course the sick minds who enjoy watching other people suffer.

If nothing else, this specter is yet another reason to block all pop-ups
routinely and to disable browser prefetch as appropriate.  Most of all it is
a reminder to authorities that just because particular entries are present
in subpoenaed Web logs, does not necessarily mean that they are accurate
representations of user intent.  In many cases you may actually be looking
at victims, not perpetrators.

Lauren Weinstein lauren@vortex.com or lauren@pfir.org  +1 (818) 225-2800
http://www.pfir.org/lauren http://lauren.vortex.com http://daythink.vortex.com


No computer issues in Kim family navigation error

<Andrew Klossner <andrew@cesa.opbu.xerox.com>>
Mon, 11 Dec 2006 09:55:08 -0800

The Kim family were not misled by computerized navigation.  They fell
off their plotted route when they missed an exit on I-5, then tried to
reroute using paper maps.  The fatal error was that they mistakenly
turned onto a road whose gate had been closed and locked for the
winter but which had been broken open by vandals.

  [Perry Clarke had a similar take.  PGN]


Time Warner Cable / Showtime Major Fubar [From Dave Farber's IP]

<Simon Higgs <simon@higgs.com>>
Thu, 14 Dec 2006 15:48:51 -0800

Time Warner Cable are mailing out Christmas cards to their customers with an
offer for a free DVD promoting the Showtime cable channel.

The instructions are simple. Customers visit a web page provided with the
Christmas card and enter their phone number associated with their
account. There's also a privacy notice on the resulting web page that says:

"Privacy notice: Time Warner Cable respects the relationship we have with
our subscribers. We will never sell or disclose your personal account
information or e-mail address."

After entering their phone number, customers then receive a confirmation
page with their name, address and telephone number printed on it.

You guessed it. Anyone who knows the location of the Showtime offer can go
fishing for Time Warner Cable customer names, addresses and telephone
numbers just by entering random phone numbers.
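The lookup described above, as an added example (not Time Warner Cable's code, and the customer records, offer codes and rate limits are constructed for illustration): the weak handler, which confirms and echoes account details for any phone number entered, beside a hardened one that requires the code printed on the mailed card, answers unknown numbers and wrong codes identically, limits attempts per client, and returns only a masked hint rather than the account holder's details.

```python
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed customer records keyed by phone number (no real subscribers).
CUSTOMERS = {
    "5550101": {"name": "A. Subscriber", "address": "1 Example Road, Anytown"},
    "5550102": {"name": "B. Subscriber", "address": "2 Example Road, Anytown"},
}

# Constructed: each mailed card carries a random one-time offer code tied to the account.
OFFER_CODES = {"5550101": "K7Q2-9ZP4", "5550102": "M3XD-41HB"}


def lookup_weak(phone: str) -> dict:
    """Weak design from the report: any phone number that matches an account
    returns the subscriber's name and address."""
    c = CUSTOMERS.get(phone)
    if c is None:
        return {"error": "no such account"}       # also confirms which numbers are customers
    return {"name": c["name"], "address": c["address"], "phone": phone}


class RateLimiter:
    """Sliding-window attempt counter per client (assumed limits)."""

    def __init__(self, limit: int = 5, window: timedelta = timedelta(minutes=10)):
        self.limit, self.window = limit, window
        self.hits = defaultdict(list)

    def allow(self, client: str, now: datetime) -> bool:
        recent = [t for t in self.hits[client] if now - t < self.window]
        self.hits[client] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True


def mask_address(address: str) -> str:
    """Keep only the town so the response is recognisable to the real customer
    but useless to someone guessing numbers."""
    return "***, " + address.rsplit(", ", 1)[-1]


def lookup_hardened(phone: str, offer_code: str, client: str,
                    now: datetime, limiter: RateLimiter) -> dict:
    """Hardened design: rate limit, second factor from the card, one error
    message for every failure mode, and no personal details in the reply."""
    if not limiter.allow(client, now):
        return {"error": "too many attempts"}
    expected = OFFER_CODES.get(phone, "")
    # Always run the comparison so an unknown number is not distinguishable by timing.
    code_ok = hmac.compare_digest(expected.encode(), offer_code.encode())
    if not code_ok or phone not in CUSTOMERS:
        return {"error": "we could not match that offer"}
    return {"status": "DVD will be mailed to the address on file",
            "address_hint": mask_address(CUSTOMERS[phone]["address"])}


def sweep_weak(numbers: list) -> int:
    """How many subscriber names a sweep of guessed numbers extracts from the weak handler."""
    return sum(1 for n in numbers if "name" in lookup_weak(n))


def sweep_hardened(numbers: list) -> tuple:
    """Same sweep against the hardened handler without a card code.
    Returns (names_leaked, attempts_blocked_by_rate_limit)."""
    limiter = RateLimiter()
    t0 = datetime(2006, 12, 14, 12, 0, 0)
    leaked = blocked = 0
    for i, n in enumerate(numbers):
        r = lookup_hardened(n, "0000-0000", "203.0.113.7", t0 + timedelta(seconds=i), limiter)
        leaked += "name" in r
        blocked += r.get("error") == "too many attempts"
    return leaked, blocked


if __name__ == "__main__":
    guesses = ["555010%d" % i for i in range(10)]
    print("weak handler leaked names:", sweep_weak(guesses))
    print("hardened handler (leaked, blocked):", sweep_hardened(guesses))
```

The point of the masked hint is that the legitimate customer still gets a usable confirmation, while the page no longer functions as a reverse phone directory. The card code is the factor the guesser does not have; the identical error message and the rate limit stop the page from confirming which numbers belong to accounts at all.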


*The Guardian*'s billing dept. aids identity theft

<Nik Clayton <nik@ngo.org.uk>>
Thu, 14 Dec 2006 21:45:47 +0000

This is a repost from my blog:

     http://jc.ngo.org.uk/blog/2006/12/14/identify-theft/

I've just discovered that I've been an unwitting participant in an identity
theft.

But not, perhaps, in the way that you might imagine.

Some of my writing recently made it into *The Guardian*.  As is the way of
these things *The Guardian* like to pay their writers, so I sent off my
details to their billing department and waited for the money to come rolling
in (as you do).

It turns out that, by an odd coincidence, I'm not the only Nik Clayton to
write for *The Guardian*. I'm not even the first. This other Nick Clayton
(note the extra c) has written a number of columns for them, and they're
also about technology matters.

This much became apparent when I received an e-mail from *The Guardian*'s
billing department today confirming that they had dispatched payment for two
articles that Nick had written to me. This e-mail contained Nick's name and
address details, and the payment details (amounts) for the articles he's
written. But it also contains my bank details (account number and sort
code). The money hasn't been deposited into my account yet, but I imagine
it soon will be.

A bit of Googling turned up Nick's site, and a bit more Googling turned up a
phone number, so I've called him, and had the slightly surreal experience
of:

  NC: Good evening. Could I speak to Nick Clayton?

  TG: Speaking

  NC: Hi. It's Nik Clayton here!

Now I know how Dave Gorman must feel.

I've tried calling The Guardian's billing department but the number given in
the e-mail redirects to voice mail at the moment, so I'll be in touch with
them again tomorrow morning.

There are at least four risks here.

First, The Guardian's billing department will apparently change the sort
code, bank account, and e-mail address details that they hold for writers on
the basis of a single unauthenticated e-mail. My message to them was:

   Charles Arthur asked me to send my payment details for
   http://technology.guardian.co.uk/online/insideit/story/0,,1954392,00.html
   to you.

   Sort code is ZZ ZZ ZZ, the account number is ZZZZZZZZ.

   Please let me know if there are any problems.

Second, when they pay their writers they send out an e-mail that contains,
in clear, the writer's name, reference number, full address, sort code, bank
account number, and the values of the payments. This may well be enough to
carry out a social engineering attack.

Third, this could easily have gone the other way, and my bank account
details could have been forwarded to Nick Clayton. Had he been nefarious I
imagine that (given that we share the same name) these could have been used
to carry out a very effective identity theft.

Fourth, had I not been quite so honest I could probably have got away with
this for some time --- at the very least, continuing to earn interest on the
money that The Guardian have paid.

Hmm. I wonder if The Guardian would like to use this as the basis for an
article.


REVIEW: "Understanding and Managing Cybercrime", Samuel C. McQuade

<Rob Slade <rMslade@shaw.ca>>
Mon, 11 Dec 2006 12:08:15 -0800

BKUMCBCR.RVW   20061105

"Understanding and Managing Cybercrime", Samuel C. McQuade, 2006,
0-205-43973-X
%A   Samuel C. McQuade scmcms@rit.edu
%C   75 Arlington Street, Boston, MA   02116
%D   2006
%G   0-205-43973-X
%I   Allyn and Bacon (Pearson)
%O   U$60.80/C$77.200 www.ablongman.com
%O  http://www.amazon.com/exec/obidos/ASIN/020543973X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/020543973X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/020543973X/robsladesin03-20
%O   Audience i+ Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   500 p.
%T   "Understanding and Managing Cybercrime"

The preface states that this book should be considered an introductory text
to the field of cybercrime (although it does not define what that topic is
until chapter one of the book).  The guide is addressed to two audiences of
students, those in the field of information technology administration and
management, and those in the field of criminology.  McQuade suggests that
the work can be used as a primer in basic courses expounding on information
systems security, and may also be used as a supporting volume for curricula
in sociology, law, public administration, public policy, or ethics courses
that deal with information system crime and abuse.  In the Foreword, Charles
Wellford notes the increase in significance of crimes related to, or
perpetrated via the use of, computers.  Whereas crime statistics of
traditional types have been falling in recent years, cybercrime has exploded
in an environment where traditional law enforcement has been largely
unprepared.

Part one introduces the field, and outlines the growth, of cybercrime.
Chapter one starts out with a valuable addition to the discussion of the
sociology of cybercrime: the concept of "relative" normality and deviance of
behaviour in a new and rapidly changing field.  The author then moves on to
note the range of terms and activities covered under the cybercrime
reference, and to note the importance of defining those terms not only in
regard to research, but particularly in relation to law and prosecution.
(Sam, since I have attacked the whole *concept* of salami scams for years,
and have received only a single [and minimal: the "drive-through" incident
noted in the RISKS-FORUM Digest] instance of one occurring, you can*not*
expect me to let footnote 11 pass unchallenged: it should be a documented
citation, not a mere explanation.)  The questions provided at the end of the
chapter are not simply reading checks, but thoughtful items to prompt
discussion of critical concepts.  The protection of information and other
assets is covered in chapter two, starting with the nature of information
itself, moving through the standard concepts of information security, and
ending up with critical infrastructure protection (which may be a bit of
overkill).  Chapter three reviews the various types of cyber attacks and
crimes.  I was intrigued to note the inclusion of a section on academic
computer abuses (generally a neglected topic), and pleased with the
realistic assessment of cyberterrorism, but the structure and taxonomy of
attacks could use some work.  In addition, the material on malware is quite
weak: the definitions for differing types are better than many in general
security works, but many of the surrounding explanations are false or
misleading.  For example, McQuade partially uses the Cohenesque definition
that viruses must infect existing programs (which is no longer true of
recent versions), and implies that a user is required for viral reproduction
and spread (viruses generally require some user action for invocation, but
spread is usually automated).  Additionally, he makes the rather
questionable assertion that the skills necessary for creating malware are
the same as those required to defend national security.  The psychology of
cybercriminals and abusers is reviewed in chapter four, which also provides
a very detailed classification for social engineering, and Donn Parker's
SKRAM (skill, knowledge, resources, access, motivation) model for assessing
attackers.  McQuade notes the difficulty in getting agreement on a profile
for computer abusers, but does not address the changing style of attacks and
attackers over time.

It is interesting that chapter four is not contained within part two, which
addresses social thought on cybercrime.  Chapter five, in a sense, extends
chapter four's discussion of categories of criminals by providing an
overview of major criminologic theories: it would have been interesting to
see the classification schema analyzed in light of the hypotheses, but
simply having the philosophies outlined here is a major contribution to the
information security literature.  In assessing the impact of cybercrime, in
chapter six, McQuade notes that there is both economic and social damage to
be determined.  However, this merely exacerbates an existing problem: the
author also points out the lack of reliable information, even in regard to
economic losses alone.  It is difficult to know what to make of chapter
seven.  Titularly it promises emerging and controversial topics in
cybercrime.  However, the discussion of the necessity for attack skills in
regard to defence (promised in chapter three) never appears.  The topics
that are presented would seem to extend either the first section of chapter
one (noting that computers are changing various activities in society), or
chapter three (listing different types of attacks).

Part three moves to the management of cybercrime: prevention and protection.
Although chapter eight deals with legal philosophies and types of laws, most
of the material is only relevant to the United States.  The limitations on
investigators, which are the primary content of chapter nine, are again mostly
restricted to the United States.  There is material on investigation and
computer forensics (although network and software forensics do not appear to
be covered), but it is fairly brief.  Chapter ten's review of information
security is oddly disjointed: parts are academic in tone, parts read like a
"secure your home computer" pamphlet, and parts promote risk assessment
models best suited to major corporations.  Future activities (mostly at the
federal government level) that might help reduce cybercrime make up one part
of chapter eleven; the other is a discussion of computer ethics.

The book is readable, and entertaining in sections.  Most of the information
is reasonable.  However, suggesting this as a sole text for an information
security course would be unwise: it is weak in a number of technical areas.
As an adjunct text it would be excellent: the law enforcement perspective is
all too often neglected in security literature.

copyright Robert M. Slade, 2006   BKUMCBCR.RVW   20061105
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm
