The Risks Digest

The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 62

Wednesday 4 April 2007

Contents

TJX ID theft: 45.7M and counting ...
PGN
Nothing succeeds like failure
PGN
Risk of depending on a half-used system
David Lesher
Visitor Tagging abandoned for US VISIT
George Michaelson
A couple of unrelated risks
Jay R. Ashworth
Opposition to e-voting grows in France
Elaine Sciolino via PGN
Re: NEDAP, the Dutch chess-playing voting machine
Debora Weber-Wulff
Re: Yet more privacy risks from copiers
Alistair McDonald
Re: 'Tamperproof' autopilot for passenger jets to avoid hijacks
Rick Damiani
Re: Insured car wrongly crushed
Tony Woolf
AMEX prepaid cards can be forced into overdraft
Charles Hanes
10TH IEEE High-Assurance Systems Engineering Symposium CFP
Jicheng Fu
REVIEW: "Botnets: The Killer Web App", Craig A. Schiller et al.
Rob Slade
REVIEW: "Beyond COSO", Steven J. Root
Rob Slade
Info on RISKS (comp.risks)

TJX ID theft: 45.7M and counting ...

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 30 Mar 2007 9:53:08 PDT

At least 45.7 million credit and debit card numbers from customers in the
United States, Britain and Canada were stolen over a period of several years
from the computers of TJX. ...  The computer breach is significant not only
because of its scope but also because the hacker or hackers had access to
the decryption tool used to decipher sensitive encrypted information and an
ability to intercept data as shoppers' credit transactions were being
approved.  [1]

Encryption alone is no panacea for threats to consumer data.  ... recent
details ... show how encryption can be defeated by clever thieves -- and
suggest the breach may have been an inside job.  [2]

[Sources (PGN-ed):
1. Ellen Nakashima and Ylan Q. Mui, Data Theft Grows To Biggest Ever;
   Fraudulent Purchases Pop Up in Breach Of 45.7 Million Shoppers' Records
   *The Washington Post*, 30 Mar 2007
2. TJX breach shows that encryption can be foiled
   Ross Kerber, *The Boston Globe*, 31 Mar 2007]
http://www.boston.com/business/globe/articles/2007/03/31/tjx_breach_shows_that_encryption_can_be_foiled/


Nothing succeeds like failure

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 4 Apr 2007 11:06:39 PDT

RISKS has included items on some of the largest system development failures.
An article by Shane Harris documents difficulties uncovered by Siobhan
Gorman, going back to the failure of the National Security Agency's $1.2
billion Trailblazer electronic filtering system development, and continuing
with Turbulence, a new data-sniffing system development that is costing
about half a billion dollars annually and also in trouble.  The article also
notes previous development failures of the FBI and IRS.  A few excerpts:

  "The reasons for these disasters are well-documented and maddeningly
  similar: insufficient agency management, contractors that over promised
  and anemic-to-nonexistent congressional oversight."

  SAIC, the company NSA hired to fix Trailblazer in 2002, was the lead
  contractor on the FBI's Virtual Case File [RISKS-23.89 and 24.03].
  "And according to its 2006 proxy statement, SAIC is running another NSA
  program called ExecuteLocus, which it describes as a successor to
  Trailblazer.  Out-of-control projects breed more projects ostensibly to
  right what went wrong."

  "Even if they don't know why, there's a reason people keep making the same
  mistakes: Failure is one of the most successful things going."

[Source: Shane Harris <sharris@nationaljournal.com>, The Success of Failure,
*National Journal*, 4 Apr 2007; PGN-ed]
  http://www.govexec.com/dailyfed/0407/040407mm.htm


Risk of depending on a half-used system

<"David Lesher" <wb8foz@panix.com>>
Fri, 30 Mar 2007 00:24:34 -0400 (EDT)

'Electronic Medical Records' are one of the latest "Gee Whiz; we aren't
keeping up with the Jones" issue in both private & USG arenas.  Aetna is
even running TV ads hoping you'll surrender all your private medical records
to their database...and whomever gets into it, with or without your
permission.

But besides the obvious privacy sacrifice, there's another gotcha.  If the
treating hospitals & MD's assume 'the computer knows all' then when it does
not, guess who suffers?

This is not the only article on soldiers who have suffered from the DoD's
record-keeping. As part of the *WashPost* series on Army Medical problems,
both at Walter Reed and elsewhere, they detailed a soldier with
after-effects of an explosive concussion. But when they could not come up
with his medical history, they ruled that his depression/PTSD were a
pre-enlistment condition, and discharged him sans disability rating.

The RISK? If you put all your data eggs in one basket; the yolks on you if
they drop it...

> Disuse of System Is Cited in Gaps in Soldiers Care
> Ian Urbina and Ron Nixon, *The New York Times*, 30 Mar 2007

  Lapses in using a digital medical record system for tracking wounded
  soldiers have led to medical mistakes and delays in care, and have kept
  thousands of injured troops from getting benefits, according to former
  defense and military medical officials.

  The Defense Department's inability to get all hospitals to use the system
  has routinely forced thousands of wounded soldiers to endure long waits
  for treatment, the officials said, and exposed others to needless testing.

  Several department officials said the problem may have played a role in
  the suicide of a soldier last year after he was taken to Fort Lewis in
  Washington State from Iraq. His intentions to kill himself were clearly
  documented in his digital medical record from overseas, but doctors at
  Fort Lewis did not consult the file and released him, according to
  department records and defense officials.

  "The D.O.D.'s failure to share data and track patient records is truly a
  matter of life and death," Senator Patty Murray, Democrat of Washington,
  said in a statement. "This isn't an isolated case, but a system-wide
  failure."


Visitor Tagging abandoned for US VISIT

<George Michaelson <ggm@apnic.net>>
Wed, 14 Mar 2007 10:41:23 +1000

http://www.epic.org/alert/EPIC_Alert_14.05.html

  "...In a July 2006 report, the Department of Homeland Security's Inspector
  General echoed EPIC's concerns, stating that the US-VISIT border security
  program fails to protect data collected through the use of RFID tags. The
  report found "security vulnerabilities that could be exploited to gain
  unauthorized or undetected access to sensitive data" associated with
  people who carried the RFID-enabled forms. ..."

but this sentence seems more telling:

  "...Essentially, the I-94 form could not guarantee that the person to whom
  the form was issued would be the same individual exiting the country with
  the form. ..."

Classic instance of "magic tokens" being mistaken for a tightly bound secure
outcome, forgetting that who *holds* the magic token probably matters more
than whats *in* the magic token.

I'd rather go with tally sticks, or a torn postcard. Actually, if they just
tore the I-94 jagged and gave me back half, that would work for me..


A couple of unrelated risks

<"Jay R. Ashworth" <jra@baylink.com>>
Mon, 19 Mar 2007 14:23:16 -0500

In http://news.com.com/2100-1012_3-6168226.html, the writer notes that
Microsoft's new business phone system (where are the Ctrl, Alt, and
Delete keys?) will

  Rather than [...] multiple buttons for transferring calls and for checking
  voice mail, [have] a single button [which] will enable users to speak to
  identify the function they want.

Now, press-to-speak is not quite as bad as "one button for multiple
functions" (ask a new BMW owner about iDrive), but "speak the function you
want" has -- as has been covered in RISKS before -- its own set of
problems... even if you rule out Spider Robinson's famous 'speech-activated
bomb/cub news photog who thinks (aloud) "that'll make a great page-one blow
up".'  :-)

As usual, though, design by people who don't know what to optimize for is
usually a bad thing, and optimizing for training over use (which tends to
cast your staff turnover rate into question) is always bad -- ask Allied Van
Lines, whose AMS replacement for CAMIS more than tripled their mainframe's
load (a 2-transaction CICS process became a 7-transaction one) as well as
the staff time to do the work -- or so I was told.

On an unrelated topic, one of the choke points in the food distribution
business was illustrated this week by the Great Pet Food Scare of 2006;
Ontario based Menu Foods apparently manufactures wet petfood for 17 of the
20 brand names in that market (a fact mentioned, but not explored, by one of
the wire-service pieces on the story), and some problem with that food has
killed roughly a dozen house pets in the last month.

The waitress who feeds me lunch most days asked me today if I thought that
was a low-grade terrorist attack... a thought which some prompt Googling
failed to turn up anyone else considering.  Hmmm...

Homogeneity, though, is still a bad thing, whether someone's out to get you
or not.  Concealed original-sourcing can be intrinsically bad too,
apparently.

Jay R. Ashworth, Ashworth & Associates, St Petersburg FL USA +1 727 647 1274
http://baylink.pitas.com jra@baylink.com


Opposition to e-voting grows in France (Elaine Sciolino via PGN)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Wed, 4 Apr 2007 9:27:37 PDT

This is apparently the first French election to use paperless electronic
voting systems, although only for about 1.5 million of the 44.5 million
voters.  Three weeks before the election, Elaine Sciolino reports that many
doubts are being raised.  One candidate's spokesperson said, "I don't want
to lecture America. But we don't want France to fall into the same
Kafkaesque balloting as happened in the United States."  80% of the machines
will be the Dutch NEDAP (which Ireland used in 2004 and 2006, but has now
suspended -- see RISKS-24.61 and the next item below).  160 additional
machines will be ES&S-iVotronic (which is the system used in the
still-disputed Sarasota election in November 2006), with others being
Spain's Indra.  Two vendor spins stand out for RISKS readers to chew on:

Matthijs Schippers, director of election systems for NEDAP [see next item]:
  "The systems we have developed for France comply with all legal standards
  and regulations that are incorporated in French electoral law.  The
  accusations have no factual basis."

Rob Palmer, director of marketing and communications for ES&S-iVotronic
  "We have an extreme amount of confidence in our machines in France,"
  said Rob Palmer, director of marketing and communications for
  ES&S-iVotronic. "Our machines have proven themselves in thousands of
  elections in the United States and elsewhere."

[Source: Elaine Sciolino, Opposition to e-voting grows in France, *The New
York Times, 4 Apr 2007, A3 in the National Edition; PGN-ed]


Re: NEDAP, the Dutch chess-playing voting machine (Re: RISKS-24.60)

<Debora Weber-Wulff <D.Weber-Wulff@fhtw-berlin.de>>
Sun, 01 Apr 2007 12:34:24 +0200

Mike Smith writes about what is known in Europe as the "NEDAP hack".  I had
the privilege of seeing Ron Gonggrijp present this at the CCC conference in
Berlin in December 2006. I was shocked at the old, simplistic architecture
and the easiness of the "hack".

The Dutch group "We don't trust voting computers" reported in February 2007
on a further twist in the story:

(English version:
http://www.wijvertrouwenstemcomputersniet.nl/English/Groenendaal :
Voting systems company threatens Dutch state - "Buy my company now or you
won't have provincial elections")

It seems that the Dutch government has become entirely dependent on the
insecure and rather outdated NEDAP voting machines. Sensing a good
opportunity to make a bit of cash instead of investing in an upgrade, Jan
Groenendaal, the owner of the company apparently blackmailed the Dutch
government.

Wijvertrouwenstemcomputersniet obtained documents under the Dutch freedom of
information act which include an email (English translation:
http://www.wijvertrouwenstemcomputersniet.nl/English/Mail_Groenendaal) from
Groenendaal to the ministry threatening to quit all work if the government
appoints "Hacker" Rop Gonggrijp (the guy who led the chess-playing
implementation on the NEDAP computers) to the independent commission for
investigating the future of the electoral process, i.e., which
software/hardware the government needs to purchase for the next elections.

Groenendaal make an offer the government can't refuse: "The ministry buys
the shares of our company at a reasonable price, [...] and we will still
cooperate during the next election [the Dutch 2007 provincial elections to
be held March 7th]." But the government does not, strangely, snap up the
shares offered, so he repeats his "offer", then informs the government that
he has told his workers to cease activity "until we have received an answer
that is acceptable to us".

The elections were held (if, indeed, they actually were elections) and
Wijvertrouwenstemcomputersniet has written to the new minister Ter Horst,
calling on her to "take the necessary measures needed to restore confidence
in the electoral process and in the notion that our government can not be
blackmailed."

So we have one more risk in the area of eVoting - not some dark, unknown
"hacker" throwing the election, but the seller of the hard- or software
blackmailing the government because they are helpless to conduct an
electronic election without their help.

I vote for paper ballots, anyone with me on this one?

(Sarcastic side note: The German government seems to be considering
purchasing NEDAP computers. They are getting a good deal on some used Dutch
ones....)

Prof. Dr. Debora Weber-Wulff, FHTW Berlin, Treskowallee 8, 10313 Berlin
+49-30-5019-2320  http://www.f4.fhtw-berlin.de/people/weberwu/


Re: Yet more privacy risks from copiers (Arthur, RISKS-24.60)

<Alistair McDonald <alistair@inrevo.com>>
Fri, 16 Mar 2007 21:47:00 +0000

This has been brought up before in RISKS-22.01:
http://catless.ncl.ac.uk/Risks/22.01.html#subj11

Alistair McDonald, InRevo Ltd :- http://www.inrevo.com/
Author of the SpamAssassin Book (http://spamassassinbook.packtpub.com/)
Tel: +44 7017 467 386 (Work)    +44 7812 829 020 (Cell)


Re: 'Tamperproof' autopilot for passenger jets to avoid hijacks

<"Rick Damiani" <rick@patongroup.com>>
Sat, 17 Mar 2007 16:22:21 -0700

I'm pretty sure this has come up here before. A quick search of Risks
shows some cautionary tales. I like this one best:
http://catless.ncl.ac.uk/Risks/24.05.html#subj1.1

A word from a pilot:
http://catless.ncl.ac.uk/Risks/24.25.html#subj7.1

Rick Damiani, Applications Engineer, The Paton Group
California: (310)429-7095  Hawaii: (808)284-3033


Re: Insured car wrongly crushed (Drewe, RISKS-24.59)

<Tony Woolf <news@t-onywoolf.co.uk>>
Wed, 14 Mar 2007 11:01:41 GMT

> ... anyone with a computer can knock up a `valid' certificate of insurance
> preferring to believe what the database told them.

Neither the paper document nor the computer record is proof of insurance.
(A relative found this out the hard way with a surveyor's Professional
Indemnity insurance.)  However, both give a reference that allows you to
contact the insurance company and find out whether it is valid.  The police
could have confirmed by phoning the insurance company help line and giving
the car and driver details.


AMEX prepaid cards can be forced into overdraft

<Charles Hanes <chanes@pacbell.net>>
Wed, 4 Apr 2007 13:56:40 -0700

I have been using some prepaid American Express cards that I get through a
hotel timeshare program.  I just found out something interesting about them.

About 3 weeks after using one of the cards at a hotel in San Francisco, I
received a letter from AEIS or American Express Incentive Services,
explaining that my prepaid card number was in overdraft by a significant
amount.  I had directed the hotel to deduct the exact value of the card, and
then charge the remainder of the bill to another credit card.

By checking the hotel billing statement, I quickly figured out that the
extra amount was not charged to the different card, but was erroneously
charged to the same prepaid card number.  I was mystified how this was
possible.

A complicating factor was that I no longer had the physical card, I
unintentionally left it there at the hotel checkout desk instead of bringing
it away with me.

So, I called the customer service number on the letter, and explained what
happened.  The rep explained that it is possible for a merchant to
overcharge the card if they force the transaction, and do not abide by the
rejection of the amount.  I did not know this could be done.

So, the letter and the representative directed me to mail in a check for the
balance, which was no problem since I verified that the amount was valid and
did not get charged to the other card.

I asked that the card number be canceled, since I no longer had the card in
my possession, and the representative explained that that was automatically
done when the card went into overdraft.

Apparently these cards do not automatically cancel when their value goes to
zero.  The card number apparently remains valid until the card expires.
This is very, very dangerous.

Lessons:

1) Make certain that only the correct amount gets charged to one of these
prepaid cards.

2) Do NOT throw it away after you have charged the balance.  If someone
forces another transaction on the card (and this is possible), the bill
comes back to you.  Destroy the card securely after you have used up the
balance.


10TH IEEE High-Assurance Systems Engineering Symposium CFP

<"Jicheng Fu" <jxf024000@utdallas.edu>>
Tue, 3 Apr 2007 11:49:35 -0500

THE 10TH IEEE HIGH ASSURANCE SYSTEMS ENGINEERING SYMPOSIUM
November 14-16, 2007, Dallas, Texas
http://hase07.utdallas.edu/

The IEEE International Symposium on High Assurance Systems Engineering is a
forum for discussion of systems and software engineering issues to achieve
high assurance systems. The focus is on integrated approaches for assuring
reliability, availability, integrity, privacy, confidentiality, safety, and
real-time of complex systems and the methods for assessing the assurance
levels of the systems to a high degree of confidence. Technical and
experience papers on algorithms, policies, middleware, tools, and models for
high assurance systems development, verification and validation, and
assessment are welcome.  Papers due by 1 Jun 2007


REVIEW: "Botnets: The Killer Web App", Craig A. Schiller et al.

<Rob Slade <rmslade@shaw.ca>>
Tue, 03 Apr 2007 11:40:17 -0800

BKBOTNTS.RVW   20070126

"Botnets: The Killer Web App", Craig A. Schiller et al., 2007,
1-59749-135-7,U$49.95/C$64.95
%A   Craig A. Schiller craigs@pdx.edu
%A   Jim Binkley
%A   David Harley david.a.harley@gmail.com
%A   Gadi Evron ge@linuxbox.org
%A   Tony Bradley tony@s3kur3.com
%A   Carsten Willems
%A   Michael Cross
%C   800 Hingham Street, Rockland, MA   02370
%D   2007
%G   1-59749-135-7 978-1-59749-135-8
%I   Syngress Media, Inc.
%O   U$49.95/C$64.95 781-681-5151 fax: 781-681-3585 www.syngress.com
%O  http://www.amazon.com/exec/obidos/ASIN/1597491357/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/1597491357/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/1597491357/robsladesin03-20
%O   Audience i Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   464 p.
%T   "Botnets: The Killer Web App"

I'm starting the review of this book sitting in the Baker Room at the
Microsoft Conference Center, attending ISOI II (the second set of Internet
Security Operations and Intelligence meetings).  We have just finished
singing along with Gadi Evron (who arranged both the community and the
meetings) to an Israeli pop song from a few years back (and from a band with
the oddly appropriate name of Mashina).  Craig Schiller gave me a copy of
the book last night at dinner.  (When I asked Jim Binkley to autograph it
for me he was jealous because he hasn't yet received his own copy.)  Carsten
Willems was here yesterday, but I haven't seen him to ask him to sign it
this morning.  I'll have to ask for David Harley's autograph the next time
he visits Vancouver.

All of which is by way of saying that it may be difficult to be
objective about this book, but ...

The subtitle of chapter one, "A Call to Action," is correct.  Normally one
would expect a definition of the topic or technology of botnets, but the
text is more of an exhortation to pay attention to the problem.  The history
provided is piecemeal: it does not mention the early DDoS (Distributed
Denial of Service) systems (which were application-specific botnets) nor the
spambotnet wars of 2004.  The definition of botnets in chapter two tends to
be technical, rather than functional, and the descriptions and categories
could be grouped in a more logical and organized manner.  A variety of
alternative command and control systems are described in chapter three: the
material is well written.  The one weakness is the lack of detail on the
standard IRC (Internet Relay Chat) control system, but this should probably
have been covered more fully in the introductory chapters.  Chapter four
describes some of the major botnet "client" software families.  The content
is too technical to be of use to the average computer user, but isn't really
all that detailed.  Technical information about a variety of possible
indications of botnet activity is listed in chapter five.

The use of the Ourmon tool for detecting botnet traffic is discussed in
chapters six and seven.  (The structure of the text, and the reason for two
chapters, is not completely clear, although six is more on installation and
seven is more on use.)  Ourmon's examination of IRC traffic is covered in
chapter eight.  Chapter nine deals with more advanced techniques.

Using the CWSandbox program for malware analysis is examined in chapter ten.
Software tools, research communities, and other sources of information are
listed in chapter eleven.  Chapter twelve is a (mostly) philosophical look
at how we, as a society, should respond to botnets.  There is also a brief
section on protecting your own computer so as not to become part of the
problem, although assessment and use of a number of the recommendations
would be beyond the capabilities of the average user.

Botnets are a significant problem, and one which has not been adequately
addressed in the current security literature.  Therefore, this work is of
major importance.  The book does provide a good deal of useful information
for network administrators and security professionals, although better
arrangement of the data and more technical detail would have been even more
helpful.  (The brief attempts to address individual users are not
successful.)  The text is a decent professional reference, and hopefully it
will promote further attention and activity in this area.  (Security
activity.  We don't need any more botnet activity.)

copyright Robert M. Slade, 2007   BKBOTNTS.RVW   20070126
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm


REVIEW: "Beyond COSO", Steven J. Root

<Rob Slade <rmslade@shaw.ca>>
Thu, 29 Mar 2007 08:58:36 -0800

BKBECOSO.RVW   20070218

"Beyond COSO", Steven J. Root, 1998, 0-471-39112-3, U$65.00/C$84.99
%A   Steven J. Root
%C   5353 Dundas Street West, 4th Floor, Etobicoke, ON   M9B 6H8
%D   1998
%G   0-471-39112-3
%I   John Wiley & Sons, Inc.
%O   U$65.00/C$84.99 416-236-4433 fax: 416-236-4448
%O  http://www.amazon.com/exec/obidos/ASIN/0471391123/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/0471391123/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0471391123/robsladesin03-20
%O   Audience i Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   340 p.
%T   "Beyond COSO: Internal Control to Enhance Corporate Governance"

In the preface, the author notes that it is impossible to have complete
control of any situation: problems and fraud will happen despite all of our
efforts.  Root recommends that companies should implement internal controls
as suggested by COSO (the Committee of Sponsoring Organizations of the
Treadway Commission), but must also go beyond them, in a manner similar to
the layered defence or defence in depth models.

Chapter one contains an analysis of the limitations of the COSO directives
(and ends with a rather odd overview of the book itself).  The concepts of,
and problems with, internal control is covered in chapter two.  Chapter
three presents a history of twentieth century corporate frauds and the
attempts to restrict them.  Business ethics and values are discussed in
chapter four.

Chapter five outlines the COSO framework, noting that internal controls
provide assurance of the efficiency of operations and reliability of
financial reporting--as long as there is compliance with the laws and
regulations.  (As this material is based on the 1992 version of COSO, it is
interesting to note that the components of risk management are pretty much
the same, but that the dimensions of objectives categories and unit-levels
had not yet been added to the model.)  Further concerns and limitations of
COSO are expressed and analyzed.  Additional frameworks are reviewed in
chapter six.  Using a hybrid of devices from these other frameworks, chapter
seven suggests the extension of internal controls with additional management
aspects.  Chapter eight recommends that an oversight process be established
for internal controls, noting particularly legal obligations and related
factors such as standards of care, generic corporate organization and
business roles and tasks.  The oversight issues are extended in chapter
nine, looking in more detail at job roles, and also insights that arise from
chaos theory.  Chapter ten finishes off the book with a review of the
reporting of internal controls: much of this is concerned with the wording
used in such statements, and the ineffectiveness of such reports to control
incidents and fraud.

Despite its age, this book is one of the more useful guides in the area of
governance and controls in corporations.  Root was willing to go beyond the
usual promotional jobs that masquerade as management advice.  While he does
not solve the problem, he at least makes the issues clearer, and raises
interesting points in regard to solutions.

copyright Robert M. Slade, 2007   BKBECOSO.RVW   20070218
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm

Please report problems with the web pages to the maintainer

Top