The RISKS Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 24 Issue 68

Monday 11 June 2007

Contents

US Flight Service Privatization system problems
Don Poitras
FDA issues Class I recall for an algorithm
Richard Cook
New Hampshire federal judge overrules privacy law
Ethan Ackerman
IT industry has failed in desktop security
Munir Kotadia via PGN
Belgian biometric passport
Jean-Jacques Quisquater
Flawed Symantec update cripples Chinese PCs
PGN
Facebook doesn't allow friends born before 1910
Henry Baker
Royal Bank of Scotland total failure of cash access systems
PGN
Keyloggers used to steal city funds
Rick Damiani
Want to Write a Virus? Take a Class
Erik Larkin via George Ledin
Windows' ATMs
Mark Barnabas Luntzel
Round Up, Round Down, or How one cent became a profitable event
Leon Kuunders
Re: UK judge: "What's a website?"
Rob Slade
Re: Broken Microsoft + Daylight saving
Len Spyker
Engaging Privacy and Information Technology in a Digital Age
Jim Horning
Info on RISKS (comp.risks)

US Flight Service Privatization system problems

<Don Poitras <poitras@pobox.com>>
Thu, 24 May 2007 08:36:48 -0400 (EDT)

Lockheed Martin has been converting Flight Service Stations (FSSs) to use
new software and digital interfaces to FAA computers since it won the
contract to run the stations in 2005. Part of the contract was a set of
guarantees that certain response times would be achieved.  Phone calls were
to be answered in 20 seconds, radio calls answered within 5 seconds, and
flight plans filed within 3 minutes.

With the start of fair-weather flying by the majority of US private pilots
this spring, the system has come under stress and response times have been
abysmal, flight plans have been dropped and weather briefings have been
conducted by briefers with no local knowledge of weather conditions.

  CONTROLS OVER THE FEDERAL AVIATION ADMINISTRATION'S CONVERSION OF FLIGHT
  SERVICE STATIONS CONTRACT OPERATIONS
  <http://www.oig.dot.gov/item.jsp?id=2051>

  "Several FAA officials indicated that the use of call off-loading has
  increased significantly since the contract was put in place.  In some
  cases, we found multiple facilities that had to adjust their operations in
  order to cover off-loaded calls from short-staffed facilities, which
  created a cascading effect across the country."

and:

  "FS-21 requires digital capabilities and, per terms of the contract, must
  interface with FAA's Telecommunications Infrastructure Network.  To meet
  this requirement, FAA plans on installing digital connections between the
  Lockheed Martin hub facilities and the closing and continuing flight
  service stations.  While FAA has begun installing the digital connections,
  one FAA official noted that, based on the current schedule, there are only
  about 75 days between when the digital connections are installed and when
  operations at closing and continuing flight service stations are cut over.
  Given the tight timeframe, any delays or problems with the installation of
  these connections could hamper testing and operation of FS-21, possibly
  delaying the transition and increasing contractual costs."

AOPA's (Aircraft Owners and Pilots Association) Phil Boyer had this
to say:

  "In short, the FS21 (twenty-first century) system is in crisis and failing
  pilots. Based on the hundreds of complaints that AOPA has received in the
  past month, it is clear that the technical and operational problems
  plaguing FS21 are now affecting safety," said AOPA President Phil Boyer in
  a letter to FAA Administrator Marion Blakey.  "The FAA and Lockheed Martin
  must immediately address the problems and implement a plan to bridge the
  service gap and provide critical FSS safety of flight services."

There are several safety issues. If the automated system ends up sending you
to a weather briefer in another state, he might not be aware of local
conditions, e.g., wind coming over a local mountain might produce severe
turbulence, but he wouldn't know that and wouldn't have any reason to
mention it.

A more serious safety risk is just that pilots may avoid getting pre-flight
briefings altogether because they can't get through.

Personally, (and the reason I'm making this post) I was trying to get an IFR
clearance and ended up getting bounced around the system and ended up with a
briefer in Macon, GA (I'm in Raleigh, NC). He had to fumble through what was
obviously a labor intensive effort to get the call switched to
Raleigh. While talking to Raleigh, the call disconnected.

As I was going through this, the plane behind me was doing the same thing.
After about ten minutes he says to me (via the radio), "I'm on hold, the
ASOS (automated local weather recording) says 1500 feet, so I'm going VFR."

I ended up doing the same thing. Leaving VFR in marginal conditions means
that ATC will not be providing IFR separation services. They don't even know
you've left until you call them up. Well, they might see your VFR
transponder code, but they won't have any idea where you're going.


FDA issues Class I recall for an algorithm

<Richard Cook <ri-cook@uchicago.edu>>
Wed, 06 Jun 2007 06:59:20 -0500

> Date:    Tue, 5 Jun 2007 13:01:43 -0400
> From:    CDER MEDWATCH LISTSERV <MEDWATCHLIST@CDER.FDA.GOV>
> Subject: FDA - MedWatch- Alcon Refractive Horizons LADAR6000 Excimer
> Laser System Class I Recall Because The Algorithm For Myopia With and
> Without Astigmatism Caused Cornea Abnormalities
>
> MedWatch - The FDA Safety Information and Adverse Event Reporting Program
>
> Alcon Refractive Horizons and FDA notified healthcare professionals and
> patients of a Class I Recall of the LADAR6000 Excimer Laser System for
> CustomCornea algorithm for myopia with astigmatism (M3) and myopia
> without astigmatism (A7).   This system is used for LASIK and wave-front
> guided LASIK treatment for the reduction or elimination of mild to
> moderate nearsightedness (myopia) and farsightedness (hyperopia) with or
> without astigmatism or for mixed astigmatism in patients who are 21
> years of age or older with documented stability of refraction for the
> prior 12 months. The product was recalled because use of the Alcon
> Refractive Horizons CustomCornea algorithm for myopia with and without
> astigmatism with the LADAR6000 Excimer Laser caused corneal
> abnormalities ("central islands") and decreased visual sharpness (visual
> acuity) in patients with myopia with and without astigmatism.  These
> "central islands" may not be correctable with lasers and the decrease in
> visual acuity may not be correctable with glasses or contact lenses.
> Patients with questions should call the company at 1-877-523-2784.
>
> Read the complete 2007 Safety Summary, including a link to the FDA
> Recall Notice regarding this issue at:
>
> http://www.fda.gov/medwatch/safety/2007/safety07.htm#LADAR6000

Recalling an algorithm is a relatively new phenomenon. Devices such as
infusion pumps typically have firmware and software that is integral to the
device. Complex devices such as LASIK systems allow the operator to select
amongst multiple functions using different algorithms. In February of this
year, Alcon told customers to stop using two algorithms (M3 and A7) and went
on to 'deactivate' these algorithms in U.S.  devices.  A Class I recall is
for "dangerous or defective products that predictably could cause serious
health problems or death. Examples of products that could fall into this
category are a food found to contain botulinal toxin, food with undeclared
allergens, a label mix-up on a life saving drug, or a defective artificial
heart valve."

Richard I. Cook, MD, University of Chicago, Anesthesia and Critical Care,
Chicago IL 60637 1-773-702-4890 http://www.ctlab.org/Cook.cfm


New Hampshire federal judge overrules privacy law

<Ethan Ackerman <eackerma@u.washington.edu>>
May 22, 2007 5:30:43 PM EDT

1st Amendment protects reselling medical records.  [via Dave Farber's IP]

The New Hampshire Legislature recently enacted a law that bars pharmacies,
insurance companies, and similar entities from transferring or using both
patient-identifiable data and prescriber-identifiable data for certain
commercial purposes.  The law was enacted to protect patient privacy,
prescriber privacy, and to prevent drug industry 'targeting' of doctors who
prescribed generics.

It was promptly challenged by 2 data-mining companies who buy up
prescription records from pharmacies and resell the info to drug
manufacturers, and on April 30th was overturned by US District Court Judge
Paul Barbadoro.

Judge Barbadoro ruled that the data-miners had a 1st Amendment right to
resell the prescription records and the State of New Hampshire violated that
right in passing this law.

http://www.washingtonpost.com/wp-dyn/content/article/2007/05/21/AR2007052101701.html
has a "big picture" treatment of the issue which mentions the case.

It also looks like the state plans to appeal:
http://www.citizen.com/apps/pbcs.dll/article?AID=/20070504/NEWS0201/70504029/-1/CITIZEN

  [IP Archives: http://v2.listbox.com/member/archive/247/=now]


IT industry has failed in desktop security (Munir Kotadia)

<"Peter G. Neumann" <neumann@csl.sri.com>>
Fri, 25 May 2007 13:54:55 PDT

The IT industry has failed when it comes to desktop security for all major
operating systems.  Ivan Krstic, director of security architecture for the
One Laptop per Child project, kicked off the AusCert 2007 conference Monday
morning with a keynote speech that blasted desktop computer security --
including that of Windows, Linux and Macintosh machines -- because it is
based on a 35-year-old premise where software can run with the same
privilege as a user.  ...  One example of such a program, he said, is
Minesweeper <http://en.wikipedia.org/wiki/Minesweeper_(computer_game)>, a
single-player game that has shipped with virtually all versions of Microsoft
Windows.  [Source: Munir Kotadia, ZDNet Australia, Expert: IT industry has
failed in desktop security, *News.com*, 22 May 2007; PGN-ed]
http://news.com.com/Expert+IT+industry+has+failed+in+desktop+security/2100-1002_3-6185295.html
http://www.zdnet.com.au


Belgian biometric passport

<Jean-Jacques Quisquater <jjq@dice.ucl.ac.be>>
Sat, 09 Jun 2007 14:26:55 +0200

A research team in cryptography (Gildas Avoine, Kassem Kalach and
Jean-Jacques Quisquater) from the Catholic University of Louvain
(Louvain-la-Neuve) disclosed serious weaknesses in the Belgian biometric
passport, the only type of passport distributed in Belgium since the end of
2004. The work carried out in Louvain-la-Neuve during the course of May 2007
shows that Belgian passports issued between end 2004 and July 2006 do not
include any security mechanism to protect the personal data embedded in the
passport's microchip. Passports issued after July 2006 do benefit from
security mechanisms, but these are flawed. This means that anyone
possessing a little electronic reading device, which is easy and cheap to
acquire, can steal the passport content while it is still in the pocket of
the victim owners and thus without their knowing.  Face and signature are
among the data at risk. This news is all the more surprising because Karel
De Gucht, the Belgian Minister for Foreign Affairs, declared in the Belgian
Parliament on 9th January 2007 that the Belgian passport benefited from the
security mechanisms advocated by the International Civil Aviation
Organization. Skimming (that is, reading remotely these passports without
the consent of the holder) is thus very easy and is true for 720.000
passports valid till end 2009 at least, out of all 1.500.000 valid Belgian
passports.  [Probably gratuitous for most of you but note that
Belgian "." = American ","]

The risk is evident for the privacy of their holders.  From the obtained
information such flawed passports are the only ones in the world.

More at http://www.dice.ucl.ac.be/crypto/passport/index.html


Flawed Symantec update cripples Chinese PCs

<"Peter G. Neumann" <neumann@csl.sri.com>>
Thu, 24 May 2007 12:58:05 PDT

  [TNX to Keith A Rhodes.  PGN]

An erroneous Symantec antivirus signature update caused Norton Internet
Security 2007 and Norton 360 antivirus software to identify two critical
system files (netapi32.dll and lsasrv.dll) as the Backdoor.Haxdoo Trojan in
the Simplified Chinese version of Windows XP (with Service Pack 2 and a
particular patch), resulting in those files being quarantined.  As a result,
millions of PCs throughout China were crippled, unable to be
rebooted. ``According to Symantec, the problem was caused when Symantec made
a change to the automated process used by the company's security response
team to detect malicious software.''  [Source: Article by Aaron Tan, CNET
News.com; PGN-ed]
http://news.com.com/Flawed+Symantec+update+cripples+Chinese+PCs/2100-1002_3-6186271.html?tag=st.ref.goo
http://www.cctv.com/program/bizchina/20070524/103599.shtml


Facebook doesn't allow friends born before 1910

<Henry Baker <hbaker1@pipeline.com>>
Thu, 24 May 2007 14:43:23 -0700

Facebook discriminates against centenarians!  You can't get an account
unless your birthday is 1910 or later.  (Of course, most centenarians won't
have the prettiest faces for Facebook, but everything is relative...)

  [According to Wikipedia, there are 55K centenarians in the US and 25K in
  Japan, so this is not a small market.  I think that the founder of
  Facebook is about 23 years old, so perhaps he doesn't trust anyone over
  100.  I've got 40 years before worrying about this, but I don't want to
  run into a Y2K-type problem with 100+ ages.  (Actually, there already is
  such a problem, as many websites only allow 2 digit ages.)  HB]


Royal Bank of Scotland total failure of cash access systems

<"Peter G. Neumann" <neumann@csl.sri.com>>
Sat, 2 Jun 2007 11:58:13 PDT

The Royal Bank of Scotland (RBS), which also owns NatWest, has apologised
after its cashpoint, online, and telephone banking systems all crashed.  A
spokeswoman said: "We are very sorry, and we're working to sort it out."
[Source: BBC, courtesy of Keith Rhodes; PGNed]
  http://news.bbc.co.uk/nolpda/ukfs_news/hi/newsid_6714000/6714857.stm


Keyloggers used to steal city funds ...

<"Rick Damiani" <rick@patongroup.com>>
Fri, 1 Jun 2007 17:49:37 -0700

... $450,000.00 in attempted wire transfers, but the city was able to freeze
all but $45,000.00.  *LA Times*
http://www.latimes.com/news/local/la-me-hackers1jun01,1,3026207.story?coll=la-headlines-california

Interesting quote:

"Avilla said she still doesn't know how her computer was targeted. She said
she doubts it had the latest security software patch protections - something
sheriff's detectives and bank investigators told her is essential in
safeguarding her computer."

Two-factor authentication wasn't mentioned, so my guess is that the city's
bank doesn't offer it or the city chose not to use it.

Rick Damiani, Applications Engineer, The Paton Group
California: (310)429-7095 Hawaii: (808)284-3033


Want to Write a Virus? Take a Class (Erik Larkin, *PC WORLD*)

<George Ledin <ledin@sonoma.edu>>
Tue, 22 May 2007 16:10:49 -0700

  [Ironically, the story is spreading... like a virus!  George]

<http://blogs.pcworld.com/staffblog/archives/004452.html>
Want to Write a Virus? Take a Class.  Erik Larkin, 22 May 2007

A college computer course that teaches students how to write computer
viruses is riling up security companies once again, according to a story in
a local California paper today.

Per the story, a computer science professor [George Ledin] at Sonoma State
University in California is teaching the course in order to train his
students how to design better defenses. Security companies, on the other
hand, have always vigorously decried any attempts to create new malware as
automatically unethical, no matter the end goal. And at least three
companies are sending Ledin letters saying they will boycott hiring Ledin's
students, according to the story.

This is an ongoing debate.
<http://www.informationweek.com/story/showArticle.jhtml?articleID=10100296>
Other colleges have previously taught such classes, and Consumer Reports
took major heat when it created new malware to test antivirus software.
<http://blog.washingtonpost.com/securityfix/2006/08/antivirus_testing_and_consumer_1.html>

So who's right? Is Ledin violating an unwritten Hippocratic oath of computer
security? Or is this an important thing to teach, and learn, and test?

Personally, I think the genie's out of the bottle. Unlike with biological
viruses, it's not hard to create a new piece of malware.  You don't need a
lab, expensive equipment or even much techie know-how; There has long been
software available that allows any aspiring online thug to easily create a
new piece of malware.

What's more, malware writers are constantly spewing out new variants in an
attempt to evade antivirus programs. The recent
<http://www.pcworld.com/article/id,130686-page,1/article.html>
Storm Worm blast was a great example.

So I don't really think it makes us less safe if a few students create new
malware in order to learn how they're built. Even if one of them escapes its
protected environment, it will be a drop in the bucket compared to the
already existing deluge of new virus variants that come out all the time.

And such training may help with what's really important: Developing
<http://www.pcworld.com/article/id,129883-page,2-c,antivirus/article.html>
effective proactive defenses that can block attacks whether they're old or
brand new.


Windows' ATMs

<"Mark Barnabas Luntzel" <mark@luntzel.com>>
Mon, 11 Jun 2007 09:01:00 -0700

Here is a Russian ATM with a Windows Product Activation screen:

  Your Windows product must be activated within 7 days.
  Do you want to activate Windows now?

http://www.geekologie.com/2007/06/11/russian-windows-atm.jpg


Round Up, Round Down, or How one cent became a profitable event

<Leon Kuunders <leon@kuunders.info>>
Tue, 29 May 2007 09:32:47 +0200

One Dutch energy company, Eneco, offers an extra service to other
organisations: it acts as a collecting agent. My local cable television
company, Rekam, is using that service to have its monthly payments
collected.  One of the invoices I received recently showed a to-be-collected
amount of 5,01. I immediately got triggered by this number: where did this
one cent originate from?

Quick research showed the cable company charges you 5,00 for
administration costs, including 19% VAT. When the energy company tried to
calculate the costs without VAT they got into a nasty problem: the amount
excluding VAT comes down to 4,2016806722... etc. Rounded, this would be
4,20. When they calculated 19% VAT on 4,20, it equals 0,798. Dutch tax rules
require rounding such a number down to ... 0,79.

This would leave them with a total amount of 4,99. But hey! That wasn't
enough! So they decided to round up the amount excluding VAT to 4,21 and
then calculate the 19% VAT: 0,7999. Then they decided that this number was
close enough to round up to 0,80 (against Dutch tax rules ...). The total
amount then was 4,21 + 0,80 = 5,01.

In a conversation with the general manager of the cable company he assured me
that there was no way around this, and offered to send me a direct bill of
15,00. Because they had outsourced their billing department they had to
increase direct bills with € 10,00 administration costs. ...

The risks of this event are as follows: because the energy company
automatically debits the accounts of its customers, this one cent will
automatically be transferred to its account. The cable company does not
collect this amount, nor does it pay it to the Dutch tax services. So
somewhere somebody enjoys these orphaned one-cent payments.

In the last letter I received from the cable company the general manager told
me I could go to court to get this issue resolved. My lawyer has confirmed
that that was the best news she had in years.

http://leon.kuunders.info  M: +31 6411 64 995  F: +31 848 359 359
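The arithmetic in the post above, worked through as an added example; this is not code from the post's author, from Eneco or from Rekam. The rounding modes attributed to the collector (net rounded half-up then VAT rounded down for the 4,99 case; net rounded up then VAT rounded half-up for the 5,01 case) are an assumption reconstructed from the figures quoted, and the total-preserving split at the end (round only the VAT, derived from the gross, and take the net as the remainder) is an alternative introduced here, not something the post describes.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP, ROUND_UP

CENT = Decimal("0.01")
VAT_RATE = Decimal("0.19")   # the 19% Dutch VAT rate on the invoice in the post


def round_cents(amount, mode):
    """Round a Decimal to whole cents with an explicit rounding mode."""
    return amount.quantize(CENT, rounding=mode)


def split_net_first(gross, net_mode, vat_mode, vat_rate=VAT_RATE):
    """Assumed collector's approach: derive the net amount from the gross, round it,
    then compute VAT on the already-rounded net and round that too.
    Because net and VAT are rounded independently, net + vat can drift from gross."""
    net = round_cents(gross / (1 + vat_rate), net_mode)
    vat = round_cents(net * vat_rate, vat_mode)
    return net, vat, net + vat


def split_from_gross(gross, vat_mode=ROUND_DOWN, vat_rate=VAT_RATE):
    """Total-preserving alternative (introduced here): round only the VAT, computed
    from the gross, and take the net as the remainder, so net + vat == gross."""
    vat = round_cents(gross - gross / (1 + vat_rate), vat_mode)
    net = gross - vat
    return net, vat, net + vat


def fmt(parts):
    """Format a (net, vat, total) triple in the Dutch style used in the post (comma decimal)."""
    net, vat, total = parts
    return f"{net} + {vat} = {total}".replace(".", ",")


def invoice_variants(gross):
    """The three computations for one gross amount, given as a string such as "5.00"."""
    g = Decimal(gross)
    return {
        # net rounded half-up (4,20), VAT rounded down as the tax rules require: one cent short
        "net_rounded_then_vat_down": fmt(split_net_first(g, ROUND_HALF_UP, ROUND_DOWN)),
        # net rounded up (4,21), then VAT 0,7999 rounded up to 0,80: one cent over
        "net_rounded_up_then_vat_up": fmt(split_net_first(g, ROUND_UP, ROUND_HALF_UP)),
        # VAT taken from the gross, net as remainder: the total is preserved
        "vat_from_gross": fmt(split_from_gross(g)),
    }


def totals_preserved(max_cents):
    """Check that split_from_gross never creates or loses a cent for any gross
    amount from 0,01 up to max_cents cents."""
    for cents in range(1, max_cents + 1):
        g = Decimal(cents) / 100
        net, vat, total = split_from_gross(g)
        if total != g or net + vat != g:
            return False
    return True


if __name__ == "__main__":
    for name, line in invoice_variants("5.00").items():
        print(f"{name:>28}: {line}")
    print("totals preserved up to 100,00:", totals_preserved(10_000))
```

The two "net first" variants reproduce the 4,99 and 5,01 totals from the post; the third shows that deriving one component by subtraction from the gross leaves no orphaned cent to debit, whatever rounding rule the tax authority imposes on the VAT line.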


Re: UK judge: "What's a website?" (Knowlton, RISKS-24.67)

<Rob Slade <rMslade@shaw.ca>>
Sat, 19 May 2007 17:14:26 -0800

(http://www.thesun.co.uk/article/0,,2-2007220614,00.html)

I can't really tell if this is a good thing or a bad.  Possibly some of the
evidence in regard to identity hangs on who accessed a website (or had
ownership of it).  In that case I would assume that a solid understanding of
the technology would be necessary.  A faulty understanding might result in
an incorrect decision (as seems to be the situation with the Amero case in
the US).

Certainly I can have sympathy with another comment in the story:

  "Later he said he hoped a computer expert would give `simple' evidence
  when called to the stand -- because otherwise he would not understand it.
  "Judge Openshaw said: `Will you ask him to keep it simple? We've got to
  start from basics.'"

Being involved in certain aspects of forensics, I recognize that a number of
"experts" simply seem to want to be able to give an opinion without being
challenged, questioned, or having to explain their reasoning and opinions.

(Given the way the story is written, I can easily recognize the risks of
admitting that you need help with technical concepts outside your field ...)

rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
http://victoria.tc.ca/techrev/rms.htm www.syngress.com/catalog/?pid=4150


Re: Broken Microsoft + Daylight saving

<"Len Spyker Perth Australia" <lspyker@helixesg.com>>
Thu, 24 May 2007 13:21:53 +0800

Dag-Erling Smørgrav disagrees in RISKS-24.67 with my stating in RISKS-24.66
that fixing the Microsoft RTC design bug would break a few thousand apps.

He asserts that, as only high-level system calls are used, they would see
no changes and all would be well.

While I agree in principle, reality was different.

I recently worked on a 6-month software project involving monitoring many
mine sites and ports, in the middle of which our state government introduced
daylight saving for the FIRST time ever, on barely 4 weeks' notice.

We had the expected breaking of legacy boxes that had no notion of daylight
saving, OK.

However the biggest surprise was the number of state of the art corporate
databases from well known global companies that broke badly.

They appeared to contain code fudges to work around the MS ambiguity and
other problems I mentioned.

Some of these global databases had no sense of a UTC time stamp and used
"local" time stamps only!

We uncovered a rat's nest of daylight or no daylight saving kludges at
every system level by every vendor and application writer that another
$500K barely made a dent in.

If you can't trust your OS high level system time calls 100.0% and you have
to work around them, then it still doesn't help.
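An added illustration of the local-timestamp problem described in the post above; this is not code from the author or from any vendor mentioned. The TrialDST zone is constructed for the example, with an invented standard offset and invented transition dates (it models the shape of a short-notice DST trial, not any real tzdata entry), and it is used here only to show why a record stamped with local wall-clock time alone cannot be recovered unambiguously, while a UTC stamp can.

```python
from datetime import datetime, timedelta, timezone, tzinfo


class TrialDST(tzinfo):
    """Constructed zone for illustration (not real tzdata): standard offset +08:00
    plus a one-hour daylight-saving period between two transition instants in UTC."""
    STD = timedelta(hours=8)
    DST = timedelta(hours=1)
    DST_START_UTC = datetime(2006, 12, 2, 18, 0)   # invented: clocks jump 02:00 -> 03:00 local
    DST_END_UTC = datetime(2007, 3, 24, 18, 0)     # invented: clocks fall back 03:00 -> 02:00 local

    def _is_dst(self, dt):
        """Decide from a local wall-clock value (and its PEP 495 fold flag) whether DST applies."""
        if dt is None:
            return False
        wall = dt.replace(tzinfo=None)
        gap_start = self.DST_START_UTC + self.STD         # first non-existent local minute
        gap_end = gap_start + self.DST
        amb_end = self.DST_END_UTC + self.STD + self.DST   # local 03:00 that becomes 02:00 again
        amb_start = amb_end - self.DST
        if wall < gap_start or wall >= amb_end:
            return False
        if wall < gap_end:          # spring-forward gap: fold=0 keeps the pre-transition offset
            return dt.fold == 1
        if wall >= amb_start:       # repeated hour: the first occurrence (fold=0) is still DST
            return dt.fold == 0
        return True

    def utcoffset(self, dt):
        return self.STD + (self.DST if self._is_dst(dt) else timedelta(0))

    def dst(self, dt):
        return self.DST if self._is_dst(dt) else timedelta(0)

    def tzname(self, dt):
        return "TRIAL-DST" if self._is_dst(dt) else "TRIAL-STD"

    def fromutc(self, dt):
        """Map a UTC instant to local time, marking the second pass through the repeated hour with fold=1."""
        utc = dt.replace(tzinfo=None)
        if self.DST_START_UTC <= utc < self.DST_END_UTC:
            return (utc + self.STD + self.DST).replace(tzinfo=self, fold=0)
        fold = 1 if self.DST_END_UTC <= utc < self.DST_END_UTC + self.DST else 0
        return (utc + self.STD).replace(tzinfo=self, fold=fold)


ZONE = TrialDST()
FMT = "%Y-%m-%d %H:%M"


def store_local_only(ts_utc):
    """The pattern the post criticises: persist only the local wall-clock string."""
    return ts_utc.astimezone(ZONE).strftime(FMT)


def store_utc(ts_utc):
    """Persist the instant in UTC; no clock transition can make two instants collide."""
    return ts_utc.astimezone(timezone.utc).strftime(FMT)


def round_trip_local(stamp):
    """Read a local-only stamp back and convert it to UTC. With no fold or offset stored,
    the reader has to guess which pass through a repeated hour was meant (it takes the first)."""
    return datetime.strptime(stamp, FMT).replace(tzinfo=ZONE).astimezone(timezone.utc).strftime(FMT)


def ambiguity_demo():
    """Two real instants one hour apart that straddle the fall-back transition."""
    first = datetime(2007, 3, 24, 17, 30, tzinfo=timezone.utc)   # 02:30 local, daylight time
    second = first + timedelta(hours=1)                           # 02:30 local again, standard time
    return {
        "local_first": store_local_only(first),
        "local_second": store_local_only(second),
        "utc_first": store_utc(first),
        "utc_second": store_utc(second),
        "local_stamps_collide": store_local_only(first) == store_local_only(second),
        "utc_stamps_collide": store_utc(first) == store_utc(second),
        "second_recovered_from_local": round_trip_local(store_local_only(second)),
    }


if __name__ == "__main__":
    for key, value in ambiguity_demo().items():
        print(f"{key:>28}: {value}")
```

Both events land on the same local stamp, and reading that stamp back yields the earlier instant for both, so the later record silently moves an hour into the past; the UTC stamps stay distinct and round-trip exactly. Storing local time together with its UTC offset (or the fold flag) would remove the ambiguity as well, but a bare local stamp cannot.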


Engaging Privacy and Information Technology in a Digital Age

<"Jim Horning" <Jim.Horning@SPARTA.COM>>
Fri, 25 May 2007 13:03:42 -0700

This book <http://books.nap.edu/catalog.php?record_id=11896> will, I think,
be of interest to many USACM members interested in IT privacy issues as
viewed from a variety of perspectives outside our usual computer-oriented
view.  Now available for pre-order from the National Academies Press, it is
the result of a multi-year study committee on Privacy in the Information Age
(of which I was a member), sponsored by the Computer Science and
Telecommunications Board (CSTB) of the National Research Council (NRC).
Privacy is a growing concern in the United States and around the world.  The
spread of the Internet and the seemingly boundaryless options for
collecting, saving, sharing, and comparing information trigger consumer
worries.

Online practices of business and government agencies may present new ways to
compromise privacy, and e-commerce and technologies that make a wide range
of personal information available to anyone with a Web browser only begin to
hint at the possibilities for inappropriate or unwarranted intrusion into
our personal lives. Engaging Privacy and Information Technology in a Digital
Age presents a comprehensive and multidisciplinary examination of privacy in
the information age. It explores such important questions as how the threats
to privacy are evolving, how privacy can be protected, and how society can
balance the interests of individuals, businesses and government in ways that
promote privacy reasonably and effectively. This book seeks to raise
awareness of the web of connectedness among the actions one takes and the
privacy policies that are enacted, and provides a variety of tools and
concepts with which debates over privacy can be more fruitfully
engaged. Engaging Privacy and Information Technology in a Digital Age
focuses on three major components affecting notions, perceptions, and
expectations of privacy: technological change, societal shifts, and
circumstantial discontinuities. This book will be of special interest to
anyone interested in understanding why privacy issues are often so
intractable.

The full draft text is available free online
<http://books.nap.edu/catalog.php?record_id=11896>, and will be replaced
with the final version when it is published.  Much credit is due to the
editors, Jim Waldo, Herb Lin, and Lynnette Millett for imposing a
substantial amount of coherence to disparate contributions from one of the
most diverse committees I have ever served on.  (I think that both the
lawyers and the philosophers outnumbered the three "computerists" on the
committee--it was a very broadening experience.)

I must confess that I am now much less confident that much privacy can be
salvaged than I was when the study was started.
<http://virtualbumperstickers.blogspot.com/2006/05/you-have-zero-privacyanywayget-over-it.html>
